import tigervnc-1.11.0-9.el8

CentOS Sources 2021-11-09 04:53:46 -05:00 committed by Stepan Oksanichenko
parent 23e227fbe7
commit cc3b8c58db
5 changed files with 271 additions and 17 deletions


@ -102,6 +102,12 @@ those you most likely copied to `/etc/systemd/system/vncserver@.service`,
otherwise this service file will be preferred over the new one installed with otherwise this service file will be preferred over the new one installed with
latest Tigervnc. latest Tigervnc.
If you want to use a remote NFS server for the home directories on this machine,
you must set the use_nfs_home_dirs boolean:
```
setsebool -P use_nfs_home_dirs on
```
# Limitations # Limitations
You will not be able to start a Tigervnc server for a user who is already You will not be able to start a Tigervnc server for a user who is already
logged into a graphical session. Avoid running the server as the `root` user as logged into a graphical session. Avoid running the server as the `root` user as


@ -0,0 +1,39 @@
From 6125695b80f6a43002f454786115b0a6c1730831 Mon Sep 17 00:00:00 2001
From: Jan Grulich <jgrulich@redhat.com>
Date: Mon, 17 May 2021 13:44:32 +0200
Subject: [PATCH] SELinux: Add missing compression and install policy to
correct directory
---
unix/vncserver/selinux/Makefile | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/unix/vncserver/selinux/Makefile b/unix/vncserver/selinux/Makefile
index 7497bf846..b23f20f60 100644
--- a/unix/vncserver/selinux/Makefile
+++ b/unix/vncserver/selinux/Makefile
@@ -10,15 +10,18 @@
PREFIX=/usr
DATADIR=$(PREFIX)/share
-all: vncsession.pp
+all: vncsession.pp.bz2
+
+%.pp.bz2: %.pp
+ bzip2 -9 $^
%.pp: %.te
make -f $(DATADIR)/selinux/devel/Makefile $@
clean:
- rm -f *.pp
+ rm -f *.pp *.pp.bz2
rm -rf tmp
-install: vncsession.pp
- mkdir -p $(DESTDIR)$(DATADIR)/selinux/packages
- install vncsession.pp $(DESTDIR)$(DATADIR)/selinux/packages/vncsession.pp
+install: vncsession.pp.bz2
+ mkdir -p $(DESTDIR)$(DATADIR)/selinux/packages/targeted/
+ install vncsession.pp.bz2 $(DESTDIR)$(DATADIR)/selinux/packages/targeted/vncsession.pp.bz2
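Review bot: The new `%.pp.bz2: %.pp` recipe runs `bzip2 -9 $^` without `-f`, so once `vncsession.pp.bz2` exists, a rebuild after editing `vncsession.te` should fail because bzip2 refuses to overwrite its output. The tree then keeps a stale compressed policy until `make clean` is run. Writing the recipe as `bzip2 -9 -f $^` (or `bzip2 -9 -c $< > $@`) keeps the packaged module in step with the policy source. The `install` line in the `install` target also sets no mode, so the policy package gets install's default executable mode; `install -m 0644 vncsession.pp.bz2 ...` would suit a data file better.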


@ -0,0 +1,183 @@
From 386542e6d50eeaa68aa91f821c0725ddd0ab9b2a Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 18 May 2021 12:23:15 +0200
Subject: [PATCH] selinux: Fix issues reported by SELint
Style guide [1] issues only. No impact on policy functionality.
[1] - https://github.com/TresysTechnology/refpolicy/wiki/StyleGuide
---
unix/vncserver/selinux/vncsession.te | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
index a773fed39..63ad8a85f 100644
--- a/unix/vncserver/selinux/vncsession.te
+++ b/unix/vncserver/selinux/vncsession.te
@@ -17,7 +17,7 @@
# USA.
#
-policy_module(vncsession, 1.0.0);
+policy_module(vncsession, 1.0.0)
gen_require(`
attribute userdomain;
@@ -42,8 +42,8 @@ can_exec(vnc_session_t, vnc_session_exec_t)
userdom_spec_domtrans_all_users(vnc_session_t)
userdom_signal_all_users(vnc_session_t)
-allow vnc_session_t self:capability { kill chown dac_override dac_read_search fowner setgid setuid sys_resource };
-allow vnc_session_t self:process { getcap setsched setexec setrlimit };
+allow vnc_session_t self:capability { chown dac_override dac_read_search fowner kill setgid setuid sys_resource };
+allow vnc_session_t self:process { getcap setexec setrlimit setsched };
allow vnc_session_t self:fifo_file rw_fifo_file_perms;
manage_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
@@ -65,4 +65,3 @@ logging_append_all_logs(vnc_session_t)
mcs_process_set_categories(vnc_session_t)
mcs_killall(vnc_session_t)
-
From 23cf514ac265a02dc666e8651dcc579022f0da77 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 18 May 2021 13:31:53 +0200
Subject: [PATCH] selinux: further style and comprehensibility improvements
Sections and rules blocks reordered according to the Style guide.
https://github.com/TresysTechnology/refpolicy/wiki/StyleGuide
---
unix/vncserver/selinux/vncsession.te | 59 +++++++++++++++++-----------
1 file changed, 36 insertions(+), 23 deletions(-)
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
index 63ad8a85f..86fd6e5ef 100644
--- a/unix/vncserver/selinux/vncsession.te
+++ b/unix/vncserver/selinux/vncsession.te
@@ -20,48 +20,61 @@
policy_module(vncsession, 1.0.0)
gen_require(`
- attribute userdomain;
- type xdm_home_t;
+ attribute userdomain;
+ type xdm_home_t;
')
-type vnc_session_exec_t;
-corecmd_executable_file(vnc_session_exec_t)
type vnc_session_t;
+type vnc_session_exec_t;
init_daemon_domain(vnc_session_t, vnc_session_exec_t)
-auth_login_pgm_domain(vnc_session_t)
+can_exec(vnc_session_t, vnc_session_exec_t)
type vnc_session_var_run_t;
files_pid_file(vnc_session_var_run_t)
-allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
-files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
-
-auth_write_login_records(vnc_session_t)
-
-can_exec(vnc_session_t, vnc_session_exec_t)
-
-userdom_spec_domtrans_all_users(vnc_session_t)
-userdom_signal_all_users(vnc_session_t)
allow vnc_session_t self:capability { chown dac_override dac_read_search fowner kill setgid setuid sys_resource };
allow vnc_session_t self:process { getcap setexec setrlimit setsched };
allow vnc_session_t self:fifo_file rw_fifo_file_perms;
+allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
+files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
+
manage_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
manage_fifo_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
manage_sock_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
manage_lnk_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
-userdom_user_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
-userdom_admin_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
-
-# This also affects other tools, e.g. vncpasswd
-userdom_admin_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
-userdom_user_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
-
-miscfiles_read_localization(vnc_session_t)
kernel_read_kernel_sysctls(vnc_session_t)
-logging_append_all_logs(vnc_session_t)
+corecmd_executable_file(vnc_session_exec_t)
mcs_process_set_categories(vnc_session_t)
mcs_killall(vnc_session_t)
+
+optional_policy(`
+ auth_login_pgm_domain(vnc_session_t)
+ auth_write_login_records(vnc_session_t)
+')
+
+optional_policy(`
+ logging_append_all_logs(vnc_session_t)
+')
+
+optional_policy(`
+ miscfiles_read_localization(vnc_session_t)
+')
+
+optional_policy(`
+ userdom_spec_domtrans_all_users(vnc_session_t)
+ userdom_signal_all_users(vnc_session_t)
+
+ userdom_user_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
+ userdom_admin_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
+
+ # This also affects other tools, e.g. vncpasswd
+ gen_require(`
+ attribute userdomain;
+ ')
+ userdom_admin_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
+ userdom_user_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
+')
From 3c8622691abfb377b48bf3749dd629c5a7120cf4 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 18 May 2021 13:39:11 +0200
Subject: [PATCH] Allow vnc_session_t manage nfs dirs and files conditionally
The permissions set to manage directories and files with the nfs_t type
is allowed when the use_nfs_home_dirs boolean is turned on.
Resolves: https://github.com/TigerVNC/tigervnc/issues/1189
---
unix/vncserver/selinux/vncsession.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
index 86fd6e5ef..46e699117 100644
--- a/unix/vncserver/selinux/vncsession.te
+++ b/unix/vncserver/selinux/vncsession.te
@@ -51,6 +51,11 @@ corecmd_executable_file(vnc_session_exec_t)
mcs_process_set_categories(vnc_session_t)
mcs_killall(vnc_session_t)
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(vnc_session_t)
+ fs_manage_nfs_files(vnc_session_t)
+')
+
optional_policy(`
auth_login_pgm_domain(vnc_session_t)
auth_write_login_records(vnc_session_t)
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
index 46e69911..f1108ec8 100644
--- a/unix/vncserver/selinux/vncsession.te
+++ b/unix/vncserver/selinux/vncsession.te
@@ -20,7 +20,6 @@
policy_module(vncsession, 1.0.0)
gen_require(`
- attribute userdomain;
type xdm_home_t;
')
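Review bot: The `tunable_policy` block keyed on `use_nfs_home_dirs` grants `fs_manage_nfs_dirs` and `fs_manage_nfs_files` to `vnc_session_t` without saying how far that access reaches. As far as I know `nfs_t` labels any NFS mount that has no explicit context, not only home directories, so turning the boolean on would let the domain manage content on every such export. I would record that above the block, e.g. `# nfs_t is not limited to home directories: with use_nfs_home_dirs on, vnc_session_t can manage files on any NFS mount labelled nfs_t`, and repeat the caveat next to the `setsebool -P use_nfs_home_dirs on` instruction in the HOWTO. The local `xdm_home_t` rules also cover fifo, socket and symlink objects, while the NFS branch covers only directories and files; worth confirming that the difference is intended.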


@ -60,7 +60,14 @@ $defaultXStartup
= ("#!/bin/sh\n\n". = ("#!/bin/sh\n\n".
"unset SESSION_MANAGER\n". "unset SESSION_MANAGER\n".
"unset DBUS_SESSION_BUS_ADDRESS\n". "unset DBUS_SESSION_BUS_ADDRESS\n".
"exec /etc/X11/xinit/xinitrc\n"); "/etc/X11/xinit/xinitrc\n".
"# Assume either Gnome will be started by default when installed\n".
"# We want to kill the session automatically in this case when user logs out. In case you modify\n".
"# /etc/X11/xinit/Xclients or ~/.Xclients yourself to achieve a different result, then you should\n".
"# be responsible to modify below code to avoid that your session will be automatically killed\n".
"if [ -e /usr/bin/gnome-session ]; then\n".
" vncserver -kill \$DISPLAY\n".
"fi\n");
$defaultConfig $defaultConfig
= ("## Supported server options to pass to vncserver upon invocation can be listed\n". = ("## Supported server options to pass to vncserver upon invocation can be listed\n".
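Review bot: The generated xstartup now runs `vncserver -kill \$DISPLAY` whenever `[ -e /usr/bin/gnome-session ]` holds, which tests that GNOME is installed rather than that the session which just returned was GNOME. Any other session started through Xclients would therefore also have its server killed on exit on a host where the GNOME package is present. The embedded comment admits this but leaves the fix to the user. The variable is expanded unquoted and `vncserver` is resolved through the user's PATH; calling it by absolute path with `-kill \"\$DISPLAY\"` and testing with `-x` instead of `-e` would be tighter. The `$defaultXStartup` assignment begins above this hunk.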


@ -1,6 +1,11 @@
#defining macros needed by SELinux
%global selinuxtype targeted
%global modulename vncsession
Name: tigervnc Name: tigervnc
Version: 1.11.0 Version: 1.11.0
Release: 6%{?dist} Release: 9%{?dist}
Summary: A TigerVNC remote display system Summary: A TigerVNC remote display system
%global _hardened_build 1 %global _hardened_build 1
@ -31,6 +36,8 @@ Patch13: tigervnc-use-gnome-as-default-session.patch
Patch50: tigervnc-tolerate-specifying-boolparam.patch Patch50: tigervnc-tolerate-specifying-boolparam.patch
Patch51: tigervnc-systemd-service.patch Patch51: tigervnc-systemd-service.patch
Patch52: tigervnc-correctly-start-vncsession-as-daemon.patch Patch52: tigervnc-correctly-start-vncsession-as-daemon.patch
Patch53: tigervnc-selinux-missing-compression-and-correct-location.patch
Patch54: tigervnc-selinux-policy-improvements.patch
# This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg # This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg
Patch100: tigervnc-xserver120.patch Patch100: tigervnc-xserver120.patch
@ -77,7 +84,7 @@ server.
Summary: A TigerVNC server Summary: A TigerVNC server
Requires: perl-interpreter Requires: perl-interpreter
Requires: tigervnc-server-minimal = %{version}-%{release} Requires: tigervnc-server-minimal = %{version}-%{release}
Requires: tigervnc-selinux = %{version}-%{release} Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
Requires: xorg-x11-xauth Requires: xorg-x11-xauth
Requires: xorg-x11-xinit Requires: xorg-x11-xinit
Requires(post): systemd Requires(post): systemd
@ -132,10 +139,11 @@ This package contains icons for TigerVNC viewer
%package selinux %package selinux
Summary: SELinux module for TigerVNC Summary: SELinux module for TigerVNC
BuildArch: noarch BuildArch: noarch
Requires(pre): libselinux-utils BuildRequires: selinux-policy-devel
Requires(post): selinux-policy >= %{_selinux_policy_version} Requires: selinux-policy-%{selinuxtype}
Requires(post): policycoreutils Requires(post): selinux-policy-%{selinuxtype}
Requires(post): libselinux-utils BuildRequires: selinux-policy-devel
%{?selinux_requires}
%description selinux %description selinux
This package provides the SELinux policy module to ensure TigerVNC This package provides the SELinux policy module to ensure TigerVNC
@ -179,6 +187,8 @@ popd
%patch50 -p1 -b .tolerate-specifying-boolparam %patch50 -p1 -b .tolerate-specifying-boolparam
%patch51 -p1 -b .systemd-service %patch51 -p1 -b .systemd-service
%patch52 -p1 -b .correctly-start-vncsession-as-daemon %patch52 -p1 -b .correctly-start-vncsession-as-daemon
%patch53 -p1 -b .selinux-missing-compression-and-correct-location
%patch54 -p1 -b .selinux-policy-improvements
%build %build
%ifarch sparcv9 sparc64 s390 s390x %ifarch sparcv9 sparc64 s390 s390x
@ -277,19 +287,16 @@ install -m 644 %{SOURCE4} %{buildroot}/%{_docdir}/tigervnc/HOWTO.md
%systemd_postun xvnc.socket %systemd_postun xvnc.socket
%pre selinux %pre selinux
%selinux_relabel_pre %selinux_relabel_pre -s %{selinuxtype}
%post selinux %post selinux
%selinux_modules_install %{_datadir}/selinux/packages/vncsession.pp %selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
%selinux_relabel_post %selinux_relabel_post -s %{selinuxtype}
%posttrans selinux
%selinux_relabel_post
%postun selinux %postun selinux
%selinux_modules_uninstall vncsession
if [ $1 -eq 0 ]; then if [ $1 -eq 0 ]; then
%selinux_relabel_post %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
%selinux_relabel_post -s %{selinuxtype}
fi fi
@ -336,10 +343,22 @@ fi
%{_datadir}/icons/hicolor/*/apps/* %{_datadir}/icons/hicolor/*/apps/*
%files selinux %files selinux
%{_datadir}/selinux/packages/vncsession.pp %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
%changelog %changelog
* Mon Jul 19 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-9
- Fix logout from VNC session using vncserver
Resolves: bz#1983706
* Tue Jun 01 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-8
- Run all SELinux RPM macros on correct package
Resolves: bz#1907963
* Mon May 17 2021 Jan Grulich <jgrulich@redhat.com> - 1.11.0-7
- SELinux improvements
Resolves: bz#1907963
* Tue Dec 15 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-6 * Tue Dec 15 2020 Jan Grulich <jgrulich@redhat.com> - 1.11.0-6
- Use GNOME as default session - Use GNOME as default session
Resolves: bz#1853608 Resolves: bz#1853608
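Review bot: `%selinux_relabel_post -s %{selinuxtype}` now appears to run only from `%post selinux` and `%postun selinux`, with the `%posttrans selinux` scriptlet dropped. If that reading is right, files that other packages install later in the same transaction may not be covered by the relabel that follows loading the module. Keeping a `%posttrans selinux` scriptlet containing `%selinux_relabel_post -s %{selinuxtype}` would close that gap. The rewritten `Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})` also loses the `= %{version}-%{release}` pin the old line had, so a server build can be paired with a policy module from a different release. `BuildRequires: selinux-policy-devel` is listed twice in the selinux subpackage.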