tigervnc/tigervnc-selinux-policy-improvements.patch
Jan Grulich 7386fac05b SELinux improvements
Resolves: bz#1961488
2021-05-25 13:17:07 +02:00

184 lines
6.3 KiB
Diff

From 386542e6d50eeaa68aa91f821c0725ddd0ab9b2a Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 18 May 2021 12:23:15 +0200
Subject: [PATCH] selinux: Fix issues reported by SELint
Style guide [1] issues only. No impact on policy functionality.
[1] - https://github.com/TresysTechnology/refpolicy/wiki/StyleGuide
---
unix/vncserver/selinux/vncsession.te | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
index a773fed39..63ad8a85f 100644
--- a/unix/vncserver/selinux/vncsession.te
+++ b/unix/vncserver/selinux/vncsession.te
@@ -17,7 +17,7 @@
# USA.
#
-policy_module(vncsession, 1.0.0);
+policy_module(vncsession, 1.0.0)
gen_require(`
attribute userdomain;
@@ -42,8 +42,8 @@ can_exec(vnc_session_t, vnc_session_exec_t)
userdom_spec_domtrans_all_users(vnc_session_t)
userdom_signal_all_users(vnc_session_t)
-allow vnc_session_t self:capability { kill chown dac_override dac_read_search fowner setgid setuid sys_resource };
-allow vnc_session_t self:process { getcap setsched setexec setrlimit };
+allow vnc_session_t self:capability { chown dac_override dac_read_search fowner kill setgid setuid sys_resource };
+allow vnc_session_t self:process { getcap setexec setrlimit setsched };
allow vnc_session_t self:fifo_file rw_fifo_file_perms;
manage_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
@@ -65,4 +65,3 @@ logging_append_all_logs(vnc_session_t)
mcs_process_set_categories(vnc_session_t)
mcs_killall(vnc_session_t)
-
From 23cf514ac265a02dc666e8651dcc579022f0da77 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 18 May 2021 13:31:53 +0200
Subject: [PATCH] selinux: further style and comprehensibility improvements
Sections and rules blocks reordered according to the Style guide.
https://github.com/TresysTechnology/refpolicy/wiki/StyleGuide
---
unix/vncserver/selinux/vncsession.te | 59 +++++++++++++++++-----------
1 file changed, 36 insertions(+), 23 deletions(-)
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
index 63ad8a85f..86fd6e5ef 100644
--- a/unix/vncserver/selinux/vncsession.te
+++ b/unix/vncserver/selinux/vncsession.te
@@ -20,48 +20,61 @@
policy_module(vncsession, 1.0.0)
gen_require(`
- attribute userdomain;
- type xdm_home_t;
+ attribute userdomain;
+ type xdm_home_t;
')
-type vnc_session_exec_t;
-corecmd_executable_file(vnc_session_exec_t)
type vnc_session_t;
+type vnc_session_exec_t;
init_daemon_domain(vnc_session_t, vnc_session_exec_t)
-auth_login_pgm_domain(vnc_session_t)
+can_exec(vnc_session_t, vnc_session_exec_t)
type vnc_session_var_run_t;
files_pid_file(vnc_session_var_run_t)
-allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
-files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
-
-auth_write_login_records(vnc_session_t)
-
-can_exec(vnc_session_t, vnc_session_exec_t)
-
-userdom_spec_domtrans_all_users(vnc_session_t)
-userdom_signal_all_users(vnc_session_t)
allow vnc_session_t self:capability { chown dac_override dac_read_search fowner kill setgid setuid sys_resource };
allow vnc_session_t self:process { getcap setexec setrlimit setsched };
allow vnc_session_t self:fifo_file rw_fifo_file_perms;
+allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
+files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
+
manage_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
manage_fifo_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
manage_sock_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
manage_lnk_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
-userdom_user_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
-userdom_admin_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
-
-# This also affects other tools, e.g. vncpasswd
-userdom_admin_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
-userdom_user_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
-
-miscfiles_read_localization(vnc_session_t)
kernel_read_kernel_sysctls(vnc_session_t)
-logging_append_all_logs(vnc_session_t)
+corecmd_executable_file(vnc_session_exec_t)
mcs_process_set_categories(vnc_session_t)
mcs_killall(vnc_session_t)
+
+optional_policy(`
+ auth_login_pgm_domain(vnc_session_t)
+ auth_write_login_records(vnc_session_t)
+')
+
+optional_policy(`
+ logging_append_all_logs(vnc_session_t)
+')
+
+optional_policy(`
+ miscfiles_read_localization(vnc_session_t)
+')
+
+optional_policy(`
+ userdom_spec_domtrans_all_users(vnc_session_t)
+ userdom_signal_all_users(vnc_session_t)
+
+ userdom_user_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
+ userdom_admin_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
+
+ # This also affects other tools, e.g. vncpasswd
+ gen_require(`
+ attribute userdomain;
+ ')
+ userdom_admin_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
+ userdom_user_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
+')
From 3c8622691abfb377b48bf3749dd629c5a7120cf4 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 18 May 2021 13:39:11 +0200
Subject: [PATCH] Allow vnc_session_t manage nfs dirs and files conditionally
The permissions set to manage directories and files with the nfs_t type
is allowed when the use_nfs_home_dirs boolean is turned on.
Resolves: https://github.com/TigerVNC/tigervnc/issues/1189
---
unix/vncserver/selinux/vncsession.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
index 86fd6e5ef..46e699117 100644
--- a/unix/vncserver/selinux/vncsession.te
+++ b/unix/vncserver/selinux/vncsession.te
@@ -51,6 +51,11 @@ corecmd_executable_file(vnc_session_exec_t)
mcs_process_set_categories(vnc_session_t)
mcs_killall(vnc_session_t)
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(vnc_session_t)
+ fs_manage_nfs_files(vnc_session_t)
+')
+
optional_policy(`
auth_login_pgm_domain(vnc_session_t)
auth_write_login_records(vnc_session_t)
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
index 46e69911..f1108ec8 100644
--- a/unix/vncserver/selinux/vncsession.te
+++ b/unix/vncserver/selinux/vncsession.te
@@ -20,7 +20,6 @@
policy_module(vncsession, 1.0.0)
gen_require(`
- attribute userdomain;
type xdm_home_t;
')