184 lines
6.3 KiB
Diff
184 lines
6.3 KiB
Diff
From 386542e6d50eeaa68aa91f821c0725ddd0ab9b2a Mon Sep 17 00:00:00 2001
|
|
From: Vit Mojzis <vmojzis@redhat.com>
|
|
Date: Tue, 18 May 2021 12:23:15 +0200
|
|
Subject: [PATCH] selinux: Fix issues reported by SELint
|
|
|
|
Style guide [1] issues only. No impact on policy functionality.
|
|
|
|
[1] - https://github.com/TresysTechnology/refpolicy/wiki/StyleGuide
|
|
---
|
|
unix/vncserver/selinux/vncsession.te | 7 +++----
|
|
1 file changed, 3 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
|
|
index a773fed39..63ad8a85f 100644
|
|
--- a/unix/vncserver/selinux/vncsession.te
|
|
+++ b/unix/vncserver/selinux/vncsession.te
|
|
@@ -17,7 +17,7 @@
|
|
# USA.
|
|
#
|
|
|
|
-policy_module(vncsession, 1.0.0);
|
|
+policy_module(vncsession, 1.0.0)
|
|
|
|
gen_require(`
|
|
attribute userdomain;
|
|
@@ -42,8 +42,8 @@ can_exec(vnc_session_t, vnc_session_exec_t)
|
|
userdom_spec_domtrans_all_users(vnc_session_t)
|
|
userdom_signal_all_users(vnc_session_t)
|
|
|
|
-allow vnc_session_t self:capability { kill chown dac_override dac_read_search fowner setgid setuid sys_resource };
|
|
-allow vnc_session_t self:process { getcap setsched setexec setrlimit };
|
|
+allow vnc_session_t self:capability { chown dac_override dac_read_search fowner kill setgid setuid sys_resource };
|
|
+allow vnc_session_t self:process { getcap setexec setrlimit setsched };
|
|
allow vnc_session_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
manage_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
|
|
@@ -65,4 +65,3 @@ logging_append_all_logs(vnc_session_t)
|
|
|
|
mcs_process_set_categories(vnc_session_t)
|
|
mcs_killall(vnc_session_t)
|
|
-
|
|
From 23cf514ac265a02dc666e8651dcc579022f0da77 Mon Sep 17 00:00:00 2001
|
|
From: Zdenek Pytela <zpytela@redhat.com>
|
|
Date: Tue, 18 May 2021 13:31:53 +0200
|
|
Subject: [PATCH] selinux: further style and comprehensibility improvements
|
|
|
|
Sections and rules blocks reordered according to the Style guide.
|
|
|
|
https://github.com/TresysTechnology/refpolicy/wiki/StyleGuide
|
|
---
|
|
unix/vncserver/selinux/vncsession.te | 59 +++++++++++++++++-----------
|
|
1 file changed, 36 insertions(+), 23 deletions(-)
|
|
|
|
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
|
|
index 63ad8a85f..86fd6e5ef 100644
|
|
--- a/unix/vncserver/selinux/vncsession.te
|
|
+++ b/unix/vncserver/selinux/vncsession.te
|
|
@@ -20,48 +20,61 @@
|
|
policy_module(vncsession, 1.0.0)
|
|
|
|
gen_require(`
|
|
- attribute userdomain;
|
|
- type xdm_home_t;
|
|
+ attribute userdomain;
|
|
+ type xdm_home_t;
|
|
')
|
|
|
|
-type vnc_session_exec_t;
|
|
-corecmd_executable_file(vnc_session_exec_t)
|
|
type vnc_session_t;
|
|
+type vnc_session_exec_t;
|
|
init_daemon_domain(vnc_session_t, vnc_session_exec_t)
|
|
-auth_login_pgm_domain(vnc_session_t)
|
|
+can_exec(vnc_session_t, vnc_session_exec_t)
|
|
|
|
type vnc_session_var_run_t;
|
|
files_pid_file(vnc_session_var_run_t)
|
|
-allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
|
|
-files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
|
|
-
|
|
-auth_write_login_records(vnc_session_t)
|
|
-
|
|
-can_exec(vnc_session_t, vnc_session_exec_t)
|
|
-
|
|
-userdom_spec_domtrans_all_users(vnc_session_t)
|
|
-userdom_signal_all_users(vnc_session_t)
|
|
|
|
allow vnc_session_t self:capability { chown dac_override dac_read_search fowner kill setgid setuid sys_resource };
|
|
allow vnc_session_t self:process { getcap setexec setrlimit setsched };
|
|
allow vnc_session_t self:fifo_file rw_fifo_file_perms;
|
|
|
|
+allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
|
|
+files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
|
|
+
|
|
manage_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
|
|
manage_fifo_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
|
|
manage_sock_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
|
|
manage_lnk_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
|
|
-userdom_user_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
|
|
-userdom_admin_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
|
|
-
|
|
-# This also affects other tools, e.g. vncpasswd
|
|
-userdom_admin_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
|
|
-userdom_user_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
|
|
-
|
|
-miscfiles_read_localization(vnc_session_t)
|
|
|
|
kernel_read_kernel_sysctls(vnc_session_t)
|
|
|
|
-logging_append_all_logs(vnc_session_t)
|
|
+corecmd_executable_file(vnc_session_exec_t)
|
|
|
|
mcs_process_set_categories(vnc_session_t)
|
|
mcs_killall(vnc_session_t)
|
|
+
|
|
+optional_policy(`
|
|
+ auth_login_pgm_domain(vnc_session_t)
|
|
+ auth_write_login_records(vnc_session_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ logging_append_all_logs(vnc_session_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ miscfiles_read_localization(vnc_session_t)
|
|
+')
|
|
+
|
|
+optional_policy(`
|
|
+ userdom_spec_domtrans_all_users(vnc_session_t)
|
|
+ userdom_signal_all_users(vnc_session_t)
|
|
+
|
|
+ userdom_user_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
|
|
+ userdom_admin_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
|
|
+
|
|
+ # This also affects other tools, e.g. vncpasswd
|
|
+ gen_require(`
|
|
+ attribute userdomain;
|
|
+ ')
|
|
+ userdom_admin_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
|
|
+ userdom_user_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
|
|
+')
|
|
From 3c8622691abfb377b48bf3749dd629c5a7120cf4 Mon Sep 17 00:00:00 2001
|
|
From: Zdenek Pytela <zpytela@redhat.com>
|
|
Date: Tue, 18 May 2021 13:39:11 +0200
|
|
Subject: [PATCH] Allow vnc_session_t manage nfs dirs and files conditionally
|
|
|
|
The permissions set to manage directories and files with the nfs_t type
|
|
is allowed when the use_nfs_home_dirs boolean is turned on.
|
|
|
|
Resolves: https://github.com/TigerVNC/tigervnc/issues/1189
|
|
---
|
|
unix/vncserver/selinux/vncsession.te | 5 +++++
|
|
1 file changed, 5 insertions(+)
|
|
|
|
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
|
|
index 86fd6e5ef..46e699117 100644
|
|
--- a/unix/vncserver/selinux/vncsession.te
|
|
+++ b/unix/vncserver/selinux/vncsession.te
|
|
@@ -51,6 +51,11 @@ corecmd_executable_file(vnc_session_exec_t)
|
|
mcs_process_set_categories(vnc_session_t)
|
|
mcs_killall(vnc_session_t)
|
|
|
|
+tunable_policy(`use_nfs_home_dirs',`
|
|
+ fs_manage_nfs_dirs(vnc_session_t)
|
|
+ fs_manage_nfs_files(vnc_session_t)
|
|
+')
|
|
+
|
|
optional_policy(`
|
|
auth_login_pgm_domain(vnc_session_t)
|
|
auth_write_login_records(vnc_session_t)
|
|
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
|
|
index 46e69911..f1108ec8 100644
|
|
--- a/unix/vncserver/selinux/vncsession.te
|
|
+++ b/unix/vncserver/selinux/vncsession.te
|
|
@@ -20,7 +20,6 @@
|
|
policy_module(vncsession, 1.0.0)
|
|
|
|
gen_require(`
|
|
- attribute userdomain;
|
|
type xdm_home_t;
|
|
')
|
|
|