Diffstat (limited to 'unix/vncserver')
-rw-r--r--unix/vncserver/CMakeLists.txt5
-rw-r--r--unix/vncserver/selinux/vncsession.te14
-rw-r--r--unix/vncserver/vncserver@.service.in2
-rw-r--r--unix/vncserver/vncsession.c10
4 files changed, 26 insertions, 5 deletions
diff --git a/unix/vncserver/CMakeLists.txt b/unix/vncserver/CMakeLists.txt
index ae69dc09..ed259c22 100644
--- a/unix/vncserver/CMakeLists.txt
+++ b/unix/vncserver/CMakeLists.txt
@@ -1,5 +1,8 @@
add_executable(vncsession vncsession.c)
-target_link_libraries(vncsession ${PAM_LIBS} ${SELINUX_LIBS})
+target_include_directories(vncsession SYSTEM PRIVATE ${PAM_INCLUDE_DIRS})
+target_include_directories(vncsession SYSTEM PRIVATE ${SELINUX_INCLUDE_DIRS})
+target_link_libraries(vncsession ${PAM_LIBRARIES})
+target_link_libraries(vncsession ${SELINUX_LIBRARIES})
configure_file(vncserver@.service.in vncserver@.service @ONLY)
configure_file(vncsession-start.in vncsession-start @ONLY)
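Review bot: The two new `target_link_libraries` calls use the keyword-less signature, while the `target_include_directories` calls just above them are explicitly `PRIVATE`. vncsession is an executable with no consumers, so the link items can be scoped the same way in one call: `target_link_libraries(vncsession PRIVATE ${PAM_LIBRARIES} ${SELINUX_LIBRARIES})`. CMake rejects mixing the plain and keyword signatures on one target, so both calls have to change together. Where `PAM_*` and `SELINUX_*` are set is outside this hunk; if SELinux is optional, it is worth confirming the variables expand to nothing rather than a `-NOTFOUND` value when it is absent.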
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
index d92f1bda..2ce4fc81 100644
--- a/unix/vncserver/selinux/vncsession.te
+++ b/unix/vncserver/selinux/vncsession.te
@@ -37,6 +37,10 @@ allow vnc_session_t self:fifo_file rw_fifo_file_perms;
allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
+# Allow access to /proc/sys/fs/nr_open
+# Needed when the nofile limit is set to unlimited.
+kernel_read_fs_sysctls(vnc_session_t)
+
# Allowed to create ~/.local
optional_policy(`
gnome_filetrans_home_content(vnc_session_t)
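Review bot: The comment above `kernel_read_fs_sysctls(vnc_session_t)` names only /proc/sys/fs/nr_open, but the interface is not limited to that entry. As far as the reference policy defines it, it grants read access to every file carrying the filesystem-sysctl label. For a domain that starts user sessions, the comment should state the grant at its real scope, for example `# Read fs sysctls (interface covers the whole fs sysctl type; only nr_open is needed)`. It would also help to name what reads nr_open, presumably the PAM limits handling, which this hunk does not show.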
@@ -48,6 +52,14 @@ optional_policy(`
create_dirs_pattern(vnc_session_t, gconf_home_t, gconf_home_t)
')
+# Allowed to create /root/.local
+optional_policy(`
+ gen_require(`
+ type admin_home_t;
+ ')
+ create_dirs_pattern(vnc_session_t, admin_home_t, admin_home_t)
+')
+
# Manage TigerVNC files (mainly ~/.local/state/*.log)
create_dirs_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
manage_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
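Review bot: `create_dirs_pattern(vnc_session_t, admin_home_t, admin_home_t)` is wider than the "/root/.local" in its comment. The pattern carries no name, so it permits creating a directory of any name wherever the parent is labelled admin_home_t. It is also unconditional, so the session domain holds the permission for every session, not only root's. If a narrower rule is not practical here, the comment should say so, e.g. `# Allowed to create directories in root's home (needed for /root/.local; rule is not name-restricted)`.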
@@ -88,6 +100,7 @@ optional_policy(`
gen_require(`
attribute userdomain;
type gconf_home_t;
+ type admin_home_t;
')
userdom_admin_home_dir_filetrans(userdomain, vnc_home_t, dir, ".vnc")
userdom_user_home_dir_filetrans(userdomain, vnc_home_t, dir, ".vnc")
@@ -95,5 +108,6 @@ optional_policy(`
gnome_config_filetrans(userdomain, vnc_home_t, dir, "tigervnc")
gnome_data_filetrans(userdomain, vnc_home_t, dir, "tigervnc")
filetrans_pattern(userdomain, gconf_home_t, vnc_home_t, dir, "tigervnc")
+ filetrans_pattern(vnc_session_t, admin_home_t, vnc_home_t, dir, "tigervnc")
filetrans_pattern(vnc_session_t, gconf_home_t, vnc_home_t, dir, "tigervnc")
')
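Review bot: The added `filetrans_pattern(vnc_session_t, admin_home_t, vnc_home_t, dir, "tigervnc")` has no `userdomain` counterpart, unlike the gconf_home_t pair on the neighbouring lines. If a "tigervnc" directory under an admin_home_t parent can also be created from root's own login domain, it would presumably keep the admin_home_t label, and the vnc_home_t rules would not cover its files. If the asymmetry is intended, a one-line comment such as `# root: only vncsession itself creates this directory` would record that. The `type admin_home_t;` added to the `gen_require` in the previous hunk also makes this whole optional block depend on that type being present.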
diff --git a/unix/vncserver/vncserver@.service.in b/unix/vncserver/vncserver@.service.in
index 592ddb67..336498ac 100644
--- a/unix/vncserver/vncserver@.service.in
+++ b/unix/vncserver/vncserver@.service.in
@@ -31,7 +31,7 @@
[Unit]
Description=Remote desktop service (VNC)
-After=syslog.target network.target systemd-user-sessions.service
+After=network.target systemd-user-sessions.service
[Service]
Type=forking
diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c
index 0830e81a..79683ff9 100644
--- a/unix/vncserver/vncsession.c
+++ b/unix/vncserver/vncsession.c
@@ -134,7 +134,7 @@ begin_daemon(void)
static void
finish_daemon(void)
{
- write(daemon_pipe_fd, "+", 1);
+ if (write(daemon_pipe_fd, "+", 1) == -1) {}
close(daemon_pipe_fd);
daemon_pipe_fd = -1;
}
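Review bot: `if (write(daemon_pipe_fd, "+", 1) == -1) {}` in finish_daemon silences the unused-result warning but still discards the failure. If the write fails, the reader of the pipe sees only the close that follows, with nothing in the log explaining why. Since the file already logs through syslog, the failure could be recorded instead: `if (write(daemon_pipe_fd, "+", 1) != 1) syslog(LOG_ERR, "notifying parent failed: %s", strerror(errno));`. How the reading side treats a missing "+" is outside this hunk.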
@@ -545,8 +545,12 @@ run_script(const char *username, const char *display, char **envp)
switch_user(pwent->pw_name, pwent->pw_uid, pwent->pw_gid);
- if (chdir(pwent->pw_dir) == -1)
- chdir("/");
+ if (chdir(pwent->pw_dir) == -1) {
+ syslog(LOG_CRIT, "chdir(\"%s\") failed: %s", pwent->pw_dir, strerror(errno));
+ // fallback to "/"
+ if (chdir("/") == -1)
+ syslog(LOG_CRIT, "chdir(\"%s\") failed: %s", "/", strerror(errno));
+ }
close_fds();
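Review bot: When the fallback `chdir("/")` also fails, run_script logs it and carries on to `close_fds()`. The session script would then start, after `switch_user`, in whatever working directory the privileged parent had. For a helper that drops privileges, that inherited directory should not reach the user's session. I would stop in that branch, e.g. brace the inner `if` and add `_exit(EXIT_FAILURE);` after the second `syslog`, or use whatever failure path the rest of run_script uses, which is outside this hunk. Separately, `LOG_CRIT` is strong for the first failure, since a fallback exists; `LOG_WARNING` would fit better, keeping `LOG_CRIT` for the case where "/" is unreachable too.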