From 455d814fe8914258d7051fc517b8ac6f69770852 Mon Sep 17 00:00:00 2001
From: Jan Grulich
Date: May 25 2021 12:29:01 +0000
Subject: SELinux improvements

Backport some CentOS changes
---

diff --git a/0001-rpath-hack.patch b/0001-rpath-hack.patch
new file mode 100644
index 0000000..4e438dd
--- /dev/null
+++ b/0001-rpath-hack.patch
@@ -0,0 +1,24 @@
+From 2489f2f38eb32d9dd03718a36cbdbdf13d2f8b9b Mon Sep 17 00:00:00 2001
+From: Adam Jackson
+Date: Thu, 12 Nov 2015 11:10:11 -0500
+Subject: [PATCH] rpath hack
+
+Normally, rpath is undesirable. But for the X server we _know_ we need
+Mesa's libGL, which will always be in %{_libdir}, and not any third-party
+libGL that may be configured using ld.so.conf.
+
+---
+ configure.ac | 1 +
+ 1 files changed, 1 insertions(+), 0 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index fa15a2d..a5af1e0 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1261,6 +1261,7 @@ AM_CONDITIONAL(GLX, test "x$GLX" = xyes)
+
+ AM_CONDITIONAL(HASHTABLE, test "x$HASHTABLE" = xyes)
+
++GLX_SYS_LIBS="$GLX_SYS_LIBS -Wl,-rpath=\$(libdir)"
+ AC_SUBST([GLX_DEFINES])
+ AC_SUBST([GLX_SYS_LIBS])
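Review bot: The added `GLX_SYS_LIBS="$GLX_SYS_LIBS -Wl,-rpath=\$(libdir)"` bakes the expanded libdir (a standard system library directory) into whichever binaries link GLX_SYS_LIBS. Fedora's rpmbuild runs redhat-rpm-config's check-rpaths by default, and that script rejects a standard directory such as /usr/lib64 as an rpath (its ERROR 0001) unless QA_RPATHS is exported, so if this flag reaches the Xvnc link the build would need that override — worth confirming against the built binary before relying on this 2015 patch. The nested commit message explains the motivation (pin Mesa's libGL over an ld.so.conf third-party one), but a one-line note in the spec next to Patch101 saying which binary is expected to carry the rpath, and that check-rpaths has been accounted for, would make the trade-off visible to the next maintainer.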
@@ -0,0 +1,74 @@
+diff --git a/unix/x0vncserver/Image.cxx b/unix/x0vncserver/Image.cxx
+index f998c6a..fb9dbd4 100644
+--- a/unix/x0vncserver/Image.cxx
++++ b/unix/x0vncserver/Image.cxx
+@@ -80,6 +80,14 @@ void Image::Init(int width, int height)
+ xim = XCreateImage(dpy, vis, DefaultDepth(dpy, DefaultScreen(dpy)),
+ ZPixmap, 0, 0, width, height, BitmapPad(dpy), 0);
+
++ if (xim->bytes_per_line <= 0 ||
++ xim->height <= 0 ||
++ xim->height >= INT_MAX / xim->bytes_per_line) {
++ vlog.error("Invalid display size");
++ XDestroyImage(xim);
++ exit(1);
++ }
++
+ xim->data = (char *)malloc(xim->bytes_per_line * xim->height);
+ if (xim->data == NULL) {
+ vlog.error("malloc() failed");
+@@ -256,6 +264,17 @@ void ShmImage::Init(int width, int height, const XVisualInfo *vinfo)
+ return;
+ }
+
++ if (xim->bytes_per_line <= 0 ||
++ xim->height <= 0 ||
++ xim->height >= INT_MAX / xim->bytes_per_line) {
++ vlog.error("Invalid display size");
++ XDestroyImage(xim);
++ xim = NULL;
++ delete shminfo;
++ shminfo = NULL;
++ return;
++ }
++
+ shminfo->shmid = shmget(IPC_PRIVATE,
+ xim->bytes_per_line * xim->height,
+ IPC_CREAT|0777);
+diff --git a/vncviewer/PlatformPixelBuffer.cxx b/vncviewer/PlatformPixelBuffer.cxx
+index a2b506d..9266d9f 100644
+--- a/vncviewer/PlatformPixelBuffer.cxx
++++ b/vncviewer/PlatformPixelBuffer.cxx
+@@ -49,6 +49,15 @@ PlatformPixelBuffer::PlatformPixelBuffer(int width, int height) :
+ if (!xim)
+ throw rdr::Exception("XCreateImage");
+
++ if (xim->bytes_per_line <= 0 ||
++ xim->height <= 0 ||
++ xim->height >= INT_MAX / xim->bytes_per_line) {
++ if (xim)
++ XDestroyImage(xim);
++ xim = NULL;
++ throw rdr::Exception("Invalid display size");
++ }
++
+ xim->data = (char*)malloc(xim->bytes_per_line * xim->height);
+ if (!xim->data)
+ throw rdr::Exception("malloc");
+@@ -152,6 +161,16 @@ bool PlatformPixelBuffer::setupShm()
+ if (!xim)
+ goto free_shminfo;
+
++ if (xim->bytes_per_line <= 0 ||
++ xim->height <= 0 ||
++ xim->height >= INT_MAX / xim->bytes_per_line) {
++ XDestroyImage(xim);
++ xim = NULL;
++ delete shminfo;
++ shminfo = NULL;
++ throw rdr::Exception("Invalid display size");
++ }
++
+ shminfo->shmid = shmget(IPC_PRIVATE,
+ xim->bytes_per_line * xim->height,
+ IPC_CREAT|0600);
diff --git a/tigervnc-argb-runtime-ximage-byteorder-selection.patch b/tigervnc-argb-runtime-ximage-byteorder-selection.patch
new file mode 100644
index 0000000..24fc077
--- /dev/null
+++ b/tigervnc-argb-runtime-ximage-byteorder-selection.patch
@@ -0,0 +1,43 @@
+From 7ab92639848a6059e2b6b88499b008b9606f3af6 Mon Sep 17 00:00:00 2001
+From: johnmartin-oracle <55413843+johnmartin-oracle@users.noreply.github.com>
+Date: Thu, 27 Aug 2020 22:30:23 -0400
+Subject: [PATCH] Update Surface_X11.cxx
+
+Runtime sellection of ARGB XImage byte order
+---
+ vncviewer/Surface_X11.cxx | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/vncviewer/Surface_X11.cxx b/vncviewer/Surface_X11.cxx
+index 6562634dc..8944c3f71 100644
+--- a/vncviewer/Surface_X11.cxx
++++ b/vncviewer/Surface_X11.cxx
+@@ -123,17 +123,17 @@ void Surface::alloc()
+ // we find such a format
+ templ.type = PictTypeDirect;
+ templ.depth = 32;
+-#if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+- templ.direct.alpha = 0;
+- templ.direct.red = 8;
+- templ.direct.green = 16;
+- templ.direct.blue = 24;
+-#else
+- templ.direct.alpha = 24;
+- templ.direct.red = 16;
+- templ.direct.green = 8;
+- templ.direct.blue = 0;
+-#endif
++ if (XImageByteOrder(fl_display) == MSBFirst) {
++ templ.direct.alpha = 0;
++ templ.direct.red = 8;
++ templ.direct.green = 16;
++ templ.direct.blue = 24;
++ } else {
++ templ.direct.alpha = 24;
++ templ.direct.red = 16;
++ templ.direct.green = 8;
++ templ.direct.blue = 0;
++ }
+ templ.direct.alphaMask = 0xff;
+ templ.direct.redMask = 0xff;
+ templ.direct.greenMask = 0xff;
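Review bot: In the `PlatformPixelBuffer` constructor hunk the cleanup is wrapped in `if (xim) XDestroyImage(xim);`, but `xim` was proven non-null two lines earlier by `if (!xim) throw rdr::Exception("XCreateImage");`, so the inner `if` is dead and only obscures the path; a bare `XDestroyImage(xim);` matches what the `setupShm` hunk does. In the `Image::Init` hunk the new size check dereferences `xim` straight after `XCreateImage`, and nothing in the hunk's context guards against a NULL return, so a failed `XCreateImage` would now fault in the new condition instead of at the later `malloc` — pre-existing, but adding `if (xim == NULL) { vlog.error("XCreateImage() failed"); exit(1); }` before the check would make the overflow fix complete. The checks rely on `INT_MAX`, and the patch adds no `<limits.h>`/`<climits>` include to either file, so that should be confirmed when this 1.3.1-era patch is rebased onto 1.11.0.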
diff --git a/tigervnc-correctly-start-vncsession-as-daemon.patch b/tigervnc-correctly-start-vncsession-as-daemon.patch
new file mode 100644
index 0000000..af5e7f2
--- /dev/null
+++ b/tigervnc-correctly-start-vncsession-as-daemon.patch
@@ -0,0 +1,13 @@
+diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c
+index 2b47f5f5..f78c096f 100644
+--- a/unix/vncserver/vncsession.c
++++ b/unix/vncserver/vncsession.c
+@@ -99,7 +99,7 @@ begin_daemon(void)
+ return -1;
+ }
+
+- if (pid == 0)
++ if (pid != 0)
+ _exit(0);
+
+ /* Send all stdio to /dev/null */
diff --git a/tigervnc-cursor.patch b/tigervnc-cursor.patch
new file mode 100644
index 0000000..1f95df8
--- /dev/null
+++ b/tigervnc-cursor.patch
@@ -0,0 +1,12 @@
+diff -up tigervnc-1.3.0/vncviewer/Viewport.cxx.cursor tigervnc-1.3.0/vncviewer/Viewport.cxx
+--- tigervnc-1.3.0/vncviewer/Viewport.cxx.cursor 2013-12-17 13:28:23.170400013 +0000
++++ tigervnc-1.3.0/vncviewer/Viewport.cxx 2013-12-17 13:29:46.095784064 +0000
+@@ -248,7 +248,7 @@ void Viewport::setCursor(int width, int height, const Point& hotspot,
+ }
+ }
+
+- if (Fl::belowmouse() == this)
++ if (Fl::belowmouse() == this && cursor)
+ window()->cursor(cursor, cursorHotspot.x, cursorHotspot.y);
+ }
+
diff --git a/tigervnc-getmaster.patch b/tigervnc-getmaster.patch
deleted file mode 100644
index 6ef99b4..0000000
--- a/tigervnc-getmaster.patch
+++ /dev/null
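Review bot: The flipped test `if (pid != 0) _exit(0);` in `begin_daemon` is the right fix — after the fork the parent must exit and only the child carries on — but the previous line differed from the buggy one by a single character and shipped inverted, so the intent deserves to be written down next to it: `/* Parent exits here; only the forked child continues as the daemon. */`. The fork and the failure branch (`return -1;`) start above the hunk, so the function is only partly visible here.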
@@ -1,88 +0,0 @@
-diff --git a/unix/xserver/hw/vnc/InputXKB.c b/unix/xserver/hw/vnc/InputXKB.c
-index f84a6e4..4eac939 100644
---- a/unix/xserver/hw/vnc/InputXKB.c
-+++ b/unix/xserver/hw/vnc/InputXKB.c
-@@ -226,10 +226,7 @@ void vncPrepareInputDevices(void)
-
- unsigned vncGetKeyboardState(void)
- {
-- DeviceIntPtr master;
--
-- master = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT);
-- return XkbStateFieldFromRec(&master->key->xkbInfo->state);
-+ return XkbStateFieldFromRec(&vncKeyboardDev->master->key->xkbInfo->state);
- }
-
- unsigned vncGetLevelThreeMask(void)
-@@ -250,7 +247,7 @@ unsigned vncGetLevelThreeMask(void)
- return 0;
- }
-
-- xkb = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT)->key->xkbInfo->desc;
-+ xkb = vncKeyboardDev->master->key->xkbInfo->desc;
-
- act = XkbKeyActionPtr(xkb, keycode, state);
- if (act == NULL)
-@@ -275,7 +272,7 @@ KeyCode vncPressShift(void)
- if (state & ShiftMask)
- return 0;
-
-- xkb = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT)->key->xkbInfo->desc;
-+ xkb = vncKeyboardDev->master->key->xkbInfo->desc;
- for (key = xkb->min_key_code; key <= xkb->max_key_code; key++) {
- XkbAction *act;
- unsigned char mask;
-@@ -315,7 +312,7 @@ size_t vncReleaseShift(KeyCode *keys, size_t maxKeys)
-
- count = 0;
-
-- master = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT);
-+ master = vncKeyboardDev->master;
- xkb = master->key->xkbInfo->desc;
- for (key = xkb->min_key_code; key <= xkb->max_key_code; key++) {
- XkbAction *act;
-@@ -371,7 +368,7 @@ KeyCode vncPressLevelThree(void)
- return 0;
- }
-
-- xkb = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT)->key->xkbInfo->desc;
-+ xkb = vncKeyboardDev->master->key->xkbInfo->desc;
-
- act = XkbKeyActionPtr(xkb, keycode, state);
- if (act == NULL)
-@@ -402,7 +399,7 @@ size_t vncReleaseLevelThree(KeyCode *keys, size_t maxKeys)
-
- count = 0;
-
-- master = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT);
-+ master = vncKeyboardDev->master;
- xkb = master->key->xkbInfo->desc;
- for (key = xkb->min_key_code; key <= xkb->max_key_code; key++) {
- XkbAction *act;
-@@ -447,7 +444,7 @@ KeyCode vncKeysymToKeycode(KeySym keysym, unsigned state, unsigned *new_state)
- *new_state = state;
-
- fallback = 0;
-- xkb = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT)->key->xkbInfo->desc;
-+ xkb = vncKeyboardDev->master->key->xkbInfo->desc;
- for (key = xkb->min_key_code; key <= xkb->max_key_code; key++) {
- unsigned int state_out;
- KeySym dummy;
-@@ -551,7 +548,7 @@ int vncIsAffectedByNumLock(KeyCode keycode)
- if (numlock_keycode == 0)
- return 0;
-
-- xkb = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT)->key->xkbInfo->desc;
-+ xkb = vncKeyboardDev->master->key->xkbInfo->desc;
-
- act = XkbKeyActionPtr(xkb, numlock_keycode, state);
- if (act == NULL)
-@@ -585,7 +582,7 @@ KeyCode vncAddKeysym(KeySym keysym, unsigned state)
- KeySym *syms;
- KeySym upper, lower;
-
-- master = GetMaster(vncKeyboardDev, KEYBOARD_OR_FLOAT);
-+ master = vncKeyboardDev->master;
- xkb = master->key->xkbInfo->desc;
- for (key = xkb->max_key_code; key >= xkb->min_key_code; key--) {
- if (XkbKeyNumGroups(xkb, key) == 0)
diff --git a/tigervnc-let-user-know-about-not-using-view-only-password.patch b/tigervnc-let-user-know-about-not-using-view-only-password.patch
new file mode 100644
index 0000000..e28ffa9
--- /dev/null
+++ b/tigervnc-let-user-know-about-not-using-view-only-password.patch
@@ -0,0 +1,13 @@
+diff --git a/unix/vncpasswd/vncpasswd.cxx b/unix/vncpasswd/vncpasswd.cxx
+index 16c925ee..6398121e 100644
+--- a/unix/vncpasswd/vncpasswd.cxx
++++ b/unix/vncpasswd/vncpasswd.cxx
+@@ -150,6 +150,8 @@ int main(int argc, char** argv)
+ char yesno[3];
+ if (fgets(yesno, 3, stdin) != NULL && (yesno[0] == 'y' || yesno[0] == 'Y')) {
+ obfuscatedReadOnly = readpassword();
++ } else {
++ fprintf(stderr, "A view-only password is not used\n");
+ }
+
+ FILE* fp = fopen(fname,"w");
diff --git a/tigervnc-selinux-missing-compression-and-correct-location.patch b/tigervnc-selinux-missing-compression-and-correct-location.patch
new file mode 100644
index 0000000..2ec1be8
--- /dev/null
+++ b/tigervnc-selinux-missing-compression-and-correct-location.patch
@@ -0,0 +1,39 @@
+From 6125695b80f6a43002f454786115b0a6c1730831 Mon Sep 17 00:00:00 2001
+From: Jan Grulich
+Date: Mon, 17 May 2021 13:44:32 +0200
+Subject: [PATCH] SELinux: Add missing compression and install policy to
+ correct directory
+
+---
+ unix/vncserver/selinux/Makefile | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/unix/vncserver/selinux/Makefile b/unix/vncserver/selinux/Makefile
+index 7497bf846..b23f20f60 100644
+--- a/unix/vncserver/selinux/Makefile
++++ b/unix/vncserver/selinux/Makefile
+@@ -10,15 +10,18 @@
+ PREFIX=/usr
+ DATADIR=$(PREFIX)/share
+
+-all: vncsession.pp
++all: vncsession.pp.bz2
++
++%.pp.bz2: %.pp
++ bzip2 -9 $^
+
+ %.pp: %.te
+ make -f $(DATADIR)/selinux/devel/Makefile $@
+
+ clean:
+- rm -f *.pp
++ rm -f *.pp *.pp.bz2
+ rm -rf tmp
+
+-install: vncsession.pp
+- mkdir -p $(DESTDIR)$(DATADIR)/selinux/packages
+- install vncsession.pp $(DESTDIR)$(DATADIR)/selinux/packages/vncsession.pp
++install: vncsession.pp.bz2
++ mkdir -p $(DESTDIR)$(DATADIR)/selinux/packages/targeted/
++ install vncsession.pp.bz2 $(DESTDIR)$(DATADIR)/selinux/packages/targeted/vncsession.pp.bz2
+
diff --git a/tigervnc-selinux-policy-improvements.patch b/tigervnc-selinux-policy-improvements.patch
new file mode 100644
index 0000000..c797b18
--- /dev/null
+++ b/tigervnc-selinux-policy-improvements.patch
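Review bot: The new rule `%.pp.bz2: %.pp` runs `bzip2 -9 $^`, which replaces `vncsession.pp` with the compressed file; on a second `make` the `.pp` prerequisite is gone, so it is regenerated from the `.te` and `bzip2` then fails because `vncsession.pp.bz2` already exists, making the `all` target non-idempotent. Writing the output explicitly keeps the input and makes the rule rerunnable: `bzip2 -9 -c $^ > $@`. The `install` target also hard-codes `selinux/packages/targeted/` while tigervnc.spec derives the same path from `%{selinuxtype}`; since the two must stay in step, a comment above `install:` such as `# path must match %{selinuxtype} in tigervnc.spec` would record the coupling.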
@@ -0,0 +1,183 @@
+From 386542e6d50eeaa68aa91f821c0725ddd0ab9b2a Mon Sep 17 00:00:00 2001
+From: Vit Mojzis
+Date: Tue, 18 May 2021 12:23:15 +0200
+Subject: [PATCH] selinux: Fix issues reported by SELint
+
+Style guide [1] issues only. No impact on policy functionality.
+
+[1] - https://github.com/TresysTechnology/refpolicy/wiki/StyleGuide
+---
+ unix/vncserver/selinux/vncsession.te | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
+index a773fed39..63ad8a85f 100644
+--- a/unix/vncserver/selinux/vncsession.te
++++ b/unix/vncserver/selinux/vncsession.te
+@@ -17,7 +17,7 @@
+ # USA.
+ #
+
+-policy_module(vncsession, 1.0.0);
++policy_module(vncsession, 1.0.0)
+
+ gen_require(`
+ attribute userdomain;
+@@ -42,8 +42,8 @@ can_exec(vnc_session_t, vnc_session_exec_t)
+ userdom_spec_domtrans_all_users(vnc_session_t)
+ userdom_signal_all_users(vnc_session_t)
+
+-allow vnc_session_t self:capability { kill chown dac_override dac_read_search fowner setgid setuid sys_resource };
+-allow vnc_session_t self:process { getcap setsched setexec setrlimit };
++allow vnc_session_t self:capability { chown dac_override dac_read_search fowner kill setgid setuid sys_resource };
++allow vnc_session_t self:process { getcap setexec setrlimit setsched };
+ allow vnc_session_t self:fifo_file rw_fifo_file_perms;
+
+ manage_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
+@@ -65,4 +65,3 @@ logging_append_all_logs(vnc_session_t)
+
+ mcs_process_set_categories(vnc_session_t)
+ mcs_killall(vnc_session_t)
+-
+From 23cf514ac265a02dc666e8651dcc579022f0da77 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Tue, 18 May 2021 13:31:53 +0200
+Subject: [PATCH] selinux: further style and comprehensibility improvements
+
+Sections and rules blocks reordered according to the Style guide.
+
+https://github.com/TresysTechnology/refpolicy/wiki/StyleGuide
+---
+ unix/vncserver/selinux/vncsession.te | 59 +++++++++++++++++-----------
+ 1 file changed, 36 insertions(+), 23 deletions(-)
+
+diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
+index 63ad8a85f..86fd6e5ef 100644
+--- a/unix/vncserver/selinux/vncsession.te
++++ b/unix/vncserver/selinux/vncsession.te
+@@ -20,48 +20,61 @@
+ policy_module(vncsession, 1.0.0)
+
+ gen_require(`
+- attribute userdomain;
+- type xdm_home_t;
++ attribute userdomain;
++ type xdm_home_t;
+ ')
+
+-type vnc_session_exec_t;
+-corecmd_executable_file(vnc_session_exec_t)
+ type vnc_session_t;
++type vnc_session_exec_t;
+ init_daemon_domain(vnc_session_t, vnc_session_exec_t)
+-auth_login_pgm_domain(vnc_session_t)
++can_exec(vnc_session_t, vnc_session_exec_t)
+
+ type vnc_session_var_run_t;
+ files_pid_file(vnc_session_var_run_t)
+-allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
+-files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
+-
+-auth_write_login_records(vnc_session_t)
+-
+-can_exec(vnc_session_t, vnc_session_exec_t)
+-
+-userdom_spec_domtrans_all_users(vnc_session_t)
+-userdom_signal_all_users(vnc_session_t)
+
+ allow vnc_session_t self:capability { chown dac_override dac_read_search fowner kill setgid setuid sys_resource };
+ allow vnc_session_t self:process { getcap setexec setrlimit setsched };
+ allow vnc_session_t self:fifo_file rw_fifo_file_perms;
+
++allow vnc_session_t vnc_session_var_run_t:file manage_file_perms;
++files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file)
++
+ manage_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
+ manage_fifo_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
+ manage_sock_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
+ manage_lnk_files_pattern(vnc_session_t, xdm_home_t, xdm_home_t)
+-userdom_user_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
+-userdom_admin_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
+-
+-# This also affects other tools, e.g. vncpasswd
+-userdom_admin_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
+-userdom_user_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
+-
+-miscfiles_read_localization(vnc_session_t)
+
+ kernel_read_kernel_sysctls(vnc_session_t)
+
+-logging_append_all_logs(vnc_session_t)
++corecmd_executable_file(vnc_session_exec_t)
+
+ mcs_process_set_categories(vnc_session_t)
+ mcs_killall(vnc_session_t)
++
++optional_policy(`
++ auth_login_pgm_domain(vnc_session_t)
++ auth_write_login_records(vnc_session_t)
++')
++
++optional_policy(`
++ logging_append_all_logs(vnc_session_t)
++')
++
++optional_policy(`
++ miscfiles_read_localization(vnc_session_t)
++')
++
++optional_policy(`
++ userdom_spec_domtrans_all_users(vnc_session_t)
++ userdom_signal_all_users(vnc_session_t)
++
++ userdom_user_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
++ userdom_admin_home_dir_filetrans(vnc_session_t, xdm_home_t, dir, ".vnc")
++
++ # This also affects other tools, e.g. vncpasswd
++ gen_require(`
++ attribute userdomain;
++ ')
++ userdom_admin_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
++ userdom_user_home_dir_filetrans(userdomain, xdm_home_t, dir, ".vnc")
++')
+From 3c8622691abfb377b48bf3749dd629c5a7120cf4 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela
+Date: Tue, 18 May 2021 13:39:11 +0200
+Subject: [PATCH] Allow vnc_session_t manage nfs dirs and files conditionally
+
+The permissions set to manage directories and files with the nfs_t type
+is allowed when the use_nfs_home_dirs boolean is turned on.
+
+Resolves: https://github.com/TigerVNC/tigervnc/issues/1189
+---
+ unix/vncserver/selinux/vncsession.te | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
+index 86fd6e5ef..46e699117 100644
+--- a/unix/vncserver/selinux/vncsession.te
++++ b/unix/vncserver/selinux/vncsession.te
+@@ -51,6 +51,11 @@ corecmd_executable_file(vnc_session_exec_t)
+ mcs_process_set_categories(vnc_session_t)
+ mcs_killall(vnc_session_t)
+
++tunable_policy(`use_nfs_home_dirs',`
++ fs_manage_nfs_dirs(vnc_session_t)
++ fs_manage_nfs_files(vnc_session_t)
++')
++
+ optional_policy(`
+ auth_login_pgm_domain(vnc_session_t)
+ auth_write_login_records(vnc_session_t)
+diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
+index 46e69911..f1108ec8 100644
+--- a/unix/vncserver/selinux/vncsession.te
++++ b/unix/vncserver/selinux/vncsession.te
+@@ -20,7 +20,6 @@
+ policy_module(vncsession, 1.0.0)
+
+ gen_require(`
+- attribute userdomain;
+ type xdm_home_t;
+ ')
+
diff --git a/tigervnc.spec b/tigervnc.spec
index 3aca4e1..4b6abc4 100644
--- a/tigervnc.spec
+++ b/tigervnc.spec
@@ -1,6 +1,10 @@
+#defining macros needed by SELinux
+%global selinuxtype targeted
+%global modulename vncsession
+
 Name: tigervnc
 Version: 1.11.0
-Release: 10%{?dist}
+Release: 11%{?dist}
 Summary: A TigerVNC remote display system
 
 %global _hardened_build 1
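Review bot: The fourth diff in this patch file (`index 46e69911..f1108ec8`, removing `attribute userdomain;` from the top-level `gen_require`) is appended without a `From`/`Subject`/description header, unlike the three commits before it, so the reason for the change — the attribute is now required only inside the `userdom_*` `optional_policy` block, which carries its own `gen_require` — is not recorded anywhere in the file. A short header or a one-line comment before that diff, e.g. `# userdomain is required only by the userdom optional_policy block below, which declares it itself`, would keep the four stacked changes self-explanatory when the file is next rebased. The rest of the file is a mechanical reorder plus the `use_nfs_home_dirs` tunable, which the embedded commit messages already explain.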
@@ -18,15 +22,24 @@ Source4: HOWTO.md
 Source5: vncserver
 Source6: vncserver.man
 
-Patch1: tigervnc-getmaster.patch
-Patch2: tigervnc-utilize-system-crypto-policies.patch
-Patch3: tigervnc-passwd-crash-with-malloc-checks.patch
-Patch4: tigervnc-systemd-service.patch
+Patch2: tigervnc-cursor.patch
+Patch3: tigervnc-1.3.1-CVE-2014-8240.patch
+Patch4: tigervnc-let-user-know-about-not-using-view-only-password.patch
+Patch5: tigervnc-utilize-system-crypto-policies.patch
+Patch6: tigervnc-passwd-crash-with-malloc-checks.patch
 
 # Upstream patches
 Patch50: tigervnc-tolerate-specifying-boolparam.patch
+Patch51: tigervnc-systemd-service.patch
+Patch52: tigervnc-correctly-start-vncsession-as-daemon.patch
+Patch53: tigervnc-selinux-missing-compression-and-correct-location.patch
+Patch54: tigervnc-selinux-policy-improvements.patch
+Patch55: tigervnc-argb-runtime-ximage-byteorder-selection.patch
+
 # This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg
 Patch100: tigervnc-xserver120.patch
+# 1326867 - [RHEL7.3] GLX applications in an Xvnc session fails to start
+Patch101: 0001-rpath-hack.patch
 
 BuildRequires: make
 BuildRequires: gcc-c++
@@ -69,7 +82,7 @@ server.
 Summary: A TigerVNC server
 Requires: perl-interpreter
 Requires: tigervnc-server-minimal = %{version}-%{release}
-Requires: tigervnc-selinux = %{version}-%{release}
+Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
 Requires: xorg-x11-xauth
 Requires: xorg-x11-xinit
 Requires(post): systemd
@@ -126,10 +139,11 @@ This package contains icons for TigerVNC viewer
 %package selinux
 Summary: SELinux module for TigerVNC
 BuildArch: noarch
-Requires(pre): libselinux-utils
-Requires(post): selinux-policy >= %{_selinux_policy_version}
-Requires(post): policycoreutils
-Requires(post): libselinux-utils
+BuildRequires: selinux-policy-devel
+Requires: selinux-policy-%{selinuxtype}
+Requires(post): selinux-policy-%{selinuxtype}
+BuildRequires: selinux-policy-devel
+%{?selinux_requires}
 
 %description selinux
 This package provides the SELinux policy module to ensure TigerVNC
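Review bot: `BuildRequires: selinux-policy-devel` appears twice among the five added lines of the `%package selinux` block; one copy should be dropped. The block also mixes hand-written dependencies with `%{?selinux_requires}`, and that macro (from selinux-policy-devel) is meant to supply the `Requires`/`Requires(post)` on the policy and on the libselinux-utils/policycoreutils tools that the removed lines used to list, so the explicit `Requires: selinux-policy-%{selinuxtype}` and `Requires(post): selinux-policy-%{selinuxtype}` look redundant with it unless the intent is to hard-require the targeted policy type specifically. If they are deliberate, a comment such as `# pin the policy type; %%{?selinux_requires} alone accepts any selinux-policy` would explain the overlap (note the `%%` — rpm expands macros inside spec comments).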
@@ -144,20 +158,31 @@ for all in `find . -type f -perm -001`; do
 chmod -x "$all"
 done
 %patch100 -p1 -b .xserver120-rebased
+%patch101 -p1 -b .rpath
 popd
 
-# libvnc.so: don't use unexported GetMaster function (bug #744881 again).
-%patch1 -p1 -b .getmaster
+# Fixed viewer crash when cursor has not been set (bug #1051333).
+%patch2 -p1 -b .cursor
 
-# Utilize system-wide crypto policies
-%patch2 -p1 -b .utilize-system-crypto-policies
+# CVE-2014-8240 tigervnc: integer overflow flaw, leading to a heap-based
+# buffer overflow in screen size handling
+%patch3 -p1 -b .tigervnc-1.3.1-CVE-2014-8240
 
-%patch3 -p1 -b .tigervnc-passwd-crash-with-malloc-checks
+# Bug 1447555 - view-only accepts enter, unclear whether default password is generated or not
+%patch4 -p1 -b .let-user-know-about-not-using-view-only-password
 
-# https://github.com/TigerVNC/tigervnc/pull/1115
-%patch4 -p1 -b .tigervnc-systemd-service
+# Utilize system-wide crypto policies
+%patch5 -p1 -b .utilize-system-crypto-policies.patch
 
-%patch50 -p1 -b .tigervnc-tolerate-specifying-boolparam
+%patch6 -p1 -b .passwd-crash-with-malloc-checks
+
+# Upstream patches
+%patch50 -p1 -b .tolerate-specifying-boolparam
+%patch51 -p1 -b .systemd-service
+%patch52 -p1 -b .correctly-start-vncsession-as-daemon
+%patch53 -p1 -b .selinux-missing-compression-and-correct-location
+%patch54 -p1 -b .selinux-policy-improvements
+%patch55 -p1 -b .argb-runtime-ximage-byteorder-selection
 
 %build
 %ifarch sparcv9 sparc64 s390 s390x
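Review bot: `%patch5 -p1 -b .utilize-system-crypto-policies.patch` is the only backup suffix in the rewritten `%prep` block that keeps a `.patch` ending; every other line uses the bare name, so `-b .utilize-system-crypto-policies` would match the convention and avoid backup files that themselves look like patches. The per-patch comments are otherwise a clear improvement, but `%patch52` (the vncsession daemonization fix) is the one change here with no pointer to a bug or upstream commit, and a one-line reference would help whoever later decides whether it can be dropped.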
@@ -277,19 +302,16 @@ install -m 644 %{SOURCE4} %{buildroot}/%{_docdir}/tigervnc/HOWTO.md
 %systemd_postun xvnc.socket
 
 %pre selinux
-%selinux_relabel_pre
+%selinux_relabel_pre -s %{selinuxtype}
 
 %post selinux
-%selinux_modules_install %{_datadir}/selinux/packages/vncsession.pp
-%selinux_relabel_post
-
-%posttrans selinux
-%selinux_relabel_post
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+%selinux_relabel_post -s %{selinuxtype}
 
 %postun selinux
-%selinux_modules_uninstall vncsession
 if [ $1 -eq 0 ]; then
-    %selinux_relabel_post
+    %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
+    %selinux_relabel_post -s %{selinuxtype}
 fi
 
 
@@ -336,9 +358,14 @@ fi
 %{_datadir}/icons/hicolor/*/apps/*
 
 %files selinux
-%{_datadir}/selinux/packages/vncsession.pp
+%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
+%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
 
 %changelog
+* Tue May 25 2021 Jan Grulich - 1.11.0-11
+- SELinux improvements
+- Backport some CentOS changes
+
 * Wed Jan 27 2021 Fedora Release Engineering - 1.11.0-10
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
 
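Review bot: The `%ghost` entry in `%files selinux` hard-codes the module priority in `.../active/modules/200/%{modulename}`, and that number only stays correct while `%selinux_modules_install` in `%post` is called without `-p` (200 is the macro's default priority); the two are far apart in the file, so a comment on the ghost line, `# 200 = default priority of %%selinux_modules_install; keep in sync with %%post` (with `%%` so rpm does not expand the macro names inside the comment), would stop them drifting apart. In `%postun`, moving `%selinux_modules_uninstall` inside `if [ $1 -eq 0 ]` is right, since the module must survive an upgrade; stating that in a comment, `# $1 == 0 only on full removal, not on upgrade`, would make the scriptlet self-explanatory.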