Add SELinux policy file for vncsession
authorPierre Ossman <ossman@cendio.se>
Thu, 19 Jul 2018 14:04:23 +0000 (16:04 +0200)
committerPierre Ossman <ossman@cendio.se>
Thu, 12 Mar 2020 11:03:32 +0000 (12:03 +0100)
Running as a service on a SELinux system requires rules so we can
transition to our own context. We also need the proper permissions
to start new user sessions.

contrib/packages/rpm/el7/SPECS/tigervnc.spec
unix/vncserver/selinux/Makefile [new file with mode: 0644]
unix/vncserver/selinux/vncsession.fc [new file with mode: 0644]
unix/vncserver/selinux/vncsession.if [new file with mode: 0644]
unix/vncserver/selinux/vncsession.te [new file with mode: 0644]
unix/vncserver/vncserver@.service.in

index 5ae3b2f7ae7a4a76ffa1d2a86d0181a8e48f738c..c6c34d490a53b0ac5f0302444f0a798d6e674629 100644 (file)
@@ -21,7 +21,7 @@ BuildRequires:  mesa-libGL-devel, libXinerama-devel, ImageMagick
 BuildRequires:  freetype-devel, libXdmcp-devel, libXfont2-devel
 BuildRequires:  libXrandr-devel, fltk-devel >= 1.3.3
 BuildRequires:  libjpeg-turbo-devel, gnutls-devel, pam-devel
-BuildRequires:  systemd, cmake
+BuildRequires:  systemd, cmake, selinux-policy-devel
 
 Requires(post):   coreutils
 Requires(postun): coreutils
@@ -52,6 +52,7 @@ Provides:       tightvnc-server = 1.5.0-0.15.20090204svn3586
 Obsoletes:      tightvnc-server < 1.5.0-0.15.20090204svn3586
 Requires:       perl
 Requires:       tigervnc-server-minimal = %{version}-%{release}
+Requires:       tigervnc-selinux = %{version}-%{release}
 Requires:       xorg-x11-xauth
 Requires:       xorg-x11-xinit
 Requires(post):   systemd
@@ -115,6 +116,18 @@ BuildArch:      noarch
 %description icons
 This package contains icons for TigerVNC viewer
 
+%package selinux
+Summary:        SELinux module for TigerVNC
+BuildArch:      noarch
+Requires(pre):  libselinux-utils
+Requires(post): selinux-policy-base >= %{_selinux_policy_version}
+Requires(post): policycoreutils policycoreutils-python
+Requires(post): libselinux-utils
+
+%description selinux
+This package provides the SELinux policy module to ensure TigerVNC
+runs properly under an environment with SELinux enabled.
+
 %prep
 rm -rf $RPM_BUILD_ROOT
 %setup -q -n %{name}-%{version}%{?snap:-%{snap}}
@@ -174,6 +187,11 @@ pushd media
 make
 popd
 
+# SELinux
+pushd unix/vncserver/selinux
+make
+popd
+
 %install
 make install DESTDIR=$RPM_BUILD_ROOT
 
@@ -181,6 +199,10 @@ pushd unix/xserver/hw/vnc
 make install DESTDIR=$RPM_BUILD_ROOT
 popd
 
+pushd unix/vncserver/selinux
+make install DESTDIR=$RPM_BUILD_ROOT
+popd
+
 %find_lang %{name} %{name}.lang
 
 # remove unwanted files
@@ -208,6 +230,22 @@ if [ -x %{_bindir}/gtk-update-icon-cache ]; then
         %{_bindir}/gtk-update-icon-cache -q %{_datadir}/icons/hicolor || :
 fi
 
+%pre selinux
+%selinux_relabel_pre
+
+%post selinux
+%selinux_modules_install %{_datadir}/selinux/packages/vncsession.pp
+%selinux_relabel_post
+
+%posttrans selinux
+%selinux_relabel_post
+
+%postun selinux
+%selinux_modules_uninstall vncsession
+if [ $1 -eq 0 ]; then
+    %selinux_relabel_post
+fi
+
 %files -f %{name}.lang
 %defattr(-,root,root,-)
 %doc %{_docdir}/%{name}-%{version}/README.rst
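Review bot: `%selinux_relabel_post` runs twice on a fresh install of the selinux subpackage, once in `%post selinux` and again in `%posttrans selinux`; the usual SELinux independent-policy packaging pattern keeps the relabel only in `%posttrans`, where every file of the transaction is already on disk, so `%post selinux` can be reduced to the single `%selinux_modules_install %{_datadir}/selinux/packages/vncsession.pp` line. In `%postun selinux` the `if [ $1 -eq 0 ]` guard wraps only the relabel while `%selinux_modules_uninstall vncsession` sits outside it; as far as I recall the macro carries its own `$1` check in the selinux-policy macros, but that is worth confirming against the EL7 definition, since otherwise an upgrade would unload the module that the new package's `%post` has just installed.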
@@ -253,6 +291,9 @@ fi
 %defattr(-,root,root,-)
 %{_datadir}/icons/hicolor/*/apps/*
 
+%files selinux
+%{_datadir}/selinux/packages/vncsession.pp
+
 %changelog
 * Mon Jan 14 2019 Pierre Ossman <ossman@cendio.se> 1.9.80-4
 - Use system FLTK for build
diff --git a/unix/vncserver/selinux/Makefile b/unix/vncserver/selinux/Makefile
new file mode 100644 (file)
index 0000000..7497bf8
--- /dev/null
@@ -0,0 +1,24 @@
+# SELinux module for TigerVNC's vncsession
+#
+# This will install the policy module, but not load it. To apply
+# it you should also run:
+#
+#     sudo semodule -i /usr/share/selinux/packages/vncsession.pp
+#     sudo restorecon /usr/sbin/vncsession /usr/libexec/vncsession-start
+#
+
+PREFIX=/usr
+DATADIR=$(PREFIX)/share
+
+all: vncsession.pp
+
+%.pp: %.te
+       make -f $(DATADIR)/selinux/devel/Makefile $@
+
+clean:
+       rm -f *.pp
+       rm -rf tmp
+
+install: vncsession.pp
+       mkdir -p $(DESTDIR)$(DATADIR)/selinux/packages
+       install vncsession.pp $(DESTDIR)$(DATADIR)/selinux/packages/vncsession.pp
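Review bot: `install vncsession.pp ...` on the last line uses install's default mode 0755, so the compiled policy blob is installed executable; `install -m 0644 vncsession.pp $(DESTDIR)$(DATADIR)/selinux/packages/vncsession.pp` gives it the data-file mode other policy packages use. The `%.pp: %.te` rule also lists only the .te as a prerequisite and calls `make` directly, so edits to vncsession.fc or vncsession.if never trigger a rebuild and recursive-make flags are not propagated; `%.pp: %.te %.fc %.if` with `$(MAKE) -f $(DATADIR)/selinux/devel/Makefile $@` addresses both.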
diff --git a/unix/vncserver/selinux/vncsession.fc b/unix/vncserver/selinux/vncsession.fc
new file mode 100644 (file)
index 0000000..97fa075
--- /dev/null
@@ -0,0 +1,23 @@
+#
+#  Copyright 2018 Pierre Ossman for Cendio AB
+#
+#  This is free software; you can redistribute it and/or modify
+#  it under the terms of the GNU General Public License as published by
+#  the Free Software Foundation; either version 2 of the License, or
+#  (at your option) any later version.
+#
+#  This software is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#  GNU General Public License for more details.
+#
+#  You should have received a copy of the GNU General Public License
+#  along with this software; if not, write to the Free Software
+#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307,
+#  USA.
+#
+
+/usr/sbin/vncsession                   --      gen_context(system_u:object_r:vnc_session_exec_t,s0)
+/usr/libexec/vncsession-start          --      gen_context(system_u:object_r:vnc_session_exec_t,s0)
+
+/var/run/vncsession-:[0-9]*\.pid       --      gen_context(system_u:object_r:vnc_session_var_run_t,s0)
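Review bot: The pid-file entry on the last line is written under `/var/run`, but on targeted policies where `/var/run` is an equivalence alias for `/run` (file_contexts.subs_dist) the path being labelled is rewritten to `/run/...` before the regex match, so a `restorecon` of the pid file may never hit this entry; `/run/vncsession-:[0-9]*\.pid` is the form the base policy expects, assuming the host policy carries that alias, which is worth checking on EL7. At runtime the label should still be applied by the `files_pid_filetrans` rule in vncsession.te, so the mismatch would only show up as a relabel gap. `[0-9]*` also accepts zero digits after the colon; `[0-9]+` pins an actual display number, matching the `vncsession-%i.pid` the unit file passes as PIDFile.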
diff --git a/unix/vncserver/selinux/vncsession.if b/unix/vncserver/selinux/vncsession.if
new file mode 100644 (file)
index 0000000..3eb6a30
--- /dev/null
@@ -0,0 +1 @@
+## <summary></summary>
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
new file mode 100644 (file)
index 0000000..30d9e59
--- /dev/null
@@ -0,0 +1,55 @@
+#
+#  Copyright 2018-2020 Pierre Ossman for Cendio AB
+#
+#  This is free software; you can redistribute it and/or modify
+#  it under the terms of the GNU General Public License as published by
+#  the Free Software Foundation; either version 2 of the License, or
+#  (at your option) any later version.
+#
+#  This software is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#  GNU General Public License for more details.
+#
+#  You should have received a copy of the GNU General Public License
+#  along with this software; if not, write to the Free Software
+#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307,
+#  USA.
+#
+
+policy_module(vncsession, 1.0.0);
+
+type vnc_session_exec_t;
+corecmd_executable_file(vnc_session_exec_t)
+type vnc_session_t;
+init_daemon_domain(vnc_session_t, vnc_session_exec_t)
+auth_login_pgm_domain(vnc_session_t)
+
+type vnc_session_var_run_t;
+files_pid_file(vnc_session_var_run_t)
+allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
+files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
+
+auth_write_login_records(vnc_session_t)
+
+userdom_spec_domtrans_all_users(vnc_session_t)
+userdom_signal_all_users(vnc_session_t)
+
+allow vnc_session_t self:capability { kill chown dac_override dac_read_search fowner setgid setuid sys_resource };
+allow vnc_session_t self:process { getcap setsched setexec setrlimit };
+allow vnc_session_t self:fifo_file rw_fifo_file_perms;
+
+miscfiles_read_localization(vnc_session_t)
+
+kernel_read_kernel_sysctls(vnc_session_t)
+
+logging_append_all_logs(vnc_session_t)
+
+mcs_process_set_categories(vnc_session_t)
+mcs_killall(vnc_session_t)
+
+# To create the log file in the user home directory
+allow vnc_session_t file_type:dir search_dir_perms;
+userdom_user_home_dir_filetrans_user_home_content(vnc_session_t, dir, ".vnc");
+userdom_manage_user_home_content_dirs(vnc_session_t);
+userdom_manage_user_home_content_files(vnc_session_t);
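Review bot: `allow vnc_session_t file_type:dir search_dir_perms;` grants directory search across every file type in the system, far wider than the stated purpose of reaching the user's home directory; if traversal to home directories is all that is needed, `userdom_search_user_home_dirs(vnc_session_t)` (plus the matching fs_* interface if NFS or automounted homes must be supported) is the narrower grant, and if the blanket rule really is required, the refpolicy interface `files_search_all(vnc_session_t)` states that intent explicitly instead of a raw allow on the attribute. In the capability line, `dac_override` is rarely needed alongside `dac_read_search` for a root domain that owns the files it creates; if it was added for a specific denial, a comment naming the operation would keep the capability list reviewable. The trailing semicolons after the last four interface calls and after `policy_module` differ from the rest of the file, which follows refpolicy style with none; pick one form.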
index 36ad02d0828adf00a7ebd0604601e65ecd6fc7fd..51c9a2c9da538e9804f47416ac3a12af151cd185 100644 (file)
@@ -37,6 +37,7 @@ After=syslog.target network.target
 Type=forking
 ExecStart=/usr/libexec/vncsession-start %i
 PIDFile=/var/run/vncsession-%i.pid
+SELinuxContext=system_u:system_r:vnc_session_t:s0
 
 [Install]
 WantedBy=multi-user.target
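Review bot: `SELinuxContext=` on the new line makes the unit fail to start on an enforcing host where the vncsession module is not loaded, because, as far as I know, setting an undefined type is rejected before the exec; the spec ties tigervnc-server to tigervnc-selinux so RPM installs are covered, but a source build that skips the `semodule -i` step described in the selinux Makefile will hit this with an unhelpful error. A comment above the line, `# Requires the vncsession SELinux module (unix/vncserver/selinux) to be loaded when SELinux is enabled`, records the dependency in the file where the failure surfaces. systemd also accepts a `-` prefix (`SELinuxContext=-system_u:system_r:vnc_session_t:s0`) to ignore the failure and fall back to the automatic transition, but without the module that likely leaves the service running in the init domain unnoticed, so the hard failure is arguably the safer default and just needs documenting.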