Add vncsession-restore script to restore SELinux context

The vncsession-restore script is used in the ExecStartPre option
for systemd service file in order to properly start the session
in case the policy is updated (e.g. after Tigervnc update).

unix/vncserver/CMakeLists.txt

@@ -2,6 +2,7 @@ add_executable(vncsession vncsession.c)
 target_link_libraries(vncsession ${PAM_LIBS} ${SELINUX_LIBS})
 
 configure_file([email protected] [email protected] @ONLY)
+configure_file(vncsession-restore.in vncsession-restore @ONLY)
 configure_file(vncsession-start.in vncsession-start @ONLY)
 configure_file(vncserver.in vncserver @ONLY)
 configure_file(vncsession.man.in vncsession.man @ONLY)
@@ -20,4 +21,5 @@ install(FILES HOWTO.md DESTINATION ${CMAKE_INSTALL_FULL_DOCDIR})
 if(INSTALL_SYSTEMD_UNITS)
   install(FILES ${CMAKE_CURRENT_BINARY_DIR}/[email protected] DESTINATION ${CMAKE_INSTALL_FULL_UNITDIR})
   install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/vncsession-start DESTINATION ${CMAKE_INSTALL_FULL_LIBEXECDIR})
+  install(PROGRAMS ${CMAKE_CURRENT_BINARY_DIR}/vncsession-restore DESTINATION ${CMAKE_INSTALL_FULL_LIBEXECDIR})
 endif()

unix/vncserver/vncserver@.service.in

@@ -35,6 +35,7 @@ After=syslog.target network.target
 
 [Service]
 Type=forking
+ExecStartPre=+@CMAKE_INSTALL_FULL_LIBEXECDIR@/vncsession-restore %i
 ExecStart=@CMAKE_INSTALL_FULL_LIBEXECDIR@/vncsession-start %i
 PIDFile=/run/vncsession-%i.pid
 SELinuxContext=system_u:system_r:vnc_session_t:s0

unix/vncserver/vncsession-restore.in

@@ -0,0 +1,68 @@
+#!/bin/bash
+#
+#  Copyright 2022 Jan Grulich <[email protected]>
+#
+#  This is free software; you can redistribute it and/or modify
+#  it under the terms of the GNU General Public License as published by
+#  the Free Software Foundation; either version 2 of the License, or
+#  (at your option) any later version.
+#
+#  This software is distributed in the hope that it will be useful,
+#  but WITHOUT ANY WARRANTY; without even the implied warranty of
+#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#  GNU General Public License for more details.
+#
+#  You should have received a copy of the GNU General Public License
+#  along with this software; if not, write to the Free Software
+#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307,
+#  USA.
+#
+
+USERSFILE="@CMAKE_INSTALL_FULL_SYSCONFDIR@/tigervnc/vncserver.users"
+
+if [ $# -ne 1 ]; then
+	echo "Syntax:" >&2
+	echo "    $0 <display>" >&2
+	exit 1
+fi
+
+if [ ! -f "${USERSFILE}" ]; then
+	echo "Users file ${USERSFILE} missing" >&2
+	exit 1
+fi
+
+DISPLAY="$1"
+
+USER=`grep "^ *${DISPLAY}=" "${USERSFILE}" 2>/dev/null | head -1 | cut -d = -f 2- | sed 's/ *$//g'`
+
+if [ -z "${USER}" ]; then
+	echo "No user configured for display ${DISPLAY}" >&2
+	exit 1
+fi
+
+USER_HOMEDIR=`getent passwd ${USER} | cut -f6 -d:`
+
+if [ -z "${USER_HOMEDIR}" ]; then
+	echo "Failed to get home directory for ${USER}" >&2
+	exit 1
+fi
+
+if [ ! -d "${USER_HOMEDIR}/.vnc" ]; then
+	exit 0
+fi
+
+SELABEL_LOOKUP=`which selabel_lookup`
+
+if [ $? -eq 0 ]; then
+	matchpathcon -V "${USER_HOMEDIR}/.vnc" &>/dev/null
+	if [ $? -eq 0 ]; then
+		exit 0
+	fi
+fi
+
+RESTORECON=`which restorecon`
+
+if [ $? -eq 0 ]; then
+	exec "${RESTORECON}" "${USER_HOMEDIR}/.vnc" >&2
+	return $?
+fi