Algumas distribuições (como o Fedora) habilitam o SELinux por padrão, o que fará com que o serviço RustDesk falhe ao iniciar e executar normalmente.
Você pode executar sestatus no terminal para verificar se o SELinux está habilitado.
Dependendo se ele está habilitado ou não, você pode ver duas saídas diferentes, como segue:
# Habilitado
SELinux status: enabled
...
# Desabilitado
SELinux status: disabled
...
Para uma introdução ao SELinux, consulte Tutoriais SELinux (em inglês).
Aqui, usamos o Fedora 38 como exemplo para mostrar como adicionar políticas SELinux.
sudo dnf install selinux-policy-devel make
Adicionar políticas SELinux requer determinar o tipo de serviço, que está no contexto de segurança do processo.
$ ps -eZ | grep rustdesk
system_u:system_r:init_t:s0 80439 ? 00:00:02 rustdesk
system_u:system_r:init_t:s0 é o contexto de segurança do processo RustDesk, onde o terceiro campo init_t é o tipo do processo.
Existem duas maneiras de escrever regras de tipo SELinux:
O primeiro método tem modificações relativamente pequenas, mas como o init_t padrão é alterado, é equivalente a adicionar autorização a outros serviços que usam o tipo init_t. Não recomendado para uso.
O segundo método é adicionar regras do zero. Haverá muitas regras que precisam ser adicionadas, e diferentes sistemas podem ter diferenças. Pode ser necessário fazer alguns ajustes durante o uso real.
O tipo padrão do serviço RustDesk é init_t, o qual é determinado por regras de herança de contexto do SELinux (em inglês).
Atenção: Modificar o tipo padrão significa que as políticas de outros serviços também podem mudar. Use este método com cautela!
Edite o arquivo de regras rustdesk.te:
module rustdesk 1.0;
require {
type event_device_t;
type xserver_t;
type xserver_port_t;
type sudo_exec_t;
type init_t;
type ephemeral_port_t;
type user_tmp_t;
type user_fonts_cache_t;
type pulseaudio_home_t;
type session_dbusd_tmp_t;
type unconfined_dbusd_t;
class process execmem;
class file { open read create write execute execute_no_trans map setattr lock link unlink };
class unix_stream_socket connectto;
class tcp_socket name_connect;
class dir { add_name remove_name };
class sock_file write;
class chr_file { open read write } ;
}
#============= init_t ==============
allow init_t xserver_t:unix_stream_socket connectto;
allow init_t sudo_exec_t:file { open read execute execute_no_trans };
allow init_t user_tmp_t:file { open write setattr };
allow init_t self:process execmem;
allow init_t user_fonts_cache_t:dir { add_name remove_name };
allow init_t user_fonts_cache_t:file { read write create open link lock unlink };
allow init_t xserver_port_t:tcp_socket name_connect;
allow init_t pulseaudio_home_t:file { read write open lock };
allow init_t session_dbusd_tmp_t:sock_file write;
allow init_t unconfined_dbusd_t:unix_stream_socket connectto;
#!!!! This AVC can be allowed using the boolean 'nis_enabled'
allow init_t ephemeral_port_t:tcp_socket name_connect;
#!!!! This AVC can be allowed using the boolean 'domain_can_mmap_files'
allow init_t sudo_exec_t:file map;
#============= init_t Wayland ==============
allow init_t event_device_t:chr_file { open read write };
#!!!! This AVC can be allowed using the boolean 'domain_can_mmap_files'
allow init_t user_tmp_t:file map;
Executar:
$ checkmodule -M -m -o rustdesk.mod rustdesk.te && semodule_package -o rustdesk.pp -m rustdesk.mod && sudo semodule -i rustdesk.pp
$ sudo semodule -l | grep rustdesk
rustdesk_trustdesk-selinux-1.0.touch Makefile rustdesk.te rustdesk.fc rustdesk.if..
├── Makefile
├── rustdesk.fc
├── rustdesk.if
└── rustdesk.te
rustdesk.te é o arquivo principal de política.
Neste exemplo, este arquivo vem principalmente de 3 partes:
grep rustdesk /var/log/audit/audit.log | audit2allow -a -M test.init_t do sistema de teste: sesearch -A | grep 'allow init_t ' | sed 's/allow init_t /allow rustdesk_t /g'.Observação: Algumas políticas podem ser duplicadas ou redundantes, mas isso não é um problema, pois funciona no rustdesk_t.
O conteúdo de cada arquivo é o seguinte.
rustdesk.te:
policy_module(rustdesk, 1.0)
type rustdesk_t;
type rustdesk_exec_t;
gen_require(`
# usado para execução direta de scripts de inicialização
# por domínios administrativos
attribute direct_run_init;
attribute direct_init;
attribute direct_init_entry;
attribute init_script_domain_type;
attribute initrc_transition_domain;
# Atributo usado para systemd para que domínios possam permitir que o systemd crie arquivos de soquete
atributo init_sock_file_type;
# Atributo para diretórios que o systemd monitorará com base em unidades de caminho
# (consulte systemd.path(5) para obter mais informações) (Deprecado)
attribute init_watch_path_type;
# Marque tipos de processo como daemons
attribute daemon;
attribute systemprocess;
attribute systemprocess_entry;
# Marque o tipo de arquivo como um diretório de execução de daemon
attribute daemonrundir;
class passwd rootok;
class dbus { acquire_svc send_msg };
class process execmem;
type abrt_dump_oops_t;
type abrt_upload_watch_t;
type adjtime_t;
type aiccu_t;
type amanda_inetd_exec_t;
type amanda_t;
type antivirus_t;
type apcupsd_power_t;
type auditd_etc_t;
type autofs_device_t;
type binfmt_misc_fs_t;
type bitlbee_exec_t;
type bitlbee_t;
type boltd_var_lib_t;
type boltd_var_run_t;
type boothd_t;
type bootloader_exec_t;
type bootloader_t;
type bpf_t;
type bugzilla_script_t;
type certwatch_t;
type cgroup_t;
type chkpwd_exec_t;
type chkpwd_t;
type chronyc_t;
type chronyd_exec_t;
type chronyd_keys_t;
type chronyd_restricted_t;
type chroot_exec_t;
type cifs_helper_t;
type cinder_domain;
type cloudform_domain;
type collectd_script_t;
type comsat_exec_t;
type comsat_t;
type config_home_t;
type console_device_t;
type consolekit_log_t;
type container_kvm_t;
type container_runtime_domain;
type container_runtime_tmpfs_t;
type container_var_lib_t;
type crack_t;
type cups_brf_t;
type cupsd_exec_t;
type cupsd_lpd_exec_t;
type cupsd_lpd_t;
type cupsd_t;
type cvs_exec_t;
type cvs_t;
type data_home_t;
type dbskkd_exec_t;
type dbskkd_t;
type default_context_t;
type default_t;
type devicekit_disk_t;
type devicekit_power_t;
type devicekit_t;
type device_t;
type devlog_t;
type devpts_t;
type dhcpc_state_t;
type dhcp_state_t;
type dirsrvadmin_script_t;
type dri_device_t;
type dspam_script_t;
type efivarfs_t;
type ephemeral_port_t;
type etc_aliases_t;
type etc_runtime_t;
type etc_t;
type event_device_t;
type faillog_t;
type fetchmail_t;
type fingerd_exec_t;
type fingerd_t;
type fixed_disk_device_t;
type flatpak_helper_t;
type fprintd_exec_t;
type fprintd_t;
type fprintd_var_lib_t;
type fsadm_t;
type ftpd_exec_t;
type ftpd_t;
type fwupd_cache_t;
type fwupd_t;
type gconfdefaultsm_t;
type geoclue_t;
type getty_exec_t;
type getty_t;
type gitd_exec_t;
type git_system_t;
type gnome_home_type;
type gnomesystemmm_t;
type guest_t;
type home_bin_t;
type home_root_t;
type hostname_etc_t;
type httpd_log_t;
type httpd_t;
type httpd_tmp_t;
type hugetlbfs_t;
type ibacm_t;
type ibacm_var_run_t;
type inetd_child_exec_t;
type inetd_child_t;
type initctl_t;
type init_exec_t;
type initrc_state_t;
type initrc_t;
type initrc_var_run_t;
type init_t;
type init_tmp_t;
type init_var_lib_t;
type init_var_run_t;
type insights_client_t;
type install_exec_t;
type install_t;
type ipsec_conf_file_t;
type ipsec_t;
type ipsec_var_run_t;
type irqbalance_t;
type iscsi_var_lib_t;
type jockey_t;
type journalctl_exec_t;
type kadmind_t;
type kdump_crash_t;
type kdumpctl_t;
type kdump_t;
type keepalived_unconfined_script_t;
type kernel_t;
type kmod_exec_t;
type kmod_t;
type kmscon_t;
type kmsg_device_t;
type krb5_keytab_t;
type ktalkd_exec_t;
type ktalkd_t;
type l2tpd_t;
type lastlog_t;
type ld_so_cache_t;
type lldpad_t;
type loadkeys_t;
type locale_t;
type lvm_control_t;
type lvm_etc_t;
type lvm_t;
type lvm_var_run_t;
type machineid_t;
type mail_spool_t;
type mandb_t;
type mdadm_t;
type mdadm_var_run_t;
type memcached_t;
type memory_device_t;
type mnt_t;
type modemmanager_t;
type modules_dep_t;
type modules_object_t;
type mon_procd_t;
type mount_t;
type mount_var_run_t;
type mptcpd_t;
type munin_plugin_domain;
type munin_t;
type mysqld_t;
type mythtv_script_t;
type naemon_t;
type nagios_plugin_domain;
type nagios_system_plugin_t;
type named_conf_t;
type named_zone_t;
type net_conf_t;
type netlabel_mgmt_t;
type networkmanager_dispatcher_plugin;
type NetworkManager_dispatcher_t;
type NetworkManager_priv_helper_t;
type NetworkManager_t;
type nfsd_fs_t;
type nfsidmap_t;
type ninfod_t;
type nrpe_exec_t;
type nrpe_t;
type nsfs_t;
type openshift_cgroup_read_t;
type openshift_net_read_t;
type oracleasm_t;
type passwd_file_t;
type pcscd_t;
type pdns_t;
type pegasus_openlmi_domain;
type pkcs_slotd_t;
type pkcs_slotd_tmpfs_t;
type plymouthd_t;
type plymouth_exec_t;
type policykit_t;
type postfix_exec_t;
type print_spool_t;
type proc_net_t;
type proc_security_t;
type ptchown_t;
type pulseaudio_home_t;
type qmail_tcp_env_exec_t;
type qmail_tcp_env_t;
type qpidd_t;
type quota_exec_t;
type quota_t;
type radiusd_t;
type random_device_t;
type random_seed_t;
type rdisc_t;
type rhsmcertd_t;
type rlogind_exec_t;
type rlogind_t;
type root_t;
type rpm_script_t;
type rpm_var_cache_t;
type rpm_var_lib_t;
type rshd_exec_t;
type rshd_t;
type rsync_exec_t;
type rsync_t;
type rustdesk_exec_t;
type rustdesk_t;
type sblim_domain;
type security_t;
type selinux_config_t;
type selinux_login_config_t;
type semanage_store_t;
type session_dbusd_tmp_t;
type shell_exec_t;
type smbcontrol_t;
type smokeping_cgi_script_t;
type spc_t;
type speech_dispatcher_t;
type sshd_exec_t;
type sshd_t;
type ssh_keysign_t;
type sslh_t;
type sssd_var_lib_t;
type staff_t;
type stratisd_data_t;
type stunnel_exec_t;
type stunnel_t;
type sudo_exec_t;
type sulogin_exec_t;
type sulogin_t;
type svc_start_exec_t;
type svc_start_t;
type svirt_file_type;
type svirt_sandbox_domain;
type svirt_t;
type svirt_tcg_t;
type swat_exec_t;
type swat_t;
type sysctl_kernel_t;
type sysfs_t;
type syslogd_t;
type systemd_bootchart_t;
type system_dbusd_t;
type system_dbusd_var_run_t;
type systemd_coredump_t;
type systemd_gpt_generator_t;
type systemd_home_t;
type systemd_hostnamed_t;
type systemd_hwdb_t;
type systemd_importd_t;
type systemd_initctl_t;
type systemd_journal_upload_t;
type systemd_localed_t;
type systemd_logger_t;
type systemd_logind_inhibit_var_run_t;
type systemd_logind_sessions_t;
type systemd_logind_t;
type systemd_logind_var_run_t;
type systemd_machined_t;
type systemd_modules_load_t;
type systemd_mount_directory;
type systemd_networkd_exec_t;
type systemd_networkd_t;
type systemd_network_generator_t;
type systemd_notify_t;
type systemd_passwd_agent_exec_t;
type systemd_passwd_agent_t;
type systemd_passwd_var_run_t;
type systemd_pstore_t;
type systemd_resolved_exec_t;
type systemd_resolved_t;
type systemd_rfkill_t;
type systemd_rfkill_var_lib_t;
type systemd_sleep_t;
type systemd_socket_proxyd_t;
type systemd_sysctl_t;
type systemd_systemctl_exec_t;
type systemd_timedated_t;
type systemd_timedated_var_lib_t;
type systemd_tmpfiles_t;
type systemd_userdbd_runtime_t;
type systemd_userdbd_t;
type tangd_db_t;
type tangd_t;
type targetclid_t;
type tcpd_exec_t;
type tcpd_t;
type telnetd_exec_t;
type telnetd_t;
type tftpd_exec_t;
type tftpd_t;
type thin_domain;
type thumb_t;
type timedatex_t;
type tlp_t;
type tmpfs_t;
type tmpreaper_t;
type tmp_t;
type tpm_device_t;
type tty_device_t;
type udev_rules_t;
type udev_t;
type unconfined_dbusd_t;
type unconfined_service_t;
type unconfined_t;
type unlabeled_t;
type unreserved_port_t;
type updpwd_exec_t;
type updpwd_t;
type urandom_device_t;
type usbtty_device_t;
type user_devpts_t;
type user_fonts_cache_t;
type user_home_dir_t;
type user_home_t;
type user_t;
type user_tmp_t;
type user_tty_device_t;
type usr_t;
type uucpd_exec_t;
type uucpd_t;
type uuidd_t;
type uuidd_var_run_t;
type var_lib_nfs_t;
type var_lib_t;
type var_log_t;
type var_run_t;
type var_spool_t;
type var_t;
type virsh_t;
type virtd_t;
type virt_etc_rw_t;
type virtio_device_t;
type vnstatd_t;
type watchdog_device_t;
type watchdog_t;
type wireguard_t;
type wireless_device_t;
type wtmp_t;
type xdm_exec_t;
type xdm_t;
type xdm_var_lib_t;
type xenconsoled_t;
type xend_t;
type xguest_t;
type xserver_port_t;
type xserver_t;
')
###############################################################################
#Parte 1. As seguintes regras são principalmente do código aberto `init.te`.
# https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/system/init.te
#
# Observação: a Parte 1 provavelmente será a mesma que a Parte 3. Mas está aceitável por enquanto.
#
init_daemon_domain(rustdesk_t, rustdesk_exec_t)
domain_role_change_exemption(rustdesk_t)
domain_subj_id_change_exemption(rustdesk_t)
domain_obj_id_change_exemption(rustdesk_t)
role system_r types rustdesk_t;
corecmd_shell_entry_type(rustdesk_t)
typeattribute rustdesk_t init_script_domain_type;
########################################
# Use capacidades, regra antiga:
allow rustdesk_t self:capability ~{ audit_control audit_write sys_module };
allow rustdesk_t self:capability2 ~{ mac_admin mac_override };
allow rustdesk_t self:cap_userns all_cap_userns_perms;
allow rustdesk_t self:tcp_socket { listen accept };
allow rustdesk_t self:packet_socket create_socket_perms;
allow rustdesk_t self:key manage_key_perms;
allow rustdesk_t self:bpf { map_create map_read map_write prog_load prog_run };
allow rustdesk_t self:file mounton;
allow rustdesk_t self:fifo_file rw_fifo_file_perms;
allow rustdesk_t self:service manage_service_perms;
allow rustdesk_t self:user_namespace create;
# Re-exec itself
can_exec(rustdesk_t, rustdesk_exec_t)
# executando conteúdo em /run/initramfs
manage_files_pattern(rustdesk_t, initrc_state_t, initrc_state_t)
can_exec(rustdesk_t, initrc_state_t)
allow rustdesk_t initrc_t:unix_stream_socket { connectto create_stream_socket_perms };
allow rustdesk_t initrc_t:tcp_socket create_stream_socket_perms;
allow initrc_t rustdesk_t:unix_stream_socket { connectto rw_stream_socket_perms sendto };
allow initrc_t rustdesk_t:fifo_file rw_fifo_file_perms;
manage_files_pattern(rustdesk_t, init_tmp_t, init_tmp_t)
manage_dirs_pattern(rustdesk_t, init_tmp_t, init_tmp_t)
manage_lnk_files_pattern(rustdesk_t, init_tmp_t, init_tmp_t)
manage_sock_files_pattern(rustdesk_t, init_tmp_t, init_tmp_t)
files_tmp_filetrans(rustdesk_t, init_tmp_t, { file sock_file })
allow rustdesk_t init_tmp_t:file map;
manage_dirs_pattern(rustdesk_t, init_var_lib_t, init_var_lib_t)
manage_files_pattern(rustdesk_t, init_var_lib_t, init_var_lib_t)
manage_lnk_files_pattern(rustdesk_t, init_var_lib_t, init_var_lib_t)
manage_sock_files_pattern(rustdesk_t, init_var_lib_t, init_var_lib_t)
files_var_lib_filetrans(rustdesk_t, init_var_lib_t, { dir file })
allow rustdesk_t init_var_lib_t:dir mounton;
allow rustdesk_t init_var_lib_t:file map;
manage_dirs_pattern(rustdesk_t, init_var_run_t, init_var_run_t)
manage_files_pattern(rustdesk_t, init_var_run_t, init_var_run_t)
manage_lnk_files_pattern(rustdesk_t, init_var_run_t, init_var_run_t)
manage_sock_files_pattern(rustdesk_t, init_var_run_t, init_var_run_t)
manage_fifo_files_pattern(rustdesk_t, init_var_run_t, init_var_run_t)
manage_blk_files_pattern(rustdesk_t, init_var_run_t, init_var_run_t)
manage_chr_files_pattern(rustdesk_t, init_var_run_t, init_var_run_t)
files_pid_filetrans(rustdesk_t, init_var_run_t, { dir file blk_file chr_file fifo_file})
allow rustdesk_t init_var_run_t:dir mounton;
allow rustdesk_t init_var_run_t:file mounton;
allow rustdesk_t init_var_run_t:sock_file relabelto;
allow rustdesk_t init_var_run_t:blk_file { getattr relabelto };
allow rustdesk_t init_var_run_t:chr_file { getattr relabelto };
allow rustdesk_t init_var_run_t:fifo_file { getattr relabelto };
allow rustdesk_t machineid_t:file manage_file_perms;
files_pid_filetrans(rustdesk_t, machineid_t, file, "machine-id")
files_etc_filetrans(rustdesk_t, machineid_t, file, "machine-id")
allow rustdesk_t machineid_t:file mounton;
allow rustdesk_t initctl_t:fifo_file manage_fifo_file_perms;
dev_filetrans(rustdesk_t, initctl_t, fifo_file)
# Modificar utmp
allow rustdesk_t initrc_var_run_t:file { rw_file_perms setattr };
kernel_read_system_state(rustdesk_t)
kernel_share_state(rustdesk_t)
kernel_stream_connect(rustdesk_t)
kernel_rw_stream_socket_perms(rustdesk_t)
kernel_rw_unix_dgram_sockets(rustdesk_t)
kernel_mounton_systemd_ProtectKernelTunables(rustdesk_t)
kernel_read_core_if(rustdesk_t)
kernel_mounton_core_if(rustdesk_t)
kernel_mounton_all_sysctls(rustdesk_t)
kernel_get_sysvipc_info(rustdesk_t)
kernel_load_module(rustdesk_t)
kernel_read_all_proc(rustdesk_t)
kernel_list_all_proc(rustdesk_t)
kernel_mounton_all_proc(rustdesk_t)
# Existe um bug no kernel 4.16 onde muitos domínios solicitam module_request, por enquanto não auditando
kernel_dontaudit_request_load_module(rustdesk_t)
corecmd_exec_chroot(rustdesk_t)
corecmd_exec_bin(rustdesk_t)
corenet_all_recvfrom_netlabel(rustdesk_t)
corenet_tcp_bind_all_ports(rustdesk_t)
corenet_udp_bind_all_ports(rustdesk_t)
dev_create_all_files(rustdesk_t)
dev_create_all_chr_files(rustdesk_t)
dev_list_sysfs(rustdesk_t)
dev_manage_sysfs(rustdesk_t)
dev_mounton_all_device_nodes(rustdesk_t)
dev_setattr_all_blk_files(rustdesk_t)
dev_setattr_all_chr_files(rustdesk_t)
dev_read_urand(rustdesk_t)
dev_read_raw_memory(rustdesk_t)
# Early devtmpfs
dev_rw_generic_chr_files(rustdesk_t)
dev_filetrans_all_named_dev(rustdesk_t)
dev_write_watchdog(rustdesk_t)
dev_rw_inherited_input_dev(rustdesk_t)
dev_rw_dri(rustdesk_t)
dev_rw_tpm(rustdesk_t)
domain_getpgid_all_domains(rustdesk_t)
domain_kill_all_domains(rustdesk_t)
domain_signal_all_domains(rustdesk_t)
domain_signull_all_domains(rustdesk_t)
domain_sigstop_all_domains(rustdesk_t)
domain_sigchld_all_domains(rustdesk_t)
domain_read_all_domains_state(rustdesk_t)
domain_getattr_all_domains(rustdesk_t)
domain_setrlimit_all_domains(rustdesk_t)
domain_rlimitinh_all_domains(rustdesk_t)
domain_noatsecure_all_domains(rustdesk_t)
domain_setpriority_all_domains(rustdesk_t)
files_read_config_files(rustdesk_t)
files_read_all_pids(rustdesk_t)
files_map_all_pids(rustdesk_t)
files_read_system_conf_files(rustdesk_t)
files_rw_generic_pids(rustdesk_t)
files_dontaudit_search_isid_type_dirs(rustdesk_t)
files_read_isid_type_files(rustdesk_t)
files_read_etc_runtime_files(rustdesk_t)
files_manage_all_locks(rustdesk_t)
files_manage_etc_runtime_files(rustdesk_t)
files_manage_etc_symlinks(rustdesk_t)
files_etc_filetrans_etc_runtime(rustdesk_t, file)
# Execute /etc/X11/prefdm
files_exec_etc_files(rustdesk_t)
files_read_usr_files(rustdesk_t)
files_write_root_dirs(rustdesk_t)
# descritores de arquivo herdados do rootfs
files_dontaudit_rw_root_files(rustdesk_t)
files_dontaudit_rw_root_chr_files(rustdesk_t)
files_dontaudit_mounton_modules_object(rustdesk_t)
files_manage_mnt_dirs(rustdesk_t)
files_manage_mnt_files(rustdesk_t)
files_read_mnt_symlinks(rustdesk_t)
files_mounton_etc(rustdesk_t)
files_create_default_dir(rustdesk_t)
files_remount_rootfs(rustdesk_t)
files_create_var_dirs(rustdesk_t)
files_watch_non_security_dirs(rustdesk_t)
files_watch_non_security_files(rustdesk_t)
files_watch_non_security_lnk_files(rustdesk_t)
fs_read_efivarfs_files(rustdesk_t)
fs_setattr_efivarfs_files(rustdesk_t)
fs_read_nfsd_files(rustdesk_t)
fstools_getattr_swap_files(rustdesk_t)
mcs_process_set_categories(rustdesk_t)
mls_file_read_all_levels(rustdesk_t)
mls_file_write_all_levels(rustdesk_t)
mls_file_downgrade(rustdesk_t)
mls_file_upgrade(rustdesk_t)
mls_fd_use_all_levels(rustdesk_t)
mls_fd_share_all_levels(rustdesk_t)
mls_process_set_level(rustdesk_t)
mls_process_write_down(rustdesk_t)
mls_socket_read_all_levels(rustdesk_t)
mls_socket_write_all_levels(rustdesk_t)
mls_rangetrans_source(rustdesk_t)
selinux_set_all_booleans(rustdesk_t)
selinux_load_policy(rustdesk_t)
selinux_mounton_fs(rustdesk_t)
allow rustdesk_t security_t:security load_policy;
selinux_compute_access_vector(rustdesk_t)
selinux_compute_create_context(rustdesk_t)
selinux_compute_user_contexts(rustdesk_t)
selinux_validate_context(rustdesk_t)
selinux_compute_relabel_context(rustdesk_t)
selinux_unmount_fs(rustdesk_t)
term_create_pty_dir(rustdesk_t)
term_use_unallocated_ttys(rustdesk_t)
term_setattr_unallocated_ttys(rustdesk_t)
term_use_console(rustdesk_t)
term_use_all_inherited_terms(rustdesk_t)
term_use_usb_ttys(rustdesk_t)
term_use_all_ptys(rustdesk_t)
term_setattr_all_ptys(rustdesk_t)
term_use_virtio_console(rustdesk_t)
term_watch_console_dev(rustdesk_t)
term_watch_reads_console_dev(rustdesk_t)
term_watch_unallocated_ttys(rustdesk_t)
term_watch_reads_unallocated_ttys(rustdesk_t)
term_watch_user_ttys(rustdesk_t)
term_watch_reads_user_ttys(rustdesk_t)
# Executar scripts de inicialização
init_domtrans_script(rustdesk_t)
init_exec_notrans_direct_init_entry(rustdesk_t)
libs_rw_ld_so_cache(rustdesk_t)
logging_create_devlog_dev(rustdesk_t)
logging_send_syslog_msg(rustdesk_t)
logging_send_audit_msgs(rustdesk_t)
logging_manage_generic_logs(rustdesk_t)
logging_mmap_generic_logs(rustdesk_t)
logging_relabel_devlog_dev(rustdesk_t)
logging_manage_audit_config(rustdesk_t)
logging_create_syslog_netlink_audit_socket(rustdesk_t)
logging_write_var_log_dirs(rustdesk_t)
logging_manage_var_log_symlinks(rustdesk_t)
seutil_read_config(rustdesk_t)
seutil_read_login_config(rustdesk_t)
seutil_read_default_contexts(rustdesk_t)
seutil_read_module_store(rustdesk_t)
miscfiles_manage_localization(rustdesk_t)
miscfiles_filetrans_named_content(rustdesk_t)
udev_manage_rules_files(rustdesk_t)
userdom_use_user_ttys(rustdesk_t)
userdom_manage_tmp_dirs(rustdesk_t)
userdom_manage_tmp_sockets(rustdesk_t)
userdom_delete_user_tmp_files(rustdesk_t)
userdom_delete_user_home_content_files(rustdesk_t)
userdom_connectto_stream(rustdesk_t)
userdom_rw_inherited_user_pipes(rustdesk_t)
userdom_transition_login_userdomain(rustdesk_t)
userdom_nnp_transition_login_userdomain(rustdesk_t)
userdom_noatsecure_login_userdomain(rustdesk_t)
userdom_sigchld_login_userdomain(rustdesk_t)
userdom_use_user_ptys(rustdesk_t)
userdom_watch_user_ptys(rustdesk_t)
userdom_watch_reads_user_ptys(rustdesk_t)
allow rustdesk_t self:process setsched;
ifdef(`distro_redhat',`
fs_manage_tmpfs_files(rustdesk_t)
fs_manage_tmpfs_symlinks(rustdesk_t)
fs_manage_tmpfs_sockets(rustdesk_t)
fs_manage_tmpfs_chr_files(rustdesk_t)
fs_exec_tmpfs_files(rustdesk_t)
fs_read_tmpfs_symlinks(rustdesk_t)
fs_tmpfs_filetrans(rustdesk_t, initctl_t, fifo_file)
fs_tmpfs_filetrans_named_content(rustdesk_t)
fs_relabelfrom_tmpfs_lnk_files(rustdesk_t)
logging_stream_connect_syslog(rustdesk_t)
logging_relabel_syslog_pid_socket(rustdesk_t)
')
corecmd_shell_domtrans(rustdesk_t, initrc_t)
storage_raw_rw_fixed_disk(rustdesk_t)
sysnet_read_dhcpc_state(rustdesk_t)
allow rustdesk_t self:system all_system_perms;
allow rustdesk_t self:system module_load;
allow rustdesk_t self:unix_dgram_socket { create_socket_perms sendto };
allow rustdesk_t self:process { setkeycreate setsockcreate setfscreate setrlimit setexec };
allow rustdesk_t self:process { getcap setcap };
allow rustdesk_t self:unix_stream_socket { create_stream_socket_perms connectto recvfrom };
allow rustdesk_t self:netlink_kobject_uevent_socket create_socket_perms;
allow rustdesk_t self:netlink_selinux_socket create_socket_perms;
allow rustdesk_t self:unix_dgram_socket lock;
# Até o systemd ser corrigido
allow daemon rustdesk_t:socket_class_set { getopt read getattr ioctl setopt write };
allow rustdesk_t self:udp_socket create_socket_perms;
allow rustdesk_t self:netlink_route_socket create_netlink_socket_perms;
allow rustdesk_t initrc_t:unix_dgram_socket create_socket_perms;
kernel_list_unlabeled(rustdesk_t)
kernel_read_unlabeled_lnk_files(rustdesk_t)
kernel_read_network_state(rustdesk_t)
kernel_rw_all_sysctls(rustdesk_t)
kernel_rw_security_state(rustdesk_t)
kernel_rw_usermodehelper_state(rustdesk_t)
kernel_read_software_raid_state(rustdesk_t)
kernel_unmount_debugfs(rustdesk_t)
kernel_setsched(rustdesk_t)
kernel_mounton_kernel_sysctl(rustdesk_t)
dev_write_kmsg(rustdesk_t)
dev_write_urand(rustdesk_t)
dev_rw_lvm_control(rustdesk_t)
dev_rw_autofs(rustdesk_t)
dev_manage_generic_symlinks(rustdesk_t)
dev_manage_generic_dirs(rustdesk_t)
dev_manage_generic_files(rustdesk_t)
dev_read_generic_chr_files(rustdesk_t)
dev_relabel_generic_dev_dirs(rustdesk_t)
dev_relabel_all_dev_nodes(rustdesk_t)
dev_relabel_all_dev_files(rustdesk_t)
dev_manage_sysfs_dirs(rustdesk_t)
dev_relabel_sysfs_dirs(rustdesk_t)
dev_rw_wireless(rustdesk_t)
files_search_all(rustdesk_t)
files_mounton_all_mountpoints(rustdesk_t)
files_unmount_all_file_type_fs(rustdesk_t)
files_remount_all_file_type_fs(rustdesk_t)
files_mounton_kernel_symbol_table(rustdesk_t)
files_manage_all_pid_dirs(rustdesk_t)
files_write_all_pid_sockets(rustdesk_t)
files_manage_etc_dirs(rustdesk_t)
files_manage_generic_tmp_dirs(rustdesk_t)
files_relabel_all_pid_dirs(rustdesk_t)
files_relabel_all_pid_files(rustdesk_t)
files_create_all_pid_sockets(rustdesk_t)
files_delete_all_pids(rustdesk_t)
files_exec_generic_pid_files(rustdesk_t)
files_create_all_pid_pipes(rustdesk_t)
files_create_all_spool_sockets(rustdesk_t)
files_delete_all_spool_sockets(rustdesk_t)
files_create_var_lib_dirs(rustdesk_t)
files_create_var_lib_symlinks(rustdesk_t)
files_read_var_lib_symlinks(rustdesk_t)
files_manage_urandom_seed(rustdesk_t)
files_list_locks(rustdesk_t)
files_list_spool(rustdesk_t)
files_list_var(rustdesk_t)
files_write_var_dirs(rustdesk_t)
files_manage_var_symlinks(rustdesk_t)
files_setattr_var_dirs(rustdesk_t)
files_list_boot(rustdesk_t)
files_list_home(rustdesk_t)
files_create_lock_dirs(rustdesk_t)
files_relabel_all_files(rustdesk_t)
files_read_kernel_modules(rustdesk_t)
files_map_kernel_modules(rustdesk_t)
files_dontaudit_mounton_isid(rustdesk_t)
files_delete_tmp_files(rustdesk_t)
files_delete_tmp_pipes(rustdesk_t)
files_delete_tmp_sockets(rustdesk_t)
fs_getattr_all_fs(rustdesk_t)
fs_manage_cgroup_dirs(rustdesk_t)
fs_manage_cgroup_files(rustdesk_t)
fs_manage_bpf_dirs(rustdesk_t)
fs_manage_bpf_files(rustdesk_t)
fs_manage_hugetlbfs_dirs(rustdesk_t)
fs_manage_tmpfs_dirs(rustdesk_t)
fs_relabel_tmpfs_blk_file(rustdesk_t)
fs_relabel_tmpfs_chr_file(rustdesk_t)
fs_relabel_pstore_dirs(rustdesk_t)
fs_relabel_tmpfs_dirs(rustdesk_t)
fs_relabel_tmpfs_files(rustdesk_t)
fs_relabel_tmpfs_fifo_files(rustdesk_t)
fs_mount_all_fs(rustdesk_t)
fs_unmount_all_fs(rustdesk_t)
fs_remount_all_fs(rustdesk_t)
fs_list_all(rustdesk_t)
fs_list_auto_mountpoints(rustdesk_t)
fs_register_binary_executable_type(rustdesk_t)
fs_relabel_tmpfs_sock_file(rustdesk_t)
fs_rw_tmpfs_files(rustdesk_t)
fs_relabel_cgroup_dirs(rustdesk_t)
fs_search_cgroup_dirs(rustdesk_t)
# for network namespaces
fs_read_nsfs_files(rustdesk_t)
storage_getattr_removable_dev(rustdesk_t)
term_relabel_ptys_dirs(rustdesk_t)
auth_relabel_login_records(rustdesk_t)
auth_relabel_pam_console_data_dirs(rustdesk_t)
auth_manage_faillog(rustdesk_t)
clock_read_adjtime(rustdesk_t)
init_read_script_state(rustdesk_t)
seutil_read_file_contexts(rustdesk_t)
systemd_exec_systemctl(rustdesk_t)
systemd_manage_home_content(rustdesk_t)
systemd_manage_unit_dirs(rustdesk_t)
systemd_manage_random_seed(rustdesk_t)
systemd_manage_all_unit_files(rustdesk_t)
systemd_logger_stream_connect(rustdesk_t)
systemd_login_manage_pid_files(rustdesk_t)
systemd_config_all_services(rustdesk_t)
systemd_relabelto_fifo_file_passwd_run(rustdesk_t)
systemd_relabel_unit_dirs(rustdesk_t)
systemd_relabel_unit_files(rustdesk_t)
systemd_relabel_unit_symlinks(rustdesk_t)
systemd_login_status(rustdesk_t)
systemd_map_networkd_exec_files(rustdesk_t)
systemd_map_resolved_exec_files(rustdesk_t)
systemd_rfkill_setattr_lib(rustdesk_t)
systemd_rfkill_mounton_var_lib(rustdesk_t)
systemd_rfkill_manage_lib_dirs(rustdesk_t)
systemd_timedated_mounton_var_lib(rustdesk_t)
systemd_mounton_inhibit_dir(rustdesk_t)
systemd_timedated_manage_lib_dirs(rustdesk_t)
systemd_login_mounton_pid_dirs(rustdesk_t)
systemd_mounton_inherited_logind_sessions_dirs(rustdesk_t)
systemd_delete_private_tmp(rustdesk_t)
systemd_userdbd_stream_connect(rustdesk_t)
systemd_userdbd_runtime_filetrans(rustdesk_t)
systemd_userdbd_runtime_manage_symlinks(rustdesk_t)
systemd_write_inherited_logind_sessions_pipes(rustdesk_t)
create_sock_files_pattern(rustdesk_t, init_sock_file_type, init_sock_file_type)
create_dirs_pattern(rustdesk_t, var_log_t, var_log_t)
auth_use_nsswitch(rustdesk_t)
auth_rw_login_records(rustdesk_t)
auth_rw_lastlog(rustdesk_t)
auth_domtrans_chk_passwd(rustdesk_t)
auth_manage_passwd(rustdesk_t)
allow rustdesk_t var_run_t:dir relabelto;
allow rustdesk_t daemon:unix_stream_socket create_stream_socket_perms;
allow rustdesk_t daemon:unix_dgram_socket create_socket_perms;
allow rustdesk_t daemon:tcp_socket create_stream_socket_perms;
allow rustdesk_t daemon:udp_socket create_socket_perms;
allow daemon rustdesk_t:unix_dgram_socket sendto;
# Precisa escrever em /var/run/systemd/notify
init_write_pid_socket(daemon)
allow daemon rustdesk_t:unix_stream_socket { append write read getattr ioctl };
allow rustdesk_t daemon:process siginh;
ifdef(`hide_broken_symptoms',`
# RHEL4 systems seem to have a stray
# fds open from the initrd
ifdef(`distro_rhel4',`
kernel_dontaudit_use_fds(daemon)
')
dontaudit daemon rustdesk_t:dir search_dir_perms;
dontaudit daemon rustdesk_t:file read_file_perms;
')
dontaudit systemprocess rustdesk_t:unix_stream_socket getattr;
allow rustdesk_t daemon:unix_stream_socket create_stream_socket_perms;
allow rustdesk_t daemon:unix_dgram_socket create_socket_perms;
allow daemon rustdesk_t:unix_stream_socket ioctl;
allow daemon rustdesk_t:unix_dgram_socket sendto;
# Lidar com a transição direta do upstart/systemd para um executável
allow rustdesk_t systemprocess:process { dyntransition siginh };
allow rustdesk_t systemprocess:unix_stream_socket create_stream_socket_perms;
allow rustdesk_t systemprocess:unix_dgram_socket create_socket_perms;
allow systemprocess rustdesk_t:unix_dgram_socket sendto;
allow systemprocess rustdesk_t:unix_stream_socket { append write read getattr ioctl };
###############################################################################
#
# Parte 2. As seguintes regras foram geradas por
# `grep rustdesk /var/log/audit/audit.log | audit2allow -a -M test`
#
#============= rustdesk_t ==============
corenet_tcp_connect_unreserved_ports(rustdesk_t)
allow rustdesk_t self:process execmem;
allow rustdesk_t data_home_t:dir { add_name create remove_name write };
allow rustdesk_t config_home_t:dir { write add_name remove_name };
allow rustdesk_t data_home_t:file { create link open read rename setattr unlink write };
allow rustdesk_t config_home_t:file { create link open read rename setattr unlink write };
allow rustdesk_t sudo_exec_t:file { execute execute_no_trans map open read } ;
allow rustdesk_t systemd_logind_t:dbus send_msg;
allow rustdesk_t tmp_t:file { setattr open setattr unlink write unlink };
allow rustdesk_t user_tmp_t:file { open write read link unlink map };
allow systemd_coredump_t rustdesk_exec_t:file read;
allow rustdesk_t event_device_t:chr_file { append open ioctl lock read write };
allow rustdesk_t session_dbusd_tmp_t:sock_file write;
allow rustdesk_t unconfined_dbusd_t:unix_stream_socket connectto;
allow unconfined_t rustdesk_exec_t:file { execute getattr open read };
allow init_t rustdesk_exec_t:file getattr;
allow rustdesk_t pulseaudio_home_t:file { read open write lock };
allow rustdesk_t user_fonts_cache_t:dir { add_name remove_name } ;
allow rustdesk_t user_fonts_cache_t:file { create open read write lock unlink };
#!!!! Este AVC pode ser permitido usando o booleano 'nis_enabled'
allow rustdesk_t unreserved_port_t:tcp_socket name_connect;
allow rustdesk_t xserver_port_t:tcp_socket name_connect;
allow rustdesk_t xserver_t:unix_stream_socket connectto;
allow rustdesk_t ephemeral_port_t:tcp_socket name_connect;
###############################################################################
#
# Parte 3. As seguintes regras são das regras instaladas no sistema.
# `dnf install setools-console`
# `sesearch -A | grep 'allow init_t ' | sed 's/allow init_t /allow rustdesk_t /g'`
#
#============= mesclar de init_t ==============
allow rustdesk_t abrt_dump_oops_t:dbus send_msg;
allow rustdesk_t abrt_upload_watch_t:dbus send_msg;
allow rustdesk_t adjtime_t:file { ioctl lock open read };
allow rustdesk_t aiccu_t:dbus send_msg;
allow rustdesk_t amanda_inetd_exec_t:file ioctl;
allow rustdesk_t amanda_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t antivirus_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t apcupsd_power_t:file { ioctl lock open read };
allow rustdesk_t auditd_etc_t:dir { add_name remove_name write };
allow rustdesk_t auditd_etc_t:file { append create ioctl link lock open read rename setattr unlink watch watch_reads write };
allow rustdesk_t autofs_device_t:chr_file { append ioctl lock open read write };
allow rustdesk_t base_ro_file_type:file { execute execute_no_trans map };
allow rustdesk_t binfmt_misc_fs_t:file { append ioctl lock open read write };
allow rustdesk_t bitlbee_exec_t:file ioctl;
allow rustdesk_t bitlbee_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t boltd_var_lib_t:dir { add_name create link mounton remove_name rename reparent rmdir setattr unlink watch_reads write };
allow rustdesk_t boltd_var_lib_t:fifo_file { append create ioctl link lock open read rename setattr unlink write };
allow rustdesk_t boltd_var_lib_t:lnk_file { append create ioctl link lock read rename setattr unlink watch_reads write };
allow rustdesk_t boltd_var_lib_t:sock_file { append create ioctl link lock open read rename setattr unlink write };
allow rustdesk_t boltd_var_run_t:dir mounton;
allow rustdesk_t boolean_type:dir { getattr ioctl lock open read search };
allow rustdesk_t boolean_type:file { append getattr ioctl lock open read write };
allow rustdesk_t boothd_t:dbus send_msg;
allow rustdesk_t bootloader_exec_t:file { execute ioctl map open read };
allow rustdesk_t bootloader_t:process transition;
allow rustdesk_t bpf_t:dir { add_name create link remove_name rename reparent rmdir setattr unlink watch_reads };
allow rustdesk_t bpf_t:dir { create link rename reparent rmdir setattr unlink watch_reads };
allow rustdesk_t bpf_t:file { append create ioctl link lock open read rename setattr unlink watch_reads write };
allow rustdesk_t bugzilla_script_t:dbus send_msg;
allow rustdesk_t certwatch_t:dbus send_msg;
allow rustdesk_t cgroup_t:dir { add_name create link remove_name rename reparent rmdir setattr unlink watch_reads };
allow rustdesk_t cgroup_t:dir { create link rename reparent rmdir setattr unlink watch_reads };
allow rustdesk_t cgroup_t:file { append create link rename setattr unlink watch_reads write };
allow rustdesk_t cgroup_t:lnk_file { append create ioctl link lock rename setattr unlink watch_reads write };
allow rustdesk_t chkpwd_exec_t:file { execute ioctl map open read };
allow rustdesk_t chkpwd_t:process transition;
allow rustdesk_t chronyc_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t chronyd_exec_t:file ioctl;
allow rustdesk_t chronyd_keys_t:file { ioctl lock open read };
allow rustdesk_t chronyd_restricted_t:dbus send_msg;
allow rustdesk_t chronyd_restricted_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t chronyd_restricted_t:process transition;
allow rustdesk_t chroot_exec_t:file { execute execute_no_trans ioctl lock map open read };
allow rustdesk_t cifs_helper_t:dbus send_msg;
allow rustdesk_t cinder_domain:dbus send_msg;
allow rustdesk_t cloudform_domain:dbus send_msg;
allow rustdesk_t collectd_script_t:dbus send_msg;
allow rustdesk_t comsat_exec_t:file { execute ioctl map open read };
allow rustdesk_t comsat_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t comsat_t:process transition;
allow rustdesk_t comsat_t:unix_stream_socket { accept append bind connect create getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow rustdesk_t configfile:file { ioctl lock open read };
allow rustdesk_t configfile:lnk_file read;
allow rustdesk_t console_device_t:chr_file { read watch watch_reads };
allow rustdesk_t consolekit_log_t:dir { add_name remove_name write };
allow rustdesk_t consolekit_log_t:file { append create ioctl link lock open read rename setattr unlink watch_reads write };
allow rustdesk_t container_kvm_t:dbus send_msg;
allow rustdesk_t container_runtime_domain:dbus send_msg;
allow rustdesk_t container_runtime_tmpfs_t:file { ioctl lock open read };
allow rustdesk_t container_runtime_tmpfs_t:lnk_file read;
allow rustdesk_t container_var_lib_t:dir { create link rename reparent rmdir setattr unlink watch_reads };
allow rustdesk_t container_var_lib_t:file { append create ioctl link lock open read rename setattr unlink watch_reads write };
allow rustdesk_t container_var_lib_t:lnk_file { append create ioctl link lock read rename setattr unlink watch_reads write };
allow rustdesk_t crack_t:dbus send_msg;
allow rustdesk_t cups_brf_t:dbus send_msg;
allow rustdesk_t cupsd_exec_t:file ioctl;
allow rustdesk_t cupsd_lpd_exec_t:file ioctl;
allow rustdesk_t cupsd_lpd_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t cupsd_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t cvs_exec_t:file ioctl;
allow rustdesk_t cvs_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t daemon:fifo_file { append getattr ioctl lock open write };
allow rustdesk_t daemon:process siginh;
allow rustdesk_t daemon:tcp_socket { accept append bind connect create getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow rustdesk_t daemon:udp_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
allow rustdesk_t daemon:unix_dgram_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
allow rustdesk_t daemon:unix_stream_socket { accept append bind connect create getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow rustdesk_t dbskkd_exec_t:file { execute ioctl map open read };
allow rustdesk_t dbskkd_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t dbskkd_t:process transition;
allow rustdesk_t dbskkd_t:unix_stream_socket { accept append bind connect create getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow rustdesk_t default_context_t:file { ioctl lock open read };
allow rustdesk_t default_t:dir create;
allow rustdesk_t devicekit_disk_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t devicekit_power_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t devicekit_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t device_node:blk_file { getattr mounton relabelfrom relabelto setattr };
allow rustdesk_t device_node:chr_file { create getattr mounton relabelfrom relabelto setattr };
allow rustdesk_t device_node:dir { getattr relabelfrom relabelto };
allow rustdesk_t device_node:fifo_file { getattr relabelfrom relabelto };
allow rustdesk_t device_node:file { create getattr mounton open relabelfrom relabelto };
allow rustdesk_t device_node:lnk_file { getattr relabelfrom relabelto };
allow rustdesk_t device_node:sock_file { getattr relabelfrom relabelto };
allow rustdesk_t device_t:chr_file { append ioctl lock open read write };
allow rustdesk_t device_t:dir { create link rename reparent rmdir setattr unlink watch_reads };
allow rustdesk_t device_t:file { append ioctl link lock read rename setattr unlink watch_reads write };
allow rustdesk_t device_t:lnk_file { append create ioctl link lock rename setattr unlink watch_reads write };
allow rustdesk_t devlog_t:lnk_file { append create ioctl link lock rename setattr unlink watch_reads write };
allow rustdesk_t devlog_t:sock_file { create ioctl link lock read rename setattr unlink };
allow rustdesk_t devpts_t:chr_file { append ioctl lock read write };
allow rustdesk_t devpts_t:dir create;
allow rustdesk_t dhcpc_state_t:file { ioctl lock open read };
allow rustdesk_t dhcp_state_t:file setattr;
allow rustdesk_t direct_init_entry:file execute_no_trans;
allow rustdesk_t dirsrvadmin_script_t:dbus send_msg;
allow rustdesk_t domain:dir { getattr ioctl lock open read search };
allow rustdesk_t domain:file { getattr ioctl lock open read };
allow rustdesk_t domain:lnk_file { getattr read };
allow rustdesk_t domain:process { getattr getpgid noatsecure rlimitinh setrlimit setsched sigchld sigkill signal signull sigstop };
allow rustdesk_t dri_device_t:chr_file { append ioctl lock map open read write };
allow rustdesk_t dspam_script_t:dbus send_msg;
allow rustdesk_t efivarfs_t:file { ioctl lock open read setattr };
allow rustdesk_t etc_aliases_t:dir { add_name remove_name write };
allow rustdesk_t etc_aliases_t:file { append create ioctl link lock open read rename setattr unlink watch_reads write };
allow rustdesk_t etc_aliases_t:lnk_file { append create ioctl link lock read rename setattr unlink watch_reads write };
allow rustdesk_t etc_runtime_t:dir { add_name create link remove_name rename reparent rmdir setattr unlink watch_reads write };
allow rustdesk_t etc_runtime_t:file { append create link rename setattr unlink watch_reads write };
allow rustdesk_t etc_t:dir { add_name create link mounton remove_name rename reparent rmdir setattr unlink watch_reads write };
allow rustdesk_t etc_t:dir { create link mounton rename reparent rmdir setattr unlink watch_reads };
allow rustdesk_t etc_t:lnk_file { append create ioctl link lock rename setattr unlink watch_reads write };
allow rustdesk_t faillog_t:dir { add_name create link remove_name rename reparent rmdir setattr unlink watch_reads write };
allow rustdesk_t faillog_t:file { append create ioctl link lock open read rename setattr unlink watch_reads write };
allow rustdesk_t faillog_t:file { create link open read rename setattr unlink watch_reads write };
allow rustdesk_t fetchmail_t:dbus send_msg;
allow rustdesk_t filesystem_type:dir { getattr ioctl lock open read search write };
allow rustdesk_t filesystem_type:filesystem { getattr mount remount unmount };
allow rustdesk_t file_type:blk_file { getattr relabelfrom relabelto };
allow rustdesk_t file_type:chr_file { getattr relabelfrom relabelto };
allow rustdesk_t file_type:dir { getattr ioctl lock open read relabelfrom relabelto search };
allow rustdesk_t file_type:fifo_file { getattr relabelfrom relabelto };
allow rustdesk_t file_type:file { getattr relabelfrom relabelto };
allow rustdesk_t file_type:filesystem { getattr remount unmount };
allow rustdesk_t file_type:lnk_file { getattr relabelfrom relabelto };
allow rustdesk_t file_type:sock_file { getattr relabelfrom relabelto };
allow rustdesk_t fingerd_exec_t:file ioctl;
allow rustdesk_t fingerd_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t fixed_disk_device_t:blk_file { append ioctl lock open read write };
allow rustdesk_t fixed_disk_device_t:chr_file { append ioctl lock open read write };
allow rustdesk_t fixed_disk_device_t:lnk_file read;
allow rustdesk_t flatpak_helper_t:dbus send_msg;
allow rustdesk_t fprintd_exec_t:file { ioctl lock };
allow rustdesk_t fprintd_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t fprintd_var_lib_t:dir { mounton setattr };
allow rustdesk_t fsadm_t:dbus send_msg;
allow rustdesk_t fsadm_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t ftpd_exec_t:file ioctl;
allow rustdesk_t ftpd_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t fwupd_cache_t:dir { remove_name rmdir write };
allow rustdesk_t fwupd_cache_t:file unlink;
allow rustdesk_t fwupd_t:dbus send_msg;
allow rustdesk_t gconfdefaultsm_t:dbus send_msg;
allow rustdesk_t geoclue_t:dbus send_msg;
allow rustdesk_t geoclue_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t getty_exec_t:file ioctl;
allow rustdesk_t getty_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t gitd_exec_t:file ioctl;
allow rustdesk_t git_system_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t gnome_home_type:dir { add_name create link remove_name rename reparent rmdir setattr unlink watch_reads write };
allow rustdesk_t gnome_home_type:file { append create ioctl link lock map open read rename setattr unlink watch_reads write };
allow rustdesk_t gnome_home_type:lnk_file { append create ioctl link lock read rename setattr unlink watch_reads write };
allow rustdesk_t gnome_home_type:sock_file { append create ioctl link lock open read rename setattr unlink write };
allow rustdesk_t gnomesystemmm_t:dbus send_msg;
allow rustdesk_t guest_t:dbus send_msg;
allow rustdesk_t home_bin_t:file { execute execute_no_trans ioctl map open read };
allow rustdesk_t home_root_t:lnk_file read;
allow rustdesk_t hostname_etc_t:file unlink;
allow rustdesk_t httpd_log_t:dir { add_name create setattr write };
allow rustdesk_t httpd_tmp_t:file unlink;
allow rustdesk_t httpd_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t hugetlbfs_t:dir { add_name create link remove_name rename reparent rmdir setattr unlink watch_reads };
allow rustdesk_t hugetlbfs_t:dir { create link rename reparent rmdir setattr unlink watch_reads };
allow rustdesk_t ibacm_t:netlink_rdma_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
allow rustdesk_t ibacm_var_run_t:fifo_file { append ioctl link lock read rename setattr write };
allow rustdesk_t ibacm_var_run_t:lnk_file { append create ioctl link lock rename setattr unlink watch_reads write };
allow rustdesk_t ibacm_var_run_t:sock_file { ioctl link lock read rename };
allow rustdesk_t inetd_child_exec_t:file ioctl;
allow rustdesk_t inetd_child_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t initctl_t:fifo_file { append create ioctl link lock open read rename setattr unlink write };
allow rustdesk_t init_exec_t:file { entrypoint execute execute_no_trans ioctl lock map open read };
allow rustdesk_t initrc_state_t:dir { add_name remove_name write };
allow rustdesk_t initrc_state_t:file { append create execute execute_no_trans ioctl link lock map open read rename setattr unlink watch_reads write };
allow rustdesk_t initrc_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t initrc_t:process transition;
allow rustdesk_t initrc_t:tcp_socket { accept append bind connect create getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow rustdesk_t initrc_t:unix_dgram_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
allow rustdesk_t initrc_t:unix_stream_socket { accept append bind connect connectto create getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow rustdesk_t initrc_var_run_t:file { append setattr write };
allow rustdesk_t init_script_file_type:file { execute ioctl map open read };
allow rustdesk_t init_script_file_type:service { disable enable reload start status stop };
allow rustdesk_t init_t:association sendto;
allow rustdesk_t init_t:bpf { map_create map_read map_write prog_load prog_run };
allow rustdesk_t init_t:capability2 { audit_read block_suspend bpf checkpoint_restore epolwakeup perfmon syslog wake_alarm };
allow rustdesk_t init_t:capability { audit_write audit_control sys_module chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_broadcast net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config };
allow rustdesk_t init_t:cap_userns { audit_control audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_broadcast net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config };
allow rustdesk_t init_t:dir watch;
allow rustdesk_t init_t:fifo_file { create link rename setattr unlink append getattr ioctl lock open read write };
allow rustdesk_t init_t:file { append mounton write };
allow rustdesk_t init_t:key { create read setattr view write };
allow rustdesk_t init_t:lnk_file { ioctl lock };
allow rustdesk_t init_t:lockdown { confidentiality integrity };
allow rustdesk_t init_tmp_t:dir { add_name create link remove_name rename reparent rmdir setattr unlink watch_reads write };
allow rustdesk_t init_tmp_t:file { create link map open rename setattr unlink watch_reads write };
allow rustdesk_t init_tmp_t:lnk_file { append create ioctl link lock read rename setattr unlink watch_reads write };
allow rustdesk_t init_tmp_t:sock_file { append create ioctl link lock open read rename setattr unlink write };
allow rustdesk_t init_t:netlink_audit_socket { append bind connect create getattr getopt ioctl lock nlmsg_read nlmsg_relay nlmsg_tty_audit read setattr setopt shutdown write };
allow rustdesk_t init_t:netlink_kobject_uevent_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
allow rustdesk_t init_t:netlink_route_socket { append bind connect create getattr getopt ioctl lock nlmsg_read nlmsg_write read setattr setopt shutdown write };
allow rustdesk_t init_t:netlink_selinux_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
allow rustdesk_t init_t:packet_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
allow rustdesk_t init_t:peer recv;
allow rustdesk_t init_t:process { fork getcap getsched setcap setexec setfscreate setkeycreate setsockcreate };
allow rustdesk_t init_t:sem { associate create destroy getattr read setattr unix_read unix_write write };
allow rustdesk_t init_t:service { disable enable reload start status stop };
allow rustdesk_t init_t:shm { associate create destroy getattr lock read setattr unix_read unix_write write };
allow rustdesk_t init_t:system { disable enable halt ipc_info module_load module_request reboot reload start status stop syslog_console syslog_mod syslog_read undefined };
allow rustdesk_t init_t:tcp_socket { accept append bind connect create getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow rustdesk_t init_t:udp_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
allow rustdesk_t init_t:unix_dgram_socket { append bind connect create getattr getopt ioctl lock read sendto setattr setopt shutdown write };
allow rustdesk_t init_t:unix_stream_socket { accept append bind connect create getattr getopt ioctl listen lock read recvfrom sendto setattr setopt shutdown write };
allow rustdesk_t init_t:user_namespace create;
allow rustdesk_t init_var_lib_t:dir { add_name create link mounton remove_name rename reparent rmdir setattr unlink watch_reads write };
allow rustdesk_t init_var_lib_t:dir { create link mounton rename reparent rmdir setattr unlink watch_reads };
allow rustdesk_t init_var_lib_t:file { append create ioctl link lock map open read rename setattr unlink watch_reads write };
allow rustdesk_t init_var_lib_t:lnk_file { append create ioctl link lock read rename setattr unlink watch_reads write };
allow rustdesk_t init_var_lib_t:sock_file { append create ioctl link lock open read rename setattr unlink write };
allow rustdesk_t init_var_run_t:blk_file { append create ioctl link lock open read rename setattr unlink write };
allow rustdesk_t init_var_run_t:chr_file { append create ioctl link lock open read rename setattr unlink write };
allow rustdesk_t init_var_run_t:dir mounton;
allow rustdesk_t init_var_run_t:fifo_file { append ioctl link lock read rename setattr write };
allow rustdesk_t init_var_run_t:file { append create link mounton rename setattr watch_reads write };
allow rustdesk_t init_var_run_t:lnk_file { append create ioctl link lock rename setattr unlink watch_reads write };
allow rustdesk_t init_var_run_t:sock_file { ioctl link lock read rename };
allow rustdesk_t init_var_run_t:sock_file { ioctl link lock rename };
allow rustdesk_t insights_client_t:fifo_file read;
allow rustdesk_t install_exec_t:file { execute ioctl map open read };
allow rustdesk_t install_t:dbus send_msg;
allow rustdesk_t install_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t install_t:process transition;
allow rustdesk_t install_t:unix_stream_socket { accept append bind connect connectto create getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow rustdesk_t ipsec_conf_file_t:file { ioctl lock open read };
allow rustdesk_t ipsec_t:unix_stream_socket connectto;
allow rustdesk_t ipsec_var_run_t:file { append create link rename setattr watch_reads write };
allow rustdesk_t irqbalance_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t iscsi_var_lib_t:file { ioctl lock open read };
allow rustdesk_t jockey_t:dbus send_msg;
allow rustdesk_t journalctl_exec_t:file { execute execute_no_trans ioctl lock map open read };
allow rustdesk_t kadmind_t:dbus send_msg;
allow rustdesk_t kdump_crash_t:file { ioctl lock open read };
allow rustdesk_t kdumpctl_t:dbus send_msg;
allow rustdesk_t kdump_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t keepalived_unconfined_script_t:dbus send_msg;
allow rustdesk_t kernel_t:dbus send_msg;
allow rustdesk_t kernel_t:fd use;
allow rustdesk_t kernel_t:fifo_file { append getattr ioctl lock read write };
allow rustdesk_t kernel_t:system ipc_info;
allow rustdesk_t kernel_t:unix_dgram_socket { getattr ioctl read write };
allow rustdesk_t kernel_t:unix_stream_socket { append bind connect getopt ioctl lock read setattr setopt shutdown write };
allow rustdesk_t kmod_exec_t:file ioctl;
allow rustdesk_t kmod_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t kmscon_t:dbus send_msg;
allow rustdesk_t kmsg_device_t:chr_file { append ioctl lock open write };
allow rustdesk_t krb5_keytab_t:file { ioctl lock open read };
allow rustdesk_t ktalkd_exec_t:file ioctl;
allow rustdesk_t ktalkd_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t l2tpd_t:dbus send_msg;
allow rustdesk_t lastlog_t:file { append ioctl lock open read setattr write };
allow rustdesk_t lastlog_t:file { open read setattr write };
allow rustdesk_t ld_so_cache_t:file { append write };
allow rustdesk_t lldpad_t:dbus send_msg;
allow rustdesk_t loadkeys_t:dbus send_msg;
allow rustdesk_t locale_t:dir { add_name create link remove_name rename reparent rmdir setattr unlink watch_reads write };
allow rustdesk_t locale_t:file { append create link rename setattr unlink watch_reads write };
allow rustdesk_t locale_t:lnk_file { append create ioctl link lock rename setattr unlink watch_reads write };
allow rustdesk_t lockfile:dir { add_name create link remove_name rename reparent rmdir setattr unlink watch_reads write };
allow rustdesk_t lockfile:file { append create ioctl link lock open read rename setattr unlink watch_reads write };
allow rustdesk_t lockfile:lnk_file { append create ioctl link lock read rename setattr unlink watch_reads write };
allow rustdesk_t login_userdomain:process2 nnp_transition;
allow rustdesk_t login_userdomain:process transition;
allow rustdesk_t lvm_control_t:chr_file { append ioctl lock open read write };
allow rustdesk_t lvm_etc_t:file map;
allow rustdesk_t lvm_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t lvm_var_run_t:fifo_file { append ioctl lock read write };
allow rustdesk_t machineid_t:file { append create link mounton rename setattr unlink watch_reads write };
allow rustdesk_t mail_spool_t:lnk_file read;
allow rustdesk_t mandb_t:dbus send_msg;
allow rustdesk_t mdadm_t:unix_stream_socket connectto;
allow rustdesk_t mdadm_var_run_t:file { append create link rename setattr watch_reads write };
allow rustdesk_t memcached_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t memory_device_t:chr_file { ioctl lock map open read };
allow rustdesk_t mnt_t:dir { add_name create link remove_name rename reparent rmdir setattr unlink watch_reads write };
allow rustdesk_t mnt_t:dir { create link rename reparent rmdir setattr unlink watch_reads };
allow rustdesk_t mnt_t:file { append create ioctl link lock open read rename setattr unlink watch_reads write };
allow rustdesk_t mnt_t:lnk_file read;
allow rustdesk_t modemmanager_t:dbus send_msg;
allow rustdesk_t modemmanager_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t modules_dep_t:file { ioctl lock map open read };
allow rustdesk_t modules_object_t:dir mounton;
allow rustdesk_t modules_object_t:file { ioctl lock map open read };
allow rustdesk_t modules_object_t:lnk_file read;
allow rustdesk_t mon_procd_t:dbus send_msg;
allow rustdesk_t mountpoint:dir mounton;
allow rustdesk_t mountpoint:file mounton;
allow rustdesk_t mount_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t mount_var_run_t:file { append create link rename setattr watch_reads write };
allow rustdesk_t mptcpd_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t munin_plugin_domain:dbus send_msg;
allow rustdesk_t munin_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t mysqld_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t mythtv_script_t:dbus send_msg;
allow rustdesk_t naemon_t:dbus send_msg;
allow rustdesk_t nagios_plugin_domain:dbus send_msg;
allow rustdesk_t nagios_system_plugin_t:dbus send_msg;
allow rustdesk_t named_conf_t:dir { create link rename reparent rmdir setattr unlink watch_reads };
allow rustdesk_t named_conf_t:file { append create link rename setattr unlink watch_reads write };
allow rustdesk_t named_zone_t:dir setattr;
allow rustdesk_t net_conf_t:dir { add_name remove_name write };
allow rustdesk_t net_conf_t:fifo_file { append create ioctl link lock open read rename setattr unlink write };
allow rustdesk_t netlabel_mgmt_t:dbus send_msg;
allow rustdesk_t networkmanager_dispatcher_plugin:dbus send_msg;
allow rustdesk_t NetworkManager_dispatcher_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t NetworkManager_priv_helper_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t NetworkManager_t:unix_stream_socket connectto;
allow rustdesk_t nfsd_fs_t:file { ioctl lock open read };
allow rustdesk_t nfsidmap_t:dbus send_msg;
allow rustdesk_t ninfod_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t non_security_file_type:dir create;
allow rustdesk_t non_security_file_type:dir { mounton setattr write };
allow rustdesk_t non_security_file_type:dir setattr;
allow rustdesk_t non_security_file_type:dir watch;
allow rustdesk_t non_security_file_type:file mounton;
allow rustdesk_t non_security_file_type:file watch;
allow rustdesk_t non_security_file_type:lnk_file watch;
allow rustdesk_t nrpe_exec_t:file ioctl;
allow rustdesk_t nrpe_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t nsfs_t:file { getattr ioctl lock open read };
allow rustdesk_t nsswitch_domain:dbus send_msg;
allow rustdesk_t openshift_cgroup_read_t:dbus send_msg;
allow rustdesk_t openshift_net_read_t:dbus send_msg;
allow rustdesk_t oracleasm_t:dbus send_msg;
allow rustdesk_t passwd_file_t:file { append create link rename setattr unlink watch_reads write };
allow rustdesk_t pcscd_t:unix_stream_socket connectto;
allow rustdesk_t pdns_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t pegasus_openlmi_domain:dbus send_msg;
allow rustdesk_t pidfile:dir { add_name create link remove_name rename reparent rmdir setattr unlink watch_reads write };
allow rustdesk_t pidfile:fifo_file { create open unlink };
allow rustdesk_t pidfile:file { ioctl lock map open read unlink };
allow rustdesk_t pidfile:lnk_file read;
allow rustdesk_t pidfile:sock_file { append create open setattr unlink write };
allow rustdesk_t pkcs_slotd_tmpfs_t:file unlink;
allow rustdesk_t pkcs_slotd_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t pkcs_slotd_t:shm destroy;
allow rustdesk_t plymouthd_t:unix_stream_socket connectto;
allow rustdesk_t plymouth_exec_t:file { execute execute_no_trans ioctl lock map open read };
allow rustdesk_t policykit_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t port_type:tcp_socket name_bind;
allow rustdesk_t port_type:udp_socket name_bind;
allow rustdesk_t postfix_exec_t:file { execute execute_no_trans ioctl lock map open read };
allow rustdesk_t print_spool_t:dir { add_name create link remove_name rename reparent rmdir setattr unlink watch_reads write };
allow rustdesk_t print_spool_t:fifo_file { append create ioctl link lock open read rename setattr unlink write };
allow rustdesk_t print_spool_t:file { append create ioctl link lock map open read rename setattr unlink watch_reads write };
allow rustdesk_t print_spool_t:lnk_file { append create ioctl link lock read rename setattr unlink watch_reads write };
allow rustdesk_t proc_net_t:lnk_file { getattr read };
allow rustdesk_t proc_security_t:file { append write };
allow rustdesk_t proc_type:dir { getattr ioctl lock mounton open read search };
allow rustdesk_t proc_type:file { getattr ioctl lock mounton open read };
allow rustdesk_t ptchown_t:dbus send_msg;
allow rustdesk_t ptynode:chr_file { append ioctl lock open read write };
allow rustdesk_t qmail_tcp_env_exec_t:file { execute ioctl map open read };
allow rustdesk_t qmail_tcp_env_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t qmail_tcp_env_t:process transition;
allow rustdesk_t qmail_tcp_env_t:unix_stream_socket { accept append bind connect create getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow rustdesk_t qpidd_t:dbus send_msg;
allow rustdesk_t quota_exec_t:file { execute ioctl map open read };
allow rustdesk_t quota_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t quota_t:process transition;
allow rustdesk_t quota_t:unix_stream_socket { accept append bind connect create getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow rustdesk_t radiusd_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t random_device_t:chr_file { ioctl lock open read };
allow rustdesk_t random_seed_t:file { append create ioctl link lock open read rename setattr unlink watch_reads write };
allow rustdesk_t rdisc_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t rhsmcertd_t:dbus send_msg;
allow rustdesk_t rlogind_exec_t:file ioctl;
allow rustdesk_t rlogind_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t root_t:dir write;
allow rustdesk_t rpm_script_t:unix_stream_socket { append bind connect getattr getopt ioctl lock read setattr setopt shutdown write };
allow rustdesk_t rpm_var_cache_t:file { ioctl lock open read };
allow rustdesk_t rpm_var_cache_t:lnk_file read;
allow rustdesk_t rpm_var_lib_t:file { ioctl lock map open read };
allow rustdesk_t rpm_var_lib_t:lnk_file read;
allow rustdesk_t rshd_exec_t:file { execute ioctl map open read };
allow rustdesk_t rshd_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t rshd_t:process transition;
allow rustdesk_t rshd_t:tcp_socket { accept append bind connect create getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow rustdesk_t rshd_t:unix_stream_socket { accept append bind connect create getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow rustdesk_t rsync_exec_t:file ioctl;
allow rustdesk_t rsync_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t rustdesk_exec_t:file { entrypoint execute ioctl lock map open read };
allow rustdesk_t rustdesk_t:association sendto;
allow rustdesk_t rustdesk_t:bpf { map_create map_read map_write prog_load prog_run };
allow rustdesk_t rustdesk_t:capability2 { audit_read block_suspend bpf checkpoint_restore epolwakeup perfmon syslog wake_alarm };
allow rustdesk_t rustdesk_t:capability { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_broadcast net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config };
allow rustdesk_t rustdesk_t:capability sys_module;
allow rustdesk_t rustdesk_t:cap_userns { audit_control audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_broadcast net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config };
allow rustdesk_t rustdesk_t:dbus send_msg;
allow rustdesk_t rustdesk_t:dir watch;
allow rustdesk_t rustdesk_t:fifo_file { create link rename setattr unlink };
allow rustdesk_t rustdesk_t:fifo_file open;
allow rustdesk_t rustdesk_t:file { append mounton write };
allow rustdesk_t rustdesk_t:key { create read setattr view write };
allow rustdesk_t rustdesk_t:lnk_file { ioctl lock };
allow rustdesk_t rustdesk_t:lockdown { confidentiality integrity };
allow rustdesk_t rustdesk_t:netlink_audit_socket { append bind connect create lock nlmsg_read nlmsg_relay nlmsg_tty_audit setattr shutdown };
allow rustdesk_t rustdesk_t:netlink_kobject_uevent_socket { append bind connect create lock setattr shutdown };
allow rustdesk_t rustdesk_t:netlink_route_socket { append bind connect create lock nlmsg_read nlmsg_write setattr shutdown };
allow rustdesk_t rustdesk_t:netlink_selinux_socket { append bind connect create lock setattr shutdown };
allow rustdesk_t rustdesk_t:packet_socket { append bind connect create lock setattr shutdown };
allow rustdesk_t rustdesk_t:peer recv;
allow rustdesk_t rustdesk_t:process { fork getcap getsched setcap setexec setfscreate setkeycreate setsockcreate };
allow rustdesk_t rustdesk_t:sem { associate create destroy getattr read setattr unix_read unix_write write };
allow rustdesk_t rustdesk_t:service { disable enable reload start status stop };
allow rustdesk_t rustdesk_t:shm { associate create destroy getattr lock read setattr unix_read unix_write write };
allow rustdesk_t rustdesk_t:system { disable enable halt ipc_info module_load module_request reboot reload start status stop syslog_console syslog_mod syslog_read undefined };
allow rustdesk_t rustdesk_t:unix_stream_socket { connectto recvfrom };
allow rustdesk_t rustdesk_t:user_namespace create;
allow rustdesk_t sblim_domain:dbus send_msg;
allow rustdesk_t security_t:file map;
allow rustdesk_t security_t:security { check_context compute_av compute_create compute_relabel compute_user load_policy };
allow rustdesk_t selinux_config_t:file { ioctl lock open read };
allow rustdesk_t selinux_config_t:lnk_file read;
allow rustdesk_t selinux_login_config_t:file { ioctl lock open read };
allow rustdesk_t selinux_login_config_t:lnk_file read;
allow rustdesk_t semanage_store_t:file { ioctl lock open read };
allow rustdesk_t semanage_store_t:lnk_file read;
allow rustdesk_t session_dbusd_tmp_t:dir { add_name create link remove_name rename reparent rmdir setattr unlink watch_reads write };
allow rustdesk_t shell_exec_t:file entrypoint;
allow rustdesk_t smbcontrol_t:dbus send_msg;
allow rustdesk_t smokeping_cgi_script_t:dbus send_msg;
allow rustdesk_t spc_t:dbus send_msg;
allow rustdesk_t speech_dispatcher_t:dbus send_msg;
allow rustdesk_t spoolfile:sock_file { create open setattr unlink };
allow rustdesk_t sshd_exec_t:file ioctl;
allow rustdesk_t sshd_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t ssh_keysign_t:dbus send_msg;
allow rustdesk_t sslh_t:dbus send_msg;
allow rustdesk_t sssd_var_lib_t:sock_file { create setattr unlink };
allow rustdesk_t staff_t:fd use;
allow rustdesk_t stratisd_data_t:lnk_file read;
allow rustdesk_t stunnel_exec_t:file ioctl;
allow rustdesk_t stunnel_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t sulogin_exec_t:file ioctl;
allow rustdesk_t sulogin_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t svc_start_exec_t:file ioctl;
allow rustdesk_t svc_start_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t svirt_file_type:chr_file { append create ioctl link lock open read rename setattr unlink write };
allow rustdesk_t svirt_file_type:dir { add_name create link remove_name rename reparent rmdir setattr unlink watch_reads write };
allow rustdesk_t svirt_file_type:fifo_file { append create ioctl link lock open read rename setattr unlink write };
allow rustdesk_t svirt_file_type:file { append create ioctl link lock open read rename setattr unlink watch_reads write };
allow rustdesk_t svirt_file_type:lnk_file { append create ioctl link lock read rename setattr unlink watch_reads write };
allow rustdesk_t svirt_sandbox_domain:process transition;
allow rustdesk_t svirt_sandbox_domain:unix_dgram_socket sendto;
allow rustdesk_t svirt_tcg_t:dbus send_msg;
allow rustdesk_t svirt_t:dbus send_msg;
allow rustdesk_t swat_exec_t:file { execute ioctl map open read };
allow rustdesk_t swat_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t swat_t:process transition;
allow rustdesk_t swat_t:unix_stream_socket { accept append bind connect create getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow rustdesk_t sysctl_kernel_t:file mounton;
allow rustdesk_t sysctl_type:dir { getattr ioctl lock mounton open read search };
allow rustdesk_t sysctl_type:file { append getattr ioctl lock open read setattr write };
allow rustdesk_t sysfs_t:dir { add_name create link remove_name rename reparent rmdir setattr unlink watch_reads };
allow rustdesk_t sysfs_t:dir { create link rename reparent rmdir setattr unlink watch_reads };
allow rustdesk_t sysfs_t:file { append create ioctl link lock open read rename setattr unlink watch_reads write };
allow rustdesk_t sysfs_t:lnk_file { append create ioctl link lock read rename setattr unlink watch_reads write };
allow rustdesk_t syslogd_t:netlink_audit_socket { append bind connect create getattr getopt ioctl lock nlmsg_read nlmsg_write read setattr setopt shutdown write };
allow rustdesk_t syslogd_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t systemd_bootchart_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t system_dbusd_t:dbus acquire_svc;
allow rustdesk_t system_dbusd_var_run_t:sock_file { read watch };
allow rustdesk_t systemd_coredump_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t systemd_gpt_generator_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t systemd_home_t:dir { add_name create link remove_name rename reparent rmdir setattr unlink watch_reads write };
allow rustdesk_t systemd_home_t:file { append create ioctl link lock open read rename setattr unlink watch_reads write };
allow rustdesk_t systemd_home_t:lnk_file { append create ioctl link lock read rename setattr unlink watch_reads write };
allow rustdesk_t systemd_hostnamed_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t systemd_hwdb_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t systemd_importd_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t systemd_initctl_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t systemd_journal_upload_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t systemd_localed_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t systemd_logger_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t systemd_logger_t:unix_stream_socket connectto;
allow rustdesk_t systemd_logind_inhibit_var_run_t:dir mounton;
allow rustdesk_t systemd_logind_inhibit_var_run_t:fifo_file write;
allow rustdesk_t systemd_logind_sessions_t:dir mounton;
allow rustdesk_t systemd_logind_sessions_t:fifo_file write;
allow rustdesk_t systemd_logind_t:fd use;
allow rustdesk_t systemd_logind_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t systemd_logind_t:system status;
allow rustdesk_t systemd_logind_var_run_t:dir mounton;
allow rustdesk_t systemd_logind_var_run_t:file { append create link rename setattr watch_reads write };
allow rustdesk_t systemd_machined_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t systemd_modules_load_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t systemd_mount_directory:dir { create mounton };
allow rustdesk_t systemd_networkd_exec_t:file map;
allow rustdesk_t systemd_networkd_t:netlink_route_socket { append bind connect create getattr getopt ioctl lock nlmsg_read nlmsg_write read setattr setopt shutdown write };
allow rustdesk_t systemd_networkd_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t systemd_network_generator_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t systemd_notify_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t systemd_passwd_agent_exec_t:file { execute ioctl lock map open read };
allow rustdesk_t systemd_passwd_agent_exec_t:file { ioctl lock };
allow rustdesk_t systemd_passwd_agent_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t systemd_passwd_var_run_t:fifo_file { append ioctl link lock read rename setattr write };
allow rustdesk_t systemd_passwd_var_run_t:file { append create link rename setattr watch_reads write };
allow rustdesk_t systemd_passwd_var_run_t:sock_file { ioctl link lock read rename };
allow rustdesk_t systemd_private_tmp_type:dir { remove_name rmdir write };
allow rustdesk_t systemd_private_tmp_type:fifo_file unlink;
allow rustdesk_t systemd_private_tmp_type:file unlink;
allow rustdesk_t systemd_private_tmp_type:lnk_file unlink;
allow rustdesk_t systemd_private_tmp_type:sock_file unlink;
allow rustdesk_t systemd_pstore_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t systemd_resolved_exec_t:file map;
allow rustdesk_t systemd_resolved_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t systemd_rfkill_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t systemd_rfkill_var_lib_t:dir { add_name create link mounton remove_name rename reparent rmdir setattr unlink watch_reads write };
allow rustdesk_t systemd_sleep_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t systemd_socket_proxyd_t:unix_stream_socket connectto;
allow rustdesk_t systemd_sysctl_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t systemd_systemctl_exec_t:file { execute execute_no_trans ioctl lock map open read };
allow rustdesk_t systemd_timedated_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t systemd_timedated_var_lib_t:dir { add_name create link mounton remove_name rename reparent rmdir setattr unlink watch_reads write };
allow rustdesk_t systemd_timedated_var_lib_t:lnk_file read;
allow rustdesk_t systemd_tmpfiles_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t systemd_unit_file_type:dir { add_name create link remove_name rename reparent rmdir setattr unlink watch_reads write };
allow rustdesk_t systemd_unit_file_type:file { append create ioctl link lock open read rename setattr unlink watch_reads write };
allow rustdesk_t systemd_unit_file_type:lnk_file { append create ioctl link lock read rename setattr unlink watch_reads write };
allow rustdesk_t systemd_unit_file_type:service { disable enable reload start status stop };
allow rustdesk_t systemd_userdbd_runtime_t:lnk_file { append create ioctl link lock rename setattr unlink watch_reads write };
allow rustdesk_t systemd_userdbd_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t systemprocess:process { dyntransition siginh };
allow rustdesk_t systemprocess:unix_dgram_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
allow rustdesk_t systemprocess:unix_stream_socket { accept append bind connect create getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow rustdesk_t tangd_db_t:file { ioctl lock open read };
allow rustdesk_t tangd_t:dbus send_msg;
allow rustdesk_t targetclid_t:dbus send_msg;
allow rustdesk_t tcpd_exec_t:file { execute ioctl map open read };
allow rustdesk_t tcpd_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t tcpd_t:process transition;
allow rustdesk_t tcpd_t:tcp_socket { accept append bind connect create getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow rustdesk_t tcpd_t:unix_stream_socket { accept append bind connect create getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow rustdesk_t telnetd_exec_t:file ioctl;
allow rustdesk_t telnetd_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t tftpd_exec_t:file ioctl;
allow rustdesk_t tftpd_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t thin_domain:dbus send_msg;
allow rustdesk_t thumb_t:dbus send_msg;
allow rustdesk_t timedatex_t:dbus send_msg;
allow rustdesk_t tlp_t:dbus send_msg;
allow rustdesk_t tmpfs_t:chr_file { append create ioctl link lock open read rename setattr unlink write };
allow rustdesk_t tmpfs_t:dir { create link rename reparent rmdir setattr unlink watch_reads };
allow rustdesk_t tmpfs_t:file { append create execute execute_no_trans ioctl link lock map open read rename setattr unlink watch_reads write };
allow rustdesk_t tmpfs_t:lnk_file { append create ioctl link lock read rename setattr unlink watch_reads write };
allow rustdesk_t tmpfs_t:sock_file { append create ioctl link lock open read rename setattr unlink write };
allow rustdesk_t tmpreaper_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t tmp_t:dir { create link rename reparent rmdir setattr unlink watch_reads };
allow rustdesk_t tmp_t:fifo_file unlink;
allow rustdesk_t tmp_t:sock_file unlink;
allow rustdesk_t tpm_device_t:chr_file { append ioctl lock open read write };
allow rustdesk_t tty_device_t:chr_file { append ioctl lock open read watch watch_reads write };
allow rustdesk_t ttynode:chr_file { append ioctl lock read write };
allow rustdesk_t udev_rules_t:dir { add_name remove_name write };
allow rustdesk_t udev_rules_t:file { append create ioctl link lock open read rename setattr unlink watch_reads write };
allow rustdesk_t udev_t:netlink_kobject_uevent_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
allow rustdesk_t unconfined_service_t:fifo_file { append getattr ioctl lock open write };
allow rustdesk_t unconfined_service_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t unconfined_service_t:process { siginh transition };
allow rustdesk_t unconfined_service_t:tcp_socket { accept append bind connect create getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow rustdesk_t unconfined_service_t:udp_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
allow rustdesk_t unconfined_service_t:unix_dgram_socket { append bind connect create getattr getopt ioctl lock read setattr setopt shutdown write };
allow rustdesk_t unconfined_service_t:unix_stream_socket { accept append bind connect create getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow rustdesk_t unlabeled_t:file { ioctl lock open read };
allow rustdesk_t unlabeled_t:lnk_file read;
allow rustdesk_t updpwd_exec_t:file { execute ioctl map open read };
allow rustdesk_t updpwd_t:process transition;
allow rustdesk_t urandom_device_t:chr_file { append write };
allow rustdesk_t usbtty_device_t:chr_file { append ioctl lock open read write };
allow rustdesk_t user_devpts_t:chr_file { watch watch_reads };
allow rustdesk_t userdomain:fifo_file { append getattr ioctl lock read write };
allow rustdesk_t userdomain:unix_stream_socket { append bind connect connectto getattr getopt ioctl lock read setattr setopt shutdown write };
allow rustdesk_t userdomain:unix_stream_socket connectto;
allow rustdesk_t user_home_dir_t:lnk_file read;
allow rustdesk_t user_home_t:file unlink;
allow rustdesk_t user_t:fd use;
allow rustdesk_t user_tmp_t:dir { add_name create link remove_name rename reparent rmdir setattr unlink watch_reads write };
allow rustdesk_t user_tmp_t:dir { create link rename reparent rmdir setattr unlink watch_reads };
allow rustdesk_t user_tmp_t:sock_file { append create ioctl link lock open read rename setattr unlink write };
allow rustdesk_t user_tty_device_t:chr_file { open watch watch_reads };
allow rustdesk_t usr_t:dir { add_name remove_name write };
allow rustdesk_t uucpd_exec_t:file ioctl;
allow rustdesk_t uucpd_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t uuidd_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t uuidd_var_run_t:fifo_file { append ioctl link lock read rename setattr write };
allow rustdesk_t uuidd_var_run_t:lnk_file { append create ioctl link lock rename setattr unlink watch_reads write };
allow rustdesk_t uuidd_var_run_t:sock_file { ioctl link lock read rename };
allow rustdesk_t var_lib_nfs_t:file { append create ioctl link lock open read rename setattr unlink watch_reads write };
allow rustdesk_t var_lib_t:dir { add_name create remove_name setattr write };
allow rustdesk_t var_lib_t:dir { create setattr };
allow rustdesk_t var_lib_t:file { append create ioctl link lock open read rename setattr unlink watch_reads write };
allow rustdesk_t var_lib_t:lnk_file { create read write };
allow rustdesk_t var_log_t:dir { add_name create remove_name setattr write };
allow rustdesk_t var_log_t:dir { create setattr };
allow rustdesk_t var_log_t:file { append create ioctl link lock map open read rename setattr unlink watch_reads write };
allow rustdesk_t var_log_t:file { create link map open read rename setattr unlink watch_reads write };
allow rustdesk_t var_log_t:lnk_file { append create ioctl link lock read rename setattr unlink watch_reads write };
allow rustdesk_t var_run_t:file { append execute execute_no_trans write };
allow rustdesk_t var_run_t:lnk_file unlink;
allow rustdesk_t var_spool_t:dir { add_name remove_name write };
allow rustdesk_t var_t:dir { add_name create remove_name setattr write };
allow rustdesk_t var_t:dir { create setattr };
allow rustdesk_t var_t:lnk_file { append create ioctl link lock rename setattr unlink watch_reads write };
allow rustdesk_t virsh_t:dbus send_msg;
allow rustdesk_t virtd_t:unix_stream_socket connectto;
allow rustdesk_t virt_etc_rw_t:file { ioctl lock open read };
allow rustdesk_t virt_etc_rw_t:lnk_file read;
allow rustdesk_t virtio_device_t:chr_file { append ioctl lock open read write };
allow rustdesk_t vnstatd_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t watchdog_device_t:chr_file { append ioctl lock open write };
allow rustdesk_t watchdog_t:dbus send_msg;
allow rustdesk_t wireguard_t:dbus send_msg;
allow rustdesk_t wireless_device_t:chr_file { append ioctl lock open read write };
allow rustdesk_t wtmp_t:file { append ioctl lock open read write };
allow rustdesk_t wtmp_t:file { open read write };
allow rustdesk_t xdm_exec_t:file ioctl;
allow rustdesk_t xdm_t:process2 { nnp_transition nosuid_transition };
allow rustdesk_t xdm_var_lib_t:file { ioctl lock open read };
allow rustdesk_t xdm_var_lib_t:lnk_file read;
allow rustdesk_t xenconsoled_t:dbus send_msg;
allow rustdesk_t xend_t:dbus send_msg;
allow rustdesk_t xguest_t:dbus send_msg;
allow rustdesk_t xserver_port_t:tcp_socket name_connect;
allow rustdesk_t xserver_t:tcp_socket { accept append bind connect create getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow rustdesk_t xserver_t:unix_stream_socket connectto;
rustdesk.fc:
/usr/bin/rustdesk -- gen_context(system_u:object_r:rustdesk_exec_t,s0)
rustdesk.if:
## <summary>RustDesk</summary>
Makefile:
TARGET?=rustdesk
MODULES?=${TARGET:=.pp.bz2}
SHAREDIR?=/usr/share
SELINUXTYPE?=targeted
all: ${TARGET:=.pp.bz2}
%.pp.bz2: %.pp
@echo Compressing $^ -\> $@
bzip2 -9 $^
%.pp: %.te
make -f ${SHAREDIR}/selinux/devel/Makefile $@
clean:
rm -f *~ *.tc *.pp *.pp.bz2
rm -rf tmp *.tar.gz
man: install-policy
sepolicy manpage --path . --domain ${TARGET}_t
install-policy: all
semodule -i ${TARGET}.pp.bz2
install: man
install -D -m 644 ${TARGET}.pp.bz2 ${DESTDIR}${SHAREDIR}/selinux/packages/${SELINUXTYPE}/${TARGET}.pp.bz2
install -D -m 644 ${TARGET}_selinux.8 ${DESTDIR}${SHAREDIR}/man/man8/
Veja o contexto de segurança do RustDesk antes da modificação:
$ ls -lZ /usr/lib/rustdesk/rustdesk
-rwxr-xr-x. 1 root root system_u:object_r:lib_t:s0 25456 Oct 8 19:58 /usr/lib/rustdesk/rustdesk
$ ps -eZ | grep rustdesk
system_u:system_r:init_t:s0 80439 ? 00:00:02 rustdesk
Executar:
$ cd rustdesk-selinux-1.0
$ make
$ sudo make install-policy
$ semodule -l | grep rustdesk
rustdesk
$ sudo chcon -t rustdesk_exec_t /usr/bin/rustdesk
$ sudo systemctl restart rustdesk
Veja o contexto de segurança novamente:
$ ls -lZ /usr/lib/rustdesk/rustdesk
-rwxr-xr-x. 1 root root system_u:object_r:rustdesk_exec_t:s0 25456 Oct 8 19:58 /usr/lib/rustdesk/rustdesk
$ ps -eZ | grep rustdesk
system_u:system_r:rustdesk_t:s0 110565 ? 00:00:00 rustdesk
Você pode usar o comando sepolicy generate:
$ # Instale as dependências
$ sudo dnf install -y rpm rpm-build binutils
$ # Gere a política
$ sepolicy generate --init /usr/lib/rustdesk/rustdesk
$ tree
.
├── rustdesk.fc
├── rustdesk.if
├── rustdesk_selinux.spec
├── rustdesk.sh
└── rustdesk.te
$ # Edite o arquivo rustdesk.te
$
$
$ # Gere o pacote rpm rustdesk_selinux-1.0-1.fc38.src.rpm
$ sudo ./rustdesk.sh
$ # Instale o pacote
$ sudo dnf install -y rustdesk_selinux-1.0-1.fc38.src.rpm
$ # Reinicie o serviço RustDesk
$ sudo systemctl restart rustdesk
$ cd /tmp
$ grep rustdesk_t /var/log/audit/audit.log | audit2allow -a -M rustdesk_tmp
$ cd <rustdesk-selinux-1.0>
$ # merge rustdesk_tmp.te to rustdesk.te
$ make clean && make && sudo make install-policy