Some SELinux policy additions/improvements.

2018-04-22 16:37:17 +10:00 · 2018-04-22 16:37:17 +10:00 · 18ba1a2928
commit 18ba1a2928
parent 50a24a40bf
2 changed files with 15 additions and 4 deletions
--- a/xrdp.spec
+++ b/xrdp.spec
@ -7,7 +7,7 @@ Summary:   Open source remote desktop protocol (RDP) server
 Name:      xrdp
 Epoch:     1
 Version:   0.9.6
-Release:   1%{?dist}
+Release:   2%{?dist}
 License:   ASL 2.0
 Group:     Applications/Internet
 URL:       http://www.xrdp.org/
@ -259,6 +259,10 @@ fi
 %{_datadir}/selinux/*/%{name}.pp

 %changelog
+* Sun Apr 22 2018 Bojan Smojver <bojan@rexurive.com> - 1:0.9.6-2
+- Allow oddjob-mkhomedir in SELinux policy (stolen from grishin-a)
+- Allow no new privileges transition in SELinux policy
+
 * Tue Mar 27 2018 Bojan Smojver <bojan@rexurive.com> - 1:0.9.6-1
 - Bump up to 0.9.6

--- a/xrdp.te
+++ b/xrdp.te
@ -1,17 +1,24 @@
-module xrdp 1.0.0;
+module xrdp 1.0.1;

 require {
        type unconfined_service_t;
        type unconfined_t;
        type xserver_exec_t;
+        type xserver_t;
+        type oddjob_t;
+        type oddjob_mkhomedir_exec_t;
        class process transition;
        class file entrypoint;
+        class process2 nnp_transition;
 }

 #============= unconfined_service_t ==============
-
 allow unconfined_service_t unconfined_t:process transition;
+allow unconfined_service_t oddjob_mkhomedir_exec_t:file entrypoint;

 #============= unconfined_t ==============
-
 allow unconfined_t xserver_exec_t:file entrypoint;
+allow unconfined_t xserver_t:process2 nnp_transition;
+
+#============= oddjob_t ==============
+allow oddjob_t unconfined_service_t:process transition;