From: guido@trentalancia.net (Guido Trentalancia)
Date: Fri, 16 Dec 2016 16:59:31 +0100
Subject: [refpolicy] [PATCH v4 1/5 base part] wm: update the window manager (wm) module and enable its role template (v7)
In-Reply-To: <29c383f9-6aba-1f9d-94fc-7b1d72cd1a9f@ieee.org>
References: <1481130053.3300.9.camel@trentalancia.net> <1481217618.20182.8.camel@trentalancia.net> <1481322107.2989.1.camel@trentalancia.net> <1481676520.17446.9.camel@trentalancia.net> <1481680495.3551.1.camel@trentalancia.net> <1481721818.2981.9.camel@trentalancia.net> <1481758999.3080.4.camel@trentalancia.net> <29c383f9-6aba-1f9d-94fc-7b1d72cd1a9f@ieee.org>
Message-ID: <1481903971.2610.3.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Enable the window manager role (wm contrib module) and update the module to work with gnome-shell.

This patch requires the following recently posted patch for the games module:

[PATCH v3 1/2] games: general update and improved pulseaudio integration
http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html

This patch has received some testing with the following two configurations:
- gnome-shell executing in normal mode (with display managers other than gdm, such as xdm from XOrg);
- gnome-shell executing in gdm mode (with the Gnome Display Manager).

Patches 3/5, 4/5 and 5/5 are needed when gnome-shell is used in conjunction with gdm.

Since the window managers are not limited by gnome-shell, this latter version of the patch (along with part 2/5) uses separate optional conditionals for the gnome and wm role templates.

The new wm_application_domain() interface introduced in the sixth version of this patch is an idea of Jason Zaman.

This patch also fixes a minor bug in the way the pulseaudio_role() interface is optionally included by the role templates (pulseaudio does not depend on dbus).

This seventh version splits the 1/5 patch in two separate patches: one for the base policy and one for the contrib policy.
THIS IS THE BASE POLICY PART. Signed-off-by: Guido Trentalancia --- policy/modules/roles/staff.te | 8 ++++++-- policy/modules/roles/sysadm.te | 4 ++++ policy/modules/roles/unprivuser.te | 8 ++++++-- 3 files changed, 16 insertions(+), 4 deletions(-) diff -pru a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te --- a/policy/modules/roles/staff.te 2016-12-14 02:24:53.397000941 +0100 +++ b/policy/modules/roles/staff.te 2016-12-13 22:45:02.857851229 +0100 @@ -88,11 +88,11 @@ ifndef(`distro_redhat',` ') optional_policy(` - pulseaudio_role(staff_r, staff_t) + telepathy_role_template(staff, staff_r, staff_t) ') optional_policy(` - telepathy_role_template(staff, staff_r, staff_t) + wm_role_template(staff, staff_r, staff_t) ') ') @@ -145,6 +145,10 @@ ifndef(`distro_redhat',` ') optional_policy(` + pulseaudio_role(staff_r, staff_t) + ') + + optional_policy(` pyzor_role(staff_r, staff_t) ') diff -pru a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te --- a/policy/modules/roles/sysadm.te 2016-12-14 02:24:53.397000941 +0100 +++ b/policy/modules/roles/sysadm.te 2016-12-13 22:45:25.577422292 +0100 @@ -1246,6 +1246,10 @@ ifndef(`distro_redhat',` optional_policy(` gnome_role_template(sysadm, sysadm_r, sysadm_t) ') + + optional_policy(` + wm_role_template(sysadm, sysadm_r, sysadm_t) + ') ') optional_policy(` diff -pru a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te --- a/policy/modules/roles/unprivuser.te 2016-12-14 02:24:53.398000965 +0100 +++ b/policy/modules/roles/unprivuser.te 2016-12-13 22:44:50.493540449 +0100 @@ -57,11 +57,11 @@ ifndef(`distro_redhat',` ') optional_policy(` - pulseaudio_role(user_r, user_t) + telepathy_role_template(user, user_r, user_t) ') optional_policy(` - telepathy_role_template(user, user_r, user_t) + wm_role_template(user, user_r, user_t) ') ') @@ -122,6 +122,10 @@ ifndef(`distro_redhat',` ') optional_policy(` + pulseaudio_role(user_r, user_t) + ') + + optional_policy(` pyzor_role(user_r, user_t) ')
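
Review bot: In the staff.te hunk at -88 (and the matching unprivuser.te hunk at -57), the new wm_role_template() block is added inside the enclosing block closed by the trailing `')`, which is the same block pulseaudio_role() is being moved out of. The commit message justifies that move by saying pulseaudio does not depend on dbus, but it does not say whether wm_role_template() needs the enclosing module. Please state that dependency in the commit message or in a policy comment next to the block, or give the wm block the same standalone optional_policy placement as pulseaudio_role(), so that the window manager role is not silently dropped when the enclosing optional is unmet.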
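
Review bot: The relocated pulseaudio_role() block in the staff.te hunk at -145 (and the unprivuser.te hunk at -122) has only the diff -p context line ifndef(`distro_redhat',` to locate it, which does not establish whether the new position, just before pyzor_role(), is still inside that ifndef. If it ends up outside, pulseaudio_role(staff_r, staff_t) and pulseaudio_role(user_r, user_t) would also take effect on distro_redhat builds, a widening of granted access that the commit message does not mention. Please confirm that the block stays inside the ifndef and note it in the message, since the stated intent is only to drop the dbus dependency.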
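
Review bot: sysadm.te receives only the wm_role_template(sysadm, sysadm_r, sysadm_t) addition at -1246 and no pulseaudio_role() change, unlike staff.te and unprivuser.te. If sysadm.te also calls pulseaudio_role() under the same enclosing optional, the dependency fix described in the commit message is incomplete for sysadm_r. If it does not, a sentence in the commit message saying so would explain why the three role files are treated differently. The same hunk also places the wm block directly after gnome_role_template() inside one enclosing block, so the question of what wm_role_template() depends on applies here as well.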