Skip to content

Commit

Permalink
Confine gnome-remote-desktop
Browse files Browse the repository at this point in the history 
- add new gnome_remote_desktop_t port mapping for tcp 3389-3399
- add file type for /var/lib/gnome-remote-desktop(/.*)?
- add new domain and transition for /usr/libexec/gnome-remote-desktop-daemon

Resolves: RHEL-35877
  • Loading branch information
@bachradsusi @zpytela
bachradsusi authored and zpytela committed Oct 16, 2024
1 parent 4435060 commit 3d165a6
Show file tree
Hide file tree
Showing 7 changed files with 272 additions and 0 deletions.
7 changes: 7 additions & 0 deletions policy/modules.conf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1114,6 +1114,13 @@ glusterd = module
#
gnome = module

# Layer: apps
# Module: gnome_remote_desktop
#
# gnome-remote-desktop
#
gnome_remote_desktop = module

# Layer: apps
# Module: gpg
#
Expand Down
4 changes: 4 additions & 0 deletions policy/modules/contrib/dbus.te
View file
Original file line number Diff line number Diff line change
Expand Up @@ -408,3 +408,7 @@ allow session_bus_type dbusd_unconfined:dbus send_msg;

kernel_stream_connect(session_bus_type)
systemd_login_read_pid_files(session_bus_type)

optional_policy(`
gnome_remote_desktop_rw_tcp_sockets(system_dbusd_t)
')
3 changes: 3 additions & 0 deletions policy/modules/contrib/gnome_remote_desktop.fc
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
/usr/libexec/gnome-remote-desktop-daemon -- gen_context(system_u:object_r:gnome_remote_desktop_exec_t,s0)

/var/lib/gnome-remote-desktop(/.*)? gen_context(system_u:object_r:gnome_remote_desktop_var_lib_t,s0)
178 changes: 178 additions & 0 deletions policy/modules/contrib/gnome_remote_desktop.if
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,178 @@

## <summary>policy for gnome_remote_desktop</summary>

########################################
## <summary>
## Execute gnome_remote_desktop_exec_t in the gnome_remote_desktop domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`gnome_remote_desktop_domtrans',`
gen_require(`
type gnome_remote_desktop_t, gnome_remote_desktop_exec_t;
')

corecmd_search_bin($1)
domtrans_pattern($1, gnome_remote_desktop_exec_t, gnome_remote_desktop_t)
')

######################################
## <summary>
## Execute gnome_remote_desktop in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_remote_desktop_exec',`
gen_require(`
type gnome_remote_desktop_exec_t;
')

corecmd_search_bin($1)
can_exec($1, gnome_remote_desktop_exec_t)
')

########################################
## <summary>
## Search gnome_remote_desktop lib directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_remote_desktop_search_lib',`
gen_require(`
type gnome_remote_desktop_var_lib_t;
')

allow $1 gnome_remote_desktop_var_lib_t:dir search_dir_perms;
files_search_var_lib($1)
')

########################################
## <summary>
## Read gnome_remote_desktop lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_remote_desktop_read_lib_files',`
gen_require(`
type gnome_remote_desktop_var_lib_t;
')

files_search_var_lib($1)
read_files_pattern($1, gnome_remote_desktop_var_lib_t, gnome_remote_desktop_var_lib_t)
')

########################################
## <summary>
## Manage gnome_remote_desktop lib files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_remote_desktop_manage_lib_files',`
gen_require(`
type gnome_remote_desktop_var_lib_t;
')

files_search_var_lib($1)
manage_files_pattern($1, gnome_remote_desktop_var_lib_t, gnome_remote_desktop_var_lib_t)
')

########################################
## <summary>
## Manage gnome_remote_desktop lib directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_remote_desktop_manage_lib_dirs',`
gen_require(`
type gnome_remote_desktop_var_lib_t;
')

files_search_var_lib($1)
manage_dirs_pattern($1, gnome_remote_desktop_var_lib_t, gnome_remote_desktop_var_lib_t)
')


########################################
## <summary>
## All of the rules required to administrate
## an gnome_remote_desktop environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`gnome_remote_desktop_admin',`
gen_require(`
type gnome_remote_desktop_t;
type gnome_remote_desktop_var_lib_t;
')

allow $1 gnome_remote_desktop_t:process { signal_perms };
ps_process_pattern($1, gnome_remote_desktop_t)

tunable_policy(`deny_ptrace',`',`
allow $1 gnome_remote_desktop_t:process ptrace;
')

files_search_var_lib($1)
admin_pattern($1, gnome_remote_desktop_var_lib_t)
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
')

## <summary>
## Read and write to TCP socket
## </summary>
## <desc>
## <p>
## Allow the specified domain to read and write to
## gnome_remote_desktop_port_t TCP socket
## </p>
## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`gnome_remote_desktop_rw_tcp_sockets', `
gen_require(`
type gnome_remote_desktop_t;
')

allow $1 gnome_remote_desktop_t:tcp_socket rw_socket_perms;
')
73 changes: 73 additions & 0 deletions policy/modules/contrib/gnome_remote_desktop.te
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
policy_module(gnome_remote_desktop, 1.0.0)

########################################
#
# Declarations
#

type gnome_remote_desktop_t;
type gnome_remote_desktop_exec_t;
domain_type(gnome_remote_desktop_t)
domain_entry_file(gnome_remote_desktop_t, gnome_remote_desktop_exec_t)
role system_r types gnome_remote_desktop_t;

permissive gnome_remote_desktop_t;

type gnome_remote_desktop_var_lib_t;
files_type(gnome_remote_desktop_var_lib_t)

########################################
#
# gnome_remote_desktop local policy
#

kernel_dgram_send(gnome_remote_desktop_t)

manage_dirs_pattern(gnome_remote_desktop_t, gnome_remote_desktop_var_lib_t, gnome_remote_desktop_var_lib_t)
manage_files_pattern(gnome_remote_desktop_t, gnome_remote_desktop_var_lib_t, gnome_remote_desktop_var_lib_t)
manage_lnk_files_pattern(gnome_remote_desktop_t, gnome_remote_desktop_var_lib_t, gnome_remote_desktop_var_lib_t)
files_var_lib_filetrans(gnome_remote_desktop_t, gnome_remote_desktop_var_lib_t, { dir file lnk_file })

#============= gnome_remote_desktop_t ==============
corenet_tcp_bind_gnome_remote_desktop_port(gnome_remote_desktop_t)
allow gnome_remote_desktop_t self:tcp_socket create_stream_socket_perms;
allow gnome_remote_desktop_t self:unix_dgram_socket create_socket_perms;

domain_use_interactive_fds(gnome_remote_desktop_t)

files_read_etc_files(gnome_remote_desktop_t)

corenet_tcp_bind_generic_node(gnome_remote_desktop_t)
dev_read_sysfs(gnome_remote_desktop_t)
files_watch_usr_dirs(gnome_remote_desktop_t)
fs_getattr_cgroup(gnome_remote_desktop_t)
fs_getattr_xattr_fs(gnome_remote_desktop_t)
init_read_state(gnome_remote_desktop_t)

optional_policy(`
dbus_system_domain(gnome_remote_desktop_t, gnome_remote_desktop_exec_t)
')

optional_policy(`
kerberos_read_config(gnome_remote_desktop_t)
')

optional_policy(`
logging_write_syslog_pid_socket(gnome_remote_desktop_t)
')

optional_policy(`
miscfiles_read_certs(gnome_remote_desktop_t)
miscfiles_read_localization(gnome_remote_desktop_t)
')

optional_policy(`
systemd_login_list_pid_dirs(gnome_remote_desktop_t)
systemd_login_read_pid_files(gnome_remote_desktop_t)
systemd_read_logind_sessions_files(gnome_remote_desktop_t)
')

optional_policy(`
xserver_dbus_chat_xdm(gnome_remote_desktop_t)
xserver_read_xdm_state(gnome_remote_desktop_t)
')
1 change: 1 addition & 0 deletions policy/modules/kernel/corenetwork.te.in
View file
Original file line number Diff line number Diff line change
Expand Up @@ -186,6 +186,7 @@ network_port(git, tcp,9418,s0, udp,9418,s0)
network_port(glance, tcp,9292,s0, udp,9292,s0)
network_port(glance_registry, tcp,9191,s0, udp,9191,s0)
network_port(gluster, tcp,24007-24027,s0, tcp, 38465-38469,s0)
network_port(gnome_remote_desktop, tcp,3389-3399,s0)
network_port(gopher, tcp,70,s0, udp,70,s0)
network_port(gpsd, tcp,2947,s0)
network_port(hadoop_datanode, tcp,50010,s0)
Expand Down
6 changes: 6 additions & 0 deletions policy/modules/services/xserver.te
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1856,3 +1856,9 @@ tunable_policy(`selinuxuser_direct_dri_enabled',`
',`
dev_dontaudit_rw_dri(dridomain)
')

#============= xdm_t ==============
optional_policy(`
gnome_remote_desktop_rw_tcp_sockets(xdm_t)
dev_rw_dma_dev(xdm_t)
')

0 comments on commit 3d165a6

Please sign in to comment.