authorJan Grulich <jgrulich@redhat.com>2025-02-27 13:49:02 +0100
committerJan Grulich <jgrulich@redhat.com>2025-02-27 13:49:02 +0100
commit313200978926cc7b7521c0d645918391b7609681 (patch)
tree4e0fce072e96863ed95fa40803211af083d4b287
parent62c606d97312206f3dbe9122373e5b9b985ba57e (diff)
Add SELinux policy rules allowing to access /proc/sys/fs/nr_open
This is needed when the nofile limit is set to unlimited, otherwise we will fail to start a VNC session.
-rw-r--r--unix/vncserver/selinux/vncsession.te8
1 files changed, 8 insertions, 0 deletions
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
index 2f497170..4dbf687e 100644
--- a/unix/vncserver/selinux/vncsession.te
+++ b/unix/vncserver/selinux/vncsession.te
@@ -34,6 +34,14 @@ allow vnc_session_t self:capability { chown dac_override dac_read_search fowner
allow vnc_session_t self:process { getcap setexec setrlimit setsched };
allow vnc_session_t self:fifo_file rw_fifo_file_perms;
+optional_policy(`
+ gen_require(`
+ type sysctl_fs_t;
+ ')
+ allow vnc_session_t sysctl_fs_t:dir search;
+ allow vnc_session_t sysctl_fs_t:file { getattr open read };
+')
+
allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
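Review bot: The added block reaches for the raw `sysctl_fs_t` type through `gen_require` where the reference-policy kernel interface would do the same job; `kernel_read_fs_sysctls(vnc_session_t)` grants dir search and file read on /proc/sys/fs and, unlike this hunk, also grants search on the enclosing `sysctl_t` directory (/proc/sys) that the path to nr_open traverses — that search is needed unless it is already allowed elsewhere in vncsession.te, which is not visible here. The `optional_policy` wrapper is likewise unnecessary, since the sysctl types live in the base kernel module and are always present. Whichever form is kept, a why-comment such as `# /proc/sys/fs/nr_open is read when the nofile limit is unlimited` would carry the rationale from the commit message into the policy. Note that the grant is read access to every file under /proc/sys/fs, not only nr_open, because that directory carries a single type; that is the minimum SELinux granularity available without introducing a new label.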