From: guido@trentalancia.net (Guido Trentalancia)
Date: Thu, 22 Dec 2016 22:21:47 +0100
Subject: [refpolicy] [PATCH] contrib: extend wm ability to launch confined graphical applications
Message-ID: <1482441707.20547.5.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Add the ability to launch other confined graphical applications from the new confined window manager ("wm" module). There might be other confined graphical applications that need the wm_application_domain() interface...
Signed-off-by: Guido Trentalancia
---
 policy/modules/contrib/gift.te | 4 ++++
 policy/modules/contrib/telepathy.if | 4 ++++
 policy/modules/contrib/thunderbird.te | 5 ++++-
 policy/modules/contrib/tvtime.te | 5 ++++-
 policy/modules/contrib/vmware.te | 5 ++++-
 policy/modules/contrib/wine.te | 5 ++++-
 policy/modules/contrib/wireshark.te | 5 ++++-
 7 files changed, 28 insertions(+), 5 deletions(-)
diff -pru a/policy/modules/contrib/gift.te b/policy/modules/contrib/gift.te
--- a/policy/modules/contrib/gift.te 2016-08-14 21:28:11.492519574 +0200
+++ b/policy/modules/contrib/gift.te 2016-12-22 22:14:18.753784589 +0100
@@ -15,6 +15,10 @@ typealias gift_t alias { auditadm_gift_t
 userdom_user_application_domain(gift_t, gift_exec_t)
 role gift_roles types gift_t;
+optional_policy(`
+ wm_application_domain(gift_t, gift_exec_t)
+')
+
 type gift_home_t;
 typealias gift_home_t alias { user_gift_home_t staff_gift_home_t sysadm_gift_home_t };
 typealias gift_home_t alias { auditadm_gift_home_t secadm_gift_home_t };
diff -pru a/policy/modules/contrib/telepathy.if b/policy/modules/contrib/telepathy.if
--- a/policy/modules/contrib/telepathy.if 2016-08-15 23:39:24.064783228 +0200
+++ b/policy/modules/contrib/telepathy.if 2016-12-22 22:09:56.337766137 +0100
@@ -19,6 +19,10 @@ template(`telepathy_domain_template',`
 type telepathy_$1_exec_t, telepathy_executable;
 userdom_user_application_domain(telepathy_$1_t, telepathy_$1_exec_t)
+ optional_policy(`
+ wm_application_domain(telepathy_$1_t, telepathy_$1_exec_t)
+ ')
+
 type telepathy_$1_tmp_t, telepathy_tmp_content;
 userdom_user_tmp_file(telepathy_$1_tmp_t)
diff -pru a/policy/modules/contrib/thunderbird.te b/policy/modules/contrib/thunderbird.te
--- a/policy/modules/contrib/thunderbird.te 2016-12-09 01:16:17.773011439 +0100
+++ b/policy/modules/contrib/thunderbird.te 2016-12-22 21:51:10.800647300 +0100
@@ -11,9 +11,12 @@ type thunderbird_t;
 type thunderbird_exec_t;
 typealias thunderbird_t alias { user_thunderbird_t staff_thunderbird_t sysadm_thunderbird_t };
 typealias thunderbird_t alias { auditadm_thunderbird_t secadm_thunderbird_t };
-userdom_user_application_domain(thunderbird_t, thunderbird_exec_t)
 role thunderbird_roles types thunderbird_t;
+optional_policy(`
+ wm_application_domain(thunderbird_t, thunderbird_exec_t)
+')
+
 type thunderbird_home_t;
 typealias thunderbird_home_t alias { user_thunderbird_home_t staff_thunderbird_home_t sysadm_thunderbird_home_t };
 typealias thunderbird_home_t alias { auditadm_thunderbird_home_t secadm_thunderbird_home_t };
diff -pru a/policy/modules/contrib/tvtime.te b/policy/modules/contrib/tvtime.te
--- a/policy/modules/contrib/tvtime.te 2016-08-14 21:28:11.585521003 +0200
+++ b/policy/modules/contrib/tvtime.te 2016-12-22 21:50:27.173153799 +0100
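Review bot: In the thunderbird.te hunk the `-userdom_user_application_domain(thunderbird_t, thunderbird_exec_t)` line is dropped while its only replacement, `wm_application_domain(thunderbird_t, thunderbird_exec_t)`, sits inside `optional_policy(`...')`, so a policy built without the wm module no longer declares thunderbird_t as a user application domain at all and the confinement this module exists to provide goes away silently rather than failing at build time; even if wm_application_domain() calls userdom_user_application_domain() internally, that only happens when wm is present. The gift.te and telepathy.if hunks in this same patch keep the unconditional call next to the new optional block, and the thunderbird, tvtime, vmware, wine and wireshark hunks should do the same, i.e. keep ` userdom_user_application_domain(thunderbird_t, thunderbird_exec_t)` as an unchanged line (and likewise for the other four files). If the intent is for wm_application_domain() to fully replace the base declaration whenever wm is built, the fallback belongs in the second (else) argument of `optional_policy` instead of being removed, and the commit message should state that the base declaration moves, since "extend wm ability" does not suggest that.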
@@ -11,9 +11,12 @@ type tvtime_t;
 type tvtime_exec_t;
 typealias tvtime_t alias { user_tvtime_t staff_tvtime_t sysadm_tvtime_t };
 typealias tvtime_t alias { auditadm_tvtime_t secadm_tvtime_t };
-userdom_user_application_domain(tvtime_t, tvtime_exec_t)
 role tvtime_roles types tvtime_t;
+optional_policy(`
+ wm_application_domain(tvtime_t, tvtime_exec_t)
+')
+
 type tvtime_home_t alias tvtime_rw_t;
 typealias tvtime_home_t alias { user_tvtime_home_t staff_tvtime_home_t sysadm_tvtime_home_t };
 typealias tvtime_home_t alias { auditadm_tvtime_home_t secadm_tvtime_home_t };
diff -pru a/policy/modules/contrib/vmware.te b/policy/modules/contrib/vmware.te
--- a/policy/modules/contrib/vmware.te 2016-08-14 21:28:11.594521141 +0200
+++ b/policy/modules/contrib/vmware.te 2016-12-22 21:55:05.311271298 +0100
@@ -9,7 +9,10 @@ type vmware_t;
 type vmware_exec_t;
 typealias vmware_t alias { user_vmware_t staff_vmware_t sysadm_vmware_t };
 typealias vmware_t alias { auditadm_vmware_t secadm_vmware_t };
-userdom_user_application_domain(vmware_t, vmware_exec_t)
+
+optional_policy(`
+ wm_application_domain(vmware_t, vmware_exec_t)
+')
 type vmware_conf_t;
 typealias vmware_conf_t alias { user_vmware_conf_t staff_vmware_conf_t sysadm_vmware_conf_t };
diff -pru a/policy/modules/contrib/wine.te b/policy/modules/contrib/wine.te
--- a/policy/modules/contrib/wine.te 2016-08-14 21:28:11.597521187 +0200
+++ b/policy/modules/contrib/wine.te 2016-12-22 21:56:36.112275069 +0100
@@ -19,9 +19,12 @@ roleattribute system_r wine_roles;
 type wine_t;
 type wine_exec_t;
-userdom_user_application_domain(wine_t, wine_exec_t)
 role wine_roles types wine_t;
+optional_policy(`
+ wm_application_domain(wine_t, wine_exec_t)
+')
+
 type wine_home_t;
 userdom_user_home_content(wine_home_t)
diff -pru a/policy/modules/contrib/wireshark.te b/policy/modules/contrib/wireshark.te
--- a/policy/modules/contrib/wireshark.te 2016-08-14 21:28:11.597521187 +0200
+++ b/policy/modules/contrib/wireshark.te 2016-12-22 21:55:49.812764062 +0100
@@ -11,9 +11,12 @@ type wireshark_t;
 type wireshark_exec_t;
 typealias wireshark_t alias { user_wireshark_t staff_wireshark_t sysadm_wireshark_t };
 typealias wireshark_t alias { auditadm_wireshark_t secadm_wireshark_t };
-userdom_user_application_domain(wireshark_t, wireshark_exec_t)
 role wireshark_roles types wireshark_t;
+optional_policy(`
+ wm_application_domain(wireshark_t, wireshark_exec_t)
+')
+
 type wireshark_home_t;
 typealias wireshark_home_t alias { user_wireshark_home_t staff_wireshark_home_t sysadm_wireshark_home_t };
 typealias wireshark_home_t alias { auditadm_wireshark_home_t secadm_wireshark_home_t };