From 1919a8ab86c99b47ba86dc697abcdf3343b0aafa Mon Sep 17 00:00:00 2001
From: Jan Grulich <jgrulich@redhat.com>
Date: Tue, 1 Feb 2022 14:31:05 +0100
Subject: Add vncsession-restore script to restore SELinux context
The vncsession-restore script is used in the ExecStartPre option
for systemd service file in order to properly start the session
in case the policy is updated (e.g. after Tigervnc update).
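diff --git a/unix/vncserver/CMakeLists.txt b/unix/vncserver/CMakeLists.txt
index ae69dc09..04eb6fc4 100644
--- a/unix/vncserver/CMakeLists.txt
+++ b/unix/vncserver/CMakeLists.txt
@@ -2,6 +2,7 @@ add_executable(vncsession vncsession.c)
 target_link_libraries(vncsession ${PAM_LIBS} ${SELINUX_LIBS})
 
 configure_file(vncserver@.service.in vncserver@.service @ONLY)
+configure_file(vncsession-restore.in vncsession-restore @ONLY)
 configure_file(vncsession-start.in vncsession-start @ONLY)
 configure_file(vncserver.in vncserver @ONLY)
 configure_file(vncsession.man.in vncsession.man @ONLY)
@@ -20,4 +21,5 @@ install(FILES HOWTO.md DESTINATION ${CMAKE_INSTALL_FULL_DOCDIR})
 if(INSTALL_SYSTEMD_UNITS)
 install(FILES ${CMAKE_CURRENT_BINARY_DIR}/vncserver@.service DESTINATION ${CMAKE_INSTALL_FULL_UNITDIR})
 install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/vncsession-start DESTINATION ${CMAKE_INSTALL_FULL_LIBEXECDIR})
+ install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/vncsession-restore DESTINATION ${CMAKE_INSTALL_FULL_LIBEXECDIR})
 endif()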
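diff --git a/unix/vncserver/vncserver@.service.in b/unix/vncserver/vncserver@.service.in
index 39f81b73..a83e05a3 100644
--- a/unix/vncserver/vncserver@.service.in
+++ b/unix/vncserver/vncserver@.service.in
@@ -35,6 +35,7 @@ After=syslog.target network.target
 
 [Service]
 Type=forking
+ExecStartPre=+@CMAKE_INSTALL_FULL_LIBEXECDIR@/vncsession-restore %i
 ExecStart=@CMAKE_INSTALL_FULL_LIBEXECDIR@/vncsession-start %i
 PIDFile=/run/vncsession-%i.pid
 SELinuxContext=system_u:system_r:vnc_session_t:s0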
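Review bot: The `+` on the added `ExecStartPre=` line runs vncsession-restore with full privileges, outside whatever restrictions the unit otherwise sets, and nothing in the unit says why. A comment above the line would help the next maintainer, for example `# '+' = full privileges; presumably needed to relabel ~/.vnc before the session starts (confirm)`. Because a non-zero exit from an `ExecStartPre=` command stops the unit from starting, the comment should also say that the script's `exit 1` paths (missing users file, no user for the display) are meant to block the session. The [Service] section continues outside the hunk.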
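diff --git a/unix/vncserver/vncsession-restore.in b/unix/vncserver/vncsession-restore.in
new file mode 100644
index 00000000..d3abc57d
--- /dev/null
+++ b/unix/vncserver/vncsession-restore.in
@@ -0,0 +1,68 @@
+#!/bin/bash
+#
+# Copyright 2022 Jan Grulich <jgrulich@redhat.com>
+#
+# This is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This software is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this software; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
+# USA.
+#
+
+USERSFILE="@CMAKE_INSTALL_FULL_SYSCONFDIR@/tigervnc/vncserver.users"
+
+if [ $# -ne 1 ]; then
+ echo "Syntax:" >&2
+ echo " $0 <display>" >&2
+ exit 1
+fi
+
+if [ ! -f "${USERSFILE}" ]; then
+ echo "Users file ${USERSFILE} missing" >&2
+ exit 1
+fi
+
+DISPLAY="$1"
+
+USER=`grep "^ *${DISPLAY}=" "${USERSFILE}" 2>/dev/null | head -1 | cut -d = -f 2- | sed 's/ *$//g'`
+
+if [ -z "${USER}" ]; then
+ echo "No user configured for display ${DISPLAY}" >&2
+ exit 1
+fi
+
+USER_HOMEDIR=`getent passwd ${USER} | cut -f6 -d:`
+
+if [ -z "${USER_HOMEDIR}" ]; then
+ echo "Failed to get home directory for ${USER}" >&2
+ exit 1
+fi
+
+if [ ! -d "${USER_HOMEDIR}/.vnc" ]; then
+ exit 0
+fi
+
+MATCHPATHCON=`which matchpathcon`
+
+if [ $? -eq 0 ]; then
+ ${MATCHPATHCON} -V "${USER_HOMEDIR}/.vnc" &>/dev/null
+ if [ $? -eq 0 ]; then
+ exit 0
+ fi
+fi
+
+RESTORECON=`which restorecon`
+
+if [ $? -eq 0 ]; then
+ exec "${RESTORECON}" -R "${USER_HOMEDIR}/.vnc" >&2
+ return $?
+fi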
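Review bot: The `[ ! -d "${USER_HOMEDIR}/.vnc" ]` test follows symbolic links, and the recursive `restorecon` after it runs on a path the session user controls while the script itself is started through `ExecStartPre=+` (full privileges) in the unit file changed by this same commit. Rejecting a link before any relabel, `if [ -L "${USER_HOMEDIR}/.vnc" ]; then echo "${USER_HOMEDIR}/.vnc is a symlink" >&2; exit 1; fi`, keeps the relabel on the directory it was meant for; how restorecon itself treats links is not visible here, so the check is defensive. Separately, the expansion in `getent passwd ${USER}` should be quoted, `getent passwd "${USER}"`, so a malformed entry in the users file cannot split into extra arguments. The final `return $?` can be dropped: `exec` replaces the shell on success, and `return` is only valid inside a function or a sourced file.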