Implement some comments from PR

fedora-selinux · Sep 3, 2024 · cd92c3c · cd92c3c
1 parent d05e276
commit cd92c3c
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 23 deletions.
diff --git a/policy/modules/contrib/gnome_remote_desktop.if b/policy/modules/contrib/gnome_remote_desktop.if
@@ -142,9 +142,9 @@ interface(`gnome_remote_desktop_admin',`
 	allow $1 gnome_remote_desktop_t:process { signal_perms };
 	ps_process_pattern($1, gnome_remote_desktop_t)
 
-    tunable_policy(`deny_ptrace',`',`
-        allow $1 gnome_remote_desktop_t:process ptrace;
-    ')
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 gnome_remote_desktop_t:process ptrace;
+	')
 
 	files_search_var_lib($1)
 	admin_pattern($1, gnome_remote_desktop_var_lib_t)

diff --git a/policy/modules/contrib/gnome_remote_desktop.te b/policy/modules/contrib/gnome_remote_desktop.te
@@ -1,14 +1,5 @@
 policy_module(gnome_remote_desktop, 1.0.0)
 
-require {
-        type gnome_remote_desktop_port_t;
-	type system_dbusd_t;
-        type systemd_logind_t;
-	type xdm_t;
-	class tcp_socket { accept bind create getattr getopt listen name_bind setopt shutdown };
-	class unix_dgram_socket create;
-}
-
 ########################################
 #
 # Declarations
@@ -30,10 +21,6 @@ files_type(gnome_remote_desktop_var_lib_t)
 # gnome_remote_desktop local policy
 #
 
-optional_policy(`
-	dbus_system_domain(gnome_remote_desktop_t, gnome_remote_desktop_exec_t)
-')
-
 manage_dirs_pattern(gnome_remote_desktop_t, gnome_remote_desktop_var_lib_t, gnome_remote_desktop_var_lib_t)
 manage_files_pattern(gnome_remote_desktop_t, gnome_remote_desktop_var_lib_t, gnome_remote_desktop_var_lib_t)
 manage_lnk_files_pattern(gnome_remote_desktop_t, gnome_remote_desktop_var_lib_t, gnome_remote_desktop_var_lib_t)
@@ -43,11 +30,9 @@ domain_use_interactive_fds(gnome_remote_desktop_t)
 
 files_read_etc_files(gnome_remote_desktop_t)
 
-miscfiles_read_localization(gnome_remote_desktop_t)
-
 #============= gnome_remote_desktop_t ==============
 allow gnome_remote_desktop_t gnome_remote_desktop_port_t:tcp_socket name_bind;
-allow gnome_remote_desktop_t self:tcp_socket { accept bind create getattr getopt listen read setopt write };
+allow gnome_remote_desktop_t self:tcp_socket create_stream_socket_perms;
 allow gnome_remote_desktop_t self:unix_dgram_socket { create write };
 allow system_dbusd_t gnome_remote_desktop_t:tcp_socket { read write };
 corenet_tcp_bind_generic_node(gnome_remote_desktop_t)
@@ -59,10 +44,21 @@ init_read_state(gnome_remote_desktop_t)
 kerberos_read_config(gnome_remote_desktop_t)
 kernel_dgram_send(gnome_remote_desktop_t)
 logging_write_syslog_pid_socket(gnome_remote_desktop_t)
-miscfiles_read_certs(gnome_remote_desktop_t)
-systemd_login_list_pid_dirs(gnome_remote_desktop_t)
-systemd_login_read_pid_files(gnome_remote_desktop_t)
-systemd_read_logind_sessions_files(gnome_remote_desktop_t)
+
+optional_policy(`
+	systemd_login_list_pid_dirs(gnome_remote_desktop_t)
+	systemd_login_read_pid_files(gnome_remote_desktop_t)
+	systemd_read_logind_sessions_files(gnome_remote_desktop_t)
+')
+
+optional_policy(`
+	miscfiles_read_certs(gnome_remote_desktop_t)
+	miscfiles_read_localization(gnome_remote_desktop_t)
+')
+
+optional_policy(`
+	dbus_system_domain(gnome_remote_desktop_t, gnome_remote_desktop_exec_t)
+')
 
 #============= xdm_t ==============
 optional_policy(`