Remove setpriv patch and adjust SELinux policy to match.

2021-01-02 11:19:51 +11:00 · 2021-01-02 11:19:51 +11:00 · 0b41ec2904
parent f569bf929f
commit 0b41ec2904
3 changed files with 16 additions and 68 deletions
--- a/xrdp-0.9.15-setpriv.patch
+++ b/xrdp-0.9.15-setpriv.patch
@ -1,54 +0,0 @@
-diff -ruN xrdp-0.9.15-v/sesman/session.c xrdp-0.9.15/sesman/session.c
--- xrdp-0.9.15-v/sesman/session.c	2020-12-29 01:03:43.000000000 +1100
-+++ xrdp-0.9.15/sesman/session.c	2020-12-29 10:31:37.895699198 +1100
-@@ -33,10 +33,6 @@
- #include "config_ac.h"
- #endif
- 
-#ifdef HAVE_SYS_PRCTL_H
-#include <sys/prctl.h>
-#endif
-
- #include "sesman.h"
- #include "libscp_types.h"
- #include "xauth.h"
-@@ -668,20 +664,7 @@
- 
-                 if (type == SESMAN_SESSION_TYPE_XORG)
-                 {
-#ifdef HAVE_SYS_PRCTL_H
-                    /*
-                     * Make sure Xorg doesn't run setuid root. Root access is not
-                     * needed. Xorg can fail when run as root and the user has no
-                     * console permissions.
-                     * PR_SET_NO_NEW_PRIVS requires Linux kernel 3.5 and newer.
-                     */
-                    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
-                    {
-                        LOG(LOG_LEVEL_WARNING,
-                            "Failed to disable setuid on X server: %s",
-                            g_get_strerror());
-                    }
-#endif
-+                    char *setpriv = g_strdup("setpriv");
- 
-                     xserver_params = list_create();
-                     xserver_params->auto_free = 1;
-@@ -690,6 +673,8 @@
-                     xserver = g_strdup((const char *)list_get_item(g_cfg->xorg_params, 0));
- 
-                     /* these are the must have parameters */
-+                    list_add_item(xserver_params, (tintptr) setpriv);
-+                    list_add_item(xserver_params, (tintptr) g_strdup("--no-new-privs"));
-                     list_add_item(xserver_params, (tintptr) g_strdup(xserver));
-                     list_add_item(xserver_params, (tintptr) g_strdup(screen));
-                     list_add_item(xserver_params, (tintptr) g_strdup("-auth"));
-@@ -713,7 +698,7 @@
-                     g_setenv("XRDP_START_HEIGHT", geometry, 1);
- 
-                     /* fire up Xorg */
-                    g_execvp(xserver, pp1);
-+                    g_execvp(setpriv, pp1);
-                 }
-                 else if (type == SESMAN_SESSION_TYPE_XVNC)
-                 {
--- a/xrdp.spec
+++ b/xrdp.spec
@ -13,7 +13,7 @@ Summary:   Open source remote desktop protocol (RDP) server
 Name:      xrdp
 Epoch:     1
 Version:   0.9.15
-Release:   2%{?dist}
+Release:   3%{?dist}
 License:   ASL 2.0 and GPLv2+ and MIT
 URL:       http://www.xrdp.org/
 Source0:   https://github.com/neutrinolabs/xrdp/releases/download/v%{version}/xrdp-%{version}.tar.gz
@ -27,13 +27,12 @@ Source7:   xrdp-polkit-1.rules
 Patch0:    xrdp-0.9.9-sesman.patch
 Patch1:    xrdp-0.9.14-xrdp-ini.patch
 Patch2:    xrdp-0.9.4-service.patch
-Patch3:    xrdp-0.9.15-setpriv.patch
-Patch4:    xrdp-0.9.10-scripts-libexec.patch
-Patch5:    xrdp-0.9.6-script-interpreter.patch
-Patch6:    xrdp-0.9.15-arch.patch
-Patch7:    xrdp-0.9.14-vnc-uninit.patch
+Patch3:    xrdp-0.9.10-scripts-libexec.patch
+Patch4:    xrdp-0.9.6-script-interpreter.patch
+Patch5:    xrdp-0.9.15-arch.patch
+Patch6:    xrdp-0.9.14-vnc-uninit.patch
 %if 0%{?fedora} >= 32 || 0%{?rhel} >= 8
-Patch8:    xrdp-0.9.15-sesman-ini.patch
+Patch7:    xrdp-0.9.15-sesman-ini.patch
 %endif

 BuildRequires: gcc
@ -280,6 +279,9 @@ fi
 %{_datadir}/selinux/*/%{name}.pp

 %changelog
+* Sat Jan  2 2021 Bojan Smojver <bojan@rexurive.com> - 1:0.9.15-3
+- Remove setpriv patch and adjust SELinux policy to match
+
 * Fri Jan  1 2021 Bojan Smojver <bojan@rexurive.com> - 1:0.9.15-2
 - Use /usr/libexec/Xorg or Xorg session of Fedora and RHEL8+

--- a/xrdp.te
+++ b/xrdp.te
@ -1,27 +1,27 @@
-module xrdp 1.0.2;
-
+module xrdp 1.0.3;
+ 
 require {
        type unconfined_service_t;
        type unconfined_t;
        type unlabeled_t;
        type xserver_exec_t;
-        type xserver_t;
        type oddjob_t;
        type oddjob_mkhomedir_exec_t;
        class process transition;
+        class process2 nnp_transition;
        class file entrypoint;
        class process2 nnp_transition;
        class vsock_socket { getattr read write };
 }
-
+ 
 #============= unconfined_service_t ==============
 allow unconfined_service_t unconfined_t:process transition;
+allow unconfined_service_t unconfined_t:process2 nnp_transition;
 allow unconfined_service_t oddjob_mkhomedir_exec_t:file entrypoint;
 allow unconfined_service_t unlabeled_t:vsock_socket { getattr read write };
-
+ 
 #============= unconfined_t ==============
 allow unconfined_t xserver_exec_t:file entrypoint;
-allow unconfined_t xserver_t:process2 nnp_transition;
-
+ 
 #============= oddjob_t ==============
 allow oddjob_t unconfined_service_t:process transition;