authorPierre Ossman <ossman@cendio.se>2018-07-19 16:04:23 +0200
committerPierre Ossman <ossman@cendio.se>2020-03-12 12:03:32 +0100
commit7694f9b4aae475a7b5985e0e960e21c5869f64cf (patch)
tree41329d30ccdd3bee4ac5fa579feb93607762dcaf
parent1af1cfdf8709dd1a5574efa19fb4f0e68a98021e (diff)
downloadtigervnc-7694f9b4aae475a7b5985e0e960e21c5869f64cf.tar.gz
tigervnc-7694f9b4aae475a7b5985e0e960e21c5869f64cf.zip
Add SELinux policy file for vncsession
Running as a service on a SELinux system requires rules so we can transition to our own context. We also need the proper permissions to start new user sessions.
-rw-r--r--contrib/packages/rpm/el7/SPECS/tigervnc.spec43
-rw-r--r--unix/vncserver/selinux/Makefile24
-rw-r--r--unix/vncserver/selinux/vncsession.fc23
-rw-r--r--unix/vncserver/selinux/vncsession.if1
-rw-r--r--unix/vncserver/selinux/vncsession.te55
-rw-r--r--unix/vncserver/vncserver@.service.in1
6 files changed, 146 insertions, 1 deletions
diff --git a/contrib/packages/rpm/el7/SPECS/tigervnc.spec b/contrib/packages/rpm/el7/SPECS/tigervnc.spec
index 5ae3b2f7..c6c34d49 100644
--- a/contrib/packages/rpm/el7/SPECS/tigervnc.spec
+++ b/contrib/packages/rpm/el7/SPECS/tigervnc.spec
@@ -21,7 +21,7 @@ BuildRequires: mesa-libGL-devel, libXinerama-devel, ImageMagick
BuildRequires: freetype-devel, libXdmcp-devel, libXfont2-devel
BuildRequires: libXrandr-devel, fltk-devel >= 1.3.3
BuildRequires: libjpeg-turbo-devel, gnutls-devel, pam-devel
-BuildRequires: systemd, cmake
+BuildRequires: systemd, cmake, selinux-policy-devel
Requires(post): coreutils
Requires(postun): coreutils
@@ -52,6 +52,7 @@ Provides: tightvnc-server = 1.5.0-0.15.20090204svn3586
Obsoletes: tightvnc-server < 1.5.0-0.15.20090204svn3586
Requires: perl
Requires: tigervnc-server-minimal = %{version}-%{release}
+Requires: tigervnc-selinux = %{version}-%{release}
Requires: xorg-x11-xauth
Requires: xorg-x11-xinit
Requires(post): systemd
@@ -115,6 +116,18 @@ BuildArch: noarch
%description icons
This package contains icons for TigerVNC viewer
+%package selinux
+Summary: SELinux module for TigerVNC
+BuildArch: noarch
+Requires(pre): libselinux-utils
+Requires(post): selinux-policy-base >= %{_selinux_policy_version}
+Requires(post): policycoreutils policycoreutils-python
+Requires(post): libselinux-utils
+
+%description selinux
+This package provides the SELinux policy module to ensure TigerVNC
+runs properly under an environment with SELinux enabled.
+
%prep
rm -rf $RPM_BUILD_ROOT
%setup -q -n %{name}-%{version}%{?snap:-%{snap}}
@@ -174,6 +187,11 @@ pushd media
make
popd
+# SELinux
+pushd unix/vncserver/selinux
+make
+popd
+
%install
make install DESTDIR=$RPM_BUILD_ROOT
@@ -181,6 +199,10 @@ pushd unix/xserver/hw/vnc
make install DESTDIR=$RPM_BUILD_ROOT
popd
+pushd unix/vncserver/selinux
+make install DESTDIR=$RPM_BUILD_ROOT
+popd
+
%find_lang %{name} %{name}.lang
# remove unwanted files
@@ -208,6 +230,22 @@ if [ -x %{_bindir}/gtk-update-icon-cache ]; then
%{_bindir}/gtk-update-icon-cache -q %{_datadir}/icons/hicolor || :
fi
+%pre selinux
+%selinux_relabel_pre
+
+%post selinux
+%selinux_modules_install %{_datadir}/selinux/packages/vncsession.pp
+%selinux_relabel_post
+
+%posttrans selinux
+%selinux_relabel_post
+
+%postun selinux
+%selinux_modules_uninstall vncsession
+if [ $1 -eq 0 ]; then
+ %selinux_relabel_post
+fi
+
%files -f %{name}.lang
%defattr(-,root,root,-)
%doc %{_docdir}/%{name}-%{version}/README.rst
@@ -253,6 +291,9 @@ fi
%defattr(-,root,root,-)
%{_datadir}/icons/hicolor/*/apps/*
+%files selinux
+%{_datadir}/selinux/packages/vncsession.pp
+
%changelog
* Mon Jan 14 2019 Pierre Ossman <ossman@cendio.se> 1.9.80-4
- Use system FLTK for build
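Review bot: The `%postun selinux` scriptlet removes the policy module unconditionally, but on an upgrade RPM runs the new package's `%post` (which installs the module) before the old package's `%postun`, so `%selinux_modules_uninstall vncsession` would strip the module that was just installed; only the relabel is guarded by `$1 -eq 0`. Move the uninstall inside the guard: `if [ $1 -eq 0 ]; then` / `%selinux_modules_uninstall vncsession` / `%selinux_relabel_post` / `fi`. The `%post selinux` scriptlet also calls `%selinux_relabel_post`, which `%posttrans selinux` repeats, so a full relabel of the listed paths runs twice on every install; dropping the call in `%post` follows the usual install/posttrans split. `%{_selinux_policy_version}` on the `Requires(post): selinux-policy-base` line is not defined in any visible hunk; if the spec does not set it elsewhere the dependency expands to an empty version, which is worth confirming.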
diff --git a/unix/vncserver/selinux/Makefile b/unix/vncserver/selinux/Makefile
new file mode 100644
index 00000000..7497bf84
--- /dev/null
+++ b/unix/vncserver/selinux/Makefile
@@ -0,0 +1,24 @@
+# SELinux module for TigerVNC's vncsession
+#
+# This will install the policy module, but not load it. To apply
+# it you should also run:
+#
+# sudo semodule -i /usr/share/selinux/packages/vncsession.pp
+# sudo restorecon /usr/sbin/vncsession /usr/libexec/vncsession-start
+#
+
+PREFIX=/usr
+DATADIR=$(PREFIX)/share
+
+all: vncsession.pp
+
+%.pp: %.te
+ make -f $(DATADIR)/selinux/devel/Makefile $@
+
+clean:
+ rm -f *.pp
+ rm -rf tmp
+
+install: vncsession.pp
+ mkdir -p $(DESTDIR)$(DATADIR)/selinux/packages
+ install vncsession.pp $(DESTDIR)$(DATADIR)/selinux/packages/vncsession.pp
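Review bot: The `install` rule copies the compiled policy with install's default mode, which is 0755, so a pure data file lands in `/usr/share/selinux/packages` marked executable; `install -m 644 vncsession.pp $(DESTDIR)$(DATADIR)/selinux/packages/vncsession.pp` gives it the mode a packaged `.pp` normally carries. The `%.pp: %.te` recipe also invokes `make` by name instead of `$(MAKE)`, which loses the parent's flags and jobserver when this Makefile is called recursively, as the spec does; `$(MAKE) -f $(DATADIR)/selinux/devel/Makefile $@` is the conventional form. The header comment lists `restorecon` for the two binaries but the `.fc` file also labels the pid file under `/var/run`, so mentioning that path there keeps the manual instructions complete.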
diff --git a/unix/vncserver/selinux/vncsession.fc b/unix/vncserver/selinux/vncsession.fc
new file mode 100644
index 00000000..97fa0753
--- /dev/null
+++ b/unix/vncserver/selinux/vncsession.fc
@@ -0,0 +1,23 @@
+#
+# Copyright 2018 Pierre Ossman for Cendio AB
+#
+# This is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This software is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this software; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+# USA.
+#
+
+/usr/sbin/vncsession -- gen_context(system_u:object_r:vnc_session_exec_t,s0)
+/usr/libexec/vncsession-start -- gen_context(system_u:object_r:vnc_session_exec_t,s0)
+
+/var/run/vncsession-:[0-9]*\.pid -- gen_context(system_u:object_r:vnc_session_var_run_t,s0)
diff --git a/unix/vncserver/selinux/vncsession.if b/unix/vncserver/selinux/vncsession.if
new file mode 100644
index 00000000..3eb6a305
--- /dev/null
+++ b/unix/vncserver/selinux/vncsession.if
@@ -0,0 +1 @@
+## <summary></summary>
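Review bot: The interface file ships with an empty `<summary>` element, which is the text policy documentation tools show as the module description, so the module appears with a blank entry; `## <summary>TigerVNC session manager (vncsession)</summary>` would do. Defining no interfaces is fine for a self-contained module, but a one-line summary is expected even then.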
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
new file mode 100644
index 00000000..30d9e594
--- /dev/null
+++ b/unix/vncserver/selinux/vncsession.te
@@ -0,0 +1,55 @@
+#
+# Copyright 2018-2020 Pierre Ossman for Cendio AB
+#
+# This is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This software is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this software; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+# USA.
+#
+
+policy_module(vncsession, 1.0.0);
+
+type vnc_session_exec_t;
+corecmd_executable_file(vnc_session_exec_t)
+type vnc_session_t;
+init_daemon_domain(vnc_session_t, vnc_session_exec_t)
+auth_login_pgm_domain(vnc_session_t)
+
+type vnc_session_var_run_t;
+files_pid_file(vnc_session_var_run_t)
+allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
+files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
+
+auth_write_login_records(vnc_session_t)
+
+userdom_spec_domtrans_all_users(vnc_session_t)
+userdom_signal_all_users(vnc_session_t)
+
+allow vnc_session_t self:capability { kill chown dac_override dac_read_search fowner setgid setuid sys_resource };
+allow vnc_session_t self:process { getcap setsched setexec setrlimit };
+allow vnc_session_t self:fifo_file rw_fifo_file_perms;
+
+miscfiles_read_localization(vnc_session_t)
+
+kernel_read_kernel_sysctls(vnc_session_t)
+
+logging_append_all_logs(vnc_session_t)
+
+mcs_process_set_categories(vnc_session_t)
+mcs_killall(vnc_session_t)
+
+# To create the log file in the user home directory
+allow vnc_session_t file_type:dir search_dir_perms;
+userdom_user_home_dir_filetrans_user_home_content(vnc_session_t, dir, ".vnc");
+userdom_manage_user_home_content_dirs(vnc_session_t);
+userdom_manage_user_home_content_files(vnc_session_t);
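Review bot: `allow vnc_session_t file_type:dir search_dir_perms;` grants directory search on every file type in the system, which is far broader than the stated purpose of reaching the user's home directory; the refpolicy interfaces `files_search_home(vnc_session_t)` and `userdom_search_user_home_content(vnc_session_t)` cover that path without letting the domain traverse arbitrary labelled trees. `userdom_manage_user_home_content_dirs`/`_files` likewise allow the domain to create and rewrite any user home content rather than just `~/.vnc`; if a module-specific home content type for that directory is feasible it would confine the log-file write, and otherwise the comment above these lines should state that write access to the whole home tree is intended. The trailing `;` on the last three interface calls is inconsistent with the rest of the file, where m4 macro calls take none, and can be dropped.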
diff --git a/unix/vncserver/vncserver@.service.in b/unix/vncserver/vncserver@.service.in
index 36ad02d0..51c9a2c9 100644
--- a/unix/vncserver/vncserver@.service.in
+++ b/unix/vncserver/vncserver@.service.in
@@ -37,6 +37,7 @@ After=syslog.target network.target
Type=forking
ExecStart=/usr/libexec/vncsession-start %i
PIDFile=/var/run/vncsession-%i.pid
+SELinuxContext=system_u:system_r:vnc_session_t:s0
[Install]
WantedBy=multi-user.target
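Review bot: `SELinuxContext=` without a leading `-` makes systemd fail the unit start when the context cannot be set, for example on an enforcing system where the vncsession module is installed but not yet loaded (the Makefile header notes that `make install` does not load it); `SELinuxContext=-system_u:system_r:vnc_session_t:s0` would ignore that failure instead. Whether failing hard or falling back is preferable is a design choice: `init_daemon_domain` in vncsession.te already labels `/usr/libexec/vncsession-start` for an automatic transition, so the explicit context seems to be a belt-and-braces guarantee, and the commit message could state which behaviour is intended when the module is absent.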