2017-04-20 01:12:25

by guido

Subject: [refpolicy] [PATCH 32/33] wm: curb on userdom permissions

This patch aims to adapt the window manager (wm) module to
the userdomain permission changes introduced by this patchset.

It also introduces the ability to manage user files and directories
under /run/user (new "wm_var_run_t" file context).

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/wm.fc | 2 ++
policy/modules/contrib/wm.if | 6 +++++-
policy/modules/contrib/wm.te | 27 ++++++++++++++++++++++++---
3 files changed, 31 insertions(+), 4 deletions(-)

diff -pru refpolicy-git-19042017-orig/policy/modules/contrib/wm.fc refpolicy-git-19042017-wm/policy/modules/contrib/wm.fc
--- refpolicy-git-19042017-orig/policy/modules/contrib/wm.fc 2017-03-29 17:58:00.337386396 +0200
+++ refpolicy-git-19042017-wm/policy/modules/contrib/wm.fc 2017-04-20 01:23:53.524432324 +0200
@@ -2,3 +2,5 @@
/usr/bin/openbox -- gen_context(system_u:object_r:wm_exec_t,s0)
/usr/bin/metacity -- gen_context(system_u:object_r:wm_exec_t,s0)
/usr/bin/twm -- gen_context(system_u:object_r:wm_exec_t,s0)
+
+/run/user/%{USERID}/gnome-shell(/.*)? gen_context(system_u:object_r:wm_var_run_t,s0)
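Review bot: The runtime labelling of this path does not match the type's declaration: wm_var_run_t is declared with files_pid_file() in the wm.te hunk, i.e. as a system-wide /run type, while the only path it is given here lies inside the per-user runtime directory. The unnamed transitions added alongside it, files_pid_filetrans() in the wm.if template (which targets /run itself) and userdom_user_runtime_filetrans(wm_domain, wm_var_run_t, dir) in wm.te (which fires for any directory name), will label objects wm_var_run_t that this entry does not cover, so a relabel with restorecon would change them back. If the userdom interface accepts a name argument, `userdom_user_runtime_filetrans(wm_domain, wm_var_run_t, dir, "gnome-shell")` keeps the transition and this entry in agreement; otherwise this entry should be widened to describe what the domain actually creates. The same mismatch exists in the wm.if and wm.te hunks, so it is raised only here.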
diff -pru refpolicy-git-19042017-orig/policy/modules/contrib/wm.if refpolicy-git-19042017-wm/policy/modules/contrib/wm.if
--- refpolicy-git-19042017-orig/policy/modules/contrib/wm.if 2017-04-19 15:24:48.041784797 +0200
+++ refpolicy-git-19042017-wm/policy/modules/contrib/wm.if 2017-04-20 01:23:53.524432324 +0200
@@ -30,7 +30,7 @@
template(`wm_role_template',`
gen_require(`
attribute wm_domain;
- type wm_exec_t;
+ type wm_var_run_t, wm_exec_t;
')

########################################
@@ -57,6 +57,10 @@ template(`wm_role_template',`

allow $1_wm_t $3:process { signull sigkill };

+ manage_dirs_pattern($1_wm_t, wm_var_run_t, wm_var_run_t)
+ manage_files_pattern($1_wm_t, wm_var_run_t, wm_var_run_t)
+ files_pid_filetrans($1_wm_t, wm_var_run_t, { dir file })
+
domtrans_pattern($3, wm_exec_t, $1_wm_t)

corecmd_bin_domtrans($1_wm_t, $3)
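Review bot: files_pid_filetrans($1_wm_t, wm_var_run_t, { dir file }) lets each per-role wm domain create wm_var_run_t objects directly under /run, which is not where this patch puts them (the wm.fc entry is below /run/user/%{USERID} and the user-runtime transition is already granted on the wm_domain attribute in wm.te), so the rule looks misplaced and, being unnamed, would also catch anything else the domain creates at the top of /run. The two manage_*_pattern rules are per-role here while the matching transition sits on wm_domain in wm.te; placing them next to the wm_domain rules in wm.te would give every wm domain the same view of its runtime files and keep the template to the role wiring. If the /run-level transition is intentional it needs a comment stating which object the window manager creates there, e.g. `# <wm> creates <name> directly under /run, not in the user runtime dir`. The template body continues outside this hunk.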
diff -pru refpolicy-git-19042017-orig/policy/modules/contrib/wm.te refpolicy-git-19042017-wm/policy/modules/contrib/wm.te
--- refpolicy-git-19042017-orig/policy/modules/contrib/wm.te 2017-04-19 15:24:48.041784797 +0200
+++ refpolicy-git-19042017-wm/policy/modules/contrib/wm.te 2017-04-20 01:26:32.114431676 +0200
@@ -16,6 +16,9 @@ userdom_user_tmp_file(wm_tmp_t)
type wm_tmpfs_t;
userdom_user_tmpfs_file(wm_tmpfs_t)

+type wm_var_run_t;
+files_pid_file(wm_var_run_t)
+
optional_policy(`
pulseaudio_tmpfs_content(wm_tmpfs_t)
')
@@ -41,6 +44,9 @@ manage_files_pattern(wm_domain, wm_tmpfs
manage_lnk_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
fs_tmpfs_filetrans(wm_domain, wm_tmpfs_t, { dir file lnk_file })

+userdom_user_home_dir_filetrans_user_cache(wm_domain, dir, ".cache")
+userdom_user_home_dir_filetrans_user_data(wm_domain, dir, ".local")
+
can_exec(wm_domain, wm_exec_t)

kernel_read_system_state(wm_domain)
@@ -74,24 +80,39 @@ networkmanager_read_etc_files(wm_domain)

udev_read_pid_files(wm_domain)

-# the following is needed by gnome-shell
+# the following two are needed by gnome-shell
userdom_exec_user_home_content_files(wm_domain)
+userdom_manage_user_home_content_files(wm_domain)

+userdom_manage_user_tmp_dirs(wm_domain)
+userdom_manage_user_tmp_files(wm_domain)
userdom_manage_user_tmp_sockets(wm_domain)
userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
+userdom_user_runtime_filetrans(wm_domain, wm_var_run_t, dir)
userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file)

# to print error messages
userdom_use_inherited_user_terminals(wm_domain)

-userdom_manage_user_home_content_dirs(wm_domain)
-userdom_manage_user_home_content_files(wm_domain)
+userdom_manage_user_cache(wm_domain)
+userdom_manage_user_config(wm_domain)
+userdom_manage_user_data(wm_domain)

userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file })

wm_dontaudit_exec_tmp_files(wm_domain)
wm_dontaudit_exec_tmpfs_files(wm_domain)

+# the following is needed by gnome-shell
+tunable_policy(`use_nfs_home_dirs',`
+ fs_exec_nfs_files(wm_domain)
+')
+
+# the following is needed by gnome-shell
+tunable_policy(`use_samba_home_dirs',`
+ fs_exec_cifs_files(wm_domain)
+')
+
optional_policy(`
accountsd_dbus_chat(wm_domain)
')
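Review bot: userdom_manage_user_home_content_files(wm_domain) is not actually dropped by this patch: the deletion further down is offset by the re-addition under the gnome-shell comment, so the window manager keeps write access to every user_home_t file and the narrower userdom_manage_user_cache/config/data rules do not curb anything for files; only the dirs variant goes, while userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file }) still lets it create home content directly in the home directory. If gnome-shell genuinely needs this, the comment should record what it writes outside ~/.cache, ~/.config and ~/.local so a later cleanup can tighten it, e.g. `# gnome-shell writes user_home_t files outside the cache/config/data dirs: <which files>`. The two tunable_policy blocks near the end may be redundant: in refpolicy userdom_exec_user_home_content_files() usually carries the use_nfs_home_dirs/use_samba_home_dirs fs_exec_* rules itself, so check that interface before duplicating them here. The added userdom_manage_user_tmp_dirs/files rules likewise widen rather than curb the domain, and a comment naming which program needs them would help the next reviewer.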