From: pebenito@ieee.org (Chris PeBenito)
Date: Tue, 27 Dec 2016 10:20:16 -0500
Subject: [refpolicy] [PATCH] contrib: extend wm ability to launch confined graphical applications
In-Reply-To: <1482441707.20547.5.camel@trentalancia.net>
References: <1482441707.20547.5.camel@trentalancia.net>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 12/22/16 16:21, Guido Trentalancia via refpolicy wrote:
> Add the ability to launch other confined graphical applications
> from the new confined window manager ("wm" module).
>
> There might be other confined graphical applications that need
> the wm_application_domain() interface...
>
> Signed-off-by: Guido Trentalancia
> ---
> policy/modules/contrib/gift.te | 4 ++++
> policy/modules/contrib/telepathy.if | 4 ++++
> policy/modules/contrib/thunderbird.te | 5 ++++-
> policy/modules/contrib/tvtime.te | 5 ++++-
> policy/modules/contrib/vmware.te | 5 ++++-
> policy/modules/contrib/wine.te | 5 ++++-
> policy/modules/contrib/wireshark.te | 5 ++++-
> 7 files changed, 28 insertions(+), 5 deletions(-)
>
> diff -pru a/policy/modules/contrib/gift.te b/policy/modules/contrib/gift.te
> --- a/policy/modules/contrib/gift.te 2016-08-14 21:28:11.492519574 +0200
> +++ b/policy/modules/contrib/gift.te 2016-12-22 22:14:18.753784589 +0100
> @@ -15,6 +15,10 @@ typealias gift_t alias { auditadm_gift_t
> userdom_user_application_domain(gift_t, gift_exec_t)
> role gift_roles types gift_t;
>
> +optional_policy(`
> + wm_application_domain(gift_t, gift_exec_t)
> +')
Please move these to the end of the declarations section (here and in following hunks).
> type gift_home_t;
> typealias gift_home_t alias { user_gift_home_t staff_gift_home_t sysadm_gift_home_t };
> typealias gift_home_t alias { auditadm_gift_home_t secadm_gift_home_t };
> diff -pru a/policy/modules/contrib/telepathy.if b/policy/modules/contrib/telepathy.if
> --- a/policy/modules/contrib/telepathy.if 2016-08-15 23:39:24.064783228 +0200
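Review bot: In the gift.te hunk the added block ends at `+')` with the context line `type gift_home_t;` immediately following, so after the patch there is no blank line between the optional block and the next declaration, whereas the thunderbird, tvtime, wine and wireshark hunks each add a `+` blank line after `+')`. The vmware hunk uses yet another layout, putting a `+` blank line before `+optional_policy(`` and relying on the existing blank line after the block. Add a blank `+` line after `+')` in gift.te and lay out the vmware block like the other hunks so all seven files read uniformly.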
> +++ b/policy/modules/contrib/telepathy.if 2016-12-22 22:09:56.337766137 +0100
> @@ -19,6 +19,10 @@ template(`telepathy_domain_template',`
> type telepathy_$1_exec_t, telepathy_executable;
> userdom_user_application_domain(telepathy_$1_t, telepathy_$1_exec_t)
>
> + optional_policy(`
> + wm_application_domain(telepathy_$1_t, telepathy_$1_exec_t)
> + ')
> +
> type telepathy_$1_tmp_t, telepathy_tmp_content;
> userdom_user_tmp_file(telepathy_$1_tmp_t)
>
> diff -pru a/policy/modules/contrib/thunderbird.te b/policy/modules/contrib/thunderbird.te
> --- a/policy/modules/contrib/thunderbird.te 2016-12-09 01:16:17.773011439 +0100
> +++ b/policy/modules/contrib/thunderbird.te 2016-12-22 21:51:10.800647300 +0100
> @@ -11,9 +11,12 @@ type thunderbird_t;
> type thunderbird_exec_t;
> typealias thunderbird_t alias { user_thunderbird_t staff_thunderbird_t sysadm_thunderbird_t };
> typealias thunderbird_t alias { auditadm_thunderbird_t secadm_thunderbird_t };
> -userdom_user_application_domain(thunderbird_t, thunderbird_exec_t)
> role thunderbird_roles types thunderbird_t;
>
> +optional_policy(`
> + wm_application_domain(thunderbird_t, thunderbird_exec_t)
> +')
> +
> type thunderbird_home_t;
> typealias thunderbird_home_t alias { user_thunderbird_home_t staff_thunderbird_home_t sysadm_thunderbird_home_t };
> typealias thunderbird_home_t alias { auditadm_thunderbird_home_t secadm_thunderbird_home_t };
> diff -pru a/policy/modules/contrib/tvtime.te b/policy/modules/contrib/tvtime.te
> --- a/policy/modules/contrib/tvtime.te 2016-08-14 21:28:11.585521003 +0200
> +++ b/policy/modules/contrib/tvtime.te 2016-12-22 21:50:27.173153799 +0100
> @@ -11,9 +11,12 @@ type tvtime_t;
> type tvtime_exec_t;
> typealias tvtime_t alias { user_tvtime_t staff_tvtime_t sysadm_tvtime_t };
> typealias tvtime_t alias { auditadm_tvtime_t secadm_tvtime_t };
> -userdom_user_application_domain(tvtime_t, tvtime_exec_t)
The basic application domain can't be removed otherwise this will completely break without wm. There are other instances below.
> role tvtime_roles types tvtime_t;
>
> +optional_policy(`
> + wm_application_domain(tvtime_t, tvtime_exec_t)
> +')
> +
> type tvtime_home_t alias tvtime_rw_t;
> typealias tvtime_home_t alias { user_tvtime_home_t staff_tvtime_home_t sysadm_tvtime_home_t };
> typealias tvtime_home_t alias { auditadm_tvtime_home_t secadm_tvtime_home_t };
> diff -pru a/policy/modules/contrib/vmware.te b/policy/modules/contrib/vmware.te
> --- a/policy/modules/contrib/vmware.te 2016-08-14 21:28:11.594521141 +0200
> +++ b/policy/modules/contrib/vmware.te 2016-12-22 21:55:05.311271298 +0100
> @@ -9,7 +9,10 @@ type vmware_t;
> type vmware_exec_t;
> typealias vmware_t alias { user_vmware_t staff_vmware_t sysadm_vmware_t };
> typealias vmware_t alias { auditadm_vmware_t secadm_vmware_t };
> -userdom_user_application_domain(vmware_t, vmware_exec_t)
> +
> +optional_policy(`
> + wm_application_domain(vmware_t, vmware_exec_t)
> +')
>
> type vmware_conf_t;
> typealias vmware_conf_t alias { user_vmware_conf_t staff_vmware_conf_t sysadm_vmware_conf_t };
> diff -pru a/policy/modules/contrib/wine.te b/policy/modules/contrib/wine.te
> --- a/policy/modules/contrib/wine.te 2016-08-14 21:28:11.597521187 +0200
> +++ b/policy/modules/contrib/wine.te 2016-12-22 21:56:36.112275069 +0100
> @@ -19,9 +19,12 @@ roleattribute system_r wine_roles;
>
> type wine_t;
> type wine_exec_t;
> -userdom_user_application_domain(wine_t, wine_exec_t)
> role wine_roles types wine_t;
>
> +optional_policy(`
> + wm_application_domain(wine_t, wine_exec_t)
> +')
> +
> type wine_home_t;
> userdom_user_home_content(wine_home_t)
>
> diff -pru a/policy/modules/contrib/wireshark.te b/policy/modules/contrib/wireshark.te
> --- a/policy/modules/contrib/wireshark.te 2016-08-14 21:28:11.597521187 +0200
> +++ b/policy/modules/contrib/wireshark.te 2016-12-22 21:55:49.812764062 +0100
> @@ -11,9 +11,12 @@ type wireshark_t;
> type wireshark_exec_t;
> typealias wireshark_t alias { user_wireshark_t staff_wireshark_t sysadm_wireshark_t };
> typealias wireshark_t alias { auditadm_wireshark_t secadm_wireshark_t };
> -userdom_user_application_domain(wireshark_t, wireshark_exec_t)
> role wireshark_roles types wireshark_t;
>
> +optional_policy(`
> + wm_application_domain(wireshark_t, wireshark_exec_t)
> +')
> +
> type wireshark_home_t;
> typealias wireshark_home_t alias { user_wireshark_home_t staff_wireshark_home_t sysadm_wireshark_home_t };
> typealias wireshark_home_t alias { auditadm_wireshark_home_t secadm_wireshark_home_t };
-- Chris PeBenito