From 7694f9b4aae475a7b5985e0e960e21c5869f64cf Mon Sep 17 00:00:00 2001
From: Pierre Ossman
Date: Thu, 19 Jul 2018 16:04:23 +0200
Subject: [PATCH] Add SELinux policy file for vncsession

Running as a service on a SELinux system requires rules so we can transition to our own context. We also need the proper permissions to start new user sessions.
---
 contrib/packages/rpm/el7/SPECS/tigervnc.spec | 43 ++++++++++++++-
 unix/vncserver/selinux/Makefile | 24 +++++++++
 unix/vncserver/selinux/vncsession.fc | 23 ++++++++
 unix/vncserver/selinux/vncsession.if | 1 +
 unix/vncserver/selinux/vncsession.te | 55 ++++++++++++++++++++
 unix/vncserver/vncserver@.service.in | 1 +
 6 files changed, 146 insertions(+), 1 deletion(-)
 create mode 100644 unix/vncserver/selinux/Makefile
 create mode 100644 unix/vncserver/selinux/vncsession.fc
 create mode 100644 unix/vncserver/selinux/vncsession.if
 create mode 100644 unix/vncserver/selinux/vncsession.te

diff --git a/contrib/packages/rpm/el7/SPECS/tigervnc.spec b/contrib/packages/rpm/el7/SPECS/tigervnc.spec
index 5ae3b2f7..c6c34d49 100644
--- a/contrib/packages/rpm/el7/SPECS/tigervnc.spec
+++ b/contrib/packages/rpm/el7/SPECS/tigervnc.spec
@@ -21,7 +21,7 @@ BuildRequires: mesa-libGL-devel, libXinerama-devel, ImageMagick
 BuildRequires: freetype-devel, libXdmcp-devel, libXfont2-devel
 BuildRequires: libXrandr-devel, fltk-devel >= 1.3.3
 BuildRequires: libjpeg-turbo-devel, gnutls-devel, pam-devel
-BuildRequires: systemd, cmake
+BuildRequires: systemd, cmake, selinux-policy-devel
 Requires(post): coreutils
 Requires(postun): coreutils
 
@@ -52,6 +52,7 @@ Provides: tightvnc-server = 1.5.0-0.15.20090204svn3586
 Obsoletes: tightvnc-server < 1.5.0-0.15.20090204svn3586
 Requires: perl
 Requires: tigervnc-server-minimal = %{version}-%{release}
+Requires: tigervnc-selinux = %{version}-%{release}
 Requires: xorg-x11-xauth
 Requires: xorg-x11-xinit
 Requires(post): systemd
@@ -115,6 +116,18 @@ BuildArch: noarch
 %description icons
 This package contains icons for TigerVNC viewer
 
+%package selinux
+Summary: SELinux module for TigerVNC
+BuildArch: noarch
+Requires(pre): libselinux-utils
+Requires(post): selinux-policy-base >= %{_selinux_policy_version}
+Requires(post): policycoreutils policycoreutils-python
+Requires(post): libselinux-utils
+
+%description selinux
+This package provides the SELinux policy module to ensure TigerVNC
+runs properly under an environment with SELinux enabled.
+
 %prep
 rm -rf $RPM_BUILD_ROOT
 %setup -q -n %{name}-%{version}%{?snap:-%{snap}}
@@ -174,6 +187,11 @@ pushd media
 make
 popd
 
+# SELinux
+pushd unix/vncserver/selinux
+make
+popd
+
 %install
 make install DESTDIR=$RPM_BUILD_ROOT
 
@@ -181,6 +199,10 @@ pushd unix/xserver/hw/vnc
 make install DESTDIR=$RPM_BUILD_ROOT
 popd
 
+pushd unix/vncserver/selinux
+make install DESTDIR=$RPM_BUILD_ROOT
+popd
+
 %find_lang %{name} %{name}.lang
 
 # remove unwanted files
@@ -208,6 +230,22 @@ if [ -x %{_bindir}/gtk-update-icon-cache ]; then
   %{_bindir}/gtk-update-icon-cache -q %{_datadir}/icons/hicolor || :
 fi
 
+%pre selinux
+%selinux_relabel_pre
+
+%post selinux
+%selinux_modules_install %{_datadir}/selinux/packages/vncsession.pp
+%selinux_relabel_post
+
+%posttrans selinux
+%selinux_relabel_post
+
+%postun selinux
+%selinux_modules_uninstall vncsession
+if [ $1 -eq 0 ]; then
+  %selinux_relabel_post
+fi
+
 %files -f %{name}.lang
 %defattr(-,root,root,-)
 %doc %{_docdir}/%{name}-%{version}/README.rst
@@ -253,6 +291,9 @@ fi
 %defattr(-,root,root,-)
 %{_datadir}/icons/hicolor/*/apps/*
 
+%files selinux
+%{_datadir}/selinux/packages/vncsession.pp
+
 %changelog
 * Mon Jan 14 2019 Pierre Ossman 1.9.80-4
 - Use system FLTK for build
diff --git a/unix/vncserver/selinux/Makefile b/unix/vncserver/selinux/Makefile
new file mode 100644
index 00000000..7497bf84
--- /dev/null
+++ b/unix/vncserver/selinux/Makefile
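Review bot: In the `@@ -208,6 +230,22 @@` hunk both `%post selinux` and `%posttrans selinux` call `%selinux_relabel_post`, so as far as I can tell a fresh install runs the relabel pass twice; one of the two should go, and keeping the `%posttrans` one (with `%pre selinux`/`%selinux_relabel_pre` as its counterpart) matches the usual scriptlet layout, leaving `%post selinux` as just `%selinux_modules_install %{_datadir}/selinux/packages/vncsession.pp`. The `%postun selinux` scriptlet also reaches semodule and restorecon through the macros, but the subpackage in the `@@ -115,6 +116,18 @@` hunk only declares `Requires(pre)` and `Requires(post)`; adding `Requires(postun): policycoreutils libselinux-utils` keeps those tools ordered for the erase path when they are removed in the same transaction.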
@@ -0,0 +1,24 @@
+# SELinux module for TigerVNC's vncsession
+#
+# This will install the policy module, but not load it. To apply
+# it you should also run:
+#
+# sudo semodule -i /usr/share/selinux/packages/vncsession.pp
+# sudo restorecon /usr/sbin/vncsession /usr/libexec/vncsession-start
+#
+
+PREFIX=/usr
+DATADIR=$(PREFIX)/share
+
+all: vncsession.pp
+
+%.pp: %.te
+	make -f $(DATADIR)/selinux/devel/Makefile $@
+
+clean:
+	rm -f *.pp
+	rm -rf tmp
+
+install: vncsession.pp
+	mkdir -p $(DESTDIR)$(DATADIR)/selinux/packages
+	install vncsession.pp $(DESTDIR)$(DATADIR)/selinux/packages/vncsession.pp
diff --git a/unix/vncserver/selinux/vncsession.fc b/unix/vncserver/selinux/vncsession.fc
new file mode 100644
index 00000000..97fa0753
--- /dev/null
+++ b/unix/vncserver/selinux/vncsession.fc
@@ -0,0 +1,23 @@
+#
+# Copyright 2018 Pierre Ossman for Cendio AB
+#
+# This is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This software is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this software; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+# USA.
+#
+
+/usr/sbin/vncsession -- gen_context(system_u:object_r:vnc_session_exec_t,s0)
+/usr/libexec/vncsession-start -- gen_context(system_u:object_r:vnc_session_exec_t,s0)
+
+/var/run/vncsession-:[0-9]*\.pid -- gen_context(system_u:object_r:vnc_session_var_run_t,s0)
diff --git a/unix/vncserver/selinux/vncsession.if b/unix/vncserver/selinux/vncsession.if
new file mode 100644
index 00000000..3eb6a305
--- /dev/null
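Review bot: The `install:` recipe copies the policy package with a bare `install`, whose default mode is 0755, so `vncsession.pp` lands under `$(DATADIR)/selinux/packages` as an executable file although it is only data read by semodule; the last line should be `	install -m 644 vncsession.pp $(DESTDIR)$(DATADIR)/selinux/packages/vncsession.pp`. The `%.pp: %.te` rule recurses with a literal `make` rather than `$(MAKE)`, which drops the parent's flags and jobserver; `	$(MAKE) -f $(DATADIR)/selinux/devel/Makefile $@` is the conventional form. Note also that `DATADIR` serves two roles here, the host path of the devel Makefile and the install prefix, which is fine for a native build but deserves a one-line comment above `DATADIR=` so nobody overrides it expecting only the destination to move.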
+++ b/unix/vncserver/selinux/vncsession.if
@@ -0,0 +1 @@
+##
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
new file mode 100644
index 00000000..30d9e594
--- /dev/null
+++ b/unix/vncserver/selinux/vncsession.te
@@ -0,0 +1,55 @@
+#
+# Copyright 2018-2020 Pierre Ossman for Cendio AB
+#
+# This is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This software is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this software; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+# USA.
+#
+
+policy_module(vncsession, 1.0.0);
+
+type vnc_session_exec_t;
+corecmd_executable_file(vnc_session_exec_t)
+type vnc_session_t;
+init_daemon_domain(vnc_session_t, vnc_session_exec_t)
+auth_login_pgm_domain(vnc_session_t)
+
+type vnc_session_var_run_t;
+files_pid_file(vnc_session_var_run_t)
+allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
+files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
+
+auth_write_login_records(vnc_session_t)
+
+userdom_spec_domtrans_all_users(vnc_session_t)
+userdom_signal_all_users(vnc_session_t)
+
+allow vnc_session_t self:capability { kill chown dac_override dac_read_search fowner setgid setuid sys_resource };
+allow vnc_session_t self:process { getcap setsched setexec setrlimit };
+allow vnc_session_t self:fifo_file rw_fifo_file_perms;
+
+miscfiles_read_localization(vnc_session_t)
+
+kernel_read_kernel_sysctls(vnc_session_t)
+
+logging_append_all_logs(vnc_session_t)
+
+mcs_process_set_categories(vnc_session_t)
+mcs_killall(vnc_session_t)
+
+# To create the log file in the user home directory
+allow vnc_session_t file_type:dir search_dir_perms;
+userdom_user_home_dir_filetrans_user_home_content(vnc_session_t, dir, ".vnc");
+userdom_manage_user_home_content_dirs(vnc_session_t);
+userdom_manage_user_home_content_files(vnc_session_t);
diff --git a/unix/vncserver/vncserver@.service.in b/unix/vncserver/vncserver@.service.in
index 36ad02d0..51c9a2c9 100644
--- a/unix/vncserver/vncserver@.service.in
+++ b/unix/vncserver/vncserver@.service.in
@@ -37,6 +37,7 @@ After=syslog.target network.target
 Type=forking
 ExecStart=/usr/libexec/vncsession-start %i
 PIDFile=/var/run/vncsession-%i.pid
+SELinuxContext=system_u:system_r:vnc_session_t:s0
 
 [Install]
 WantedBy=multi-user.target
-- 
2.39.5
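Review bot: `allow vnc_session_t file_type:dir search_dir_perms;` (just under the `# To create the log file …` comment) grants directory search across every file type on the system, far broader than the stated goal of reaching the user's home directory for the `.vnc` log; the refpolicy interface `userdom_search_user_home_dirs(vnc_session_t)` expresses that intent on its own, and if home directories on remote filesystems are what forced the blanket rule, the tunable-gated NFS/CIFS search interfaces cover that case without opening every label (worth confirming against the denials that motivated this line). The `self:capability` set a few lines earlier includes `dac_override` and `dac_read_search`, which let the domain bypass file permissions entirely; since the process already runs as root and hands off to the user's domain via `userdom_spec_domtrans_all_users`, a short comment recording which operation needs each capability would let a later audit prune the set, e.g. `# dac_override: <operation> — TODO confirm`. The trailing `;` after the last three interface calls is also inconsistent with the other interface lines in this file, which carry none.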
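Review bot: `SELinuxContext=system_u:system_r:vnc_session_t:s0` carries no `-` prefix, so on a host where SELinux is enabled but the vncsession module is not loaded (the Makefile added in this same patch notes that `make install` does not load it), systemd cannot set the context and the unit fails to start outright instead of falling back to the automatic transition that `init_daemon_domain(vnc_session_t, vnc_session_exec_t)` already provides. If failing closed is the intended property, say so in a comment directly above the line, e.g. `# Hard failure if the vncsession policy module is not loaded`; otherwise `SELinuxContext=-system_u:system_r:vnc_session_t:s0` makes it best-effort. The `[Service]` section this line belongs to begins outside the hunk.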