Confine gnome-remote-desktop

- add new gnome_remote_desktop_t port mapping for tcp 3389-3399 - add file type for /var/lib/gnome-remote-desktop(/.*)? - add new domain and transition for /usr/libexec/gnome-remote-desktop-daemon Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2271661
fedora-selinux · Sep 11, 2024 · 8d05aa8 · 8d05aa8
1 parent 1d35556
commit 8d05aa8
Show file tree

Hide file tree

Showing 7 changed files with 272 additions and 0 deletions.
diff --git a/policy/modules.conf b/policy/modules.conf
@@ -1086,6 +1086,13 @@ glusterd =  module
 # 
 gnome = module
 
+# Layer: apps
+# Module: gnome_remote_desktop
+#
+# gnome-remote-desktop
+#
+gnome_remote_desktop = module
+
 # Layer: apps
 # Module: gpg
 #

diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
@@ -410,3 +410,7 @@ allow session_bus_type dbusd_unconfined:dbus send_msg;
 
 kernel_stream_connect(session_bus_type)
 systemd_login_read_pid_files(session_bus_type)
+
+optional_policy(`
+	gnome_remote_desktop_rw_tcp_sockets(system_dbusd_t)
+')
diff --git a/policy/modules/contrib/gnome_remote_desktop.fc b/policy/modules/contrib/gnome_remote_desktop.fc
@@ -0,0 +1,3 @@
+/usr/libexec/gnome-remote-desktop-daemon		--	gen_context(system_u:object_r:gnome_remote_desktop_exec_t,s0)
+
+/var/lib/gnome-remote-desktop(/.*)?		gen_context(system_u:object_r:gnome_remote_desktop_var_lib_t,s0)
diff --git a/policy/modules/contrib/gnome_remote_desktop.if b/policy/modules/contrib/gnome_remote_desktop.if
@@ -0,0 +1,178 @@
+
+## <summary>policy for gnome_remote_desktop</summary>
+
+########################################
+## <summary>
+##	Execute gnome_remote_desktop_exec_t in the gnome_remote_desktop domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`gnome_remote_desktop_domtrans',`
+	gen_require(`
+		type gnome_remote_desktop_t, gnome_remote_desktop_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, gnome_remote_desktop_exec_t, gnome_remote_desktop_t)
+')
+
+######################################
+## <summary>
+##	Execute gnome_remote_desktop in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_remote_desktop_exec',`
+	gen_require(`
+		type gnome_remote_desktop_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, gnome_remote_desktop_exec_t)
+')
+
+########################################
+## <summary>
+##	Search gnome_remote_desktop lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_remote_desktop_search_lib',`
+	gen_require(`
+		type gnome_remote_desktop_var_lib_t;
+	')
+
+	allow $1 gnome_remote_desktop_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read gnome_remote_desktop lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_remote_desktop_read_lib_files',`
+	gen_require(`
+		type gnome_remote_desktop_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, gnome_remote_desktop_var_lib_t, gnome_remote_desktop_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage gnome_remote_desktop lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_remote_desktop_manage_lib_files',`
+	gen_require(`
+		type gnome_remote_desktop_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, gnome_remote_desktop_var_lib_t, gnome_remote_desktop_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage gnome_remote_desktop lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_remote_desktop_manage_lib_dirs',`
+	gen_require(`
+		type gnome_remote_desktop_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, gnome_remote_desktop_var_lib_t, gnome_remote_desktop_var_lib_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an gnome_remote_desktop environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`gnome_remote_desktop_admin',`
+	gen_require(`
+		type gnome_remote_desktop_t;
+		type gnome_remote_desktop_var_lib_t;
+	')
+
+	allow $1 gnome_remote_desktop_t:process { signal_perms };
+	ps_process_pattern($1, gnome_remote_desktop_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 gnome_remote_desktop_t:process ptrace;
+	')
+
+	files_search_var_lib($1)
+	admin_pattern($1, gnome_remote_desktop_var_lib_t)
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
+
+## <summary>
+##	Read and write to TCP socket
+## </summary>
+## <desc>
+##	<p>
+##	Allow the specified domain to read and write to
+##  gnome_remote_desktop_port_t TCP socket
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`gnome_remote_desktop_rw_tcp_sockets', `
+	gen_require(`
+		type gnome_remote_desktop_t;
+	')
+
+	allow $1 gnome_remote_desktop_t:tcp_socket rw_socket_perms;
+')
diff --git a/policy/modules/contrib/gnome_remote_desktop.te b/policy/modules/contrib/gnome_remote_desktop.te
@@ -0,0 +1,73 @@
+policy_module(gnome_remote_desktop, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type gnome_remote_desktop_t;
+type gnome_remote_desktop_exec_t;
+domain_type(gnome_remote_desktop_t)
+domain_entry_file(gnome_remote_desktop_t, gnome_remote_desktop_exec_t)
+role system_r types gnome_remote_desktop_t;
+
+permissive gnome_remote_desktop_t;
+
+type gnome_remote_desktop_var_lib_t;
+files_type(gnome_remote_desktop_var_lib_t)
+
+########################################
+#
+# gnome_remote_desktop local policy
+#
+
+kernel_dgram_send(gnome_remote_desktop_t)
+
+manage_dirs_pattern(gnome_remote_desktop_t, gnome_remote_desktop_var_lib_t, gnome_remote_desktop_var_lib_t)
+manage_files_pattern(gnome_remote_desktop_t, gnome_remote_desktop_var_lib_t, gnome_remote_desktop_var_lib_t)
+manage_lnk_files_pattern(gnome_remote_desktop_t, gnome_remote_desktop_var_lib_t, gnome_remote_desktop_var_lib_t)
+files_var_lib_filetrans(gnome_remote_desktop_t, gnome_remote_desktop_var_lib_t, { dir file lnk_file })
+
+#============= gnome_remote_desktop_t ==============
+corenet_tcp_bind_gnome_remote_desktop_port(gnome_remote_desktop_t)
+allow gnome_remote_desktop_t self:tcp_socket create_stream_socket_perms;
+allow gnome_remote_desktop_t self:unix_dgram_socket create_socket_perms;
+
+domain_use_interactive_fds(gnome_remote_desktop_t)
+
+files_read_etc_files(gnome_remote_desktop_t)
+
+corenet_tcp_bind_generic_node(gnome_remote_desktop_t)
+dev_read_sysfs(gnome_remote_desktop_t)
+files_watch_usr_dirs(gnome_remote_desktop_t)
+fs_getattr_cgroup(gnome_remote_desktop_t)
+fs_getattr_xattr_fs(gnome_remote_desktop_t)
+init_read_state(gnome_remote_desktop_t)
+
+optional_policy(`
+	dbus_system_domain(gnome_remote_desktop_t, gnome_remote_desktop_exec_t)
+')
+
+optional_policy(`
+	kerberos_read_config(gnome_remote_desktop_t)
+')
+
+optional_policy(`
+	logging_write_syslog_pid_socket(gnome_remote_desktop_t)
+')
+
+optional_policy(`
+	miscfiles_read_certs(gnome_remote_desktop_t)
+	miscfiles_read_localization(gnome_remote_desktop_t)
+')
+
+optional_policy(`
+	systemd_login_list_pid_dirs(gnome_remote_desktop_t)
+	systemd_login_read_pid_files(gnome_remote_desktop_t)
+	systemd_read_logind_sessions_files(gnome_remote_desktop_t)
+')
+
+optional_policy(`
+	xserver_dbus_chat_xdm(gnome_remote_desktop_t)
+	xserver_read_xdm_state(gnome_remote_desktop_t)
+')
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
@@ -186,6 +186,7 @@ network_port(git, tcp,9418,s0, udp,9418,s0)
 network_port(glance, tcp,9292,s0, udp,9292,s0)
 network_port(glance_registry, tcp,9191,s0, udp,9191,s0)
 network_port(gluster, tcp,24007-24027,s0, tcp, 38465-38469,s0)
+network_port(gnome_remote_desktop, tcp,3389-3399,s0)
 network_port(gopher, tcp,70,s0, udp,70,s0)
 network_port(gpsd, tcp,2947,s0)
 network_port(hadoop_datanode, tcp,50010,s0)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
@@ -1857,3 +1857,9 @@ tunable_policy(`selinuxuser_direct_dri_enabled',`
 ',`
 	dev_dontaudit_rw_dri(dridomain)
 ')
+
+#============= xdm_t ==============
+optional_policy(`
+	gnome_remote_desktop_rw_tcp_sockets(xdm_t)
+	dev_rw_dma_dev(xdm_t)
+')