8df6b161fe
Resolves: RHEL-78617 Add SELinux policy rules allowing to access /proc/sys/fs/nr_open Resolves: RHEL-77973 Add SELinux policy rules allowing to create directories under /root Resolves: RHEL-77975 Fix CVE-2025-26594 xorg-x11-server Use-after-free of the root cursor Resolves: RHEL-80208 Fix CVE-2025-26595 xorg-x11-server Buffer overflow in XkbVModMaskText() Resolves: RHEL-80189 Fix CVE-2025-26596 xorg-x11-server Heap overflow in XkbWriteKeySyms() Resolves: RHEL-80194 Fix CVE-2025-26597 xorg-x11-server Buffer overflow in XkbChangeTypesOfKey() Resolves: RHEL-80196 Fix CVE-2025-26598 xorg-x11-server Out-of-bounds write in CreatePointerBarrierClient() Resolves: RHEL-80197 Fix CVE-2025-26599 xorg-x11-server Use of uninitialized pointer in compRedirectWindow() Resolves: RHEL-80206 Fix CVE-2025-26600 xorg-x11-server Use-after-free in PlayReleasedEvents() Resolves: RHEL-80205 Fix CVE-2025-26601 xorg-x11-server Use-after-free in SyncInitTrigger() Resolves: RHEL-80209
48 lines
1.8 KiB
Diff
48 lines
1.8 KiB
Diff
From e652f06940f84fd8e19d7b674ae8c6000530fb40 Mon Sep 17 00:00:00 2001
|
|
From: Jan Grulich <jgrulich@redhat.com>
|
|
Date: Fri, 7 Feb 2025 15:32:49 +0100
|
|
Subject: [PATCH] Add SELinux policy rules allowing to create directories under
|
|
/root
|
|
|
|
We have policy that allows to create ~/.local or ~/.config, but we don't
|
|
have rule that allows the same under /root directory, where we fail in
|
|
case any of these directories doesn't exist.
|
|
---
|
|
unix/vncserver/selinux/vncsession.te | 10 ++++++++++
|
|
1 file changed, 10 insertions(+)
|
|
|
|
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
|
|
index d92f1bda7d..2f49717077 100644
|
|
--- a/unix/vncserver/selinux/vncsession.te
|
|
+++ b/unix/vncserver/selinux/vncsession.te
|
|
@@ -48,6 +48,14 @@ optional_policy(`
|
|
create_dirs_pattern(vnc_session_t, gconf_home_t, gconf_home_t)
|
|
')
|
|
|
|
+# Allowed to create /root/.local
|
|
+optional_policy(`
|
|
+ gen_require(`
|
|
+ type admin_home_t;
|
|
+ ')
|
|
+ create_dirs_pattern(vnc_session_t, admin_home_t, admin_home_t)
|
|
+')
|
|
+
|
|
# Manage TigerVNC files (mainly ~/.local/state/*.log)
|
|
create_dirs_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
|
|
manage_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
|
|
@@ -88,6 +96,7 @@ optional_policy(`
|
|
gen_require(`
|
|
attribute userdomain;
|
|
type gconf_home_t;
|
|
+ type admin_home_t;
|
|
')
|
|
userdom_admin_home_dir_filetrans(userdomain, vnc_home_t, dir, ".vnc")
|
|
userdom_user_home_dir_filetrans(userdomain, vnc_home_t, dir, ".vnc")
|
|
@@ -95,5 +104,6 @@ optional_policy(`
|
|
gnome_config_filetrans(userdomain, vnc_home_t, dir, "tigervnc")
|
|
gnome_data_filetrans(userdomain, vnc_home_t, dir, "tigervnc")
|
|
filetrans_pattern(userdomain, gconf_home_t, vnc_home_t, dir, "tigervnc")
|
|
+ filetrans_pattern(vnc_session_t, admin_home_t, vnc_home_t, dir, "tigervnc")
|
|
filetrans_pattern(vnc_session_t, gconf_home_t, vnc_home_t, dir, "tigervnc")
|
|
')
|