Blob Blame History Raw
From 386542e6d50eeaa68aa91f821c0725ddd0ab9b2a Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 18 May 2021 12:23:15 +0200
Subject: [PATCH] selinux: Fix issues reported by SELint

Style guide [1] issues only. No impact on policy functionality.

[1] - https://github.com/TresysTechnology/refpolicy/wiki/StyleGuide
---
 unix/vncserver/selinux/vncsession.te | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
index a773fed39..63ad8a85f 100644
--- a/unix/vncserver/selinux/vncsession.te
+++ b/unix/vncserver/selinux/vncsession.te
@@ -17,7 +17,7 @@
 #  USA.
 #

-policy_module(vncsession, 1.0.0);
+policy_module(vncsession, 1.0.0)

 gen_require(`
     attribute userdomain;
@@ -42,8 +42,8 @@ can_exec(vnc_session_t, vnc_session_exec_t)
 userdom_spec_domtrans_all_users(vnc_session_t)
 userdom_signal_all_users(vnc_session_t)

-allow vnc_session_t self:capability { kill chown dac_override dac_read_search fowner setgid setuid sys_resource };
-allow vnc_session_t self:process { getcap setsched setexec setrlimit };
+allow vnc_session_t self:capability { chown dac_override dac_read_search fowner kill setgid setuid sys_resource };
+allow vnc_session_t self:process { getcap setexec setrlimit setsched };
 allow vnc_session_t self:fifo_file rw_fifo_file_perms;

 manage_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
@@ -65,4 +65,3 @@ logging_append_all_logs(vnc_session_t)

 mcs_process_set_categories(vnc_session_t)
 mcs_killall(vnc_session_t)
-
From 23cf514ac265a02dc666e8651dcc579022f0da77 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 18 May 2021 13:31:53 +0200
Subject: [PATCH] selinux: further style and comprehensibility improvements

Sections and rules blocks reordered according to the Style guide.

https://github.com/TresysTechnology/refpolicy/wiki/StyleGuide
---
 unix/vncserver/selinux/vncsession.te | 59 +++++++++++++++++-----------
 1 file changed, 36 insertions(+), 23 deletions(-)

diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
index 63ad8a85f..86fd6e5ef 100644
--- a/unix/vncserver/selinux/vncsession.te
+++ b/unix/vncserver/selinux/vncsession.te
@@ -20,48 +20,61 @@
 policy_module(vncsession, 1.0.0)

 gen_require(`
-    attribute userdomain;
-    type xdm_home_t;
+	attribute userdomain;
+	type xdm_home_t;
 ')

-type vnc_session_exec_t;
-corecmd_executable_file(vnc_session_exec_t)
 type vnc_session_t;
+type vnc_session_exec_t;
 init_daemon_domain(vnc_session_t, vnc_session_exec_t)
-auth_login_pgm_domain(vnc_session_t)
+can_exec(vnc_session_t, vnc_session_exec_t)

 type vnc_session_var_run_t;
 files_pid_file(vnc_session_var_run_t)
-allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
-files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
-
-auth_write_login_records(vnc_session_t)
-
-can_exec(vnc_session_t, vnc_session_exec_t)
-
-userdom_spec_domtrans_all_users(vnc_session_t)
-userdom_signal_all_users(vnc_session_t)

 allow vnc_session_t self:capability { chown dac_override dac_read_search fowner kill setgid setuid sys_resource };
 allow vnc_session_t self:process { getcap setexec setrlimit setsched };
 allow vnc_session_t self:fifo_file rw_fifo_file_perms;

+allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
+files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
+
 manage_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
 manage_fifo_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
 manage_sock_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
 manage_lnk_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
-userdom_user_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
-userdom_admin_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
-
-# This also affects other tools, e.g. vncpasswd
-userdom_admin_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
-userdom_user_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
-
-miscfiles_read_localization(vnc_session_t)

 kernel_read_kernel_sysctls(vnc_session_t)

-logging_append_all_logs(vnc_session_t)
+corecmd_executable_file(vnc_session_exec_t)

 mcs_process_set_categories(vnc_session_t)
 mcs_killall(vnc_session_t)
+
+optional_policy(`
+	auth_login_pgm_domain(vnc_session_t)
+	auth_write_login_records(vnc_session_t)
+')
+
+optional_policy(`
+	logging_append_all_logs(vnc_session_t)
+')
+
+optional_policy(`
+	miscfiles_read_localization(vnc_session_t)
+')
+
+optional_policy(`
+	userdom_spec_domtrans_all_users(vnc_session_t)
+	userdom_signal_all_users(vnc_session_t)
+
+	userdom_user_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
+	userdom_admin_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
+
+	# This also affects other tools, e.g. vncpasswd
+	gen_require(`
+		attribute userdomain;
+	')
+	userdom_admin_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
+	userdom_user_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
+')
From 3c8622691abfb377b48bf3749dd629c5a7120cf4 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 18 May 2021 13:39:11 +0200
Subject: [PATCH] Allow vnc_session_t manage nfs dirs and files conditionally

The permissions set to manage directories and files with the nfs_t type
is allowed when the use_nfs_home_dirs boolean is turned on.

Resolves: https://github.com/TigerVNC/tigervnc/issues/1189
---
 unix/vncserver/selinux/vncsession.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
index 86fd6e5ef..46e699117 100644
--- a/unix/vncserver/selinux/vncsession.te
+++ b/unix/vncserver/selinux/vncsession.te
@@ -51,6 +51,11 @@ corecmd_executable_file(vnc_session_exec_t)
 mcs_process_set_categories(vnc_session_t)
 mcs_killall(vnc_session_t)

+tunable_policy(`use_nfs_home_dirs',`
+	fs_manage_nfs_dirs(vnc_session_t)
+	fs_manage_nfs_files(vnc_session_t)
+')
+
 optional_policy(`
 	auth_login_pgm_domain(vnc_session_t)
 	auth_write_login_records(vnc_session_t)
diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
index 46e69911..f1108ec8 100644
--- a/unix/vncserver/selinux/vncsession.te
+++ b/unix/vncserver/selinux/vncsession.te
@@ -20,7 +20,6 @@
 policy_module(vncsession, 1.0.0)

 gen_require(`
-	attribute userdomain;
 	type xdm_home_t;
 ')