Add SELinux policy sub-package.

2017-04-12 22:15:12 +10:00 · 2017-04-12 22:15:12 +10:00 · 75d49d9d76
commit 75d49d9d76
parent 24e3a2139d
2 changed files with 64 additions and 1 deletions
--- a/xrdp.spec
+++ b/xrdp.spec
@ -1,10 +1,13 @@
 %global _hardened_build 1

+%global selinux_types %(%{__awk} '/^#[[:space:]]*SELINUXTYPE=/,/^[^#]/ { if ($3 == "-") printf "%s ", $2 }' /etc/selinux/config 2>/dev/null)
+%global selinux_variants %([ -z "%{selinux_types}" ] && echo mls targeted || echo %{selinux_types})
+
 Summary:   Open source remote desktop protocol (RDP) server
 Name:      xrdp
 Epoch:     1
 Version:   0.9.2
-Release:   7%{?dist}
+Release:   8%{?dist}
 License:   ASL 2.0
 Group:     Applications/Internet
 URL:       http://www.xrdp.org/
@ -14,6 +17,7 @@ Source2:   xrdp.sysconfig
 Source3:   xrdp.logrotate
 Source4:   openssl.conf
 Source5:   README.Fedora
+Source6:   xrdp.te
 Patch0:    xrdp-0.9.2-sesman.patch
 Patch1:    xrdp-0.9.2-xrdp-ini.patch
 Patch2:    xrdp-0.9.2-service.patch
@ -31,6 +35,9 @@ BuildRequires: pkgconfig(pixman-1)
 BuildRequires: pkgconfig(systemd)
 BuildRequires: nasm

+BuildRequires: checkpolicy, selinux-policy-devel
+BuildRequires: hardlink
+
 # tigervnc-server-minimal provides Xvnc (default for now)
 Requires: tigervnc-server-minimal
 # xorgxrdp is another back end (small, so require it too)
@ -56,10 +63,23 @@ of RDP clients, including FreeRDP and Microsoft RDP client.
 This package contains headers necessary for developing xrdp backends that
 talk to xrdp.

+%package selinux
+Summary: SELinux policy module required tu run xrdp
+
+Requires:      %{name} = %{version}-%{release}
+Requires:      selinux-policy >= %{_selinux_policy_version}
+
+%description selinux
+This package contains SELinux policy module necessary to run xrdp.
+
 %prep
 %autosetup -p1
 %{__cp} %{SOURCE5} .

+# SELinux policy module
+%{__mkdir} SELinux
+%{__cp} -p %{SOURCE6} SELinux
+
 # create 'bash -l' based startwm, to pick up PATH etc.
 echo '#!/bin/bash -l
 . %{_libexecdir}/xrdp/startwm.sh' > sesman/startwm-bash.sh
@ -68,6 +88,16 @@ echo '#!/bin/bash -l
 %configure --enable-fuse --enable-pixman --enable-painter
 %make_build

+# SELinux policy module
+cd SELinux
+for selinuxvariant in %{selinux_variants}
+do
+  %{__make} NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile
+  %{__mv} %{name}.pp %{name}.pp.${selinuxvariant}
+  %{__make} NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile clean
+done
+cd -
+
 %install
 %make_install

@ -89,6 +119,15 @@ echo '#!/bin/bash -l
 #move startwm script to libexec
 %{__mv} -f %{buildroot}%{_sysconfdir}/xrdp/startwm.sh %{buildroot}%{_libexecdir}/xrdp/

+# SELinux policy module
+for selinuxvariant in %{selinux_variants}
+do
+  %{__install} -d %{buildroot}%{_datadir}/selinux/${selinuxvariant}
+  %{__install} -p -m 644 SELinux/%{name}.pp.${selinuxvariant} \
+               %{buildroot}%{_datadir}/selinux/${selinuxvariant}/%{name}.pp
+done
+/usr/sbin/hardlink -cv %{buildroot}%{_datadir}/selinux
+
 %post
 %systemd_post xrdp.service

@ -195,7 +234,14 @@ chmod 400 %{_sysconfdir}/xrdp/key.pem
 %{_libdir}/pkgconfig/xrdp.pc
 %{_libdir}/pkgconfig/rfxcodec.pc

+%files selinux
+%doc SELinux/%{name}.te
+%{_datadir}/selinux/*/%{name}.pp
+
 %changelog
+* Wed Apr 12 2017 Bojan Smojver <bojan@rexurive.com> - 1:0.9.2-8
+- Add SELinux policy sub-package
+
 * Tue Apr 11 2017 Bojan Smojver <bojan@rexurive.com> - 1:0.9.2-7
 - Own /usr/libexec/xrdp directory

--- a/xrdp.te
+++ b/xrdp.te
@ -0,0 +1,17 @@
+module xrdp 1.0.0;
+
+require {
+        type unconfined_service_t;
+        type unconfined_t;
+        type xserver_exec_t;
+        class process transition;
+        class file entrypoint;
+}
+
+#============= unconfined_service_t ==============
+
+allow unconfined_service_t unconfined_t:process transition;
+
+#============= unconfined_t ==============
+
+allow unconfined_t xserver_exec_t:file entrypoint;