mirrors
/
tigervnc
mirror of https://github.com/TigerVNC/tigervnc.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
							#
#  Copyright 2018-2020 Pierre Ossman for Cendio AB
#
#  This is free software; you can redistribute it and/or modify
#  it under the terms of the GNU General Public License as published by
#  the Free Software Foundation; either version 2 of the License, or
#  (at your option) any later version.
#
#  This software is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this software; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307,
#  USA.
#

policy_module(vncsession, 1.0.0)

type vnc_session_t;
type vnc_session_exec_t;
init_daemon_domain(vnc_session_t, vnc_session_exec_t)
can_exec(vnc_session_t, vnc_session_exec_t)

type vnc_session_var_run_t;
files_pid_file(vnc_session_var_run_t)

type vnc_home_t;
userdom_user_home_content(vnc_home_t)

allow vnc_session_t self:capability { chown dac_override dac_read_search fowner kill setgid setuid sys_resource };
allow vnc_session_t self:process { getcap setexec setrlimit setsched };
allow vnc_session_t self:fifo_file rw_fifo_file_perms;

allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)

# Allowed to create ~/.local
optional_policy(`
	gnome_filetrans_home_content(vnc_session_t)
')
optional_policy(`
	gen_require(`
		type gconf_home_t;
	')
	create_dirs_pattern(vnc_session_t, gconf_home_t, gconf_home_t)
')

# Manage TigerVNC files (mainly ~/.local/state/*.log)
create_dirs_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
manage_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
manage_fifo_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
manage_sock_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
manage_lnk_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t)

kernel_read_kernel_sysctls(vnc_session_t)

corecmd_executable_file(vnc_session_exec_t)

mcs_process_set_categories(vnc_session_t)
mcs_killall(vnc_session_t)

tunable_policy(`use_nfs_home_dirs',`
	fs_manage_nfs_dirs(vnc_session_t)
	fs_manage_nfs_files(vnc_session_t)
')

optional_policy(`
	auth_login_pgm_domain(vnc_session_t)
	auth_write_login_records(vnc_session_t)
')

optional_policy(`
	logging_append_all_logs(vnc_session_t)
')

optional_policy(`
	miscfiles_read_localization(vnc_session_t)
')

optional_policy(`
	userdom_spec_domtrans_all_users(vnc_session_t)
	userdom_signal_all_users(vnc_session_t)

	# Make sure legacy path has correct type
	gen_require(`
		attribute userdomain;
		type gconf_home_t;
	')
	userdom_admin_home_dir_filetrans(userdomain, vnc_home_t, dir, ".vnc")
	userdom_user_home_dir_filetrans(userdomain, vnc_home_t, dir, ".vnc")

	gnome_config_filetrans(userdomain, vnc_home_t, dir, "tigervnc")
	gnome_data_filetrans(userdomain, vnc_home_t, dir, "tigervnc")
	filetrans_pattern(userdomain, gconf_home_t, vnc_home_t, dir, "tigervnc")
	filetrans_pattern(vnc_session_t, gconf_home_t, vnc_home_t, dir, "tigervnc")
')