Add files via upload

This commit is contained in:
Mr-Update 2023-11-04 22:11:03 +01:00 committed by GitHub
parent 7e22bc3cac
commit b241141735
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -53,7 +53,7 @@ The default type of the RustDesk service is `init_t`, which is determined by [th
**Caution**: Modifying the default type means that the policies of other services may also change. Please use this method with caution!
Edit the rule file rustdesk.te:
Edit the rule file `rustdesk.te`:
```text
module rustdesk 1.0;
@ -91,17 +91,17 @@ allow init_t pulseaudio_home_t:file { read write open lock };
allow init_t session_dbusd_tmp_t:sock_file write;
allow init_t unconfined_dbusd_t:unix_stream_socket connectto;
#!!!! This avc can be allowed using the boolean 'nis_enabled'
#!!!! This AVC can be allowed using the boolean 'nis_enabled'
allow init_t ephemeral_port_t:tcp_socket name_connect;
#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
#!!!! This AVC can be allowed using the boolean 'domain_can_mmap_files'
allow init_t sudo_exec_t:file map;
#============= init_t wayland ==============
#============= init_t Wayland ==============
allow init_t event_device_t:chr_file { open read write };
#!!!! This avc can be allowed using the boolean 'domain_can_mmap_files'
#!!!! This AVC can be allowed using the boolean 'domain_can_mmap_files'
allow init_t user_tmp_t:file map;
```
@ -541,7 +541,7 @@ gen_require(`
###############################################################################
#
# Part 1. The following rules are mainly from the open source `init.te`
# Part 1. The following rules are mainly from the open source `init.te`.
# https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/system/init.te
#
# Note: Part 1 will probably be mostly the same as Part 3. But it's acceptable for now.
@ -559,7 +559,7 @@ typeattribute rustdesk_t init_script_domain_type;
########################################
# Use capabilities. old rule:
# Use capabilities, old rule:
allow rustdesk_t self:capability ~{ audit_control audit_write sys_module };
allow rustdesk_t self:capability2 ~{ mac_admin mac_override };
allow rustdesk_t self:cap_userns all_cap_userns_perms;
@ -623,7 +623,7 @@ allow rustdesk_t machineid_t:file mounton;
allow rustdesk_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(rustdesk_t, initctl_t, fifo_file)
# Modify utmp.
# Modify utmp
allow rustdesk_t initrc_var_run_t:file { rw_file_perms setattr };
kernel_read_system_state(rustdesk_t)
@ -641,7 +641,7 @@ kernel_read_all_proc(rustdesk_t)
kernel_list_all_proc(rustdesk_t)
kernel_mounton_all_proc(rustdesk_t)
# There is bug in kernel in 4.16 where lot of domains requesting module_request, for now dontauditing
# There is bug in kernel 4.16 where lot of domains requesting module_request, for now dontauditing
kernel_dontaudit_request_load_module(rustdesk_t)
corecmd_exec_chroot(rustdesk_t)
@ -693,11 +693,11 @@ files_manage_all_locks(rustdesk_t)
files_manage_etc_runtime_files(rustdesk_t)
files_manage_etc_symlinks(rustdesk_t)
files_etc_filetrans_etc_runtime(rustdesk_t, file)
# Run /etc/X11/prefdm:
# Run /etc/X11/prefdm
files_exec_etc_files(rustdesk_t)
files_read_usr_files(rustdesk_t)
files_write_root_dirs(rustdesk_t)
# file descriptors inherited from the rootfs:
# file descriptors inherited from the rootfs
files_dontaudit_rw_root_files(rustdesk_t)
files_dontaudit_rw_root_chr_files(rustdesk_t)
files_dontaudit_mounton_modules_object(rustdesk_t)
@ -760,7 +760,7 @@ term_watch_reads_unallocated_ttys(rustdesk_t)
term_watch_user_ttys(rustdesk_t)
term_watch_reads_user_ttys(rustdesk_t)
# Run init scripts.
# Run init scripts
init_domtrans_script(rustdesk_t)
init_exec_notrans_direct_init_entry(rustdesk_t)
@ -1050,7 +1050,7 @@ allow rustdesk_t pulseaudio_home_t:file { read open write lock };
allow rustdesk_t user_fonts_cache_t:dir { add_name remove_name } ;
allow rustdesk_t user_fonts_cache_t:file { create open read write lock unlink };
#!!!! This avc can be allowed using the boolean 'nis_enabled'
#!!!! This AVC can be allowed using the boolean 'nis_enabled'
allow rustdesk_t unreserved_port_t:tcp_socket name_connect;
allow rustdesk_t xserver_port_t:tcp_socket name_connect;
allow rustdesk_t xserver_t:unix_stream_socket connectto;
@ -1797,9 +1797,9 @@ system_u:system_r:rustdesk_t:s0 110565 ? 00:00:00 rustdesk
You can use the `sepolicy generate` command:
```sh
$ # install deps
$ # install dependencies
$ sudo dnf install -y rpm rpm-build binutils
$ # generate
$ # generate policy
$ sepolicy generate --init /usr/lib/rustdesk/rustdesk
$ tree
.
@ -1813,14 +1813,12 @@ $
$
$ # generate rpm package rustdesk_selinux-1.0-1.fc38.src.rpm
$ sudo ./rustdesk.sh
$ # install
$ # install package
$ sudo dnf install -y rustdesk_selinux-1.0-1.fc38.src.rpm
$ # restart the service
$ sudo systemctl restart rustdesk
```
### Troubleshooting
#### Iteratively Add Policies
```sh