From 0b41ec290436ba66245c1710d5d64d4f683f13a4 Mon Sep 17 00:00:00 2001
From: Bojan Smojver
Date: Sat, 2 Jan 2021 11:19:51 +1100
Subject: [PATCH] Remove setpriv patch and adjust SELinux policy to match.

---
 xrdp-0.9.15-setpriv.patch | 54 ---------------------------------------
 xrdp.spec                 | 16 +++++++-----
 xrdp.te                   | 14 +++++-----
 3 files changed, 16 insertions(+), 68 deletions(-)
 delete mode 100644 xrdp-0.9.15-setpriv.patch

diff --git a/xrdp-0.9.15-setpriv.patch b/xrdp-0.9.15-setpriv.patch
deleted file mode 100644
index fa7829f..0000000
--- a/xrdp-0.9.15-setpriv.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-diff -ruN xrdp-0.9.15-v/sesman/session.c xrdp-0.9.15/sesman/session.c
---- xrdp-0.9.15-v/sesman/session.c	2020-12-29 01:03:43.000000000 +1100
-+++ xrdp-0.9.15/sesman/session.c	2020-12-29 10:31:37.895699198 +1100
-@@ -33,10 +33,6 @@
- #include "config_ac.h"
- #endif
- 
--#ifdef HAVE_SYS_PRCTL_H
--#include
--#endif
--
- #include "sesman.h"
- #include "libscp_types.h"
- #include "xauth.h"
-@@ -668,20 +664,7 @@
- 
- if (type == SESMAN_SESSION_TYPE_XORG)
- {
--#ifdef HAVE_SYS_PRCTL_H
-- /*
-- * Make sure Xorg doesn't run setuid root. Root access is not
-- * needed. Xorg can fail when run as root and the user has no
-- * console permissions.
-- * PR_SET_NO_NEW_PRIVS requires Linux kernel 3.5 and newer.
-- */
-- if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
-- {
-- LOG(LOG_LEVEL_WARNING,
-- "Failed to disable setuid on X server: %s",
-- g_get_strerror());
-- }
--#endif
-+ char *setpriv = g_strdup("setpriv");
- 
- xserver_params = list_create();
- xserver_params->auto_free = 1;
-@@ -690,6 +673,8 @@
- xserver = g_strdup((const char *)list_get_item(g_cfg->xorg_params, 0));
- 
- /* these are the must have parameters */
-+ list_add_item(xserver_params, (tintptr) setpriv);
-+ list_add_item(xserver_params, (tintptr) g_strdup("--no-new-privs"));
- list_add_item(xserver_params, (tintptr) g_strdup(xserver));
- list_add_item(xserver_params, (tintptr) g_strdup(screen));
- list_add_item(xserver_params, (tintptr) g_strdup("-auth"));
-@@ -713,7 +698,7 @@
- g_setenv("XRDP_START_HEIGHT", geometry, 1);
- 
- /* fire up Xorg */
-- g_execvp(xserver, pp1);
-+ g_execvp(setpriv, pp1);
- }
- else if (type == SESMAN_SESSION_TYPE_XVNC)
- {
diff --git a/xrdp.spec b/xrdp.spec
index 6c0d67d..038f0fb 100644
--- a/xrdp.spec
+++ b/xrdp.spec
@@ -13,7 +13,7 @@ Summary: Open source remote desktop protocol (RDP) server
 Name: xrdp
 Epoch: 1
 Version: 0.9.15
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: ASL 2.0 and GPLv2+ and MIT
 URL: http://www.xrdp.org/
 Source0: https://github.com/neutrinolabs/xrdp/releases/download/v%{version}/xrdp-%{version}.tar.gz
@@ -27,13 +27,12 @@ Source7: xrdp-polkit-1.rules
 Patch0: xrdp-0.9.9-sesman.patch
 Patch1: xrdp-0.9.14-xrdp-ini.patch
 Patch2: xrdp-0.9.4-service.patch
-Patch3: xrdp-0.9.15-setpriv.patch
-Patch4: xrdp-0.9.10-scripts-libexec.patch
-Patch5: xrdp-0.9.6-script-interpreter.patch
-Patch6: xrdp-0.9.15-arch.patch
-Patch7: xrdp-0.9.14-vnc-uninit.patch
+Patch3: xrdp-0.9.10-scripts-libexec.patch
+Patch4: xrdp-0.9.6-script-interpreter.patch
+Patch5: xrdp-0.9.15-arch.patch
+Patch6: xrdp-0.9.14-vnc-uninit.patch
 %if 0%{?fedora} >= 32 || 0%{?rhel} >= 8
-Patch8: xrdp-0.9.15-sesman-ini.patch
+Patch7: xrdp-0.9.15-sesman-ini.patch
 %endif
 
 BuildRequires: gcc
@@ -280,6 +279,9 @@ fi
 %{_datadir}/selinux/*/%{name}.pp
 
 %changelog
+* Sat Jan 2 2021 Bojan Smojver - 1:0.9.15-3
+- Remove setpriv patch and adjust SELinux policy to match
+
 * Fri Jan 1 2021 Bojan Smojver - 1:0.9.15-2
 - Use /usr/libexec/Xorg or Xorg session of Fedora and RHEL8+
 
diff --git a/xrdp.te b/xrdp.te
index b18e2fc..08c5464 100644
--- a/xrdp.te
+++ b/xrdp.te
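Review bot: Renumbering Patch3–Patch8 down by one after dropping xrdp-0.9.15-setpriv.patch is only safe if %prep applies the patches without naming their numbers (for example `%autosetup -p1`); if it uses explicit `%patchN -p1` lines, including a conditional one for the former Patch8, those lines need matching updates, and %prep lies outside this diff so that cannot be confirmed here. Leaving the remaining numbers untouched and deleting only the Patch3 line would have avoided that coupling. The hunk itself is internally consistent, including the `%if` guard that now wraps Patch7 instead of Patch8.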
@@ -1,27 +1,27 @@
-module xrdp 1.0.2;
-
+module xrdp 1.0.3;
+
 require {
 	type unconfined_service_t;
 	type unconfined_t;
 	type unlabeled_t;
 	type xserver_exec_t;
-	type xserver_t;
 	type oddjob_t;
 	type oddjob_mkhomedir_exec_t;
 	class process transition;
+	class process2 nnp_transition;
 	class file entrypoint;
 	class process2 nnp_transition;
 	class vsock_socket { getattr read write };
 }
-
+
 #============= unconfined_service_t ==============
 allow unconfined_service_t unconfined_t:process transition;
+allow unconfined_service_t unconfined_t:process2 nnp_transition;
 allow unconfined_service_t oddjob_mkhomedir_exec_t:file entrypoint;
 allow unconfined_service_t unlabeled_t:vsock_socket { getattr read write };
-
+
 #============= unconfined_t ==============
 allow unconfined_t xserver_exec_t:file entrypoint;
-allow unconfined_t xserver_t:process2 nnp_transition;
-
+
 #============= oddjob_t ==============
 allow oddjob_t unconfined_service_t:process transition;
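Review bot: The `class process2 nnp_transition;` added inside the require block duplicates the identical declaration that is still present as context two lines further down, so the added line should be dropped (or the older one removed) rather than declaring the class twice; checkmodule may accept the repeat, but it reads as an editing slip. The new `allow unconfined_service_t unconfined_t:process2 nnp_transition;` would benefit from a one-line comment saying why a no-new-privs transition is needed, e.g. `# sesman sets PR_SET_NO_NEW_PRIVS before exec'ing Xorg, so this transition needs nnp_transition`, since that reason is only visible in the upstream code quoted by the deleted setpriv patch. Removing `type xserver_t;` together with its nnp_transition rule is consistent, but if the retained `allow unconfined_t xserver_exec_t:file entrypoint;` is now the rule that lets Xorg start in unconfined_t rather than xserver_t, a comment stating that intent would spare the next reviewer from re-deriving it, as the commit message does not say.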