diff --git a/anda/others/rustdesk-selinux/anda.hcl b/anda/others/rustdesk-selinux/anda.hcl
new file mode 100644
index 0000000000..3c34365df0
--- /dev/null
+++ b/anda/others/rustdesk-selinux/anda.hcl
@@ -0,0 +1,5 @@
+project pkg {
+ rpm {
+ spec = "rustdesk-selinux.spec"
+ }
+}
diff --git a/anda/others/rustdesk-selinux/rustdesk-selinux.spec b/anda/others/rustdesk-selinux/rustdesk-selinux.spec
new file mode 100644
index 0000000000..d0d078b500
--- /dev/null
+++ b/anda/others/rustdesk-selinux/rustdesk-selinux.spec
@@ -0,0 +1,69 @@
+# vim: sw=4:ts=4:et
+# Rustdesk will be added later, but for now this supplements the
+# external rustdesk package
+
+%define relabel_files() \
+restorecon -R /usr/lib/rustdesk/rustdesk; \
+
+%define selinux_policyver 38.28-1
+
+Name: rustdesk-selinux
+Version: 1.0
+Release: 1%{?dist}
+Summary: SELinux policy module for rustdesk
+
+Group: System Environment/Base
+License: GPLv2+
+URL: http://rustdesk.com
+Source0: rustdesk.te
+
+Requires: policycoreutils, libselinux-utils
+BuildRequires: policycoreutils, libselinux-utils, checkpolicy
+Supplements: rustdesk
+Enhances: rustdesk
+Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils
+Requires(postun): policycoreutils
+BuildArch: noarch
+
+%description
+This package installs and sets up the SELinux policy security module for rustdesk.
+
+%build
+checkmodule -M -m -o rustdesk.mod %{SOURCE0}
+semodule_package -o rustdesk.pp -m rustdesk.mod
+
+
+%install
+install -d %{buildroot}%{_datadir}/selinux/packages
+install -m 644 rustdesk.pp %{buildroot}%{_datadir}/selinux/packages
+
+
+
+%post
+semodule -n -i %{_datadir}/selinux/packages/rustdesk.pp
+if /usr/sbin/selinuxenabled ; then
+ /usr/sbin/load_policy
+ %relabel_files
+
+fi;
+exit 0
+
+%postun
+if [ $1 -eq 0 ]; then
+ semodule -n -r rustdesk
+ if /usr/sbin/selinuxenabled ; then
+ /usr/sbin/load_policy
+ %relabel_files
+
+ fi;
+fi;
+exit 0
+
+%files
+%attr(0600,root,root) %{_datadir}/selinux/packages/rustdesk.pp
+
+
+%changelog
+* Sun Oct 1 2023 Cappy Ishihara 1.0-1
+- Initial version
+
diff --git a/anda/others/rustdesk-selinux/rustdesk.te b/anda/others/rustdesk-selinux/rustdesk.te
new file mode 100644
index 0000000000..dc38a1f6dd
--- /dev/null
+++ b/anda/others/rustdesk-selinux/rustdesk.te
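Review bot: The `%relabel_files` macro runs `restorecon -R /usr/lib/rustdesk/rustdesk` from `%post` and `%postun`, but the package ships only `rustdesk.te` (Source0) and `semodule_package` is invoked without `-f`, so the module carries no file contexts for that path and the relabel cannot change any label. Either drop the macro or ship a `rustdesk.fc` as `Source1` and build it in with `semodule_package -o rustdesk.pp -m rustdesk.mod -f %{SOURCE1}`. Separately, `%post` ends in `exit 0` and never looks at the status of `semodule -n -i`, so a module that fails to install (policy-version mismatch, syntax error) leaves rpm reporting success while the host runs without the intended rules; at minimum surface it, e.g. `semodule -n -i %{_datadir}/selinux/packages/rustdesk.pp || echo "rustdesk-selinux: semodule install failed" >&2`. The `Requires(post): selinux-policy-base >= 38.28-1` pin presumably tracks the distribution policy the module was generated against — confirm it is bumped whenever the `require` block in `rustdesk.te` changes, since missing types there make `semodule -i` fail at install time.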
@@ -0,0 +1,44 @@
+module rustdesk 1.0;
+
+require {
+ type xdm_t;
+ type sudo_exec_t;
+ type cache_home_t;
+ type chronyc_t;
+ type xserver_misc_device_t;
+ type xserver_t;
+ type chronyd_restricted_t;
+ type device_t;
+ type unreserved_port_t;
+ type xserver_port_t;
+ type event_device_t;
+ type init_t;
+ type speech_dispatcher_t;
+ class capability dac_override;
+ class dir create;
+ class unix_dgram_socket sendto;
+ class unix_stream_socket connectto;
+ class tcp_socket name_connect;
+ class chr_file { getattr open read write };
+ class file execute;
+}
+
+#============= chronyc_t ==============
+allow chronyc_t chronyd_restricted_t:unix_dgram_socket sendto;
+
+#============= init_t ==============
+allow init_t event_device_t:chr_file open;
+allow init_t sudo_exec_t:file execute;
+
+#!!!! This avc can be allowed using the boolean 'nis_enabled'
+allow init_t unreserved_port_t:tcp_socket name_connect;
+allow init_t xserver_misc_device_t:chr_file { read write };
+allow init_t xserver_port_t:tcp_socket name_connect;
+allow init_t xserver_t:unix_stream_socket connectto;
+
+#============= speech_dispatcher_t ==============
+allow speech_dispatcher_t cache_home_t:dir create;
+allow speech_dispatcher_t self:capability dac_override;
+
+#============= xdm_t ==============
+allow xdm_t device_t:chr_file getattr;
\ No newline at end of file
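Review bot: Every rule in this module is attached to shared system domains — `init_t`, `xdm_t`, `speech_dispatcher_t`, `chronyc_t` — and the module declares no rustdesk type, domain or file context, so each grant applies to every process in those domains rather than to rustdesk alone. In particular `allow init_t unreserved_port_t:tcp_socket name_connect;`, `allow init_t sudo_exec_t:file execute;` and `allow init_t xserver_t:unix_stream_socket connectto;` widen the PID 1 domain to arbitrary outbound TCP, executing sudo and attaching to the X server, while `allow speech_dispatcher_t self:capability dac_override;` hands speech-dispatcher a DAC bypass just to create a directory under `cache_home_t`. That the denials were recorded against `init_t` is consistent with the service binary running with no domain transition (for instance labelled `lib_t` under `/usr/lib/rustdesk`) — confirm with `ls -Z`; if so, a file-context entry labelling `/usr/lib/rustdesk/rustdesk` as `bin_t`, or a dedicated rustdesk domain with a `type_transition` from `init_t`, would move the service out of `init_t` and let these rules be scoped to it. The `chronyc_t`, `speech_dispatcher_t` and `xdm_t` rules look like unrelated audit2allow output captured in the same session, and the `#!!!!` hint already says the `nis_enabled` boolean covers the `unreserved_port_t` denial without a policy change. I would add a header comment above `module rustdesk 1.0;` stating that these are audit2allow rules against system domains and a stopgap until rustdesk gets its own confined domain, so nobody treats this as the final policy.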