path: root/unix/vncserver/selinux/vncsession.te
#
#  Copyright 2018-2020 Pierre Ossman for Cendio AB
#
#  This is free software; you can redistribute it and/or modify
#  it under the terms of the GNU General Public License as published by
#  the Free Software Foundation; either version 2 of the License, or
#  (at your option) any later version.
#
#  This software is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this software; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307,
#  USA.
#

policy_module(vncsession, 1.0.0)

########################################
#
# Declarations
#

# vnc_session_t is the domain the vncsession helper runs in and
# vnc_session_exec_t labels its binary. init_daemon_domain() sets up the
# transition from init into vnc_session_t when that binary is executed;
# can_exec() additionally lets the domain execute the same binary again
# without a domain transition.
type vnc_session_t;
type vnc_session_exec_t;
init_daemon_domain(vnc_session_t, vnc_session_exec_t)
can_exec(vnc_session_t, vnc_session_exec_t)

# Type of the pid file the helper writes; files_pid_file() registers it as
# pid-file content so the generic refpolicy pid-file handling applies.
type vnc_session_var_run_t;
files_pid_file(vnc_session_var_run_t)

# Per-user VNC state kept in home directories (the ".vnc" directory created
# through the filetrans rules at the end of this module).
# userdom_user_home_content() marks it as user home content so that user
# domains keep their normal access to it.
type vnc_home_t;
userdom_user_home_content(vnc_home_t)

########################################
#
# Local policy
#

# Capabilities granted to the helper. This is the widest grant in the
# module: dac_override and dac_read_search bypass discretionary file
# permission checks, setuid/setgid allow switching to the session user,
# kill allows signalling processes owned by other users, sys_resource
# allows raising resource limits, and chown/fowner cover ownership and
# mode changes on files it creates. Presumably this is what starting a
# session as another user requires; confirm against the helper source
# before widening the set.
allow vnc_session_t self:capability { chown dac_override dac_read_search fowner kill setgid setuid sys_resource };
# setexec lets the helper choose the SELinux context of the user session
# it spawns (paired with userdom_spec_domtrans_all_users below); setrlimit
# and setsched go with the sys_resource capability for session setup.
allow vnc_session_t self:process { getcap setexec setrlimit setsched };
allow vnc_session_t self:fifo_file rw_fifo_file_perms;

# Full management of its own pid file, plus automatic labelling of files
# the helper creates in the pid directory.
allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)

# Full management of vnc_home_t content: directories, regular files,
# fifos, sockets and symlinks.
create_dirs_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
manage_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
manage_fifo_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
manage_sock_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t)
manage_lnk_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t)

# Read-only access to kernel sysctls.
kernel_read_kernel_sysctls(vnc_session_t)

# The helper binary is also a regular system executable.
corecmd_executable_file(vnc_session_exec_t)

# MCS: set the MCS categories of processes the helper starts, and signal
# processes regardless of their categories. mcs_killall is a broad right;
# together with the kill capability above it lets the helper terminate
# processes of any user session.
mcs_process_set_categories(vnc_session_t)
mcs_killall(vnc_session_t)

# Home directories on NFS are only manageable when the use_nfs_home_dirs
# boolean is enabled.
tunable_policy(`use_nfs_home_dirs',`
	fs_manage_nfs_dirs(vnc_session_t)
	fs_manage_nfs_files(vnc_session_t)
')

# PAM login program: the helper opens the session through PAM and writes
# the login records (utmp/wtmp style).
optional_policy(`
	auth_login_pgm_domain(vnc_session_t)
	auth_write_login_records(vnc_session_t)
')

# Append-only access to all log file types; no create or truncate.
optional_policy(`
	logging_append_all_logs(vnc_session_t)
')

# Locale data for message translation.
optional_policy(`
	miscfiles_read_localization(vnc_session_t)
')

# Interaction with user domains.
optional_policy(`
	# Transition into any user domain when starting the session (setexec
	# above selects the exact context) and signal any user domain process.
	userdom_spec_domtrans_all_users(vnc_session_t)
	userdom_signal_all_users(vnc_session_t)

	# Directories named ".vnc" that the helper creates in user or admin
	# home directories get vnc_home_t instead of the default home type.
	userdom_user_home_dir_filetrans(vnc_session_t, vnc_home_t, dir, ".vnc")
	userdom_admin_home_dir_filetrans(vnc_session_t, vnc_home_t, dir, ".vnc")

	# The same transition for every user domain, so that ~/.vnc is
	# labelled vnc_home_t even when the user creates it directly.
	# This also affects other tools, e.g. vncpasswd
	gen_require(`
		attribute userdomain;
	')
	userdom_admin_home_dir_filetrans(userdomain, vnc_home_t, dir, ".vnc")
	userdom_user_home_dir_filetrans(userdomain, vnc_home_t, dir, ".vnc")
')