SELinux: restore SELinux context in case of different policies
parent
5d58589e65
commit
b88f0100f9
@ -0,0 +1,81 @@
|
||||
From d2d52704624ce841f4a392fccd82079d87ff13b6 Mon Sep 17 00:00:00 2001
|
||||
From: Jan Grulich <jgrulich@redhat.com>
|
||||
Date: Thu, 11 Nov 2021 13:52:41 +0100
|
||||
Subject: [PATCH] SELinux: restore SELinux context in case of different
|
||||
policies
|
||||
|
||||
---
|
||||
CMakeLists.txt | 13 +++++++++++++
|
||||
unix/vncserver/CMakeLists.txt | 2 +-
|
||||
unix/vncserver/vncsession.c | 16 ++++++++++++++++
|
||||
3 files changed, 30 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/CMakeLists.txt b/CMakeLists.txt
|
||||
index 50247c7da..1708eb3d8 100644
|
||||
--- a/CMakeLists.txt
|
||||
+++ b/CMakeLists.txt
|
||||
@@ -268,6 +268,19 @@ if(UNIX AND NOT APPLE)
|
||||
endif()
|
||||
endif()
|
||||
|
||||
+# Check for SELinux library
|
||||
+if(UNIX AND NOT APPLE)
|
||||
+ check_include_files(selinux/selinux.h HAVE_SELINUX_H)
|
||||
+ if(HAVE_SELINUX_H)
|
||||
+ set(CMAKE_REQUIRED_LIBRARIES -lselinux)
|
||||
+ set(CMAKE_REQUIRED_LIBRARIES)
|
||||
+ set(SELINUX_LIBS selinux)
|
||||
+ add_definitions("-DHAVE_SELINUX")
|
||||
+ else()
|
||||
+ message(WARNING "Could not find SELinux development files")
|
||||
+ endif()
|
||||
+endif()
|
||||
+
|
||||
# Generate config.h and make sure the source finds it
|
||||
configure_file(config.h.in config.h)
|
||||
add_definitions(-DHAVE_CONFIG_H)
|
||||
diff --git a/unix/vncserver/CMakeLists.txt b/unix/vncserver/CMakeLists.txt
|
||||
index f65ccc7db..ae69dc098 100644
|
||||
--- a/unix/vncserver/CMakeLists.txt
|
||||
+++ b/unix/vncserver/CMakeLists.txt
|
||||
@@ -1,5 +1,5 @@
|
||||
add_executable(vncsession vncsession.c)
|
||||
-target_link_libraries(vncsession ${PAM_LIBS})
|
||||
+target_link_libraries(vncsession ${PAM_LIBS} ${SELINUX_LIBS})
|
||||
|
||||
configure_file(vncserver@.service.in vncserver@.service @ONLY)
|
||||
configure_file(vncsession-start.in vncsession-start @ONLY)
|
||||
diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c
|
||||
index 3573e5e9b..f6d2fd59e 100644
|
||||
--- a/unix/vncserver/vncsession.c
|
||||
+++ b/unix/vncserver/vncsession.c
|
||||
@@ -37,6 +37,11 @@
|
||||
#include <sys/types.h>
|
||||
#include <sys/wait.h>
|
||||
|
||||
+#ifdef HAVE_SELINUX
|
||||
+#include <selinux/selinux.h>
|
||||
+#include <selinux/restorecon.h>
|
||||
+#endif
|
||||
+
|
||||
extern char **environ;
|
||||
|
||||
// PAM service name
|
||||
@@ -360,6 +365,17 @@ redir_stdio(const char *homedir, const char *display)
|
||||
syslog(LOG_CRIT, "Failure creating \"%s\": %s", logfile, strerror(errno));
|
||||
_exit(EX_OSERR);
|
||||
}
|
||||
+
|
||||
+#ifdef HAVE_SELINUX
|
||||
+ int result;
|
||||
+ if (selinux_file_context_verify(logfile, 0) == 0) {
|
||||
+ result = selinux_restorecon(logfile, SELINUX_RESTORECON_RECURSE);
|
||||
+
|
||||
+ if (result < 0) {
|
||||
+ syslog(LOG_WARNING, "Failure restoring SELinux context for \"%s\": %s", logfile, strerror(errno));
|
||||
+ }
|
||||
+ }
|
||||
+#endif
|
||||
}
|
||||
|
||||
hostlen = sysconf(_SC_HOST_NAME_MAX);
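Review bot: In the redir_stdio hunk, `selinux_restorecon(logfile, SELINUX_RESTORECON_RECURSE)` requests a recursive relabel for what the preceding "Failure creating" branch shows to be a single log file; `result = selinux_restorecon(logfile, 0);` keeps the relabel to that one path. The path is presumably built from `homedir`, so confirm that this block runs after the session has switched to the target user and not with root privileges; the hunk does not show that, and redir_stdio starts and ends outside it. There is also no `is_selinux_enabled()` guard, so on a host built with libselinux but running without SELinux the zero return from `selinux_file_context_verify()` may trigger a restorecon attempt and a syslog warning at every session start (inferred from the API, not shown here). Separately, in the CMakeLists.txt hunk `set(CMAKE_REQUIRED_LIBRARIES -lselinux)` is cleared on the very next line with no check in between, so only `selinux/selinux.h` is probed, while the library and `selinux/restorecon.h` are not.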
|
@ -4,7 +4,7 @@
|
||||
|
||||
Name: tigervnc
|
||||
Version: 1.12.0
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
Summary: A TigerVNC remote display system
|
||||
|
||||
%global _hardened_build 1
|
||||
@ -23,10 +23,13 @@ Source5: vncserver
|
||||
|
||||
# Downstream patches
|
||||
|
||||
# Upstream patches
|
||||
Patch50: tigervnc-selinux-restore-context-in-case-of-different-policies.patch
|
||||
|
||||
# This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg
|
||||
Patch100: tigervnc-xserver120.patch
|
||||
|
||||
BuildRequires: make
|
||||
BuildRequires: make
|
||||
BuildRequires: gcc-c++
|
||||
BuildRequires: libX11-devel, automake, autoconf, libtool, gettext, gettext-autopoint
|
||||
BuildRequires: libXext-devel, xorg-x11-server-source, libXi-devel
|
||||
@ -36,7 +39,8 @@ BuildRequires: mesa-libGL-devel, libXinerama-devel, xorg-x11-font-utils
|
||||
BuildRequires: freetype-devel, libXdmcp-devel, libxshmfence-devel
|
||||
BuildRequires: libjpeg-turbo-devel, gnutls-devel, pam-devel
|
||||
BuildRequires: libdrm-devel, libXt-devel, pixman-devel,
|
||||
BuildRequires: systemd, cmake, desktop-file-utils, selinux-policy-devel
|
||||
BuildRequires: systemd, cmake, desktop-file-utils
|
||||
BuildRequires: libselinux-devel, selinux-policy-devel
|
||||
%if 0%{?fedora} > 24 || 0%{?rhel} >= 7
|
||||
BuildRequires: libXfont2-devel
|
||||
%else
|
||||
@ -137,6 +141,8 @@ runs properly under an environment with SELinux enabled.
|
||||
%prep
|
||||
%setup -q
|
||||
|
||||
%patch50 -p1 -b .selinux-restore-context-in-case-of-different-policies
|
||||
|
||||
cp -r /usr/share/xorg-x11-server-source/* unix/xserver
|
||||
pushd unix/xserver
|
||||
for all in `find . -type f -perm -001`; do
|
||||
@ -317,6 +323,9 @@ fi
|
||||
%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
|
||||
|
||||
%changelog
|
||||
* Fri Jan 14 2021 Jan Grulich <jgrulich@redhat.com> - 1.12.0-2
|
||||
- SELinux: restore SELinux context in case of different policies
|
||||
|
||||
* Thu Nov 11 2021 Jan Grulich <jgrulich@redhat.com> - 1.12.0-1
|
||||
- 1.12.0
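Review bot: The new %changelog entry is dated `* Fri Jan 14 2021`, which is earlier than the `Thu Nov 11 2021` entry below it, and 14 January 2021 was not a Friday. The year is presumably a typo, and the line should read `* Fri Jan 14 2022 Jan Grulich <jgrulich@redhat.com> - 1.12.0-2`. An out-of-order or wrong-weekday date makes the package history harder to audit when tracing which build first carried the SELinux relabel fix. Patch50 is filed under "# Upstream patches" without a comment pointing at the upstream commit; a one-line reference such as `# <upstream commit URL>` above it would let a reviewer verify the patch against its source.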
|
||||
|
||||
|