From 75d49d9d763ea0c6b7eb4315fe73c0680692a6d7 Mon Sep 17 00:00:00 2001
From: Bojan Smojver
Date: Wed, 12 Apr 2017 22:15:12 +1000
Subject: [PATCH] Add SELinux policy sub-package.

---
 xrdp.spec | 48 +++++++++++++++++++++++++++++++++++++++++++++++-
 xrdp.te | 17 +++++++++++++++++
 2 files changed, 64 insertions(+), 1 deletion(-)
 create mode 100644 xrdp.te

diff --git a/xrdp.spec b/xrdp.spec
index 998b2be..8bbffde 100644
--- a/xrdp.spec
+++ b/xrdp.spec
@@ -1,10 +1,13 @@
 %global _hardened_build 1
 
+%global selinux_types %(%{__awk} '/^#[[:space:]]*SELINUXTYPE=/,/^[^#]/ { if ($3 == "-") printf "%s ", $2 }' /etc/selinux/config 2>/dev/null)
+%global selinux_variants %([ -z "%{selinux_types}" ] && echo mls targeted || echo %{selinux_types})
+
 Summary: Open source remote desktop protocol (RDP) server
 Name: xrdp
 Epoch: 1
 Version: 0.9.2
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: ASL 2.0
 Group: Applications/Internet
 URL: http://www.xrdp.org/
@@ -14,6 +17,7 @@ Source2: xrdp.sysconfig
 Source3: xrdp.logrotate
 Source4: openssl.conf
 Source5: README.Fedora
+Source6: xrdp.te
 Patch0: xrdp-0.9.2-sesman.patch
 Patch1: xrdp-0.9.2-xrdp-ini.patch
 Patch2: xrdp-0.9.2-service.patch
@@ -31,6 +35,9 @@ BuildRequires: pkgconfig(pixman-1)
 BuildRequires: pkgconfig(systemd)
 BuildRequires: nasm
 
+BuildRequires: checkpolicy, selinux-policy-devel
+BuildRequires: hardlink
+
 # tigervnc-server-minimal provides Xvnc (default for now)
 Requires: tigervnc-server-minimal
 # xorgxrdp is another back end (small, so require it too)
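Review bot: `selinux_types` is read from the build host's `/etc/selinux/config`, so which policy variants the package ships depends on the machine that built it, and in a chroot build where that file is absent the `2>/dev/null` hides the failure and the `mls targeted` fallback in `selinux_variants` is what actually gets built. That is the usual Fedora pattern, but neither line says so; a comment above the two `%global` lines such as `# SELinux policy variants to build: taken from the build host's /etc/selinux/config, else mls+targeted` would save the next maintainer decoding the awk range expression. Note also that the awk program only emits entries whose third field is `-`, i.e. it harvests the commented `# targeted - ...` description lines of that file and never the active `SELINUXTYPE=` setting, which is worth stating explicitly so nobody "fixes" it to read the active type.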
@@ -56,10 +63,23 @@ of RDP clients, including FreeRDP and Microsoft RDP client.
 This package contains headers necessary for developing xrdp backends
 that talk to xrdp.
 
+%package selinux
+Summary: SELinux policy module required tu run xrdp
+
+Requires: %{name} = %{version}-%{release}
+Requires: selinux-policy >= %{_selinux_policy_version}
+
+%description selinux
+This package contains SELinux policy module necessary to run xrdp.
+
 %prep
 %autosetup -p1
 %{__cp} %{SOURCE5} .
 
+# SELinux policy module
+%{__mkdir} SELinux
+%{__cp} -p %{SOURCE6} SELinux
+
 # create 'bash -l' based startwm, to pick up PATH etc.
 echo '#!/bin/bash -l
 . %{_libexecdir}/xrdp/startwm.sh' > sesman/startwm-bash.sh
@@ -68,6 +88,16 @@ echo '#!/bin/bash -l
 %configure --enable-fuse --enable-pixman --enable-painter
 %make_build
 
+# SELinux policy module
+cd SELinux
+for selinuxvariant in %{selinux_variants}
+do
+ %{__make} NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile
+ %{__mv} %{name}.pp %{name}.pp.${selinuxvariant}
+ %{__make} NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile clean
+done
+cd -
+
 %install
 %make_install
 
@@ -89,6 +119,15 @@ echo '#!/bin/bash -l
 #move startwm script to libexec
 %{__mv} -f %{buildroot}%{_sysconfdir}/xrdp/startwm.sh %{buildroot}%{_libexecdir}/xrdp/
 
+# SELinux policy module
+for selinuxvariant in %{selinux_variants}
+do
+ %{__install} -d %{buildroot}%{_datadir}/selinux/${selinuxvariant}
+ %{__install} -p -m 644 SELinux/%{name}.pp.${selinuxvariant} \
+ %{buildroot}%{_datadir}/selinux/${selinuxvariant}/%{name}.pp
+done
+/usr/sbin/hardlink -cv %{buildroot}%{_datadir}/selinux
+
 %post
 %systemd_post xrdp.service
 
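Review bot: Nothing in this patch loads the policy after installation: the `selinux` sub-package installs `%{name}.pp` under `%{_datadir}/selinux/<variant>/` (the install loop in the third hunk here, `%files selinux` in the next hunk), but there is no `%post selinux`/`%postun selinux` running `semodule` against it, so on a freshly installed host the rules never take effect and the Summary's claim that the module is "required to run xrdp" is not met by the package itself. The Fedora SELinux-in-packages shape is a per-variant `semodule -s ${selinuxvariant} -i` in `%post` and `-r %{name}` in `%postun` on last removal, plus `Requires(post)`/`Requires(postun): policycoreutils` on the sub-package; a sketch follows, to be checked against the current packaging guidelines. The Summary in the `%package selinux` hunk also has a typo, `tu run` → `to run`, and `%description selinux` reads better as `This package contains the SELinux policy module necessary to run xrdp.`
```spec
# … unchanged: SELinux install loop and hardlink …

%post selinux
for selinuxvariant in %{selinux_variants}
do
  /usr/sbin/semodule -s ${selinuxvariant} -i \
    %{_datadir}/selinux/${selinuxvariant}/%{name}.pp || :
done

%postun selinux
if [ $1 -eq 0 ] ; then
  for selinuxvariant in %{selinux_variants}
  do
    /usr/sbin/semodule -s ${selinuxvariant} -r %{name} || :
  done
fi
```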
@@ -195,7 +234,14 @@ chmod 400 %{_sysconfdir}/xrdp/key.pem
 %{_libdir}/pkgconfig/xrdp.pc
 %{_libdir}/pkgconfig/rfxcodec.pc
 
+%files selinux
+%doc SELinux/%{name}.te
+%{_datadir}/selinux/*/%{name}.pp
+
 %changelog
+* Wed Apr 12 2017 Bojan Smojver - 1:0.9.2-8
+- Add SELinux policy sub-package
+
 * Tue Apr 11 2017 Bojan Smojver - 1:0.9.2-7
 - Own /usr/libexec/xrdp directory
 
diff --git a/xrdp.te b/xrdp.te
new file mode 100644
index 0000000..c90925c
--- /dev/null
+++ b/xrdp.te
@@ -0,0 +1,17 @@
+module xrdp 1.0.0;
+
+require {
+ type unconfined_service_t;
+ type unconfined_t;
+ type xserver_exec_t;
+ class process transition;
+ class file entrypoint;
+}
+
+#============= unconfined_service_t ==============
+
+allow unconfined_service_t unconfined_t:process transition;
+
+#============= unconfined_t ==============
+
+allow unconfined_t xserver_exec_t:file entrypoint;
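Review bot: The two `allow` rules in xrdp.te carry no rationale, and `allow unconfined_t xserver_exec_t:file entrypoint` lets a process already in `unconfined_t` execute the X server binary while staying in that domain, so whether the X server started for an xrdp session is meant to run unconfined rather than in the X server's own domain is a policy decision the file should state rather than leave implied. Together with `allow unconfined_service_t unconfined_t:process transition` this reads like audit2allow output from observed denials; I'd add a header comment recording the denials it resolves and the flow they come from, e.g. `# Resolves AVC denials seen when the xrdp service (unconfined_service_t) starts a user session and its X server; see <bug or ticket id>`, so a later policy refresh can check whether the base policy has since made these rules unnecessary. The `#=============` section markers are the only comments present and name the source domain but not the reason, which is the part a reviewer of a future denial will need.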