path: root/unix/vncserver/selinux
Commit message | Author | Age | Files | Lines
* Add SELinux policy rules allowing to access /proc/sys/fs/nr_open
  Author: Jan Grulich  Age: 2025-02-27  Files: 1  Lines: -0/+8
  This is needed when the nofile limit is set to unlimited, otherwise we will fail to start a VNC session.
* Add SELinux policy rules allowing to create directories under /root
  Author: Jan Grulich  Age: 2025-02-13  Files: 1  Lines: -0/+10
  We have a policy that allows creating ~/.local or ~/.config, but we don't have a rule that allows the same under the /root directory, where we fail in case any of these directories doesn't exist.
* Merge pull request #1737 from 62832/fix-1195
  Author: Samuel Mannehed (ThinLinc team)  Age: 2024-05-07  Files: 2  Lines: -4/+25
  Allow for alternative user config locations, deprecate `~/.vnc` in favour of XDG Base Directory Specification paths
| * Implement XDG Base Directory paths, deprecate ~/.vnc
    Author: 90  Age: 2024-04-26  Files: 2  Lines: -4/+25
* | Add .gitignore for SELinux files
    Author: Pierre Ossman  Age: 2024-04-26  Files: 1  Lines: -0/+2
* | Don't trigger build from install target
    Author: Pierre Ossman  Age: 2024-04-26  Files: 1  Lines: -1/+1
    The norm is that the install target is read only from the point of view of the source and build directory, so avoid accidentally triggering any build.
* | Clean up temporary SELinux directory
    Author: Pierre Ossman  Age: 2024-04-26  Files: 1  Lines: -0/+1
* | Overwrite vncsession.pp.bz2 each time
    Author: Pierre Ossman  Age: 2024-04-26  Files: 1  Lines: -1/+1
    Make it easier to work iteratively by not having to remove the output file each time.
* SELinux: Allow vncsession create ~/.vnc directory
  Author: Zdenek Pytela  Age: 2023-02-20  Files: 1  Lines: -0/+1
  Addresses the following AVC denial:

  type=PROCTITLE msg=audit(01/12/2023 02:58:12.648:696) : proctitle=/usr/sbin/vncsession fedora :1
  type=PATH msg=audit(01/12/2023 02:58:12.648:696) : item=1 name=/home/fedora/.vnc nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
  type=PATH msg=audit(01/12/2023 02:58:12.648:696) : item=0 name=/home/fedora/ inode=262145 dev=fc:02 mode=dir,700 ouid=fedora ogid=fedora rdev=00:00 obj=unconfined_u:object_r:user_home_dir_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
  type=CWD msg=audit(01/12/2023 02:58:12.648:696) : cwd=/home/fedora
  type=SYSCALL msg=audit(01/12/2023 02:58:12.648:696) : arch=x86_64 syscall=mkdir success=no exit=EACCES(Permission denied) a0=0x7fff47d52540 a1=0755 a2=0x0 a3=0x0 items=2 ppid=2869 pid=2880 auid=fedora uid=fedora gid=fedora euid=fedora suid=fedora fsuid=fedora egid=fedora sgid=fedora fsgid=fedora tty=(none) ses=8 comm=vncsession exe=/usr/sbin/vncsession subj=system_u:system_r:vnc_session_t:s0 key=(null)
  type=AVC msg=audit(01/12/2023 02:58:12.648:696) : avc: denied { create } for pid=2880 comm=vncsession name=.vnc scontext=system_u:system_r:vnc_session_t:s0 tcontext=system_u:object_r:vnc_home_t:s0 tclass=dir permissive=0

  Resolves: rhbz#2143704
* SELinux: use /root/.vnc in file context specification
  Author: Zdenek Pytela  Age: 2022-02-07  Files: 1  Lines: -1/+1
  Instead of HOME_ROOT/.vnc, /root/.vnc should be used for user root's home to specify the default file context, as HOME_ROOT actually means the base for home dirs (usually /home).
* Merge branch 'fb-session-nfs' of https://github.com/zpytela/tigervnc
  Author: Pierre Ossman  Age: 2021-08-26  Files: 2  Lines: -32/+47
| * Add vnc_home_t type
    Author: Zdenek Pytela  Age: 2021-05-18  Files: 2  Lines: -15/+13
    The new vnc_home_t type for the HOME/.vnc directory was added to the policy, backed by a name transition. The vnc_session_t domain can manage files and directories of this type.
| * Allow vnc_session_t manage nfs dirs and files conditionally
    Author: Zdenek Pytela  Age: 2021-05-18  Files: 1  Lines: -0/+5
    The permission set to manage directories and files with the nfs_t type is allowed when the use_nfs_home_dirs boolean is turned on.
    Resolves: https://github.com/TigerVNC/tigervnc/issues/1189
| * selinux: further style and comprehensibility improvements
    Author: Zdenek Pytela  Age: 2021-05-18  Files: 1  Lines: -23/+36
    Sections and rules blocks reordered according to the Style guide.
    https://github.com/TresysTechnology/refpolicy/wiki/StyleGuide
| * selinux: Fix issues reported by SELint
    Author: Vit Mojzis  Age: 2021-05-18  Files: 1  Lines: -4/+3
    Style guide [1] issues only. No impact on policy functionality.
    [1] - https://github.com/TresysTechnology/refpolicy/wiki/StyleGuide
* | SELinux: Add missing compression and install policy to correct directory
    Author: Jan Grulich  Age: 2021-05-17  Files: 1  Lines: -5/+8
* Use /run instead of /var/run which is just a symlink
  Author: Jan Grulich  Age: 2020-09-29  Files: 1  Lines: -1/+1
* Comment on SELinux rule affect other commands
  Author: Pierre Ossman  Age: 2020-08-17  Files: 1  Lines: -0/+1
  This line affects every command run by the user, unlike everything else in our policy which is just for vncserver/vncsession. It's easy to miss this so add a comment pointing it out.
* [SELinux] Allow vnc session create ~/.vnc
  Author: Lukas Vrabec  Age: 2020-07-31  Files: 2  Lines: -5/+18
  Allow the vnc session labeled with the SELinux vnc_session_t domain to create the directory ~/.vnc in the user homedir, labeled with the SELinux label xdm_home_t. Because the process vncpasswd also creates the ~/.vnc directory, a file transition needs to be added so that the userdomain attribute SELinux domain (label for the process) can create the directory with the same label.
  The userdomain attribute contains the following SELinux types:
    auditadm_t dbadm_t guest_t logadm_t secadm_t staff_t staff_wine_t sysadm_t unconfined_t user_t user_wine_t webadm_t xguest_t
  Signed-off-by: Lukas Vrabec <lvrabec@redhat.com>
* [SELinux] Allow vnc_session_t type execute itself
  Author: Lukas Vrabec  Age: 2020-05-06  Files: 1  Lines: -0/+2
  vncsession-start runs in the SELinux vnc_session_t domain because of the "SELinuxContext=system_u:system_r:vnc_session_t:s0" option in the systemd vncserver@.service unit file. vncsession-start executes the binary vncsession with the SELinux label/type vnc_session_t. This access was not allowed in the vncsession policy.
* Add SELinux policy file for vncsession
  Author: Pierre Ossman  Age: 2020-03-12  Files: 4  Lines: -0/+103
  Running as a service on an SELinux system requires rules so we can transition to our own context. We also need the proper permissions to start new user sessions.