Add vnc_home_t type
authorZdenek Pytela <zpytela@redhat.com>
Tue, 18 May 2021 11:49:09 +0000 (13:49 +0200)
committerZdenek Pytela <zpytela@redhat.com>
Tue, 18 May 2021 15:32:22 +0000 (17:32 +0200)
A new vnc_home_t type for the $HOME/.vnc directory was added to the policy,
backed by a filename transition from the user and admin home directory types.
The vnc_session_t domain can manage files and directories of this type.

unix/vncserver/selinux/vncsession.fc
unix/vncserver/selinux/vncsession.te

index ae768baa4f002c1ab855de6b31a523d15c1aac35..6aaf4b1f4d296d0a891476a91cf6e59d8ca2d03f 100644 (file)
@@ -17,8 +17,8 @@
 #  USA.
 #
 
-HOME_DIR/\.vnc(/.*)?      gen_context(system_u:object_r:xdm_home_t,s0)
-HOME_ROOT/\.vnc(/.*)?      gen_context(system_u:object_r:xdm_home_t,s0)
+HOME_DIR/\.vnc(/.*)?      gen_context(system_u:object_r:vnc_home_t,s0)
+HOME_ROOT/\.vnc(/.*)?      gen_context(system_u:object_r:vnc_home_t,s0)
 
 /usr/sbin/vncsession                   --      gen_context(system_u:object_r:vnc_session_exec_t,s0)
 /usr/libexec/vncsession-start          --      gen_context(system_u:object_r:vnc_session_exec_t,s0)
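Review bot: The relabel of `HOME_DIR/\.vnc(/.*)?` and `HOME_ROOT/\.vnc(/.*)?` from xdm_home_t to vnc_home_t only affects directories that are relabeled after the policy is loaded; an existing ~/.vnc that still carries xdm_home_t is, as far as the companion .te hunks show, no longer managed by vnc_session_t once the xdm_home_t patterns are dropped, so sessions on upgraded hosts may start failing with AVC denials. Unless a post-install step runs restorecon over home directories (not visible in this diff), that caveat should be recorded here, e.g. `# Existing ~/.vnc directories keep xdm_home_t until relabeled (restorecon -R ~/.vnc)`, or in the commit message. Both patterns use the same regex, so the .vnc subtree in both regular and root home directories is covered consistently.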
index 46e699117f33c96488682a7f03412ad2d63fd7e8..fb966c14bd879f82fbda1c6e9581692b574307f3 100644 (file)
 
 policy_module(vncsession, 1.0.0)
 
-gen_require(`
-       attribute userdomain;
-       type xdm_home_t;
-')
-
 type vnc_session_t;
 type vnc_session_exec_t;
 init_daemon_domain(vnc_session_t, vnc_session_exec_t)
@@ -32,6 +27,9 @@ can_exec(vnc_session_t, vnc_session_exec_t)
 type vnc_session_var_run_t;
 files_pid_file(vnc_session_var_run_t)
 
+type vnc_home_t;
+userdom_user_home_content(vnc_home_t)
+
 allow vnc_session_t self:capability { chown dac_override dac_read_search fowner kill setgid setuid sys_resource };
 allow vnc_session_t self:process { getcap setexec setrlimit setsched };
 allow vnc_session_t self:fifo_file rw_fifo_file_perms;
@@ -39,10 +37,10 @@ allow vnc_session_t self:fifo_file rw_fifo_file_perms;
 allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
 files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
 
-manage_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
-manage_fifo_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
-manage_sock_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
-manage_lnk_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
+manage_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
+manage_fifo_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
+manage_sock_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
+manage_lnk_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
 
 kernel_read_kernel_sysctls(vnc_session_t)
 
@@ -73,13 +71,13 @@ optional_policy(`
        userdom_spec_domtrans_all_users(vnc_session_t)
        userdom_signal_all_users(vnc_session_t)
 
-       userdom_user_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
-       userdom_admin_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
+       userdom_user_home_dir_filetrans(vnc_session_t, vnc_home_t, dir, ".vnc")
+       userdom_admin_home_dir_filetrans(vnc_session_t, vnc_home_t, dir, ".vnc")
 
        # This also affects other tools, e.g. vncpasswd
        gen_require(`
                attribute userdomain;
        ')
-       userdom_admin_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
-       userdom_user_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
+       userdom_admin_home_dir_filetrans(userdomain, vnc_home_t, dir, ".vnc")
+       userdom_user_home_dir_filetrans(userdomain, vnc_home_t, dir, ".vnc")
 ')
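Review bot: The new rules at `manage_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t)` and the three lines below it cover files, fifos, sockets and symlinks, but no `manage_dirs_pattern` (or `create_dirs_pattern`) on vnc_home_t is granted, and the `userdom_user_home_dir_filetrans` / `userdom_admin_home_dir_filetrans` calls, going by refpolicy's filetrans_pattern, only add the type_transition plus rw_dir_perms on the parent home directory, not create on the new vnc_home_t directory. If vnc_session_t is expected to create ~/.vnc itself, as the description's "files and directories" wording suggests, add `manage_dirs_pattern(vnc_session_t, vnc_home_t, vnc_home_t)` beside the existing patterns; if the directory is always created by the user (vncpasswd runs in a userdomain), narrow the description instead. The same gap existed with xdm_home_t, so this is not a regression, but introducing a dedicated type is the right moment to settle it. Note that the first hunk of this file is shown without its `@@` header, and the `optional_policy` block in the last hunk begins outside the hunk.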