From: pebenito@ieee.org (Chris PeBenito)
Date: Tue, 27 Dec 2016 10:20:16 -0500
Subject: [refpolicy] [PATCH] contrib: extend wm ability to launch
 confined graphical applications
In-Reply-To: <1482441707.20547.5.camel@trentalancia.net>
References: <1482441707.20547.5.camel@trentalancia.net>
Message-ID: <ae1ebbfe-aa6e-cc51-93b9-29b9d287ffa4@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/22/16 16:21, Guido Trentalancia via refpolicy wrote:
> Add the ability to launch other confined graphical applications
> from the new confined window manager ("wm" module).
>
> There might be other confined graphical applications that need
> the wm_application_domain() interface...
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/contrib/gift.te        |    4 ++++
>  policy/modules/contrib/telepathy.if   |    4 ++++
>  policy/modules/contrib/thunderbird.te |    5 ++++-
>  policy/modules/contrib/tvtime.te      |    5 ++++-
>  policy/modules/contrib/vmware.te      |    5 ++++-
>  policy/modules/contrib/wine.te        |    5 ++++-
>  policy/modules/contrib/wireshark.te   |    5 ++++-
>  7 files changed, 28 insertions(+), 5 deletions(-)
>
> diff -pru  a/policy/modules/contrib/gift.te b/policy/modules/contrib/gift.te
> --- a/policy/modules/contrib/gift.te	2016-08-14 21:28:11.492519574 +0200
> +++ b/policy/modules/contrib/gift.te	2016-12-22 22:14:18.753784589 +0100
> @@ -15,6 +15,10 @@ typealias gift_t alias { auditadm_gift_t
>  userdom_user_application_domain(gift_t, gift_exec_t)
>  role gift_roles types gift_t;
>
> +optional_policy(`
> +	wm_application_domain(gift_t, gift_exec_t)
> +')

Please move these to the end of the declarations section (here and in 
following hunks).


>  type gift_home_t;
>  typealias gift_home_t alias { user_gift_home_t staff_gift_home_t sysadm_gift_home_t };
>  typealias gift_home_t alias { auditadm_gift_home_t secadm_gift_home_t };
> diff -pru  a/policy/modules/contrib/telepathy.if b/policy/modules/contrib/telepathy.if
> --- a/policy/modules/contrib/telepathy.if	2016-08-15 23:39:24.064783228 +0200
> +++ b/policy/modules/contrib/telepathy.if	2016-12-22 22:09:56.337766137 +0100
> @@ -19,6 +19,10 @@ template(`telepathy_domain_template',`
>  	type telepathy_$1_exec_t, telepathy_executable;
>  	userdom_user_application_domain(telepathy_$1_t, telepathy_$1_exec_t)
>
> +	optional_policy(`
> +		wm_application_domain(telepathy_$1_t, telepathy_$1_exec_t)
> +	')
> +
>  	type telepathy_$1_tmp_t, telepathy_tmp_content;
>  	userdom_user_tmp_file(telepathy_$1_tmp_t)
>
> diff -pru  a/policy/modules/contrib/thunderbird.te b/policy/modules/contrib/thunderbird.te
> --- a/policy/modules/contrib/thunderbird.te	2016-12-09 01:16:17.773011439 +0100
> +++ b/policy/modules/contrib/thunderbird.te	2016-12-22 21:51:10.800647300 +0100
> @@ -11,9 +11,12 @@ type thunderbird_t;
>  type thunderbird_exec_t;
>  typealias thunderbird_t alias { user_thunderbird_t staff_thunderbird_t sysadm_thunderbird_t };
>  typealias thunderbird_t alias { auditadm_thunderbird_t secadm_thunderbird_t };
> -userdom_user_application_domain(thunderbird_t, thunderbird_exec_t)
>  role thunderbird_roles types thunderbird_t;
>
> +optional_policy(`
> +	wm_application_domain(thunderbird_t, thunderbird_exec_t)
> +')
> +
>  type thunderbird_home_t;
>  typealias thunderbird_home_t alias { user_thunderbird_home_t staff_thunderbird_home_t sysadm_thunderbird_home_t };
>  typealias thunderbird_home_t alias { auditadm_thunderbird_home_t secadm_thunderbird_home_t };
> diff -pru  a/policy/modules/contrib/tvtime.te b/policy/modules/contrib/tvtime.te
> --- a/policy/modules/contrib/tvtime.te	2016-08-14 21:28:11.585521003 +0200
> +++ b/policy/modules/contrib/tvtime.te	2016-12-22 21:50:27.173153799 +0100
> @@ -11,9 +11,12 @@ type tvtime_t;
>  type tvtime_exec_t;
>  typealias tvtime_t alias { user_tvtime_t staff_tvtime_t sysadm_tvtime_t };
>  typealias tvtime_t alias { auditadm_tvtime_t secadm_tvtime_t };
> -userdom_user_application_domain(tvtime_t, tvtime_exec_t)

The basic application domain can't be removed otherwise this will 
completely break without wm.  There are other instances below.


>  role tvtime_roles types tvtime_t;
>
> +optional_policy(`
> +	wm_application_domain(tvtime_t, tvtime_exec_t)
> +')
> +
>  type tvtime_home_t alias tvtime_rw_t;
>  typealias tvtime_home_t alias { user_tvtime_home_t staff_tvtime_home_t sysadm_tvtime_home_t };
>  typealias tvtime_home_t alias { auditadm_tvtime_home_t secadm_tvtime_home_t };
> diff -pru  a/policy/modules/contrib/vmware.te b/policy/modules/contrib/vmware.te
> --- a/policy/modules/contrib/vmware.te	2016-08-14 21:28:11.594521141 +0200
> +++ b/policy/modules/contrib/vmware.te	2016-12-22 21:55:05.311271298 +0100
> @@ -9,7 +9,10 @@ type vmware_t;
>  type vmware_exec_t;
>  typealias vmware_t alias { user_vmware_t staff_vmware_t sysadm_vmware_t };
>  typealias vmware_t alias { auditadm_vmware_t secadm_vmware_t };
> -userdom_user_application_domain(vmware_t, vmware_exec_t)
> +
> +optional_policy(`
> +	wm_application_domain(vmware_t, vmware_exec_t)
> +')
>
>  type vmware_conf_t;
>  typealias vmware_conf_t alias { user_vmware_conf_t staff_vmware_conf_t sysadm_vmware_conf_t };
> diff -pru  a/policy/modules/contrib/wine.te b/policy/modules/contrib/wine.te
> --- a/policy/modules/contrib/wine.te	2016-08-14 21:28:11.597521187 +0200
> +++ b/policy/modules/contrib/wine.te	2016-12-22 21:56:36.112275069 +0100
> @@ -19,9 +19,12 @@ roleattribute system_r wine_roles;
>
>  type wine_t;
>  type wine_exec_t;
> -userdom_user_application_domain(wine_t, wine_exec_t)
>  role wine_roles types wine_t;
>
> +optional_policy(`
> +	wm_application_domain(wine_t, wine_exec_t)
> +')
> +
>  type wine_home_t;
>  userdom_user_home_content(wine_home_t)
>
> diff -pru  a/policy/modules/contrib/wireshark.te b/policy/modules/contrib/wireshark.te
> --- a/policy/modules/contrib/wireshark.te	2016-08-14 21:28:11.597521187 +0200
> +++ b/policy/modules/contrib/wireshark.te	2016-12-22 21:55:49.812764062 +0100
> @@ -11,9 +11,12 @@ type wireshark_t;
>  type wireshark_exec_t;
>  typealias wireshark_t alias { user_wireshark_t staff_wireshark_t sysadm_wireshark_t };
>  typealias wireshark_t alias { auditadm_wireshark_t secadm_wireshark_t };
> -userdom_user_application_domain(wireshark_t, wireshark_exec_t)
>  role wireshark_roles types wireshark_t;
>
> +optional_policy(`
> +	wm_application_domain(wireshark_t, wireshark_exec_t)
> +')
> +
>  type wireshark_home_t;
>  typealias wireshark_home_t alias { user_wireshark_home_t staff_wireshark_home_t sysadm_wireshark_home_t };
>  typealias wireshark_home_t alias { auditadm_wireshark_home_t secadm_wireshark_home_t };


-- 
Chris PeBenito