# # Copyright 2018-2020 Pierre Ossman for Cendio AB # # This is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This software is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this software; if not, write to the Free Software # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, # USA. # policy_module(vncsession, 1.0.0) type vnc_session_t; type vnc_session_exec_t; init_daemon_domain(vnc_session_t, vnc_session_exec_t) can_exec(vnc_session_t, vnc_session_exec_t) type vnc_session_var_run_t; files_pid_file(vnc_session_var_run_t) type vnc_home_t; userdom_user_home_content(vnc_home_t) allow vnc_session_t self:capability { chown dac_override dac_read_search fowner kill setgid setuid sys_resource }; allow vnc_session_t self:process { getcap setexec setrlimit setsched }; allow vnc_session_t self:fifo_file rw_fifo_file_perms; allow vnc_session_t vnc_session_var_run_t:file manage_file_perms; files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file) # Allowed to create ~/.local optional_policy(` gnome_filetrans_home_content(vnc_session_t) ') optional_policy(` gen_require(` type gconf_home_t; ') create_dirs_pattern(vnc_session_t, gconf_home_t, gconf_home_t) ') # Manage TigerVNC files (mainly ~/.local/state/*.log) create_dirs_pattern(vnc_session_t, vnc_home_t, vnc_home_t) manage_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t) manage_fifo_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t) manage_sock_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t) manage_lnk_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t) kernel_read_kernel_sysctls(vnc_session_t) corecmd_executable_file(vnc_session_exec_t) mcs_process_set_categories(vnc_session_t) mcs_killall(vnc_session_t) tunable_policy(`use_nfs_home_dirs',` fs_manage_nfs_dirs(vnc_session_t) fs_manage_nfs_files(vnc_session_t) ') optional_policy(` auth_login_pgm_domain(vnc_session_t) auth_write_login_records(vnc_session_t) ') optional_policy(` logging_append_all_logs(vnc_session_t) ') optional_policy(` miscfiles_read_localization(vnc_session_t) ') optional_policy(` userdom_spec_domtrans_all_users(vnc_session_t) userdom_signal_all_users(vnc_session_t) # Make sure legacy path has correct type gen_require(` attribute userdomain; type gconf_home_t; ') userdom_admin_home_dir_filetrans(userdomain, vnc_home_t, dir, ".vnc") userdom_user_home_dir_filetrans(userdomain, vnc_home_t, dir, ".vnc") gnome_config_filetrans(userdomain, vnc_home_t, dir, "tigervnc") gnome_data_filetrans(userdomain, vnc_home_t, dir, "tigervnc") filetrans_pattern(userdomain, gconf_home_t, vnc_home_t, dir, "tigervnc") filetrans_pattern(vnc_session_t, gconf_home_t, vnc_home_t, dir, "tigervnc") ')