2016-12-07 17:00:53

by guido

Subject: [refpolicy] [PATCH] wm: update the window manager (wm) module and enable its role template

Enable the window manager role (wm contrib module) and update
the module to work with gnome-shell.

This patch might need some more testing.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/pulseaudio.if | 19 +++++++++++
policy/modules/contrib/wm.if | 44 +++++++++++++++++++++++++
policy/modules/contrib/wm.te | 60 +++++++++++++++++++++++++++++++++++
policy/modules/roles/staff.te | 1
policy/modules/roles/sysadm.te | 1
policy/modules/roles/unprivuser.te | 1
6 files changed, 126 insertions(+)

diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/pulseaudio.if refpolicy-git-07122016/policy/modules/contrib/pulseaudio.if
--- refpolicy-git-07122016-orig/policy/modules/contrib/pulseaudio.if 2016-09-27 16:28:51.964139648 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/pulseaudio.if 2016-12-07 15:10:27.059274266 +0100
@@ -424,3 +424,22 @@ interface(`pulseaudio_rw_tmpfs_files',`
fs_search_tmpfs($1)
rw_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
')
+
+#######################################
+## <summary>
+## Manage pulseaudio tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_manage_tmpfs_files',`
+ gen_require(`
+ type pulseaudio_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
+')
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.if refpolicy-git-07122016/policy/modules/contrib/wm.if
--- refpolicy-git-07122016-orig/policy/modules/contrib/wm.if 2016-08-14 21:28:11.597521187 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/wm.if 2016-12-07 15:35:20.731380616 +0100
@@ -47,6 +47,8 @@ template(`wm_role_template',`
# Policy
#

+ allow $3 $1_wm_t:fd use;
+
allow $1_wm_t $3:unix_stream_socket connectto;
allow $3 $1_wm_t:unix_stream_socket connectto;

@@ -72,6 +74,7 @@ template(`wm_role_template',`
xserver_manage_core_devices($1_wm_t)

optional_policy(`
+ dbus_connect_spec_session_bus($1, $1_wm_t)
dbus_spec_session_bus_client($1, $1_wm_t)
dbus_system_bus_client($1_wm_t)

@@ -81,11 +84,14 @@ template(`wm_role_template',`
')

optional_policy(`
+ gnome_dbus_chat_gkeyringd($1, $1_wm_t)
gnome_stream_connect_gkeyringd($1, $1_wm_t)
')

optional_policy(`
pulseaudio_run($1_wm_t, $2)
+ pulseaudio_manage_tmpfs_files($1_wm_t)
+ pulseaudio_use_fds($1_wm_t)
')
')

@@ -134,3 +140,41 @@ interface(`wm_dbus_chat',`
allow $2 $1_wm_t:dbus send_msg;
allow $1_wm_t $2:dbus send_msg;
')
+
+########################################
+## <summary>
+## Do not audit attempts to execute
+## files in temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`wm_dontaudit_exec_tmp_files',`
+ gen_require(`
+ type wm_tmp_t;
+ ')
+
+ dontaudit $1 wm_tmp_t:file exec_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to execute
+## files in temporary filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`wm_dontaudit_exec_tmpfs_files',`
+ gen_require(`
+ type wm_tmpfs_t;
+ ')
+
+ dontaudit $1 wm_tmpfs_t:file exec_file_perms;
+')
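Review bot: The summaries of `wm_dontaudit_exec_tmp_files` and `wm_dontaudit_exec_tmpfs_files` read as if they covered every file in temporary directories, but the rules name only `wm_tmp_t` and `wm_tmpfs_t`. I would word them `## Do not audit attempts to execute wm temporary files.` and `## Do not audit attempts to execute wm tmpfs files.` so the scope is clear from the generated interface documentation. Within this patch the only calls are in wm.te on wm_domain; refpolicy modules normally write rules on their own types directly, so the two `dontaudit` rules could go there instead of through the module's own interfaces. The v2 posting repeats this hunk unchanged.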
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.te refpolicy-git-07122016/policy/modules/contrib/wm.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/wm.te 2016-10-29 16:29:19.762328008 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/wm.te 2016-12-07 17:31:22.224279047 +0100
@@ -10,6 +10,14 @@ attribute wm_domain;
type wm_exec_t;
corecmd_executable_file(wm_exec_t)

+type wm_tmp_t;
+typealias wm_tmp_t alias { user_wm_tmp_t staff_wm_tmp_t sysadm_wm_tmp_t };
+userdom_user_tmp_file(wm_tmp_t)
+
+type wm_tmpfs_t;
+typealias wm_tmpfs_t alias { user_wm_tmpfs_t staff_wm_tmpfs_t sysadm_wm_tmpfs_t };
+userdom_user_tmpfs_file(wm_tmpfs_t)
+
########################################
#
# Common wm domain local policy
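Review bot: The two `typealias` lines declare `user_wm_tmp_t`, `staff_wm_tmp_t`, `sysadm_wm_tmp_t` and the matching tmpfs names as aliases, yet `wm_tmp_t` and `wm_tmpfs_t` are themselves introduced by this hunk. An alias is useful only when an earlier policy release defined the old names; nothing in the patch shows that per-role wm tmp types ever existed, and if they did not, the aliases only add names that look like separate types to someone auditing the policy. Either drop both `typealias` lines or add a comment stating which release defined the per-role types. The v2 posting carries the same lines.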
@@ -21,31 +29,60 @@ allow wm_domain self:netlink_kobject_uev
allow wm_domain self:shm create_shm_perms;
allow wm_domain self:unix_dgram_socket create_socket_perms;

+manage_dirs_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
+manage_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
+manage_lnk_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
+files_tmp_filetrans(wm_domain, wm_tmp_t, { dir file lnk_file })
+
+manage_dirs_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
+manage_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
+manage_lnk_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
+fs_tmpfs_filetrans(wm_domain, wm_tmpfs_t, { dir file lnk_file })
+
+can_exec(wm_domain, wm_exec_t)
+
kernel_read_system_state(wm_domain)

corecmd_getattr_all_executables(wm_domain)

+dev_read_rand(wm_domain)
dev_read_sound(wm_domain)
dev_read_sysfs(wm_domain)
dev_read_urand(wm_domain)
+dev_rw_dri(wm_domain)
dev_rw_wireless(wm_domain)
dev_write_sound(wm_domain)

+files_read_etc_runtime_files(wm_domain)
files_read_usr_files(wm_domain)

fs_getattr_all_fs(wm_domain)

+kernel_read_fs_sysctls(wm_domain)
+kernel_read_proc_symlinks(wm_domain)
+kernel_read_sysctl(wm_domain)
+
miscfiles_read_fonts(wm_domain)
+miscfiles_read_generic_certs(wm_domain)
miscfiles_read_localization(wm_domain)

+udev_read_pid_files(wm_domain)
+
+# this is needed by gnome-shell
+userdom_exec_user_home_content_files(wm_domain)
+
userdom_manage_user_tmp_sockets(wm_domain)
userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file)

userdom_manage_user_home_content_dirs(wm_domain)
userdom_manage_user_home_content_files(wm_domain)
+
userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file })

+wm_dontaudit_exec_tmp_files(wm_domain)
+wm_dontaudit_exec_tmpfs_files(wm_domain)
+
optional_policy(`
accountsd_dbus_chat(wm_domain)
')
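Review bot: `userdom_exec_user_home_content_files(wm_domain)` is added a few lines above the existing `userdom_manage_user_home_content_files(wm_domain)`, so every domain in wm_domain can now both write user home content and execute it. As far as I know this exec interface grants execution without a domain transition, so anything written into the home directory would run with the window manager's own access, including the session bus and keyring rules from the role template. Limiting the execute permission to a dedicated type for the files gnome-shell runs, rather than all user home content, would keep the write and execute sets apart. The v2 posting repeats these lines.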
@@ -55,10 +92,29 @@ optional_policy(`
')

optional_policy(`
+ consolekit_dbus_chat(wm_domain)
+')
+
+optional_policy(`
devicekit_dbus_chat_power(wm_domain)
')

optional_policy(`
+ evolution_dbus_chat(wm_domain)
+ evolution_alarm_dbus_chat(wm_domain)
+ evolution_domtrans(wm_domain)
+')
+
+optional_policy(`
+ java_domtrans(wm_domain)
+')
+
+optional_policy(`
+ mozilla_domtrans(wm_domain)
+ mozilla_dbus_chat(wm_domain)
+')
+
+optional_policy(`
networkmanager_dbus_chat(wm_domain)
')

@@ -71,5 +127,9 @@ optional_policy(`
')

optional_policy(`
+ telepathy_mission_control_dbus_chat(wm_domain)
+')
+
+optional_policy(`
userhelper_exec_consolehelper(wm_domain)
')
diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/staff.te refpolicy-git-07122016/policy/modules/roles/staff.te
--- refpolicy-git-07122016-orig/policy/modules/roles/staff.te 2016-12-07 13:39:08.669449296 +0100
+++ refpolicy-git-07122016/policy/modules/roles/staff.te 2016-12-07 14:25:33.901912856 +0100
@@ -85,6 +85,7 @@ ifndef(`distro_redhat',`

optional_policy(`
gnome_role_template(staff, staff_r, staff_t)
+ wm_role_template(staff, staff_r, staff_t)
')

optional_policy(`
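Review bot: `wm_role_template(staff, staff_r, staff_t)` is placed inside the optional_policy block that already holds `gnome_role_template(staff, staff_r, staff_t)`, and an optional block is enabled or dropped as a whole. If the wm module is absent the gnome role template is silently lost too, and if the gnome module is absent no wm role is created for users of other window managers. Give the call its own optional_policy block containing only `wm_role_template(staff, staff_r, staff_t)`. The sysadm.te and unprivuser.te hunks have the same construction, as do all three in the v2 posting; the block appears to sit inside the ifndef named in the hunk header, which starts and ends outside these hunks.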
diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te refpolicy-git-07122016/policy/modules/roles/sysadm.te
--- refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te 2016-12-07 13:39:08.669449296 +0100
+++ refpolicy-git-07122016/policy/modules/roles/sysadm.te 2016-12-07 14:25:47.421044474 +0100
@@ -1245,6 +1245,7 @@ ifndef(`distro_redhat',`

optional_policy(`
gnome_role_template(sysadm, sysadm_r, sysadm_t)
+ wm_role_template(sysadm, sysadm_r, sysadm_t)
')
')

diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te refpolicy-git-07122016/policy/modules/roles/unprivuser.te
--- refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te 2016-12-07 13:39:08.669449296 +0100
+++ refpolicy-git-07122016/policy/modules/roles/unprivuser.te 2016-12-07 14:25:08.289662967 +0100
@@ -54,6 +54,7 @@ ifndef(`distro_redhat',`

optional_policy(`
gnome_role_template(user, user_r, user_t)
+ wm_role_template(user, user_r, user_t)
')

optional_policy(`


2016-12-08 17:20:18

by guido

Subject: [refpolicy] [PATCH v2] wm: update the window manager (wm) module and enable its role template

Enable the window manager role (wm contrib module) and update
the module to work with gnome-shell.

This second version introduces better integration with common
desktop applications and requires the following recently posted
patch for the games module:

[PATCH 1/2] games: general update and improved pulseaudio integration
http://oss.tresys.com/pipermail/refpolicy/2016-December/008650.html

This patch might need some more testing.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/pulseaudio.if | 19 +++++++++
policy/modules/contrib/wm.if | 44 +++++++++++++++++++++
policy/modules/contrib/wm.te | 73 +++++++++++++++++++++++++++++++++++
policy/modules/roles/staff.te | 1
policy/modules/roles/sysadm.te | 1
policy/modules/roles/unprivuser.te | 1
6 files changed, 139 insertions(+)

diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/pulseaudio.if refpolicy-git-07122016/policy/modules/contrib/pulseaudio.if
--- refpolicy-git-07122016-orig/policy/modules/contrib/pulseaudio.if 2016-09-27 16:28:51.964139648 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/pulseaudio.if 2016-12-08 15:47:40.117740787 +0100
@@ -424,3 +424,22 @@ interface(`pulseaudio_rw_tmpfs_files',`
fs_search_tmpfs($1)
rw_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
')
+
+#######################################
+## <summary>
+## Manage pulseaudio tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_manage_tmpfs_files',`
+ gen_require(`
+ type pulseaudio_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
+')
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.if refpolicy-git-07122016/policy/modules/contrib/wm.if
--- refpolicy-git-07122016-orig/policy/modules/contrib/wm.if 2016-08-14 21:28:11.597521187 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/wm.if 2016-12-08 15:47:40.118740804 +0100
@@ -47,6 +47,8 @@ template(`wm_role_template',`
# Policy
#

+ allow $3 $1_wm_t:fd use;
+
allow $1_wm_t $3:unix_stream_socket connectto;
allow $3 $1_wm_t:unix_stream_socket connectto;

@@ -72,6 +74,7 @@ template(`wm_role_template',`
xserver_manage_core_devices($1_wm_t)

optional_policy(`
+ dbus_connect_spec_session_bus($1, $1_wm_t)
dbus_spec_session_bus_client($1, $1_wm_t)
dbus_system_bus_client($1_wm_t)

@@ -81,11 +84,14 @@ template(`wm_role_template',`
')

optional_policy(`
+ gnome_dbus_chat_gkeyringd($1, $1_wm_t)
gnome_stream_connect_gkeyringd($1, $1_wm_t)
')

optional_policy(`
pulseaudio_run($1_wm_t, $2)
+ pulseaudio_manage_tmpfs_files($1_wm_t)
+ pulseaudio_use_fds($1_wm_t)
')
')

@@ -134,3 +140,41 @@ interface(`wm_dbus_chat',`
allow $2 $1_wm_t:dbus send_msg;
allow $1_wm_t $2:dbus send_msg;
')
+
+########################################
+## <summary>
+## Do not audit attempts to execute
+## files in temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`wm_dontaudit_exec_tmp_files',`
+ gen_require(`
+ type wm_tmp_t;
+ ')
+
+ dontaudit $1 wm_tmp_t:file exec_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to execute
+## files in temporary filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`wm_dontaudit_exec_tmpfs_files',`
+ gen_require(`
+ type wm_tmpfs_t;
+ ')
+
+ dontaudit $1 wm_tmpfs_t:file exec_file_perms;
+')
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.te refpolicy-git-07122016/policy/modules/contrib/wm.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/wm.te 2016-10-29 16:29:19.762328008 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/wm.te 2016-12-08 17:57:40.843768477 +0100
@@ -10,6 +10,14 @@ attribute wm_domain;
type wm_exec_t;
corecmd_executable_file(wm_exec_t)

+type wm_tmp_t;
+typealias wm_tmp_t alias { user_wm_tmp_t staff_wm_tmp_t sysadm_wm_tmp_t };
+userdom_user_tmp_file(wm_tmp_t)
+
+type wm_tmpfs_t;
+typealias wm_tmpfs_t alias { user_wm_tmpfs_t staff_wm_tmpfs_t sysadm_wm_tmpfs_t };
+userdom_user_tmpfs_file(wm_tmpfs_t)
+
########################################
#
# Common wm domain local policy
@@ -21,31 +29,60 @@ allow wm_domain self:netlink_kobject_uev
allow wm_domain self:shm create_shm_perms;
allow wm_domain self:unix_dgram_socket create_socket_perms;

+manage_dirs_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
+manage_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
+manage_lnk_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
+files_tmp_filetrans(wm_domain, wm_tmp_t, { dir file lnk_file })
+
+manage_dirs_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
+manage_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
+manage_lnk_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
+fs_tmpfs_filetrans(wm_domain, wm_tmpfs_t, { dir file lnk_file })
+
+can_exec(wm_domain, wm_exec_t)
+
kernel_read_system_state(wm_domain)

corecmd_getattr_all_executables(wm_domain)

+dev_read_rand(wm_domain)
dev_read_sound(wm_domain)
dev_read_sysfs(wm_domain)
dev_read_urand(wm_domain)
+dev_rw_dri(wm_domain)
dev_rw_wireless(wm_domain)
dev_write_sound(wm_domain)

+files_read_etc_runtime_files(wm_domain)
files_read_usr_files(wm_domain)

fs_getattr_all_fs(wm_domain)

+kernel_read_fs_sysctls(wm_domain)
+kernel_read_proc_symlinks(wm_domain)
+kernel_read_sysctl(wm_domain)
+
miscfiles_read_fonts(wm_domain)
+miscfiles_read_generic_certs(wm_domain)
miscfiles_read_localization(wm_domain)

+udev_read_pid_files(wm_domain)
+
+# this is needed by gnome-shell
+userdom_exec_user_home_content_files(wm_domain)
+
userdom_manage_user_tmp_sockets(wm_domain)
userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file)

userdom_manage_user_home_content_dirs(wm_domain)
userdom_manage_user_home_content_files(wm_domain)
+
userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file })

+wm_dontaudit_exec_tmp_files(wm_domain)
+wm_dontaudit_exec_tmpfs_files(wm_domain)
+
optional_policy(`
accountsd_dbus_chat(wm_domain)
')
@@ -55,10 +92,42 @@ optional_policy(`
')

optional_policy(`
+ consolekit_dbus_chat(wm_domain)
+')
+
+optional_policy(`
devicekit_dbus_chat_power(wm_domain)
')

optional_policy(`
+ evolution_dbus_chat(wm_domain)
+ evolution_alarm_dbus_chat(wm_domain)
+ evolution_domtrans(wm_domain)
+')
+
+optional_policy(`
+ games_dbus_chat(wm_domain)
+ games_domtrans(wm_domain)
+')
+
+optional_policy(`
+ java_domtrans(wm_domain)
+')
+
+optional_policy(`
+ mono_domtrans(wm_domain)
+')
+
+optional_policy(`
+ mozilla_domtrans(wm_domain)
+ mozilla_dbus_chat(wm_domain)
+')
+
+optional_policy(`
+ mplayer_domtrans(wm_domain)
+')
+
+optional_policy(`
networkmanager_dbus_chat(wm_domain)
')

@@ -71,5 +140,9 @@ optional_policy(`
')

optional_policy(`
+ telepathy_mission_control_dbus_chat(wm_domain)
+')
+
+optional_policy(`
userhelper_exec_consolehelper(wm_domain)
')
diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/staff.te refpolicy-git-07122016/policy/modules/roles/staff.te
--- refpolicy-git-07122016-orig/policy/modules/roles/staff.te 2016-12-07 13:39:08.669449296 +0100
+++ refpolicy-git-07122016/policy/modules/roles/staff.te 2016-12-08 15:47:40.140741170 +0100
@@ -85,6 +85,7 @@ ifndef(`distro_redhat',`

optional_policy(`
gnome_role_template(staff, staff_r, staff_t)
+ wm_role_template(staff, staff_r, staff_t)
')

optional_policy(`
diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te refpolicy-git-07122016/policy/modules/roles/sysadm.te
--- refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te 2016-12-07 13:39:08.669449296 +0100
+++ refpolicy-git-07122016/policy/modules/roles/sysadm.te 2016-12-08 15:47:40.141741187 +0100
@@ -1245,6 +1245,7 @@ ifndef(`distro_redhat',`

optional_policy(`
gnome_role_template(sysadm, sysadm_r, sysadm_t)
+ wm_role_template(sysadm, sysadm_r, sysadm_t)
')
')

diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te refpolicy-git-07122016/policy/modules/roles/unprivuser.te
--- refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te 2016-12-07 13:39:08.669449296 +0100
+++ refpolicy-git-07122016/policy/modules/roles/unprivuser.te 2016-12-08 15:47:40.141741187 +0100
@@ -54,6 +54,7 @@ ifndef(`distro_redhat',`

optional_policy(`
gnome_role_template(user, user_r, user_t)
+ wm_role_template(user, user_r, user_t)
')

optional_policy(`

2016-12-08 17:51:20

by Dac Override

Subject: [refpolicy] [PATCH v2] wm: update the window manager (wm) module and enable its role template

i
On 12/08/2016 06:20 PM, Guido Trentalancia via refpolicy wrote:
> Enable the window manager role (wm contrib module) and update
> the module to work with gnome-shell.
>
> This second version introduces better integration with common
> desktop applications and requires the following recently posted
> patch for the games module:
>
> [PATCH 1/2] games: general update and improved pulseaudio integration
> http://oss.tresys.com/pipermail/refpolicy/2016-December/008650.html
>
> This patch might need some more testing.

Yes, i dont think this should be merged.

Also, gnome-shell is a wm, but not every wm needs the permissions that
gnome-shell needs. We should either give gnome-shell its own domain or
add the gnome-shell specific rules to a tunable.

For example: gnome-shell is a wayland compositor. but there are many
more things that gnome shell needs that a "normal" window manager should
never need.

>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/pulseaudio.if | 19 +++++++++
> policy/modules/contrib/wm.if | 44 +++++++++++++++++++++
> policy/modules/contrib/wm.te | 73 +++++++++++++++++++++++++++++++++++
> policy/modules/roles/staff.te | 1
> policy/modules/roles/sysadm.te | 1
> policy/modules/roles/unprivuser.te | 1
> 6 files changed, 139 insertions(+)
>
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/pulseaudio.if refpolicy-git-07122016/policy/modules/contrib/pulseaudio.if
> --- refpolicy-git-07122016-orig/policy/modules/contrib/pulseaudio.if 2016-09-27 16:28:51.964139648 +0200
> +++ refpolicy-git-07122016/policy/modules/contrib/pulseaudio.if 2016-12-08 15:47:40.117740787 +0100
> @@ -424,3 +424,22 @@ interface(`pulseaudio_rw_tmpfs_files',`
> fs_search_tmpfs($1)
> rw_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
> ')
> +
> +#######################################
> +## <summary>
> +## Manage pulseaudio tmpfs files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`pulseaudio_manage_tmpfs_files',`
> + gen_require(`
> + type pulseaudio_tmpfs_t;
> + ')
> +
> + fs_search_tmpfs($1)
> + manage_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
> +')

does not make sense, and i would like to know what prompted you to add
this (preferably backed with avc denials)

wm should is a pulseaudio_client and pulseaudio_client can already rw
and delete pulseaudio_tmpfs_files. It should not need more than that.

> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.if refpolicy-git-07122016/policy/modules/contrib/wm.if
> --- refpolicy-git-07122016-orig/policy/modules/contrib/wm.if 2016-08-14 21:28:11.597521187 +0200
> +++ refpolicy-git-07122016/policy/modules/contrib/wm.if 2016-12-08 15:47:40.118740804 +0100
> @@ -47,6 +47,8 @@ template(`wm_role_template',`
> # Policy
> #
>
> + allow $3 $1_wm_t:fd use;
> +
> allow $1_wm_t $3:unix_stream_socket connectto;
> allow $3 $1_wm_t:unix_stream_socket connectto;
>
> @@ -72,6 +74,7 @@ template(`wm_role_template',`
> xserver_manage_core_devices($1_wm_t)
>
> optional_policy(`
> + dbus_connect_spec_session_bus($1, $1_wm_t)
> dbus_spec_session_bus_client($1, $1_wm_t)
> dbus_system_bus_client($1_wm_t)
>
> @@ -81,11 +84,14 @@ template(`wm_role_template',`
> ')
>
> optional_policy(`
> + gnome_dbus_chat_gkeyringd($1, $1_wm_t)
> gnome_stream_connect_gkeyringd($1, $1_wm_t)
> ')
>
> optional_policy(`
> pulseaudio_run($1_wm_t, $2)
> + pulseaudio_manage_tmpfs_files($1_wm_t)
> + pulseaudio_use_fds($1_wm_t)

these shouldnt be needed. what prompted you to add these? (preferably
show avc denials)
> ')
> ')
>
> @@ -134,3 +140,41 @@ interface(`wm_dbus_chat',`
> allow $2 $1_wm_t:dbus send_msg;
> allow $1_wm_t $2:dbus send_msg;
> ')
> +
> +########################################
> +## <summary>
> +## Do not audit attempts to execute
> +## files in temporary directories.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`wm_dontaudit_exec_tmp_files',`
> + gen_require(`
> + type wm_tmp_t;
> + ')
> +
> + dontaudit $1 wm_tmp_t:file exec_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Do not audit attempts to execute
> +## files in temporary filesystems.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`wm_dontaudit_exec_tmpfs_files',`
> + gen_require(`
> + type wm_tmpfs_t;
> + ')
> +
> + dontaudit $1 wm_tmpfs_t:file exec_file_perms;
> +')
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.te refpolicy-git-07122016/policy/modules/contrib/wm.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/wm.te 2016-10-29 16:29:19.762328008 +0200
> +++ refpolicy-git-07122016/policy/modules/contrib/wm.te 2016-12-08 17:57:40.843768477 +0100
> @@ -10,6 +10,14 @@ attribute wm_domain;
> type wm_exec_t;
> corecmd_executable_file(wm_exec_t)
>
> +type wm_tmp_t;
> +typealias wm_tmp_t alias { user_wm_tmp_t staff_wm_tmp_t sysadm_wm_tmp_t };
> +userdom_user_tmp_file(wm_tmp_t)
> +
> +type wm_tmpfs_t;
> +typealias wm_tmpfs_t alias { user_wm_tmpfs_t staff_wm_tmpfs_t sysadm_wm_tmpfs_t };
> +userdom_user_tmpfs_file(wm_tmpfs_t)

this is a pulseaudio_tmpfs_file()

> +
> ########################################
> #
> # Common wm domain local policy
> @@ -21,31 +29,60 @@ allow wm_domain self:netlink_kobject_uev
> allow wm_domain self:shm create_shm_perms;
> allow wm_domain self:unix_dgram_socket create_socket_perms;
>
> +manage_dirs_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
> +manage_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
> +manage_lnk_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
> +files_tmp_filetrans(wm_domain, wm_tmp_t, { dir file lnk_file })
> +
> +manage_dirs_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
> +manage_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
> +manage_lnk_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
> +fs_tmpfs_filetrans(wm_domain, wm_tmpfs_t, { dir file lnk_file })
> +
> +can_exec(wm_domain, wm_exec_t)
> +
> kernel_read_system_state(wm_domain)
>
> corecmd_getattr_all_executables(wm_domain)
>
> +dev_read_rand(wm_domain)
> dev_read_sound(wm_domain)
> dev_read_sysfs(wm_domain)
> dev_read_urand(wm_domain)
> +dev_rw_dri(wm_domain)
> dev_rw_wireless(wm_domain)
> dev_write_sound(wm_domain)
>
> +files_read_etc_runtime_files(wm_domain)
> files_read_usr_files(wm_domain)
>
> fs_getattr_all_fs(wm_domain)
>
> +kernel_read_fs_sysctls(wm_domain)
> +kernel_read_proc_symlinks(wm_domain)
> +kernel_read_sysctl(wm_domain)
> +
> miscfiles_read_fonts(wm_domain)
> +miscfiles_read_generic_certs(wm_domain)
> miscfiles_read_localization(wm_domain)
>
> +udev_read_pid_files(wm_domain)
> +
> +# this is needed by gnome-shell
> +userdom_exec_user_home_content_files(wm_domain)

What exactly is it executing here?

> +
> userdom_manage_user_tmp_sockets(wm_domain)
> userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
> userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file)
>
> userdom_manage_user_home_content_dirs(wm_domain)
> userdom_manage_user_home_content_files(wm_domain)
> +
> userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file })
>
> +wm_dontaudit_exec_tmp_files(wm_domain)
> +wm_dontaudit_exec_tmpfs_files(wm_domain)

why dontaudit the above? gnome-shell needs to mmap some files

> +
> optional_policy(`
> accountsd_dbus_chat(wm_domain)
> ')
> @@ -55,10 +92,42 @@ optional_policy(`
> ')
>
> optional_policy(`
> + consolekit_dbus_chat(wm_domain)
> +')
> +
> +optional_policy(`
> devicekit_dbus_chat_power(wm_domain)
> ')
>
> optional_policy(`
> + evolution_dbus_chat(wm_domain)
> + evolution_alarm_dbus_chat(wm_domain)
> + evolution_domtrans(wm_domain)
> +')
> +
> +optional_policy(`
> + games_dbus_chat(wm_domain)
> + games_domtrans(wm_domain)
> +')
> +
> +optional_policy(`
> + java_domtrans(wm_domain)
> +')
> +
> +optional_policy(`
> + mono_domtrans(wm_domain)
> +')
> +
> +optional_policy(`
> + mozilla_domtrans(wm_domain)
> + mozilla_dbus_chat(wm_domain)
> +')
> +
> +optional_policy(`
> + mplayer_domtrans(wm_domain)
> +')
> +
> +optional_policy(`
> networkmanager_dbus_chat(wm_domain)
> ')
>
> @@ -71,5 +140,9 @@ optional_policy(`
> ')
>
> optional_policy(`
> + telepathy_mission_control_dbus_chat(wm_domain)
> +')
> +
> +optional_policy(`
> userhelper_exec_consolehelper(wm_domain)
> ')
> diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/staff.te refpolicy-git-07122016/policy/modules/roles/staff.te
> --- refpolicy-git-07122016-orig/policy/modules/roles/staff.te 2016-12-07 13:39:08.669449296 +0100
> +++ refpolicy-git-07122016/policy/modules/roles/staff.te 2016-12-08 15:47:40.140741170 +0100
> @@ -85,6 +85,7 @@ ifndef(`distro_redhat',`
>
> optional_policy(`
> gnome_role_template(staff, staff_r, staff_t)
> + wm_role_template(staff, staff_r, staff_t)
> ')
>
> optional_policy(`
> diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te refpolicy-git-07122016/policy/modules/roles/sysadm.te
> --- refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te 2016-12-07 13:39:08.669449296 +0100
> +++ refpolicy-git-07122016/policy/modules/roles/sysadm.te 2016-12-08 15:47:40.141741187 +0100
> @@ -1245,6 +1245,7 @@ ifndef(`distro_redhat',`
>
> optional_policy(`
> gnome_role_template(sysadm, sysadm_r, sysadm_t)
> + wm_role_template(sysadm, sysadm_r, sysadm_t)
> ')
> ')
>
> diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te refpolicy-git-07122016/policy/modules/roles/unprivuser.te
> --- refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te 2016-12-07 13:39:08.669449296 +0100
> +++ refpolicy-git-07122016/policy/modules/roles/unprivuser.te 2016-12-08 15:47:40.141741187 +0100
> @@ -54,6 +54,7 @@ ifndef(`distro_redhat',`
>
> optional_policy(`
> gnome_role_template(user, user_r, user_t)
> + wm_role_template(user, user_r, user_t)
> ')
>
> optional_policy(`
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


2016-12-08 20:53:56

by guido

Subject: [refpolicy] [PATCH v2] wm: update the window manager (wm) module and enable its role template

On Thu, 08/12/2016 at 18.51 +0100, Dominick Grift via refpolicy wrote:
> i
> On 12/08/2016 06:20 PM, Guido Trentalancia via refpolicy wrote:
> >
> > Enable the window manager role (wm contrib module) and update
> > the module to work with gnome-shell.
> >
> > This second version introduces better integration with common
> > desktop applications and requires the following recently posted
> > patch for the games module:
> >
> > [PATCH 1/2] games: general update and improved pulseaudio
> > integration
> > http://oss.tresys.com/pipermail/refpolicy/2016-December/008650.html
> >
> > This patch might need some more testing.
>
> Yes, i dont think this should be merged.

It needs to be tested with other window managers.

Have you found any actual limitation with the old gnome (gnome-
panel/metacity), kde or others ?

> Also gnome-shell is a wm but its not every wm needs the permissions
> that
> gnome-shell needs. We should either give gnome-shell its own domain
> or
> add the gnome-shell specific rules to a tunable.
>
> For example: gnome-shell is a wayland compositor. but there are many
> more things that gnome shell needs that a "normal" window manager
> should
> never need.

The permissions that have been added are very general and harmless.

Therefore, although theoretically one could distinguish between gnome-
shell and other window managers, there is very little benefit in
forking the policy.

> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> > ?policy/modules/contrib/pulseaudio.if |???19 +++++++++
> > ?policy/modules/contrib/wm.if?????????|???44 +++++++++++++++++++++
> > ?policy/modules/contrib/wm.te?????????|???73
> > +++++++++++++++++++++++++++++++++++
> > ?policy/modules/roles/staff.te????????|????1
> > ?policy/modules/roles/sysadm.te???????|????1
> > ?policy/modules/roles/unprivuser.te???|????1
> > ?6 files changed, 139 insertions(+)
> >
> > diff -pruN refpolicy-git-07122016-
> > orig/policy/modules/contrib/pulseaudio.if refpolicy-git-
> > 07122016/policy/modules/contrib/pulseaudio.if
> > --- refpolicy-git-07122016-
> > orig/policy/modules/contrib/pulseaudio.if 2016-09-27
> > 16:28:51.964139648 +0200
> > +++ refpolicy-git-07122016/policy/modules/contrib/pulseaudio.if
> > 2016-12-08 15:47:40.117740787 +0100
> > @@ -424,3 +424,22 @@ interface(`pulseaudio_rw_tmpfs_files',`
> > ? fs_search_tmpfs($1)
> > ? rw_files_pattern($1, pulseaudio_tmpfs_t,
> > pulseaudio_tmpfs_t)
> > ?')
> > +
> > +#######################################
> > +## <summary>
> > +## Manage pulseaudio tmpfs files.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`pulseaudio_manage_tmpfs_files',`
> > + gen_require(`
> > + type pulseaudio_tmpfs_t;
> > + ')
> > +
> > + fs_search_tmpfs($1)
> > + manage_files_pattern($1, pulseaudio_tmpfs_t,
> > pulseaudio_tmpfs_t)
> > +')
>
> does not make sense, and i would like to know what prompted you to
> add
> this (preferably backed with avc denials)

It's needed to unlink them. Probably stale files from previous
sessions.

> wm should is a pulseaudio_client and pulseaudio_client can already rw
> and delete pulseaudio_tmpfs_files. It should not need more than that.

I decided to avoid using the pulseaudio_client attribute because it
implies other unneeded permissions, including corenet permissions that
are quite undesirable.

> > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.if
> > refpolicy-git-07122016/policy/modules/contrib/wm.if
> > --- refpolicy-git-07122016-orig/policy/modules/contrib/wm.if
> > 2016-08-14 21:28:11.597521187 +0200
> > +++ refpolicy-git-07122016/policy/modules/contrib/wm.if 2016
> > -12-08 15:47:40.118740804 +0100
> > @@ -47,6 +47,8 @@ template(`wm_role_template',`
> > ? # Policy
> > ? #
> > ?
> > + allow $3 $1_wm_t:fd use;
> > +
> > ? allow $1_wm_t $3:unix_stream_socket connectto;
> > ? allow $3 $1_wm_t:unix_stream_socket connectto;
> > ?
> > @@ -72,6 +74,7 @@ template(`wm_role_template',`
> > ? xserver_manage_core_devices($1_wm_t)
> > ?
> > ? optional_policy(`
> > + dbus_connect_spec_session_bus($1, $1_wm_t)
> > ? dbus_spec_session_bus_client($1, $1_wm_t)
> > ? dbus_system_bus_client($1_wm_t)
> > ?
> > @@ -81,11 +84,14 @@ template(`wm_role_template',`
> > ? ')
> > ?
> > ? optional_policy(`
> > + gnome_dbus_chat_gkeyringd($1, $1_wm_t)
> > ? gnome_stream_connect_gkeyringd($1, $1_wm_t)
> > ? ')
> > ?
> > ? optional_policy(`
> > ? pulseaudio_run($1_wm_t, $2)
> > + pulseaudio_manage_tmpfs_files($1_wm_t)
> > + pulseaudio_use_fds($1_wm_t)
>
> these shouldnt be needed. what prompted you to add these? (preferably
> show avc denials)

See above. Stale files need to be unlinked.

> > ? ')
> > ?')
> > ?
> > @@ -134,3 +140,41 @@ interface(`wm_dbus_chat',`
> > ? allow $2 $1_wm_t:dbus send_msg;
> > ? allow $1_wm_t $2:dbus send_msg;
> > ?')
> > +
> > +########################################
> > +## <summary>
> > +## Do not audit attempts to execute
> > +## files in temporary directories.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain to not audit.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`wm_dontaudit_exec_tmp_files',`
> > + gen_require(`
> > + type wm_tmp_t;
> > + ')
> > +
> > + dontaudit $1 wm_tmp_t:file exec_file_perms;
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Do not audit attempts to execute
> > +## files in temporary filesystems.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain to not audit.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`wm_dontaudit_exec_tmpfs_files',`
> > + gen_require(`
> > + type wm_tmpfs_t;
> > + ')
> > +
> > + dontaudit $1 wm_tmpfs_t:file exec_file_perms;
> > +')
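Review bot: `wm_dontaudit_exec_tmp_files` and `wm_dontaudit_exec_tmpfs_files` are, as far as this patch shows, only called with `wm_domain` from wm.te, so they export two interfaces for rules the module could state locally. Writing `dontaudit wm_domain wm_tmp_t:file exec_file_perms;` and `dontaudit wm_domain wm_tmpfs_t:file exec_file_perms;` directly in wm.te keeps the suppression beside the `manage_*_pattern` rules it qualifies and keeps other modules from picking the interfaces up. In either form the rule deserves a comment naming the program and path whose execute attempts are silenced, because a dontaudit removes those denials from the audit log.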
> > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.te
> > refpolicy-git-07122016/policy/modules/contrib/wm.te
> > --- refpolicy-git-07122016-orig/policy/modules/contrib/wm.te
> > 2016-10-29 16:29:19.762328008 +0200
> > +++ refpolicy-git-07122016/policy/modules/contrib/wm.te 2016
> > -12-08 17:57:40.843768477 +0100
> > @@ -10,6 +10,14 @@ attribute wm_domain;
> > ?type wm_exec_t;
> > ?corecmd_executable_file(wm_exec_t)
> > ?
> > +type wm_tmp_t;
> > +typealias wm_tmp_t alias { user_wm_tmp_t staff_wm_tmp_t
> > sysadm_wm_tmp_t };
> > +userdom_user_tmp_file(wm_tmp_t)
> > +
> > +type wm_tmpfs_t;
> > +typealias wm_tmpfs_t alias { user_wm_tmpfs_t staff_wm_tmpfs_t
> > sysadm_wm_tmpfs_t };
> > +userdom_user_tmpfs_file(wm_tmpfs_t)
>
> this is a pulseaudio_tmpfs_file()

I am not sure about that.

It works fine, so at the moment I can't see a reason to change it.

It is probably used to create libffi files and not pulseaudio files
(that I expect to be created by the pulseaudio process). See below.

> > +
> > ?########################################
> > ?#
> > ?# Common wm domain local policy
> > @@ -21,31 +29,60 @@ allow wm_domain self:netlink_kobject_uev
> > ?allow wm_domain self:shm create_shm_perms;
> > ?allow wm_domain self:unix_dgram_socket create_socket_perms;
> > ?
> > +manage_dirs_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
> > +manage_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
> > +manage_lnk_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
> > +files_tmp_filetrans(wm_domain, wm_tmp_t, { dir file lnk_file })
> > +
> > +manage_dirs_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
> > +manage_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
> > +manage_lnk_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
> > +fs_tmpfs_filetrans(wm_domain, wm_tmpfs_t, { dir file lnk_file })
> > +
> > +can_exec(wm_domain, wm_exec_t)
> > +
> > ?kernel_read_system_state(wm_domain)
> > ?
> > ?corecmd_getattr_all_executables(wm_domain)
> > ?
> > +dev_read_rand(wm_domain)
> > ?dev_read_sound(wm_domain)
> > ?dev_read_sysfs(wm_domain)
> > ?dev_read_urand(wm_domain)
> > +dev_rw_dri(wm_domain)
> > ?dev_rw_wireless(wm_domain)
> > ?dev_write_sound(wm_domain)
> > ?
> > +files_read_etc_runtime_files(wm_domain)
> > ?files_read_usr_files(wm_domain)
> > ?
> > ?fs_getattr_all_fs(wm_domain)
> > ?
> > +kernel_read_fs_sysctls(wm_domain)
> > +kernel_read_proc_symlinks(wm_domain)
> > +kernel_read_sysctl(wm_domain)
> > +
> > ?miscfiles_read_fonts(wm_domain)
> > +miscfiles_read_generic_certs(wm_domain)
> > ?miscfiles_read_localization(wm_domain)
> > ?
> > +udev_read_pid_files(wm_domain)
> > +
> > +# this is needed by gnome-shell
> > +userdom_exec_user_home_content_files(wm_domain)
>
> What exactly is it executing here?

I think it is executing files generated by libffi.

> > +
> > ?userdom_manage_user_tmp_sockets(wm_domain)
> > ?userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
> > ?userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file)
> > ?
> > ?userdom_manage_user_home_content_dirs(wm_domain)
> > ?userdom_manage_user_home_content_files(wm_domain)
> > +
> > ?userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir
> > file })
> > ?
> > +wm_dontaudit_exec_tmp_files(wm_domain)
> > +wm_dontaudit_exec_tmpfs_files(wm_domain)
>
> why dontaudit the above? gnome-shell needs to mmap some files

See above. I decided to let gnome-shell create and execute libffi files
in the home directory instead of tmp. This is much safer.

> > +
> > ?optional_policy(`
> > ? accountsd_dbus_chat(wm_domain)
> > ?')
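Review bot: `userdom_exec_user_home_content_files(wm_domain)` lands a few lines above the existing `userdom_manage_user_home_content_files(wm_domain)`, so judging by the interface names every domain with the wm_domain attribute can now both write and execute files carrying the generic user home content label. If the libffi closure files are the only reason, a dedicated type for the directory they are created in would confine the execute permission to those files instead of all home content. At minimum the comment `# this is needed by gnome-shell` should be widened to say what is executed, for example `# gnome-shell executes libffi-generated files created under the user home directory` (to be confirmed against the AVC denials).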
> > @@ -55,10 +92,42 @@ optional_policy(`
> > ?')
> > ?
> > ?optional_policy(`
> > + consolekit_dbus_chat(wm_domain)
> > +')
> > +
> > +optional_policy(`
> > ? devicekit_dbus_chat_power(wm_domain)
> > ?')
> > ?
> > ?optional_policy(`
> > + evolution_dbus_chat(wm_domain)
> > + evolution_alarm_dbus_chat(wm_domain)
> > + evolution_domtrans(wm_domain)
> > +')
> > +
> > +optional_policy(`
> > + games_dbus_chat(wm_domain)
> > + games_domtrans(wm_domain)
> > +')
> > +
> > +optional_policy(`
> > + java_domtrans(wm_domain)
> > +')
> > +
> > +optional_policy(`
> > + mono_domtrans(wm_domain)
> > +')
> > +
> > +optional_policy(`
> > + mozilla_domtrans(wm_domain)
> > + mozilla_dbus_chat(wm_domain)
> > +')
> > +
> > +optional_policy(`
> > + mplayer_domtrans(wm_domain)
> > +')
> > +
> > +optional_policy(`
> > ? networkmanager_dbus_chat(wm_domain)
> > ?')
> > ?
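Review bot: None of the new `optional_policy` blocks in this hunk records why a window manager needs the transition, whereas the previous hunk at least marks `userdom_exec_user_home_content_files` with `# this is needed by gnome-shell`. `java_domtrans(wm_domain)` and `mono_domtrans(wm_domain)` in particular enter runtime domains rather than a single application, so the reason matters when the rule is reviewed later. A one-line comment above the group, for instance `# gnome-shell starts these applications from its launcher` (wording to be confirmed by the author), plus the denial each call answers in the commit message, would let a reader judge whether a grant is still required.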
> > @@ -71,5 +140,9 @@ optional_policy(`
> > ?')
> > ?
> > ?optional_policy(`
> > + telepathy_mission_control_dbus_chat(wm_domain)
> > +')
> > +
> > +optional_policy(`
> > ? userhelper_exec_consolehelper(wm_domain)
> > ?')
> > diff -pruN refpolicy-git-07122016-
> > orig/policy/modules/roles/staff.te refpolicy-git-
> > 07122016/policy/modules/roles/staff.te
> > --- refpolicy-git-07122016-orig/policy/modules/roles/staff.te
> > 2016-12-07 13:39:08.669449296 +0100
> > +++ refpolicy-git-07122016/policy/modules/roles/staff.te 201
> > 6-12-08 15:47:40.140741170 +0100
> > @@ -85,6 +85,7 @@ ifndef(`distro_redhat',`
> > ?
> > ? optional_policy(`
> > ? gnome_role_template(staff, staff_r,
> > staff_t)
> > + wm_role_template(staff, staff_r, staff_t)
> > ? ')
> > ?
> > ? optional_policy(`
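Review bot: `wm_role_template(staff, staff_r, staff_t)` is placed inside the `optional_policy` block that already holds `gnome_role_template`, and an optional block is kept or dropped as a whole. With this layout the gnome role template would be discarded on a build without the wm module, and the wm role would not be enabled on a build without the gnome module. Moving the call into its own `optional_policy` block directly after the gnome one removes the coupling; the sysadm.te and unprivuser.te hunks below have the same layout. The enclosing ifndef for distro_redhat starts and ends outside the hunk.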
> > diff -pruN refpolicy-git-07122016-
> > orig/policy/modules/roles/sysadm.te refpolicy-git-
> > 07122016/policy/modules/roles/sysadm.te
> > --- refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te
> > 2016-12-07 13:39:08.669449296 +0100
> > +++ refpolicy-git-07122016/policy/modules/roles/sysadm.te 20
> > 16-12-08 15:47:40.141741187 +0100
> > @@ -1245,6 +1245,7 @@ ifndef(`distro_redhat',`
> > ?
> > ? optional_policy(`
> > ? gnome_role_template(sysadm, sysadm_r,
> > sysadm_t)
> > + wm_role_template(sysadm, sysadm_r,
> > sysadm_t)
> > ? ')
> > ? ')
> > ?
> > diff -pruN refpolicy-git-07122016-
> > orig/policy/modules/roles/unprivuser.te refpolicy-git-
> > 07122016/policy/modules/roles/unprivuser.te
> > --- refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te
> > 2016-12-07 13:39:08.669449296 +0100
> > +++ refpolicy-git-07122016/policy/modules/roles/unprivuser.te
> > 2016-12-08 15:47:40.141741187 +0100
> > @@ -54,6 +54,7 @@ ifndef(`distro_redhat',`
> > ?
> > ? optional_policy(`
> > ? gnome_role_template(user, user_r, user_t)
> > + wm_role_template(user, user_r, user_t)
> > ? ')
> > ?
> > ? optional_policy(`

Guido

2016-12-08 21:13:26

by Dac Override

Subject: [refpolicy] [PATCH v2] wm: update the window manager (wm) module and enable its role template


On 12/08/2016 09:53 PM, Guido Trentalancia via refpolicy wrote:
> On Thu, 08/12/2016 at 18.51 +0100, Dominick Grift via refpolicy wrote:
>> i
>> On 12/08/2016 06:20 PM, Guido Trentalancia via refpolicy wrote:
>>>
>>> Enable the window manager role (wm contrib module) and update
>>> the module to work with gnome-shell.
>>>
>>> This second version introduces better integration with common
>>> desktop applications and requires the following recently posted
>>> patch for the games module:
>>>
>>> [PATCH 1/2] games: general update and improved pulseaudio
>>> integration
>>> http://oss.tresys.com/pipermail/refpolicy/2016-December/008650.html
>>>
>>> This patch might need some more testing.
>>
>> Yes, i dont think this should be merged.
>
> It needs to be tested with other window managers.
>
> Have you found any actual limitation with the old gnome (gnome-
> panel/metacity), kde or others ?
>

It is hard to explain, but consider some of this stuff: gnome-shell
connects to http ports, gnome-shell needs to be able to run programs on
behalf of the calling user (ALT-f2), gnome-shell is a pulseaudio client,
gnome-shell needs comms with bluetooth, accountsd, geoclue, upower, and
logind: all things that a normal window manager does not need.

Not to mention that gnome requires permissions that are specific to
wayland compositors

>> Also gnome-shell is a wm but its not every wm needs the permissions
>> that
>> gnome-shell needs. We should either give gnome-shell its own domain
>> or
>> add the gnome-shell specific rules to a tunable.
>>
>> For example: gnome-shell is a wayland compositor. but there are many
>> more things that gnome shell needs that a "normal" window manager
>> should
>> never need.
>
> The permissions that have been added are very general and harmless.

For now maybe because the policy is not comprehensive

>>> policy/modules/contrib/pulseaudio.if | 19 +++++++++
>>> policy/modules/contrib/wm.if | 44 +++++++++++++++++++++
>>> policy/modules/contrib/wm.te | 73
>>> +++++++++++++++++++++++++++++++++++
>>> policy/modules/roles/staff.te | 1
>>> policy/modules/roles/sysadm.te | 1
>>> policy/modules/roles/unprivuser.te | 1
>>> 6 files changed, 139 insertions(+)
>>>
>>> diff -pruN refpolicy-git-07122016-
>>> orig/policy/modules/contrib/pulseaudio.if refpolicy-git-
>>> 07122016/policy/modules/contrib/pulseaudio.if
>>> --- refpolicy-git-07122016-
>>> orig/policy/modules/contrib/pulseaudio.if 2016-09-27
>>> 16:28:51.964139648 +0200
>>> +++ refpolicy-git-07122016/policy/modules/contrib/pulseaudio.if
>>> 2016-12-08 15:47:40.117740787 +0100
>>> @@ -424,3 +424,22 @@ interface(`pulseaudio_rw_tmpfs_files',`
>>> fs_search_tmpfs($1)
>>> rw_files_pattern($1, pulseaudio_tmpfs_t,
>>> pulseaudio_tmpfs_t)
>>> ')
>>> +
>>> +#######################################
>>> +## <summary>
>>> +## Manage pulseaudio tmpfs files.
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Domain allowed access.
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`pulseaudio_manage_tmpfs_files',`
>>> + gen_require(`
>>> + type pulseaudio_tmpfs_t;
>>> + ')
>>> +
>>> + fs_search_tmpfs($1)
>>> + manage_files_pattern($1, pulseaudio_tmpfs_t,
>>> pulseaudio_tmpfs_t)
>>> +')
>>
>> does not make sense, and i would like to know what prompted you to
>> add
>> this (preferably backed with avc denials)
>
> It's needed to unlink them. Probably stale files from previous
> sessions.
>
>> wm should is a pulseaudio_client and pulseaudio_client can already rw
>> and delete pulseaudio_tmpfs_files. It should not need more than that.
>
> I decided to avoid using the pulseaudio_client attribute because it
> implies other unneeded permissions, including corenet permissions that
> are quite undesirable.
>

Those permissions aren't unneeded. They should be conditional maybe but
there are configurations where clients may want to connect to pulseaudio
via the network.

>>> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.if
>>> refpolicy-git-07122016/policy/modules/contrib/wm.if
>>> --- refpolicy-git-07122016-orig/policy/modules/contrib/wm.if
>>> 2016-08-14 21:28:11.597521187 +0200
>>> +++ refpolicy-git-07122016/policy/modules/contrib/wm.if 2016
>>> -12-08 15:47:40.118740804 +0100
>>> @@ -47,6 +47,8 @@ template(`wm_role_template',`
>>> # Policy
>>> #
>>>
>>> + allow $3 $1_wm_t:fd use;
>>> +
>>> allow $1_wm_t $3:unix_stream_socket connectto;
>>> allow $3 $1_wm_t:unix_stream_socket connectto;
>>>
>>> @@ -72,6 +74,7 @@ template(`wm_role_template',`
>>> xserver_manage_core_devices($1_wm_t)
>>>
>>> optional_policy(`
>>> + dbus_connect_spec_session_bus($1, $1_wm_t)
>>> dbus_spec_session_bus_client($1, $1_wm_t)
>>> dbus_system_bus_client($1_wm_t)
>>>
>>> @@ -81,11 +84,14 @@ template(`wm_role_template',`
>>> ')
>>>
>>> optional_policy(`
>>> + gnome_dbus_chat_gkeyringd($1, $1_wm_t)
>>> gnome_stream_connect_gkeyringd($1, $1_wm_t)
>>> ')
>>>
>>> optional_policy(`
>>> pulseaudio_run($1_wm_t, $2)
>>> + pulseaudio_manage_tmpfs_files($1_wm_t)
>>> + pulseaudio_use_fds($1_wm_t)
>>
>> these shouldnt be needed. what prompted you to add these? (preferably
>> show avc denials)
>
> See above. Stale files need to be unlinked.

That is a bug here then:

https://github.com/TresysTechnology/refpolicy-contrib/blob/master/pulseaudio.te#L241

clients should then also be able to delete pulseaudio tmpfs files

>
>>> ')
>>> ')
>>>
>>> @@ -134,3 +140,41 @@ interface(`wm_dbus_chat',`
>>> allow $2 $1_wm_t:dbus send_msg;
>>> allow $1_wm_t $2:dbus send_msg;
>>> ')
>>> +
>>> +########################################
>>> +## <summary>
>>> +## Do not audit attempts to execute
>>> +## files in temporary directories.
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Domain to not audit.
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`wm_dontaudit_exec_tmp_files',`
>>> + gen_require(`
>>> + type wm_tmp_t;
>>> + ')
>>> +
>>> + dontaudit $1 wm_tmp_t:file exec_file_perms;
>>> +')
>>> +
>>> +########################################
>>> +## <summary>
>>> +## Do not audit attempts to execute
>>> +## files in temporary filesystems.
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Domain to not audit.
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`wm_dontaudit_exec_tmpfs_files',`
>>> + gen_require(`
>>> + type wm_tmpfs_t;
>>> + ')
>>> +
>>> + dontaudit $1 wm_tmpfs_t:file exec_file_perms;
>>> +')
>>> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.te
>>> refpolicy-git-07122016/policy/modules/contrib/wm.te
>>> --- refpolicy-git-07122016-orig/policy/modules/contrib/wm.te
>>> 2016-10-29 16:29:19.762328008 +0200
>>> +++ refpolicy-git-07122016/policy/modules/contrib/wm.te 2016
>>> -12-08 17:57:40.843768477 +0100
>>> @@ -10,6 +10,14 @@ attribute wm_domain;
>>> type wm_exec_t;
>>> corecmd_executable_file(wm_exec_t)
>>>
>>> +type wm_tmp_t;
>>> +typealias wm_tmp_t alias { user_wm_tmp_t staff_wm_tmp_t
>>> sysadm_wm_tmp_t };
>>> +userdom_user_tmp_file(wm_tmp_t)
>>> +
>>> +type wm_tmpfs_t;
>>> +typealias wm_tmpfs_t alias { user_wm_tmpfs_t staff_wm_tmpfs_t
>>> sysadm_wm_tmpfs_t };
>>> +userdom_user_tmpfs_file(wm_tmpfs_t)
>>
>> this is a pulseaudio_tmpfs_file()
>
> I am not sure about that.
>
> It works fine, so at the moment I can't see a reason to change it.
>
> It is probably used to create libffi files and not pulseaudio files
> (that I expect to be created by the pulseaudio process). See below.
>

All pulseaudio clients need to be able to read/write/unlink each other's
tmpfs files.

>>> +
>>> ########################################
>>> #
>>> # Common wm domain local policy
>>> @@ -21,31 +29,60 @@ allow wm_domain self:netlink_kobject_uev
>>> allow wm_domain self:shm create_shm_perms;
>>> allow wm_domain self:unix_dgram_socket create_socket_perms;
>>>
>>> +manage_dirs_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
>>> +manage_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
>>> +manage_lnk_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
>>> +files_tmp_filetrans(wm_domain, wm_tmp_t, { dir file lnk_file })
>>> +
>>> +manage_dirs_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
>>> +manage_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
>>> +manage_lnk_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
>>> +fs_tmpfs_filetrans(wm_domain, wm_tmpfs_t, { dir file lnk_file })
>>> +
>>> +can_exec(wm_domain, wm_exec_t)
>>> +
>>> kernel_read_system_state(wm_domain)
>>>
>>> corecmd_getattr_all_executables(wm_domain)
>>>
>>> +dev_read_rand(wm_domain)
>>> dev_read_sound(wm_domain)
>>> dev_read_sysfs(wm_domain)
>>> dev_read_urand(wm_domain)
>>> +dev_rw_dri(wm_domain)
>>> dev_rw_wireless(wm_domain)
>>> dev_write_sound(wm_domain)
>>>
>>> +files_read_etc_runtime_files(wm_domain)
>>> files_read_usr_files(wm_domain)
>>>
>>> fs_getattr_all_fs(wm_domain)
>>>
>>> +kernel_read_fs_sysctls(wm_domain)
>>> +kernel_read_proc_symlinks(wm_domain)
>>> +kernel_read_sysctl(wm_domain)
>>> +
>>> miscfiles_read_fonts(wm_domain)
>>> +miscfiles_read_generic_certs(wm_domain)
>>> miscfiles_read_localization(wm_domain)
>>>
>>> +udev_read_pid_files(wm_domain)
>>> +
>>> +# this is needed by gnome-shell
>>> +userdom_exec_user_home_content_files(wm_domain)
>>
>> What exactly is it executing here?
>
> I think it is executing files generated by libffi.

and how do those files end up in $HOME, maybe because you're blocking
access to tmp (XDG_RUNTIME_DIR)?

/run/user/UID is first choice

>
>>> +
>>> userdom_manage_user_tmp_sockets(wm_domain)
>>> userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
>>> userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file)
>>>
>>> userdom_manage_user_home_content_dirs(wm_domain)
>>> userdom_manage_user_home_content_files(wm_domain)
>>> +
>>> userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir
>>> file })
>>>
>>> +wm_dontaudit_exec_tmp_files(wm_domain)
>>> +wm_dontaudit_exec_tmpfs_files(wm_domain)
>>
>> why dontaudit the above? gnome-shell needs to mmap some files


These files are probably initially created in $XDG_RUNTIME_DIR, which is
the best place. However, if you block that, it falls back to ~/.cache
(which is second best).

>
>>> +
>>> optional_policy(`
>>> accountsd_dbus_chat(wm_domain)
>>> ')
>>> @@ -55,10 +92,42 @@ optional_policy(`
>>> ')
>>>
>>> optional_policy(`
>>> + consolekit_dbus_chat(wm_domain)
>>> +')
>>> +
>>> +optional_policy(`
>>> devicekit_dbus_chat_power(wm_domain)
>>> ')
>>>
>>> optional_policy(`
>>> + evolution_dbus_chat(wm_domain)
>>> + evolution_alarm_dbus_chat(wm_domain)
>>> + evolution_domtrans(wm_domain)
>>> +')
>>> +
>>> +optional_policy(`
>>> + games_dbus_chat(wm_domain)
>>> + games_domtrans(wm_domain)
>>> +')
>>> +
>>> +optional_policy(`
>>> + java_domtrans(wm_domain)
>>> +')
>>> +
>>> +optional_policy(`
>>> + mono_domtrans(wm_domain)
>>> +')
>>> +
>>> +optional_policy(`
>>> + mozilla_domtrans(wm_domain)
>>> + mozilla_dbus_chat(wm_domain)
>>> +')
>>> +
>>> +optional_policy(`
>>> + mplayer_domtrans(wm_domain)
>>> +')
>>> +
>>> +optional_policy(`
>>> networkmanager_dbus_chat(wm_domain)
>>> ')
>>>
>>> @@ -71,5 +140,9 @@ optional_policy(`
>>> ')
>>>
>>> optional_policy(`
>>> + telepathy_mission_control_dbus_chat(wm_domain)
>>> +')
>>> +
>>> +optional_policy(`
>>> userhelper_exec_consolehelper(wm_domain)
>>> ')
>>> diff -pruN refpolicy-git-07122016-
>>> orig/policy/modules/roles/staff.te refpolicy-git-
>>> 07122016/policy/modules/roles/staff.te
>>> --- refpolicy-git-07122016-orig/policy/modules/roles/staff.te
>>> 2016-12-07 13:39:08.669449296 +0100
>>> +++ refpolicy-git-07122016/policy/modules/roles/staff.te 201
>>> 6-12-08 15:47:40.140741170 +0100
>>> @@ -85,6 +85,7 @@ ifndef(`distro_redhat',`
>>>
>>> optional_policy(`
>>> gnome_role_template(staff, staff_r,
>>> staff_t)
>>> + wm_role_template(staff, staff_r, staff_t)
>>> ')
>>>
>>> optional_policy(`
>>> diff -pruN refpolicy-git-07122016-
>>> orig/policy/modules/roles/sysadm.te refpolicy-git-
>>> 07122016/policy/modules/roles/sysadm.te
>>> --- refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te
>>> 2016-12-07 13:39:08.669449296 +0100
>>> +++ refpolicy-git-07122016/policy/modules/roles/sysadm.te 20
>>> 16-12-08 15:47:40.141741187 +0100
>>> @@ -1245,6 +1245,7 @@ ifndef(`distro_redhat',`
>>>
>>> optional_policy(`
>>> gnome_role_template(sysadm, sysadm_r,
>>> sysadm_t)
>>> + wm_role_template(sysadm, sysadm_r,
>>> sysadm_t)
>>> ')
>>> ')
>>>
>>> diff -pruN refpolicy-git-07122016-
>>> orig/policy/modules/roles/unprivuser.te refpolicy-git-
>>> 07122016/policy/modules/roles/unprivuser.te
>>> --- refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te
>>> 2016-12-07 13:39:08.669449296 +0100
>>> +++ refpolicy-git-07122016/policy/modules/roles/unprivuser.te
>>> 2016-12-08 15:47:40.141741187 +0100
>>> @@ -54,6 +54,7 @@ ifndef(`distro_redhat',`
>>>
>>> optional_policy(`
>>> gnome_role_template(user, user_r, user_t)
>>> + wm_role_template(user, user_r, user_t)
>>> ')
>>>
>>> optional_policy(`
>
> Guido
>
>
>


--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


2016-12-08 21:51:21

by guido

Subject: [refpolicy] [PATCH v2] wm: update the window manager (wm) module and enable its role template

On Thu, 08/12/2016 at 22.13 +0100, Dominick Grift via refpolicy wrote:
> On 12/08/2016 09:53 PM, Guido Trentalancia via refpolicy wrote:
> >
> > On Thu, 08/12/2016 at 18.51 +0100, Dominick Grift via refpolicy
> > wrote:
> > >
> > > i
> > > On 12/08/2016 06:20 PM, Guido Trentalancia via refpolicy wrote:
> > > >
> > > >
> > > > Enable the window manager role (wm contrib module) and update
> > > > the module to work with gnome-shell.
> > > >
> > > > This second version introduces better integration with common
> > > > desktop applications and requires the following recently posted
> > > > patch for the games module:
> > > >
> > > > [PATCH 1/2] games: general update and improved pulseaudio
> > > > integration
> > > > http://oss.tresys.com/pipermail/refpolicy/2016-December/008650.
> > > > html
> > > >
> > > > This patch might need some more testing.
> > >
> > > Yes, i dont think this should be merged.
> >
> > It needs to be tested with other window managers.
> >
> > Have you found any actual limitation with the old gnome (gnome-
> > panel/metacity), kde or others ?
> >
>
> It is hard to explain but consider some of this stuff. gnome-shell
> connects to http ports, gnome-shell needs to be able to run programs
> on
> behalf of the calling user (ALT-f2), gnome-shell is a pulseaudio
> client,
> gnome-shell needs comms with: bluetooth, accountsd, geoclue, upower,
> logind: all things that a normal windows manager does not need.

gnome-shell does not need to connect to http ports and the Alt-F2 key
combination is not used to run programs.

Once again, the difference in terms of permissions compared to the
actual module is mostly general and harmless.

> Not to mention that gnome requires permissions that are specific to
> wayland compositors

The module is only tested with the X server and not wayland.

If and when support for wayland is introduced, we'll decide
whether or not to fork new policy specifically for gnome-shell. As
already explained, at the moment, it definitely doesn't pay off.

> > > Also gnome-shell is a wm but its not every wm needs the
> > > permissions
> > > that
> > > gnome-shell needs. We should either give gnome-shell its own
> > > domain
> > > or
> > > add the gnome-shell specific rules to a tunable.
> > >
> > > For example: gnome-shell is a wayland compositor. but there are
> > > many
> > > more things that gnome shell needs that a "normal" window manager
> > > should
> > > never need.
> >
> > The permissions that have been added are very general and
> > harmless.?
>
> For now maybe because the policy is not comprehensive
>
> >
> > >
> > > >
> > > > ?policy/modules/contrib/pulseaudio.if |???19 +++++++++
> > > > ?policy/modules/contrib/wm.if?????????|???44
> > > > +++++++++++++++++++++
> > > > ?policy/modules/contrib/wm.te?????????|???73
> > > > +++++++++++++++++++++++++++++++++++
> > > > ?policy/modules/roles/staff.te????????|????1
> > > > ?policy/modules/roles/sysadm.te???????|????1
> > > > ?policy/modules/roles/unprivuser.te??|????1
> > > > ?6 files changed, 139 insertions(+)
> > > >
> > > > diff -pruN refpolicy-git-07122016-
> > > > orig/policy/modules/contrib/pulseaudio.if refpolicy-git-
> > > > 07122016/policy/modules/contrib/pulseaudio.if
> > > > --- refpolicy-git-07122016-
> > > > orig/policy/modules/contrib/pulseaudio.if 2016-09-27
> > > > 16:28:51.964139648 +0200
> > > > +++ refpolicy-git-07122016/policy/modules/contrib/pulseaudio.if
> > > >
> > > > 2016-12-08 15:47:40.117740787 +0100
> > > > @@ -424,3 +424,22 @@ interface(`pulseaudio_rw_tmpfs_files',`
> > > > ? fs_search_tmpfs($1)
> > > > ? rw_files_pattern($1, pulseaudio_tmpfs_t,
> > > > pulseaudio_tmpfs_t)
> > > > ?')
> > > > +
> > > > +#######################################
> > > > +## <summary>
> > > > +## Manage pulseaudio tmpfs files.
> > > > +## </summary>
> > > > +## <param name="domain">
> > > > +## <summary>
> > > > +## Domain allowed access.
> > > > +## </summary>
> > > > +## </param>
> > > > +#
> > > > +interface(`pulseaudio_manage_tmpfs_files',`
> > > > + gen_require(`
> > > > + type pulseaudio_tmpfs_t;
> > > > + ')
> > > > +
> > > > + fs_search_tmpfs($1)
> > > > + manage_files_pattern($1, pulseaudio_tmpfs_t,
> > > > pulseaudio_tmpfs_t)
> > > > +')
> > >
> > > does not make sense, and i would like to know what prompted you
> > > to
> > > add
> > > this (preferably backed with avc denials)
> >
> > It's needed to unlink them. Probably stale files from previous
> > sessions.
> >
> > >
> > > wm should is a pulseaudio_client and pulseaudio_client can
> > > already rw
> > > and delete pulseaudio_tmpfs_files. It should not need more than
> > > that.
> >
> > I decided to avoid using the pulseaudio_client attribute because it
> > implies other unneeded permissions, including corenet permissions
> > that
> > are quite undesirable.
> >
>
> Those permissions aren't unneeded. They should be conditional maybe
> but
> there are configurations where clients may want to connect to
> pulseaudio
> via the network.
>
> >
> > >
> > > >
> > > > diff -pruN refpolicy-git-07122016-
> > > > orig/policy/modules/contrib/wm.if?
> > > > refpolicy-git-07122016/policy/modules/contrib/wm.if
> > > > --- refpolicy-git-07122016-orig/policy/modules/contrib/wm.if
> > > > 2016-08-14 21:28:11.597521187 +0200
> > > > +++ refpolicy-git-07122016/policy/modules/contrib/wm.if
> > > > 2016
> > > > -12-08 15:47:40.118740804 +0100
> > > > @@ -47,6 +47,8 @@ template(`wm_role_template',`
> > > > ? # Policy
> > > > ? #
> > > > ?
> > > > + allow $3 $1_wm_t:fd use;
> > > > +
> > > > ? allow $1_wm_t $3:unix_stream_socket connectto;
> > > > ? allow $3 $1_wm_t:unix_stream_socket connectto;
> > > > ?
> > > > @@ -72,6 +74,7 @@ template(`wm_role_template',`
> > > > ? xserver_manage_core_devices($1_wm_t)
> > > > ?
> > > > ? optional_policy(`
> > > > + dbus_connect_spec_session_bus($1, $1_wm_t)
> > > > ? dbus_spec_session_bus_client($1, $1_wm_t)
> > > > ? dbus_system_bus_client($1_wm_t)
> > > > ?
> > > > @@ -81,11 +84,14 @@ template(`wm_role_template',`
> > > > ? ')
> > > > ?
> > > > ? optional_policy(`
> > > > + gnome_dbus_chat_gkeyringd($1, $1_wm_t)
> > > > ? gnome_stream_connect_gkeyringd($1, $1_wm_t)
> > > > ? ')
> > > > ?
> > > > ? optional_policy(`
> > > > ? pulseaudio_run($1_wm_t, $2)
> > > > + pulseaudio_manage_tmpfs_files($1_wm_t)
> > > > + pulseaudio_use_fds($1_wm_t)
> > >
> > > these shouldnt be needed. what prompted you to add these?
> > > (preferably
> > > show avc denials)
> >
> > See above. Stale files need to be unlinked.
>
> That is a bug here then:
>
> https://github.com/TresysTechnology/refpolicy-contrib/blob/master/pul
> seaudio.te#L241
>
> clients should then also be able to delete pulseaudio tmpfs files
>
> >
> >
> > >
> > > >
> > > > ? ')
> > > > ?')
> > > > ?
> > > > @@ -134,3 +140,41 @@ interface(`wm_dbus_chat',`
> > > > ? allow $2 $1_wm_t:dbus send_msg;
> > > > ? allow $1_wm_t $2:dbus send_msg;
> > > > ?')
> > > > +
> > > > +########################################
> > > > +## <summary>
> > > > +## Do not audit attempts to execute
> > > > +## files in temporary directories.
> > > > +## </summary>
> > > > +## <param name="domain">
> > > > +## <summary>
> > > > +## Domain to not audit.
> > > > +## </summary>
> > > > +## </param>
> > > > +#
> > > > +interface(`wm_dontaudit_exec_tmp_files',`
> > > > + gen_require(`
> > > > + type wm_tmp_t;
> > > > + ')
> > > > +
> > > > + dontaudit $1 wm_tmp_t:file exec_file_perms;
> > > > +')
> > > > +
> > > > +########################################
> > > > +## <summary>
> > > > +## Do not audit attempts to execute
> > > > +## files in temporary filesystems.
> > > > +## </summary>
> > > > +## <param name="domain">
> > > > +## <summary>
> > > > +## Domain to not audit.
> > > > +## </summary>
> > > > +## </param>
> > > > +#
> > > > +interface(`wm_dontaudit_exec_tmpfs_files',`
> > > > + gen_require(`
> > > > + type wm_tmpfs_t;
> > > > + ')
> > > > +
> > > > + dontaudit $1 wm_tmpfs_t:file exec_file_perms;
> > > > +')
> > > > diff -pruN refpolicy-git-07122016-
> > > > orig/policy/modules/contrib/wm.te?
> > > > refpolicy-git-07122016/policy/modules/contrib/wm.te
> > > > --- refpolicy-git-07122016-orig/policy/modules/contrib/wm.te
> > > > 2016-10-29 16:29:19.762328008 +0200
> > > > +++ refpolicy-git-07122016/policy/modules/contrib/wm.te
> > > > 2016
> > > > -12-08 17:57:40.843768477 +0100
> > > > @@ -10,6 +10,14 @@ attribute wm_domain;
> > > > ?type wm_exec_t;
> > > > ?corecmd_executable_file(wm_exec_t)
> > > > ?
> > > > +type wm_tmp_t;
> > > > +typealias wm_tmp_t alias { user_wm_tmp_t staff_wm_tmp_t
> > > > sysadm_wm_tmp_t };
> > > > +userdom_user_tmp_file(wm_tmp_t)
> > > > +
> > > > +type wm_tmpfs_t;
> > > > +typealias wm_tmpfs_t alias { user_wm_tmpfs_t staff_wm_tmpfs_t
> > > > sysadm_wm_tmpfs_t };
> > > > +userdom_user_tmpfs_file(wm_tmpfs_t)
> > >
> > > this is a pulseaudio_tmpfs_file()
> >
> > I am not sure about that.
> >
> > It works fine, so at the moment I can't see a reason to change it.
> >
> > It is probably used to create libffi files and not pulseaudio files
> > (that I expect to be created by the pulseaudio process). See below.
> >
>
> All pulseaudio clients need to be able to read/write/unlink eachother
> tmpfs files.
>
> >
> > >
> > > >
> > > > +
> > > > ?########################################
> > > > ?#
> > > > ?# Common wm domain local policy
> > > > @@ -21,31 +29,60 @@ allow wm_domain self:netlink_kobject_uev
> > > > ?allow wm_domain self:shm create_shm_perms;
> > > > ?allow wm_domain self:unix_dgram_socket create_socket_perms;
> > > > ?
> > > > +manage_dirs_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
> > > > +manage_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
> > > > +manage_lnk_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
> > > > +files_tmp_filetrans(wm_domain, wm_tmp_t, { dir file lnk_file
> > > > })
> > > > +
> > > > +manage_dirs_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
> > > > +manage_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
> > > > +manage_lnk_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
> > > > +fs_tmpfs_filetrans(wm_domain, wm_tmpfs_t, { dir file lnk_file
> > > > })
> > > > +
> > > > +can_exec(wm_domain, wm_exec_t)
> > > > +
> > > > ?kernel_read_system_state(wm_domain)
> > > > ?
> > > > ?corecmd_getattr_all_executables(wm_domain)
> > > > ?
> > > > +dev_read_rand(wm_domain)
> > > > ?dev_read_sound(wm_domain)
> > > > ?dev_read_sysfs(wm_domain)
> > > > ?dev_read_urand(wm_domain)
> > > > +dev_rw_dri(wm_domain)
> > > > ?dev_rw_wireless(wm_domain)
> > > > ?dev_write_sound(wm_domain)
> > > > ?
> > > > +files_read_etc_runtime_files(wm_domain)
> > > > ?files_read_usr_files(wm_domain)
> > > > ?
> > > > ?fs_getattr_all_fs(wm_domain)
> > > > ?
> > > > +kernel_read_fs_sysctls(wm_domain)
> > > > +kernel_read_proc_symlinks(wm_domain)
> > > > +kernel_read_sysctl(wm_domain)
> > > > +
> > > > ?miscfiles_read_fonts(wm_domain)
> > > > +miscfiles_read_generic_certs(wm_domain)
> > > > ?miscfiles_read_localization(wm_domain)
> > > > ?
> > > > +udev_read_pid_files(wm_domain)
> > > > +
> > > > +# this is needed by gnome-shell
> > > > +userdom_exec_user_home_content_files(wm_domain)
> > >
> > > What exactly is it executing here?
> >
> > I think it is executing files generated by libffi.
>
> and how do those files end up in $HOME, maybe because you're blocking
> access to tmp (XDG_RUNTIME_DIR)?
>
> /run/user/UID is first choice

No, it doesn't work like that.

And the home directory is the safest option.

> > > > +
> > > > ?userdom_manage_user_tmp_sockets(wm_domain)
> > > > ?userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
> > > > ?userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file)
> > > > ?
> > > > ?userdom_manage_user_home_content_dirs(wm_domain)
> > > > ?userdom_manage_user_home_content_files(wm_domain)
> > > > +
> > > > ?userdom_user_home_dir_filetrans_user_home_content(wm_domain, {
> > > > dir
> > > > file })
> > > > ?
> > > > +wm_dontaudit_exec_tmp_files(wm_domain)
> > > > +wm_dontaudit_exec_tmpfs_files(wm_domain)
> > >
> > > why dontaudit the above? gnome-sheM
>
>
> These files are probably initially created in $XDG_RUNTIME_DIR which
> is
> the best place. However if you block that then it falls back to
> ~/.cache
> (which is second best)
>
> >
> >
> > >
> > > >
> > > > +
> > > > ?optional_policy(`
> > > > ? accountsd_dbus_chat(wm_domain)
> > > > ?')
> > > > @@ -55,10 +92,42 @@ optional_policy(`
> > > > ?')
> > > > ?
> > > > ?optional_policy(`
> > > > + consolekit_dbus_chat(wm_domain)
> > > > +')
> > > > +
> > > > +optional_policy(`
> > > > ? devicekit_dbus_chat_power(wm_domain)
> > > > ?')
> > > > ?
> > > > ?optional_policy(`
> > > > + evolution_dbus_chat(wm_domain)
> > > > + evolution_alarm_dbus_chat(wm_domain)
> > > > + evolution_domtrans(wm_domain)
> > > > +')
> > > > +
> > > > +optional_policy(`
> > > > + games_dbus_chat(wm_domain)
> > > > + games_domtrans(wm_domain)
> > > > +')
> > > > +
> > > > +optional_policy(`
> > > > + java_domtrans(wm_domain)
> > > > +')
> > > > +
> > > > +optional_policy(`
> > > > + mono_domtrans(wm_domain)
> > > > +')
> > > > +
> > > > +optional_policy(`
> > > > + mozilla_domtrans(wm_domain)
> > > > + mozilla_dbus_chat(wm_domain)
> > > > +')
> > > > +
> > > > +optional_policy(`
> > > > + mplayer_domtrans(wm_domain)
> > > > +')
> > > > +
> > > > +optional_policy(`
> > > > ? networkmanager_dbus_chat(wm_domain)
> > > > ?')
> > > > ?
> > > > @@ -71,5 +140,9 @@ optional_policy(`
> > > > ?')
> > > > ?
> > > > ?optional_policy(`
> > > > + telepathy_mission_control_dbus_chat(wm_domain)
> > > > +')
> > > > +
> > > > +optional_policy(`
> > > > ? userhelper_exec_consolehelper(wm_domain)
> > > > ?')
> > > > diff -pruN refpolicy-git-07122016-
> > > > orig/policy/modules/roles/staff.te refpolicy-git-
> > > > 07122016/policy/modules/roles/staff.te
> > > > --- refpolicy-git-07122016-orig/policy/modules/roles/staff.te
> > > > 2016-12-07 13:39:08.669449296 +0100
> > > > +++ refpolicy-git-07122016/policy/modules/roles/staff.te
> > > > 201
> > > > 6-12-08 15:47:40.140741170 +0100
> > > > @@ -85,6 +85,7 @@ ifndef(`distro_redhat',`
> > > > ?
> > > > ? optional_policy(`
> > > > ? gnome_role_template(staff, staff_r,
> > > > staff_t)
> > > > + wm_role_template(staff, staff_r,
> > > > staff_t)
> > > > ? ')
> > > > ?
> > > > ? optional_policy(`
> > > > diff -pruN refpolicy-git-07122016-
> > > > orig/policy/modules/roles/sysadm.te refpolicy-git-
> > > > 07122016/policy/modules/roles/sysadm.te
> > > > --- refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te
> > > > 2016-12-07 13:39:08.669449296 +0100
> > > > +++ refpolicy-git-07122016/policy/modules/roles/sysadm.te
> > > > 20
> > > > 16-12-08 15:47:40.141741187 +0100
> > > > @@ -1245,6 +1245,7 @@ ifndef(`distro_redhat',`
> > > > ?
> > > > ? optional_policy(`
> > > > ? gnome_role_template(sysadm, sysadm_r,
> > > > sysadm_t)
> > > > + wm_role_template(sysadm, sysadm_r,
> > > > sysadm_t)
> > > > ? ')
> > > > ? ')
> > > > ?
> > > > diff -pruN refpolicy-git-07122016-
> > > > orig/policy/modules/roles/unprivuser.te refpolicy-git-
> > > > 07122016/policy/modules/roles/unprivuser.te
> > > > --- refpolicy-git-07122016-
> > > > orig/policy/modules/roles/unprivuser.te
> > > > 2016-12-07 13:39:08.669449296 +0100
> > > > +++ refpolicy-git-07122016/policy/modules/roles/unprivuser.te
> > > > 2016-12-08 15:47:40.141741187 +0100
> > > > @@ -54,6 +54,7 @@ ifndef(`distro_redhat',`
> > > > ?
> > > > ? optional_policy(`
> > > > ? gnome_role_template(user, user_r,
> > > > user_t)
> > > > + wm_role_template(user, user_r, user_t)
> > > > ? ')
> > > > ?
> > > > ? optional_policy(`

Guido

2016-12-09 22:21:47

by guido

Subject: [refpolicy] [PATCH v3] wm: update the window manager (wm) module and enable its role template

Enable the window manager role (wm contrib module) and update
the module to work with gnome-shell.

This second version introduces better integration with common
desktop applications and requires the following recently posted
patch for the games module:

[PATCH v3 1/2] games: general update and improved pulseaudio integration
http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html

This patch might need some more testing (I have received no
feedback yet).

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/wm.if | 42 ++++++++++++++++++++
policy/modules/contrib/wm.te | 75 ++++++++++++++++++++++++++++++++++++-
policy/modules/roles/staff.te | 1
policy/modules/roles/sysadm.te | 1
policy/modules/roles/unprivuser.te | 1
5 files changed, 119 insertions(+), 1 deletion(-)

diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.if refpolicy-git-07122016/policy/modules/contrib/wm.if
--- refpolicy-git-07122016-orig/policy/modules/contrib/wm.if 2016-08-14 21:28:11.597521187 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/wm.if 2016-12-09 22:40:06.077448696 +0100
@@ -47,6 +47,8 @@ template(`wm_role_template',`
# Policy
#

+ allow $3 $1_wm_t:fd use;
+
allow $1_wm_t $3:unix_stream_socket connectto;
allow $3 $1_wm_t:unix_stream_socket connectto;

@@ -72,6 +74,7 @@ template(`wm_role_template',`
xserver_manage_core_devices($1_wm_t)

optional_policy(`
+ dbus_connect_spec_session_bus($1, $1_wm_t)
dbus_spec_session_bus_client($1, $1_wm_t)
dbus_system_bus_client($1_wm_t)

@@ -81,6 +84,7 @@ template(`wm_role_template',`
')

optional_policy(`
+ gnome_dbus_chat_gkeyringd($1, $1_wm_t)
gnome_stream_connect_gkeyringd($1, $1_wm_t)
')

@@ -134,3 +138,41 @@ interface(`wm_dbus_chat',`
allow $2 $1_wm_t:dbus send_msg;
allow $1_wm_t $2:dbus send_msg;
')
+
+########################################
+## <summary>
+## Do not audit attempts to execute
+## files in temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`wm_dontaudit_exec_tmp_files',`
+ gen_require(`
+ type wm_tmp_t;
+ ')
+
+ dontaudit $1 wm_tmp_t:file exec_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to execute
+## files in temporary filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`wm_dontaudit_exec_tmpfs_files',`
+ gen_require(`
+ type wm_tmpfs_t;
+ ')
+
+ dontaudit $1 wm_tmpfs_t:file exec_file_perms;
+')
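Review bot: The summaries of the two interfaces added at the end of wm.if describe more than the rules cover: `wm_dontaudit_exec_tmp_files` silences execute denials only on `wm_tmp_t` files and `wm_dontaudit_exec_tmpfs_files` only on `wm_tmpfs_t` files, not on temporary directories or filesystems in general. I would write `## Do not audit attempts to execute wm temporary files.` and `## Do not audit attempts to execute wm tmpfs files.` instead. A dontaudit rule removes the denial from the audit log, so the documented scope is what someone relies on when working out why an expected AVC record is missing. The same two interfaces are reposted unchanged in the v4 patch further down.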
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.te refpolicy-git-07122016/policy/modules/contrib/wm.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/wm.te 2016-10-29 16:29:19.762328008 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/wm.te 2016-12-09 23:02:20.296031215 +0100
@@ -10,6 +10,18 @@ attribute wm_domain;
type wm_exec_t;
corecmd_executable_file(wm_exec_t)

+type wm_tmp_t;
+typealias wm_tmp_t alias { user_wm_tmp_t staff_wm_tmp_t sysadm_wm_tmp_t };
+userdom_user_tmp_file(wm_tmp_t)
+
+type wm_tmpfs_t;
+typealias wm_tmpfs_t alias { user_wm_tmpfs_t staff_wm_tmpfs_t sysadm_wm_tmpfs_t };
+userdom_user_tmpfs_file(wm_tmpfs_t)
+
+optional_policy(`
+ pulseaudio_tmpfs_content(wm_tmpfs_t)
+')
+
########################################
#
# Common wm domain local policy
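Review bot: `pulseaudio_tmpfs_content(wm_tmpfs_t)` is applied to the same type that the next hunk makes the default label for every directory, file and symlink a wm domain creates on tmpfs (`fs_tmpfs_filetrans(wm_domain, wm_tmpfs_t, { dir file lnk_file })`). If that interface shares the type among pulseaudio clients, which is inferred from its name because its body is not in this patch, then window-manager shared memory unrelated to audio would be reachable by those clients as well. I would add a comment above the optional block, `# NOTE: marks all wm tmpfs content as pulseaudio tmpfs content`, and consider a separate type for the audio segments. The v4 repost contains the same hunk.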
@@ -21,31 +33,60 @@ allow wm_domain self:netlink_kobject_uev
allow wm_domain self:shm create_shm_perms;
allow wm_domain self:unix_dgram_socket create_socket_perms;

+manage_dirs_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
+manage_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
+manage_lnk_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
+files_tmp_filetrans(wm_domain, wm_tmp_t, { dir file lnk_file })
+
+manage_dirs_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
+manage_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
+manage_lnk_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
+fs_tmpfs_filetrans(wm_domain, wm_tmpfs_t, { dir file lnk_file })
+
+can_exec(wm_domain, wm_exec_t)
+
kernel_read_system_state(wm_domain)

corecmd_getattr_all_executables(wm_domain)

+dev_read_rand(wm_domain)
dev_read_sound(wm_domain)
dev_read_sysfs(wm_domain)
dev_read_urand(wm_domain)
+dev_rw_dri(wm_domain)
dev_rw_wireless(wm_domain)
dev_write_sound(wm_domain)

+files_read_etc_runtime_files(wm_domain)
files_read_usr_files(wm_domain)

fs_getattr_all_fs(wm_domain)

+kernel_read_fs_sysctls(wm_domain)
+kernel_read_proc_symlinks(wm_domain)
+kernel_read_sysctl(wm_domain)
+
miscfiles_read_fonts(wm_domain)
+miscfiles_read_generic_certs(wm_domain)
miscfiles_read_localization(wm_domain)

+udev_read_pid_files(wm_domain)
+
+# this is needed by gnome-shell
+userdom_exec_user_home_content_files(wm_domain)
+
userdom_manage_user_tmp_sockets(wm_domain)
userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file)

userdom_manage_user_home_content_dirs(wm_domain)
userdom_manage_user_home_content_files(wm_domain)
+
userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file })

+wm_dontaudit_exec_tmp_files(wm_domain)
+wm_dontaudit_exec_tmpfs_files(wm_domain)
+
optional_policy(`
accountsd_dbus_chat(wm_domain)
')
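Review bot: `userdom_exec_user_home_content_files(wm_domain)` is granted to the whole `wm_domain` attribute although its comment says only gnome-shell needs it, and the unchanged line `userdom_manage_user_home_content_files(wm_domain)` further down in this hunk already lets the same domains write that content. Together the two calls let any confined window manager execute files it has written under the home directory, which weakens the confinement this module is meant to provide. I would place the exec grant behind a tunable that is off by default, or at least expand the comment to `# gnome-shell only: wm_domain can also write user home content, so this allows write-then-execute`. The v4 repost carries the same line.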
@@ -55,10 +96,42 @@ optional_policy(`
')

optional_policy(`
+ consolekit_dbus_chat(wm_domain)
+')
+
+optional_policy(`
devicekit_dbus_chat_power(wm_domain)
')

optional_policy(`
+ evolution_dbus_chat(wm_domain)
+ evolution_alarm_dbus_chat(wm_domain)
+ evolution_domtrans(wm_domain)
+')
+
+optional_policy(`
+ games_dbus_chat(wm_domain)
+ games_domtrans(wm_domain)
+')
+
+optional_policy(`
+ java_domtrans(wm_domain)
+')
+
+optional_policy(`
+ mono_domtrans(wm_domain)
+')
+
+optional_policy(`
+ mozilla_domtrans(wm_domain)
+ mozilla_dbus_chat(wm_domain)
+')
+
+optional_policy(`
+ mplayer_domtrans(wm_domain)
+')
+
+optional_policy(`
networkmanager_dbus_chat(wm_domain)
')

@@ -67,7 +140,7 @@ optional_policy(`
')

optional_policy(`
- pulseaudio_stream_connect(wm_domain)
+ telepathy_mission_control_dbus_chat(wm_domain)
')

optional_policy(`
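Review bot: The last wm.te hunk drops `pulseaudio_stream_connect(wm_domain)` by reusing its `optional_policy` block for `telepathy_mission_control_dbus_chat(wm_domain)`, and the description does not mention the removal. The earlier posting quoted in this thread added the telepathy call in a block of its own, so the deletion may be unintended. If it is deliberate, the description should say why the stream connection is no longer needed; otherwise keep the pulseaudio line and add the telepathy call as a separate `optional_policy` block. The neighbouring blocks start and end outside the hunk.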
diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/staff.te refpolicy-git-07122016/policy/modules/roles/staff.te
--- refpolicy-git-07122016-orig/policy/modules/roles/staff.te 2016-12-07 13:39:08.669449296 +0100
+++ refpolicy-git-07122016/policy/modules/roles/staff.te 2016-12-08 22:25:26.327711806 +0100
@@ -85,6 +85,7 @@ ifndef(`distro_redhat',`

optional_policy(`
gnome_role_template(staff, staff_r, staff_t)
+ wm_role_template(staff, staff_r, staff_t)
')

optional_policy(`
diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te refpolicy-git-07122016/policy/modules/roles/sysadm.te
--- refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te 2016-12-07 13:39:08.669449296 +0100
+++ refpolicy-git-07122016/policy/modules/roles/sysadm.te 2016-12-08 22:25:26.343712120 +0100
@@ -1245,6 +1245,7 @@ ifndef(`distro_redhat',`

optional_policy(`
gnome_role_template(sysadm, sysadm_r, sysadm_t)
+ wm_role_template(sysadm, sysadm_r, sysadm_t)
')
')

diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te refpolicy-git-07122016/policy/modules/roles/unprivuser.te
--- refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te 2016-12-07 13:39:08.669449296 +0100
+++ refpolicy-git-07122016/policy/modules/roles/unprivuser.te 2016-12-08 22:25:26.344712139 +0100
@@ -54,6 +54,7 @@ ifndef(`distro_redhat',`

optional_policy(`
gnome_role_template(user, user_r, user_t)
+ wm_role_template(user, user_r, user_t)
')

optional_policy(`

2016-12-11 20:04:56

by Chris PeBenito

Subject: [refpolicy] [PATCH v3] wm: update the window manager (wm) module and enable its role template

On 12/09/16 17:21, Guido Trentalancia via refpolicy wrote:
> Enable the window manager role (wm contrib module) and update
> the module to work with gnome-shell.
>
> This second version introduces better integration with common
> desktop applications and requires the following recently posted
> patch for the games module:
>
> [PATCH v3 1/2] games: general update and improved pulseaudio integration
> http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html
>
> This patch might need some more testing (I have received no
> feedback yet).
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/wm.if | 42 ++++++++++++++++++++
> policy/modules/contrib/wm.te | 75 ++++++++++++++++++++++++++++++++++++-
> policy/modules/roles/staff.te | 1
> policy/modules/roles/sysadm.te | 1
> policy/modules/roles/unprivuser.te | 1
> 5 files changed, 119 insertions(+), 1 deletion(-)

[...]

> diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/staff.te refpolicy-git-07122016/policy/modules/roles/staff.te
> --- refpolicy-git-07122016-orig/policy/modules/roles/staff.te 2016-12-07 13:39:08.669449296 +0100
> +++ refpolicy-git-07122016/policy/modules/roles/staff.te 2016-12-08 22:25:26.327711806 +0100
> @@ -85,6 +85,7 @@ ifndef(`distro_redhat',`
>
> optional_policy(`
> gnome_role_template(staff, staff_r, staff_t)
> + wm_role_template(staff, staff_r, staff_t)
> ')
>
> optional_policy(`
> diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te refpolicy-git-07122016/policy/modules/roles/sysadm.te
> --- refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te 2016-12-07 13:39:08.669449296 +0100
> +++ refpolicy-git-07122016/policy/modules/roles/sysadm.te 2016-12-08 22:25:26.343712120 +0100
> @@ -1245,6 +1245,7 @@ ifndef(`distro_redhat',`
>
> optional_policy(`
> gnome_role_template(sysadm, sysadm_r, sysadm_t)
> + wm_role_template(sysadm, sysadm_r, sysadm_t)
> ')
> ')
>
> diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te refpolicy-git-07122016/policy/modules/roles/unprivuser.te
> --- refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te 2016-12-07 13:39:08.669449296 +0100
> +++ refpolicy-git-07122016/policy/modules/roles/unprivuser.te 2016-12-08 22:25:26.344712139 +0100
> @@ -54,6 +54,7 @@ ifndef(`distro_redhat',`
>
> optional_policy(`
> gnome_role_template(user, user_r, user_t)
> + wm_role_template(user, user_r, user_t)
> ')

So this change is essentially saying that you can't use the gnome policy
without the wm module. Is that really the case? It seems like they
would be separate optionals.



--
Chris PeBenito

2016-12-11 20:13:29

by guido

Subject: [refpolicy] [PATCH v3] wm: update the window manager (wm) module and enable its role template

On Sun, 11/12/2016 at 15.04 -0500, Chris PeBenito wrote:
> On 12/09/16 17:21, Guido Trentalancia via refpolicy wrote:
> >
> > Enable the window manager role (wm contrib module) and update
> > the module to work with gnome-shell.
> >
> > This second version introduces better integration with common
> > desktop applications and requires the following recently posted
> > patch for the games module:
> >
> > [PATCH v3 1/2] games: general update and improved pulseaudio
> > integration
> > http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html
> >
> > This patch might need some more testing (I have received no
> > feedback yet).
> >
> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> > ?policy/modules/contrib/wm.if???????|???42 ++++++++++++++++++++
> > ?policy/modules/contrib/wm.te???????|???75
> > ++++++++++++++++++++++++++++++++++++-
> > ?policy/modules/roles/staff.te??????|????1
> > ?policy/modules/roles/sysadm.te?????|????1
> > ?policy/modules/roles/unprivuser.te |????1
> > ?5 files changed, 119 insertions(+), 1 deletion(-)
>
> [...]
>
> >
> > diff -pruN refpolicy-git-07122016-
> > orig/policy/modules/roles/staff.te refpolicy-git-
> > 07122016/policy/modules/roles/staff.te
> > --- refpolicy-git-07122016-orig/policy/modules/roles/staff.te
> > 2016-12-07 13:39:08.669449296 +0100
> > +++ refpolicy-git-07122016/policy/modules/roles/staff.te 201
> > 6-12-08 22:25:26.327711806 +0100
> > @@ -85,6 +85,7 @@ ifndef(`distro_redhat',`
> >
> > ? optional_policy(`
> > ? gnome_role_template(staff, staff_r,
> > staff_t)
> > + wm_role_template(staff, staff_r, staff_t)
> > ? ')
> >
> > ? optional_policy(`
> > diff -pruN refpolicy-git-07122016-
> > orig/policy/modules/roles/sysadm.te refpolicy-git-
> > 07122016/policy/modules/roles/sysadm.te
> > --- refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te
> > 2016-12-07 13:39:08.669449296 +0100
> > +++ refpolicy-git-07122016/policy/modules/roles/sysadm.te 20
> > 16-12-08 22:25:26.343712120 +0100
> > @@ -1245,6 +1245,7 @@ ifndef(`distro_redhat',`
> >
> > ? optional_policy(`
> > ? gnome_role_template(sysadm, sysadm_r,
> > sysadm_t)
> > + wm_role_template(sysadm, sysadm_r,
> > sysadm_t)
> > ? ')
> > ? ')
> >
> > diff -pruN refpolicy-git-07122016-
> > orig/policy/modules/roles/unprivuser.te refpolicy-git-
> > 07122016/policy/modules/roles/unprivuser.te
> > --- refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te
> > 2016-12-07 13:39:08.669449296 +0100
> > +++ refpolicy-git-07122016/policy/modules/roles/unprivuser.te
> > 2016-12-08 22:25:26.344712139 +0100
> > @@ -54,6 +54,7 @@ ifndef(`distro_redhat',`
> >
> > ? optional_policy(`
> > ? gnome_role_template(user, user_r, user_t)
> > + wm_role_template(user, user_r, user_t)
> > ? ')
>
> So this change is essentially saying is you can't use the gnome
> policy
> without the wm module. Is that really the case? It seems like they
> would be separate optionals.

It's preferable to have a confined window manager, instead of one
running in the user domain and that is therefore more easily exploited.

That's the meaning of this patch.

However, I understand we should make sure it works with all window
managers, so I am actually seeking help to test it with window managers
other than gnome-shell.

Because at the moment, the patch is only tested with gnome-shell (to be
honest, not even with gnome-panel/metacity because of a lack of time),
I do not suggest (yet) making them separate optionals. That would
mandate a confined window manager even for setups that have not been
tested yet.

Regards,

Guido

2016-12-11 20:47:59

by Chris PeBenito

Subject: [refpolicy] [PATCH v3] wm: update the window manager (wm) module and enable its role template

On 12/11/16 15:13, Guido Trentalancia via refpolicy wrote:
> On Sun, 11/12/2016 at 15.04 -0500, Chris PeBenito wrote:
>> On 12/09/16 17:21, Guido Trentalancia via refpolicy wrote:
>>>
>>> Enable the window manager role (wm contrib module) and update
>>> the module to work with gnome-shell.
>>>
>>> This second version introduces better integration with common
>>> desktop applications and requires the following recently posted
>>> patch for the games module:
>>>
>>> [PATCH v3 1/2] games: general update and improved pulseaudio
>>> integration
>>> http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html
>>>
>>> This patch might need some more testing (I have received no
>>> feedback yet).
>>>
>>> Signed-off-by: Guido Trentalancia <[email protected]>
>>> ---
>>> policy/modules/contrib/wm.if | 42 ++++++++++++++++++++
>>> policy/modules/contrib/wm.te | 75
>>> ++++++++++++++++++++++++++++++++++++-
>>> policy/modules/roles/staff.te | 1
>>> policy/modules/roles/sysadm.te | 1
>>> policy/modules/roles/unprivuser.te | 1
>>> 5 files changed, 119 insertions(+), 1 deletion(-)
>>
>> [...]
>>
>>>
>>> diff -pruN refpolicy-git-07122016-
>>> orig/policy/modules/roles/staff.te refpolicy-git-
>>> 07122016/policy/modules/roles/staff.te
>>> --- refpolicy-git-07122016-orig/policy/modules/roles/staff.te
>>> 2016-12-07 13:39:08.669449296 +0100
>>> +++ refpolicy-git-07122016/policy/modules/roles/staff.te 201
>>> 6-12-08 22:25:26.327711806 +0100
>>> @@ -85,6 +85,7 @@ ifndef(`distro_redhat',`
>>>
>>> optional_policy(`
>>> gnome_role_template(staff, staff_r,
>>> staff_t)
>>> + wm_role_template(staff, staff_r, staff_t)
>>> ')
>>>
>>> optional_policy(`
>>> diff -pruN refpolicy-git-07122016-
>>> orig/policy/modules/roles/sysadm.te refpolicy-git-
>>> 07122016/policy/modules/roles/sysadm.te
>>> --- refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te
>>> 2016-12-07 13:39:08.669449296 +0100
>>> +++ refpolicy-git-07122016/policy/modules/roles/sysadm.te 20
>>> 16-12-08 22:25:26.343712120 +0100
>>> @@ -1245,6 +1245,7 @@ ifndef(`distro_redhat',`
>>>
>>> optional_policy(`
>>> gnome_role_template(sysadm, sysadm_r,
>>> sysadm_t)
>>> + wm_role_template(sysadm, sysadm_r,
>>> sysadm_t)
>>> ')
>>> ')
>>>
>>> diff -pruN refpolicy-git-07122016-
>>> orig/policy/modules/roles/unprivuser.te refpolicy-git-
>>> 07122016/policy/modules/roles/unprivuser.te
>>> --- refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te
>>> 2016-12-07 13:39:08.669449296 +0100
>>> +++ refpolicy-git-07122016/policy/modules/roles/unprivuser.te
>>> 2016-12-08 22:25:26.344712139 +0100
>>> @@ -54,6 +54,7 @@ ifndef(`distro_redhat',`
>>>
>>> optional_policy(`
>>> gnome_role_template(user, user_r, user_t)
>>> + wm_role_template(user, user_r, user_t)
>>> ')
>>
>> So this change is essentially saying is you can't use the gnome
>> policy
>> without the wm module. Is that really the case? It seems like they
>> would be separate optionals.
>
> It's preferable to have a confined window manager, instead of one

In this case, I'd emphasize "preferable" here. It's not for everyone.

> running in the user domain and that is therefore more easily exploited.
>
> That's the meaning of this patch.
>
> However, I understand we should make sure it works with all window
> managers, so I am actually seeking help to test it with window managers
> other than gnome-shell.
>
> Because at the moment, the patch is only tested with gnome-shell (to be
> honest, not even with gnome-panel/metacity because of a lack of time),
> I do not suggest (yet) making them separate optionals. That would
> mandate a confined window manager even for setups that have not been
> tested yet.

I don't understand how making separate optionals mandates a confined
window manager. It does the reverse.

--
Chris PeBenito

2016-12-11 21:56:03

by guido

Subject: [refpolicy] [PATCH v3] wm: update the window manager (wm) module and enable its role template

On Sun, 11/12/2016 at 15.47 -0500, Chris PeBenito wrote:
> On 12/11/16 15:13, Guido Trentalancia via refpolicy wrote:
> >
> > On Sun, 11/12/2016 at 15.04 -0500, Chris PeBenito wrote:
> > >
> > > On 12/09/16 17:21, Guido Trentalancia via refpolicy wrote:
> > > >
> > > >
> > > > Enable the window manager role (wm contrib module) and update
> > > > the module to work with gnome-shell.
> > > >
> > > > This second version introduces better integration with common
> > > > desktop applications and requires the following recently posted
> > > > patch for the games module:
> > > >
> > > > [PATCH v3 1/2] games: general update and improved pulseaudio
> > > > integration
> > > > http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.
> > > > html
> > > >
> > > > This patch might need some more testing (I have received no
> > > > feedback yet).
> > > >
> > > > Signed-off-by: Guido Trentalancia <[email protected]>
> > > > ---
> > > > ?policy/modules/contrib/wm.if???????|???42 ++++++++++++++++++++
> > > > ?policy/modules/contrib/wm.te???????|???75
> > > > ++++++++++++++++++++++++++++++++++++-
> > > > ?policy/modules/roles/staff.te??????|????1
> > > > ?policy/modules/roles/sysadm.te?????|????1
> > > > ?policy/modules/roles/unprivuser.te |????1
> > > > ?5 files changed, 119 insertions(+), 1 deletion(-)
> > >
> > > [...]
> > >
> > > >
> > > >
> > > > diff -pruN refpolicy-git-07122016-
> > > > orig/policy/modules/roles/staff.te refpolicy-git-
> > > > 07122016/policy/modules/roles/staff.te
> > > > --- refpolicy-git-07122016-orig/policy/modules/roles/staff.te
> > > > 2016-12-07 13:39:08.669449296 +0100
> > > > +++ refpolicy-git-07122016/policy/modules/roles/staff.te
> > > > 201
> > > > 6-12-08 22:25:26.327711806 +0100
> > > > @@ -85,6 +85,7 @@ ifndef(`distro_redhat',`
> > > >
> > > > ? optional_policy(`
> > > > ? gnome_role_template(staff, staff_r,
> > > > staff_t)
> > > > + wm_role_template(staff, staff_r,
> > > > staff_t)
> > > > ? ')
> > > >
> > > > ? optional_policy(`
> > > > diff -pruN refpolicy-git-07122016-
> > > > orig/policy/modules/roles/sysadm.te refpolicy-git-
> > > > 07122016/policy/modules/roles/sysadm.te
> > > > --- refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te
> > > > 2016-12-07 13:39:08.669449296 +0100
> > > > +++ refpolicy-git-07122016/policy/modules/roles/sysadm.te
> > > > 20
> > > > 16-12-08 22:25:26.343712120 +0100
> > > > @@ -1245,6 +1245,7 @@ ifndef(`distro_redhat',`
> > > >
> > > > ? optional_policy(`
> > > > ? gnome_role_template(sysadm, sysadm_r,
> > > > sysadm_t)
> > > > + wm_role_template(sysadm, sysadm_r,
> > > > sysadm_t)
> > > > ? ')
> > > > ? ')
> > > >
> > > > diff -pruN refpolicy-git-07122016-
> > > > orig/policy/modules/roles/unprivuser.te refpolicy-git-
> > > > 07122016/policy/modules/roles/unprivuser.te
> > > > --- refpolicy-git-07122016-
> > > > orig/policy/modules/roles/unprivuser.te
> > > > 2016-12-07 13:39:08.669449296 +0100
> > > > +++ refpolicy-git-07122016/policy/modules/roles/unprivuser.te
> > > > 2016-12-08 22:25:26.344712139 +0100
> > > > @@ -54,6 +54,7 @@ ifndef(`distro_redhat',`
> > > >
> > > > ? optional_policy(`
> > > > ? gnome_role_template(user, user_r,
> > > > user_t)
> > > > + wm_role_template(user, user_r, user_t)
> > > > ? ')
> > >
> > > So this change is essentially saying is you can't use the gnome
> > > policy
> > > without the wm module.??Is that really the case???It seems like
> > > they
> > > would be separate optionals.
> >
> > It's preferable to have a confined window manager, instead of one
>
> In this case, I'd emphasize "preferable" here.??It's not for
> everyone.
>
> >
> > running in the user domain and that is therefore more easily
> > exploited.
> >
> > That's the meaning of this patch.
> ?>
> >
> > However, I understand we should make sure it works with all window
> > managers, so I am actually seeking help to test it with window
> > managers
> > other than gnome-shell.
> >
> > Because at the moment, the patch is only tested with gnome-shell
> > (to be
> > honest, not even with gnome-panel/metacity because of a lack of
> > time),
> > I do not suggest (yet) making them separate optionals. That would
> > mandate a confined window manager even for setups that have not
> > been
> > tested yet.
>
> I don't understand how making separate optionals mandates a confined
> window manager. It does the reverse.

As it is, the wm role should be enabled only if the dbus and gnome
modules are loaded.

Similarly, as it is, the gnome role should be enabled only if the dbus
and the wm module are loaded.

In particular, because the wm role has not been tested without gnome,
it is currently enabled only in combination with the gnome role.

Regards,

Guido

2016-12-12 02:35:16

by Mira Ressel

Subject: [refpolicy] [PATCH v3] wm: update the window manager (wm) module and enable its role template

On Sun, 11 Dec 2016 22:56:03 +0100
Guido Trentalancia via refpolicy <[email protected]> wrote:

> > I don't understand how making separate optionals mandates a
> > confined window manager. It does the reverse.
>
> As it is, the wm role should be enabled only if the dbus and gnome
> modules are loaded.

I agree with both of you here. :)

Ideally, we would do
"
optional_policy
gnome...
optional_policy
wm...
"
but AFAIK, that's not possible.

Therefore, I'd suggest we use Chris' option (two separate
optional_policy blocks) and just recommend (out-of-band) not to use wm
without gnome in its present state. This has two added benefits:

* Makes it easier for gnome folks *not* to use the wm module, in case
it's still lacking some required permissions.

* Makes it easier for non-gnome folks to test the wm module.

Regards,
Luis Ressel

2016-12-14 00:48:40

by guido

Subject: [refpolicy] [PATCH 1/5] wm: update the window manager (wm) module and enable its role template (v4)

Enable the window manager role (wm contrib module) and update
the module to work with gnome-shell.

This patch requires the following recently posted patch for the
games module:

[PATCH v3 1/2] games: general update and improved pulseaudio integration
http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html

This patch needs some more testing (it has only been minimally
tested with gnome-shell running in normal mode, i.e. not in gdm
mode). In particular, it might break the current functioning of
systems employing gnome-shell and gdm.

Patches 3/5, 4/5 and 5/5 might be needed when gnome-shell is used
in conjunction with gdm (untested, might require further permissions).

Since the window managers are not limited to gnome-shell, this latter
version of the patch (along with part 2/5) uses separate optional
conditionals for the gnome and wm role templates.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/wm.if | 43 +++++++++++++++++-
policy/modules/contrib/wm.te | 88 ++++++++++++++++++++++++++++++++++++-
policy/modules/roles/staff.te | 8 ++-
policy/modules/roles/sysadm.te | 4 +
policy/modules/roles/unprivuser.te | 8 ++-
5 files changed, 145 insertions(+), 6 deletions(-)

diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.if refpolicy-git-07122016/policy/modules/contrib/wm.if
--- refpolicy-git-07122016-orig/policy/modules/contrib/wm.if 2016-08-14 21:28:11.597521187 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/wm.if 2016-12-13 22:53:54.445212825 +0100
@@ -47,6 +47,8 @@ template(`wm_role_template',`
# Policy
#

+ allow $3 $1_wm_t:fd use;
+
allow $1_wm_t $3:unix_stream_socket connectto;
allow $3 $1_wm_t:unix_stream_socket connectto;

@@ -72,6 +74,7 @@ template(`wm_role_template',`
xserver_manage_core_devices($1_wm_t)

optional_policy(`
+ dbus_connect_spec_session_bus($1, $1_wm_t)
dbus_spec_session_bus_client($1, $1_wm_t)
dbus_system_bus_client($1_wm_t)

@@ -81,7 +84,7 @@ template(`wm_role_template',`
')

optional_policy(`
- gnome_stream_connect_gkeyringd($1, $1_wm_t)
+ gnome_stream_connect_all_gkeyringd($1_wm_t)
')

optional_policy(`
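Review bot: Replacing `gnome_stream_connect_gkeyringd($1, $1_wm_t)` with `gnome_stream_connect_all_gkeyringd($1_wm_t)` appears to widen the grant from the keyring daemon of the role being templated to every gkeyringd domain; this is judged from the interface name, since its body is not in this patch. A window manager running for one role could then connect to the keyring daemon socket of another role. Unless gnome-shell was observed to need that, I would keep the role-scoped call `gnome_stream_connect_gkeyringd($1, $1_wm_t)` and state the reason for any change in the description, which currently does not mention it.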
@@ -134,3 +137,41 @@ interface(`wm_dbus_chat',`
allow $2 $1_wm_t:dbus send_msg;
allow $1_wm_t $2:dbus send_msg;
')
+
+########################################
+## <summary>
+## Do not audit attempts to execute
+## files in temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`wm_dontaudit_exec_tmp_files',`
+ gen_require(`
+ type wm_tmp_t;
+ ')
+
+ dontaudit $1 wm_tmp_t:file exec_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to execute
+## files in temporary filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`wm_dontaudit_exec_tmpfs_files',`
+ gen_require(`
+ type wm_tmpfs_t;
+ ')
+
+ dontaudit $1 wm_tmpfs_t:file exec_file_perms;
+')
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.te refpolicy-git-07122016/policy/modules/contrib/wm.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/wm.te 2016-10-29 16:29:19.762328008 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/wm.te 2016-12-13 00:34:34.876856837 +0100
@@ -10,6 +10,18 @@ attribute wm_domain;
type wm_exec_t;
corecmd_executable_file(wm_exec_t)

+type wm_tmp_t;
+typealias wm_tmp_t alias { user_wm_tmp_t staff_wm_tmp_t sysadm_wm_tmp_t };
+userdom_user_tmp_file(wm_tmp_t)
+
+type wm_tmpfs_t;
+typealias wm_tmpfs_t alias { user_wm_tmpfs_t staff_wm_tmpfs_t sysadm_wm_tmpfs_t };
+userdom_user_tmpfs_file(wm_tmpfs_t)
+
+optional_policy(`
+ pulseaudio_tmpfs_content(wm_tmpfs_t)
+')
+
########################################
#
# Common wm domain local policy
@@ -21,31 +33,60 @@ allow wm_domain self:netlink_kobject_uev
allow wm_domain self:shm create_shm_perms;
allow wm_domain self:unix_dgram_socket create_socket_perms;

+manage_dirs_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
+manage_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
+manage_lnk_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
+files_tmp_filetrans(wm_domain, wm_tmp_t, { dir file lnk_file })
+
+manage_dirs_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
+manage_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
+manage_lnk_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
+fs_tmpfs_filetrans(wm_domain, wm_tmpfs_t, { dir file lnk_file })
+
+can_exec(wm_domain, wm_exec_t)
+
kernel_read_system_state(wm_domain)

corecmd_getattr_all_executables(wm_domain)

+dev_read_rand(wm_domain)
dev_read_sound(wm_domain)
dev_read_sysfs(wm_domain)
dev_read_urand(wm_domain)
+dev_rw_dri(wm_domain)
dev_rw_wireless(wm_domain)
dev_write_sound(wm_domain)

+files_read_etc_runtime_files(wm_domain)
files_read_usr_files(wm_domain)

fs_getattr_all_fs(wm_domain)

+kernel_read_fs_sysctls(wm_domain)
+kernel_read_proc_symlinks(wm_domain)
+kernel_read_sysctl(wm_domain)
+
miscfiles_read_fonts(wm_domain)
+miscfiles_read_generic_certs(wm_domain)
miscfiles_read_localization(wm_domain)

+udev_read_pid_files(wm_domain)
+
+# this is needed by gnome-shell
+userdom_exec_user_home_content_files(wm_domain)
+
userdom_manage_user_tmp_sockets(wm_domain)
userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file)

userdom_manage_user_home_content_dirs(wm_domain)
userdom_manage_user_home_content_files(wm_domain)
+
userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file })

+wm_dontaudit_exec_tmp_files(wm_domain)
+wm_dontaudit_exec_tmpfs_files(wm_domain)
+
optional_policy(`
accountsd_dbus_chat(wm_domain)
')
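Review bot: `userdom_exec_user_home_content_files(wm_domain)` is added alongside the existing `userdom_manage_user_home_content_files(wm_domain)`, so every domain carrying the `wm_domain` attribute may both write generic home content and execute it in its own domain, without a transition. The comment names only gnome-shell, while the attribute covers all window managers. I would extend the comment to say what gnome-shell executes from the home directory, e.g. `# gnome-shell executes <what> from the user home directory`, and consider wrapping the rule in a `tunable_policy` block so that it can be switched off where gnome-shell is not in use. The same hunk adds `miscfiles_read_generic_certs` and `dev_rw_dri` without a comment; a one-line reason for each would help later review. This hunk recurs unchanged in the v2 1/5 repost.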
@@ -55,10 +96,51 @@ optional_policy(`
')

optional_policy(`
+ consolekit_dbus_chat(wm_domain)
+')
+
+optional_policy(`
devicekit_dbus_chat_power(wm_domain)
')

optional_policy(`
+ evolution_domtrans(wm_domain)
+
+ optional_policy(`
+ evolution_dbus_chat(wm_domain)
+ evolution_alarm_dbus_chat(wm_domain)
+ ')
+')
+
+optional_policy(`
+ games_domtrans(wm_domain)
+
+ optional_policy(`
+ games_dbus_chat(wm_domain)
+ ')
+')
+
+optional_policy(`
+ java_domtrans(wm_domain)
+')
+
+optional_policy(`
+ mono_domtrans(wm_domain)
+')
+
+optional_policy(`
+ mozilla_domtrans(wm_domain)
+
+ optional_policy(`
+ mozilla_dbus_chat(wm_domain)
+ ')
+')
+
+optional_policy(`
+ mplayer_domtrans(wm_domain)
+')
+
+optional_policy(`
networkmanager_dbus_chat(wm_domain)
')

@@ -67,9 +149,13 @@ optional_policy(`
')

optional_policy(`
- pulseaudio_stream_connect(wm_domain)
+ telepathy_mission_control_dbus_chat(wm_domain)
')

optional_policy(`
userhelper_exec_consolehelper(wm_domain)
')
+
+optional_policy(`
+ xserver_dbus_chat_xdm(wm_domain)
+')
diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/staff.te refpolicy-git-07122016/policy/modules/roles/staff.te
--- refpolicy-git-07122016-orig/policy/modules/roles/staff.te 2016-12-07 13:39:08.669449296 +0100
+++ refpolicy-git-07122016/policy/modules/roles/staff.te 2016-12-13 22:45:02.857851229 +0100
@@ -88,11 +88,11 @@ ifndef(`distro_redhat',`
')

optional_policy(`
- pulseaudio_role(staff_r, staff_t)
+ telepathy_role_template(staff, staff_r, staff_t)
')

optional_policy(`
- telepathy_role_template(staff, staff_r, staff_t)
+ wm_role_template(staff, staff_r, staff_t)
')
')

@@ -145,6 +145,10 @@ ifndef(`distro_redhat',`
')

optional_policy(`
+ pulseaudio_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
pyzor_role(staff_r, staff_t)
')

diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te refpolicy-git-07122016/policy/modules/roles/sysadm.te
--- refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te 2016-12-07 13:39:08.669449296 +0100
+++ refpolicy-git-07122016/policy/modules/roles/sysadm.te 2016-12-13 22:45:25.577422292 +0100
@@ -1246,6 +1246,10 @@ ifndef(`distro_redhat',`
optional_policy(`
gnome_role_template(sysadm, sysadm_r, sysadm_t)
')
+
+ optional_policy(`
+ wm_role_template(sysadm, sysadm_r, sysadm_t)
+ ')
')

optional_policy(`
diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te refpolicy-git-07122016/policy/modules/roles/unprivuser.te
--- refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te 2016-12-07 13:39:08.669449296 +0100
+++ refpolicy-git-07122016/policy/modules/roles/unprivuser.te 2016-12-13 22:44:50.493540449 +0100
@@ -57,11 +57,11 @@ ifndef(`distro_redhat',`
')

optional_policy(`
- pulseaudio_role(user_r, user_t)
+ telepathy_role_template(user, user_r, user_t)
')

optional_policy(`
- telepathy_role_template(user, user_r, user_t)
+ wm_role_template(user, user_r, user_t)
')
')

@@ -122,6 +122,10 @@ ifndef(`distro_redhat',`
')

optional_policy(`
+ pulseaudio_role(user_r, user_t)
+ ')
+
+ optional_policy(`
pyzor_role(user_r, user_t)
')


2016-12-14 00:48:51

by guido

Subject: [refpolicy] [PATCH 2/5] userdomain: separate optional conditionals for gnome and wm role templates

Since window managers are not limited to gnome-shell, this patch
modifies the userdomain module to use separate optional
conditionals for the gnome and wm role templates.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/system/userdomain.if | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

diff -pruN refpolicy-git-07122016-orig/policy/modules/system/userdomain.if refpolicy-git-07122016/policy/modules/system/userdomain.if
--- refpolicy-git-07122016-orig/policy/modules/system/userdomain.if 2016-12-07 13:39:08.672449330 +0100
+++ refpolicy-git-07122016/policy/modules/system/userdomain.if 2016-12-14 00:57:22.948430919 +0100
@@ -1003,11 +1003,10 @@ template(`userdom_restricted_xwindows_us

optional_policy(`
gnome_role_template($1, $1_r, $1_t)
- wm_role_template($1, $1_r, $1_t)
')

optional_policy(`
- pulseaudio_role($1_r, $1_t)
+ wm_role_template($1, $1_r, $1_t)
')
')

@@ -1016,6 +1015,10 @@ template(`userdom_restricted_xwindows_us
')

optional_policy(`
+ pulseaudio_role($1_r, $1_t)
+ ')
+
+ optional_policy(`
setroubleshoot_dontaudit_stream_connect($1_t)
')
')

2016-12-14 00:48:56

by guido

Subject: [refpolicy] [PATCH 3/5] networkmanager: enable dbus chat with xdm

Enable dbus messaging between the X Display Manager (XDM) and
Network Manager.

This patch (along with parts 4/5 and 5/5) might be needed when
running gdm.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/networkmanager.te | 4 ++++
1 file changed, 4 insertions(+)

diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/networkmanager.te refpolicy-git-07122016/policy/modules/contrib/networkmanager.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/networkmanager.te 2016-10-29 16:29:19.759327926 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/networkmanager.te 2016-12-12 23:52:08.990012946 +0100
@@ -227,6 +227,10 @@ optional_policy(`
optional_policy(`
policykit_dbus_chat(NetworkManager_t)
')
+
+ optional_policy(`
+ xserver_dbus_chat_xdm(NetworkManager_t)
+ ')
')

optional_policy(`

2016-12-14 00:49:01

by guido

Subject: [refpolicy] [PATCH 4/5] policykit: enable dbus chat with xdm

Enable dbus messaging between the X Display Manager (XDM) and
PolicyKit.

Also, let PolicyKit read the urandom device.

This patch (along with parts 3/5 and 5/5) might be needed when
running gdm.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/policykit.te | 6 ++++++
1 file changed, 6 insertions(+)

diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/policykit.te refpolicy-git-07122016/policy/modules/contrib/policykit.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/policykit.te 2016-10-29 16:29:19.759327926 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/policykit.te 2016-12-12 23:50:23.856370382 +0100
@@ -88,6 +88,8 @@ domtrans_pattern(policykit_t, policykit_
kernel_read_kernel_sysctls(policykit_t)
kernel_read_system_state(policykit_t)

+dev_read_urand(policykit_t)
+
domain_read_all_domains_state(policykit_t)

files_dontaudit_search_all_mountpoints(policykit_t)
@@ -110,6 +112,10 @@ optional_policy(`
optional_policy(`
rpm_dbus_chat(policykit_t)
')
+
+ optional_policy(`
+ xserver_dbus_chat_xdm(policykit_t)
+ ')
')

optional_policy(`

2016-12-14 00:49:05

by guido

Subject: [refpolicy] [PATCH 5/5] rtkit: enable dbus chat with xdm

Enable dbus messaging between the X Display Manager (XDM) and
the rtkit daemon.

Also, let the rtkit daemon set the priority of the X Display
Manager (XDM).

This patch (along with parts 3/5 and 4/5) might be needed when
running gdm.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/rtkit.te | 8 ++++++++
policy/modules/services/xserver.if | 20 +++++++++++++++++++-
2 files changed, 27 insertions(+), 1 deletion(-)

diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/rtkit.te refpolicy-git-07122016/policy/modules/contrib/rtkit.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/rtkit.te 2016-10-29 16:29:19.760327953 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/rtkit.te 2016-12-13 00:51:09.312852264 +0100
@@ -42,4 +42,12 @@ optional_policy(`
optional_policy(`
policykit_dbus_chat(rtkit_daemon_t)
')
+
+ optional_policy(`
+ xserver_dbus_chat_xdm(rtkit_daemon_t)
+ ')
+')
+
+optional_policy(`
+ xserver_setsched_xdm(rtkit_daemon_t)
')
diff -pruN refpolicy-git-07122016-orig/policy/modules/services/xserver.if refpolicy-git-07122016/policy/modules/services/xserver.if
--- refpolicy-git-07122016-orig/policy/modules/services/xserver.if 2016-12-07 13:39:08.670449307 +0100
+++ refpolicy-git-07122016/policy/modules/services/xserver.if 2016-12-14 00:55:17.104267790 +0100
@@ -162,7 +162,6 @@ interface(`xserver_role',`
manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
-
')

#######################################
@@ -1350,3 +1349,22 @@ interface(`xserver_unconfined',`
typeattribute $1 x_domain;
typeattribute $1 xserver_unconfined_type;
')
+
+########################################
+## <summary>
+## Set the priority of X Display
+## Manager (XDM).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_setsched_xdm',`
+ gen_require(`
+ attribute xdm_domain;
+ ')
+
+ allow $1 xdm_domain:process setsched;
+')

2016-12-14 01:54:55

by guido

Subject: [refpolicy] [PATCH v2 1/5] wm: update the window manager (wm) module and enable its role template (v5)

Enable the window manager role (wm contrib module) and update
the module to work with gnome-shell.

This patch requires the following recently posted patch for the
games module:

[PATCH v3 1/2] games: general update and improved pulseaudio integration
http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html

This patch has received some testing with the following two
configurations:
- gnome-shell executing in normal mode (with display managers
other than gdm, such as xdm from XOrg);
- gnome-shell executing in gdm mode (with the Gnome Display
Manager).

Patches 3/5, 4/5 and 5/5 are needed when gnome-shell is used
in conjunction with gdm.

Since window managers are not limited to gnome-shell, this latest
version of the patch (along with part 2/5) uses separate optional
conditionals for the gnome and wm role templates.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/colord.te | 5 ++
policy/modules/contrib/dbus.te | 5 ++
policy/modules/contrib/wm.if | 43 +++++++++++++++++-
policy/modules/contrib/wm.te | 88 ++++++++++++++++++++++++++++++++++++-
policy/modules/roles/staff.te | 8 ++-
policy/modules/roles/sysadm.te | 4 +
policy/modules/roles/unprivuser.te | 8 ++-
7 files changed, 155 insertions(+), 6 deletions(-)

diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/colord.te refpolicy-git-07122016/policy/modules/contrib/colord.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/colord.te 2016-08-14 21:28:11.468519205 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/colord.te 2016-12-14 02:45:54.815580399 +0100
@@ -137,3 +137,8 @@ optional_policy(`
udev_read_db(colord_t)
udev_read_pid_files(colord_t)
')
+
+optional_policy(`
+ xserver_read_xdm_lib_files(colord_t)
+ xserver_use_xdm_fds(colord_t)
+')
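Review bot: The `xserver_read_xdm_lib_files` and `xserver_use_xdm_fds` grants added here for `colord_t`, and in the next file for `system_dbusd_t`, are not mentioned in the commit message, which describes only the wm module and its role template. Both are system daemons outside the wm module, so the reason should be recorded next to the rules, for example `# needed when the session is started by gdm` if that is the configuration that produced the denials. If the daemons merely inherit a descriptor they never use, a `dontaudit` on the fd use would be the narrower choice. The page does not show the denials, so this needs confirming against the audit log.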
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/dbus.te refpolicy-git-07122016/policy/modules/contrib/dbus.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/dbus.te 2016-08-14 21:28:11.477519343 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/dbus.te 2016-12-14 02:24:00.796768671 +0100
@@ -159,6 +159,11 @@ optional_policy(`
udev_read_db(system_dbusd_t)
')

+optional_policy(`
+ xserver_read_xdm_lib_files(system_dbusd_t)
+ xserver_use_xdm_fds(system_dbusd_t)
+')
+
########################################
#
# Common session bus local policy
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.if refpolicy-git-07122016/policy/modules/contrib/wm.if
--- refpolicy-git-07122016-orig/policy/modules/contrib/wm.if 2016-12-14 02:24:53.377000472 +0100
+++ refpolicy-git-07122016/policy/modules/contrib/wm.if 2016-12-13 22:53:54.445212825 +0100
@@ -47,6 +47,8 @@ template(`wm_role_template',`
# Policy
#

+ allow $3 $1_wm_t:fd use;
+
allow $1_wm_t $3:unix_stream_socket connectto;
allow $3 $1_wm_t:unix_stream_socket connectto;

@@ -72,6 +74,7 @@ template(`wm_role_template',`
xserver_manage_core_devices($1_wm_t)

optional_policy(`
+ dbus_connect_spec_session_bus($1, $1_wm_t)
dbus_spec_session_bus_client($1, $1_wm_t)
dbus_system_bus_client($1_wm_t)

@@ -81,7 +84,7 @@ template(`wm_role_template',`
')

optional_policy(`
- gnome_stream_connect_gkeyringd($1, $1_wm_t)
+ gnome_stream_connect_all_gkeyringd($1_wm_t)
')

optional_policy(`
@@ -134,3 +137,41 @@ interface(`wm_dbus_chat',`
allow $2 $1_wm_t:dbus send_msg;
allow $1_wm_t $2:dbus send_msg;
')
+
+########################################
+## <summary>
+## Do not audit attempts to execute
+## files in temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`wm_dontaudit_exec_tmp_files',`
+ gen_require(`
+ type wm_tmp_t;
+ ')
+
+ dontaudit $1 wm_tmp_t:file exec_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to execute
+## files in temporary filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`wm_dontaudit_exec_tmpfs_files',`
+ gen_require(`
+ type wm_tmpfs_t;
+ ')
+
+ dontaudit $1 wm_tmpfs_t:file exec_file_perms;
+')
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.te refpolicy-git-07122016/policy/modules/contrib/wm.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/wm.te 2016-12-14 02:24:53.396000918 +0100
+++ refpolicy-git-07122016/policy/modules/contrib/wm.te 2016-12-13 00:34:34.876856837 +0100
@@ -10,6 +10,18 @@ attribute wm_domain;
type wm_exec_t;
corecmd_executable_file(wm_exec_t)

+type wm_tmp_t;
+typealias wm_tmp_t alias { user_wm_tmp_t staff_wm_tmp_t sysadm_wm_tmp_t };
+userdom_user_tmp_file(wm_tmp_t)
+
+type wm_tmpfs_t;
+typealias wm_tmpfs_t alias { user_wm_tmpfs_t staff_wm_tmpfs_t sysadm_wm_tmpfs_t };
+userdom_user_tmpfs_file(wm_tmpfs_t)
+
+optional_policy(`
+ pulseaudio_tmpfs_content(wm_tmpfs_t)
+')
+
########################################
#
# Common wm domain local policy
@@ -21,31 +33,60 @@ allow wm_domain self:netlink_kobject_uev
allow wm_domain self:shm create_shm_perms;
allow wm_domain self:unix_dgram_socket create_socket_perms;

+manage_dirs_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
+manage_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
+manage_lnk_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
+files_tmp_filetrans(wm_domain, wm_tmp_t, { dir file lnk_file })
+
+manage_dirs_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
+manage_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
+manage_lnk_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
+fs_tmpfs_filetrans(wm_domain, wm_tmpfs_t, { dir file lnk_file })
+
+can_exec(wm_domain, wm_exec_t)
+
kernel_read_system_state(wm_domain)

corecmd_getattr_all_executables(wm_domain)

+dev_read_rand(wm_domain)
dev_read_sound(wm_domain)
dev_read_sysfs(wm_domain)
dev_read_urand(wm_domain)
+dev_rw_dri(wm_domain)
dev_rw_wireless(wm_domain)
dev_write_sound(wm_domain)

+files_read_etc_runtime_files(wm_domain)
files_read_usr_files(wm_domain)

fs_getattr_all_fs(wm_domain)

+kernel_read_fs_sysctls(wm_domain)
+kernel_read_proc_symlinks(wm_domain)
+kernel_read_sysctl(wm_domain)
+
miscfiles_read_fonts(wm_domain)
+miscfiles_read_generic_certs(wm_domain)
miscfiles_read_localization(wm_domain)

+udev_read_pid_files(wm_domain)
+
+# this is needed by gnome-shell
+userdom_exec_user_home_content_files(wm_domain)
+
userdom_manage_user_tmp_sockets(wm_domain)
userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file)

userdom_manage_user_home_content_dirs(wm_domain)
userdom_manage_user_home_content_files(wm_domain)
+
userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file })

+wm_dontaudit_exec_tmp_files(wm_domain)
+wm_dontaudit_exec_tmpfs_files(wm_domain)
+
optional_policy(`
accountsd_dbus_chat(wm_domain)
')
@@ -55,10 +96,51 @@ optional_policy(`
')

optional_policy(`
+ consolekit_dbus_chat(wm_domain)
+')
+
+optional_policy(`
devicekit_dbus_chat_power(wm_domain)
')

optional_policy(`
+ evolution_domtrans(wm_domain)
+
+ optional_policy(`
+ evolution_dbus_chat(wm_domain)
+ evolution_alarm_dbus_chat(wm_domain)
+ ')
+')
+
+optional_policy(`
+ games_domtrans(wm_domain)
+
+ optional_policy(`
+ games_dbus_chat(wm_domain)
+ ')
+')
+
+optional_policy(`
+ java_domtrans(wm_domain)
+')
+
+optional_policy(`
+ mono_domtrans(wm_domain)
+')
+
+optional_policy(`
+ mozilla_domtrans(wm_domain)
+
+ optional_policy(`
+ mozilla_dbus_chat(wm_domain)
+ ')
+')
+
+optional_policy(`
+ mplayer_domtrans(wm_domain)
+')
+
+optional_policy(`
networkmanager_dbus_chat(wm_domain)
')

@@ -67,9 +149,13 @@ optional_policy(`
')

optional_policy(`
- pulseaudio_stream_connect(wm_domain)
+ telepathy_mission_control_dbus_chat(wm_domain)
')

optional_policy(`
userhelper_exec_consolehelper(wm_domain)
')
+
+optional_policy(`
+ xserver_dbus_chat_xdm(wm_domain)
+')
diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/staff.te refpolicy-git-07122016/policy/modules/roles/staff.te
--- refpolicy-git-07122016-orig/policy/modules/roles/staff.te 2016-12-14 02:24:53.397000941 +0100
+++ refpolicy-git-07122016/policy/modules/roles/staff.te 2016-12-13 22:45:02.857851229 +0100
@@ -88,11 +88,11 @@ ifndef(`distro_redhat',`
')

optional_policy(`
- pulseaudio_role(staff_r, staff_t)
+ telepathy_role_template(staff, staff_r, staff_t)
')

optional_policy(`
- telepathy_role_template(staff, staff_r, staff_t)
+ wm_role_template(staff, staff_r, staff_t)
')
')

@@ -145,6 +145,10 @@ ifndef(`distro_redhat',`
')

optional_policy(`
+ pulseaudio_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
pyzor_role(staff_r, staff_t)
')

diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te refpolicy-git-07122016/policy/modules/roles/sysadm.te
--- refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te 2016-12-14 02:24:53.397000941 +0100
+++ refpolicy-git-07122016/policy/modules/roles/sysadm.te 2016-12-13 22:45:25.577422292 +0100
@@ -1246,6 +1246,10 @@ ifndef(`distro_redhat',`
optional_policy(`
gnome_role_template(sysadm, sysadm_r, sysadm_t)
')
+
+ optional_policy(`
+ wm_role_template(sysadm, sysadm_r, sysadm_t)
+ ')
')

optional_policy(`
diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te refpolicy-git-07122016/policy/modules/roles/unprivuser.te
--- refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te 2016-12-14 02:24:53.398000965 +0100
+++ refpolicy-git-07122016/policy/modules/roles/unprivuser.te 2016-12-13 22:44:50.493540449 +0100
@@ -57,11 +57,11 @@ ifndef(`distro_redhat',`
')

optional_policy(`
- pulseaudio_role(user_r, user_t)
+ telepathy_role_template(user, user_r, user_t)
')

optional_policy(`
- telepathy_role_template(user, user_r, user_t)
+ wm_role_template(user, user_r, user_t)
')
')

@@ -122,6 +122,10 @@ ifndef(`distro_redhat',`
')

optional_policy(`
+ pulseaudio_role(user_r, user_t)
+ ')
+
+ optional_policy(`
pyzor_role(user_r, user_t)
')


2016-12-14 12:44:36

by Jason Zaman

Subject: [refpolicy] [PATCH 3/5] networkmanager: enable dbus chat with xdm

What does the network configuration have to do with logging in?

On 14 Dec 2016 08:49, "Guido Trentalancia via refpolicy" <
[email protected]> wrote:

Enable dbus messaging between the X Display Manager (XDM) and
Network Manager.

This patch (along with parts 4/5 and 5/5) might be needed when
running gdm.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/networkmanager.te | 4 ++++
1 file changed, 4 insertions(+)

diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/networkmanager.te
refpolicy-git-07122016/policy/modules/contrib/networkmanager.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/networkmanager.te
2016-10-29 16:29:19.759327926 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/networkmanager.te
2016-12-12 23:52:08.990012946 +0100
@@ -227,6 +227,10 @@ optional_policy(`
optional_policy(`
policykit_dbus_chat(NetworkManager_t)
')
+
+ optional_policy(`
+ xserver_dbus_chat_xdm(NetworkManager_t)
+ ')
')

optional_policy(`

2016-12-14 12:48:12

by Dac Override

Subject: [refpolicy] [PATCH 3/5] networkmanager: enable dbus chat with xdm

On 12/14/2016 01:44 PM, Jason Zaman via refpolicy wrote:
> What does the network configuration have to do with logging in?

gdm displays some network information (probably indirectly, via
gnome-shell) which it gets from nm. Anyhow, gdm is not your average
desktop manager. It's very bloated.

>
> On 14 Dec 2016 08:49, "Guido Trentalancia via refpolicy" <
> refpolicy at oss.tresys.com> wrote:
>
> Enable dbus messaging between the X Display Manager (XDM) and
> Network Manager.
>
> This patch (along with parts 4/5 and 5/5) might be needed when
> running gdm.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/networkmanager.te | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/networkmanager.te
> refpolicy-git-07122016/policy/modules/contrib/networkmanager.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/networkmanager.te
> 2016-10-29 16:29:19.759327926 +0200
> +++ refpolicy-git-07122016/policy/modules/contrib/networkmanager.te
> 2016-12-12 23:52:08.990012946 +0100
> @@ -227,6 +227,10 @@ optional_policy(`
> optional_policy(`
> policykit_dbus_chat(NetworkManager_t)
> ')
> +
> + optional_policy(`
> + xserver_dbus_chat_xdm(NetworkManager_t)
> + ')
> ')
>
> optional_policy(`


--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


2016-12-14 21:29:23

by Chris PeBenito

Subject: [refpolicy] [PATCH 5/5] rtkit: enable dbus chat with xdm

On 12/13/16 19:49, Guido Trentalancia via refpolicy wrote:
> Enable dbus messaging between the X Display Manager (XDM) and
> the rtkit daemon.
>
> Also, let the rtkit daemon set the priority of the X Display
> Manager (XDM).
>
> This patch (along with parts 3/5 and 4/5) might be needed when
> running gdm.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/rtkit.te | 8 ++++++++
> policy/modules/services/xserver.if | 20 +++++++++++++++++++-
> 2 files changed, 27 insertions(+), 1 deletion(-)
>
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/rtkit.te refpolicy-git-07122016/policy/modules/contrib/rtkit.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/rtkit.te 2016-10-29 16:29:19.760327953 +0200
> +++ refpolicy-git-07122016/policy/modules/contrib/rtkit.te 2016-12-13 00:51:09.312852264 +0100
> @@ -42,4 +42,12 @@ optional_policy(`
> optional_policy(`
> policykit_dbus_chat(rtkit_daemon_t)
> ')
> +
> + optional_policy(`
> + xserver_dbus_chat_xdm(rtkit_daemon_t)
> + ')
> +')
> +
> +optional_policy(`
> + xserver_setsched_xdm(rtkit_daemon_t)
> ')
> diff -pruN refpolicy-git-07122016-orig/policy/modules/services/xserver.if refpolicy-git-07122016/policy/modules/services/xserver.if
> --- refpolicy-git-07122016-orig/policy/modules/services/xserver.if 2016-12-07 13:39:08.670449307 +0100
> +++ refpolicy-git-07122016/policy/modules/services/xserver.if 2016-12-14 00:55:17.104267790 +0100
> @@ -162,7 +162,6 @@ interface(`xserver_role',`
> manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
> relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
> relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
> -
> ')
>
> #######################################
> @@ -1350,3 +1349,22 @@ interface(`xserver_unconfined',`
> typeattribute $1 x_domain;
> typeattribute $1 xserver_unconfined_type;
> ')
> +
> +########################################
> +## <summary>
> +## Set the priority of X Display
> +## Manager (XDM).
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_setsched_xdm',`
> + gen_require(`
> + attribute xdm_domain;
> + ')
> +
> + allow $1 xdm_domain:process setsched;
> +')

Since you're operating on an attribute, it should be
xserver_setsched_all_xdms(). Otherwise it implies just on xdm_t.

--
Chris PeBenito

2016-12-14 23:09:10

by guido

Subject: [refpolicy] [PATCH v2 5/5] rtkit: enable dbus chat with xdm

Enable dbus messaging between the X Display Manager (XDM) and
the rtkit daemon.

Also, let the rtkit daemon set the priority of all X Display
Managers (XDM).

This patch (along with parts 3/5 and 4/5) is needed when
running gdm.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/rtkit.te | 8 ++++++++
policy/modules/services/xserver.if | 20 +++++++++++++++++++-
2 files changed, 27 insertions(+), 1 deletion(-)

--- a/policy/modules/contrib/rtkit.te 2016-12-14 02:25:03.296232854 +0100
+++ b/policy/modules/contrib/rtkit.te 2016-12-15 00:02:39.744279486 +0100
@@ -42,4 +42,12 @@ optional_policy(`
optional_policy(`
policykit_dbus_chat(rtkit_daemon_t)
')
+
+ optional_policy(`
+ xserver_dbus_chat_xdm(rtkit_daemon_t)
+ ')
+')
+
+optional_policy(`
+ xserver_setsched_all_xdms(rtkit_daemon_t)
')
--- a/policy/modules/services/xserver.if 2016-12-14 02:25:03.297232878 +0100
+++ b/policy/modules/services/xserver.if 2016-12-15 00:03:37.656417716 +0100
@@ -162,7 +162,6 @@ interface(`xserver_role',`
manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
-
')

#######################################
@@ -1350,3 +1349,22 @@ interface(`xserver_unconfined',`
typeattribute $1 x_domain;
typeattribute $1 xserver_unconfined_type;
')
+
+########################################
+## <summary>
+## Set the priority of all X
+## Display Managers (XDM).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_setsched_all_xdms',`
+ gen_require(`
+ attribute xdm_domain;
+ ')
+
+ allow $1 xdm_domain:process setsched;
+')

2016-12-17 16:43:13

by guido

Subject: [refpolicy] [PATCH v2 5/5] rtkit: enable dbus chat with xdm

Hello Christopher.

I think for some reason this patch has been forgotten...

It is part 5/5 of a patchset that you have just applied, but this is
missing from the git tree.

On Thu, 15/12/2016 at 00.09 +0100, Guido Trentalancia via refpolicy
wrote:
> Enable dbus messaging between the X Display Manager (XDM) and
> the rtkit daemon.
>
> Also, let the rtkit daemon set the priority of all X Display
> Managers (XDM).
>
> This patch (along with parts 3/5 and 4/5) is needed when
> running gdm.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> ?policy/modules/contrib/rtkit.te????|????8 ++++++++
> ?policy/modules/services/xserver.if |???20 +++++++++++++++++++-
> ?2 files changed, 27 insertions(+), 1 deletion(-)
>
> --- a/policy/modules/contrib/rtkit.te 2016-12-14
> 02:25:03.296232854 +0100
> +++ b/policy/modules/contrib/rtkit.te 2016-12-15
> 00:02:39.744279486 +0100
> @@ -42,4 +42,12 @@ optional_policy(`
> ? optional_policy(`
> ? policykit_dbus_chat(rtkit_daemon_t)
> ? ')
> +
> + optional_policy(`
> + xserver_dbus_chat_xdm(rtkit_daemon_t)
> + ')
> +')
> +
> +optional_policy(`
> + xserver_setsched_all_xdms(rtkit_daemon_t)
> ?')
> --- a/policy/modules/services/xserver.if 2016-12-14
> 02:25:03.297232878 +0100
> +++ b/policy/modules/services/xserver.if 2016-12-15
> 00:03:37.656417716 +0100
> @@ -162,7 +162,6 @@ interface(`xserver_role',`
> ? manage_files_pattern($2, user_fonts_config_t,
> user_fonts_config_t)
> ? relabel_dirs_pattern($2, user_fonts_config_t,
> user_fonts_config_t)
> ? relabel_files_pattern($2, user_fonts_config_t,
> user_fonts_config_t)
> -
> ?')
> ?
> ?#######################################
> @@ -1350,3 +1349,22 @@ interface(`xserver_unconfined',`
> ? typeattribute $1 x_domain;
> ? typeattribute $1 xserver_unconfined_type;
> ?')
> +
> +########################################
> +## <summary>
> +## Set the priority of all X
> +## Display Managers (XDM).
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_setsched_all_xdms',`
> + gen_require(`
> + attribute xdm_domain;
> + ')
> +
> + allow $1 xdm_domain:process setsched;
> +')

Regards,

Guido

2016-12-17 17:55:55

by Chris PeBenito

Subject: [refpolicy] [PATCH v2 5/5] rtkit: enable dbus chat with xdm

On 12/17/16 11:43, Guido Trentalancia via refpolicy wrote:
> Hello Christopher.
>
> I think for some reason this patch has been forgotten...
>
> It is part 5/5 of a patchset that you have just applied, but this is
> missing from the git tree.
>

>> +
>> +########################################
>> +## <summary>
>> +## Set the priority of all X
>> +## Display Managers (XDM).
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain allowed access.
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`xserver_setsched_all_xdms',`
>> + gen_require(`
>> + attribute xdm_domain;
>> + ')
>> +
>> + allow $1 xdm_domain:process setsched;
>> +')

There is no xdm_domain attribute in refpolicy. This is an invalid interface.


--
Chris PeBenito

2016-12-17 18:06:34

by guido

Subject: [refpolicy] [PATCH v3 5/5] rtkit: enable dbus chat with xdm

Enable dbus messaging between the X Display Manager (XDM) and
the rtkit daemon.

Also, let the rtkit daemon set the priority of the X Display
Manager (XDM).

This patch (along with parts 3/5 and 4/5) might be needed when
running gdm.

I do apologize for the broken interface in the previous version
of this patch.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/rtkit.te | 8 ++++++++
policy/modules/services/xserver.if | 20 +++++++++++++++++++-
2 files changed, 27 insertions(+), 1 deletion(-)

diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/rtkit.te refpolicy-git-07122016/policy/modules/contrib/rtkit.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/rtkit.te 2016-10-29 16:29:19.760327953 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/rtkit.te 2016-12-13 00:51:09.312852264 +0100
@@ -42,4 +42,12 @@ optional_policy(`
optional_policy(`
policykit_dbus_chat(rtkit_daemon_t)
')
+
+ optional_policy(`
+ xserver_dbus_chat_xdm(rtkit_daemon_t)
+ ')
+')
+
+optional_policy(`
+ xserver_setsched_xdm(rtkit_daemon_t)
')
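Review bot: The new `xserver_setsched_xdm(rtkit_daemon_t)` call at the end of this hunk has no comment saying why a system daemon may change the scheduling of the login manager, and the description only says the rule "might be needed when running gdm". I would add a line above it such as `# gdm requests a scheduling change from rtkit` (wording to be confirmed against the actual AVC denial) so the grant can be audited later. It is also worth checking whether the rtkit module's existing `rtkit_scheduled` interface, called as `rtkit_scheduled(xdm_t)` from xserver.te, fits better than a new single-caller xserver interface; as far as I recall it also grants `getsched` and process-state reads, so the narrower rule here is the tighter choice if `setsched` alone is enough. The outer `optional_policy` block that the `xserver_dbus_chat_xdm` call is nested in opens outside this hunk.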
diff -pruN refpolicy-git-07122016-orig/policy/modules/services/xserver.if refpolicy-git-07122016/policy/modules/services/xserver.if
--- refpolicy-git-07122016-orig/policy/modules/services/xserver.if 2016-12-07 13:39:08.670449307 +0100
+++ refpolicy-git-07122016/policy/modules/services/xserver.if 2016-12-14 00:55:17.104267790 +0100
@@ -162,7 +162,6 @@ interface(`xserver_role',`
manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
-
')

#######################################
@@ -1350,3 +1349,22 @@ interface(`xserver_unconfined',`
typeattribute $1 x_domain;
typeattribute $1 xserver_unconfined_type;
')
+
+########################################
+## <summary>
+## Set the priority of the X Display
+## Manager (XDM).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_setsched_xdm',`
+ gen_require(`
+ type xdm_t;
+ ')
+
+ allow $1 xdm_t:process setsched;
+')
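Review bot: The summary of `xserver_setsched_xdm` says "Set the priority", but the rule grants `process setsched`, which on Linux also gates changes to the scheduling policy, CPU affinity and I/O priority of `xdm_t`, so the documented scope is narrower than the access a caller receives. I would word the summary as `## Set the scheduling policy and priority of the X Display Manager (XDM).` so that anyone auditing callers of this interface sees the full scope. The first xserver.if hunk only drops a blank line inside `xserver_role` and is unrelated to the subject of the patch; it would sit better in a separate cleanup.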

2016-12-18 22:57:04

by Chris PeBenito

Subject: [refpolicy] [PATCH v3 5/5] rtkit: enable dbus chat with xdm

On 12/17/16 13:06, Guido Trentalancia via refpolicy wrote:
> Enable dbus messaging between the X Display Manager (XDM) and
> the rtkit daemon.
>
> Also, let the rtkit daemon set the priority of the X Display
> Manager (XDM).
>
> This patch (along with parts 3/5 and 4/5) might be needed when
> running gdm.
>
> I do apologize for the broken interface in the previous version
> of this patch.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/rtkit.te | 8 ++++++++
> policy/modules/services/xserver.if | 20 +++++++++++++++++++-
> 2 files changed, 27 insertions(+), 1 deletion(-)
>
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/rtkit.te refpolicy-git-07122016/policy/modules/contrib/rtkit.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/rtkit.te 2016-10-29 16:29:19.760327953 +0200
> +++ refpolicy-git-07122016/policy/modules/contrib/rtkit.te 2016-12-13 00:51:09.312852264 +0100
> @@ -42,4 +42,12 @@ optional_policy(`
> optional_policy(`
> policykit_dbus_chat(rtkit_daemon_t)
> ')
> +
> + optional_policy(`
> + xserver_dbus_chat_xdm(rtkit_daemon_t)
> + ')
> +')
> +
> +optional_policy(`
> + xserver_setsched_xdm(rtkit_daemon_t)
> ')
> diff -pruN refpolicy-git-07122016-orig/policy/modules/services/xserver.if refpolicy-git-07122016/policy/modules/services/xserver.if
> --- refpolicy-git-07122016-orig/policy/modules/services/xserver.if 2016-12-07 13:39:08.670449307 +0100
> +++ refpolicy-git-07122016/policy/modules/services/xserver.if 2016-12-14 00:55:17.104267790 +0100
> @@ -162,7 +162,6 @@ interface(`xserver_role',`
> manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
> relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t)
> relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t)
> -
> ')
>
> #######################################
> @@ -1350,3 +1349,22 @@ interface(`xserver_unconfined',`
> typeattribute $1 x_domain;
> typeattribute $1 xserver_unconfined_type;
> ')
> +
> +########################################
> +## <summary>
> +## Set the priority of the X Display
> +## Manager (XDM).
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_setsched_xdm',`
> + gen_require(`
> + type xdm_t;
> + ')
> +
> + allow $1 xdm_t:process setsched;
> +')

Merged.

Again, in the future please separate base and contrib changes for ALL
patches.

--
Chris PeBenito