From 23cf514ac265a02dc666e8651dcc579022f0da77 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Tue, 18 May 2021 13:31:53 +0200
Subject: [PATCH] selinux: further style and comprehensibility improvements

Sections and rules blocks reordered according to the Style guide.
https://github.com/TresysTechnology/refpolicy/wiki/StyleGuide
---
 unix/vncserver/selinux/vncsession.te | 59 +++++++++++++++++-----------
 1 file changed, 36 insertions(+), 23 deletions(-)

diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
index 63ad8a85..86fd6e5e 100644
--- a/unix/vncserver/selinux/vncsession.te
+++ b/unix/vncserver/selinux/vncsession.te
@@ -20,48 +20,61 @@ policy_module(vncsession, 1.0.0)
 gen_require(`
-	attribute userdomain;
-	type xdm_home_t;
+	attribute userdomain;
+	type xdm_home_t;
 ')
 
-type vnc_session_exec_t;
-corecmd_executable_file(vnc_session_exec_t)
 type vnc_session_t;
+type vnc_session_exec_t;
 init_daemon_domain(vnc_session_t, vnc_session_exec_t)
-auth_login_pgm_domain(vnc_session_t)
+can_exec(vnc_session_t, vnc_session_exec_t)
 
 type vnc_session_var_run_t;
 files_pid_file(vnc_session_var_run_t)
-allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
-files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
-
-auth_write_login_records(vnc_session_t)
-
-can_exec(vnc_session_t, vnc_session_exec_t)
-
-userdom_spec_domtrans_all_users(vnc_session_t)
-userdom_signal_all_users(vnc_session_t)
 
 allow vnc_session_t self:capability { chown dac_override dac_read_search fowner kill setgid setuid sys_resource };
 allow vnc_session_t self:process { getcap setexec setrlimit setsched };
 allow vnc_session_t self:fifo_file rw_fifo_file_perms;
 
+allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
+files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
+
 manage_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
 manage_fifo_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
 manage_sock_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
 manage_lnk_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
-userdom_user_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
-userdom_admin_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
-
-# This also affects other tools, e.g. vncpasswd
-userdom_admin_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
-userdom_user_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
-
-miscfiles_read_localization(vnc_session_t)
 kernel_read_kernel_sysctls(vnc_session_t)
-logging_append_all_logs(vnc_session_t)
+corecmd_executable_file(vnc_session_exec_t)
 mcs_process_set_categories(vnc_session_t)
 mcs_killall(vnc_session_t)
+
+optional_policy(`
+	auth_login_pgm_domain(vnc_session_t)
+	auth_write_login_records(vnc_session_t)
+')
+
+optional_policy(`
+	logging_append_all_logs(vnc_session_t)
+')
+
+optional_policy(`
+	miscfiles_read_localization(vnc_session_t)
+')
+
+optional_policy(`
+	userdom_spec_domtrans_all_users(vnc_session_t)
+	userdom_signal_all_users(vnc_session_t)
+
+	userdom_user_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
+	userdom_admin_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
+
+	# This also affects other tools, e.g. vncpasswd
+	gen_require(`
+		attribute userdomain;
+	')
+	userdom_admin_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
+	userdom_user_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
+')
-- 
2.39.5
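Review bot: The file-level `gen_require` at the top of the hunk still carries `attribute userdomain;` while the new userdom `optional_policy` block adds a second `gen_require` for the same attribute, so the module hard-depends on userdomain regardless and the optional wrapper cannot actually make that dependency optional; either drop `attribute userdomain;` from the top-level block (leaving only `type xdm_home_t;`) or drop the nested require, but not both. Wrapping `auth_login_pgm_domain` and `auth_write_login_records` in `optional_policy` also means that on a policy where the authlogin interfaces are unavailable the session domain silently loses its login-program privileges at build time instead of failing the build loudly; since authlogin, logging and miscfiles are base modules in refpolicy this wrapping appears unnecessary, though it may be deliberate for the Fedora policy this file targets. A one-line comment above the auth block, e.g. `# login-program privileges are mandatory for vncsession, not optional`, would record that intent either way. The enclosing module continues outside this hunk.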