nx patch from Dan Walsh

Edits:
 - Style and whitespace fixes
 - Removed read_lnk_files_pattern from nx_read_home_files
 - Delete declaration of nx_server_home_ssh_t and files_type since the template already does this

policy/modules/services/nx.fc

@@ -1,7 +1,12 @@
 /opt/NX/bin/nxserver		--	gen_context(system_u:object_r:nx_server_exec_t,s0)
-
-/opt/NX/home/nx/\.ssh(/.*)?		gen_context(system_u:object_r:nx_server_ssh_home_t,s0)
-
+/opt/NX/home(/.*)?			gen_context(system_u:object_r:nx_server_var_lib_t,s0)
+/opt/NX/home/nx/\.ssh(/.*)?		gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
 /opt/NX/var(/.*)?			gen_context(system_u:object_r:nx_server_var_run_t,s0)
 
 /usr/libexec/nx/nxserver	--	gen_context(system_u:object_r:nx_server_exec_t,s0)
+/usr/NX/bin/nxserver		--	gen_context(system_u:object_r:nx_server_exec_t,s0)
+/usr/NX/home(/.*)?			gen_context(system_u:object_r:nx_server_var_lib_t,s0)
+/usr/NX/home/nx/\.ssh(/.*)?		gen_context(system_u:object_r:nx_server_home_ssh_t,s0)
+
+/var/lib/nxserver(/.*)?			gen_context(system_u:object_r:nx_server_var_lib_t,s0)
+/var/lib/nxserver/home/.ssh(/.*)?	gen_context(system_u:object_r:nx_server_home_ssh_t,s0)

policy/modules/services/nx.if

@@ -17,3 +17,69 @@ interface(`nx_spec_domtrans_server',`
 
 	spec_domtrans_pattern($1, nx_server_exec_t, nx_server_t)
 ')
+
+########################################
+## <summary>
+##	Read nx home directory content
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nx_read_home_files',`
+	gen_require(`
+		type nx_server_home_ssh_t, nx_server_var_lib_t;
+	')
+
+	allow $1 nx_server_var_lib_t:dir search_dir_perms;
+	read_files_pattern($1, nx_server_home_ssh_t, nx_server_home_ssh_t)
+')
+
+########################################
+## <summary>
+##	Read nx /var/lib content
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`nx_search_var_lib',`
+	gen_require(`
+		type nx_server_var_lib_t;
+	')
+
+	allow $1 nx_server_var_lib_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Create an object in the root directory, with a private
+##	type using a type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="private type">
+##	<summary>
+##	The type of the object to be created.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The object class of the object being created.
+##	</summary>
+## </param>
+#
+interface(`nx_var_lib_filetrans',`
+	gen_require(`
+		type nx_server_var_lib_t;
+	')
+
+	filetrans_pattern($1, nx_server_var_lib_t, $2, $3)
+')

policy/modules/services/nx.te

@@ -22,6 +22,9 @@ term_user_pty(nx_server_t, nx_server_devpts_t)
 type nx_server_tmp_t;
 files_tmp_file(nx_server_tmp_t)
 
+type nx_server_var_lib_t;
+files_type(nx_server_var_lib_t)
+
 type nx_server_var_run_t;
 files_pid_file(nx_server_var_run_t)
 
@@ -37,10 +40,17 @@ allow nx_server_t self:udp_socket create_socket_perms;
 allow nx_server_t nx_server_devpts_t:chr_file { rw_chr_file_perms setattr };
 term_create_pty(nx_server_t, nx_server_devpts_t)
 
+manage_dirs_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t)
+manage_files_pattern(nx_server_t, nx_server_home_ssh_t, nx_server_home_ssh_t)
+
 manage_dirs_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t)
 manage_files_pattern(nx_server_t, nx_server_tmp_t, nx_server_tmp_t)
 files_tmp_filetrans(nx_server_t, nx_server_tmp_t, { file dir })
 
+manage_files_pattern(nx_server_t, nx_server_var_lib_t, nx_server_var_lib_t)
+manage_dirs_pattern(nx_server_t, nx_server_var_lib_t, nx_server_var_lib_t)
+files_var_lib_filetrans(nx_server_t, nx_server_var_lib_t, { file dir })
+
 manage_files_pattern(nx_server_t, nx_server_var_run_t, nx_server_var_run_t)
 files_pid_filetrans(nx_server_t, nx_server_var_run_t, file)