From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 11 Dec 2016 15:47:59 -0500
Subject: [refpolicy] [PATCH v3] wm: update the window manager (wm) module and enable its role template
In-Reply-To: <1481487209.2628.12.camel@trentalancia.net>
References: <1481130053.3300.9.camel@trentalancia.net> <1481217618.20182.8.camel@trentalancia.net> <1481322107.2989.1.camel@trentalancia.net> <8ab3fb4a-3892-0fd3-100f-97d375489432@ieee.org> <1481487209.2628.12.camel@trentalancia.net>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/11/16 15:13, Guido Trentalancia via refpolicy wrote:
> On Sun, 11/12/2016 at 15.04 -0500, Chris PeBenito wrote:
>> On 12/09/16 17:21, Guido Trentalancia via refpolicy wrote:
>>>
>>> Enable the window manager role (wm contrib module) and update
>>> the module to work with gnome-shell.
>>>
>>> This second version introduces better integration with common
>>> desktop applications and requires the following recently posted
>>> patch for the games module:
>>>
>>> [PATCH v3 1/2] games: general update and improved pulseaudio
>>> integration
>>> http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html
>>>
>>> This patch might need some more testing (I have received no
>>> feedback yet).
>>>
>>> Signed-off-by: Guido Trentalancia
>>> ---
>>> policy/modules/contrib/wm.if | 42 ++++++++++++++++++++
>>> policy/modules/contrib/wm.te | 75
>>> ++++++++++++++++++++++++++++++++++++-
>>> policy/modules/roles/staff.te | 1
>>> policy/modules/roles/sysadm.te | 1
>>> policy/modules/roles/unprivuser.te | 1
>>> 5 files changed, 119 insertions(+), 1 deletion(-)
>>
>> [...]
>>
>>>
>>> diff -pruN refpolicy-git-07122016- >>> orig/policy/modules/roles/staff.te refpolicy-git- >>> 07122016/policy/modules/roles/staff.te >>> --- refpolicy-git-07122016-orig/policy/modules/roles/staff.te >>> 2016-12-07 13:39:08.669449296 +0100 >>> +++ refpolicy-git-07122016/policy/modules/roles/staff.te 201 >>> 6-12-08 22:25:26.327711806 +0100
>>> @@ -85,6 +85,7 @@ ifndef(`distro_redhat',` >>> >>> optional_policy(` >>> gnome_role_template(staff, staff_r, >>> staff_t) >>> + wm_role_template(staff, staff_r, staff_t) >>> ') >>> >>> optional_policy(` >>> diff -pruN refpolicy-git-07122016- >>> orig/policy/modules/roles/sysadm.te refpolicy-git- >>> 07122016/policy/modules/roles/sysadm.te >>> --- refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te >>> 2016-12-07 13:39:08.669449296 +0100 >>> +++ refpolicy-git-07122016/policy/modules/roles/sysadm.te 20 >>> 16-12-08 22:25:26.343712120 +0100 >>> @@ -1245,6 +1245,7 @@ ifndef(`distro_redhat',` >>> >>> optional_policy(` >>> gnome_role_template(sysadm, sysadm_r, >>> sysadm_t) >>> + wm_role_template(sysadm, sysadm_r, >>> sysadm_t) >>> ') >>> ') >>> >>> diff -pruN refpolicy-git-07122016- >>> orig/policy/modules/roles/unprivuser.te refpolicy-git- >>> 07122016/policy/modules/roles/unprivuser.te >>> --- refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te >>> 2016-12-07 13:39:08.669449296 +0100 >>> +++ refpolicy-git-07122016/policy/modules/roles/unprivuser.te >>> 2016-12-08 22:25:26.344712139 +0100 
>>> @@ -54,6 +54,7 @@ ifndef(`distro_redhat',` >>> >>> optional_policy(` >>> gnome_role_template(user, user_r, user_t) >>> + wm_role_template(user, user_r, user_t) >>> ')
>>
>> So this change is essentially saying you can't use the gnome policy
>> without the wm module. Is that really the case? It seems like they
>> would be separate optionals.
>
> It's preferable to have a confined window manager, instead of one

In this case, I'd emphasize "preferable" here. It's not for everyone.

> running in the user domain and that is therefore more easily exploited.
>
> That's the meaning of this patch.
>
> However, I understand we should make sure it works with all window
> managers, so I am actually seeking help to test it with window managers
> other than gnome-shell.
>
> Because at the moment, the patch is only tested with gnome-shell (to be
> honest, not even with gnome-panel/metacity because of a lack of time),
> I do not suggest (yet) making them separate optionals. That would
> mandate a confined window manager even for setups that have not been
> tested yet.

I don't understand how making separate optionals mandates a confined
window manager. It does the reverse.

--
Chris PeBenito
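Review bot: in the staff.te hunk the new line "wm_role_template(staff, staff_r, staff_t)" is added inside the existing optional_policy block that already holds "gnome_role_template(staff, staff_r, staff_t)", so the block is only applied when both the gnome and wm modules are present: a build that enables wm without gnome gets no wm role for staff_r, and a build that enables gnome without wm loses the gnome role template as well. If the wm module is meant to be usable on its own, the call belongs in its own block: optional_policy(` / wm_role_template(staff, staff_r, staff_t) / '). The same layout is used in the sysadm.te and unprivuser.te hunks and the same fix applies there.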
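Review bot: the sysadm.te hunk's context line "ifndef(`distro_redhat',`" (and the double "')" closing it) shows that "wm_role_template(sysadm, sysadm_r, sysadm_t)" is placed inside the Red Hat exclusion, following the existing gnome call, so distro_redhat builds get no confined window manager for sysadm_r from this patch; the staff.te and unprivuser.te hunks carry the same context. If the exclusion is intended only for the gnome role template, the wm call should be moved outside the ifndef; if the exclusion is intended, the commit message should say that the wm role is not enabled on distro_redhat.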