From: guido@trentalancia.net (Guido Trentalancia)
Date: Thu, 22 Dec 2016 22:21:47 +0100
Subject: [refpolicy] [PATCH] contrib: extend wm ability to launch confined
 graphical applications
Message-ID: <1482441707.20547.5.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Add the ability to launch other confined graphical applications
from the new confined window manager ("wm" module).

There might be other confined graphical applications that need
the wm_application_domain() interface...

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/contrib/gift.te        |    4 ++++
 policy/modules/contrib/telepathy.if   |    4 ++++
 policy/modules/contrib/thunderbird.te |    5 ++++-
 policy/modules/contrib/tvtime.te      |    5 ++++-
 policy/modules/contrib/vmware.te      |    5 ++++-
 policy/modules/contrib/wine.te        |    5 ++++-
 policy/modules/contrib/wireshark.te   |    5 ++++-
 7 files changed, 28 insertions(+), 5 deletions(-)

diff -pru  a/policy/modules/contrib/gift.te b/policy/modules/contrib/gift.te
--- a/policy/modules/contrib/gift.te	2016-08-14 21:28:11.492519574 +0200
+++ b/policy/modules/contrib/gift.te	2016-12-22 22:14:18.753784589 +0100
@@ -15,6 +15,10 @@ typealias gift_t alias { auditadm_gift_t
 userdom_user_application_domain(gift_t, gift_exec_t)
 role gift_roles types gift_t;
 
+optional_policy(`
+	wm_application_domain(gift_t, gift_exec_t)
+')
+
 type gift_home_t;
 typealias gift_home_t alias { user_gift_home_t staff_gift_home_t sysadm_gift_home_t };
 typealias gift_home_t alias { auditadm_gift_home_t secadm_gift_home_t };
diff -pru  a/policy/modules/contrib/telepathy.if b/policy/modules/contrib/telepathy.if
--- a/policy/modules/contrib/telepathy.if	2016-08-15 23:39:24.064783228 +0200
+++ b/policy/modules/contrib/telepathy.if	2016-12-22 22:09:56.337766137 +0100
@@ -19,6 +19,10 @@ template(`telepathy_domain_template',`
 	type telepathy_$1_exec_t, telepathy_executable;
 	userdom_user_application_domain(telepathy_$1_t, telepathy_$1_exec_t)
 
+	optional_policy(`
+		wm_application_domain(telepathy_$1_t, telepathy_$1_exec_t)
+	')
+
 	type telepathy_$1_tmp_t, telepathy_tmp_content;
 	userdom_user_tmp_file(telepathy_$1_tmp_t)
 
diff -pru  a/policy/modules/contrib/thunderbird.te b/policy/modules/contrib/thunderbird.te
--- a/policy/modules/contrib/thunderbird.te	2016-12-09 01:16:17.773011439 +0100
+++ b/policy/modules/contrib/thunderbird.te	2016-12-22 21:51:10.800647300 +0100
@@ -11,9 +11,12 @@ type thunderbird_t;
 type thunderbird_exec_t;
 typealias thunderbird_t alias { user_thunderbird_t staff_thunderbird_t sysadm_thunderbird_t };
 typealias thunderbird_t alias { auditadm_thunderbird_t secadm_thunderbird_t };
-userdom_user_application_domain(thunderbird_t, thunderbird_exec_t)
 role thunderbird_roles types thunderbird_t;
 
+optional_policy(`
+	wm_application_domain(thunderbird_t, thunderbird_exec_t)
+')
+
 type thunderbird_home_t;
 typealias thunderbird_home_t alias { user_thunderbird_home_t staff_thunderbird_home_t sysadm_thunderbird_home_t };
 typealias thunderbird_home_t alias { auditadm_thunderbird_home_t secadm_thunderbird_home_t };
diff -pru  a/policy/modules/contrib/tvtime.te b/policy/modules/contrib/tvtime.te
--- a/policy/modules/contrib/tvtime.te	2016-08-14 21:28:11.585521003 +0200
+++ b/policy/modules/contrib/tvtime.te	2016-12-22 21:50:27.173153799 +0100
@@ -11,9 +11,12 @@ type tvtime_t;
 type tvtime_exec_t;
 typealias tvtime_t alias { user_tvtime_t staff_tvtime_t sysadm_tvtime_t };
 typealias tvtime_t alias { auditadm_tvtime_t secadm_tvtime_t };
-userdom_user_application_domain(tvtime_t, tvtime_exec_t)
 role tvtime_roles types tvtime_t;
 
+optional_policy(`
+	wm_application_domain(tvtime_t, tvtime_exec_t)
+')
+
 type tvtime_home_t alias tvtime_rw_t;
 typealias tvtime_home_t alias { user_tvtime_home_t staff_tvtime_home_t sysadm_tvtime_home_t };
 typealias tvtime_home_t alias { auditadm_tvtime_home_t secadm_tvtime_home_t };
diff -pru  a/policy/modules/contrib/vmware.te b/policy/modules/contrib/vmware.te
--- a/policy/modules/contrib/vmware.te	2016-08-14 21:28:11.594521141 +0200
+++ b/policy/modules/contrib/vmware.te	2016-12-22 21:55:05.311271298 +0100
@@ -9,7 +9,10 @@ type vmware_t;
 type vmware_exec_t;
 typealias vmware_t alias { user_vmware_t staff_vmware_t sysadm_vmware_t };
 typealias vmware_t alias { auditadm_vmware_t secadm_vmware_t };
-userdom_user_application_domain(vmware_t, vmware_exec_t)
+
+optional_policy(`
+	wm_application_domain(vmware_t, vmware_exec_t)
+')
 
 type vmware_conf_t;
 typealias vmware_conf_t alias { user_vmware_conf_t staff_vmware_conf_t sysadm_vmware_conf_t };
diff -pru  a/policy/modules/contrib/wine.te b/policy/modules/contrib/wine.te
--- a/policy/modules/contrib/wine.te	2016-08-14 21:28:11.597521187 +0200
+++ b/policy/modules/contrib/wine.te	2016-12-22 21:56:36.112275069 +0100
@@ -19,9 +19,12 @@ roleattribute system_r wine_roles;
 
 type wine_t;
 type wine_exec_t;
-userdom_user_application_domain(wine_t, wine_exec_t)
 role wine_roles types wine_t;
 
+optional_policy(`
+	wm_application_domain(wine_t, wine_exec_t)
+')
+
 type wine_home_t;
 userdom_user_home_content(wine_home_t)
 
diff -pru  a/policy/modules/contrib/wireshark.te b/policy/modules/contrib/wireshark.te
--- a/policy/modules/contrib/wireshark.te	2016-08-14 21:28:11.597521187 +0200
+++ b/policy/modules/contrib/wireshark.te	2016-12-22 21:55:49.812764062 +0100
@@ -11,9 +11,12 @@ type wireshark_t;
 type wireshark_exec_t;
 typealias wireshark_t alias { user_wireshark_t staff_wireshark_t sysadm_wireshark_t };
 typealias wireshark_t alias { auditadm_wireshark_t secadm_wireshark_t };
-userdom_user_application_domain(wireshark_t, wireshark_exec_t)
 role wireshark_roles types wireshark_t;
 
+optional_policy(`
+	wm_application_domain(wireshark_t, wireshark_exec_t)
+')
+
 type wireshark_home_t;
 typealias wireshark_home_t alias { user_wireshark_home_t staff_wireshark_home_t sysadm_wireshark_home_t };
 typealias wireshark_home_t alias { auditadm_wireshark_home_t secadm_wireshark_home_t };