Add SELinux policy rules allowing to create directories under /root

[grulja]

We have policy that allows to create ~/.local or ~/.config, but we don't have rule that allows the same under /root directory, where we fail in case any of these directories doesn't exist.

[grulja]

This is an attempt to fix https://issues.redhat.com/browse/RHEL-77975. I don't really have SELinux knowledge so it's mostly guessing and opened for a discussion. I also haven't tried it yet. Maybe this gives Tigervnc permission we don't need, but I don't really know.

CCing @zpytela for help.

[grulja]

Hmm, it looks we already have ability to create at least ~/.local thanks to:

# Allowed to create ~/.local
optional_policy(`
	gnome_filetrans_home_content(vnc_session_t)
')

So some additions I did are most likely not necessary.

[grulja]

So I think this is close to be working, but it's still missing one thing. The code I added now allows to create /root/.local/state/tigervnc, but tigervnc folder is labeled as admin_home_t and I don't know how to change that.
Obviously running restorecon -Rv /root/.local/state/tigervnc fixes it and it starts to work.

I tried adding:

diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te
index e1ed6c11..93fdeaa4 100644
--- a/unix/vncserver/selinux/vncsession.te
+++ b/unix/vncserver/selinux/vncsession.te
@@ -97,6 +97,7 @@ optional_policy(`
                attribute userdomain;
                type gconf_home_t;
        ')
+       userdom_admin_home_dir_filetrans(userdomain, vnc_home_t, dir, ".local")
        userdom_admin_home_dir_filetrans(userdomain, vnc_home_t, dir, ".vnc")
        userdom_user_home_dir_filetrans(userdomain, vnc_home_t, dir, ".vnc")

But that's not it.

@zpytela would you know please? Thank you.

[grulja]

Alright, after reading some documentation and testing it now seems to work as expected.

[CendioOssman]

Thanks! Can confirm it fixes the issue here as well. Tested on Fedora 41.