add rustdesk selinux (#748)

* add rustdesk-selinux

* add build deps

anda/others/rustdesk-selinux/anda.hcl

@@ -0,0 +1,5 @@
+project pkg {
+	rpm {
+		spec = "rustdesk-selinux.spec"
+	}
+}

anda/others/rustdesk-selinux/rustdesk-selinux.spec

@@ -0,0 +1,69 @@
+# vim: sw=4:ts=4:et
+# Rustdesk will be added later, but for now this supplements the
+# external rustdesk package
+
+%define relabel_files() \
+restorecon -R /usr/lib/rustdesk/rustdesk; \
+
+%define selinux_policyver 38.28-1
+
+Name:   rustdesk-selinux
+Version:	1.0
+Release:	1%{?dist}
+Summary:	SELinux policy module for rustdesk
+
+Group:	System Environment/Base		
+License:	GPLv2+	
+URL:		http://rustdesk.com
+Source0:	rustdesk.te
+
+Requires: policycoreutils, libselinux-utils
+BuildRequires: policycoreutils, libselinux-utils, checkpolicy
+Supplements: rustdesk
+Enhances: rustdesk
+Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils
+Requires(postun): policycoreutils
+BuildArch: noarch
+
+%description
+This package installs and sets up the  SELinux policy security module for rustdesk.
+
+%build
+checkmodule -M -m -o rustdesk.mod %{SOURCE0}
+semodule_package -o rustdesk.pp -m rustdesk.mod
+
+
+%install
+install -d %{buildroot}%{_datadir}/selinux/packages
+install -m 644 rustdesk.pp %{buildroot}%{_datadir}/selinux/packages
+
+
+
+%post
+semodule -n -i %{_datadir}/selinux/packages/rustdesk.pp
+if /usr/sbin/selinuxenabled ; then
+    /usr/sbin/load_policy
+    %relabel_files
+
+fi;
+exit 0
+
+%postun
+if [ $1 -eq 0 ]; then
+    semodule -n -r rustdesk
+    if /usr/sbin/selinuxenabled ; then
+       /usr/sbin/load_policy
+       %relabel_files
+
+    fi;
+fi;
+exit 0
+
+%files
+%attr(0600,root,root) %{_datadir}/selinux/packages/rustdesk.pp
+
+
+%changelog
+* Sun Oct  1 2023 Cappy Ishihara <[email protected]> 1.0-1
+- Initial version
+

anda/others/rustdesk-selinux/rustdesk.te

@@ -0,0 +1,44 @@
+module rustdesk 1.0;
+
+require {
+        type xdm_t;
+        type sudo_exec_t;
+        type cache_home_t;
+        type chronyc_t;
+        type xserver_misc_device_t;
+        type xserver_t;
+        type chronyd_restricted_t;
+        type device_t;
+        type unreserved_port_t;
+        type xserver_port_t;
+        type event_device_t;
+        type init_t;
+        type speech_dispatcher_t;
+        class capability dac_override;
+        class dir create;
+        class unix_dgram_socket sendto;
+        class unix_stream_socket connectto;
+        class tcp_socket name_connect;
+        class chr_file { getattr open read write };
+        class file execute;
+}
+
+#============= chronyc_t ==============
+allow chronyc_t chronyd_restricted_t:unix_dgram_socket sendto;
+
+#============= init_t ==============
+allow init_t event_device_t:chr_file open;
+allow init_t sudo_exec_t:file execute;
+
+#!!!! This avc can be allowed using the boolean 'nis_enabled'
+allow init_t unreserved_port_t:tcp_socket name_connect;
+allow init_t xserver_misc_device_t:chr_file { read write };
+allow init_t xserver_port_t:tcp_socket name_connect;
+allow init_t xserver_t:unix_stream_socket connectto;
+
+#============= speech_dispatcher_t ==============
+allow speech_dispatcher_t cache_home_t:dir create;
+allow speech_dispatcher_t self:capability dac_override;
+
+#============= xdm_t ==============
+allow xdm_t device_t:chr_file getattr;