Add files via upload

This commit is contained in:
Mr-Update 2023-11-04 22:11:03 +01:00 committed by GitHub
parent 7e22bc3cac
commit b241141735
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -53,7 +53,7 @@ The default type of the RustDesk service is `init_t`, which is determined by [th
**Caution**: Modifying the default type means that the policies of other services may also change. Please use this method with caution! **Caution**: Modifying the default type means that the policies of other services may also change. Please use this method with caution!
Edit the rule file rustdesk.te: Edit the rule file `rustdesk.te`:
```text ```text
module rustdesk 1.0; module rustdesk 1.0;
@ -91,17 +91,17 @@ allow init_t pulseaudio_home_t:file { read write open lock };
allow init_t session_dbusd_tmp_t:sock_file write; allow init_t session_dbusd_tmp_t:sock_file write;
allow init_t unconfined_dbusd_t:unix_stream_socket connectto; allow init_t unconfined_dbusd_t:unix_stream_socket connectto;
#!!!! This avc can be allowed using the boolean 'nis_enabled' #!!!! This AVC can be allowed using the boolean 'nis_enabled'
allow init_t ephemeral_port_t:tcp_socket name_connect; allow init_t ephemeral_port_t:tcp_socket name_connect;
#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files' #!!!! This AVC can be allowed using the boolean 'domain_can_mmap_files'
allow init_t sudo_exec_t:file map; allow init_t sudo_exec_t:file map;
#============= init_t wayland ============== #============= init_t Wayland ==============
allow init_t event_device_t:chr_file { open read write }; allow init_t event_device_t:chr_file { open read write };
#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files' #!!!! This AVC can be allowed using the boolean 'domain_can_mmap_files'
allow init_t user_tmp_t:file map; allow init_t user_tmp_t:file map;
``` ```
@ -541,7 +541,7 @@ gen_require(`
############################################################################### ###############################################################################
# #
# Part 1. The following rules are mainly from the open source `init.te` # Part 1. The following rules are mainly from the open source `init.te`.
# https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/system/init.te # https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/system/init.te
# #
# Note: Part 1 will probably be mostly the same as Part 3. But it's acceptable for now. # Note: Part 1 will probably be mostly the same as Part 3. But it's acceptable for now.
@ -559,7 +559,7 @@ typeattribute rustdesk_t init_script_domain_type;
######################################## ########################################
# Use capabilities. old rule: # Use capabilities, old rule:
allow rustdesk_t self:capability ~{ audit_control audit_write sys_module }; allow rustdesk_t self:capability ~{ audit_control audit_write sys_module };
allow rustdesk_t self:capability2 ~{ mac_admin mac_override }; allow rustdesk_t self:capability2 ~{ mac_admin mac_override };
allow rustdesk_t self:cap_userns all_cap_userns_perms; allow rustdesk_t self:cap_userns all_cap_userns_perms;
@ -623,7 +623,7 @@ allow rustdesk_t machineid_t:file mounton;
allow rustdesk_t initctl_t:fifo_file manage_fifo_file_perms; allow rustdesk_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(rustdesk_t, initctl_t, fifo_file) dev_filetrans(rustdesk_t, initctl_t, fifo_file)
# Modify utmp. # Modify utmp
allow rustdesk_t initrc_var_run_t:file { rw_file_perms setattr }; allow rustdesk_t initrc_var_run_t:file { rw_file_perms setattr };
kernel_read_system_state(rustdesk_t) kernel_read_system_state(rustdesk_t)
@ -641,7 +641,7 @@ kernel_read_all_proc(rustdesk_t)
kernel_list_all_proc(rustdesk_t) kernel_list_all_proc(rustdesk_t)
kernel_mounton_all_proc(rustdesk_t) kernel_mounton_all_proc(rustdesk_t)
# There is bug in kernel in 4.16 where lot of domains requesting module_request, for now dontauditing # There is bug in kernel 4.16 where lot of domains requesting module_request, for now dontauditing
kernel_dontaudit_request_load_module(rustdesk_t) kernel_dontaudit_request_load_module(rustdesk_t)
corecmd_exec_chroot(rustdesk_t) corecmd_exec_chroot(rustdesk_t)
@ -693,11 +693,11 @@ files_manage_all_locks(rustdesk_t)
files_manage_etc_runtime_files(rustdesk_t) files_manage_etc_runtime_files(rustdesk_t)
files_manage_etc_symlinks(rustdesk_t) files_manage_etc_symlinks(rustdesk_t)
files_etc_filetrans_etc_runtime(rustdesk_t, file) files_etc_filetrans_etc_runtime(rustdesk_t, file)
# Run /etc/X11/prefdm: # Run /etc/X11/prefdm
files_exec_etc_files(rustdesk_t) files_exec_etc_files(rustdesk_t)
files_read_usr_files(rustdesk_t) files_read_usr_files(rustdesk_t)
files_write_root_dirs(rustdesk_t) files_write_root_dirs(rustdesk_t)
# file descriptors inherited from the rootfs: # file descriptors inherited from the rootfs
files_dontaudit_rw_root_files(rustdesk_t) files_dontaudit_rw_root_files(rustdesk_t)
files_dontaudit_rw_root_chr_files(rustdesk_t) files_dontaudit_rw_root_chr_files(rustdesk_t)
files_dontaudit_mounton_modules_object(rustdesk_t) files_dontaudit_mounton_modules_object(rustdesk_t)
@ -760,7 +760,7 @@ term_watch_reads_unallocated_ttys(rustdesk_t)
term_watch_user_ttys(rustdesk_t) term_watch_user_ttys(rustdesk_t)
term_watch_reads_user_ttys(rustdesk_t) term_watch_reads_user_ttys(rustdesk_t)
# Run init scripts. # Run init scripts
init_domtrans_script(rustdesk_t) init_domtrans_script(rustdesk_t)
init_exec_notrans_direct_init_entry(rustdesk_t) init_exec_notrans_direct_init_entry(rustdesk_t)
@ -1050,7 +1050,7 @@ allow rustdesk_t pulseaudio_home_t:file { read open write lock };
allow rustdesk_t user_fonts_cache_t:dir { add_name remove_name } ; allow rustdesk_t user_fonts_cache_t:dir { add_name remove_name } ;
allow rustdesk_t user_fonts_cache_t:file { create open read write lock unlink }; allow rustdesk_t user_fonts_cache_t:file { create open read write lock unlink };
#!!!! This avc can be allowed using the boolean 'nis_enabled' #!!!! This AVC can be allowed using the boolean 'nis_enabled'
allow rustdesk_t unreserved_port_t:tcp_socket name_connect; allow rustdesk_t unreserved_port_t:tcp_socket name_connect;
allow rustdesk_t xserver_port_t:tcp_socket name_connect; allow rustdesk_t xserver_port_t:tcp_socket name_connect;
allow rustdesk_t xserver_t:unix_stream_socket connectto; allow rustdesk_t xserver_t:unix_stream_socket connectto;
@ -1797,9 +1797,9 @@ system_u:system_r:rustdesk_t:s0 110565 ? 00:00:00 rustdesk
You can use the `sepolicy generate` command: You can use the `sepolicy generate` command:
```sh ```sh
$ # install deps $ # install dependencies
$ sudo dnf install -y rpm rpm-build binutils $ sudo dnf install -y rpm rpm-build binutils
$ # generate $ # generate policy
$ sepolicy generate --init /usr/lib/rustdesk/rustdesk $ sepolicy generate --init /usr/lib/rustdesk/rustdesk
$ tree $ tree
. .
@ -1813,14 +1813,12 @@ $
$ $
$ # generate rpm package rustdesk_selinux-1.0-1.fc38.src.rpm $ # generate rpm package rustdesk_selinux-1.0-1.fc38.src.rpm
$ sudo ./rustdesk.sh $ sudo ./rustdesk.sh
$ # install $ # install package
$ sudo dnf install -y rustdesk_selinux-1.0-1.fc38.src.rpm $ sudo dnf install -y rustdesk_selinux-1.0-1.fc38.src.rpm
$ # restart the service $ # restart the service
$ sudo systemctl restart rustdesk $ sudo systemctl restart rustdesk
``` ```
### Troubleshooting
#### Iteratively Add Policies #### Iteratively Add Policies
```sh ```sh