import tigervnc-1.12.0-4.el8

This commit is contained in:
CentOS Sources 2022-03-29 08:10:17 -04:00 committed by Stepan Oksanichenko
parent 7e3694d0bb
commit 271aebb9f8
22 changed files with 294 additions and 1059 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/tigervnc-1.11.0.tar.gz SOURCES/tigervnc-1.12.0.tar.gz

View File

@ -1 +1 @@
6f6b621a76b734888748de10c32c2b5b59d40b19 SOURCES/tigervnc-1.11.0.tar.gz 44db63993d8ad04f730b0b48e8aca32933bff15a SOURCES/tigervnc-1.12.0.tar.gz

View File

@ -1,116 +0,0 @@
# What has changed
The previous Tigervnc versions had a wrapper script called `vncserver` which
could be run as a user manually to start *Xvnc* process. The usage was quite
simple as you just run
```
$ vncserver :x [vncserver options] [Xvnc options]
```
and that was it. While this was working just fine, there were issues when users
wanted to start a Tigervnc server using *systemd*. For these reasons things were
completely changed and there is now a new way how this all is supposed to work.
 # How to start Tigervnc server
 
## Add a user mapping
With this you can map a user to a particular port. The mapping should be done in
`/etc/tigervnc/vncserver.users` configuration file. It should be pretty
straightforward once you open the file as there are some examples, but basically
the mapping is in form
```
:x=user
```
For example you can have
```
:1=test
:2=vncuser
```
## Configure Xvnc options
To configure Xvnc parameters, you need to go to the same directory where you did
the user mapping and open `vncserver-config-defaults` configuration file. This
file is for the default Xvnc configuration and will be applied to every user
unless any of the following applies:
* The user has its own configuration in `$HOME/.vnc/config`
* The same option with different value is configured in
  `vncserver-config-mandatory` configuration file, which replaces the default
  configuration and has even a higher priority than the per-user configuration.
  This option is for system administrators when they want to force particular
  *Xvnc* options.
Format of the configuration file is also quite simple as the configuration is
in form of
```
option=value
option
```
for example
```
session=gnome
securitytypes=vncauth,tlsvnc
desktop=sandbox
geometry=2000x1200
localhost
alwaysshared
```
### Note:
There is one important option you need to set and that option is the session you
want to start. E.g when you want to start GNOME desktop, then you have to use
```
session=gnome
```
which should match the name of a session desktop file from `/usr/share/xsessions`
directory.
## Set VNC password
You need to set a password for each user in order to be able to start the
Tigervnc server. In order to create a password, you just run
```
$ vncpasswd
```
as the user you will be starting the server for.
### Note:
If you were using Tigervnc before for your user and you already created a
password, then you will have to make sure the `$HOME/.vnc` folder created by
`vncpasswd` will have the correct *SELinux* context. You either can delete this
folder and recreate it again by creating the password one more time, or
alternatively you can run
```
$ restorecon -RFv /home/<USER>/.vnc
```
## Start the Tigervnc server
Finally you can start the server using systemd service. To do so just run
```
$ systemctl start vncserver@:x
```
as root or
```
$ sudo systemctl start vncserver@:x
```
as a regular user in case it has permissions to run `sudo`. Don't forget to
replace the `:x` by the actual number you configured in the user mapping file.
Following our example by running
```
$ systemctl start vncserver@:1
```
you will start a Tigervnc server for user `test` with a GNOME session.
### Note:
If you were previously using Tigervnc and you were used to start it using
*systemd* then you will need to remove previous *systemd* configuration files,
those you most likely copied to `/etc/systemd/system/vncserver@.service`,
otherwise this service file will be preferred over the new one installed with
latest Tigervnc.
If you want to use a remote NFS server for the home directories on this machine,
you must set the use_nfs_home_dirs boolean:
```
setsebool -P use_nfs_home_dirs on
```
# Limitations
You will not be able to start a Tigervnc server for a user who is already
logged into a graphical session. Avoid running the server as the `root` user as
it's not a safe thing to do. While running the server as the `root` should work
in general, it's not recommended to do so and there might be some things which
are not working properly.

View File

@ -1,74 +0,0 @@
diff --git a/unix/x0vncserver/Image.cxx b/unix/x0vncserver/Image.cxx
index f998c6a..fb9dbd4 100644
--- a/unix/x0vncserver/Image.cxx
+++ b/unix/x0vncserver/Image.cxx
@@ -80,6 +80,14 @@ void Image::Init(int width, int height)
xim = XCreateImage(dpy, vis, DefaultDepth(dpy, DefaultScreen(dpy)),
ZPixmap, 0, 0, width, height, BitmapPad(dpy), 0);
+ if (xim->bytes_per_line <= 0 ||
+ xim->height <= 0 ||
+ xim->height >= INT_MAX / xim->bytes_per_line) {
+ vlog.error("Invalid display size");
+ XDestroyImage(xim);
+ exit(1);
+ }
+
xim->data = (char *)malloc(xim->bytes_per_line * xim->height);
if (xim->data == NULL) {
vlog.error("malloc() failed");
@@ -256,6 +264,17 @@ void ShmImage::Init(int width, int height, const XVisualInfo *vinfo)
return;
}
+ if (xim->bytes_per_line <= 0 ||
+ xim->height <= 0 ||
+ xim->height >= INT_MAX / xim->bytes_per_line) {
+ vlog.error("Invalid display size");
+ XDestroyImage(xim);
+ xim = NULL;
+ delete shminfo;
+ shminfo = NULL;
+ return;
+ }
+
shminfo->shmid = shmget(IPC_PRIVATE,
xim->bytes_per_line * xim->height,
IPC_CREAT|0777);
diff --git a/vncviewer/PlatformPixelBuffer.cxx b/vncviewer/PlatformPixelBuffer.cxx
index a2b506d..9266d9f 100644
--- a/vncviewer/PlatformPixelBuffer.cxx
+++ b/vncviewer/PlatformPixelBuffer.cxx
@@ -49,6 +49,15 @@ PlatformPixelBuffer::PlatformPixelBuffer(int width, int height) :
if (!xim)
throw rdr::Exception("XCreateImage");
+ if (xim->bytes_per_line <= 0 ||
+ xim->height <= 0 ||
+ xim->height >= INT_MAX / xim->bytes_per_line) {
+ if (xim)
+ XDestroyImage(xim);
+ xim = NULL;
+ throw rdr::Exception("Invalid display size");
+ }
+
xim->data = (char*)malloc(xim->bytes_per_line * xim->height);
if (!xim->data)
throw rdr::Exception("malloc");
@@ -152,6 +161,16 @@ bool PlatformPixelBuffer::setupShm()
if (!xim)
goto free_shminfo;
+ if (xim->bytes_per_line <= 0 ||
+ xim->height <= 0 ||
+ xim->height >= INT_MAX / xim->bytes_per_line) {
+ XDestroyImage(xim);
+ xim = NULL;
+ delete shminfo;
+ shminfo = NULL;
+ throw rdr::Exception("Invalid display size");
+ }
+
shminfo->shmid = shmget(IPC_PRIVATE,
xim->bytes_per_line * xim->height,
IPC_CREAT|0600);

View File

@ -1,13 +0,0 @@
diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c
index 2b47f5f5..f78c096f 100644
--- a/unix/vncserver/vncsession.c
+++ b/unix/vncserver/vncsession.c
@@ -99,7 +99,7 @@ begin_daemon(void)
return -1;
}
- if (pid == 0)
+ if (pid != 0)
_exit(0);
/* Send all stdio to /dev/null */

View File

@ -1,12 +0,0 @@
diff -up tigervnc-1.3.0/vncviewer/Viewport.cxx.cursor tigervnc-1.3.0/vncviewer/Viewport.cxx
--- tigervnc-1.3.0/vncviewer/Viewport.cxx.cursor 2013-12-17 13:28:23.170400013 +0000
+++ tigervnc-1.3.0/vncviewer/Viewport.cxx 2013-12-17 13:29:46.095784064 +0000
@@ -248,7 +248,7 @@ void Viewport::setCursor(int width, int height, const Point& hotspot,
}
}
- if (Fl::belowmouse() == this)
+ if (Fl::belowmouse() == this && cursor)
window()->cursor(cursor, cursorHotspot.x, cursorHotspot.y);
}

View File

@ -0,0 +1,34 @@
From 2daf4126882f82b6e392dfbae87205dbdc559c3d Mon Sep 17 00:00:00 2001
From: Pierre Ossman <ossman@cendio.se>
Date: Thu, 23 Dec 2021 15:58:00 +0100
Subject: [PATCH] Fix typo in mirror monitor detection
Bug introduced in fb561eb but still somehow passed manual testing.
Resulted in some stray reads off the end of the stack, which were
hopefully harmless.
---
vncviewer/MonitorIndicesParameter.cxx | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/vncviewer/MonitorIndicesParameter.cxx b/vncviewer/MonitorIndicesParameter.cxx
index 5130831cb..4ac74dd1a 100644
--- a/vncviewer/MonitorIndicesParameter.cxx
+++ b/vncviewer/MonitorIndicesParameter.cxx
@@ -211,13 +211,13 @@ std::vector<MonitorIndicesParameter::Monitor> MonitorIndicesParameter::fetchMoni
// Only keep a single entry for mirrored screens
match = false;
for (int j = 0; j < ((int) monitors.size()); j++) {
- if (monitors[i].x != monitor.x)
+ if (monitors[j].x != monitor.x)
continue;
- if (monitors[i].y != monitor.y)
+ if (monitors[j].y != monitor.y)
continue;
- if (monitors[i].w != monitor.w)
+ if (monitors[j].w != monitor.w)
continue;
- if (monitors[i].h != monitor.h)
+ if (monitors[j].h != monitor.h)
continue;
match = true;

View File

@ -1,88 +0,0 @@
diff --git a/unix/xserver/hw/vnc/InputXKB.c b/unix/xserver/hw/vnc/InputXKB.c
index f84a6e4..4eac939 100644
--- a/unix/xserver/hw/vnc/InputXKB.c
+++ b/unix/xserver/hw/vnc/InputXKB.c
@@ -226,10 +226,7 @@ void vncPrepareInputDevices(void)
unsigned vncGetKeyboardState(void)
{
- DeviceIntPtr master;
-
- master = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT);
- return XkbStateFieldFromRec(&master->key->xkbInfo->state);
+ return XkbStateFieldFromRec(&vncKeyboardDev->master->key->xkbInfo->state);
}
unsigned vncGetLevelThreeMask(void)
@@ -250,7 +247,7 @@ unsigned vncGetLevelThreeMask(void)
return 0;
}
- xkb = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT)->key->xkbInfo->desc;
+ xkb = vncKeyboardDev->master->key->xkbInfo->desc;
act = XkbKeyActionPtr(xkb, keycode, state);
if (act == NULL)
@@ -275,7 +272,7 @@ KeyCode vncPressShift(void)
if (state & ShiftMask)
return 0;
- xkb = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT)->key->xkbInfo->desc;
+ xkb = vncKeyboardDev->master->key->xkbInfo->desc;
for (key = xkb->min_key_code; key <= xkb->max_key_code; key++) {
XkbAction *act;
unsigned char mask;
@@ -315,7 +312,7 @@ size_t vncReleaseShift(KeyCode *keys, size_t maxKeys)
count = 0;
- master = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT);
+ master = vncKeyboardDev->master;
xkb = master->key->xkbInfo->desc;
for (key = xkb->min_key_code; key <= xkb->max_key_code; key++) {
XkbAction *act;
@@ -371,7 +368,7 @@ KeyCode vncPressLevelThree(void)
return 0;
}
- xkb = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT)->key->xkbInfo->desc;
+ xkb = vncKeyboardDev->master->key->xkbInfo->desc;
act = XkbKeyActionPtr(xkb, keycode, state);
if (act == NULL)
@@ -402,7 +399,7 @@ size_t vncReleaseLevelThree(KeyCode *keys, size_t maxKeys)
count = 0;
- master = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT);
+ master = vncKeyboardDev->master;
xkb = master->key->xkbInfo->desc;
for (key = xkb->min_key_code; key <= xkb->max_key_code; key++) {
XkbAction *act;
@@ -447,7 +444,7 @@ KeyCode vncKeysymToKeycode(KeySym keysym, unsigned state, unsigned *new_state)
*new_state = state;
fallback = 0;
- xkb = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT)->key->xkbInfo->desc;
+ xkb = vncKeyboardDev->master->key->xkbInfo->desc;
for (key = xkb->min_key_code; key <= xkb->max_key_code; key++) {
unsigned int state_out;
KeySym dummy;
@@ -551,7 +548,7 @@ int vncIsAffectedByNumLock(KeyCode keycode)
if (numlock_keycode == 0)
return 0;
- xkb = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT)->key->xkbInfo->desc;
+ xkb = vncKeyboardDev->master->key->xkbInfo->desc;
act = XkbKeyActionPtr(xkb, numlock_keycode, state);
if (act == NULL)
@@ -585,7 +582,7 @@ KeyCode vncAddKeysym(KeySym keysym, unsigned state)
KeySym *syms;
KeySym upper, lower;
- master = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT);
+ master = vncKeyboardDev->master;
xkb = master->key->xkbInfo->desc;
for (key = xkb->max_key_code; key >= xkb->min_key_code; key--) {
if (XkbKeyNumGroups(xkb, key) == 0)

View File

@ -1,13 +0,0 @@
diff --git a/unix/vncpasswd/vncpasswd.cxx b/unix/vncpasswd/vncpasswd.cxx
index 16c925ee..6398121e 100644
--- a/unix/vncpasswd/vncpasswd.cxx
+++ b/unix/vncpasswd/vncpasswd.cxx
@@ -150,6 +150,8 @@ int main(int argc, char** argv)
char yesno[3];
if (fgets(yesno, 3, stdin) != NULL && (yesno[0] == 'y' || yesno[0] == 'Y')) {
obfuscatedReadOnly = readpassword();
+ } else {
+ fprintf(stderr, "A view-only password is not used\n");
}
FILE* fp = fopen(fname,"w");

View File

@ -1,41 +0,0 @@
diff --git a/common/rfb/Password.cxx b/common/rfb/Password.cxx
index e4a508c..f555c57 100644
--- a/common/rfb/Password.cxx
+++ b/common/rfb/Password.cxx
@@ -55,7 +55,7 @@ PlainPasswd::~PlainPasswd() {
void PlainPasswd::replaceBuf(char* b) {
if (buf)
- memset(buf, 0, strlen(buf));
+ memset(buf, 0, length ? length : strlen(buf));
CharArray::replaceBuf(b);
}
diff --git a/common/rfb/util.h b/common/rfb/util.h
index 3100f90..764692a 100644
--- a/common/rfb/util.h
+++ b/common/rfb/util.h
@@ -51,16 +51,21 @@ namespace rfb {
CharArray() : buf(0) {}
CharArray(char* str) : buf(str) {} // note: assumes ownership
CharArray(size_t len) {
+ length = len;
buf = new char[len]();
}
~CharArray() {
- delete [] buf;
+ if (buf) {
+ delete [] buf;
+ buf = nullptr;
+ }
}
void format(const char *fmt, ...) __printf_attr(2, 3);
// Get the buffer pointer & clear it (i.e. caller takes ownership)
char* takeBuf() {char* tmp = buf; buf = 0; return tmp;}
- void replaceBuf(char* b) {delete [] buf; buf = b;}
+ void replaceBuf(char* b) {if (buf) delete [] buf; buf = b;}
char* buf;
+ size_t length = 0;
private:
CharArray(const CharArray&);
CharArray& operator=(const CharArray&);

View File

@ -0,0 +1,25 @@
From faf81b4b238e24fe29eb53f885a25367e212dd7b Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 7 Feb 2022 10:45:41 +0100
Subject: [PATCH] SELinux: use /root/.vnc in file context specification
Instead of HOME_ROOT/.vnc, /root/.vnc should be used
for user root's home to specify default file context
as HOME_ROOT actually means base for home dirs (usually /home).
---
unix/vncserver/selinux/vncsession.fc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/unix/vncserver/selinux/vncsession.fc b/unix/vncserver/selinux/vncsession.fc
index 6aaf4b1f4..bc81f8f25 100644
--- a/unix/vncserver/selinux/vncsession.fc
+++ b/unix/vncserver/selinux/vncsession.fc
@@ -18,7 +18,7 @@
#
HOME_DIR/\.vnc(/.*)? gen_context(system_u:object_r:vnc_home_t,s0)
-HOME_ROOT/\.vnc(/.*)? gen_context(system_u:object_r:vnc_home_t,s0)
+/root/\.vnc(/.*)? gen_context(system_u:object_r:vnc_home_t,s0)
/usr/sbin/vncsession -- gen_context(system_u:object_r:vnc_session_exec_t,s0)
/usr/libexec/vncsession-start -- gen_context(system_u:object_r:vnc_session_exec_t,s0)

View File

@ -1,39 +0,0 @@
From 6125695b80f6a43002f454786115b0a6c1730831 Mon Sep 17 00:00:00 2001
From: Jan Grulich <jgrulich@redhat.com>
Date: Mon, 17 May 2021 13:44:32 +0200
Subject: [PATCH] SELinux: Add missing compression and install policy to
correct directory
---
unix/vncserver/selinux/Makefile | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/unix/vncserver/selinux/Makefile b/unix/vncserver/selinux/Makefile
index 7497bf846..b23f20f60 100644
--- a/unix/vncserver/selinux/Makefile
+++ b/unix/vncserver/selinux/Makefile
@@ -10,15 +10,18 @@
PREFIX=/usr
DATADIR=$(PREFIX)/share
-all: vncsession.pp
+all: vncsession.pp.bz2
+
+%.pp.bz2: %.pp
+ bzip2 -9 $^
%.pp: %.te
make -f $(DATADIR)/selinux/devel/Makefile $@
clean:
- rm -f *.pp
+ rm -f *.pp *.pp.bz2
rm -rf tmp
-install: vncsession.pp
- mkdir -p $(DESTDIR)$(DATADIR)/selinux/packages
- install vncsession.pp $(DESTDIR)$(DATADIR)/selinux/packages/vncsession.pp
+install: vncsession.pp.bz2
+ mkdir -p $(DESTDIR)$(DATADIR)/selinux/packages/targeted/
+ install vncsession.pp.bz2 $(DESTDIR)$(DATADIR)/selinux/packages/targeted/vncsession.pp.bz2

View File

@ -1,183 +0,0 @@
From 386542e6d50eeaa68aa91f821c0725ddd0ab9b2a Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 18 May 2021 12:23:15 +0200
Subject: [PATCH] selinux: Fix issues reported by SELint
Style guide [1] issues only. No impact on policy functionality.
[1] - https://github.com/TresysTechnology/refpolicy/wiki/StyleGuide
---
unix/vncserver/selinux/vncsession.te | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
index a773fed39..63ad8a85f 100644
--- a/unix/vncserver/selinux/vncsession.te
+++ b/unix/vncserver/selinux/vncsession.te
@@ -17,7 +17,7 @@
# USA.
#
-policy_module(vncsession, 1.0.0);
+policy_module(vncsession, 1.0.0)
gen_require(`
attribute userdomain;
@@ -42,8 +42,8 @@ can_exec(vnc_session_t, vnc_session_exec_t)
userdom_spec_domtrans_all_users(vnc_session_t)
userdom_signal_all_users(vnc_session_t)
-allow vnc_session_t self:capability { kill chown dac_override dac_read_search fowner setgid setuid sys_resource };
-allow vnc_session_t self:process { getcap setsched setexec setrlimit };
+allow vnc_session_t self:capability { chown dac_override dac_read_search fowner kill setgid setuid sys_resource };
+allow vnc_session_t self:process { getcap setexec setrlimit setsched };
allow vnc_session_t self:fifo_file rw_fifo_file_perms;
manage_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
@@ -65,4 +65,3 @@ logging_append_all_logs(vnc_session_t)
mcs_process_set_categories(vnc_session_t)
mcs_killall(vnc_session_t)
-
From 23cf514ac265a02dc666e8651dcc579022f0da77 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 18 May 2021 13:31:53 +0200
Subject: [PATCH] selinux: further style and comprehensibility improvements
Sections and rules blocks reordered according to the Style guide.
https://github.com/TresysTechnology/refpolicy/wiki/StyleGuide
---
unix/vncserver/selinux/vncsession.te | 59 +++++++++++++++++-----------
1 file changed, 36 insertions(+), 23 deletions(-)
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
index 63ad8a85f..86fd6e5ef 100644
--- a/unix/vncserver/selinux/vncsession.te
+++ b/unix/vncserver/selinux/vncsession.te
@@ -20,48 +20,61 @@
policy_module(vncsession, 1.0.0)
gen_require(`
- attribute userdomain;
- type xdm_home_t;
+ attribute userdomain;
+ type xdm_home_t;
')
-type vnc_session_exec_t;
-corecmd_executable_file(vnc_session_exec_t)
type vnc_session_t;
+type vnc_session_exec_t;
init_daemon_domain(vnc_session_t, vnc_session_exec_t)
-auth_login_pgm_domain(vnc_session_t)
+can_exec(vnc_session_t, vnc_session_exec_t)
type vnc_session_var_run_t;
files_pid_file(vnc_session_var_run_t)
-allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
-files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
-
-auth_write_login_records(vnc_session_t)
-
-can_exec(vnc_session_t, vnc_session_exec_t)
-
-userdom_spec_domtrans_all_users(vnc_session_t)
-userdom_signal_all_users(vnc_session_t)
allow vnc_session_t self:capability { chown dac_override dac_read_search fowner kill setgid setuid sys_resource };
allow vnc_session_t self:process { getcap setexec setrlimit setsched };
allow vnc_session_t self:fifo_file rw_fifo_file_perms;
+allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
+files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
+
manage_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
manage_fifo_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
manage_sock_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
manage_lnk_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
-userdom_user_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
-userdom_admin_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
-
-# This also affects other tools, e.g. vncpasswd
-userdom_admin_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
-userdom_user_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
-
-miscfiles_read_localization(vnc_session_t)
kernel_read_kernel_sysctls(vnc_session_t)
-logging_append_all_logs(vnc_session_t)
+corecmd_executable_file(vnc_session_exec_t)
mcs_process_set_categories(vnc_session_t)
mcs_killall(vnc_session_t)
+
+optional_policy(`
+ auth_login_pgm_domain(vnc_session_t)
+ auth_write_login_records(vnc_session_t)
+')
+
+optional_policy(`
+ logging_append_all_logs(vnc_session_t)
+')
+
+optional_policy(`
+ miscfiles_read_localization(vnc_session_t)
+')
+
+optional_policy(`
+ userdom_spec_domtrans_all_users(vnc_session_t)
+ userdom_signal_all_users(vnc_session_t)
+
+ userdom_user_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
+ userdom_admin_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
+
+ # This also affects other tools, e.g. vncpasswd
+ gen_require(`
+ attribute userdomain;
+ ')
+ userdom_admin_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
+ userdom_user_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
+')
From 3c8622691abfb377b48bf3749dd629c5a7120cf4 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 18 May 2021 13:39:11 +0200
Subject: [PATCH] Allow vnc_session_t manage nfs dirs and files conditionally
The permissions set to manage directories and files with the nfs_t type
is allowed when the use_nfs_home_dirs boolean is turned on.
Resolves: https://github.com/TigerVNC/tigervnc/issues/1189
---
unix/vncserver/selinux/vncsession.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
index 86fd6e5ef..46e699117 100644
--- a/unix/vncserver/selinux/vncsession.te
+++ b/unix/vncserver/selinux/vncsession.te
@@ -51,6 +51,11 @@ corecmd_executable_file(vnc_session_exec_t)
mcs_process_set_categories(vnc_session_t)
mcs_killall(vnc_session_t)
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(vnc_session_t)
+ fs_manage_nfs_files(vnc_session_t)
+')
+
optional_policy(`
auth_login_pgm_domain(vnc_session_t)
auth_write_login_records(vnc_session_t)
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
index 46e69911..f1108ec8 100644
--- a/unix/vncserver/selinux/vncsession.te
+++ b/unix/vncserver/selinux/vncsession.te
@@ -20,7 +20,6 @@
policy_module(vncsession, 1.0.0)
gen_require(`
- attribute userdomain;
type xdm_home_t;
')

View File

@ -0,0 +1,81 @@
From d2d52704624ce841f4a392fccd82079d87ff13b6 Mon Sep 17 00:00:00 2001
From: Jan Grulich <jgrulich@redhat.com>
Date: Thu, 11 Nov 2021 13:52:41 +0100
Subject: [PATCH] SELinux: restore SELinux context in case of different
policies
---
CMakeLists.txt | 13 +++++++++++++
unix/vncserver/CMakeLists.txt | 2 +-
unix/vncserver/vncsession.c | 16 ++++++++++++++++
3 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 50247c7da..1708eb3d8 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -268,6 +268,19 @@ if(UNIX AND NOT APPLE)
endif()
endif()
+# Check for SELinux library
+if(UNIX AND NOT APPLE)
+ check_include_files(selinux/selinux.h HAVE_SELINUX_H)
+ if(HAVE_SELINUX_H)
+ set(CMAKE_REQUIRED_LIBRARIES -lselinux)
+ set(CMAKE_REQUIRED_LIBRARIES)
+ set(SELINUX_LIBS selinux)
+ add_definitions("-DHAVE_SELINUX")
+ else()
+ message(WARNING "Could not find SELinux development files")
+ endif()
+endif()
+
# Generate config.h and make sure the source finds it
configure_file(config.h.in config.h)
add_definitions(-DHAVE_CONFIG_H)
diff --git a/unix/vncserver/CMakeLists.txt b/unix/vncserver/CMakeLists.txt
index f65ccc7db..ae69dc098 100644
--- a/unix/vncserver/CMakeLists.txt
+++ b/unix/vncserver/CMakeLists.txt
@@ -1,5 +1,5 @@
add_executable(vncsession vncsession.c)
-target_link_libraries(vncsession ${PAM_LIBS})
+target_link_libraries(vncsession ${PAM_LIBS} ${SELINUX_LIBS})
configure_file(vncserver@.service.in vncserver@.service @ONLY)
configure_file(vncsession-start.in vncsession-start @ONLY)
diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c
index 3573e5e9b..f6d2fd59e 100644
--- a/unix/vncserver/vncsession.c
+++ b/unix/vncserver/vncsession.c
@@ -37,6 +37,11 @@
#include <sys/types.h>
#include <sys/wait.h>
+#ifdef HAVE_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/restorecon.h>
+#endif
+
extern char **environ;
// PAM service name
@@ -360,6 +365,17 @@ redir_stdio(const char *homedir, const char *display)
syslog(LOG_CRIT, "Failure creating \"%s\": %s", logfile, strerror(errno));
_exit(EX_OSERR);
}
+
+#ifdef HAVE_SELINUX
+ int result;
+ if (selinux_file_context_verify(logfile, 0) == 0) {
+ result = selinux_restorecon(logfile, SELINUX_RESTORECON_RECURSE);
+
+ if (result < 0) {
+ syslog(LOG_WARNING, "Failure restoring SELinux context for \"%s\": %s", logfile, strerror(errno));
+ }
+ }
+#endif
}
hostlen = sysconf(_SC_HOST_NAME_MAX);

View File

@ -1,47 +0,0 @@
From 40f104ffe1e36df9613f8d316f616fb2b089cc86 Mon Sep 17 00:00:00 2001
From: Jan Grulich <jgrulich@redhat.com>
Date: Tue, 29 Sep 2020 13:37:16 +0200
Subject: [PATCH] Use /run instead of /var/run which is just a symlink
---
unix/vncserver/selinux/vncsession.fc | 2 +-
unix/vncserver/vncserver@.service.in | 2 +-
unix/vncserver/vncsession.c | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/unix/vncserver/selinux/vncsession.fc b/unix/vncserver/selinux/vncsession.fc
index 121cdd237..ae768baa4 100644
--- a/unix/vncserver/selinux/vncsession.fc
+++ b/unix/vncserver/selinux/vncsession.fc
@@ -23,4 +23,4 @@ HOME_ROOT/\.vnc(/.*)? gen_context(system_u:object_r:xdm_home_t,s0)
/usr/sbin/vncsession -- gen_context(system_u:object_r:vnc_session_exec_t,s0)
/usr/libexec/vncsession-start -- gen_context(system_u:object_r:vnc_session_exec_t,s0)
-/var/run/vncsession-:[0-9]*\.pid -- gen_context(system_u:object_r:vnc_session_var_run_t,s0)
+/run/vncsession-:[0-9]*\.pid -- gen_context(system_u:object_r:vnc_session_var_run_t,s0)
diff --git a/unix/vncserver/vncserver@.service.in b/unix/vncserver/vncserver@.service.in
index 584ecf4b1..5624dff76 100644
--- a/unix/vncserver/vncserver@.service.in
+++ b/unix/vncserver/vncserver@.service.in
@@ -36,7 +36,7 @@ After=syslog.target network.target
[Service]
Type=forking
ExecStart=@CMAKE_INSTALL_FULL_LIBEXECDIR@/vncsession-start %i
-PIDFile=/var/run/vncsession-%i.pid
+PIDFile=/run/vncsession-%i.pid
SELinuxContext=system_u:system_r:vnc_session_t:s0
[Install]
diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c
index 3e0c98f0f..2b47f5f55 100644
--- a/unix/vncserver/vncsession.c
+++ b/unix/vncserver/vncsession.c
@@ -543,7 +543,7 @@ main(int argc, char **argv)
}
snprintf(pid_file, sizeof(pid_file),
- "/var/run/vncsession-%s.pid", display);
+ "/run/vncsession-%s.pid", display);
f = fopen(pid_file, "w");
if (f == NULL) {
syslog(LOG_ERR, "Failure creating pid file \"%s\": %s",

View File

@ -1,149 +0,0 @@
From 38c6848b30cb1908171f2b4628e345fbf6727b39 Mon Sep 17 00:00:00 2001
From: Pierre Ossman <ossman@cendio.se>
Date: Fri, 18 Sep 2020 10:44:32 +0200
Subject: [PATCH] Tolerate specifying -BoolParam 0 and similar
This is needed by vncserver which doesn't know which parameters are
boolean, and it cannot use the -Param=Value form as that isn't tolerated
by the Xorg code.
---
unix/vncserver/vncserver.in | 8 ++++----
unix/xserver/hw/vnc/RFBGlue.cc | 16 ++++++++++++++++
unix/xserver/hw/vnc/RFBGlue.h | 1 +
unix/xserver/hw/vnc/xvnc.c | 14 ++++++++++++++
vncviewer/vncviewer.cxx | 20 ++++++++++++++++++++
5 files changed, 55 insertions(+), 4 deletions(-)
diff --git a/unix/vncserver/vncserver.in b/unix/vncserver/vncserver.in
index 25fbbd315..261b258f1 100755
--- a/unix/vncserver/vncserver.in
+++ b/unix/vncserver/vncserver.in
@@ -107,7 +107,7 @@ $default_opts{rfbwait} = 30000;
$default_opts{rfbauth} = "$vncUserDir/passwd";
$default_opts{rfbport} = $vncPort;
$default_opts{fp} = $fontPath if ($fontPath);
-$default_opts{pn} = "";
+$default_opts{pn} = undef;
# Load user-overrideable system defaults
LoadConfig($vncSystemConfigDefaultsFile);
@@ -242,13 +242,13 @@ push(@cmd, "@CMAKE_INSTALL_FULL_BINDIR@/Xvnc", ":$displayNumber");
foreach my $k (sort keys %config) {
push(@cmd, "-$k");
- push(@cmd, $config{$k}) if $config{$k};
+ push(@cmd, $config{$k}) if defined($config{$k});
delete $default_opts{$k}; # file options take precedence
}
foreach my $k (sort keys %default_opts) {
push(@cmd, "-$k");
- push(@cmd, $default_opts{$k}) if $default_opts{$k};
+ push(@cmd, $default_opts{$k}) if defined($default_opts{$k});
}
warn "\nNew '$desktopName' desktop is $host:$displayNumber\n\n";
@@ -291,7 +291,7 @@ sub LoadConfig {
# current config file being loaded defined the logical opposite setting
# (NeverShared vs. AlwaysShared, etc etc).
$toggle = lc($1); # must normalize key case
- $config{$toggle} = $k;
+ $config{$toggle} = undef;
}
}
close(IN);
diff --git a/unix/xserver/hw/vnc/RFBGlue.cc b/unix/xserver/hw/vnc/RFBGlue.cc
index f108fae43..7c32bea8f 100644
--- a/unix/xserver/hw/vnc/RFBGlue.cc
+++ b/unix/xserver/hw/vnc/RFBGlue.cc
@@ -143,6 +143,22 @@ const char* vncGetParamDesc(const char *name)
return param->getDescription();
}
+int vncIsParamBool(const char *name)
+{
+ VoidParameter *param;
+ BoolParameter *bparam;
+
+ param = rfb::Configuration::getParam(name);
+ if (param == NULL)
+ return false;
+
+ bparam = dynamic_cast<BoolParameter*>(param);
+ if (bparam == NULL)
+ return false;
+
+ return true;
+}
+
int vncGetParamCount(void)
{
int count;
diff --git a/unix/xserver/hw/vnc/RFBGlue.h b/unix/xserver/hw/vnc/RFBGlue.h
index 112405b84..695cea105 100644
--- a/unix/xserver/hw/vnc/RFBGlue.h
+++ b/unix/xserver/hw/vnc/RFBGlue.h
@@ -41,6 +41,7 @@ int vncSetParam(const char *name, const char *value);
int vncSetParamSimple(const char *nameAndValue);
char* vncGetParam(const char *name);
const char* vncGetParamDesc(const char *name);
+int vncIsParamBool(const char *name);
int vncGetParamCount(void);
char *vncGetParamList(void);
diff --git a/unix/xserver/hw/vnc/xvnc.c b/unix/xserver/hw/vnc/xvnc.c
index 4eb0b0b13..5744acac8 100644
--- a/unix/xserver/hw/vnc/xvnc.c
+++ b/unix/xserver/hw/vnc/xvnc.c
@@ -618,6 +618,20 @@ ddxProcessArgument(int argc, char *argv[], int i)
exit(0);
}
+ /* We need to resolve an ambiguity for booleans */
+ if (argv[i][0] == '-' && i+1 < argc &&
+ vncIsParamBool(&argv[i][1])) {
+ if ((strcasecmp(argv[i+1], "0") == 0) ||
+ (strcasecmp(argv[i+1], "1") == 0) ||
+ (strcasecmp(argv[i+1], "true") == 0) ||
+ (strcasecmp(argv[i+1], "false") == 0) ||
+ (strcasecmp(argv[i+1], "yes") == 0) ||
+ (strcasecmp(argv[i+1], "no") == 0)) {
+ vncSetParam(&argv[i][1], argv[i+1]);
+ return 2;
+ }
+ }
+
if (vncSetParamSimple(argv[i]))
return 1;
diff --git a/vncviewer/vncviewer.cxx b/vncviewer/vncviewer.cxx
index d4dd3063c..77ba3d3f4 100644
--- a/vncviewer/vncviewer.cxx
+++ b/vncviewer/vncviewer.cxx
@@ -556,6 +556,26 @@ int main(int argc, char** argv)
}
for (int i = 1; i < argc;) {
+ /* We need to resolve an ambiguity for booleans */
+ if (argv[i][0] == '-' && i+1 < argc) {
+ VoidParameter *param;
+
+ param = Configuration::getParam(&argv[i][1]);
+ if ((param != NULL) &&
+ (dynamic_cast<BoolParameter*>(param) != NULL)) {
+ if ((strcasecmp(argv[i+1], "0") == 0) ||
+ (strcasecmp(argv[i+1], "1") == 0) ||
+ (strcasecmp(argv[i+1], "true") == 0) ||
+ (strcasecmp(argv[i+1], "false") == 0) ||
+ (strcasecmp(argv[i+1], "yes") == 0) ||
+ (strcasecmp(argv[i+1], "no") == 0)) {
+ param->setParam(argv[i+1]);
+ i += 2;
+ continue;
+ }
+ }
+ }
+
if (Configuration::setParam(argv[i])) {
i++;
continue;

View File

@ -1,13 +0,0 @@
diff --git a/common/rfb/Security.cxx b/common/rfb/Security.cxx
index e623ab5..4987b29 100644
--- a/common/rfb/Security.cxx
+++ b/common/rfb/Security.cxx
@@ -52,7 +52,7 @@ static LogWriter vlog("Security");
#ifdef HAVE_GNUTLS
StringParameter Security::GnuTLSPriority("GnuTLSPriority",
"GnuTLS priority string that controls the TLS sessions handshake algorithms",
- "NORMAL");
+ "@SYSTEM");
#endif
Security::Security()

View File

@ -0,0 +1,113 @@
From 1919a8ab86c99b47ba86dc697abcdf3343b0aafa Mon Sep 17 00:00:00 2001
From: Jan Grulich <jgrulich@redhat.com>
Date: Tue, 1 Feb 2022 14:31:05 +0100
Subject: Add vncsession-restore script to restore SELinux context
The vncsession-restore script is used in the ExecStartPre option
for systemd service file in order to properly start the session
in case the policy is updated (e.g. after Tigervnc update).
diff --git a/unix/vncserver/CMakeLists.txt b/unix/vncserver/CMakeLists.txt
index ae69dc09..04eb6fc4 100644
--- a/unix/vncserver/CMakeLists.txt
+++ b/unix/vncserver/CMakeLists.txt
@@ -2,6 +2,7 @@ add_executable(vncsession vncsession.c)
target_link_libraries(vncsession ${PAM_LIBS} ${SELINUX_LIBS})
configure_file(vncserver@.service.in vncserver@.service @ONLY)
+configure_file(vncsession-restore.in vncsession-restore @ONLY)
configure_file(vncsession-start.in vncsession-start @ONLY)
configure_file(vncserver.in vncserver @ONLY)
configure_file(vncsession.man.in vncsession.man @ONLY)
@@ -20,4 +21,5 @@ install(FILES HOWTO.md DESTINATION ${CMAKE_INSTALL_FULL_DOCDIR})
if(INSTALL_SYSTEMD_UNITS)
install(FILES ${CMAKE_CURRENT_BINARY_DIR}/vncserver@.service DESTINATION ${CMAKE_INSTALL_FULL_UNITDIR})
install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/vncsession-start DESTINATION ${CMAKE_INSTALL_FULL_LIBEXECDIR})
+ install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/vncsession-restore DESTINATION ${CMAKE_INSTALL_FULL_LIBEXECDIR})
endif()
diff --git a/unix/vncserver/vncserver@.service.in b/unix/vncserver/vncserver@.service.in
index 39f81b73..a83e05a3 100644
--- a/unix/vncserver/vncserver@.service.in
+++ b/unix/vncserver/vncserver@.service.in
@@ -35,6 +35,7 @@ After=syslog.target network.target
[Service]
Type=forking
+ExecStartPre=+@CMAKE_INSTALL_FULL_LIBEXECDIR@/vncsession-restore %i
ExecStart=@CMAKE_INSTALL_FULL_LIBEXECDIR@/vncsession-start %i
PIDFile=/run/vncsession-%i.pid
SELinuxContext=system_u:system_r:vnc_session_t:s0
diff --git a/unix/vncserver/vncsession-restore.in b/unix/vncserver/vncsession-restore.in
new file mode 100644
index 00000000..d3abc57d
--- /dev/null
+++ b/unix/vncserver/vncsession-restore.in
@@ -0,0 +1,68 @@
+#!/bin/bash
+#
+# Copyright 2022 Jan Grulich <jgrulich@redhat.com>
+#
+# This is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This software is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this software; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+# USA.
+#
+
+USERSFILE="@CMAKE_INSTALL_FULL_SYSCONFDIR@/tigervnc/vncserver.users"
+
+if [ $# -ne 1 ]; then
+ echo "Syntax:" >&2
+ echo " $0 <display>" >&2
+ exit 1
+fi
+
+if [ ! -f "${USERSFILE}" ]; then
+ echo "Users file ${USERSFILE} missing" >&2
+ exit 1
+fi
+
+DISPLAY="$1"
+
+USER=`grep "^ *${DISPLAY}=" "${USERSFILE}" 2>/dev/null | head -1 | cut -d = -f 2- | sed 's/ *$//g'`
+
+if [ -z "${USER}" ]; then
+ echo "No user configured for display ${DISPLAY}" >&2
+ exit 1
+fi
+
+USER_HOMEDIR=`getent passwd ${USER} | cut -f6 -d:`
+
+if [ -z "${USER_HOMEDIR}" ]; then
+ echo "Failed to get home directory for ${USER}" >&2
+ exit 1
+fi
+
+if [ ! -d "${USER_HOMEDIR}/.vnc" ]; then
+ exit 0
+fi
+
+MATCHPATHCON=`which matchpathcon`
+
+if [ $? -eq 0 ]; then
+ ${MATCHPATHCON} -V "${USER_HOMEDIR}/.vnc" &>/dev/null
+ if [ $? -eq 0 ]; then
+ exit 0
+ fi
+fi
+
+RESTORECON=`which restorecon`
+
+if [ $? -eq 0 ]; then
+ exec "${RESTORECON}" -R "${USER_HOMEDIR}/.vnc" >&2
+ return $?
+fi

View File

@ -1,13 +0,0 @@
diff --git a/common/rfb/SSecurityTLS.cxx b/common/rfb/SSecurityTLS.cxx
index b946022..2daefa2 100644
--- a/common/rfb/SSecurityTLS.cxx
+++ b/common/rfb/SSecurityTLS.cxx
@@ -186,7 +186,7 @@ void SSecurityTLS::setParams(gnutls_session_t session)
if (gnutls_dh_params_init(&dh_params) != GNUTLS_E_SUCCESS)
throw AuthFailureException("gnutls_dh_params_init failed");
- if (gnutls_dh_params_generate2(dh_params, DH_BITS) != GNUTLS_E_SUCCESS)
+ if (gnutls_dh_params_generate2(dh_params, gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_MEDIUM)) != GNUTLS_E_SUCCESS)
throw AuthFailureException("gnutls_dh_params_generate2 failed");
if (anon) {

View File

@ -168,7 +168,8 @@ if ((@ARGV > 0) && ($ARGV[0] =~ /^:(\d+)$/)) {
$displayNumber = $1; $displayNumber = $1;
shift(@ARGV); shift(@ARGV);
if (!&CheckDisplayNumber($displayNumber)) { if (!&CheckDisplayNumber($displayNumber)) {
die "A VNC server is already running as :$displayNumber\n"; warn "A VNC server is already running as :$displayNumber\n";
$displayNumber = &GetDisplayNumber();
} }
} elsif ((@ARGV > 0) && ($ARGV[0] !~ /^-/) && ($ARGV[0] !~ /^\+/)) { } elsif ((@ARGV > 0) && ($ARGV[0] !~ /^-/) && ($ARGV[0] !~ /^\+/)) {
&Usage(); &Usage();
@ -194,7 +195,6 @@ $default_opts{auth} = &quotedString($xauthorityFile);
$default_opts{geometry} = $geometry if ($geometry); $default_opts{geometry} = $geometry if ($geometry);
$default_opts{depth} = $depth if ($depth); $default_opts{depth} = $depth if ($depth);
$default_opts{pixelformat} = $pixelformat if ($pixelformat); $default_opts{pixelformat} = $pixelformat if ($pixelformat);
$default_opts{rfbwait} = 30000;
$default_opts{rfbauth} = "$vncUserDir/passwd"; $default_opts{rfbauth} = "$vncUserDir/passwd";
$default_opts{rfbport} = $vncPort; $default_opts{rfbport} = $vncPort;
$default_opts{fp} = $fontPath if ($fontPath); $default_opts{fp} = $fontPath if ($fontPath);
@ -892,6 +892,6 @@ sub SanityCheck
sub NotifyAboutDeprecation sub NotifyAboutDeprecation
{ {
warn "\nWARNING: vncserver has been replaced by a systemd unit and is about to be removed in future releases.\n"; warn "\nWARNING: vncserver has been replaced by a systemd unit and is now considered deprecated and removed in upstream.\n";
warn "Please read /usr/share/doc/tigervnc/HOWTO.md for more information.\n"; warn "Please read /usr/share/doc/tigervnc/HOWTO.md for more information.\n";
} }

View File

@ -1,204 +0,0 @@
.TH vncserver 1 "" "TigerVNC" "Virtual Network Computing"
.SH NAME
vncserver \- start or stop a VNC server
.SH SYNOPSIS
.B vncserver
.RI [: display# ]
.RB [ \-name
.IR desktop-name ]
.RB [ \-geometry
.IR width x height ]
.RB [ \-depth
.IR depth ]
.RB [ \-pixelformat
.IR format ]
.RB [ \-fp
.IR font-path ]
.RB [ \-fg ]
.RB [ \-autokill ]
.RB [ \-noxstartup ]
.RB [ \-xstartup
.IR script ]
.RI [ Xvnc-options... ]
.br
.BI "vncserver \-kill :" display#
.br
.BI "vncserver \-list"
.SH DESCRIPTION
.B vncserver
is used to start a VNC (Virtual Network Computing) desktop.
.B vncserver
is a Perl script which simplifies the process of starting an Xvnc server. It
runs Xvnc with appropriate options and starts a window manager on the VNC
desktop.
.B vncserver
can be run with no options at all. In this case it will choose the first
available display number (usually :1), start Xvnc with that display number,
and start the default window manager in the Xvnc session. You can also
specify the display number, in which case vncserver will attempt to start
Xvnc with that display number and exit if the display number is not
available. For example:
.RS
vncserver :13
.RE
Editing the file $HOME/.vnc/xstartup allows you to change the applications run
at startup (but note that this will not affect an existing VNC session.)
.SH OPTIONS
You can get a list of options by passing \fB\-h\fP as an option to vncserver.
In addition to the options listed below, any unrecognised options will be
passed to Xvnc - see the Xvnc man page, or "Xvnc \-help", for details.
.TP
.B \-name \fIdesktop-name\fP
Each VNC desktop has a name which may be displayed by the viewer. The desktop
name defaults to "\fIhost\fP:\fIdisplay#\fP (\fIusername\fP)", but you can
change it with this option. The desktop name option is passed to the xstartup
script via the $VNCDESKTOP environment variable, which allows you to run a
different set of applications depending on the name of the desktop.
.
.TP
.B \-geometry \fIwidth\fPx\fIheight\fP
Specify the size of the VNC desktop to be created. Default is 1024x768.
.
.TP
.B \-depth \fIdepth\fP
Specify the pixel depth (in bits) of the VNC desktop to be created. Default is
24. Other possible values are 8, 15 and 16 - anything else is likely to cause
strange behaviour by applications.
.
.TP
.B \-pixelformat \fIformat\fP
Specify pixel format for Xvnc to use (BGRnnn or RGBnnn). The default for
depth 8 is BGR233 (meaning the most significant two bits represent blue, the
next three green, and the least significant three represent red), the default
for depth 16 is RGB565, and the default for depth 24 is RGB888.
.
.TP
.B \-cc 3
As an alternative to the default TrueColor visual, this allows you to run an
Xvnc server with a PseudoColor visual (i.e. one which uses a color map or
palette), which can be useful for running some old X applications which only
work on such a display. Values other than 3 (PseudoColor) and 4 (TrueColor)
for the \-cc option may result in strange behaviour, and PseudoColor desktops
must have an 8-bit depth.
.
.TP
.B \-kill :\fIdisplay#\fP
This kills a VNC desktop previously started with vncserver. It does this by
killing the Xvnc process, whose process ID is stored in the file
"$HOME/.vnc/\fIhost\fP:\fIdisplay#\fP.pid". The
.B \-kill
option ignores anything preceding the first colon (":") in the display
argument. Thus, you can invoke "vncserver \-kill $DISPLAY", for example at the
end of your xstartup file after a particular application exits.
.
.TP
.B \-fp \fIfont-path\fP
If the vncserver script detects that the X Font Server (XFS) is running, it
will attempt to start Xvnc and configure Xvnc to use XFS for font handling.
Otherwise, if XFS is not running, the vncserver script will attempt to start
Xvnc and allow Xvnc to use its own preferred method of font handling (which may
be a hard-coded font path or, on more recent systems, a font catalog.) In
any case, if Xvnc fails to start, the vncserver script will then attempt to
determine an appropriate X font path for this system and start Xvnc using
that font path.
The
.B \-fp
argument allows you to override the above fallback logic and specify a font
path for Xvnc to use.
.
.TP
.B \-fg
Runs Xvnc as a foreground process. This has two effects: (1) The VNC server
can be aborted with CTRL-C, and (2) the VNC server will exit as soon as the
user logs out of the window manager in the VNC session. This may be necessary
when launching TigerVNC from within certain grid computing environments.
.
.TP
.B \-autokill
Automatically kill Xvnc whenever the xstartup script exits. In most cases,
this has the effect of terminating Xvnc when the user logs out of the window
manager.
.
.TP
.B \-noxstartup
Do not run the %HOME/.vnc/xstartup script after launching Xvnc. This
option allows you to manually start a window manager in your TigerVNC session.
.
.TP
.B \-xstartup \fIscript\fP
Run a custom startup script, instead of %HOME/.vnc/xstartup, after launching
Xvnc. This is useful to run full-screen applications.
.
.TP
.B \-list
Lists all VNC desktops started by vncserver.
.SH FILES
Several VNC-related files are found in the directory $HOME/.vnc:
.TP
$HOME/.vnc/xstartup
A shell script specifying X applications to be run when a VNC desktop is
started. If this file does not exist, then vncserver will create a default
xstartup script which attempts to launch your chosen window manager.
.TP
/etc/tigervnc/vncserver-config-defaults
The optional system-wide equivalent of $HOME/.vnc/config. If this file exists
and defines options to be passed to Xvnc, they will be used as defaults for
users. The user's $HOME/.vnc/config overrides settings configured in this file.
The overall configuration file load order is: this file, $HOME/.vnc/config,
and then /etc/tigervnc/vncserver-config-mandatory. None are required to exist.
.TP
/etc/tigervnc/vncserver-config-mandatory
The optional system-wide equivalent of $HOME/.vnc/config. If this file exists
and defines options to be passed to Xvnc, they will override any of the same
options defined in a user's $HOME/.vnc/config. This file offers a mechanism
to establish some basic form of system-wide policy. WARNING! There is
nothing stopping users from constructing their own vncserver-like script
that calls Xvnc directly to bypass any options defined in
/etc/tigervnc/vncserver-config-mandatory. Likewise, any CLI arguments passed
to vncserver will override ANY config file setting of the same name. The
overall configuration file load order is:
/etc/tigervnc/vncserver-config-defaults, $HOME/.vnc/config, and then this file.
None are required to exist.
.TP
$HOME/.vnc/config
An optional server config file wherein options to be passed to Xvnc are listed
to avoid hard-coding them to the physical invocation. List options in this file
one per line. For those requiring an argument, simply separate the option from
the argument with an equal sign, for example: "geometry=2000x1200" or
"securitytypes=vncauth,tlsvnc". Options without an argument are simply listed
as a single word, for example: "localhost" or "alwaysshared".
.TP
$HOME/.vnc/passwd
The VNC password file.
.TP
$HOME/.vnc/\fIhost\fP:\fIdisplay#\fP.log
The log file for Xvnc and applications started in xstartup.
.TP
$HOME/.vnc/\fIhost\fP:\fIdisplay#\fP.pid
Identifies the Xvnc process ID, used by the
.B \-kill
option.
.SH SEE ALSO
.BR vncviewer (1),
.BR vncpasswd (1),
.BR vncconfig (1),
.BR Xvnc (1)
.br
https://www.tigervnc.org
.SH AUTHOR
Tristan Richardson, RealVNC Ltd., D. R. Commander and others.
VNC was originally developed by the RealVNC team while at Olivetti
Research Ltd / AT&T Laboratories Cambridge. TightVNC additions were
implemented by Constantin Kaplinsky. Many other people have since
participated in development, testing and support. This manual is part
of the TigerVNC software suite.

View File

@ -4,8 +4,8 @@
%global modulename vncsession %global modulename vncsession
Name: tigervnc Name: tigervnc
Version: 1.11.0 Version: 1.12.0
Release: 9%{?dist} Release: 4%{?dist}
Summary: A TigerVNC remote display system Summary: A TigerVNC remote display system
%global _hardened_build 1 %global _hardened_build 1
@ -17,27 +17,17 @@ Source0: %{name}-%{version}.tar.gz
Source1: xvnc.service Source1: xvnc.service
Source2: xvnc.socket Source2: xvnc.socket
Source3: 10-libvnc.conf Source3: 10-libvnc.conf
Source4: HOWTO.md
# Backwards compatibility # Backwards compatibility
Source5: vncserver Source5: vncserver
Source6: vncserver.man
Patch2: tigervnc-getmaster.patch Patch1: tigervnc-use-gnome-as-default-session.patch
Patch5: tigervnc-cursor.patch
Patch6: tigervnc-1.3.1-CVE-2014-8240.patch
Patch8: tigervnc-let-user-know-about-not-using-view-only-password.patch
Patch9: tigervnc-working-tls-on-fips-systems.patch
Patch11: tigervnc-utilize-system-crypto-policies.patch
Patch12: tigervnc-passwd-crash-with-malloc-checks.patch
Patch13: tigervnc-use-gnome-as-default-session.patch
# Upstream patches # Upstream patches
Patch50: tigervnc-tolerate-specifying-boolparam.patch Patch50: tigervnc-selinux-restore-context-in-case-of-different-policies.patch
Patch51: tigervnc-systemd-service.patch Patch51: tigervnc-fix-typo-in-mirror-monitor-detection.patch
Patch52: tigervnc-correctly-start-vncsession-as-daemon.patch Patch52: tigervnc-root-user-selinux-context.patch
Patch53: tigervnc-selinux-missing-compression-and-correct-location.patch Patch53: tigervnc-vncsession-restore-script-systemd-service.patch
Patch54: tigervnc-selinux-policy-improvements.patch
# This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg # This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg
Patch100: tigervnc-xserver120.patch Patch100: tigervnc-xserver120.patch
@ -53,7 +43,8 @@ BuildRequires: mesa-libGL-devel, libXinerama-devel, xorg-x11-font-utils
BuildRequires: freetype-devel, libXdmcp-devel, libxshmfence-devel BuildRequires: freetype-devel, libXdmcp-devel, libxshmfence-devel
BuildRequires: libjpeg-turbo-devel, gnutls-devel, pam-devel BuildRequires: libjpeg-turbo-devel, gnutls-devel, pam-devel
BuildRequires: libdrm-devel, libXt-devel, pixman-devel BuildRequires: libdrm-devel, libXt-devel, pixman-devel
BuildRequires: systemd, cmake, desktop-file-utils, selinux-policy-devel BuildRequires: systemd, cmake, desktop-file-utils
BuildRequires: libselinux-devel, selinux-policy-devel
%if 0%{?fedora} > 24 || 0%{?rhel} >= 7 %if 0%{?fedora} > 24 || 0%{?rhel} >= 7
BuildRequires: libXfont2-devel BuildRequires: libXfont2-devel
%else %else
@ -143,6 +134,10 @@ BuildRequires: selinux-policy-devel
Requires: selinux-policy-%{selinuxtype} Requires: selinux-policy-%{selinuxtype}
Requires(post): selinux-policy-%{selinuxtype} Requires(post): selinux-policy-%{selinuxtype}
BuildRequires: selinux-policy-devel BuildRequires: selinux-policy-devel
# Required for matchpathcon
Requires: libselinux-utils
# Required for restorecon
Requires: policycoreutils
%{?selinux_requires} %{?selinux_requires}
%description selinux %description selinux
@ -161,34 +156,13 @@ done
%patch101 -p1 -b .rpath %patch101 -p1 -b .rpath
popd popd
# libvnc.so: don't use unexported GetMaster function (bug #744881 again). %patch1 -p1 -b .use-gnome-as-default-session
%patch2 -p1 -b .getmaster
# Fixed viewer crash when cursor has not been set (bug #1051333).
%patch5 -p1 -b .cursor
# CVE-2014-8240 tigervnc: integer overflow flaw, leading to a heap-based
# buffer overflow in screen size handling
%patch6 -p1 -b .tigervnc-1.3.1-CVE-2014-8240
# Bug 1447555 - view-only accepts enter, unclear whether default password is generated or not
%patch8 -p1 -b .let-user-know-about-not-using-view-only-password
# Bug 1492107 - VNC cannot be used when FIPS is enabled because DH_BITS is too low
%patch9 -p1 -b .working-tls-on-fips-systems
# Utilize system-wide crypto policies
%patch11 -p1 -b .utilize-system-crypto-policies.patch
%patch12 -p1 -b .passwd-crash-with-malloc-checks
%patch13 -p1 -b .use-gnome-as-default-session
# Upstream patches # Upstream patches
%patch50 -p1 -b .tolerate-specifying-boolparam %patch50 -p1 -b .selinux-restore-context-in-case-of-different-policies
%patch51 -p1 -b .systemd-service %patch51 -p1 -b .fix-typo-in-mirror-monitor-detection
%patch52 -p1 -b .correctly-start-vncsession-as-daemon %patch52 -p1 -b .root-user-selinux-context
%patch53 -p1 -b .selinux-missing-compression-and-correct-location %patch53 -p1 -b .vncsession-restore-script-systemd-service
%patch54 -p1 -b .selinux-policy-improvements
%build %build
%ifarch sparcv9 sparc64 s390 s390x %ifarch sparcv9 sparc64 s390 s390x
@ -259,10 +233,7 @@ install -m644 tigervnc_$s.png %{buildroot}%{_datadir}/icons/hicolor/${s}x$s/apps
done done
popd popd
rm -f %{buildroot}/%{_mandir}/man8/vncserver.8
install -m 755 %{SOURCE5} %{buildroot}/%{_bindir}/vncserver install -m 755 %{SOURCE5} %{buildroot}/%{_bindir}/vncserver
install -m 644 %{SOURCE6} %{buildroot}/%{_mandir}/man8/vncserver.8
%find_lang %{name} %{name}.lang %find_lang %{name} %{name}.lang
@ -272,8 +243,6 @@ rm -f %{buildroot}%{_libdir}/xorg/modules/extensions/libvnc.la
mkdir -p %{buildroot}%{_sysconfdir}/X11/xorg.conf.d/ mkdir -p %{buildroot}%{_sysconfdir}/X11/xorg.conf.d/
install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/X11/xorg.conf.d/10-libvnc.conf install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/X11/xorg.conf.d/10-libvnc.conf
install -m 644 %{SOURCE4} %{buildroot}/%{_docdir}/tigervnc/HOWTO.md
%post server %post server
%systemd_post xvnc.service %systemd_post xvnc.service
%systemd_post xvnc.socket %systemd_post xvnc.socket
@ -319,6 +288,7 @@ fi
%{_sbindir}/vncsession %{_sbindir}/vncsession
%{_libexecdir}/vncserver %{_libexecdir}/vncserver
%{_libexecdir}/vncsession-start %{_libexecdir}/vncsession-start
%{_libexecdir}/vncsession-restore
%{_mandir}/man1/x0vncserver.1* %{_mandir}/man1/x0vncserver.1*
%{_mandir}/man8/vncserver.8* %{_mandir}/man8/vncserver.8*
%{_mandir}/man8/vncsession.8* %{_mandir}/man8/vncsession.8*
@ -347,6 +317,23 @@ fi
%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} %ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
%changelog %changelog
* Tue Feb 08 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-4
- Added vncsession-restore script for SELinux policy migration
Fix SELinux context for root user
Resolves: bz#2021892
* Fri Jan 21 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-3
- Fix crash in vncviewer
Resolves: bz#2021892
* Fri Jan 14 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-2
- Remove unavailable option from vncserver script
Resolves: bz#2021892
* Fri Jan 14 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-1
- 1.12.0
Resolves: bz#2021892
* Mon Jul 19 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-9 * Mon Jul 19 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-9
- Fix logout from VNC session using vncserver - Fix logout from VNC session using vncserver
Resolves: bz#1983706 Resolves: bz#1983706