From 47d56c959d86bb297250547d81e895c0546fcd21 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Tue, 18 May 2021 13:49:09 +0200
Subject: [PATCH] Add vnc_home_t type

The new vnc_home_t type for HOME/.vnc directory was added to the policy, backed by a name transition. The vnc_session_t domain can manage files and directories of this type.
---
 unix/vncserver/selinux/vncsession.fc | 4 ++--
 unix/vncserver/selinux/vncsession.te | 24 +++++++++++-------------
 2 files changed, 13 insertions(+), 15 deletions(-)

diff --git a/unix/vncserver/selinux/vncsession.fc b/unix/vncserver/selinux/vncsession.fc
index ae768baa..6aaf4b1f 100644
--- a/unix/vncserver/selinux/vncsession.fc
+++ b/unix/vncserver/selinux/vncsession.fc
@@ -17,8 +17,8 @@
 # USA.
 #
-HOME_DIR/\.vnc(/.*)? gen_context(system_u:object_r:xdm_home_t,s0)
-HOME_ROOT/\.vnc(/.*)? gen_context(system_u:object_r:xdm_home_t,s0)
+HOME_DIR/\.vnc(/.*)? gen_context(system_u:object_r:vnc_home_t,s0)
+HOME_ROOT/\.vnc(/.*)? gen_context(system_u:object_r:vnc_home_t,s0)
 /usr/sbin/vncsession -- gen_context(system_u:object_r:vnc_session_exec_t,s0)
 /usr/libexec/vncsession-start -- gen_context(system_u:object_r:vnc_session_exec_t,s0)
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
index 46e69911..fb966c14 100644
--- a/unix/vncserver/selinux/vncsession.te
+++ b/unix/vncserver/selinux/vncsession.te
@@ -19,11 +19,6 @@
 policy_module(vncsession, 1.0.0)
-gen_require(`
- attribute userdomain;
- type xdm_home_t;
-')
-
 type vnc_session_t;
 type vnc_session_exec_t;
 init_daemon_domain(vnc_session_t, vnc_session_exec_t)
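Review bot: Changing the HOME_DIR/HOME_ROOT `.vnc` contexts from xdm_home_t to vnc_home_t only affects files that actually get relabeled; existing ~/.vnc trees on already-provisioned accounts keep xdm_home_t, and since the .te hunks drop every xdm_home_t rule for vnc_session_t, those sessions will be denied access to their own ~/.vnc contents until `restorecon -R` is run on them or a full relabel happens. Unless the packaging already triggers a relabel on policy upgrade, this deserves a sentence in the commit message and a post-install/upgrade step. A quick sanity check on an upgraded host is that `ls -Z ~/.vnc` reports vnc_home_t.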
@@ -32,6 +27,9 @@ can_exec(vnc_session_t, vnc_session_exec_t)
 type vnc_session_var_run_t;
 files_pid_file(vnc_session_var_run_t)
+type vnc_home_t;
+userdom_user_home_content(vnc_home_t)
+
 allow vnc_session_t self:capability { chown dac_override dac_read_search fowner kill setgid setuid sys_resource };
 allow vnc_session_t self:process { getcap setexec setrlimit setsched };
 allow vnc_session_t self:fifo_file rw_fifo_file_perms;
@@ -39,10 +37,10 @@ allow vnc_session_t self:fifo_file rw_fifo_file_perms;
 allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
 files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
-manage_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
-manage_fifo_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
-manage_sock_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
-manage_lnk_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
+manage_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
+manage_fifo_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
+manage_sock_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
+manage_lnk_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
 kernel_read_kernel_sysctls(vnc_session_t)
@@ -73,13 +71,13 @@ optional_policy(`
 userdom_spec_domtrans_all_users(vnc_session_t)
 userdom_signal_all_users(vnc_session_t)
- userdom_user_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
- userdom_admin_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
+ userdom_user_home_dir_filetrans(vnc_session_t, vnc_home_t, dir, ".vnc")
+ userdom_admin_home_dir_filetrans(vnc_session_t, vnc_home_t, dir, ".vnc")
 # This also affects other tools, e.g. vncpasswd
 gen_require(`
 attribute userdomain;
 ')
- userdom_admin_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
- userdom_user_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
+ userdom_admin_home_dir_filetrans(userdomain, vnc_home_t, dir, ".vnc")
+ userdom_user_home_dir_filetrans(userdomain, vnc_home_t, dir, ".vnc")
 ')
--
2.39.5
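Review bot: The new `type vnc_home_t;` declaration carries no comment saying why it is registered with userdom_user_home_content rather than as a private daemon-owned type; a reader only pieces that together from the vncpasswd remark in the last hunk. Registering it as user home content appears to let every user domain manage the type, which is presumably intended because users write into ~/.vnc themselves, but that choice is worth stating where the type is declared. A comment above the declaration such as `# ~/.vnc is user-managed content (users and tools such as vncpasswd write it),` `# so it is a user home content type; vnc_session_t gets explicit manage rules below` would make the intent clear.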
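Review bot: The rewritten rules grant vnc_session_t only file, fifo, sock and lnk management on vnc_home_t; no dir rule appears in this hunk, so unless a manage_dirs_pattern for vnc_home_t exists outside it, the domain cannot create the ~/.vnc directory itself even though the name transition in the following hunk is set up for exactly that and the commit message says directories are managed. The old xdm_home_t rules had the same shape, so directory creation may have been covered by an interface elsewhere in the file; if not, adding `manage_dirs_pattern(vnc_session_t, vnc_home_t, vnc_home_t)` next to the file rule closes the gap. Confirming this with a first login on a fresh account and a look at the audit log for vnc_home_t dir denials would settle it.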