From: guido@trentalancia.net (Guido Trentalancia)
Date: Tue, 27 Dec 2016 21:59:55 +0100 (CET)
Subject: [refpolicy] [PATCH v2] contrib: extend wm ability to launch confined graphical applications
In-Reply-To:
References: <1482441707.20547.5.camel@trentalancia.net>
Message-ID: <296478415.18117.1482872395126.JavaMail.open-xchange@popper10.register.it>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Add the ability to launch other confined graphical applications from the new confined window manager ("wm" module). There might be other confined graphical applications that need the wm_application_domain() interface... Thanks to Christopher PeBenito for the useful review.
Signed-off-by: Guido Trentalancia
---
 policy/modules/contrib/gift.te | 4 ++++
 policy/modules/contrib/telepathy.if | 4 ++++
 policy/modules/contrib/thunderbird.te | 4 ++++
 policy/modules/contrib/tvtime.te | 4 ++++
 policy/modules/contrib/vmware.te | 4 ++++
 policy/modules/contrib/wine.te | 4 ++++
 policy/modules/contrib/wireshark.te | 4 ++++
 7 files changed, 28 insertions(+)
diff -pru a/policy/modules/contrib/gift.te b/policy/modules/contrib/gift.te
--- a/policy/modules/contrib/gift.te 2016-08-14 21:28:11.492519574 +0200
+++ b/policy/modules/contrib/gift.te 2016-12-27 21:46:55.940779882 +0100
@@ -32,6 +32,10 @@ typealias giftd_t alias { auditadm_giftd
 userdom_user_application_domain(giftd_t, giftd_exec_t)
 role giftd_roles types giftd_t;
+optional_policy(`
+ wm_application_domain(gift_t, gift_exec_t)
+')
+
 ##############################
 #
 # Client local policy
diff -pru a/policy/modules/contrib/telepathy.if b/policy/modules/contrib/telepathy.if
--- a/policy/modules/contrib/telepathy.if 2016-08-15 23:39:24.064783228 +0200
+++ b/policy/modules/contrib/telepathy.if 2016-12-27 21:48:38.748185501 +0100
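Review bot: The added `wm_application_domain(gift_t, gift_exec_t)` block in gift.te sits right after the giftd_t daemon declarations (`role giftd_roles types giftd_t;`), although it concerns the client types gift_t and gift_exec_t. Keeping it next to the gift_t declarations, which are outside this hunk, would put every entry point into gift_t in one place for anyone auditing transitions. None of the seven added blocks carries a comment; a line such as `# Allow the confined window manager to launch the gift client` above each `optional_policy` would record why the wm domain is given this launch path.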
@@ -22,6 +22,10 @@ template(`telepathy_domain_template',`
 type telepathy_$1_tmp_t, telepathy_tmp_content;
 userdom_user_tmp_file(telepathy_$1_tmp_t)
+ optional_policy(`
+ wm_application_domain(telepathy_$1_t, telepathy_$1_exec_t)
+ ')
+
 auth_use_nsswitch(telepathy_$1_t)
 ')
diff -pru a/policy/modules/contrib/thunderbird.te b/policy/modules/contrib/thunderbird.te
--- a/policy/modules/contrib/thunderbird.te 2016-12-09 01:16:17.773011439 +0100
+++ b/policy/modules/contrib/thunderbird.te 2016-12-27 21:48:59.588470089 +0100
@@ -24,6 +23,10 @@ typealias thunderbird_tmpfs_t alias { us
 typealias thunderbird_tmpfs_t alias { auditadm_thunderbird_tmpfs_t secadm_thunderbird_tmpfs_t };
 userdom_user_tmpfs_file(thunderbird_tmpfs_t)
+optional_policy(`
+ wm_application_domain(thunderbird_t, thunderbird_exec_t)
+')
+
 ########################################
 #
 # Local policy
diff -pru a/policy/modules/contrib/tvtime.te b/policy/modules/contrib/tvtime.te
--- a/policy/modules/contrib/tvtime.te 2016-08-14 21:28:11.585521003 +0200
+++ b/policy/modules/contrib/tvtime.te 2016-12-27 21:49:20.773759267 +0100
@@ -29,6 +28,10 @@ typealias tvtime_tmpfs_t alias { user_tv
 typealias tvtime_tmpfs_t alias { auditadm_tvtime_tmpfs_t secadm_tvtime_tmpfs_t };
 userdom_user_tmpfs_file(tvtime_tmpfs_t)
+optional_policy(`
+ wm_application_domain(tvtime_t, tvtime_exec_t)
+')
+
 ########################################
 #
 # Local policy
diff -pru a/policy/modules/contrib/vmware.te b/policy/modules/contrib/vmware.te
--- a/policy/modules/contrib/vmware.te 2016-08-14 21:28:11.594521141 +0200
+++ b/policy/modules/contrib/vmware.te 2016-12-27 21:49:46.144105414 +0100
@@ -60,6 +59,10 @@ ifdef(`enable_mcs',`
 init_ranged_daemon_domain(vmware_host_t, vmware_host_exec_t, s0 - mcs_systemhigh)
 ')
+optional_policy(`
+ wm_application_domain(vmware_t, vmware_exec_t)
+')
+
 ########################################
 #
 # Host local policy
diff -pru a/policy/modules/contrib/wine.te b/policy/modules/contrib/wine.te
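Review bot: Placing `wm_application_domain(telepathy_$1_t, telepathy_$1_exec_t)` inside `telepathy_domain_template` applies it to every domain the template instantiates, not only to graphical ones. The commit description limits the intent to confined graphical applications, and the template's callers are not visible here, so any instance that is a background service would gain a window-manager launch path it does not need. Consider calling the interface from telepathy.te for the specific graphical domains instead, or add a comment in the template stating that every instance is expected to be launched from the window manager. The template body starts before this hunk.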
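Review bot: The `wm_application_domain(vmware_t, vmware_exec_t)` block makes the window manager domain an additional launch path into vmware_t whenever the wm module is present, and the same holds for the wine_t and wireshark_t hunks further down. These domains presumably hold more privilege than an ordinary desktop application, which cannot be confirmed from the hunks alone, so it is worth checking what wm_application_domain() grants beyond the transition before widening their entry points. If the launch path should be opt-in, the call could sit inside a `tunable_policy()` block; at minimum a comment such as `# Allow the confined window manager to launch vmware` would record the intent.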
--- a/policy/modules/contrib/wine.te 2016-08-14 21:28:11.597521187 +0200
+++ b/policy/modules/contrib/wine.te 2016-12-27 21:50:02.956334703 +0100
@@ -28,6 +27,10 @@ userdom_user_home_content(wine_home_t)
 type wine_tmp_t;
 userdom_user_tmp_file(wine_tmp_t)
+optional_policy(`
+ wm_application_domain(wine_t, wine_exec_t)
+')
+
 ########################################
 #
 # Local policy
diff -pru a/policy/modules/contrib/wireshark.te b/policy/modules/contrib/wireshark.te
--- a/policy/modules/contrib/wireshark.te 2016-08-14 21:28:11.597521187 +0200
+++ b/policy/modules/contrib/wireshark.te 2016-12-27 21:50:20.466573433 +0100
@@ -29,6 +28,10 @@ typealias wireshark_tmpfs_t alias { user
 typealias wireshark_tmpfs_t alias { auditadm_wireshark_tmpfs_t secadm_wireshark_tmpfs_t };
 userdom_user_tmpfs_file(wireshark_tmpfs_t)
+optional_policy(`
+ wm_application_domain(wireshark_t, wireshark_exec_t)
+')
+
 ##############################
 #
 # Local Policy