rpms/tigervnc
5
0
Fork 0
Code Issues Pull Requests Releases Activity

SELinux improvements

Browse Source 
Backport some CentOS changes
This commit is contained in:
Jan Grulich 2021-05-25 14:29:01 +02:00
parent 86f663cd8a
commit 455d814fe8
10 changed files with 455 additions and 115 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
0001-rpath-hack.patch Normal file
View File

@ -0,0 +1,24 @@
From 2489f2f38eb32d9dd03718a36cbdbdf13d2f8b9b Mon Sep 17 00:00:00 2001
From: Adam Jackson <ajax@redhat.com>
Date: Thu, 12 Nov 2015 11:10:11 -0500
Subject: [PATCH] rpath hack
Normally, rpath is undesirable. But for the X server we _know_ we need
Mesa's libGL, which will always be in %{_libdir}, and not any third-party
libGL that may be configured using ld.so.conf.
---
configure.ac | 1 +
1 files changed, 1 insertions(+), 0 deletion(-)
diff --git a/configure.ac b/configure.ac
index fa15a2d..a5af1e0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1261,6 +1261,7 @@ AM_CONDITIONAL(GLX, test "x$GLX" = xyes)
AM_CONDITIONAL(HASHTABLE, test "x$HASHTABLE" = xyes)
+GLX_SYS_LIBS="$GLX_SYS_LIBS -Wl,-rpath=\$(libdir)"
AC_SUBST([GLX_DEFINES])
AC_SUBST([GLX_SYS_LIBS])

74
tigervnc-1.3.1-CVE-2014-8240.patch Normal file
View File

@ -0,0 +1,74 @@
diff --git a/unix/x0vncserver/Image.cxx b/unix/x0vncserver/Image.cxx
index f998c6a..fb9dbd4 100644
--- a/unix/x0vncserver/Image.cxx
+++ b/unix/x0vncserver/Image.cxx
@@ -80,6 +80,14 @@ void Image::Init(int width, int height)
xim = XCreateImage(dpy, vis, DefaultDepth(dpy, DefaultScreen(dpy)),
ZPixmap, 0, 0, width, height, BitmapPad(dpy), 0);
+ if (xim->bytes_per_line <= 0 ||
+ xim->height <= 0 ||
+ xim->height >= INT_MAX / xim->bytes_per_line) {
+ vlog.error("Invalid display size");
+ XDestroyImage(xim);
+ exit(1);
+ }
+
xim->data = (char *)malloc(xim->bytes_per_line * xim->height);
if (xim->data == NULL) {
vlog.error("malloc() failed");
@@ -256,6 +264,17 @@ void ShmImage::Init(int width, int height, const XVisualInfo *vinfo)
return;
}
+ if (xim->bytes_per_line <= 0 ||
+ xim->height <= 0 ||
+ xim->height >= INT_MAX / xim->bytes_per_line) {
+ vlog.error("Invalid display size");
+ XDestroyImage(xim);
+ xim = NULL;
+ delete shminfo;
+ shminfo = NULL;
+ return;
+ }
+
shminfo->shmid = shmget(IPC_PRIVATE,
xim->bytes_per_line * xim->height,
IPC_CREAT|0777);
diff --git a/vncviewer/PlatformPixelBuffer.cxx b/vncviewer/PlatformPixelBuffer.cxx
index a2b506d..9266d9f 100644
--- a/vncviewer/PlatformPixelBuffer.cxx
+++ b/vncviewer/PlatformPixelBuffer.cxx
@@ -49,6 +49,15 @@ PlatformPixelBuffer::PlatformPixelBuffer(int width, int height) :
if (!xim)
throw rdr::Exception("XCreateImage");
+ if (xim->bytes_per_line <= 0 ||
+ xim->height <= 0 ||
+ xim->height >= INT_MAX / xim->bytes_per_line) {
+ if (xim)
+ XDestroyImage(xim);
+ xim = NULL;
+ throw rdr::Exception("Invalid display size");
+ }
+
xim->data = (char*)malloc(xim->bytes_per_line * xim->height);
if (!xim->data)
throw rdr::Exception("malloc");
@@ -152,6 +161,16 @@ bool PlatformPixelBuffer::setupShm()
if (!xim)
goto free_shminfo;
+ if (xim->bytes_per_line <= 0 ||
+ xim->height <= 0 ||
+ xim->height >= INT_MAX / xim->bytes_per_line) {
+ XDestroyImage(xim);
+ xim = NULL;
+ delete shminfo;
+ shminfo = NULL;
+ throw rdr::Exception("Invalid display size");
+ }
+
shminfo->shmid = shmget(IPC_PRIVATE,
xim->bytes_per_line * xim->height,
IPC_CREAT|0600);

43
tigervnc-argb-runtime-ximage-byteorder-selection.patch Normal file
View File

@ -0,0 +1,43 @@
From 7ab92639848a6059e2b6b88499b008b9606f3af6 Mon Sep 17 00:00:00 2001
From: johnmartin-oracle <55413843+johnmartin-oracle@users.noreply.github.com>
Date: Thu, 27 Aug 2020 22:30:23 -0400
Subject: [PATCH] Update Surface_X11.cxx
Runtime sellection of ARGB XImage byte order
---
vncviewer/Surface_X11.cxx | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/vncviewer/Surface_X11.cxx b/vncviewer/Surface_X11.cxx
index 6562634dc..8944c3f71 100644
--- a/vncviewer/Surface_X11.cxx
+++ b/vncviewer/Surface_X11.cxx
@@ -123,17 +123,17 @@ void Surface::alloc()
// we find such a format
templ.type = PictTypeDirect;
templ.depth = 32;
-#if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
- templ.direct.alpha = 0;
- templ.direct.red = 8;
- templ.direct.green = 16;
- templ.direct.blue = 24;
-#else
- templ.direct.alpha = 24;
- templ.direct.red = 16;
- templ.direct.green = 8;
- templ.direct.blue = 0;
-#endif
+ if (XImageByteOrder(fl_display) == MSBFirst) {
+ templ.direct.alpha = 0;
+ templ.direct.red = 8;
+ templ.direct.green = 16;
+ templ.direct.blue = 24;
+ } else {
+ templ.direct.alpha = 24;
+ templ.direct.red = 16;
+ templ.direct.green = 8;
+ templ.direct.blue = 0;
+ }
templ.direct.alphaMask = 0xff;
templ.direct.redMask = 0xff;
templ.direct.greenMask = 0xff;

13
tigervnc-correctly-start-vncsession-as-daemon.patch Normal file
View File

@ -0,0 +1,13 @@
diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c
index 2b47f5f5..f78c096f 100644
--- a/unix/vncserver/vncsession.c
+++ b/unix/vncserver/vncsession.c
@@ -99,7 +99,7 @@ begin_daemon(void)
return -1;
}
- if (pid == 0)
+ if (pid != 0)
_exit(0);
/* Send all stdio to /dev/null */

12
tigervnc-cursor.patch Normal file
View File

@ -0,0 +1,12 @@
diff -up tigervnc-1.3.0/vncviewer/Viewport.cxx.cursor tigervnc-1.3.0/vncviewer/Viewport.cxx
--- tigervnc-1.3.0/vncviewer/Viewport.cxx.cursor 2013-12-17 13:28:23.170400013 +0000
+++ tigervnc-1.3.0/vncviewer/Viewport.cxx 2013-12-17 13:29:46.095784064 +0000
@@ -248,7 +248,7 @@ void Viewport::setCursor(int width, int height, const Point& hotspot,
}
}
- if (Fl::belowmouse() == this)
+ if (Fl::belowmouse() == this && cursor)
window()->cursor(cursor, cursorHotspot.x, cursorHotspot.y);
}

88
tigervnc-getmaster.patch
View File

@ -1,88 +0,0 @@
diff --git a/unix/xserver/hw/vnc/InputXKB.c b/unix/xserver/hw/vnc/InputXKB.c
index f84a6e4..4eac939 100644
--- a/unix/xserver/hw/vnc/InputXKB.c
+++ b/unix/xserver/hw/vnc/InputXKB.c
@@ -226,10 +226,7 @@ void vncPrepareInputDevices(void)
unsigned vncGetKeyboardState(void)
{
- DeviceIntPtr master;
-
- master = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT);
- return XkbStateFieldFromRec(&master->key->xkbInfo->state);
+ return XkbStateFieldFromRec(&vncKeyboardDev->master->key->xkbInfo->state);
}
unsigned vncGetLevelThreeMask(void)
@@ -250,7 +247,7 @@ unsigned vncGetLevelThreeMask(void)
return 0;
}
- xkb = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT)->key->xkbInfo->desc;
+ xkb = vncKeyboardDev->master->key->xkbInfo->desc;
act = XkbKeyActionPtr(xkb, keycode, state);
if (act == NULL)
@@ -275,7 +272,7 @@ KeyCode vncPressShift(void)
if (state & ShiftMask)
return 0;
- xkb = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT)->key->xkbInfo->desc;
+ xkb = vncKeyboardDev->master->key->xkbInfo->desc;
for (key = xkb->min_key_code; key <= xkb->max_key_code; key++) {
XkbAction *act;
unsigned char mask;
@@ -315,7 +312,7 @@ size_t vncReleaseShift(KeyCode *keys, size_t maxKeys)
count = 0;
- master = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT);
+ master = vncKeyboardDev->master;
xkb = master->key->xkbInfo->desc;
for (key = xkb->min_key_code; key <= xkb->max_key_code; key++) {
XkbAction *act;
@@ -371,7 +368,7 @@ KeyCode vncPressLevelThree(void)
return 0;
}
- xkb = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT)->key->xkbInfo->desc;
+ xkb = vncKeyboardDev->master->key->xkbInfo->desc;
act = XkbKeyActionPtr(xkb, keycode, state);
if (act == NULL)
@@ -402,7 +399,7 @@ size_t vncReleaseLevelThree(KeyCode *keys, size_t maxKeys)
count = 0;
- master = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT);
+ master = vncKeyboardDev->master;
xkb = master->key->xkbInfo->desc;
for (key = xkb->min_key_code; key <= xkb->max_key_code; key++) {
XkbAction *act;
@@ -447,7 +444,7 @@ KeyCode vncKeysymToKeycode(KeySym keysym, unsigned state, unsigned *new_state)
*new_state = state;
fallback = 0;
- xkb = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT)->key->xkbInfo->desc;
+ xkb = vncKeyboardDev->master->key->xkbInfo->desc;
for (key = xkb->min_key_code; key <= xkb->max_key_code; key++) {
unsigned int state_out;
KeySym dummy;
@@ -551,7 +548,7 @@ int vncIsAffectedByNumLock(KeyCode keycode)
if (numlock_keycode == 0)
return 0;
- xkb = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT)->key->xkbInfo->desc;
+ xkb = vncKeyboardDev->master->key->xkbInfo->desc;
act = XkbKeyActionPtr(xkb, numlock_keycode, state);
if (act == NULL)
@@ -585,7 +582,7 @@ KeyCode vncAddKeysym(KeySym keysym, unsigned state)
KeySym *syms;
KeySym upper, lower;
- master = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT);
+ master = vncKeyboardDev->master;
xkb = master->key->xkbInfo->desc;
for (key = xkb->max_key_code; key >= xkb->min_key_code; key--) {
if (XkbKeyNumGroups(xkb, key) == 0)

13
tigervnc-let-user-know-about-not-using-view-only-password.patch Normal file
View File

@ -0,0 +1,13 @@
diff --git a/unix/vncpasswd/vncpasswd.cxx b/unix/vncpasswd/vncpasswd.cxx
index 16c925ee..6398121e 100644
--- a/unix/vncpasswd/vncpasswd.cxx
+++ b/unix/vncpasswd/vncpasswd.cxx
@@ -150,6 +150,8 @@ int main(int argc, char** argv)
char yesno[3];
if (fgets(yesno, 3, stdin) != NULL && (yesno[0] == 'y' || yesno[0] == 'Y')) {
obfuscatedReadOnly = readpassword();
+ } else {
+ fprintf(stderr, "A view-only password is not used\n");
}
FILE* fp = fopen(fname,"w");

39
tigervnc-selinux-missing-compression-and-correct-location.patch Normal file
View File

@ -0,0 +1,39 @@
From 6125695b80f6a43002f454786115b0a6c1730831 Mon Sep 17 00:00:00 2001
From: Jan Grulich <jgrulich@redhat.com>
Date: Mon, 17 May 2021 13:44:32 +0200
Subject: [PATCH] SELinux: Add missing compression and install policy to
correct directory
---
unix/vncserver/selinux/Makefile | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/unix/vncserver/selinux/Makefile b/unix/vncserver/selinux/Makefile
index 7497bf846..b23f20f60 100644
--- a/unix/vncserver/selinux/Makefile
+++ b/unix/vncserver/selinux/Makefile
@@ -10,15 +10,18 @@
PREFIX=/usr
DATADIR=$(PREFIX)/share
-all: vncsession.pp
+all: vncsession.pp.bz2
+
+%.pp.bz2: %.pp
+ bzip2 -9 $^
%.pp: %.te
make -f $(DATADIR)/selinux/devel/Makefile $@
clean:
- rm -f *.pp
+ rm -f *.pp *.pp.bz2
rm -rf tmp
-install: vncsession.pp
- mkdir -p $(DESTDIR)$(DATADIR)/selinux/packages
- install vncsession.pp $(DESTDIR)$(DATADIR)/selinux/packages/vncsession.pp
+install: vncsession.pp.bz2
+ mkdir -p $(DESTDIR)$(DATADIR)/selinux/packages/targeted/
+ install vncsession.pp.bz2 $(DESTDIR)$(DATADIR)/selinux/packages/targeted/vncsession.pp.bz2

183
tigervnc-selinux-policy-improvements.patch Normal file
View File

@ -0,0 +1,183 @@
From 386542e6d50eeaa68aa91f821c0725ddd0ab9b2a Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 18 May 2021 12:23:15 +0200
Subject: [PATCH] selinux: Fix issues reported by SELint
Style guide [1] issues only. No impact on policy functionality.
[1] - https://github.com/TresysTechnology/refpolicy/wiki/StyleGuide
---
unix/vncserver/selinux/vncsession.te | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
index a773fed39..63ad8a85f 100644
--- a/unix/vncserver/selinux/vncsession.te
+++ b/unix/vncserver/selinux/vncsession.te
@@ -17,7 +17,7 @@
# USA.
#
-policy_module(vncsession, 1.0.0);
+policy_module(vncsession, 1.0.0)
gen_require(`
attribute userdomain;
@@ -42,8 +42,8 @@ can_exec(vnc_session_t, vnc_session_exec_t)
userdom_spec_domtrans_all_users(vnc_session_t)
userdom_signal_all_users(vnc_session_t)
-allow vnc_session_t self:capability { kill chown dac_override dac_read_search fowner setgid setuid sys_resource };
-allow vnc_session_t self:process { getcap setsched setexec setrlimit };
+allow vnc_session_t self:capability { chown dac_override dac_read_search fowner kill setgid setuid sys_resource };
+allow vnc_session_t self:process { getcap setexec setrlimit setsched };
allow vnc_session_t self:fifo_file rw_fifo_file_perms;
manage_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
@@ -65,4 +65,3 @@ logging_append_all_logs(vnc_session_t)
mcs_process_set_categories(vnc_session_t)
mcs_killall(vnc_session_t)
-
From 23cf514ac265a02dc666e8651dcc579022f0da77 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 18 May 2021 13:31:53 +0200
Subject: [PATCH] selinux: further style and comprehensibility improvements
Sections and rules blocks reordered according to the Style guide.
https://github.com/TresysTechnology/refpolicy/wiki/StyleGuide
---
unix/vncserver/selinux/vncsession.te | 59 +++++++++++++++++-----------
1 file changed, 36 insertions(+), 23 deletions(-)
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
index 63ad8a85f..86fd6e5ef 100644
--- a/unix/vncserver/selinux/vncsession.te
+++ b/unix/vncserver/selinux/vncsession.te
@@ -20,48 +20,61 @@
policy_module(vncsession, 1.0.0)
gen_require(`
- attribute userdomain;
- type xdm_home_t;
+ attribute userdomain;
+ type xdm_home_t;
')
-type vnc_session_exec_t;
-corecmd_executable_file(vnc_session_exec_t)
type vnc_session_t;
+type vnc_session_exec_t;
init_daemon_domain(vnc_session_t, vnc_session_exec_t)
-auth_login_pgm_domain(vnc_session_t)
+can_exec(vnc_session_t, vnc_session_exec_t)
type vnc_session_var_run_t;
files_pid_file(vnc_session_var_run_t)
-allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
-files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
-
-auth_write_login_records(vnc_session_t)
-
-can_exec(vnc_session_t, vnc_session_exec_t)
-
-userdom_spec_domtrans_all_users(vnc_session_t)
-userdom_signal_all_users(vnc_session_t)
allow vnc_session_t self:capability { chown dac_override dac_read_search fowner kill setgid setuid sys_resource };
allow vnc_session_t self:process { getcap setexec setrlimit setsched };
allow vnc_session_t self:fifo_file rw_fifo_file_perms;
+allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
+files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
+
manage_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
manage_fifo_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
manage_sock_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
manage_lnk_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
-userdom_user_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
-userdom_admin_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
-
-# This also affects other tools, e.g. vncpasswd
-userdom_admin_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
-userdom_user_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
-
-miscfiles_read_localization(vnc_session_t)
kernel_read_kernel_sysctls(vnc_session_t)
-logging_append_all_logs(vnc_session_t)
+corecmd_executable_file(vnc_session_exec_t)
mcs_process_set_categories(vnc_session_t)
mcs_killall(vnc_session_t)
+
+optional_policy(`
+ auth_login_pgm_domain(vnc_session_t)
+ auth_write_login_records(vnc_session_t)
+')
+
+optional_policy(`
+ logging_append_all_logs(vnc_session_t)
+')
+
+optional_policy(`
+ miscfiles_read_localization(vnc_session_t)
+')
+
+optional_policy(`
+ userdom_spec_domtrans_all_users(vnc_session_t)
+ userdom_signal_all_users(vnc_session_t)
+
+ userdom_user_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
+ userdom_admin_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
+
+ # This also affects other tools, e.g. vncpasswd
+ gen_require(`
+ attribute userdomain;
+ ')
+ userdom_admin_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
+ userdom_user_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
+')
From 3c8622691abfb377b48bf3749dd629c5a7120cf4 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 18 May 2021 13:39:11 +0200
Subject: [PATCH] Allow vnc_session_t manage nfs dirs and files conditionally
The permissions set to manage directories and files with the nfs_t type
is allowed when the use_nfs_home_dirs boolean is turned on.
Resolves: https://github.com/TigerVNC/tigervnc/issues/1189
---
unix/vncserver/selinux/vncsession.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
index 86fd6e5ef..46e699117 100644
--- a/unix/vncserver/selinux/vncsession.te
+++ b/unix/vncserver/selinux/vncsession.te
@@ -51,6 +51,11 @@ corecmd_executable_file(vnc_session_exec_t)
mcs_process_set_categories(vnc_session_t)
mcs_killall(vnc_session_t)
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(vnc_session_t)
+ fs_manage_nfs_files(vnc_session_t)
+')
+
optional_policy(`
auth_login_pgm_domain(vnc_session_t)
auth_write_login_records(vnc_session_t)
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
index 46e69911..f1108ec8 100644
--- a/unix/vncserver/selinux/vncsession.te
+++ b/unix/vncserver/selinux/vncsession.te
@@ -20,7 +20,6 @@
policy_module(vncsession, 1.0.0)
gen_require(`
- attribute userdomain;
type xdm_home_t;
')

81
tigervnc.spec
View File

@ -1,6 +1,10 @@
#defining macros needed by SELinux
%global selinuxtype targeted
%global modulename vncsession
Name: tigervnc
Version: 1.11.0
Release: 10%{?dist}
Release: 11%{?dist}
Summary: A TigerVNC remote display system
%global _hardened_build 1
@ -18,15 +22,24 @@ Source4: HOWTO.md
Source5: vncserver
Source6: vncserver.man
Patch1: tigervnc-getmaster.patch
Patch2: tigervnc-utilize-system-crypto-policies.patch
Patch3: tigervnc-passwd-crash-with-malloc-checks.patch
Patch4: tigervnc-systemd-service.patch
Patch2: tigervnc-cursor.patch
Patch3: tigervnc-1.3.1-CVE-2014-8240.patch
Patch4: tigervnc-let-user-know-about-not-using-view-only-password.patch
Patch5: tigervnc-utilize-system-crypto-policies.patch
Patch6: tigervnc-passwd-crash-with-malloc-checks.patch
# Upstream patches
Patch50: tigervnc-tolerate-specifying-boolparam.patch
Patch51: tigervnc-systemd-service.patch
Patch52: tigervnc-correctly-start-vncsession-as-daemon.patch
Patch53: tigervnc-selinux-missing-compression-and-correct-location.patch
Patch54: tigervnc-selinux-policy-improvements.patch
Patch55: tigervnc-argb-runtime-ximage-byteorder-selection.patch
# This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg
Patch100: tigervnc-xserver120.patch
# 1326867 - [RHEL7.3] GLX applications in an Xvnc session fails to start
Patch101: 0001-rpath-hack.patch
BuildRequires: make
BuildRequires: gcc-c++
@ -69,7 +82,7 @@ server.
Summary: A TigerVNC server
Requires: perl-interpreter
Requires: tigervnc-server-minimal = %{version}-%{release}
Requires: tigervnc-selinux = %{version}-%{release}
Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
Requires: xorg-x11-xauth
Requires: xorg-x11-xinit
Requires(post): systemd
@ -126,10 +139,11 @@ This package contains icons for TigerVNC viewer
%package selinux
Summary: SELinux module for TigerVNC
BuildArch: noarch
Requires(pre): libselinux-utils
Requires(post): selinux-policy >= %{_selinux_policy_version}
Requires(post): policycoreutils
Requires(post): libselinux-utils
BuildRequires: selinux-policy-devel
Requires: selinux-policy-%{selinuxtype}
Requires(post): selinux-policy-%{selinuxtype}
BuildRequires: selinux-policy-devel
%{?selinux_requires}
%description selinux
This package provides the SELinux policy module to ensure TigerVNC
@ -144,20 +158,31 @@ for all in `find . -type f -perm -001`; do
chmod -x "$all"
done
%patch100 -p1 -b .xserver120-rebased
%patch101 -p1 -b .rpath
popd
# libvnc.so: don't use unexported GetMaster function (bug #744881 again).
%patch1 -p1 -b .getmaster
# Fixed viewer crash when cursor has not been set (bug #1051333).
%patch2 -p1 -b .cursor
# CVE-2014-8240 tigervnc: integer overflow flaw, leading to a heap-based
# buffer overflow in screen size handling
%patch3 -p1 -b .tigervnc-1.3.1-CVE-2014-8240
# Bug 1447555 - view-only accepts enter, unclear whether default password is generated or not
%patch4 -p1 -b .let-user-know-about-not-using-view-only-password
# Utilize system-wide crypto policies
%patch2 -p1 -b .utilize-system-crypto-policies
%patch5 -p1 -b .utilize-system-crypto-policies.patch
%patch3 -p1 -b .tigervnc-passwd-crash-with-malloc-checks
%patch6 -p1 -b .passwd-crash-with-malloc-checks
# https://github.com/TigerVNC/tigervnc/pull/1115
%patch4 -p1 -b .tigervnc-systemd-service
%patch50 -p1 -b .tigervnc-tolerate-specifying-boolparam
# Upstream patches
%patch50 -p1 -b .tolerate-specifying-boolparam
%patch51 -p1 -b .systemd-service
%patch52 -p1 -b .correctly-start-vncsession-as-daemon
%patch53 -p1 -b .selinux-missing-compression-and-correct-location
%patch54 -p1 -b .selinux-policy-improvements
%patch55 -p1 -b .argb-runtime-ximage-byteorder-selection
%build
%ifarch sparcv9 sparc64 s390 s390x
@ -277,19 +302,16 @@ install -m 644 %{SOURCE4} %{buildroot}/%{_docdir}/tigervnc/HOWTO.md
%systemd_postun xvnc.socket
%pre selinux
%selinux_relabel_pre
%selinux_relabel_pre -s %{selinuxtype}
%post selinux
%selinux_modules_install %{_datadir}/selinux/packages/vncsession.pp
%selinux_relabel_post
%posttrans selinux
%selinux_relabel_post
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
%selinux_relabel_post -s %{selinuxtype}
%postun selinux
%selinux_modules_uninstall vncsession
if [ $1 -eq 0 ]; then
%selinux_relabel_post
%selinux_modules_uninstall -s %{selinuxtype} %{modulename}
%selinux_relabel_post -s %{selinuxtype}
fi
@ -336,9 +358,14 @@ fi
%{_datadir}/icons/hicolor/*/apps/*
%files selinux
%{_datadir}/selinux/packages/vncsession.pp
%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
%changelog
* Tue May 25 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-11
- SELinux improvements
- Backport some CentOS changes
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.11.0-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild