- #
- # Copyright 2018-2020 Pierre Ossman for Cendio AB
- #
- # This is free software; you can redistribute it and/or modify
- # it under the terms of the GNU General Public License as published by
- # the Free Software Foundation; either version 2 of the License, or
- # (at your option) any later version.
- #
- # This software is distributed in the hope that it will be useful,
- # but WITHOUT ANY WARRANTY; without even the implied warranty of
- # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- # GNU General Public License for more details.
- #
- # You should have received a copy of the GNU General Public License
- # along with this software; if not, write to the Free Software
- # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
- # USA.
- #
-
- policy_module(vncsession, 1.0.0)
-
- type vnc_session_t;
- type vnc_session_exec_t;
- init_daemon_domain(vnc_session_t, vnc_session_exec_t)
- can_exec(vnc_session_t, vnc_session_exec_t)
-
- type vnc_session_var_run_t;
- files_pid_file(vnc_session_var_run_t)
-
- type vnc_home_t;
- userdom_user_home_content(vnc_home_t)
-
- allow vnc_session_t self:capability { chown dac_override dac_read_search fowner kill setgid setuid sys_resource };
- allow vnc_session_t self:process { getcap setexec setrlimit setsched };
- allow vnc_session_t self:fifo_file rw_fifo_file_perms;
-
- allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
- files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
-
- create_dirs_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
- manage_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
- manage_fifo_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
- manage_sock_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
- manage_lnk_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
-
- kernel_read_kernel_sysctls(vnc_session_t)
-
- corecmd_executable_file(vnc_session_exec_t)
-
- mcs_process_set_categories(vnc_session_t)
- mcs_killall(vnc_session_t)
-
- tunable_policy(`use_nfs_home_dirs',`
- fs_manage_nfs_dirs(vnc_session_t)
- fs_manage_nfs_files(vnc_session_t)
- ')
-
- optional_policy(`
- auth_login_pgm_domain(vnc_session_t)
- auth_write_login_records(vnc_session_t)
- ')
-
- optional_policy(`
- logging_append_all_logs(vnc_session_t)
- ')
-
- optional_policy(`
- miscfiles_read_localization(vnc_session_t)
- ')
-
- optional_policy(`
- userdom_spec_domtrans_all_users(vnc_session_t)
- userdom_signal_all_users(vnc_session_t)
-
- userdom_user_home_dir_filetrans(vnc_session_t, vnc_home_t, dir, ".vnc")
- userdom_admin_home_dir_filetrans(vnc_session_t, vnc_home_t, dir, ".vnc")
-
- # This also affects other tools, e.g. vncpasswd
- gen_require(`
- attribute userdomain;
- ')
- userdom_admin_home_dir_filetrans(userdomain, vnc_home_t, dir, ".vnc")
- userdom_user_home_dir_filetrans(userdomain, vnc_home_t, dir, ".vnc")
- ')