From 386542e6d50eeaa68aa91f821c0725ddd0ab9b2a Mon Sep 17 00:00:00 2001 From: Vit Mojzis Date: Tue, 18 May 2021 12:23:15 +0200 Subject: [PATCH] selinux: Fix issues reported by SELint Style guide [1] issues only. No impact on policy functionality. [1] - https://github.com/TresysTechnology/refpolicy/wiki/StyleGuide --- unix/vncserver/selinux/vncsession.te | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te index a773fed39..63ad8a85f 100644 --- a/unix/vncserver/selinux/vncsession.te +++ b/unix/vncserver/selinux/vncsession.te @@ -17,7 +17,7 @@ # USA. # -policy_module(vncsession, 1.0.0); +policy_module(vncsession, 1.0.0) gen_require(` attribute userdomain; @@ -42,8 +42,8 @@ can_exec(vnc_session_t, vnc_session_exec_t) userdom_spec_domtrans_all_users(vnc_session_t) userdom_signal_all_users(vnc_session_t) -allow vnc_session_t self:capability { kill chown dac_override dac_read_search fowner setgid setuid sys_resource }; -allow vnc_session_t self:process { getcap setsched setexec setrlimit }; +allow vnc_session_t self:capability { chown dac_override dac_read_search fowner kill setgid setuid sys_resource }; +allow vnc_session_t self:process { getcap setexec setrlimit setsched }; allow vnc_session_t self:fifo_file rw_fifo_file_perms; manage_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t) @@ -65,4 +65,3 @@ logging_append_all_logs(vnc_session_t) mcs_process_set_categories(vnc_session_t) mcs_killall(vnc_session_t) - From 23cf514ac265a02dc666e8651dcc579022f0da77 Mon Sep 17 00:00:00 2001 From: Zdenek Pytela Date: Tue, 18 May 2021 13:31:53 +0200 Subject: [PATCH] selinux: further style and comprehensibility improvements Sections and rules blocks reordered according to the Style guide. https://github.com/TresysTechnology/refpolicy/wiki/StyleGuide --- unix/vncserver/selinux/vncsession.te | 59 +++++++++++++++++----------- 1 file changed, 36 insertions(+), 23 deletions(-) 
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te index 63ad8a85f..86fd6e5ef 100644 --- a/unix/vncserver/selinux/vncsession.te +++ b/unix/vncserver/selinux/vncsession.te 
@@ -20,48 +20,61 @@ policy_module(vncsession, 1.0.0) gen_require(` - attribute userdomain; - type xdm_home_t; + attribute userdomain; + type xdm_home_t; ') -type vnc_session_exec_t; -corecmd_executable_file(vnc_session_exec_t) type vnc_session_t; +type vnc_session_exec_t; init_daemon_domain(vnc_session_t, vnc_session_exec_t) -auth_login_pgm_domain(vnc_session_t) +can_exec(vnc_session_t, vnc_session_exec_t) type vnc_session_var_run_t; files_pid_file(vnc_session_var_run_t) -allow vnc_session_t vnc_session_var_run_t:file manage_file_perms; -files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file) - -auth_write_login_records(vnc_session_t) - -can_exec(vnc_session_t, vnc_session_exec_t) - -userdom_spec_domtrans_all_users(vnc_session_t) -userdom_signal_all_users(vnc_session_t) allow vnc_session_t self:capability { chown dac_override dac_read_search fowner kill setgid setuid sys_resource }; allow vnc_session_t self:process { getcap setexec setrlimit setsched }; allow vnc_session_t self:fifo_file rw_fifo_file_perms; +allow vnc_session_t vnc_session_var_run_t:file manage_file_perms; +files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file) + manage_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t) manage_fifo_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t) manage_sock_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t) manage_lnk_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t) -userdom_user_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc") -userdom_admin_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc") - -# This also affects other tools, e.g. 
vncpasswd -userdom_admin_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc") -userdom_user_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc") - -miscfiles_read_localization(vnc_session_t) kernel_read_kernel_sysctls(vnc_session_t) -logging_append_all_logs(vnc_session_t) +corecmd_executable_file(vnc_session_exec_t) mcs_process_set_categories(vnc_session_t) mcs_killall(vnc_session_t) + +optional_policy(` + auth_login_pgm_domain(vnc_session_t) + auth_write_login_records(vnc_session_t) +') + +optional_policy(` + logging_append_all_logs(vnc_session_t) +') + +optional_policy(` + miscfiles_read_localization(vnc_session_t) +') + +optional_policy(` + userdom_spec_domtrans_all_users(vnc_session_t) + userdom_signal_all_users(vnc_session_t) + + userdom_user_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc") + userdom_admin_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc") + + # This also affects other tools, e.g. vncpasswd + gen_require(` + attribute userdomain; + ') + userdom_admin_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc") + userdom_user_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc") +') From 3c8622691abfb377b48bf3749dd629c5a7120cf4 Mon Sep 17 00:00:00 2001 From: Zdenek Pytela Date: Tue, 18 May 2021 13:39:11 +0200 Subject: [PATCH] Allow vnc_session_t manage nfs dirs and files conditionally The permissions set to manage directories and files with the nfs_t type is allowed when the use_nfs_home_dirs boolean is turned on. Resolves: https://github.com/TigerVNC/tigervnc/issues/1189 --- unix/vncserver/selinux/vncsession.te | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te index 86fd6e5ef..46e699117 100644 --- a/unix/vncserver/selinux/vncsession.te +++ b/unix/vncserver/selinux/vncsession.te 
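Review bot: In the last `optional_policy` block of the "further style and comprehensibility improvements" patch, the comment `# This also affects other tools, e.g. vncpasswd` under-documents the two calls that pass `userdomain` rather than `vnc_session_t`. Those named transitions apply to every domain carrying the `userdomain` attribute, so a directory called `.vnc` created in a home directory by any of them is labelled `xdm_home_t`, the type `vnc_session_t` is given full manage rights on by the `manage_*_pattern` lines above. I would expand the comment to say so, e.g. `# Named transition for ALL user domains (not only vnc_session_t): a ".vnc" dir created in a home dir is labelled xdm_home_t, e.g. when vncpasswd creates it`. Moving `auth_login_pgm_domain` and the `userdom_*` calls into `optional_policy` also means they are silently dropped if the providing module is absent. If the session cannot work without them, a one-line comment saying that the wrapping is for style-guide conformance only would help.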
@@ -51,6 +51,11 @@ corecmd_executable_file(vnc_session_exec_t) mcs_process_set_categories(vnc_session_t) mcs_killall(vnc_session_t) +tunable_policy(`use_nfs_home_dirs',` + fs_manage_nfs_dirs(vnc_session_t) + fs_manage_nfs_files(vnc_session_t) +') + optional_policy(` auth_login_pgm_domain(vnc_session_t) auth_write_login_records(vnc_session_t) diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te index 46e69911..f1108ec8 100644 --- a/unix/vncserver/selinux/vncsession.te +++ b/unix/vncserver/selinux/vncsession.te @@ -20,7 +20,6 @@ policy_module(vncsession, 1.0.0) gen_require(` - attribute userdomain; type xdm_home_t; ')
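Review bot: The new `tunable_policy(`use_nfs_home_dirs', ...)` block has no comment stating how wide the grant is. `nfs_t` is the generic label for NFS-mounted content, so with the boolean on, `fs_manage_nfs_dirs` and `fs_manage_nfs_files` presumably let `vnc_session_t` manage directories and files on any `nfs_t` mount, not only `~/.vnc`. The same domain holds `dac_override` and `dac_read_search` per the `self:capability` rule shown earlier on this page. A comment such as `# NFS homes are labelled nfs_t, not xdm_home_t; this allows managing all nfs_t dirs/files, not just ~/.vnc` would make that trade-off visible to whoever flips the boolean. The policy also manages fifo, socket and symlink objects under `xdm_home_t`, while only dirs and files are covered for NFS. If `~/.vnc` on NFS needs symlinks, `fs_manage_nfs_symlinks(vnc_session_t)` would be the matching call, which is worth confirming against the referenced issue.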