From 1919a8ab86c99b47ba86dc697abcdf3343b0aafa Mon Sep 17 00:00:00 2001 From: Jan Grulich Date: Tue, 1 Feb 2022 14:31:05 +0100 Subject: Add vncsession-restore script to restore SELinux context The vncsession-restore script is used in the ExecStartPre option for systemd service file in order to properly start the session in case the policy is updated (e.g. after Tigervnc update). diff --git a/unix/vncserver/CMakeLists.txt b/unix/vncserver/CMakeLists.txt index bce1c3e..44c4e2a 100644 --- a/unix/vncserver/CMakeLists.txt +++ b/unix/vncserver/CMakeLists.txt @@ -2,6 +2,7 @@ add_executable(vncsession vncsession.c) target_link_libraries(vncsession ${PAM_LIBS} ${SELINUX_LIBS}) configure_file(vncserver@.service.in vncserver@.service @ONLY) +configure_file(vncsession-restore.in vncsession-restore @ONLY) configure_file(vncsession-start.in vncsession-start @ONLY) configure_file(vncserver.in vncserver @ONLY) @@ -17,4 +18,5 @@ install(FILES vncserver.users DESTINATION ${CMAKE_INSTALL_FULL_SYSCONFDIR}/tiger if(INSTALL_SYSTEMD_UNITS) install(FILES ${CMAKE_CURRENT_BINARY_DIR}/vncserver@.service DESTINATION ${CMAKE_INSTALL_FULL_UNITDIR}) install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/vncsession-start DESTINATION ${CMAKE_INSTALL_FULL_LIBEXECDIR}) + install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/vncsession-restore DESTINATION ${CMAKE_INSTALL_FULL_LIBEXECDIR}) endif() diff --git a/unix/vncserver/vncserver@.service.in b/unix/vncserver/vncserver@.service.in index 5624dff..be62c85 100644 --- a/unix/vncserver/vncserver@.service.in +++ b/unix/vncserver/vncserver@.service.in @@ -35,6 +35,7 @@ After=syslog.target network.target [Service] Type=forking +ExecStartPre=+@CMAKE_INSTALL_FULL_LIBEXECDIR@/vncsession-restore %i ExecStart=@CMAKE_INSTALL_FULL_LIBEXECDIR@/vncsession-start %i PIDFile=/run/vncsession-%i.pid SELinuxContext=system_u:system_r:vnc_session_t:s0 diff --git a/unix/vncserver/vncsession-restore.in b/unix/vncserver/vncsession-restore.in new file mode 100644 index 00000000..d3abc57d --- /dev/null +++ b/unix/vncserver/vncsession-restore.in @@ -0,0 +1,68 @@ +#!/bin/bash +# +# Copyright 2022 Jan Grulich +# +# This is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This software is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this software; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, +# USA. +# + +USERSFILE="@CMAKE_INSTALL_FULL_SYSCONFDIR@/tigervnc/vncserver.users" + +if [ $# -ne 1 ]; then + echo "Syntax:" >&2 + echo " $0 " >&2 + exit 1 +fi + +if [ ! -f "${USERSFILE}" ]; then + echo "Users file ${USERSFILE} missing" >&2 + exit 1 +fi + +DISPLAY="$1" + +USER=`grep "^ *${DISPLAY}=" "${USERSFILE}" 2>/dev/null | head -1 | cut -d = -f 2- | sed 's/ *$//g'` + +if [ -z "${USER}" ]; then + echo "No user configured for display ${DISPLAY}" >&2 + exit 1 +fi + +USER_HOMEDIR=`getent passwd ${USER} | cut -f6 -d:` + +if [ -z "${USER_HOMEDIR}" ]; then + echo "Failed to get home directory for ${USER}" >&2 + exit 1 +fi + +if [ ! -d "${USER_HOMEDIR}/.vnc" ]; then + exit 0 +fi + +MATCHPATHCON=`which matchpathcon` + +if [ $? -eq 0 ]; then + ${MATCHPATHCON} -V "${USER_HOMEDIR}/.vnc" &>/dev/null + if [ $? -eq 0 ]; then + exit 0 + fi +fi + +RESTORECON=`which restorecon` + +if [ $? -eq 0 ]; then + exec "${RESTORECON}" -R "${USER_HOMEDIR}/.vnc" >&2 + return $? +fi