From 7b691ef81e49d49f7c02b1c4c5b745c8f2e805a7 Mon Sep 17 00:00:00 2001
From: Lukas Vrabec
Date: Wed, 6 May 2020 10:55:29 +0200
Subject: [PATCH] [SELinux] Allow vnc_session_t type execute itself

vncsession-start is running in SELinux vnc_session_t domain because of "SELinuxContext=system_u:system_r:vnc_session_t:s0" option in systemd vncserver@.service unit file. vncsession-start executing binary vncsession with SELinux label/type vnc_session_t. This access was not allowed in vncsession policy.
---
 unix/vncserver/selinux/vncsession.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
index 30d9e594..734f6630 100644
--- a/unix/vncserver/selinux/vncsession.te
+++ b/unix/vncserver/selinux/vncsession.te
@@ -32,6 +32,8 @@ files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
 auth_write_login_records(vnc_session_t)
+can_exec(vnc_session_t, vnc_session_exec_t)
+
 userdom_spec_domtrans_all_users(vnc_session_t)
 userdom_signal_all_users(vnc_session_t)
-- 
2.39.5
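Review bot: The added `can_exec(vnc_session_t, vnc_session_exec_t)` rule has no comment, so the reason this domain may execute its own entrypoint type without a domain transition is recorded only in the commit message. I would put `# vncsession-start already runs in vnc_session_t (SELinuxContext= in vncserver@.service) and execs vncsession, presumably also labelled vnc_session_exec_t` directly above it. The description says the binary carries "label/type vnc_session_t", which is probably meant to be the file type vnc_session_exec_t; confirming that against the .fc file would make the rule's target unambiguous. The grant stays narrow only while vnc_session_t cannot write or relabel vnc_session_exec_t files, which this hunk does not show and is worth checking in the rest of the policy.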