import tigervnc-1.12.0-4.el8

2022-02-18 08:20:15 +00:00 · 2022-02-18 08:20:15 +00:00 · 8dbf5bacd8
commit 8dbf5bacd8
parent 2c1e9f3151
3 changed files with 153 additions and 2 deletions
--- a/SOURCES/tigervnc-root-user-selinux-context.patch
+++ b/SOURCES/tigervnc-root-user-selinux-context.patch
@ -0,0 +1,25 @@
+From faf81b4b238e24fe29eb53f885a25367e212dd7b Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Mon, 7 Feb 2022 10:45:41 +0100
+Subject: [PATCH] SELinux: use /root/.vnc in file context specification
+
+Instead of HOME_ROOT/.vnc, /root/.vnc should be used
+for user root's home to specify default file context
+as HOME_ROOT actually means base for home dirs (usually /home).
+---
+ unix/vncserver/selinux/vncsession.fc | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/unix/vncserver/selinux/vncsession.fc b/unix/vncserver/selinux/vncsession.fc
+index 6aaf4b1f4..bc81f8f25 100644
+--- a/unix/vncserver/selinux/vncsession.fc
+++ b/unix/vncserver/selinux/vncsession.fc
+@@ -18,7 +18,7 @@
+ #
+
+ HOME_DIR/\.vnc(/.*)?      gen_context(system_u:object_r:vnc_home_t,s0)
+-HOME_ROOT/\.vnc(/.*)?      gen_context(system_u:object_r:vnc_home_t,s0)
+/root/\.vnc(/.*)?      gen_context(system_u:object_r:vnc_home_t,s0)
+
+ /usr/sbin/vncsession			--	gen_context(system_u:object_r:vnc_session_exec_t,s0)
+ /usr/libexec/vncsession-start		--	gen_context(system_u:object_r:vnc_session_exec_t,s0)
--- a/SOURCES/tigervnc-vncsession-restore-script-systemd-service.patch
+++ b/SOURCES/tigervnc-vncsession-restore-script-systemd-service.patch
@ -0,0 +1,113 @@
+From 1919a8ab86c99b47ba86dc697abcdf3343b0aafa Mon Sep 17 00:00:00 2001
+From: Jan Grulich <jgrulich@redhat.com>
+Date: Tue, 1 Feb 2022 14:31:05 +0100
+Subject: Add vncsession-restore script to restore SELinux context
+
+The vncsession-restore script is used in the ExecStartPre option
+for systemd service file in order to properly start the session
+in case the policy is updated (e.g. after Tigervnc update).
+
+diff --git a/unix/vncserver/CMakeLists.txt b/unix/vncserver/CMakeLists.txt
+index ae69dc09..04eb6fc4 100644
+--- a/unix/vncserver/CMakeLists.txt
+++ b/unix/vncserver/CMakeLists.txt
+@@ -2,6 +2,7 @@ add_executable(vncsession vncsession.c)
+ target_link_libraries(vncsession ${PAM_LIBS} ${SELINUX_LIBS})
+ 
+ configure_file(vncserver@.service.in vncserver@.service @ONLY)
+configure_file(vncsession-restore.in vncsession-restore @ONLY)
+ configure_file(vncsession-start.in vncsession-start @ONLY)
+ configure_file(vncserver.in vncserver @ONLY)
+ configure_file(vncsession.man.in vncsession.man @ONLY)
+@@ -20,4 +21,5 @@ install(FILES HOWTO.md DESTINATION ${CMAKE_INSTALL_FULL_DOCDIR})
+ if(INSTALL_SYSTEMD_UNITS)
+   install(FILES ${CMAKE_CURRENT_BINARY_DIR}/vncserver@.service DESTINATION ${CMAKE_INSTALL_FULL_UNITDIR})
+   install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/vncsession-start DESTINATION ${CMAKE_INSTALL_FULL_LIBEXECDIR})
+  install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/vncsession-restore DESTINATION ${CMAKE_INSTALL_FULL_LIBEXECDIR})
+ endif()
+diff --git a/unix/vncserver/vncserver@.service.in b/unix/vncserver/vncserver@.service.in
+index 39f81b73..a83e05a3 100644
+--- a/unix/vncserver/vncserver@.service.in
+++ b/unix/vncserver/vncserver@.service.in
+@@ -35,6 +35,7 @@ After=syslog.target network.target
+ 
+ [Service]
+ Type=forking
+ExecStartPre=+@CMAKE_INSTALL_FULL_LIBEXECDIR@/vncsession-restore %i
+ ExecStart=@CMAKE_INSTALL_FULL_LIBEXECDIR@/vncsession-start %i
+ PIDFile=/run/vncsession-%i.pid
+ SELinuxContext=system_u:system_r:vnc_session_t:s0
+diff --git a/unix/vncserver/vncsession-restore.in b/unix/vncserver/vncsession-restore.in
+new file mode 100644
+index 00000000..d3abc57d
+--- /dev/null
+++ b/unix/vncserver/vncsession-restore.in
+@@ -0,0 +1,68 @@
+#!/bin/bash
+#
+#  Copyright 2022 Jan Grulich <jgrulich@redhat.com>
+#
+#  This is free software; you can redistribute it and/or modify
+#  it under the terms of the GNU General Public License as published by
+#  the Free Software Foundation; either version 2 of the License, or
+#  (at your option) any later version.
+#
+#  This software is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#  GNU General Public License for more details.
+#
+#  You should have received a copy of the GNU General Public License
+#  along with this software; if not, write to the Free Software
+#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307,
+#  USA.
+#
+
+USERSFILE="@CMAKE_INSTALL_FULL_SYSCONFDIR@/tigervnc/vncserver.users"
+
+if [ $# -ne 1 ]; then
+	echo "Syntax:" >&2
+	echo "    $0 <display>" >&2
+	exit 1
+fi
+
+if [ ! -f "${USERSFILE}" ]; then
+	echo "Users file ${USERSFILE} missing" >&2
+	exit 1
+fi
+
+DISPLAY="$1"
+
+USER=`grep "^ *${DISPLAY}=" "${USERSFILE}" 2>/dev/null | head -1 | cut -d = -f 2- | sed 's/ *$//g'`
+
+if [ -z "${USER}" ]; then
+	echo "No user configured for display ${DISPLAY}" >&2
+	exit 1
+fi
+
+USER_HOMEDIR=`getent passwd ${USER} | cut -f6 -d:`
+
+if [ -z "${USER_HOMEDIR}" ]; then
+	echo "Failed to get home directory for ${USER}" >&2
+	exit 1
+fi
+
+if [ ! -d "${USER_HOMEDIR}/.vnc" ]; then
+	exit 0
+fi
+
+MATCHPATHCON=`which matchpathcon`
+
+if [ $? -eq 0 ]; then
+	${MATCHPATHCON} -V "${USER_HOMEDIR}/.vnc" &>/dev/null
+	if [ $? -eq 0 ]; then
+		exit 0
+	fi
+fi
+
+RESTORECON=`which restorecon`
+
+if [ $? -eq 0 ]; then
+	exec "${RESTORECON}" -R "${USER_HOMEDIR}/.vnc" >&2
+	return $?
+fi
--- a/SPECS/tigervnc.spec
+++ b/SPECS/tigervnc.spec
@ -5,7 +5,7 @@

 Name:           tigervnc
 Version:        1.12.0
-Release:        3%{?dist}
+Release:        4%{?dist}
 Summary:        A TigerVNC remote display system

 %global _hardened_build 1
@ -26,6 +26,8 @@ Patch1:         tigervnc-use-gnome-as-default-session.patch
 # Upstream patches
 Patch50:        tigervnc-selinux-restore-context-in-case-of-different-policies.patch
 Patch51:        tigervnc-fix-typo-in-mirror-monitor-detection.patch
+Patch52:        tigervnc-root-user-selinux-context.patch
+Patch53:        tigervnc-vncsession-restore-script-systemd-service.patch

 # This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg
 Patch100:       tigervnc-xserver120.patch
@ -132,6 +134,10 @@ BuildRequires:  selinux-policy-devel
 Requires:       selinux-policy-%{selinuxtype}
 Requires(post): selinux-policy-%{selinuxtype}
 BuildRequires:  selinux-policy-devel
+# Required for matchpathcon
+Requires:       libselinux-utils
+# Required for restorecon
+Requires:       policycoreutils
 %{?selinux_requires}

 %description selinux
@ -155,7 +161,8 @@ popd
 # Upstream patches
 %patch50 -p1 -b .selinux-restore-context-in-case-of-different-policies
 %patch51 -p1 -b .fix-typo-in-mirror-monitor-detection
-
+%patch52 -p1 -b .root-user-selinux-context
+%patch53 -p1 -b .vncsession-restore-script-systemd-service

 %build
 %ifarch sparcv9 sparc64 s390 s390x
@ -281,6 +288,7 @@ fi
 %{_sbindir}/vncsession
 %{_libexecdir}/vncserver
 %{_libexecdir}/vncsession-start
+%{_libexecdir}/vncsession-restore
 %{_mandir}/man1/x0vncserver.1*
 %{_mandir}/man8/vncserver.8*
 %{_mandir}/man8/vncsession.8*
@ -309,6 +317,11 @@ fi
 %ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}

 %changelog
+* Tue Feb 08 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-4
+- Added vncsession-restore script for SELinux policy migration
+  Fix SELinux context for root user
+  Resolves: bz#2021892
+
 * Fri Jan 21 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-3
 - Fix crash in vncviewer
  Resolves: bz#2021892