Update the window manager (wm) module (support starting
gnome-shell from an X terminal).
Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/wm.if | 27 +++++++++++++++++++++++++++
policy/modules/contrib/wm.te | 7 ++++++-
2 files changed, 33 insertions(+), 1 deletion(-)
diff -pru refpolicy-2.20170204-orig/policy/modules/contrib/wm.if refpolicy-2.20170204/policy/modules/contrib/wm.if
--- refpolicy-2.20170204-orig/policy/modules/contrib/wm.if 2016-12-22 22:03:34.000000000 +0100
+++ refpolicy-2.20170204/policy/modules/contrib/wm.if 2017-04-13 14:05:06.957330403 +0200
@@ -73,6 +73,8 @@ template(`wm_role_template',`
xserver_role($2, $1_wm_t)
xserver_manage_core_devices($1_wm_t)
+ wm_write_pipes($1, $3)
+
optional_policy(`
dbus_connect_spec_session_bus($1, $1_wm_t)
dbus_spec_session_bus_client($1, $1_wm_t)
@@ -219,3 +221,28 @@ interface(`wm_application_domain',`
userdom_user_application_domain($1, $2)
domtrans_pattern(wm_domain, $2, $1)
')
+
+########################################
+### <summary>
+### Write wm unnamed pipes.
+### </summary>
+## <param name="role_prefix">
+### <summary>
+### The prefix of the user domain (e.g., user
+### is the prefix for user_t).
+### </summary>
+### </param>
+### <param name="domain">
+### <summary>
+### Domain allowed access.
+### </summary>
+### </param>
+### </param>
+##
+interface(`wm_write_pipes',`
+ gen_require(`
+ type $1_t;
+ ')
+
+ allow $2 $1_wm_t:fifo_file write;
+')
diff -pru refpolicy-2.20170204-orig/policy/modules/contrib/wm.te refpolicy-2.20170204/policy/modules/contrib/wm.te
--- refpolicy-2.20170204-orig/policy/modules/contrib/wm.te 2017-02-04 19:30:47.000000000 +0100
+++ refpolicy-2.20170204/policy/modules/contrib/wm.te 2017-04-13 14:05:26.993330321 +0200
@@ -64,19 +64,24 @@ kernel_read_fs_sysctls(wm_domain)
kernel_read_proc_symlinks(wm_domain)
kernel_read_sysctl(wm_domain)
+locallogin_dontaudit_use_fds(wm_domain)
+
miscfiles_read_fonts(wm_domain)
miscfiles_read_generic_certs(wm_domain)
miscfiles_read_localization(wm_domain)
udev_read_pid_files(wm_domain)
-# this is needed by gnome-shell
+# the following is needed by gnome-shell
userdom_exec_user_home_content_files(wm_domain)
userdom_manage_user_tmp_sockets(wm_domain)
userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file)
+# to print error messages
+userdom_use_user_terminals(wm_domain)
+
userdom_manage_user_home_content_dirs(wm_domain)
userdom_manage_user_home_content_files(wm_domain)
2017-04-14 1:24 GMT+02:00 Guido Trentalancia via refpolicy
<[email protected]>:
> Update the window manager (wm) module (support starting
> gnome-shell from an X terminal).
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/wm.if | 27 +++++++++++++++++++++++++++
> policy/modules/contrib/wm.te | 7 ++++++-
> 2 files changed, 33 insertions(+), 1 deletion(-)
>
> diff -pru refpolicy-2.20170204-orig/policy/modules/contrib/wm.if refpolicy-2.20170204/policy/modules/contrib/wm.if
> --- refpolicy-2.20170204-orig/policy/modules/contrib/wm.if 2016-12-22 22:03:34.000000000 +0100
> +++ refpolicy-2.20170204/policy/modules/contrib/wm.if 2017-04-13 14:05:06.957330403 +0200
> @@ -73,6 +73,8 @@ template(`wm_role_template',`
> xserver_role($2, $1_wm_t)
> xserver_manage_core_devices($1_wm_t)
>
> + wm_write_pipes($1, $3)
> +
> optional_policy(`
> dbus_connect_spec_session_bus($1, $1_wm_t)
> dbus_spec_session_bus_client($1, $1_wm_t)
> @@ -219,3 +221,28 @@ interface(`wm_application_domain',`
> userdom_user_application_domain($1, $2)
> domtrans_pattern(wm_domain, $2, $1)
> ')
> +
> +########################################
> +### <summary>
> +### Write wm unnamed pipes.
> +### </summary>
> +## <param name="role_prefix">
> +### <summary>
> +### The prefix of the user domain (e.g., user
> +### is the prefix for user_t).
> +### </summary>
> +### </param>
> +### <param name="domain">
> +### <summary>
> +### Domain allowed access.
> +### </summary>
> +### </param>
> +### </param>
> +##
> +interface(`wm_write_pipes',`
> + gen_require(`
> + type $1_t;
> + ')
> +
> + allow $2 $1_wm_t:fifo_file write;
> +')
> diff -pru refpolicy-2.20170204-orig/policy/modules/contrib/wm.te refpolicy-2.20170204/policy/modules/contrib/wm.te
> --- refpolicy-2.20170204-orig/policy/modules/contrib/wm.te 2017-02-04 19:30:47.000000000 +0100
> +++ refpolicy-2.20170204/policy/modules/contrib/wm.te 2017-04-13 14:05:26.993330321 +0200
> @@ -64,19 +64,24 @@ kernel_read_fs_sysctls(wm_domain)
> kernel_read_proc_symlinks(wm_domain)
> kernel_read_sysctl(wm_domain)
>
> +locallogin_dontaudit_use_fds(wm_domain)
> +
> miscfiles_read_fonts(wm_domain)
> miscfiles_read_generic_certs(wm_domain)
> miscfiles_read_localization(wm_domain)
>
> udev_read_pid_files(wm_domain)
>
> -# this is needed by gnome-shell
> +# the following is needed by gnome-shell
> userdom_exec_user_home_content_files(wm_domain)
>
> userdom_manage_user_tmp_sockets(wm_domain)
> userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
> userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file)
>
> +# to print error messages
> +userdom_use_user_terminals(wm_domain)
maybe userdom_use_inherited_user_terminals()?
> +
> userdom_manage_user_home_content_dirs(wm_domain)
> userdom_manage_user_home_content_files(wm_domain)
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
Hello.
Thanks for getting back on this and for your tip.
I think it should be possibile to curb on the "open" permission and use userdom_use_inherited_user_terminals() instead of userdom_use_user_terminals().
However, before submitting a revised patch, I would prefer to test it again and at the moment, I do not have access to the development system.
I will get back as soon as possible and hopefully improve this patch as you suggested.
Best regards,
Guido
On the 14th of April 2017 11:35:05 CEST, "Christian G?ttsche" <[email protected]> wrote:
>2017-04-14 1:24 GMT+02:00 Guido Trentalancia via refpolicy
><[email protected]>:
>> Update the window manager (wm) module (support starting
>> gnome-shell from an X terminal).
>>
>> Signed-off-by: Guido Trentalancia <[email protected]>
>> ---
>> policy/modules/contrib/wm.if | 27 +++++++++++++++++++++++++++
>> policy/modules/contrib/wm.te | 7 ++++++-
>> 2 files changed, 33 insertions(+), 1 deletion(-)
>>
>> diff -pru refpolicy-2.20170204-orig/policy/modules/contrib/wm.if
>refpolicy-2.20170204/policy/modules/contrib/wm.if
>> --- refpolicy-2.20170204-orig/policy/modules/contrib/wm.if
>2016-12-22 22:03:34.000000000 +0100
>> +++ refpolicy-2.20170204/policy/modules/contrib/wm.if 2017-04-13
>14:05:06.957330403 +0200
>> @@ -73,6 +73,8 @@ template(`wm_role_template',`
>> xserver_role($2, $1_wm_t)
>> xserver_manage_core_devices($1_wm_t)
>>
>> + wm_write_pipes($1, $3)
>> +
>> optional_policy(`
>> dbus_connect_spec_session_bus($1, $1_wm_t)
>> dbus_spec_session_bus_client($1, $1_wm_t)
>> @@ -219,3 +221,28 @@ interface(`wm_application_domain',`
>> userdom_user_application_domain($1, $2)
>> domtrans_pattern(wm_domain, $2, $1)
>> ')
>> +
>> +########################################
>> +### <summary>
>> +### Write wm unnamed pipes.
>> +### </summary>
>> +## <param name="role_prefix">
>> +### <summary>
>> +### The prefix of the user domain (e.g., user
>> +### is the prefix for user_t).
>> +### </summary>
>> +### </param>
>> +### <param name="domain">
>> +### <summary>
>> +### Domain allowed access.
>> +### </summary>
>> +### </param>
>> +### </param>
>> +##
>> +interface(`wm_write_pipes',`
>> + gen_require(`
>> + type $1_t;
>> + ')
>> +
>> + allow $2 $1_wm_t:fifo_file write;
>> +')
>> diff -pru refpolicy-2.20170204-orig/policy/modules/contrib/wm.te
>refpolicy-2.20170204/policy/modules/contrib/wm.te
>> --- refpolicy-2.20170204-orig/policy/modules/contrib/wm.te
>2017-02-04 19:30:47.000000000 +0100
>> +++ refpolicy-2.20170204/policy/modules/contrib/wm.te 2017-04-13
>14:05:26.993330321 +0200
>> @@ -64,19 +64,24 @@ kernel_read_fs_sysctls(wm_domain)
>> kernel_read_proc_symlinks(wm_domain)
>> kernel_read_sysctl(wm_domain)
>>
>> +locallogin_dontaudit_use_fds(wm_domain)
>> +
>> miscfiles_read_fonts(wm_domain)
>> miscfiles_read_generic_certs(wm_domain)
>> miscfiles_read_localization(wm_domain)
>>
>> udev_read_pid_files(wm_domain)
>>
>> -# this is needed by gnome-shell
>> +# the following is needed by gnome-shell
>> userdom_exec_user_home_content_files(wm_domain)
>>
>> userdom_manage_user_tmp_sockets(wm_domain)
>> userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
>> userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file)
>>
>> +# to print error messages
>> +userdom_use_user_terminals(wm_domain)
>
>maybe userdom_use_inherited_user_terminals()?
>
>> +
>> userdom_manage_user_home_content_dirs(wm_domain)
>> userdom_manage_user_home_content_files(wm_domain)
>>
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
Update the window manager (wm) module (support starting
gnome-shell from an X terminal).
This second version curbs on an open permission when dealing with the user terminal (terminal is already opened by the X terminal application, thanks to Christian G?ttsche for the tip).
Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/wm.if | 27 +++++++++++++++++++++++++++
policy/modules/contrib/wm.te | 7 ++++++-
2 files changed, 33 insertions(+), 1 deletion(-)
diff -pru refpolicy-2.20170204-orig/policy/modules/contrib/wm.if refpolicy-2.20170204/policy/modules/contrib/wm.if
--- refpolicy-2.20170204-orig/policy/modules/contrib/wm.if 2016-12-22 22:03:34.000000000 +0100
+++ refpolicy-2.20170204/policy/modules/contrib/wm.if 2017-04-13 14:05:06.957330403 +0200
@@ -73,6 +73,8 @@ template(`wm_role_template',`
xserver_role($2, $1_wm_t)
xserver_manage_core_devices($1_wm_t)
+ wm_write_pipes($1, $3)
+
optional_policy(`
dbus_connect_spec_session_bus($1, $1_wm_t)
dbus_spec_session_bus_client($1, $1_wm_t)
@@ -219,3 +221,28 @@ interface(`wm_application_domain',`
userdom_user_application_domain($1, $2)
domtrans_pattern(wm_domain, $2, $1)
')
+
+########################################
+### <summary>
+### Write wm unnamed pipes.
+### </summary>
+## <param name="role_prefix">
+### <summary>
+### The prefix of the user domain (e.g., user
+### is the prefix for user_t).
+### </summary>
+### </param>
+### <param name="domain">
+### <summary>
+### Domain allowed access.
+### </summary>
+### </param>
+### </param>
+##
+interface(`wm_write_pipes',`
+ gen_require(`
+ type $1_t;
+ ')
+
+ allow $2 $1_wm_t:fifo_file write;
+')
diff -pru refpolicy-2.20170204-orig/policy/modules/contrib/wm.te refpolicy-2.20170204/policy/modules/contrib/wm.te
--- refpolicy-2.20170204-orig/policy/modules/contrib/wm.te 2017-02-04 19:30:47.000000000 +0100
+++ refpolicy-2.20170204/policy/modules/contrib/wm.te 2017-04-13 14:05:26.993330321 +0200
@@ -64,19 +64,24 @@ kernel_read_fs_sysctls(wm_domain)
kernel_read_proc_symlinks(wm_domain)
kernel_read_sysctl(wm_domain)
+locallogin_dontaudit_use_fds(wm_domain)
+
miscfiles_read_fonts(wm_domain)
miscfiles_read_generic_certs(wm_domain)
miscfiles_read_localization(wm_domain)
udev_read_pid_files(wm_domain)
-# this is needed by gnome-shell
+# the following is needed by gnome-shell
userdom_exec_user_home_content_files(wm_domain)
userdom_manage_user_tmp_sockets(wm_domain)
userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file)
+# to print error messages
+userdom_use_inherited_user_terminals(wm_domain)
+
userdom_manage_user_home_content_dirs(wm_domain)
userdom_manage_user_home_content_files(wm_domain)