From 698c03e74668d47937e8a2a4b705f68aa0df7606 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 28 Mar 2023 12:20:41 +0000 Subject: [PATCH] import tigervnc-1.12.0-12.el9 --- .gitignore | 1 + .tigervnc.metadata | 1 + SOURCES/0001-rpath-hack.patch | 24 + SOURCES/10-libvnc.conf | 19 + ...add-new-keycodes-for-unknown-keysyms.patch | 199 +++ ...rvnc-fix-ghost-cursor-in-zaphod-mode.patch | 117 ++ ...fix-typo-in-mirror-monitor-detection.patch | 34 + .../tigervnc-root-user-selinux-context.patch | 25 + ...heck-when-cleaning-up-keymap-changes.patch | 28 + ...llow-vncsession-create-vnc-directory.patch | 31 + ...ontext-in-case-of-different-policies.patch | 81 ++ ...igervnc-use-gnome-as-default-session.patch | 12 + ...ssion-restore-script-systemd-service.patch | 113 ++ SOURCES/tigervnc-xserver120.patch | 91 ++ SOURCES/vncserver | 897 +++++++++++++ SOURCES/xvnc.service | 38 + SOURCES/xvnc.socket | 9 + SPECS/tigervnc.spec | 1177 +++++++++++++++++ 18 files changed, 2897 insertions(+) create mode 100644 .gitignore create mode 100644 .tigervnc.metadata create mode 100644 SOURCES/0001-rpath-hack.patch create mode 100644 SOURCES/10-libvnc.conf create mode 100644 SOURCES/tigervnc-add-new-keycodes-for-unknown-keysyms.patch create mode 100644 SOURCES/tigervnc-fix-ghost-cursor-in-zaphod-mode.patch create mode 100644 SOURCES/tigervnc-fix-typo-in-mirror-monitor-detection.patch create mode 100644 SOURCES/tigervnc-root-user-selinux-context.patch create mode 100644 SOURCES/tigervnc-sanity-check-when-cleaning-up-keymap-changes.patch create mode 100644 SOURCES/tigervnc-selinux-allow-vncsession-create-vnc-directory.patch create mode 100644 SOURCES/tigervnc-selinux-restore-context-in-case-of-different-policies.patch create mode 100644 SOURCES/tigervnc-use-gnome-as-default-session.patch create mode 100644 SOURCES/tigervnc-vncsession-restore-script-systemd-service.patch create mode 100644 SOURCES/tigervnc-xserver120.patch create mode 100644 SOURCES/vncserver create mode 100644 SOURCES/xvnc.service create mode 100644 SOURCES/xvnc.socket create mode 100644 SPECS/tigervnc.spec diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..4de86f8 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/tigervnc-1.12.0.tar.gz diff --git a/.tigervnc.metadata b/.tigervnc.metadata new file mode 100644 index 0000000..9dbf56a --- /dev/null +++ b/.tigervnc.metadata @@ -0,0 +1 @@ +44db63993d8ad04f730b0b48e8aca32933bff15a SOURCES/tigervnc-1.12.0.tar.gz diff --git a/SOURCES/0001-rpath-hack.patch b/SOURCES/0001-rpath-hack.patch new file mode 100644 index 0000000..4e438dd --- /dev/null +++ b/SOURCES/0001-rpath-hack.patch @@ -0,0 +1,24 @@ +From 2489f2f38eb32d9dd03718a36cbdbdf13d2f8b9b Mon Sep 17 00:00:00 2001 +From: Adam Jackson +Date: Thu, 12 Nov 2015 11:10:11 -0500 +Subject: [PATCH] rpath hack + +Normally, rpath is undesirable. But for the X server we _know_ we need +Mesa's libGL, which will always be in %{_libdir}, and not any third-party +libGL that may be configured using ld.so.conf. + +--- + configure.ac | 1 + + 1 files changed, 1 insertions(+), 0 deletion(-) + +diff --git a/configure.ac b/configure.ac +index fa15a2d..a5af1e0 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1261,6 +1261,7 @@ AM_CONDITIONAL(GLX, test "x$GLX" = xyes) + + AM_CONDITIONAL(HASHTABLE, test "x$HASHTABLE" = xyes) + ++GLX_SYS_LIBS="$GLX_SYS_LIBS -Wl,-rpath=\$(libdir)" + AC_SUBST([GLX_DEFINES]) + AC_SUBST([GLX_SYS_LIBS]) diff --git a/SOURCES/10-libvnc.conf b/SOURCES/10-libvnc.conf new file mode 100644 index 0000000..a053a7d --- /dev/null +++ b/SOURCES/10-libvnc.conf @@ -0,0 +1,19 @@ +# This file contains configuration of libvnc.so module +# +# To get libvnc.so module working, do this: +# 1. run "vncpasswd" from tigervnc-server package as root user +# 2. uncomment configuration lines below +# +# Please note you can specify any option which Xvnc accepts. +# Refer to `Xvnc -help` output for detailed list of options. + +#Section "Module" +# Load "vnc" +#EndSection + +#Section "Screen" +# Identifier "Screen0 +# DefaultDepth 16 +# Option "SecurityTypes" "VncAuth" +# Option "PasswordFile" "/root/.vnc/passwd" +#EndSection diff --git a/SOURCES/tigervnc-add-new-keycodes-for-unknown-keysyms.patch b/SOURCES/tigervnc-add-new-keycodes-for-unknown-keysyms.patch new file mode 100644 index 0000000..d4fd2b3 --- /dev/null +++ b/SOURCES/tigervnc-add-new-keycodes-for-unknown-keysyms.patch @@ -0,0 +1,199 @@ +From ccbd491fa48f1c43daeb1a6c5ee91a1a8fa3db88 Mon Sep 17 00:00:00 2001 +From: Jan Grulich +Date: Tue, 9 Aug 2022 14:31:07 +0200 +Subject: [PATCH] x0vncserver: add new keysym in case we don't find a matching + keycode + +We might often fail to find a matching X11 keycode when the client has +a different keyboard layout and end up with no key event. To avoid a +failure we add it as a new keysym/keycode pair so the next time a keysym +from the client that is unknown to the server is send, we will find a +match and proceed with key event. This is same behavior used in Xvnc or +x11vnc, although Xvnc has more advanced mapping from keysym to keycode. +--- + unix/x0vncserver/XDesktop.cxx | 121 +++++++++++++++++++++++++++++++++- + unix/x0vncserver/XDesktop.h | 4 ++ + 2 files changed, 122 insertions(+), 3 deletions(-) + +diff --git a/unix/x0vncserver/XDesktop.cxx b/unix/x0vncserver/XDesktop.cxx +index f2046e43e..933998f05 100644 +--- a/unix/x0vncserver/XDesktop.cxx ++++ b/unix/x0vncserver/XDesktop.cxx +@@ -31,6 +31,7 @@ + #include + + #include ++#include + #ifdef HAVE_XTEST + #include + #endif +@@ -50,6 +51,7 @@ void vncSetGlueContext(Display *dpy, void *res); + #include + #include + ++using namespace std; + using namespace rfb; + + extern const unsigned short code_map_qnum_to_xorgevdev[]; +@@ -264,6 +266,9 @@ void XDesktop::start(VNCServer* vs) { + void XDesktop::stop() { + running = false; + ++ // Delete added keycodes ++ deleteAddedKeysyms(dpy); ++ + #ifdef HAVE_XDAMAGE + if (haveDamage) + XDamageDestroy(dpy, damage); +@@ -383,6 +388,118 @@ KeyCode XDesktop::XkbKeysymToKeycode(Display* dpy, KeySym keysym) { + } + #endif + ++KeyCode XDesktop::addKeysym(Display* dpy, KeySym keysym) ++{ ++ int types[1]; ++ unsigned int key; ++ XkbDescPtr xkb; ++ XkbMapChangesRec changes; ++ KeySym *syms; ++ KeySym upper, lower; ++ ++ xkb = XkbGetMap(dpy, XkbAllComponentsMask, XkbUseCoreKbd); ++ ++ if (!xkb) ++ return 0; ++ ++ for (key = xkb->max_key_code; key >= xkb->min_key_code; key--) { ++ if (XkbKeyNumGroups(xkb, key) == 0) ++ break; ++ } ++ ++ if (key < xkb->min_key_code) ++ return 0; ++ ++ memset(&changes, 0, sizeof(changes)); ++ ++ XConvertCase(keysym, &lower, &upper); ++ ++ if (upper == lower) ++ types[XkbGroup1Index] = XkbOneLevelIndex; ++ else ++ types[XkbGroup1Index] = XkbAlphabeticIndex; ++ ++ XkbChangeTypesOfKey(xkb, key, 1, XkbGroup1Mask, types, &changes); ++ ++ syms = XkbKeySymsPtr(xkb,key); ++ if (upper == lower) ++ syms[0] = keysym; ++ else { ++ syms[0] = lower; ++ syms[1] = upper; ++ } ++ ++ changes.changed |= XkbKeySymsMask; ++ changes.first_key_sym = key; ++ changes.num_key_syms = 1; ++ ++ if (XkbChangeMap(dpy, xkb, &changes)) { ++ vlog.info("Added unknown keysym %s to keycode %d", XKeysymToString(keysym), key); ++ addedKeysyms[keysym] = key; ++ return key; ++ } ++ ++ return 0; ++} ++ ++void XDesktop::deleteAddedKeysyms(Display* dpy) { ++ XkbDescPtr xkb; ++ xkb = XkbGetMap(dpy, XkbAllComponentsMask, XkbUseCoreKbd); ++ ++ if (!xkb) ++ return; ++ ++ XkbMapChangesRec changes; ++ memset(&changes, 0, sizeof(changes)); ++ ++ KeyCode lowestKeyCode = xkb->max_key_code; ++ KeyCode highestKeyCode = xkb->min_key_code; ++ std::map::iterator it; ++ for (it = addedKeysyms.begin(); it != addedKeysyms.end(); it++) { ++ if (XkbKeyNumGroups(xkb, it->second) != 0) { ++ // Check if we are removing keysym we added ourself ++ if (XkbKeysymToKeycode(dpy, it->first) != it->second) ++ continue; ++ ++ XkbChangeTypesOfKey(xkb, it->second, 0, XkbGroup1Mask, NULL, &changes); ++ ++ if (it->second < lowestKeyCode) ++ lowestKeyCode = it->second; ++ ++ if (it->second > highestKeyCode) ++ highestKeyCode = it->second; ++ } ++ } ++ ++ changes.changed |= XkbKeySymsMask; ++ changes.first_key_sym = lowestKeyCode; ++ changes.num_key_syms = highestKeyCode - lowestKeyCode + 1; ++ XkbChangeMap(dpy, xkb, &changes); ++ ++ addedKeysyms.clear(); ++} ++ ++KeyCode XDesktop::keysymToKeycode(Display* dpy, KeySym keysym) { ++ int keycode = 0; ++ ++ // XKeysymToKeycode() doesn't respect state, so we have to use ++ // something slightly more complex ++ keycode = XkbKeysymToKeycode(dpy, keysym); ++ ++ if (keycode != 0) ++ return keycode; ++ ++ // TODO: try to further guess keycode with all possible mods as Xvnc does ++ ++ keycode = addKeysym(dpy, keysym); ++ ++ if (keycode == 0) ++ vlog.error("Failure adding new keysym 0x%lx", keysym); ++ ++ return keycode; ++} ++ ++ + void XDesktop::keyEvent(rdr::U32 keysym, rdr::U32 xtcode, bool down) { + #ifdef HAVE_XTEST + int keycode = 0; +@@ -398,9 +515,7 @@ void XDesktop::keyEvent(rdr::U32 keysym, rdr::U32 xtcode, bool down) { + if (pressedKeys.find(keysym) != pressedKeys.end()) + keycode = pressedKeys[keysym]; + else { +- // XKeysymToKeycode() doesn't respect state, so we have to use +- // something slightly more complex +- keycode = XkbKeysymToKeycode(dpy, keysym); ++ keycode = keysymToKeycode(dpy, keysym); + } + } + +diff --git a/unix/x0vncserver/XDesktop.h b/unix/x0vncserver/XDesktop.h +index 840d43316..6ebcd9f8a 100644 +--- a/unix/x0vncserver/XDesktop.h ++++ b/unix/x0vncserver/XDesktop.h +@@ -55,6 +55,9 @@ class XDesktop : public rfb::SDesktop, + const char* userName); + virtual void pointerEvent(const rfb::Point& pos, int buttonMask); + KeyCode XkbKeysymToKeycode(Display* dpy, KeySym keysym); ++ KeyCode addKeysym(Display* dpy, KeySym keysym); ++ void deleteAddedKeysyms(Display* dpy); ++ KeyCode keysymToKeycode(Display* dpy, KeySym keysym); + virtual void keyEvent(rdr::U32 keysym, rdr::U32 xtcode, bool down); + virtual void clientCutText(const char* str); + virtual unsigned int setScreenLayout(int fb_width, int fb_height, +@@ -78,6 +81,7 @@ class XDesktop : public rfb::SDesktop, + bool haveXtest; + bool haveDamage; + int maxButtons; ++ std::map addedKeysyms; + std::map pressedKeys; + bool running; + #ifdef HAVE_XDAMAGE diff --git a/SOURCES/tigervnc-fix-ghost-cursor-in-zaphod-mode.patch b/SOURCES/tigervnc-fix-ghost-cursor-in-zaphod-mode.patch new file mode 100644 index 0000000..8e45eb6 --- /dev/null +++ b/SOURCES/tigervnc-fix-ghost-cursor-in-zaphod-mode.patch @@ -0,0 +1,117 @@ +From f783d5c8b567199178b6690f347e060a69d2aa36 Mon Sep 17 00:00:00 2001 +From: Jan Grulich +Date: Thu, 11 Aug 2022 13:15:29 +0200 +Subject: [PATCH] x0vncserver: update/display cursor only on correct screen in + zaphod mode + +We have to check whether we update cursor position/shape only in case +the cursor is on our display, otherwise in zaphod mode, ie. when having +two instances of x0vncserver on screens :0.0 and :0.1 we would be having +the cursor duplicated and actually not funcional (aka ghost cursor) as +it would be actually not present. We also additionally watch EnterNotify +and LeaveNotify events in order to show/hide cursor accordingly. + +Change made with help from Olivier Fourdan +--- + unix/x0vncserver/XDesktop.cxx | 60 +++++++++++++++++++++++++++++++---- + 1 file changed, 53 insertions(+), 7 deletions(-) + +diff --git a/unix/x0vncserver/XDesktop.cxx b/unix/x0vncserver/XDesktop.cxx +index f2046e43e..f07fd78bf 100644 +--- a/unix/x0vncserver/XDesktop.cxx ++++ b/unix/x0vncserver/XDesktop.cxx +@@ -192,7 +192,8 @@ XDesktop::XDesktop(Display* dpy_, Geometry *geometry_) + RRScreenChangeNotifyMask | RRCrtcChangeNotifyMask); + /* Override TXWindow::init input mask */ + XSelectInput(dpy, DefaultRootWindow(dpy), +- PropertyChangeMask | StructureNotifyMask | ExposureMask); ++ PropertyChangeMask | StructureNotifyMask | ++ ExposureMask | EnterWindowMask | LeaveWindowMask); + } else { + #endif + vlog.info("RANDR extension not present"); +@@ -217,11 +218,13 @@ void XDesktop::poll() { + Window root, child; + int x, y, wx, wy; + unsigned int mask; +- XQueryPointer(dpy, DefaultRootWindow(dpy), &root, &child, +- &x, &y, &wx, &wy, &mask); +- x -= geometry->offsetLeft(); +- y -= geometry->offsetTop(); +- server->setCursorPos(rfb::Point(x, y), false); ++ ++ if (XQueryPointer(dpy, DefaultRootWindow(dpy), &root, &child, ++ &x, &y, &wx, &wy, &mask)) { ++ x -= geometry->offsetLeft(); ++ y -= geometry->offsetTop(); ++ server->setCursorPos(rfb::Point(x, y), false); ++ } + } + } + +@@ -253,7 +256,14 @@ void XDesktop::start(VNCServer* vs) { + #endif + + #ifdef HAVE_XFIXES +- setCursor(); ++ Window root, child; ++ int x, y, wx, wy; ++ unsigned int mask; ++ // Check whether the cursor is initially on our screen ++ if (XQueryPointer(dpy, DefaultRootWindow(dpy), &root, &child, ++ &x, &y, &wx, &wy, &mask)) ++ setCursor(); ++ + #endif + + server->setLEDState(ledState); +@@ -701,6 +711,15 @@ bool XDesktop::handleGlobalEvent(XEvent* ev) { + if (cev->subtype != XFixesDisplayCursorNotify) + return false; + ++ Window root, child; ++ int x, y, wx, wy; ++ unsigned int mask; ++ ++ // Check whether the cursor is initially on our screen ++ if (!XQueryPointer(dpy, DefaultRootWindow(dpy), &root, &child, ++ &x, &y, &wx, &wy, &mask)) ++ return false; ++ + return setCursor(); + #endif + #ifdef HAVE_XRANDR +@@ -753,6 +772,33 @@ bool XDesktop::handleGlobalEvent(XEvent* ev) { + + return true; + #endif ++#ifdef HAVE_XFIXES ++ } else if (ev->type == EnterNotify) { ++ XCrossingEvent* cev; ++ ++ if (!running) ++ return true; ++ ++ cev = (XCrossingEvent*)ev; ++ ++ if (cev->window != cev->root) ++ return false; ++ ++ return setCursor(); ++ } else if (ev->type == LeaveNotify) { ++ XCrossingEvent* cev; ++ ++ if (!running) ++ return true; ++ ++ cev = (XCrossingEvent*)ev; ++ ++ if (cev->window == cev->root) ++ return false; ++ ++ server->setCursor(0, 0, Point(), NULL); ++ return true; ++#endif + } + + return false; diff --git a/SOURCES/tigervnc-fix-typo-in-mirror-monitor-detection.patch b/SOURCES/tigervnc-fix-typo-in-mirror-monitor-detection.patch new file mode 100644 index 0000000..9076432 --- /dev/null +++ b/SOURCES/tigervnc-fix-typo-in-mirror-monitor-detection.patch @@ -0,0 +1,34 @@ +From 2daf4126882f82b6e392dfbae87205dbdc559c3d Mon Sep 17 00:00:00 2001 +From: Pierre Ossman +Date: Thu, 23 Dec 2021 15:58:00 +0100 +Subject: [PATCH] Fix typo in mirror monitor detection + +Bug introduced in fb561eb but still somehow passed manual testing. +Resulted in some stray reads off the end of the stack, which were +hopefully harmless. +--- + vncviewer/MonitorIndicesParameter.cxx | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/vncviewer/MonitorIndicesParameter.cxx b/vncviewer/MonitorIndicesParameter.cxx +index 5130831cb..4ac74dd1a 100644 +--- a/vncviewer/MonitorIndicesParameter.cxx ++++ b/vncviewer/MonitorIndicesParameter.cxx +@@ -211,13 +211,13 @@ std::vector MonitorIndicesParameter::fetchMoni + // Only keep a single entry for mirrored screens + match = false; + for (int j = 0; j < ((int) monitors.size()); j++) { +- if (monitors[i].x != monitor.x) ++ if (monitors[j].x != monitor.x) + continue; +- if (monitors[i].y != monitor.y) ++ if (monitors[j].y != monitor.y) + continue; +- if (monitors[i].w != monitor.w) ++ if (monitors[j].w != monitor.w) + continue; +- if (monitors[i].h != monitor.h) ++ if (monitors[j].h != monitor.h) + continue; + + match = true; diff --git a/SOURCES/tigervnc-root-user-selinux-context.patch b/SOURCES/tigervnc-root-user-selinux-context.patch new file mode 100644 index 0000000..67f035f --- /dev/null +++ b/SOURCES/tigervnc-root-user-selinux-context.patch @@ -0,0 +1,25 @@ +From faf81b4b238e24fe29eb53f885a25367e212dd7b Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Mon, 7 Feb 2022 10:45:41 +0100 +Subject: [PATCH] SELinux: use /root/.vnc in file context specification + +Instead of HOME_ROOT/.vnc, /root/.vnc should be used +for user root's home to specify default file context +as HOME_ROOT actually means base for home dirs (usually /home). +--- + unix/vncserver/selinux/vncsession.fc | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/unix/vncserver/selinux/vncsession.fc b/unix/vncserver/selinux/vncsession.fc +index 6aaf4b1f4..bc81f8f25 100644 +--- a/unix/vncserver/selinux/vncsession.fc ++++ b/unix/vncserver/selinux/vncsession.fc +@@ -18,7 +18,7 @@ + # + + HOME_DIR/\.vnc(/.*)? gen_context(system_u:object_r:vnc_home_t,s0) +-HOME_ROOT/\.vnc(/.*)? gen_context(system_u:object_r:vnc_home_t,s0) ++/root/\.vnc(/.*)? gen_context(system_u:object_r:vnc_home_t,s0) + + /usr/sbin/vncsession -- gen_context(system_u:object_r:vnc_session_exec_t,s0) + /usr/libexec/vncsession-start -- gen_context(system_u:object_r:vnc_session_exec_t,s0) diff --git a/SOURCES/tigervnc-sanity-check-when-cleaning-up-keymap-changes.patch b/SOURCES/tigervnc-sanity-check-when-cleaning-up-keymap-changes.patch new file mode 100644 index 0000000..012a741 --- /dev/null +++ b/SOURCES/tigervnc-sanity-check-when-cleaning-up-keymap-changes.patch @@ -0,0 +1,28 @@ +From 774c6bcf33b5c9b94c1ff12895775e77c555decc Mon Sep 17 00:00:00 2001 +From: Pierre Ossman +Date: Thu, 9 Feb 2023 11:30:37 +0100 +Subject: [PATCH] Sanity check when cleaning up keymap changes + +Make sure we don't send a bogus request to the X server in the (common) +case that we don't actually have anything to restore. + +(cherry picked from commit 1e3484f2017f038dd5149cd50741feaf39a680e4) +--- + unix/x0vncserver/XDesktop.cxx | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/unix/x0vncserver/XDesktop.cxx b/unix/x0vncserver/XDesktop.cxx +index d5c6b2db9..f9c810968 100644 +--- a/unix/x0vncserver/XDesktop.cxx ++++ b/unix/x0vncserver/XDesktop.cxx +@@ -481,6 +481,10 @@ void XDesktop::deleteAddedKeysyms(Display* dpy) { + } + } + ++ // Did we actually find something to remove? ++ if (highestKeyCode < lowestKeyCode) ++ return; ++ + changes.changed |= XkbKeySymsMask; + changes.first_key_sym = lowestKeyCode; + changes.num_key_syms = highestKeyCode - lowestKeyCode + 1; diff --git a/SOURCES/tigervnc-selinux-allow-vncsession-create-vnc-directory.patch b/SOURCES/tigervnc-selinux-allow-vncsession-create-vnc-directory.patch new file mode 100644 index 0000000..d6bc61b --- /dev/null +++ b/SOURCES/tigervnc-selinux-allow-vncsession-create-vnc-directory.patch @@ -0,0 +1,31 @@ +From 717d787de8f913070446444e37d552b51f05515e Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Mon, 16 Jan 2023 12:35:40 +0100 +Subject: [PATCH] SELinux: Allow vncsession create ~/.vnc directory + +Addresses the following AVC denial: + +type=PROCTITLE msg=audit(01/12/2023 02:58:12.648:696) : proctitle=/usr/sbin/vncsession fedora :1 +type=PATH msg=audit(01/12/2023 02:58:12.648:696) : item=1 name=/home/fedora/.vnc nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=PATH msg=audit(01/12/2023 02:58:12.648:696) : item=0 name=/home/fedora/ inode=262145 dev=fc:02 mode=dir,700 ouid=fedora ogid=fedora rdev=00:00 obj=unconfined_u:object_r:user_home_dir_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=CWD msg=audit(01/12/2023 02:58:12.648:696) : cwd=/home/fedora +type=SYSCALL msg=audit(01/12/2023 02:58:12.648:696) : arch=x86_64 syscall=mkdir success=no exit=EACCES(Permission denied) a0=0x7fff47d52540 a1=0755 a2=0x0 a3=0x0 items=2 ppid=2869 pid=2880 auid=fedora uid=fedora gid=fedora euid=fedora suid=fedora fsuid=fedora egid=fedora sgid=fedora fsgid=fedora tty=(none) ses=8 comm=vncsession exe=/usr/sbin/vncsession subj=system_u:system_r:vnc_session_t:s0 key=(null) +type=AVC msg=audit(01/12/2023 02:58:12.648:696) : avc: denied { create } for pid=2880 comm=vncsession name=.vnc scontext=system_u:system_r:vnc_session_t:s0 tcontext=system_u:object_r:vnc_home_t:s0 tclass=dir permissive=0 + +Resolves: rhbz#2143704 +--- + unix/vncserver/selinux/vncsession.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/unix/vncserver/selinux/vncsession.te b/unix/vncserver/selinux/vncsession.te +index fb966c14b..680be8ea1 100644 +--- a/unix/vncserver/selinux/vncsession.te ++++ b/unix/vncserver/selinux/vncsession.te +@@ -37,6 +37,7 @@ allow vnc_session_t self:fifo_file rw_fifo_file_perms; + allow vnc_session_t vnc_session_var_run_t:file manage_file_perms; + files_pid_filetrans(vnc_session_t, vnc_session_var_run_t, file) + ++create_dirs_pattern(vnc_session_t, vnc_home_t, vnc_home_t) + manage_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t) + manage_fifo_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t) + manage_sock_files_pattern(vnc_session_t, vnc_home_t, vnc_home_t) diff --git a/SOURCES/tigervnc-selinux-restore-context-in-case-of-different-policies.patch b/SOURCES/tigervnc-selinux-restore-context-in-case-of-different-policies.patch new file mode 100644 index 0000000..48b3a2e --- /dev/null +++ b/SOURCES/tigervnc-selinux-restore-context-in-case-of-different-policies.patch @@ -0,0 +1,81 @@ +From d2d52704624ce841f4a392fccd82079d87ff13b6 Mon Sep 17 00:00:00 2001 +From: Jan Grulich +Date: Thu, 11 Nov 2021 13:52:41 +0100 +Subject: [PATCH] SELinux: restore SELinux context in case of different + policies + +--- + CMakeLists.txt | 13 +++++++++++++ + unix/vncserver/CMakeLists.txt | 2 +- + unix/vncserver/vncsession.c | 16 ++++++++++++++++ + 3 files changed, 30 insertions(+), 1 deletion(-) + +diff --git a/CMakeLists.txt b/CMakeLists.txt +index 50247c7da..1708eb3d8 100644 +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -268,6 +268,19 @@ if(UNIX AND NOT APPLE) + endif() + endif() + ++# Check for SELinux library ++if(UNIX AND NOT APPLE) ++ check_include_files(selinux/selinux.h HAVE_SELINUX_H) ++ if(HAVE_SELINUX_H) ++ set(CMAKE_REQUIRED_LIBRARIES -lselinux) ++ set(CMAKE_REQUIRED_LIBRARIES) ++ set(SELINUX_LIBS selinux) ++ add_definitions("-DHAVE_SELINUX") ++ else() ++ message(WARNING "Could not find SELinux development files") ++ endif() ++endif() ++ + # Generate config.h and make sure the source finds it + configure_file(config.h.in config.h) + add_definitions(-DHAVE_CONFIG_H) +diff --git a/unix/vncserver/CMakeLists.txt b/unix/vncserver/CMakeLists.txt +index f65ccc7db..ae69dc098 100644 +--- a/unix/vncserver/CMakeLists.txt ++++ b/unix/vncserver/CMakeLists.txt +@@ -1,5 +1,5 @@ + add_executable(vncsession vncsession.c) +-target_link_libraries(vncsession ${PAM_LIBS}) ++target_link_libraries(vncsession ${PAM_LIBS} ${SELINUX_LIBS}) + + configure_file(vncserver@.service.in vncserver@.service @ONLY) + configure_file(vncsession-start.in vncsession-start @ONLY) +diff --git a/unix/vncserver/vncsession.c b/unix/vncserver/vncsession.c +index 3573e5e9b..f6d2fd59e 100644 +--- a/unix/vncserver/vncsession.c ++++ b/unix/vncserver/vncsession.c +@@ -37,6 +37,11 @@ + #include + #include + ++#ifdef HAVE_SELINUX ++#include ++#include ++#endif ++ + extern char **environ; + + // PAM service name +@@ -360,6 +365,17 @@ redir_stdio(const char *homedir, const char *display) + syslog(LOG_CRIT, "Failure creating \"%s\": %s", logfile, strerror(errno)); + _exit(EX_OSERR); + } ++ ++#ifdef HAVE_SELINUX ++ int result; ++ if (selinux_file_context_verify(logfile, 0) == 0) { ++ result = selinux_restorecon(logfile, SELINUX_RESTORECON_RECURSE); ++ ++ if (result < 0) { ++ syslog(LOG_WARNING, "Failure restoring SELinux context for \"%s\": %s", logfile, strerror(errno)); ++ } ++ } ++#endif + } + + hostlen = sysconf(_SC_HOST_NAME_MAX); diff --git a/SOURCES/tigervnc-use-gnome-as-default-session.patch b/SOURCES/tigervnc-use-gnome-as-default-session.patch new file mode 100644 index 0000000..a767c40 --- /dev/null +++ b/SOURCES/tigervnc-use-gnome-as-default-session.patch @@ -0,0 +1,12 @@ +diff --git a/unix/vncserver/vncserver-config-defaults b/unix/vncserver/vncserver-config-defaults +index 0c217bf..2889347 100644 +--- a/unix/vncserver/vncserver-config-defaults ++++ b/unix/vncserver/vncserver-config-defaults +@@ -13,3 +13,7 @@ + # geometry=2000x1200 + # localhost + # alwaysshared ++ ++# Default to GNOME session ++# Note: change this only when you know what are you doing ++session=gnome diff --git a/SOURCES/tigervnc-vncsession-restore-script-systemd-service.patch b/SOURCES/tigervnc-vncsession-restore-script-systemd-service.patch new file mode 100644 index 0000000..cea1824 --- /dev/null +++ b/SOURCES/tigervnc-vncsession-restore-script-systemd-service.patch @@ -0,0 +1,113 @@ +From 1919a8ab86c99b47ba86dc697abcdf3343b0aafa Mon Sep 17 00:00:00 2001 +From: Jan Grulich +Date: Tue, 1 Feb 2022 14:31:05 +0100 +Subject: Add vncsession-restore script to restore SELinux context + +The vncsession-restore script is used in the ExecStartPre option +for systemd service file in order to properly start the session +in case the policy is updated (e.g. after Tigervnc update). + +diff --git a/unix/vncserver/CMakeLists.txt b/unix/vncserver/CMakeLists.txt +index ae69dc09..04eb6fc4 100644 +--- a/unix/vncserver/CMakeLists.txt ++++ b/unix/vncserver/CMakeLists.txt +@@ -2,6 +2,7 @@ add_executable(vncsession vncsession.c) + target_link_libraries(vncsession ${PAM_LIBS} ${SELINUX_LIBS}) + + configure_file(vncserver@.service.in vncserver@.service @ONLY) ++configure_file(vncsession-restore.in vncsession-restore @ONLY) + configure_file(vncsession-start.in vncsession-start @ONLY) + configure_file(vncserver.in vncserver @ONLY) + configure_file(vncsession.man.in vncsession.man @ONLY) +@@ -20,4 +21,5 @@ install(FILES HOWTO.md DESTINATION ${CMAKE_INSTALL_FULL_DOCDIR}) + if(INSTALL_SYSTEMD_UNITS) + install(FILES ${CMAKE_CURRENT_BINARY_DIR}/vncserver@.service DESTINATION ${CMAKE_INSTALL_FULL_UNITDIR}) + install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/vncsession-start DESTINATION ${CMAKE_INSTALL_FULL_LIBEXECDIR}) ++ install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/vncsession-restore DESTINATION ${CMAKE_INSTALL_FULL_LIBEXECDIR}) + endif() +diff --git a/unix/vncserver/vncserver@.service.in b/unix/vncserver/vncserver@.service.in +index 39f81b73..a83e05a3 100644 +--- a/unix/vncserver/vncserver@.service.in ++++ b/unix/vncserver/vncserver@.service.in +@@ -35,6 +35,7 @@ After=syslog.target network.target + + [Service] + Type=forking ++ExecStartPre=+@CMAKE_INSTALL_FULL_LIBEXECDIR@/vncsession-restore %i + ExecStart=@CMAKE_INSTALL_FULL_LIBEXECDIR@/vncsession-start %i + PIDFile=/run/vncsession-%i.pid + SELinuxContext=system_u:system_r:vnc_session_t:s0 +diff --git a/unix/vncserver/vncsession-restore.in b/unix/vncserver/vncsession-restore.in +new file mode 100644 +index 00000000..d3abc57d +--- /dev/null ++++ b/unix/vncserver/vncsession-restore.in +@@ -0,0 +1,68 @@ ++#!/bin/bash ++# ++# Copyright 2022 Jan Grulich ++# ++# This is free software; you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation; either version 2 of the License, or ++# (at your option) any later version. ++# ++# This software is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this software; if not, write to the Free Software ++# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, ++# USA. ++# ++ ++USERSFILE="@CMAKE_INSTALL_FULL_SYSCONFDIR@/tigervnc/vncserver.users" ++ ++if [ $# -ne 1 ]; then ++ echo "Syntax:" >&2 ++ echo " $0 " >&2 ++ exit 1 ++fi ++ ++if [ ! -f "${USERSFILE}" ]; then ++ echo "Users file ${USERSFILE} missing" >&2 ++ exit 1 ++fi ++ ++DISPLAY="$1" ++ ++USER=`grep "^ *${DISPLAY}=" "${USERSFILE}" 2>/dev/null | head -1 | cut -d = -f 2- | sed 's/ *$//g'` ++ ++if [ -z "${USER}" ]; then ++ echo "No user configured for display ${DISPLAY}" >&2 ++ exit 1 ++fi ++ ++USER_HOMEDIR=`getent passwd ${USER} | cut -f6 -d:` ++ ++if [ -z "${USER_HOMEDIR}" ]; then ++ echo "Failed to get home directory for ${USER}" >&2 ++ exit 1 ++fi ++ ++if [ ! -d "${USER_HOMEDIR}/.vnc" ]; then ++ exit 0 ++fi ++ ++MATCHPATHCON=`which matchpathcon` ++ ++if [ $? -eq 0 ]; then ++ ${MATCHPATHCON} -V "${USER_HOMEDIR}/.vnc" &>/dev/null ++ if [ $? -eq 0 ]; then ++ exit 0 ++ fi ++fi ++ ++RESTORECON=`which restorecon` ++ ++if [ $? -eq 0 ]; then ++ exec "${RESTORECON}" -R "${USER_HOMEDIR}/.vnc" >&2 ++ return $? ++fi diff --git a/SOURCES/tigervnc-xserver120.patch b/SOURCES/tigervnc-xserver120.patch new file mode 100644 index 0000000..e7eae3c --- /dev/null +++ b/SOURCES/tigervnc-xserver120.patch @@ -0,0 +1,91 @@ +diff -up xserver/configure.ac.xserver116-rebased xserver/configure.ac +--- xserver/configure.ac.xserver116-rebased 2016-09-29 13:14:45.595441590 +0200 ++++ xserver/configure.ac 2016-09-29 13:14:45.631442006 +0200 +@@ -74,6 +74,7 @@ dnl forcing an entire recompile.x + AC_CONFIG_HEADERS(include/version-config.h) + + AM_PROG_AS ++AC_PROG_CXX + AC_PROG_LN_S + LT_PREREQ([2.2]) + LT_INIT([disable-static win32-dll]) +@@ -1863,6 +1864,10 @@ if test "x$XVFB" = xyes; then + AC_SUBST([XVFB_SYS_LIBS]) + fi + ++dnl Xvnc DDX ++AC_SUBST([XVNC_CPPFLAGS], ["-DHAVE_DIX_CONFIG_H $XSERVER_CFLAGS"]) ++AC_SUBST([XVNC_LIBS], ["$FB_LIB $FIXES_LIB $XEXT_LIB $CONFIG_LIB $DBE_LIB $RECORD_LIB $GLX_LIBS $RANDR_LIB $RENDER_LIB $DAMAGE_LIB $DRI3_LIB $PRESENT_LIB $MIEXT_SYNC_LIB $MIEXT_DAMAGE_LIB $MIEXT_SHADOW_LIB $XI_LIB $XKB_LIB $XKB_STUB_LIB $COMPOSITE_LIB $MAIN_LIB"]) ++AC_SUBST([XVNC_SYS_LIBS], ["$GLX_SYS_LIBS"]) + + dnl Xnest DDX + +@@ -1898,6 +1903,8 @@ if test "x$XORG" = xauto; then + fi + AC_MSG_RESULT([$XORG]) + ++AC_DEFINE_UNQUOTED(XORG_VERSION_CURRENT, [$VENDOR_RELEASE], [Current Xorg version]) ++ + if test "x$XORG" = xyes; then + XORG_DDXINCS='-I$(top_srcdir)/hw/xfree86 -I$(top_srcdir)/hw/xfree86/include -I$(top_srcdir)/hw/xfree86/common' + XORG_OSINCS='-I$(top_srcdir)/hw/xfree86/os-support -I$(top_srcdir)/hw/xfree86/os-support/bus -I$(top_srcdir)/os' +@@ -2116,7 +2123,6 @@ if test "x$XORG" = xyes; then + AC_DEFINE(XORG_SERVER, 1, [Building Xorg server]) + AC_DEFINE(XORGSERVER, 1, [Building Xorg server]) + AC_DEFINE(XFree86Server, 1, [Building XFree86 server]) +- AC_DEFINE_UNQUOTED(XORG_VERSION_CURRENT, [$VENDOR_RELEASE], [Current Xorg version]) + AC_DEFINE(NEED_XF86_TYPES, 1, [Need XFree86 typedefs]) + AC_DEFINE(NEED_XF86_PROTOTYPES, 1, [Need XFree86 helper functions]) + AC_DEFINE(__XSERVERNAME__, "Xorg", [Name of X server]) +@@ -2691,6 +2697,7 @@ hw/dmx/Makefile + hw/dmx/man/Makefile + hw/vfb/Makefile + hw/vfb/man/Makefile ++hw/vnc/Makefile + hw/xnest/Makefile + hw/xnest/man/Makefile + hw/xwin/Makefile +diff -up xserver/hw/Makefile.am.xserver116-rebased xserver/hw/Makefile.am +--- xserver/hw/Makefile.am.xserver116-rebased 2016-09-29 13:14:45.601441659 +0200 ++++ xserver/hw/Makefile.am 2016-09-29 13:14:45.631442006 +0200 +@@ -38,7 +38,8 @@ SUBDIRS = \ + $(DMX_SUBDIRS) \ + $(KDRIVE_SUBDIRS) \ + $(XQUARTZ_SUBDIRS) \ +- $(XWAYLAND_SUBDIRS) ++ $(XWAYLAND_SUBDIRS) \ ++ vnc + + DIST_SUBDIRS = dmx xfree86 vfb xnest xwin xquartz kdrive xwayland + +diff --git xserver/mi/miinitext.c xserver/mi/miinitext.c +index 5596e21..003fc3c 100644 +--- xserver/mi/miinitext.c ++++ xserver/mi/miinitext.c +@@ -107,8 +107,15 @@ SOFTWARE. + #include "os.h" + #include "globals.h" + ++#ifdef TIGERVNC ++extern void vncExtensionInit(INITARGS); ++#endif ++ + /* List of built-in (statically linked) extensions */ + static const ExtensionModule staticExtensions[] = { ++#ifdef TIGERVNC ++ {vncExtensionInit, "VNC-EXTENSION", NULL}, ++#endif + {GEExtensionInit, "Generic Event Extension", &noGEExtension}, + {ShapeExtensionInit, "SHAPE", NULL}, + #ifdef MITSHM +--- xserver/include/os.h~ 2016-10-03 09:07:29.000000000 +0200 ++++ xserver/include/os.h 2016-10-03 14:13:00.013654506 +0200 +@@ -621,7 +621,7 @@ + extern _X_EXPORT void + LogClose(enum ExitCode error); + extern _X_EXPORT Bool +-LogSetParameter(LogParameter param, int value); ++LogSetParameter(enum _LogParameter param, int value); + extern _X_EXPORT void + LogVWrite(int verb, const char *f, va_list args) + _X_ATTRIBUTE_PRINTF(2, 0); diff --git a/SOURCES/vncserver b/SOURCES/vncserver new file mode 100644 index 0000000..3bc8d3a --- /dev/null +++ b/SOURCES/vncserver @@ -0,0 +1,897 @@ +#!/usr/bin/perl +# +# Copyright (C) 2009-2010 D. R. Commander. All Rights Reserved. +# Copyright (C) 2005-2006 Sun Microsystems, Inc. All Rights Reserved. +# Copyright (C) 2002-2003 Constantin Kaplinsky. All Rights Reserved. +# Copyright (C) 2002-2005 RealVNC Ltd. +# Copyright (C) 1999 AT&T Laboratories Cambridge. All Rights Reserved. +# +# This is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This software is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this software; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, +# USA. +# + +# +# vncserver - wrapper script to start an X VNC server. +# + +# First make sure we're operating in a sane environment. +$exedir = ""; +$slashndx = rindex($0, "/"); +if($slashndx>=0) { + $exedir = substr($0, 0, $slashndx+1); +} + +&SanityCheck(); + +&NotifyAboutDeprecation(); + +# +# Global variables. You may want to configure some of these for +# your site +# + +$geometry = "1024x768"; +#$depth = 16; + +$vncUserDir = "$ENV{HOME}/.vnc"; +$vncUserConfig = "$vncUserDir/config"; + +$vncSystemConfigDir = "/etc/tigervnc"; +$vncSystemConfigDefaultsFile = "$vncSystemConfigDir/vncserver-config-defaults"; +$vncSystemConfigMandatoryFile = "$vncSystemConfigDir/vncserver-config-mandatory"; + +$skipxstartup = 0; +$xauthorityFile = "$ENV{XAUTHORITY}" || "$ENV{HOME}/.Xauthority"; + +$xstartupFile = $vncUserDir . "/xstartup"; +$defaultXStartup + = ("#!/bin/sh\n\n". + "unset SESSION_MANAGER\n". + "unset DBUS_SESSION_BUS_ADDRESS\n". + "/etc/X11/xinit/xinitrc\n". + "# Assume either Gnome will be started by default when installed\n". + "# We want to kill the session automatically in this case when user logs out. In case you modify\n". + "# /etc/X11/xinit/Xclients or ~/.Xclients yourself to achieve a different result, then you should\n". + "# be responsible to modify below code to avoid that your session will be automatically killed\n". + "if [ -e /usr/bin/gnome-session ]; then\n". + " vncserver -kill \$DISPLAY\n". + "fi\n"); + +$defaultConfig + = ("## Supported server options to pass to vncserver upon invocation can be listed\n". + "## in this file. See the following manpages for more: vncserver(1) Xvnc(1).\n". + "## Several common ones are shown below. Uncomment and modify to your liking.\n". + "##\n". + "# securitytypes=vncauth,tlsvnc\n". + "# desktop=sandbox\n". + "# geometry=2000x1200\n". + "# localhost\n". + "# alwaysshared\n"); + +chop($host = `uname -n`); + +if (-d "/etc/X11/fontpath.d") { + $fontPath = "catalogue:/etc/X11/fontpath.d"; +} + +@fontpaths = ('/usr/share/X11/fonts', '/usr/share/fonts', '/usr/share/fonts/X11/'); +if (! -l "/usr/lib/X11") {push(@fontpaths, '/usr/lib/X11/fonts');} +if (! -l "/usr/X11") {push(@fontpaths, '/usr/X11/lib/X11/fonts');} +if (! -l "/usr/X11R6") {push(@fontpaths, '/usr/X11R6/lib/X11/fonts');} +push(@fontpaths, '/usr/share/fonts/default'); + +@fonttypes = ('misc', + '75dpi', + '100dpi', + 'Speedo', + 'Type1'); + +foreach $_fpath (@fontpaths) { + foreach $_ftype (@fonttypes) { + if (-f "$_fpath/$_ftype/fonts.dir") { + if (! -l "$_fpath/$_ftype") { + $defFontPath .= "$_fpath/$_ftype,"; + } + } + } +} + +if ($defFontPath) { + if (substr($defFontPath, -1, 1) == ',') { + chop $defFontPath; + } +} + +if ($fontPath eq "") { + $fontPath = $defFontPath; +} + +# Check command line options + +&ParseOptions("-geometry",1,"-depth",1,"-pixelformat",1,"-name",1,"-kill",1, + "-help",0,"-h",0,"--help",0,"-fp",1,"-list",0,"-fg",0,"-autokill",0,"-noxstartup",0,"-xstartup",1); + +&Usage() if ($opt{'-help'} || $opt{'-h'} || $opt{'--help'}); + +&Kill() if ($opt{'-kill'}); + +&List() if ($opt{'-list'}); + +# Uncomment this line if you want default geometry, depth and pixelformat +# to match the current X display: +# &GetXDisplayDefaults(); + +if ($opt{'-geometry'}) { + $geometry = $opt{'-geometry'}; +} +if ($opt{'-depth'}) { + $depth = $opt{'-depth'}; + $pixelformat = ""; +} +if ($opt{'-pixelformat'}) { + $pixelformat = $opt{'-pixelformat'}; +} +if ($opt{'-noxstartup'}) { + $skipxstartup = 1; +} +if ($opt{'-xstartup'}) { + $xstartupFile = $opt{'-xstartup'}; +} +if ($opt{'-fp'}) { + $fontPath = $opt{'-fp'}; + $fpArgSpecified = 1; +} + +&CheckGeometryAndDepth(); + +# Create the user's vnc directory if necessary. +if (!(-e $vncUserDir)) { + if (!mkdir($vncUserDir,0755)) { + die "$prog: Could not create $vncUserDir.\n"; + } +} + +# Find display number. +if ((@ARGV > 0) && ($ARGV[0] =~ /^:(\d+)$/)) { + $displayNumber = $1; + shift(@ARGV); + if (!&CheckDisplayNumber($displayNumber)) { + warn "A VNC server is already running as :$displayNumber\n"; + $displayNumber = &GetDisplayNumber(); + } +} elsif ((@ARGV > 0) && ($ARGV[0] !~ /^-/) && ($ARGV[0] !~ /^\+/)) { + &Usage(); +} else { + $displayNumber = &GetDisplayNumber(); +} + +$vncPort = 5900 + $displayNumber; + +if ($opt{'-name'}) { + $desktopName = $opt{'-name'}; +} else { + $desktopName = "$host:$displayNumber ($ENV{USER})"; +} + +my %default_opts; +my %config; + +# We set some reasonable defaults. Config file settings +# override these where present. +$default_opts{desktop} = "edString($desktopName); +$default_opts{auth} = "edString($xauthorityFile); +$default_opts{geometry} = $geometry if ($geometry); +$default_opts{depth} = $depth if ($depth); +$default_opts{pixelformat} = $pixelformat if ($pixelformat); +$default_opts{rfbauth} = "$vncUserDir/passwd"; +$default_opts{rfbport} = $vncPort; +$default_opts{fp} = $fontPath if ($fontPath); +$default_opts{pn} = ""; + +# Load user-overrideable system defaults +LoadConfig($vncSystemConfigDefaultsFile); + +# Then the user's settings +LoadConfig($vncUserConfig); + +# And then override anything set above if mandatory settings exist. +# WARNING: "Mandatory" is used loosely here! As the man page says, +# there is nothing stopping someone from EASILY subverting the +# settings in $vncSystemConfigMandatoryFile by simply passing +# CLI args to vncserver, which trump config files! To properly +# hard force policy in a non-subvertible way would require major +# development work that touches Xvnc itself. +LoadConfig($vncSystemConfigMandatoryFile, 1); + +# +# Check whether VNC authentication is enabled, and if so, prompt the user to +# create a VNC password if they don't already have one. +# + +$securityTypeArgSpecified = 0; +$vncAuthEnabled = 0; +$passwordArgSpecified = 0; +@vncAuthStrings = ("vncauth", "tlsvnc", "x509vnc"); + +# ...first we check our configuration files' settings +if ($config{'securitytypes'}) { + $securityTypeArgSpecified = 1; + foreach $arg2 (split(',', $config{'securitytypes'})) { + if (grep {$_ eq lc($arg2)} @vncAuthStrings) { + $vncAuthEnabled = 1; + } + } +} + +# ...and finally we check CLI args, which in the case of the topic at +# hand (VNC auth or not), override anything found in configuration files +# (even so-called "mandatory" settings). +for ($i = 0; $i < @ARGV; ++$i) { + # -SecurityTypes can be followed by a space or "=" + my @splitargs = split('=', $ARGV[$i]); + if (@splitargs <= 1 && $i < @ARGV - 1) { + push(@splitargs, $ARGV[$i + 1]); + } + if (lc(@splitargs[0]) eq "-securitytypes") { + if (@splitargs > 1) { + $securityTypeArgSpecified = 1; + } + foreach $arg2 (split(',', @splitargs[1])) { + if (grep {$_ eq lc($arg2)} @vncAuthStrings) { + $vncAuthEnabled = 1; + } + } + } + if ((lc(@splitargs[0]) eq "-password") + || (lc(@splitargs[0]) eq "-passwordfile" + || (lc(@splitargs[0]) eq "-rfbauth"))) { + $passwordArgSpecified = 1; + } +} + +if ((!$securityTypeArgSpecified || $vncAuthEnabled) && !$passwordArgSpecified) { + ($z,$z,$mode) = stat("$vncUserDir/passwd"); + if (!(-e "$vncUserDir/passwd") || ($mode & 077)) { + warn "\nYou will require a password to access your desktops.\n\n"; + system($exedir."vncpasswd -q $vncUserDir/passwd"); + if (($? >> 8) != 0) { + exit 1; + } + } +} + +$desktopLog = "$vncUserDir/$host:$displayNumber.log"; +unlink($desktopLog); + +# Make an X server cookie and set up the Xauthority file +# mcookie is a part of util-linux, usually only GNU/Linux systems have it. +$cookie = `mcookie`; +# Fallback for non GNU/Linux OS - use /dev/urandom on systems that have it, +# otherwise use perl's random number generator, seeded with the sum +# of the current time, our PID and part of the encrypted form of the password. +if ($cookie eq "" && open(URANDOM, '<', '/dev/urandom')) { + my $randata; + if (sysread(URANDOM, $randata, 16) == 16) { + $cookie = unpack 'h*', $randata; + } + close(URANDOM); +} +if ($cookie eq "") { + srand(time+$$+unpack("L",`cat $vncUserDir/passwd`)); + for (1..16) { + $cookie .= sprintf("%02x", int(rand(256)) % 256); + } +} + +open(XAUTH, "|xauth -f $xauthorityFile source -"); +print XAUTH "add $host:$displayNumber . $cookie\n"; +print XAUTH "add $host/unix:$displayNumber . $cookie\n"; +close(XAUTH); + +# Now start the X VNC Server + +# We build up our Xvnc command with options +$cmd = $exedir."Xvnc :$displayNumber"; + +foreach my $k (sort keys %config) { + $cmd .= " -$k $config{$k}"; + delete $default_opts{$k}; # file options take precedence +} + +foreach my $k (sort keys %default_opts) { + $cmd .= " -$k $default_opts{$k}"; +} + +# Add color database stuff here, e.g.: +# $cmd .= " -co /usr/lib/X11/rgb"; + +foreach $arg (@ARGV) { + $cmd .= " " . "edString($arg); +} +$cmd .= " >> " . "edString($desktopLog) . " 2>&1"; + +# Run $cmd and record the process ID. +$pidFile = "$vncUserDir/$host:$displayNumber.pid"; +system("$cmd & echo \$! >$pidFile"); + +# Give Xvnc a chance to start up + +sleep(3); +if ($fontPath ne $defFontPath) { + unless (kill 0, `cat $pidFile`) { + if ($fpArgSpecified) { + warn "\nWARNING: The first attempt to start Xvnc failed, probably because the font\n"; + warn "path you specified using the -fp argument is incorrect. Attempting to\n"; + warn "determine an appropriate font path for this system and restart Xvnc using\n"; + warn "that font path ...\n"; + } else { + warn "\nWARNING: The first attempt to start Xvnc failed, possibly because the font\n"; + warn "catalog is not properly configured. Attempting to determine an appropriate\n"; + warn "font path for this system and restart Xvnc using that font path ...\n"; + } + $cmd =~ s@-fp [^ ]+@@; + $cmd .= " -fp $defFontPath" if ($defFontPath); + system("$cmd & echo \$! >$pidFile"); + sleep(3); + } +} +unless (kill 0, `cat $pidFile`) { + warn "Could not start Xvnc.\n\n"; + unlink $pidFile; + open(LOG, "<$desktopLog"); + while () { print; } + close(LOG); + die "\n"; +} + +warn "\nNew '$desktopName' desktop is $host:$displayNumber\n\n"; + +# Create the user's xstartup script if necessary. +if (! $skipxstartup) { + if (!(-e "$xstartupFile")) { + warn "Creating default startup script $xstartupFile\n"; + open(XSTARTUP, ">$xstartupFile"); + print XSTARTUP $defaultXStartup; + close(XSTARTUP); + chmod 0755, "$xstartupFile"; + } +} + +# Create the user's config file if necessary. +if (!(-e "$vncUserDir/config")) { + warn "Creating default config $vncUserDir/config\n"; + open(VNCUSERCONFIG, ">$vncUserDir/config"); + print VNCUSERCONFIG $defaultConfig; + close(VNCUSERCONFIG); + chmod 0644, "$vncUserDir/config"; +} + +# Run the X startup script. +if (! $skipxstartup) { + warn "Starting applications specified in $xstartupFile\n"; +} +warn "Log file is $desktopLog\n\n"; + +# If the unix domain socket exists then use that (DISPLAY=:n) otherwise use +# TCP (DISPLAY=host:n) + +if (-e "/tmp/.X11-unix/X$displayNumber" || + -e "/usr/spool/sockets/X11/$displayNumber") +{ + $ENV{DISPLAY}= ":$displayNumber"; +} else { + $ENV{DISPLAY}= "$host:$displayNumber"; +} +$ENV{VNCDESKTOP}= $desktopName; + +if ($opt{'-fg'}) { + if (! $skipxstartup) { + system("$xstartupFile >> " . "edString($desktopLog) . " 2>&1"); + } + if (kill 0, `cat $pidFile`) { + $opt{'-kill'} = ':'.$displayNumber; + &Kill(); + } +} else { + if ($opt{'-autokill'}) { + if (! $skipxstartup) { + system("($xstartupFile; $0 -kill :$displayNumber) >> " + . "edString($desktopLog) . " 2>&1 &"); + } + } else { + if (! $skipxstartup) { + system("$xstartupFile >> " . "edString($desktopLog) + . " 2>&1 &"); + } + } +} + +exit; + +############################################################################### +# Functions +############################################################################### + +# +# Populate the global %config hash with settings from a specified +# vncserver configuration file if it exists +# +# Args: 1. file path +# 2. optional boolean flag to enable warning when a previously +# set configuration setting is being overridden +# +sub LoadConfig { + local ($configFile, $warnoverride) = @_; + local ($toggle) = undef; + + if (stat($configFile)) { + if (open(IN, $configFile)) { + while () { + next if /^#/; + if (my ($k, $v) = /^\s*(\w+)\s*=\s*(.+)$/) { + $k = lc($k); # must normalize key case + if ($k eq "session") { + next; + } + if ($warnoverride && $config{$k}) { + print("Warning: $configFile is overriding previously defined '$k' to be '$v'\n"); + } + $config{$k} = $v; + } elsif ($_ =~ m/^\s*(\S+)/) { + # We can't reasonably warn on override of toggles (e.g. AlwaysShared) + # because it would get crazy to do so. We'd have to check if the + # current config file being loaded defined the logical opposite setting + # (NeverShared vs. AlwaysShared, etc etc). + $toggle = lc($1); # must normalize key case + $config{$toggle} = $k; + } + } + close(IN); + } + } +} + +# +# CheckGeometryAndDepth simply makes sure that the geometry and depth values +# are sensible. +# + +sub CheckGeometryAndDepth +{ + if ($geometry =~ /^(\d+)x(\d+)$/) { + $width = $1; $height = $2; + + if (($width<1) || ($height<1)) { + die "$prog: geometry $geometry is invalid\n"; + } + + $geometry = "${width}x$height"; + } else { + die "$prog: geometry $geometry is invalid\n"; + } + + if ($depth && (($depth < 8) || ($depth > 32))) { + die "Depth must be between 8 and 32\n"; + } +} + + +# +# GetDisplayNumber gets the lowest available display number. A display number +# n is taken if something is listening on the VNC server port (5900+n) or the +# X server port (6000+n). +# + +sub GetDisplayNumber +{ + foreach $n (1..99) { + if (&CheckDisplayNumber($n)) { + return $n+0; # Bruce Mah's workaround for bug in perl 5.005_02 + } + } + + die "$prog: no free display number on $host.\n"; +} + + +# +# CheckDisplayNumber checks if the given display number is available. A +# display number n is taken if something is listening on the VNC server port +# (5900+n) or the X server port (6000+n). +# + +sub CheckDisplayNumber +{ + local ($n) = @_; + + socket(S, $AF_INET, $SOCK_STREAM, 0) || die "$prog: socket failed: $!\n"; + eval 'setsockopt(S, &SOL_SOCKET, &SO_REUSEADDR, pack("l", 1))'; + if (!bind(S, pack('S n x12', $AF_INET, 6000 + $n))) { + close(S); + return 0; + } + close(S); + + socket(S, $AF_INET, $SOCK_STREAM, 0) || die "$prog: socket failed: $!\n"; + eval 'setsockopt(S, &SOL_SOCKET, &SO_REUSEADDR, pack("l", 1))'; + if (!bind(S, pack('S n x12', $AF_INET, 5900 + $n))) { + close(S); + return 0; + } + close(S); + + if (-e "/tmp/.X$n-lock") { + warn "\nWarning: $host:$n is taken because of /tmp/.X$n-lock\n"; + warn "Remove this file if there is no X server $host:$n\n"; + return 0; + } + + if (-e "/tmp/.X11-unix/X$n") { + warn "\nWarning: $host:$n is taken because of /tmp/.X11-unix/X$n\n"; + warn "Remove this file if there is no X server $host:$n\n"; + return 0; + } + + if (-e "/usr/spool/sockets/X11/$n") { + warn("\nWarning: $host:$n is taken because of ". + "/usr/spool/sockets/X11/$n\n"); + warn "Remove this file if there is no X server $host:$n\n"; + return 0; + } + + return 1; +} + + +# +# GetXDisplayDefaults uses xdpyinfo to find out the geometry, depth and pixel +# format of the current X display being used. If successful, it sets the +# options as appropriate so that the X VNC server will use the same settings +# (minus an allowance for window manager decorations on the geometry). Using +# the same depth and pixel format means that the VNC server won't have to +# translate pixels when the desktop is being viewed on this X display (for +# TrueColor displays anyway). +# + +sub GetXDisplayDefaults +{ + local (@lines, @matchlines, $width, $height, $defaultVisualId, $i, + $red, $green, $blue); + + $wmDecorationWidth = 4; # a guess at typical size for window manager + $wmDecorationHeight = 24; # decoration size + + return if (!defined($ENV{DISPLAY})); + + @lines = `xdpyinfo 2>/dev/null`; + + return if ($? != 0); + + @matchlines = grep(/dimensions/, @lines); + if (@matchlines) { + ($width, $height) = ($matchlines[0] =~ /(\d+)x(\d+) pixels/); + + $width -= $wmDecorationWidth; + $height -= $wmDecorationHeight; + + $geometry = "${width}x$height"; + } + + @matchlines = grep(/default visual id/, @lines); + if (@matchlines) { + ($defaultVisualId) = ($matchlines[0] =~ /id:\s+(\S+)/); + + for ($i = 0; $i < @lines; $i++) { + if ($lines[$i] =~ /^\s*visual id:\s+$defaultVisualId$/) { + if (($lines[$i+1] !~ /TrueColor/) || + ($lines[$i+2] !~ /depth/) || + ($lines[$i+4] !~ /red, green, blue masks/)) + { + return; + } + last; + } + } + + return if ($i >= @lines); + + ($depth) = ($lines[$i+2] =~ /depth:\s+(\d+)/); + ($red,$green,$blue) + = ($lines[$i+4] + =~ /masks:\s+0x([0-9a-f]+), 0x([0-9a-f]+), 0x([0-9a-f]+)/); + + $red = hex($red); + $green = hex($green); + $blue = hex($blue); + + if ($red > $blue) { + $red = int(log($red) / log(2)) - int(log($green) / log(2)); + $green = int(log($green) / log(2)) - int(log($blue) / log(2)); + $blue = int(log($blue) / log(2)) + 1; + $pixelformat = "rgb$red$green$blue"; + } else { + $blue = int(log($blue) / log(2)) - int(log($green) / log(2)); + $green = int(log($green) / log(2)) - int(log($red) / log(2)); + $red = int(log($red) / log(2)) + 1; + $pixelformat = "bgr$blue$green$red"; + } + } +} + + +# +# quotedString returns a string which yields the original string when parsed +# by a shell. +# + +sub quotedString +{ + local ($in) = @_; + + $in =~ s/\'/\'\"\'\"\'/g; + + return "'$in'"; +} + + +# +# removeSlashes turns slashes into underscores for use as a file name. +# + +sub removeSlashes +{ + local ($in) = @_; + + $in =~ s|/|_|g; + + return "$in"; +} + + +# +# Usage +# + +sub Usage +{ + die("\nusage: $prog [:] [-name ] [-depth ]\n". + " [-geometry x]\n". + " [-pixelformat rgbNNN|bgrNNN]\n". + " [-fp ]\n". + " [-cc ]\n". + " [-fg]\n". + " [-autokill]\n". + " [-noxstartup]\n". + " [-xstartup ]\n". + " ...\n\n". + " $prog -kill \n\n". + " $prog -list\n\n"); +} + + +# +# List +# + +sub List +{ + opendir(dir, $vncUserDir); + my @filelist = readdir(dir); + closedir(dir); + print "\nTigerVNC server sessions:\n\n"; + print "X DISPLAY #\tPROCESS ID\n"; + foreach my $file (@filelist) { + if ($file =~ /$host:(\d+)$\.pid/) { + chop($tmp_pid = `cat $vncUserDir/$file`); + if (kill 0, $tmp_pid) { + print ":".$1."\t\t".`cat $vncUserDir/$file`; + } else { + unlink ($vncUserDir . "/" . $file); + } + } + } + exit; +} + + +# +# Kill +# + +sub Kill +{ + $opt{'-kill'} =~ s/(:\d+)\.\d+$/$1/; # e.g. turn :1.0 into :1 + + if ($opt{'-kill'} =~ /^:\d+$/) { + $pidFile = "$vncUserDir/$host$opt{'-kill'}.pid"; + } else { + if ($opt{'-kill'} !~ /^$host:/) { + die "\nCan't tell if $opt{'-kill'} is on $host\n". + "Use -kill : instead\n\n"; + } + $pidFile = "$vncUserDir/$opt{'-kill'}.pid"; + } + + if (! -r $pidFile) { + die "\nCan't find file $pidFile\n". + "You'll have to kill the Xvnc process manually\n\n"; + } + + $SIG{'HUP'} = 'IGNORE'; + chop($pid = `cat $pidFile`); + warn "Killing Xvnc process ID $pid\n"; + + if (kill 0, $pid) { + system("kill $pid"); + sleep(1); + if (kill 0, $pid) { + print "Xvnc seems to be deadlocked. Kill the process manually and then re-run\n"; + print " ".$0." -kill ".$opt{'-kill'}."\n"; + print "to clean up the socket files.\n"; + exit + } + + } else { + warn "Xvnc process ID $pid already killed\n"; + $opt{'-kill'} =~ s/://; + + if (-e "/tmp/.X11-unix/X$opt{'-kill'}") { + print "Xvnc did not appear to shut down cleanly."; + print " Removing /tmp/.X11-unix/X$opt{'-kill'}\n"; + unlink "/tmp/.X11-unix/X$opt{'-kill'}"; + } + if (-e "/tmp/.X$opt{'-kill'}-lock") { + print "Xvnc did not appear to shut down cleanly."; + print " Removing /tmp/.X$opt{'-kill'}-lock\n"; + unlink "/tmp/.X$opt{'-kill'}-lock"; + } + } + + unlink $pidFile; + exit; +} + + +# +# ParseOptions takes a list of possible options and a boolean indicating +# whether the option has a value following, and sets up an associative array +# %opt of the values of the options given on the command line. It removes all +# the arguments it uses from @ARGV and returns them in @optArgs. +# + +sub ParseOptions +{ + local (@optval) = @_; + local ($opt, @opts, %valFollows, @newargs); + + while (@optval) { + $opt = shift(@optval); + push(@opts,$opt); + $valFollows{$opt} = shift(@optval); + } + + @optArgs = (); + %opt = (); + + arg: while (defined($arg = shift(@ARGV))) { + foreach $opt (@opts) { + if ($arg eq $opt) { + push(@optArgs, $arg); + if ($valFollows{$opt}) { + if (@ARGV == 0) { + &Usage(); + } + $opt{$opt} = shift(@ARGV); + push(@optArgs, $opt{$opt}); + } else { + $opt{$opt} = 1; + } + next arg; + } + } + push(@newargs,$arg); + } + + @ARGV = @newargs; +} + + +# Routine to make sure we're operating in a sane environment. +sub SanityCheck +{ + local ($cmd); + + # Get the program name + ($prog) = ($0 =~ m|([^/]+)$|); + + # + # Check we have all the commands we'll need on the path. + # + + cmd: + foreach $cmd ("uname","xauth") { + for (split(/:/,$ENV{PATH})) { + if (-x "$_/$cmd") { + next cmd; + } + } + die "$prog: couldn't find \"$cmd\" on your PATH.\n"; + } + + if($exedir eq "") { + cmd2: + foreach $cmd ("Xvnc","vncpasswd") { + for (split(/:/,$ENV{PATH})) { + if (-x "$_/$cmd") { + next cmd2; + } + } + die "$prog: couldn't find \"$cmd\" on your PATH.\n"; + } + } + else { + cmd3: + foreach $cmd ($exedir."Xvnc",$exedir."vncpasswd") { + for (split(/:/,$ENV{PATH})) { + if (-x "$cmd") { + next cmd3; + } + } + die "$prog: couldn't find \"$cmd\".\n"; + } + } + + if (!defined($ENV{HOME})) { + die "$prog: The HOME environment variable is not set.\n"; + } + + # + # Find socket constants. 'use Socket' is a perl5-ism, so we wrap it in an + # eval, and if it fails we try 'require "sys/socket.ph"'. If this fails, + # we just guess at the values. If you find perl moaning here, just + # hard-code the values of AF_INET and SOCK_STREAM. You can find these out + # for your platform by looking in /usr/include/sys/socket.h and related + # files. + # + + chop($os = `uname`); + chop($osrev = `uname -r`); + + eval 'use Socket'; + if ($@) { + eval 'require "sys/socket.ph"'; + if ($@) { + if (($os eq "SunOS") && ($osrev !~ /^4/)) { + $AF_INET = 2; + $SOCK_STREAM = 2; + } else { + $AF_INET = 2; + $SOCK_STREAM = 1; + } + } else { + $AF_INET = &AF_INET; + $SOCK_STREAM = &SOCK_STREAM; + } + } else { + $AF_INET = &AF_INET; + $SOCK_STREAM = &SOCK_STREAM; + } +} + +sub NotifyAboutDeprecation +{ + warn "\nWARNING: vncserver has been replaced by a systemd unit and is now considered deprecated and removed in upstream.\n"; + warn "Please read /usr/share/doc/tigervnc/HOWTO.md for more information.\n"; +} diff --git a/SOURCES/xvnc.service b/SOURCES/xvnc.service new file mode 100644 index 0000000..3471e1f --- /dev/null +++ b/SOURCES/xvnc.service @@ -0,0 +1,38 @@ +# The vncserver service unit file +# +# Quick HowTo: +# 1. Copy this file to /etc/systemd/system/xvnc@.service +# 2. Copy xvnc.socket to /etc/systemd/system/xvnc.socket +# 3. Run `systemctl daemon-reload` +# 4. Run `systemctl enable xvnc.socket` +# +# DO NOT RUN THIS SERVICE if your local area network is +# untrusted! For a secure way of using VNC, you should +# limit connections to the local host and then tunnel from +# the machine you want to view VNC on (host A) to the machine +# whose VNC output you want to view (host B) +# +# [user@hostA ~]$ ssh -v -C -L 590N:localhost:590M hostB +# +# this will open a connection on port 590N of your hostA to hostB's port 590M +# (in fact, it ssh-connects to hostB and then connects to localhost (on hostB). +# See the ssh man page for details on port forwarding) +# +# You can then point a VNC client on hostA at vncdisplay N of localhost and with +# the help of ssh, you end up seeing what hostB makes available on port 590M +# +# Use "-nolisten tcp" to prevent X connections to your VNC server via TCP. +# +# Use "-localhost" to prevent remote VNC clients connecting except when +# doing so through a secure tunnel. See the "-via" option in the +# `man vncviewer' manual page. + + +[Unit] +Description=XVNC Per-Connection Daemon + +[Service] +ExecStart=-/usr/bin/Xvnc -inetd -query localhost -geometry 1024x768 -depth 24 -once -SecurityTypes=None +User=nobody +StandardInput=socket +StandardError=syslog diff --git a/SOURCES/xvnc.socket b/SOURCES/xvnc.socket new file mode 100644 index 0000000..9b3f92d --- /dev/null +++ b/SOURCES/xvnc.socket @@ -0,0 +1,9 @@ +[Unit] +Description=XVNC Server + +[Socket] +ListenStream=5900 +Accept=yes + +[Install] +WantedBy=sockets.target diff --git a/SPECS/tigervnc.spec b/SPECS/tigervnc.spec new file mode 100644 index 0000000..a7322c0 --- /dev/null +++ b/SPECS/tigervnc.spec @@ -0,0 +1,1177 @@ + +#defining macros needed by SELinux +%global selinuxtype targeted +%global modulename vncsession + +Name: tigervnc +Version: 1.12.0 +Release: 12%{?dist} +Summary: A TigerVNC remote display system + +%global _hardened_build 1 + +License: GPLv2+ +URL: http://www.tigervnc.com + +Source0: %{name}-%{version}.tar.gz +Source1: xvnc.service +Source2: xvnc.socket +Source3: 10-libvnc.conf + +# Backwards compatibility +Source5: vncserver + +# Downstream patches +Patch1: tigervnc-use-gnome-as-default-session.patch + +# Upstream patches +Patch50: tigervnc-selinux-restore-context-in-case-of-different-policies.patch +Patch51: tigervnc-fix-typo-in-mirror-monitor-detection.patch +Patch52: tigervnc-root-user-selinux-context.patch +Patch53: tigervnc-vncsession-restore-script-systemd-service.patch +# https://github.com/TigerVNC/tigervnc/pull/1513 +Patch54: tigervnc-fix-ghost-cursor-in-zaphod-mode.patch +# https://github.com/TigerVNC/tigervnc/pull/1510 +Patch55: tigervnc-add-new-keycodes-for-unknown-keysyms.patch +Patch56: tigervnc-sanity-check-when-cleaning-up-keymap-changes.patch +Patch57: tigervnc-selinux-allow-vncsession-create-vnc-directory.patch + +# This is tigervnc-%%{version}/unix/xserver116.patch rebased on the latest xorg +Patch100: tigervnc-xserver120.patch +# 1326867 - [RHEL7.3] GLX applications in an Xvnc session fails to start +Patch101: 0001-rpath-hack.patch + +BuildRequires: make +BuildRequires: gcc-c++ +BuildRequires: libX11-devel, automake, autoconf, libtool, gettext, gettext-autopoint +BuildRequires: libXext-devel, xorg-x11-server-source, libXi-devel +BuildRequires: xorg-x11-xtrans-devel, xorg-x11-util-macros, libXtst-devel +BuildRequires: libxkbfile-devel, openssl-devel, libpciaccess-devel +BuildRequires: mesa-libGL-devel, libXinerama-devel, xorg-x11-font-utils +BuildRequires: freetype-devel, libXdmcp-devel, libxshmfence-devel +BuildRequires: libjpeg-turbo-devel, gnutls-devel, pam-devel +BuildRequires: libdrm-devel, libXt-devel, pixman-devel, libselinux-devel +BuildRequires: systemd, cmake, desktop-file-utils, selinux-policy-devel +BuildRequires: libXfixes-devel, libXdamage-devel, libXrandr-devel +%if 0%{?fedora} > 24 || 0%{?rhel} >= 7 +BuildRequires: libXfont2-devel +%else +BuildRequires: libXfont-devel +%endif + +# TigerVNC 1.4.x requires fltk 1.3.3 for keyboard handling support +# See https://github.com/TigerVNC/tigervnc/issues/8, also bug #1208814 +BuildRequires: fltk-devel >= 1.3.3 +BuildRequires: xorg-x11-server-devel + +Requires(post): coreutils +Requires(postun):coreutils + +Requires: hicolor-icon-theme +Requires: tigervnc-license +Requires: tigervnc-icons + +%description +Virtual Network Computing (VNC) is a remote display system which +allows you to view a computing 'desktop' environment not only on the +machine where it is running, but from anywhere on the Internet and +from a wide variety of machine architectures. This package contains a +client which will allow you to connect to other desktops running a VNC +server. + +%package server +Summary: A TigerVNC server +Requires: perl-interpreter +Requires: tigervnc-server-minimal = %{version}-%{release} +Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) +Requires: xorg-x11-xauth +Requires: xorg-x11-xinit +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd +Requires(post): systemd + +%description server +The VNC system allows you to access the same desktop from a wide +variety of platforms. This package includes set of utilities +which make usage of TigerVNC server more user friendly. It also +contains x0vncserver program which can export your active +X session. + +%package server-minimal +Summary: A minimal installation of TigerVNC server +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd +Requires(post): systemd + +Requires: mesa-dri-drivers, xkeyboard-config, xkbcomp +Requires: tigervnc-license, dbus-x11 + +%description server-minimal +The VNC system allows you to access the same desktop from a wide +variety of platforms. This package contains minimal installation +of TigerVNC server, allowing others to access the desktop on your +machine. + +%package server-module +Summary: TigerVNC module to Xorg +Requires: xorg-x11-server-Xorg %(xserver-sdk-abi-requires ansic) %(xserver-sdk-abi-requires videodrv) +Requires: tigervnc-license + +%description server-module +This package contains libvnc.so module to X server, allowing others +to access the desktop on your machine. + +%package license +Summary: License of TigerVNC suite +BuildArch: noarch + +%description license +This package contains license of the TigerVNC suite + +%package icons +Summary: Icons for TigerVNC viewer +BuildArch: noarch + +%description icons +This package contains icons for TigerVNC viewer + +%package selinux +Summary: SELinux module for TigerVNC +BuildArch: noarch +BuildRequires: selinux-policy-devel +Requires: selinux-policy-%{selinuxtype} +Requires(post): selinux-policy-%{selinuxtype} +BuildRequires: selinux-policy-devel +# Required for matchpathcon +Requires: libselinux-utils +# Required for restorecon +Requires: policycoreutils +%{?selinux_requires} + +%description selinux +This package provides the SELinux policy module to ensure TigerVNC +runs properly under an environment with SELinux enabled. + +%prep +%setup -q + +cp -r /usr/share/xorg-x11-server-source/* unix/xserver +pushd unix/xserver +for all in `find . -type f -perm -001`; do + chmod -x "$all" +done +%patch100 -p1 -b .xserver120-rebased +%patch101 -p1 -b .rpath +popd + +%patch1 -p1 -b .use-gnome-as-default-session + +# Upstream patches +%patch50 -p1 -b .selinux-restore-context-in-case-of-different-policies +%patch51 -p1 -b .fix-typo-in-mirror-monitor-detection +%patch52 -p1 -b .root-user-selinux-context +%patch53 -p1 -b .vncsession-restore-script-systemd-service +%patch54 -p1 -b .fix-ghost-cursor-in-zaphod-mode +%patch55 -p1 -b .add-new-keycodes-for-unknown-keysyms +%patch56 -p1 -b .sanity-check-when-cleaning-up-keymap-changes +%patch57 -p1 -b .selinux-allow-vncsession-create-vnc-directory + +%build +%ifarch sparcv9 sparc64 s390 s390x +export CFLAGS="$RPM_OPT_FLAGS -fPIC" +%else +export CFLAGS="$RPM_OPT_FLAGS -fpic" +%endif +export CXXFLAGS="$CFLAGS -std=c++11" + +%define __cmake_builddir %{_target_platform} + +mkdir -p %{%__cmake_builddir} + +%cmake + +%cmake_build + +pushd unix/xserver + +%if 0%{?fedora} > 32 || 0%{?rhel} >= 9 +sed -i 's@TIGERVNC_BUILDDIR=${TIGERVNC_SRCDIR}@TIGERVNC_BUILDDIR=${TIGERVNC_SRCDIR}/%{_target_platform}@g' hw/vnc/Makefile.am +%endif + +autoreconf -fiv +%configure \ + --disable-xorg --disable-xnest --disable-xvfb --disable-dmx \ + --disable-xwin --disable-xephyr --disable-kdrive --disable-xwayland \ + --with-pic --disable-static \ + --with-default-font-path="catalogue:%{_sysconfdir}/X11/fontpath.d,built-ins" \ + --with-fontdir=%{_datadir}/X11/fonts \ + --with-xkb-output=%{_localstatedir}/lib/xkb \ + --enable-install-libxf86config \ + --enable-glx --disable-dri --enable-dri2 --disable-dri3 \ + --disable-unit-tests \ + --disable-config-hal \ + --disable-config-udev \ + --with-dri-driver-path=%{_libdir}/dri \ + --without-dtrace \ + --disable-devel-docs \ + --disable-selective-werror + +make %{?_smp_mflags} +popd + +# Build icons +%if 0%{?fedora} > 32 || 0%{?rhel} >= 9 +pushd %{_target_platform}/media +%else +pushd media +%endif +make +popd + +# SELinux +pushd unix/vncserver/selinux +make +popd + +%install +%cmake_install +rm -f %{buildroot}%{_docdir}/%{name}-%{version}/{README.rst,LICENCE.TXT} + +pushd unix/xserver/hw/vnc +%make_install +popd + +# Install systemd unit file +pushd unix/vncserver/selinux +make install DESTDIR=%{buildroot} +popd + +# Install systemd unit file +install -m644 %{SOURCE1} %{buildroot}%{_unitdir}/xvnc@.service +install -m644 %{SOURCE2} %{buildroot}%{_unitdir}/xvnc.socket + +# Install desktop stuff +mkdir -p %{buildroot}%{_datadir}/icons/hicolor/{16x16,24x24,48x48}/apps + +pushd media/icons +for s in 16 24 48; do +install -m644 tigervnc_$s.png %{buildroot}%{_datadir}/icons/hicolor/${s}x$s/apps/tigervnc.png +done +popd + +%if 0%{?rhel} > 9 +# Install a replacement for /usr/bin/vncserver which will tell the user to read the +# HOWTO.md file +cat < %{buildroot}/%{_bindir}/vncserver +#!/bin/bash +echo "vncserver has been replaced by a systemd unit." +echo "Please read /usr/share/doc/tigervnc/HOWTO.md for more information." +EOF +chmod +x %{buildroot}/%{_bindir}/vncserver +%else +install -m 755 %{SOURCE5} %{buildroot}/%{_bindir}/vncserver +%endif + +%find_lang %{name} %{name}.lang + +# remove unwanted files +rm -f %{buildroot}%{_libdir}/xorg/modules/extensions/libvnc.la + +mkdir -p %{buildroot}%{_sysconfdir}/X11/xorg.conf.d/ +install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/X11/xorg.conf.d/10-libvnc.conf + +%post server +%systemd_post xvnc@.service +%systemd_post xvnc.socket + +%preun server +%systemd_preun xvnc.socket + +%postun server +%systemd_postun xvnc@.service +%systemd_postun xvnc.socket + +%pre selinux +%selinux_relabel_pre -s %{selinuxtype} + +%post selinux +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 +%selinux_relabel_post -s %{selinuxtype} + +%postun selinux +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s %{selinuxtype} %{modulename} + %selinux_relabel_post -s %{selinuxtype} +fi + + +%files -f %{name}.lang +%doc README.rst +%{_bindir}/vncviewer +%{_datadir}/applications/* +%{_mandir}/man1/vncviewer.1* + +%files server +%config(noreplace) %{_sysconfdir}/pam.d/tigervnc +%config(noreplace) %{_sysconfdir}/tigervnc/vncserver-config-defaults +%config(noreplace) %{_sysconfdir}/tigervnc/vncserver-config-mandatory +%config(noreplace) %{_sysconfdir}/tigervnc/vncserver.users +%{_unitdir}/vncserver@.service +%{_unitdir}/xvnc@.service +%{_unitdir}/xvnc.socket +%{_bindir}/vncserver +%{_bindir}/x0vncserver +%{_sbindir}/vncsession +%{_libexecdir}/vncserver +%{_libexecdir}/vncsession-start +%{_libexecdir}/vncsession-restore +%{_mandir}/man1/x0vncserver.1* +%{_mandir}/man8/vncserver.8* +%{_mandir}/man8/vncsession.8* +%{_docdir}/tigervnc/HOWTO.md + +%files server-minimal +%{_bindir}/vncconfig +%{_bindir}/vncpasswd +%{_bindir}/Xvnc +%{_mandir}/man1/Xvnc.1* +%{_mandir}/man1/vncpasswd.1* +%{_mandir}/man1/vncconfig.1* + +%files server-module +%{_libdir}/xorg/modules/extensions/libvnc.so +%config(noreplace) %{_sysconfdir}/X11/xorg.conf.d/10-libvnc.conf + +%files license +%{_docdir}/tigervnc/LICENCE.TXT + +%files icons +%{_datadir}/icons/hicolor/*/apps/* + +%files selinux +%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.* +%ghost %verify(not md5 size mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} + +%changelog +* Tue Feb 21 2023 Jan Grulich - 1.12.0-12 +- SELinux: allow vncsession create .vnc directory + Resolves: bz#2164703 + +* Wed Feb 15 2023 Jan Grulich - 1.12.0-11 +- Add sanity check when cleaning up keymap changes + Resolves: bz#2169965 + +* Mon Feb 06 2023 Jan Grulich - 1.12.0-10 +- xorg-x11-server: DeepCopyPointerClasses use-after-free leads to privilege elevation + Resolves: bz#2167061 + +* Tue Dec 20 2022 Tomas Popela - 1.12.0-9 +- Rebuild for xorg-x11-server CVE-2022-46340 follow up fix + +* Fri Dec 16 2022 Jan Grulich - 1.12.0-8 +- Rebuild for xorg-x11-server CVEs + Resolves: CVE-2022-4283 (bz#2154234) + Resolves: CVE-2022-46340 (bz#2154221) + Resolves: CVE-2022-46341 (bz#2154224) + Resolves: CVE-2022-46342 (bz#2154226) + Resolves: CVE-2022-46343 (bz#2154228) + Resolves: CVE-2022-46344 (bz#2154230) + +* Thu Dec 01 2022 Jan Grulich - 1.12.0-7 +- x0vncserver: add new keysym in case we don't find matching keycode + + actually apply the patch + Resolves: bz#2119017 + +* Thu Dec 01 2022 Jan Grulich - 1.12.0-6 +- x0vncserver: add new keysym in case we don't find matching keycode + Resolves: bz#2119017 + +* Mon Oct 24 2022 Jan Grulich - 1.12.0-5 +- x0vncserver: fix ghost cursor in zaphod mode (better version) + Resolves: bz#2119016 + +* Tue May 31 2022 Jan Grulich - 1.12.0-4 +- Add BR: libXdamage, libXfixes, libXrandr + Resolves: bz#2091833 + +* Tue Apr 05 2022 Jan Grulich - 1.12.0-3 +- Do not run systemd_preun on Xvnc service file + Resolves: bz#2048011 + +* Mon Apr 04 2022 Jan Grulich - 1.12.0-2 +- Drop unexisting option from the old vncserver script + Resolves: bz#2021893 + +* Wed Mar 23 2022 Jan Grulich - 1.12.0-1 +- 1.12.0 + sync with Fedora + Resolves: bz#2048011 + Resolves: bz#2021893 + +* Mon Feb 07 2022 Jan Grulich - 1.11.0-21 +- Added vncsession-restore script for SELinux policy migration + Fix SELinux context for root user + Resolves: bz#2049506 + +* Fri Nov 26 2021 Jan Grulich - 1.11.0-20 +- Rebuild for absence in RHEL 9.0 + Resolves: bz#1985858 + +* Mon Aug 16 2021 Jan Grulich - 1.11.0-19 +- Sync upstream patches + drop unused patches + Resolves: bz#1985858 + +* Tue Aug 10 2021 Mohan Boddu - 1.11.0-18 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Mon Jul 19 2021 Jan Grulich - 1.11.0-17 +- Fix logout from VNC session using vncserver + Resolves: bz#1983704 + +* Tue Jun 01 2021 Jan Grulich - 1.11.0-16 +- Bump version for rebuild (binutils) + Resolves: bz#1961488 + +* Mon May 17 2021 Jan Grulich - 1.11.0-14 +- SELinux improvements + Resolves: bz#1961488 + +- Fix endianness issue on s390x + Resolves: bz#1963029 + +* Fri Apr 16 2021 Mohan Boddu - 1.11.0-13 +- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 + +* Mon Mar 08 2021 Jan Grulich - 1.11.0-12 +- Include RHEL8 patches + +* Fri Mar 05 2021 Jan Grulich - 1.11.0-11 +- Enable old vncserver script for RHEL 9 + +* Wed Jan 27 2021 Fedora Release Engineering - 1.11.0-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Thu Dec 10 07:45:46 CET 2020 Jan Grulich - 1.11.0-9 +- vncserver: ignore new session parameter from the new systemd support + +* Fri Nov 13 14:08:29 CET 2020 Jan Grulich - 1.11.0-8 +- Use /run instead of /var/run which is just a symlink + +* Thu Nov 05 2020 Peter Hutterer 1.11.0-7 +- Require xkbcomp directly, not xorg-x11-xkb-utils. The latter has had + Provides xkbcomp for years. + +* Tue Sep 29 13:12:22 CEST 2020 Jan Grulich - 1.11.0-6 +- Backport upstream fix allowing Tigervnc to specify boolean valus in configuration +- Revert removal of vncserver for F32 and F33 + +* Thu Sep 24 07:14:06 CEST 2020 Jan Grulich - 1.11.0-5 +- Actually install the HOWTO.md file + +* Wed Sep 23 2020 Jan Grulich - 1.11.0-4 +- Call systemd macros on correct service file + +* Tue Sep 22 2020 Jan Grulich - 1.11.0-3 +- Do not overwrite libvnc.conf config file + +* Thu Sep 17 2020 Jan Grulich - 1.11.0-2 +- Add /usr/bin/vncserver file informing users to read the HOWTO.md file + +* Wed Sep 09 2020 Jan Grulich - 1.11.0-1 +- 1.11.0 + +* Mon Aug 24 2020 Jan Grulich - 1.10.1-9 +- Second attempt - Rebuilt for + https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Wed Jul 29 2020 Fedora Release Engineering - 1.10.1-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jul 14 2020 Tom Stellard - 1.10.1-7 +- Use make macros +- https://fedoraproject.org/wiki/Changes/UseMakeBuildInstallMacro + +* Sat Jul 11 2020 Jiri Vanek - 1.10.1-6 +- Rebuilt for JDK-11, see https://fedoraproject.org/wiki/Changes/Java11 + +* Sun Apr 19 2020 Jan Grulich - 1.10.1-5 +- Requires: dbus-x11 + Resolves: bz#1825331 + +* Fri Mar 13 2020 Olivier Fourdan - 1.10.1-4 +- Fix build with xserver 1.20.7 + +* Fri Jan 31 2020 Fedora Release Engineering - 1.10.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Mon Jan 13 2020 Jan Grulich - 1.10.1-2 +- Build with -std=c++11 + +* Fri Dec 20 2019 Jan Grulich - 1.10.1-1 +- Update to 1.10.1 + +* Tue Dec 10 2019 Jan Grulich - 1.10.0-2 +- Properly install systemd files + +* Mon Nov 18 2019 Jan Grulich - 1.10.0-1 +- Update to 1.10.0 + +* Fri Oct 18 2019 Jan Grulich - 1.9.90-1 +- Update to 1.9.90 (1.10 beta) +- Add systemd user service file +- Use a wrapper for systemd system service file to workaround systemd limitations + +* Sat Jul 27 2019 Fedora Release Engineering - 1.9.0-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Fri Jul 19 2019 Dan Horák - 1.9.0-6 +- drop the s390x special handling (related #1727029) + +* Wed Jun 12 2019 Jan Grulich - 1.9.0-5 +- Add missing arguments to systemd_postun scriptlets + Resolves: bz#1716411 + +* Sun Feb 03 2019 Fedora Release Engineering - 1.9.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Tue Sep 25 2018 Jan Grulich - 1.9.0-3 +- Do not crash passwd when using malloc perturb checks + Resolves: bz#1631483 + +* Wed Aug 01 2018 Jan Grulich - 1.9.0-2 +- Ignore buttons in mouse leave events + Resolves: bz#1609516 + +* Tue Jul 17 2018 Jan Grulich - 1.9.0-1 +- Update to 1.9.0 + +* Sat Jul 14 2018 Fedora Release Engineering - 1.8.90-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Wed Jul 4 2018 Peter Robinson 1.8.90-2 +- Clean up spec: use macros consistenly, drop old sys-v migrations +- Drop ancient obsolete/provides + +* Thu Jun 14 2018 Jan Grulich - 1.8.90-1 +- Update to 1.8.90 + +* Wed Jun 13 2018 Jan Grulich - 1.8.0-10 +- Fix tigervnc systemd unit file + Resolves: bz#1583159 + +* Wed Jun 06 2018 Adam Jackson - 1.8.0-9 +- Fix GLX initialization with 1.20 + +* Wed Apr 04 2018 Adam Jackson - 1.8.0-8 +- Rebuild for xserver 1.20 + +* Fri Feb 09 2018 Fedora Release Engineering - 1.8.0-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Jan 18 2018 Igor Gnatenko - 1.8.0-6 +- Remove obsolete scriptlets + +* Fri Dec 15 2017 Jan Grulich - 1.8.0-5 +- Properly initialize tigervnc when started as systemd service + +* Thu Aug 03 2017 Fedora Release Engineering - 1.8.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 1.8.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Thu Jul 13 2017 Petr Pisar - 1.8.0-2 +- perl dependency renamed to perl-interpreter + + +* Wed May 17 2017 Jan Grulich - 1.8.0-1 +- Update to 1.8.0 + +* Thu Apr 20 2017 Jan Grulich - 1.7.90-1 +- Update to 1.7.90 (beta) + +* Thu Apr 06 2017 Jan Grulich - 1.7.1-4 +- Added systemd unit file for xvnc + Resolves: bz#891802 + +* Tue Apr 04 2017 Jan Grulich - 1.7.1-3 +- Bug 1438704 - CVE-2017-7392 CVE-2017-7393 CVE-2017-7394 + CVE-2017-7395 CVE-2017-7396 tigervnc: various flaws + + other upstream related fixes + +* Sat Feb 11 2017 Fedora Release Engineering - 1.7.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Thu Jan 19 2017 Jan Grulich - 1.7.1-1 +- Update to 1.7.1 + +* Mon Jan 9 2017 Hans de Goede - 1.7.0-6 +- Fix -inetd no longer working (rhbz#1408724) + +* Wed Nov 30 2016 Jan Grulich - 1.7.0-5 +- Fix broken vncserver.service file + +* Wed Nov 23 2016 Jan Grulich - 1.7.0-4 +- Improve instructions in vncserver.service + Resolves: bz#1397207 + +* Tue Oct 4 2016 Hans de Goede - 1.7.0-3 +- Update tigervnc-1.7.0-xserver119-support.patch to also request write + notfication when necessary + +* Mon Oct 3 2016 Hans de Goede - 1.7.0-2 +- Add patches for use with xserver-1.19 +- Rebuild against xserver-1.19 +- Cleanup specfile a bit + +* Mon Sep 12 2016 Jan Grulich - 1.7.0-1 +- Update to 1.7.0 + +* Mon Jul 18 2016 Jan Grulich - 1.6.90-1 +- Update to 1.6.90 (1.7.0 beta) + +* Wed Jun 01 2016 Jan Grulich - 1.6.0-6 +- Try to pickup upstream fix for compatibility with gtk vnc clients + +* Wed Jun 01 2016 Jan Grulich - 1.6.0-5 +- Re-enable patch4 again, will need to find a way to make this work on both sides + +* Mon May 23 2016 Jan Grulich - 1.6.0-4 +- Utilize system-wide crypto policies + Resolves: bz#1179345 +- Try to disable patch4 as it was previously written to support an + older version of a different client and breaks some other usage + Resolves: bz#1280440 + +* Fri Feb 05 2016 Fedora Release Engineering - 1.6.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Wed Jan 13 2016 Jan Grulich - 1.6.0-2 +- Update systemd service file + Resolves: bz#1211789 + +* Mon Jan 04 2016 Jan Grulich - 1.6.0-1 +- Update to 1.6.0 + +* Tue Dec 01 2015 Jan Grulich - 1.5.90-1 +- Update to 1.5.90 (1.6.0 beta) + +* Thu Nov 19 2015 Jan Grulich - 1.5.0-4 +- rebuild against final xorg server 1.18 release (bug #1279146) + +* Tue Sep 22 2015 Kalev Lember - 1.5.0-3 +- xorg server 1.18 ABI rebuild + +* Fri Aug 21 2015 Jan Grulich - 1.5.0-2 +- Do not fail with -inetd option + +* Wed Aug 19 2015 Jan Grulich - 1.5.0-1 +- 1.5.0 + +* Tue Aug 04 2015 Kevin Fenzi - 1.4.3-12 +- Rebuild to fix broken deps and build against xorg 1.18 prerelease + +* Thu Jun 25 2015 Tim Waugh - 1.4.3-11 +- Rebuilt (bug #1235603). + +* Fri Jun 19 2015 Fedora Release Engineering - 1.4.3-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Mon May 04 2015 Kalev Lember - 1.4.3-8 +- Rebuilt for nettle soname bump + +* Wed Apr 22 2015 Tim Waugh - 1.4.3-7 +- Removed incorrect parameters from vncviewer manpage (bug #1213199). + +* Tue Apr 21 2015 Tim Waugh - 1.4.3-6 +- Use full git hash for GitHub tarball release. + +* Fri Apr 10 2015 Tim Waugh - 1.4.3-5 +- Explicit version build dependency for fltk (bug #1208814). + +* Thu Apr 9 2015 Tim Waugh - 1.4.3-4 +- Drop upstream xorg-x11-server patch as it is now built (bug #1210407). + +* Thu Apr 9 2015 Tim Waugh - 1.4.3-3 +- Apply upstream patch to fix byte order (bug #1206060). + +* Fri Mar 6 2015 Tim Waugh - 1.4.3-2 +- Don't disable Xinerama extension (upstream #147). + +* Mon Mar 2 2015 Tim Waugh - 1.4.3-1 +- 1.4.3. + +* Tue Feb 24 2015 Tim Waugh - 1.4.2-3 +- Use calloc instead of xmalloc. +- Removed unnecessary configure flags. + +* Wed Feb 18 2015 Rex Dieter 1.4.2-2 +- rebuild (fltk) + +* Fri Feb 13 2015 Tim Waugh - 1.4.2-1 +- Rebased xserver116.patch against xorg-x11-server-1.17.1. +- Allow build against xorg-x11-server-1.17. +- 1.4.2. + +* Tue Sep 9 2014 Tim Waugh - 1.3.1-11 +- Added missing part of xserver114.patch (bug #1137023). + +* Wed Sep 3 2014 Tim Waugh - 1.3.1-10 +- Fix build against xorg-x11-server-1.16.0 (bug #1136532). + +* Mon Aug 18 2014 Fedora Release Engineering - 1.3.1-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Tue Jul 15 2014 Tim Waugh - 1.3.1-8 +- Input reset fixes from upstream (bug #1116956). +- No longer need ppc64le patch as it's now in xorg-x11-server. +- Rebased xserver114.patch again. + +* Fri Jun 20 2014 Hans de Goede - 1.3.1-7 +- xserver 1.15.99.903 ABI rebuild + +* Sun Jun 08 2014 Fedora Release Engineering - 1.3.1-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Thu May 22 2014 Tim Waugh 1.3.1-5 +- Keep pointer in sync when using module (upstream bug #152). + +* Mon Apr 28 2014 Adam Jackson 1.3.1-4 +- Add version interlocks for -server-module + +* Mon Apr 28 2014 Hans de Goede - 1.3.1-3 +- xserver 1.15.99-20140428 git snapshot ABI rebuild + +* Mon Apr 7 2014 Tim Waugh 1.3.1-2 +- Allow build with dri3 and present extensions (bug #1063392). + +* Thu Mar 27 2014 Tim Waugh 1.3.1-1 +- 1.3.1 (bug #1078806). +- Add ppc64le support (bug #1078495). + +* Wed Mar 19 2014 Tim Waugh 1.3.0-15 +- Disable dri3 to enable building (bug #1063392). +- Fixed heap-based buffer overflow (CVE-2014-0011, bug #1050928). + +* Fri Feb 21 2014 Tim Waugh 1.3.0-14 +- Enabled hardened build (bug #955206). + +* Mon Feb 10 2014 Tim Waugh 1.3.0-13 +- Clearer xstartup file (bug #923655). + +* Tue Jan 14 2014 Tim Waugh 1.3.0-12 +- Fixed instructions in systemd unit file. + +* Fri Jan 10 2014 Tim Waugh 1.3.0-11 +- Fixed viewer crash when cursor has not been set (bug #1038701). + +* Thu Dec 12 2013 Tim Waugh 1.3.0-10 +- Avoid invalid read when ZRLE connection closed (upstream bug #133). + +* Tue Dec 3 2013 Tim Waugh 1.3.0-9 +- Fixed build failure with -Werror=format-security (bug #1037358). + +* Thu Nov 07 2013 Adam Jackson 1.3.0-8 +- Rebuild against xserver 1.15RC1 + +* Tue Sep 24 2013 Tim Waugh 1.3.0-7 +- Removed incorrect patch (for unexpected key_is_down). Fixes stuck + keys bug (bug #989502). + +* Thu Sep 19 2013 Tim Waugh 1.3.0-6 +- Fixed typo in 10-libvnc.conf (bug #1009111). + +* Wed Sep 18 2013 Tim Waugh 1.3.0-5 +- Better fix for PIDFile problem (bug #983232). + +* Mon Aug 5 2013 Tim Waugh 1.3.0-4 +- Fixed doc-related build failure (bug #992790). + +* Wed Jul 24 2013 Tim Waugh 1.3.0-3 +- Avoid PIDFile problems in systemd unit file (bug #983232). +- libvnc.so: don't use unexported key_is_down function. +- Don't use shebang in vncserver script. + +* Fri Jul 12 2013 Tim Waugh 1.3.0-2 +- Renumbered patches. +- libvnc.so: don't use unexported GetMaster function (bug #744881 again). + +* Mon Jul 8 2013 Tim Waugh 1.3.0-1 +- 1.3.0. + +* Wed Jul 3 2013 Tim Waugh 1.2.80-0.18.20130314svn5065 +- Removed systemd_requires macro in order to fix the build. + +* Wed Jul 3 2013 Tim Waugh 1.2.80-0.17.20130314svn5065 +- Synchronise manpages and --help output (bug #980870). + +* Mon Jun 17 2013 Adam Jackson 1.2.80-0.16.20130314svn5065 +- tigervnc-setcursor-crash.patch: Attempt to paper over a crash in Xvnc when + setting the cursor. + +* Sat Jun 08 2013 Dennis Gilmore 1.2.80-0.15.20130314svn5065 +- bump to rebuild and pick up bugfix causing X to crash on ppc and arm + +* Thu May 23 2013 Tim Waugh 1.2.80-0.14.20130314svn5065 +- Use systemd rpm macros (bug #850340). Moved systemd requirements + from main package to server sub-package. +- Applied Debian patch to fix busy loop when run from inetd in nowait + mode (bug #920373). +- Added dependency on xorg-x11-xinit to server sub-package so that + default window manager can be found (bug #896284, bug #923655). +- Fixed bogus changelog date. + +* Thu Mar 14 2013 Adam Jackson 1.2.80-0.13.20130314svn5065 +- Less RHEL customization + +* Thu Mar 14 2013 Adam Tkac - 1.2.80-0.12.20130314svn5065 +- include /etc/X11/xorg.conf.d/10-libvnc.conf sample configuration (#712482) +- vncserver now honors specified -geometry parameter (#755947) + +* Tue Mar 12 2013 Adam Tkac - 1.2.80-0.11.20130307svn5060 +- update to r5060 +- split icons to separate package to avoid multilib issues + +* Tue Feb 19 2013 Adam Tkac - 1.2.80-0.10.20130219svn5047 +- update to r5047 (X.Org 1.14 support) + +* Fri Feb 15 2013 Fedora Release Engineering - 1.2.80-0.9.20121126svn5015 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Mon Jan 21 2013 Adam Tkac - 1.2.80-0.8.20121126svn5015 +- rebuild due to "jpeg8-ABI" feature drop + +* Wed Jan 16 2013 Adam Tkac 1.2.80-0.7.20121126svn5015 +- rebuild + +* Tue Dec 04 2012 Adam Tkac 1.2.80-0.6.20121126svn5015 +- rebuild against new fltk + +* Mon Nov 26 2012 Adam Tkac 1.2.80-0.5.20121126svn5015 +- update to r5015 +- build with -fpic instead of -fPIC on all archs except s390/sparc + +* Wed Nov 7 2012 Peter Robinson 1.2.80-0.4.20120905svn4996 +- Build with -fPIC to fix FTBFS on ARM + +* Wed Oct 31 2012 Adam Jackson 1.2.80-0.3.20120905svn4996 +- tigervnc12-xorg113-glx.patch: Fix to only init glx on the first server + generation + +* Fri Sep 28 2012 Adam Jackson 1.2.80-0.2.20120905svn4996 +- tigervnc12-xorg113-glx.patch: Re-enable GLX against xserver 1.13 + +* Fri Aug 17 2012 Adam Tkac 1.2.80-0.1.20120905svn4996 +- update to 1.2.80 +- remove deprecated patches + - tigervnc-102434.patch + - tigervnc-viewer-reparent.patch + - tigervnc11-java7.patch +- patches merged + - tigervnc11-xorg111.patch + - tigervnc11-xorg112.patch + +* Fri Aug 10 2012 Dave Airlie 1.1.0-10 +- fix build against newer X server + +* Mon Jul 23 2012 Adam Jackson 1.1.0-9 +- Build with the Composite extension for feature parity with other X servers + +* Sat Jul 21 2012 Fedora Release Engineering - 1.1.0-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Thu Jul 19 2012 Dave Airlie 1.1.0-7 +- fix building against X.org 1.13 + +* Wed Apr 04 2012 Adam Jackson 1.1.0-6 +- RHEL exclusion for -server-module on ppc* too + +* Mon Mar 26 2012 Adam Tkac - 1.1.0-5 +- clean Xvnc's /tmp environment in service file before startup +- fix building against the latest JAVA 7 and X.Org 1.12 + +* Sat Jan 14 2012 Fedora Release Engineering - 1.1.0-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Tue Nov 22 2011 Adam Tkac - 1.1.0-3 +- don't build X.Org devel docs (#755782) +- applet: BR generic java-devel instead of java-gcj-devel (#755783) +- use runuser to start Xvnc in systemd service file (#754259) +- don't attepmt to restart Xvnc session during update/erase (#753216) + +* Fri Nov 11 2011 Adam Tkac - 1.1.0-2 +- libvnc.so: don't use unexported GetMaster function (#744881) +- remove nasm buildreq + +* Mon Sep 12 2011 Adam Tkac - 1.1.0-1 +- update to 1.1.0 +- update the xorg11 patch +- patches merged + - tigervnc11-glx.patch + - tigervnc11-CVE-2011-1775.patch + - 0001-Use-memmove-instead-of-memcpy-in-fbblt.c-when-memory.patch + +* Thu Jul 28 2011 Adam Tkac - 1.0.90-6 +- add systemd service file and remove legacy SysV initscript (#717227) + +* Thu May 12 2011 Adam Tkac - 1.0.90-5 +- make Xvnc buildable against X.Org 1.11 + +* Tue May 10 2011 Adam Tkac - 1.0.90-4 +- viewer can send password without proper validation of X.509 certs + (CVE-2011-1775) + +* Wed Apr 13 2011 Adam Tkac - 1.0.90-3 +- fix wrong usage of memcpy which caused screen artifacts (#652590) +- don't point to inaccessible link in sysconfig/vncservers (#644975) + +* Fri Apr 08 2011 Adam Tkac - 1.0.90-2 +- improve compatibility with vinagre client (#692048) + +* Tue Mar 22 2011 Adam Tkac - 1.0.90-1 +- update to 1.0.90 + +* Wed Feb 09 2011 Fedora Release Engineering - 1.0.90-0.32.20110117svn4237 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Mon Jan 17 2011 Adam Tkac 1.0.90-0.31.20110117svn4237 +- fix libvnc.so module loading + +* Mon Jan 17 2011 Adam Tkac 1.0.90-0.30.20110117svn4237 +- update to r4237 +- patches merged + - tigervnc11-optionsdialog.patch + - tigervnc11-rh607866.patch + +* Fri Jan 14 2011 Adam Tkac 1.0.90-0.29.20101208svn4225 +- improve patch for keyboard issues + +* Fri Jan 14 2011 Adam Tkac 1.0.90-0.28.20101208svn4225 +- attempt to fix various keyboard-related issues (key repeating etc) + +* Fri Jan 07 2011 Adam Tkac 1.0.90-0.27.20101208svn4225 +- render "Ok" and "Cancel" buttons in the options dialog correctly + +* Wed Dec 15 2010 Jan Görig 1.0.90-0.26.20101208svn4225 +- added vncserver lock file (#662784) + +* Fri Dec 10 2010 Adam Tkac 1.0.90-0.25.20101208svn4225 +- update to r4225 +- patches merged + - tigervnc11-rh611677.patch + - tigervnc11-rh633931.patch + - tigervnc11-xorg1.10.patch +- enable VeNCrypt and PAM support + +* Mon Dec 06 2010 Adam Tkac 1.0.90-0.24.20100813svn4123 +- rebuild against xserver 1.10.X +- 0001-Return-Success-from-generate_modkeymap-when-max_keys.patch merged + +* Wed Sep 29 2010 jkeating - 1.0.90-0.23.20100813svn4123 +- Rebuilt for gcc bug 634757 + +* Tue Sep 21 2010 Adam Tkac 1.0.90-0.22.20100420svn4030 +- drop xorg-x11-fonts-misc dependency (#636170) + +* Tue Sep 21 2010 Adam Tkac 1.0.90-0.21.20100420svn4030 +- improve patch for #633645 (fix tcsh incompatibilities) + +* Thu Sep 16 2010 Adam Tkac 1.0.90-0.20.20100813svn4123 +- press fake modifiers correctly (#633931) +- supress unneeded debug information emitted from initscript (#633645) + +* Wed Aug 25 2010 Adam Tkac 1.0.90-0.19.20100813svn4123 +- separate Xvnc, vncpasswd and vncconfig to -server-minimal subpkg (#626946) +- move license to separate subpkg and Requires it from main subpkgs +- Xvnc: handle situations when no modifiers exist well (#611677) + +* Fri Aug 13 2010 Adam Tkac 1.0.90-0.18.20100813svn4123 +- update to r4123 (#617973) +- add perl requires to -server subpkg (#619791) + +* Thu Jul 22 2010 Adam Tkac 1.0.90-0.17.20100721svn4113 +- update to r4113 +- patches merged + - tigervnc11-rh586406.patch + - tigervnc11-libvnc.patch + - tigervnc11-rh597172.patch + - tigervnc11-rh600070.patch + - tigervnc11-options.patch +- don't own %%{_datadir}/icons directory (#614301) +- minor improvements in the .desktop file (#616340) +- bundled libjpeg configure requires nasm; is executed even if system-wide + libjpeg is used + +* Fri Jul 02 2010 Adam Tkac 1.0.90-0.16.20100420svn4030 +- build against system-wide libjpeg-turbo (#494458) +- build no longer requires nasm + +* Mon Jun 28 2010 Adam Tkac 1.0.90-0.15.20100420svn4030 +- vncserver: accept <+optname> option when specified as the first one + +* Thu Jun 24 2010 Adam Tkac 1.0.90-0.14.20100420svn4030 +- fix memory leak in Xvnc input code (#597172) +- don't crash when receive negative encoding (#600070) +- explicitly disable udev configuration support +- add gettext-autopoint to BR + +* Mon Jun 14 2010 Adam Tkac 1.0.90-0.13.20100420svn4030 +- update URL about SSH tunneling in the sysconfig file (#601996) + +* Fri Jun 11 2010 Adam Tkac 1.0.90-0.12.20100420svn4030 +- use newer gettext +- autopoint now uses git instead of cvs, adjust BuildRequires appropriately + +* Thu May 13 2010 Adam Tkac 1.0.90-0.11.20100420svn4030 +- link libvnc.so "now" to catch "undefined symbol" errors during Xorg startup +- use always XkbConvertCase instead of XConvertCase (#580159, #586406) +- don't link libvnc.so against libXi.la, libdix.la and libxkb.la; use symbols + from Xorg instead + +* Thu May 13 2010 Adam Tkac 1.0.90-0.10.20100420svn4030 +- update to r4030 snapshot +- patches merged to upstream + - tigervnc11-rh522369.patch + - tigervnc11-rh551262.patch + - tigervnc11-r4002.patch + - tigervnc11-r4014.patch + +* Thu Apr 08 2010 Adam Tkac 1.0.90-0.9.20100219svn3993 +- add server-applet subpackage which contains Java vncviewer applet +- fix Java applet; it didn't work when run from web browser +- add xorg-x11-xkb-utils to server Requires + +* Fri Mar 12 2010 Adam Tkac 1.0.90-0.8.20100219svn3993 +- add French translation to vncviewer.desktop (thanks to Alain Portal) + +* Thu Mar 04 2010 Adam Tkac 1.0.90-0.7.20100219svn3993 +- don't crash during pixel format change (#522369, #551262) + +* Mon Mar 01 2010 Adam Tkac 1.0.90-0.6.20100219svn3993 +- add mesa-dri-drivers and xkeyboard-config to -server Requires +- update to r3993 1.0.90 snapshot + - tigervnc11-noexecstack.patch merged + - tigervnc11-xorg18.patch merged + - xserver18.patch is no longer needed + +* Wed Jan 27 2010 Jan Gorig 1.0.90-0.5.20091221svn3929 +- initscript LSB compliance fixes (#523974) + +* Fri Jan 22 2010 Adam Tkac 1.0.90-0.4.20091221svn3929 +- mark stack as non-executable in jpeg ASM code +- add xorg-x11-xauth to Requires +- add support for X.Org 1.8 +- drop shave sources, they are no longer needed + +* Thu Jan 21 2010 Adam Tkac 1.0.90-0.3.20091221svn3929 +- drop tigervnc-xorg25909.patch, it has been merged to X.Org upstream + +* Thu Jan 07 2010 Adam Tkac 1.0.90-0.2.20091221svn3929 +- add patch for upstream X.Org issue #25909 +- add libXdmcp-devel to build requires to build Xvnc with XDMCP support (#552322) + +* Mon Dec 21 2009 Adam Tkac 1.0.90-0.1.20091221svn3929 +- update to 1.0.90 snapshot +- patches merged + - tigervnc10-compat.patch + - tigervnc10-rh510185.patch + - tigervnc10-rh524340.patch + - tigervnc10-rh516274.patch + +* Mon Oct 26 2009 Adam Tkac 1.0.0-3 +- create Xvnc keyboard mapping before first keypress (#516274) + +* Thu Oct 08 2009 Adam Tkac 1.0.0-2 +- update underlying X source to 1.6.4-0.3.fc11 +- remove bogus '-nohttpd' parameter from /etc/sysconfig/vncservers (#525629) +- initscript LSB compliance fixes (#523974) +- improve -LowColorSwitch documentation and handling (#510185) +- honor dotWhenNoCursor option (and it's changes) every time (#524340) + +* Fri Aug 28 2009 Adam Tkac 1.0.0-1 +- update to 1.0.0 +- tigervnc10-rh495457.patch merged to upstream + +* Mon Aug 24 2009 Karsten Hopp 0.0.91-0.17 +- fix ifnarch s390x for server-module + +* Fri Aug 21 2009 Tomas Mraz - 0.0.91-0.16 +- rebuilt with new openssl + +* Tue Aug 04 2009 Adam Tkac 0.0.91-0.15 +- make Xvnc compilable + +* Sun Jul 26 2009 Fedora Release Engineering - 0.0.91-0.14.1 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Mon Jul 13 2009 Adam Tkac 0.0.91-0.13.1 +- don't write warning when initscript is called with condrestart param (#508367) + +* Tue Jun 23 2009 Adam Tkac 0.0.91-0.13 +- temporary use F11 Xserver base to make Xvnc compilable +- BuildRequires: libXi-devel +- don't ship tigervnc-server-module on s390/s390x + +* Mon Jun 22 2009 Adam Tkac 0.0.91-0.12 +- fix local rendering of cursor (#495457) + +* Thu Jun 18 2009 Adam Tkac 0.0.91-0.11 +- update to 0.0.91 (1.0.0 RC1) +- patches merged + - tigervnc10-rh499401.patch + - tigervnc10-rh497592.patch + - tigervnc10-rh501832.patch +- after discusion in upstream drop tigervnc-bounds.patch +- configure flags cleanup + +* Thu May 21 2009 Adam Tkac 0.0.90-0.10 +- rebuild against 1.6.1.901 X server (#497835) +- disable i18n, vncviewer is not UTF-8 compatible (#501832) + +* Mon May 18 2009 Adam Tkac 0.0.90-0.9 +- fix vncpasswd crash on long passwords (#499401) +- start session dbus daemon correctly (#497592) + +* Mon May 11 2009 Adam Tkac 0.0.90-0.8.1 +- remove merged tigervnc-manminor.patch + +* Tue May 05 2009 Adam Tkac 0.0.90-0.8 +- update to 0.0.90 + +* Thu Apr 30 2009 Adam Tkac 0.0.90-0.7.20090427svn3789 +- server package now requires xorg-x11-fonts-misc (#498184) + +* Mon Apr 27 2009 Adam Tkac 0.0.90-0.6.20090427svn3789 +- update to r3789 + - tigervnc-rh494801.patch merged +- tigervnc-newfbsize.patch is no longer needed +- fix problems when vncviewer and Xvnc run on different endianess (#496653) +- UltraVNC and TightVNC clients work fine again (#496786) + +* Wed Apr 08 2009 Adam Tkac 0.0.90-0.5.20090403svn3751 +- workaround broken fontpath handling in vncserver script (#494801) + +* Fri Apr 03 2009 Adam Tkac 0.0.90-0.4.20090403svn3751 +- update to r3751 +- patches merged + - tigervnc-xclients.patch + - tigervnc-clipboard.patch + - tigervnc-rh212985.patch +- basic RandR support in Xvnc (resize of the desktop) +- use built-in libjpeg (SSE2/MMX accelerated encoding on x86 platform) +- use Tight encoding by default +- use TigerVNC icons + +* Tue Mar 03 2009 Adam Tkac 0.0.90-0.3.20090303svn3631 +- update to r3631 + +* Tue Mar 03 2009 Adam Tkac 0.0.90-0.2.20090302svn3621 +- package review related fixes + +* Mon Mar 02 2009 Adam Tkac 0.0.90-0.1.20090302svn3621 +- initial package, r3621