# DESC NX - NX Server
#
# Author: Thomas Bleher <ThomasBleher@gmx.de>
#
# Depends: sshd.te
#
# Type for the nxserver executable, called from ssh
# Entry-point label used by domain_trans(sshd_t, nx_server_exec_t, nx_server_t)
# in this file. Presumably any file carrying this type is a way from sshd_t
# into nx_server_t, so the labelling should stay limited to the nxserver
# launcher itself - confirm against the file contexts.
type nx_server_exec_t, file_type, sysadmfile, exec_type;
# type of the nxserver; userdomain is needed so sshd can transition
# NOTE(review): the userdomain attribute makes every rule written with
# userdomain as its source apply to nx_server_t as well (this file has one:
# "allow userdomain xdm_tmp_t:sock_file unlink"). Rules that target
# userdomain also start to cover this domain. Audit what else references
# userdomain before treating nx_server_t as a narrowly confined service.
type nx_server_t, domain, userdomain;
# we need an extra role because nxserver is called from sshd
# Authorises the type nx_server_t for the role nx_server_r.
role nx_server_r types nx_server_t;
# Role allow rule: a process running in system_r may change role to
# nx_server_r. This is the role half of the sshd -> nxserver hand-over.
allow system_r nx_server_r;
# Lets sshd_t reach nx_server_t through a file labelled nx_server_exec_t.
# NOTE(review): domain_trans is defined outside this file; presumably it
# only permits the transition (no automatic type_transition), so sshd has
# to request the target context itself - confirm against the macro.
domain_trans(sshd_t, nx_server_exec_t, nx_server_t)
# not really sure if the additional attributes are needed, copied from userdomains
# NOTE(review): the quoted second argument looks like extra attributes for
# the pty type the macro declares. If so, every rule written against
# userpty_type or user_tty_type also covers nxserver's ptys. The author was
# unsure they are needed; drop them unless a denial shows they are.
# can_create_pty is defined outside this file - confirm the expansion.
can_create_pty(nx_server, `, userpty_type, user_tty_type')
# Relabel default: when nx_server_t asks for the new label of a server_pty
# character device, the answer is nx_server_devpts_t.
# nx_server_devpts_t is not declared in this file; presumably the
# can_create_pty(nx_server, ...) call declares it - confirm.
type_change nx_server_t server_pty:chr_file nx_server_devpts_t;
# Presumably grants nx_server_t what it needs to load shared libraries;
# the macro is defined outside this file.
uses_shlib(nx_server_t)
# Presumably read access to locale data; the macro is defined outside this
# file.
read_locale(nx_server_t)
# Presumably declares a private temporary-file type derived from the
# nx_server prefix and lets nx_server_t create files with it, so its temp
# files do not share the generic tmp label - confirm against the macro.
tmp_domain(nx_server)
# Presumably the /var/run counterpart of tmp_domain: a private type for
# runtime files created by nx_server_t - confirm against the macro.
var_run_domain(nx_server)
# nxserver is a shell script --> call other programs
# NOTE(review): can_exec presumably grants execute without a domain
# transition (execute_no_trans), so every program labelled bin_t and the
# shell run with the full nx_server_t permission set, including the
# network access granted further down. If individual helpers have their
# own domains, a transition to those is the tighter choice.
can_exec(nx_server_t, { bin_t shell_exec_t })
# Fork children and deliver SIGCHLD within nx_server_t itself; no other
# process permission (signal, ptrace, setsched, ...) is granted here.
allow nx_server_t self:process { fork sigchld };
# Pipe I/O between processes of this domain (presumably the shell
# pipelines of the nxserver script).
allow nx_server_t self:fifo_file { getattr ioctl read write };
# List and traverse directories labelled bin_t (read-only: no add_name,
# remove_name or write).
allow nx_server_t bin_t:dir { getattr read search };
# Follow symbolic links labelled bin_t.
allow nx_server_t bin_t:lnk_file read;
# Presumably read-only access to directories and files labelled proc_t;
# r_dir_file is defined outside this file - confirm the expansion.
r_dir_file(nx_server_t, proc_t)
# Read-only access to regular files labelled etc_t or etc_runtime_t.
# These are generic labels, so the grant covers every file that carries
# them, not only the ones nxserver actually consults.
allow nx_server_t { etc_t etc_runtime_t }:file { getattr read };
# we do not actually need this attribute or the types defined here, 
# but otherwise we cannot call the ssh_domain-macro
# Declared only so that ssh_domain(nx_server) can be called; no type
# declared in this file is assigned to this attribute.
attribute nx_server_file_type;
# Declares nx_server_home_dir_t, with nx_server_home_t as a second name
# for the same type. Like the types that follow, it carries no attributes
# and no rule in this file references it directly.
type nx_server_home_dir_t alias nx_server_home_t;
type nx_server_xauth_home_t;
type nx_server_tty_device_t;
type nx_server_gph_t;
type nx_server_fonts_cache_t;
type nx_server_fonts_t;
type nx_server_fonts_config_t;
type nx_server_gnome_settings_t;
# NOTE(review): ssh_domain is defined outside this file; presumably it
# creates a separate ssh client domain derived from the nx_server prefix
# that nx_server_t can enter. Whatever the macro grants is not visible
# here, so read its expansion when judging what nxserver can reach.
ssh_domain(nx_server)
# Presumably the client-side network permissions (create sockets, send and
# receive, no listening); the macro is defined outside this file.
can_network_client(nx_server_t)
# NOTE(review): port_type looks like the attribute carried by every port
# type, which would let nx_server_t open outbound TCP connections to any
# port. If nxserver only talks to a known set of services, replace
# port_type with the specific port types for those services.
allow nx_server_t port_type:tcp_socket name_connect;
# Read and write the character device labelled devtty_t (presumably
# /dev/tty, the controlling terminal).
allow nx_server_t devtty_t:chr_file { read write };
# Traverse the sysctl_kernel_t directory; needed to reach the files read
# by the next rule.
allow nx_server_t sysctl_kernel_t:dir search;
# Read-only access to kernel sysctl entries; write is not granted.
allow nx_server_t sysctl_kernel_t:file { getattr read };
# Read from the urandom device; write (adding to the pool) is not granted.
allow nx_server_t urandom_device_t:chr_file read;
# for reading the config files; maybe a separate type, 
# but users need to be able to also read the config
# NOTE(review): usr_t is a generic label, so this grants read on every
# file labelled usr_t, not only the NX configuration. A dedicated config
# type that both nx_server_t and the user domains may read would keep the
# grant to the files that are actually needed.
allow nx_server_t usr_t:file { getattr read };
# The search stays denied; this only suppresses the audit record. Keep in
# mind when reading audit logs for nx_server_t that these denials will not
# appear there.
dontaudit nx_server_t selinux_config_t:dir search;
# clients already have create permissions; the nxclient wants to also have unlink rights
# NOTE(review): the source is the userdomain attribute, so this lets every
# domain carrying that attribute (nx_server_t included) unlink socket
# files labelled xdm_tmp_t, whether or not NX is in use. File-mode (DAC)
# checks still apply, but the type-enforcement restriction is lifted for
# all of them. If only the NX client needs it, scope the source to that
# client's domain instead of the whole attribute.
allow userdomain xdm_tmp_t:sock_file unlink;
# for a lockfile created by the client process
# stat() only: nx_server_t may query attributes of files whose type
# carries user_tmpfile, but cannot read or modify their contents.
allow nx_server_t user_tmpfile:file getattr;