From: guido@trentalancia.net (Guido Trentalancia)
Date: Tue, 27 Dec 2016 21:35:28 +0100 (CET)
Subject: [refpolicy] [PATCH] contrib: extend wm ability to launch confined graphical applications
In-Reply-To:
References: <1482441707.20547.5.camel@trentalancia.net>
Message-ID: <2142741280.17864.1482870928645.JavaMail.open-xchange@popper10.register.it>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Christopher.

> On the 27th December 2016 at 16.20 Chris PeBenito wrote:
>
> > On 12/22/16 16:21, Guido Trentalancia via refpolicy wrote:
> > Add the ability to launch other confined graphical applications
> > from the new confined window manager ("wm" module).
> >
> > There might be other confined graphical applications that need
> > the wm_application_domain() interface...
> >
> > Signed-off-by: Guido Trentalancia
> > ---
> > policy/modules/contrib/gift.te | 4 ++++
> > policy/modules/contrib/telepathy.if | 4 ++++
> > policy/modules/contrib/thunderbird.te | 5 ++++-
> > policy/modules/contrib/tvtime.te | 5 ++++-
> > policy/modules/contrib/vmware.te | 5 ++++-
> > policy/modules/contrib/wine.te | 5 ++++-
> > policy/modules/contrib/wireshark.te | 5 ++++-
> > 7 files changed, 28 insertions(+), 5 deletions(-)

[...]

> > diff -pru a/policy/modules/contrib/tvtime.te
> > b/policy/modules/contrib/tvtime.te
> > --- a/policy/modules/contrib/tvtime.te 2016-08-14 21:28:11.585521003 +0200
> > +++ b/policy/modules/contrib/tvtime.te 2016-12-22 21:50:27.173153799 +0100
> > @@ -11,9 +11,12 @@ type tvtime_t;
> > type tvtime_exec_t;
> > typealias tvtime_t alias { user_tvtime_t staff_tvtime_t sysadm_tvtime_t };
> > typealias tvtime_t alias { auditadm_tvtime_t secadm_tvtime_t };
> > -userdom_user_application_domain(tvtime_t, tvtime_exec_t)
>
> The basic application domain can't be removed otherwise this will
> completely break without wm. There are other instances below.

Yes, thanks for telling me, this is a very good point. I have been fooled into doing so by the fact that some applications only run under the graphical interface. But, as you noted, there might always be someone around who, for whatever reason, does not use the wm module.

> > role tvtime_roles types tvtime_t;
> >
> > +optional_policy(`
> > + wm_application_domain(tvtime_t, tvtime_exec_t)
> > +')
> > +
> > type tvtime_home_t alias tvtime_rw_t;
> > typealias tvtime_home_t alias { user_tvtime_home_t staff_tvtime_home_t
> > sysadm_tvtime_home_t };
> > typealias tvtime_home_t alias { auditadm_tvtime_home_t secadm_tvtime_home_t
> > };
> > diff -pru a/policy/modules/contrib/vmware.te
> > b/policy/modules/contrib/vmware.te
> > --- a/policy/modules/contrib/vmware.te 2016-08-14 21:28:11.594521141 +0200
> > +++ b/policy/modules/contrib/vmware.te 2016-12-22 21:55:05.311271298 +0100
> > @@ -9,7 +9,10 @@ type vmware_t;
> > type vmware_exec_t;
> > typealias vmware_t alias { user_vmware_t staff_vmware_t sysadm_vmware_t };
> > typealias vmware_t alias { auditadm_vmware_t secadm_vmware_t };
> > -userdom_user_application_domain(vmware_t, vmware_exec_t)
> > +
> > +optional_policy(`
> > + wm_application_domain(vmware_t, vmware_exec_t)
> > +')
> >
> > type vmware_conf_t;
> > typealias vmware_conf_t alias { user_vmware_conf_t staff_vmware_conf_t
> > sysadm_vmware_conf_t };
> > diff -pru a/policy/modules/contrib/wine.te b/policy/modules/contrib/wine.te
> > --- a/policy/modules/contrib/wine.te 2016-08-14 21:28:11.597521187 +0200
> > +++ b/policy/modules/contrib/wine.te 2016-12-22 21:56:36.112275069 +0100
> > @@ -19,9 +19,12 @@ roleattribute system_r wine_roles;
> >
> > type wine_t;
> > type wine_exec_t;
> > -userdom_user_application_domain(wine_t, wine_exec_t)
> > role wine_roles types wine_t;
> >
> > +optional_policy(`
> > + wm_application_domain(wine_t, wine_exec_t)
> > +')
> > +
> > type wine_home_t;
> > userdom_user_home_content(wine_home_t)
> >
> > diff -pru a/policy/modules/contrib/wireshark.te
> > b/policy/modules/contrib/wireshark.te
> > --- a/policy/modules/contrib/wireshark.te 2016-08-14 21:28:11.597521187
> > +0200
> > +++ b/policy/modules/contrib/wireshark.te 2016-12-22 21:55:49.812764062
> > +0100
> > @@ -11,9 +11,12 @@ type wireshark_t;
> > type wireshark_exec_t;
> > typealias wireshark_t alias { user_wireshark_t staff_wireshark_t
> > sysadm_wireshark_t };
> > typealias wireshark_t alias { auditadm_wireshark_t secadm_wireshark_t };
> > -userdom_user_application_domain(wireshark_t, wireshark_exec_t)
> > role wireshark_roles types wireshark_t;
> >
> > +optional_policy(`
> > + wm_application_domain(wireshark_t, wireshark_exec_t)
> > +')
> > +
> > type wireshark_home_t;
> > typealias wireshark_home_t alias { user_wireshark_home_t
> > staff_wireshark_home_t sysadm_wireshark_home_t };
> > typealias wireshark_home_t alias { auditadm_wireshark_home_t
> > secadm_wireshark_home_t };

Best regards,

Guido
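Review bot: in the tvtime.te hunk, removing `-userdom_user_application_domain(tvtime_t, tvtime_exec_t)` leaves tvtime_t with no application-domain declaration at all whenever the wm module is not built, because the body of `optional_policy(` ... `')` is dropped silently when the module it depends on is absent; this is the breakage Chris points out in his reply. Keep the userdom_user_application_domain() line where it was (between the typealias lines and `role tvtime_roles types tvtime_t;`) and add only the optional_policy block, so the wm rules are strictly additive on top of the base domain.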
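Review bot: the vmware.te hunk has the same defect: `-userdom_user_application_domain(vmware_t, vmware_exec_t)` is taken out and the only replacement is a block that exists solely when wm is compiled in, so a policy built without wm is left with a vmware_t type that never gets its base application rules. Restore the line directly under `typealias vmware_t alias { auditadm_vmware_t secadm_vmware_t };`, keeping the added blank line between it and the new optional_policy block so the layout matches the other files in the series.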
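Review bot: in the wine.te hunk, `-userdom_user_application_domain(wine_t, wine_exec_t)` should not be removed either; without it, `role wine_roles types wine_t;` in the context below ends up granting roles over a type that is not set up as an application domain on systems that do not load wm. Leave the userdom_user_application_domain() call in place before the role statement, as in tvtime.te and wireshark.te, and keep the new optional_policy block after it.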
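Review bot: the wireshark.te hunk repeats the removal of `-userdom_user_application_domain(wireshark_t, wireshark_exec_t)` and must keep it for the same reason as the other three files; even if wm_application_domain() were to supply the same rules, that only holds when the wm module is present, so the base declaration belongs in the unconditional part of the file. Since the diffstat in the commit message shows the same "5 ++++-" shape for thunderbird.te, the hunks elided above with [...] should be checked for this same pattern before the series is resent.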