From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 28 Dec 2016 14:11:33 -0500
Subject: [refpolicy] [PATCH v2] contrib: extend wm ability to launch confined graphical applications
In-Reply-To: <296478415.18117.1482872395126.JavaMail.open-xchange@popper10.register.it>
References: <1482441707.20547.5.camel@trentalancia.net> <296478415.18117.1482872395126.JavaMail.open-xchange@popper10.register.it>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/27/16 15:59, Guido Trentalancia via refpolicy wrote:
> Add the ability to launch other confined graphical applications
> from the new confined window manager ("wm" module).
>
> There might be other confined graphical applications that need
> the wm_application_domain() interface...
>
> Thanks to Christopher PeBenito for the useful review.
>
> Signed-off-by: Guido Trentalancia
> ---
> policy/modules/contrib/gift.te | 4 ++++
> policy/modules/contrib/telepathy.if | 4 ++++
> policy/modules/contrib/thunderbird.te | 4 ++++
> policy/modules/contrib/tvtime.te | 4 ++++
> policy/modules/contrib/vmware.te | 4 ++++
> policy/modules/contrib/wine.te | 4 ++++
> policy/modules/contrib/wireshark.te | 4 ++++
> 7 files changed, 28 insertions(+)
>
> diff -pru a/policy/modules/contrib/gift.te b/policy/modules/contrib/gift.te
> --- a/policy/modules/contrib/gift.te 2016-08-14 21:28:11.492519574 +0200
> +++ b/policy/modules/contrib/gift.te 2016-12-27 21:46:55.940779882 +0100
> @@ -32,6 +32,10 @@ typealias giftd_t alias { auditadm_giftd
> userdom_user_application_domain(giftd_t, giftd_exec_t)
> role giftd_roles types giftd_t;
>
> +optional_policy(`
> + wm_application_domain(gift_t, gift_exec_t)
> +')
> +
> ##############################
> #
> # Client local policy
> diff -pru a/policy/modules/contrib/telepathy.if
> b/policy/modules/contrib/telepathy.if
> --- a/policy/modules/contrib/telepathy.if 2016-08-15 23:39:24.064783228 +0200
> +++ b/policy/modules/contrib/telepathy.if 2016-12-27 21:48:38.748185501 +0100
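Review bot: In the gift.te hunk the new `wm_application_domain(gift_t, gift_exec_t)` block sits directly under the two giftd_t lines (`userdom_user_application_domain(giftd_t, giftd_exec_t)` and `role giftd_roles types giftd_t;`) with no comment, so a reader can take it for part of the daemon's declarations when it actually names the client type. The vmware.te hunk has the same shape: the call on vmware_t follows the `init_ranged_daemon_domain(vmware_host_t, ...)` block. I would put a one-line comment above each block, for example `# Let confined window managers launch the gift client in gift_t.`, or move the block next to the declaration of the type it names. The declarations sections start above both hunks, so where gift_t and vmware_t are declared is not visible here.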
> @@ -22,6 +22,10 @@ template(`telepathy_domain_template',`
> type telepathy_$1_tmp_t, telepathy_tmp_content;
> userdom_user_tmp_file(telepathy_$1_tmp_t)
>
> + optional_policy(`
> + wm_application_domain(telepathy_$1_t, telepathy_$1_exec_t)
> + ')
> +
> auth_use_nsswitch(telepathy_$1_t)
> ')
>
> diff -pru a/policy/modules/contrib/thunderbird.te
> b/policy/modules/contrib/thunderbird.te
> --- a/policy/modules/contrib/thunderbird.te 2016-12-09 01:16:17.773011439 +0100
> +++ b/policy/modules/contrib/thunderbird.te 2016-12-27 21:48:59.588470089 +0100
> @@ -24,6 +23,10 @@ typealias thunderbird_tmpfs_t alias { us
> typealias thunderbird_tmpfs_t alias { auditadm_thunderbird_tmpfs_t
> secadm_thunderbird_tmpfs_t };
> userdom_user_tmpfs_file(thunderbird_tmpfs_t)
>
> +optional_policy(`
> + wm_application_domain(thunderbird_t, thunderbird_exec_t)
> +')
> +
> ########################################
> #
> # Local policy
> diff -pru a/policy/modules/contrib/tvtime.te b/policy/modules/contrib/tvtime.te
> --- a/policy/modules/contrib/tvtime.te 2016-08-14 21:28:11.585521003 +0200
> +++ b/policy/modules/contrib/tvtime.te 2016-12-27 21:49:20.773759267 +0100
> @@ -29,6 +28,10 @@ typealias tvtime_tmpfs_t alias { user_tv
> typealias tvtime_tmpfs_t alias { auditadm_tvtime_tmpfs_t secadm_tvtime_tmpfs_t
> };
> userdom_user_tmpfs_file(tvtime_tmpfs_t)
>
> +optional_policy(`
> + wm_application_domain(tvtime_t, tvtime_exec_t)
> +')
> +
> ########################################
> #
> # Local policy
> diff -pru a/policy/modules/contrib/vmware.te b/policy/modules/contrib/vmware.te
> --- a/policy/modules/contrib/vmware.te 2016-08-14 21:28:11.594521141 +0200
> +++ b/policy/modules/contrib/vmware.te 2016-12-27 21:49:46.144105414 +0100
> @@ -60,6 +59,10 @@ ifdef(`enable_mcs',`
> init_ranged_daemon_domain(vmware_host_t, vmware_host_exec_t, s0 -
> mcs_systemhigh)
> ')
>
> +optional_policy(`
> + wm_application_domain(vmware_t, vmware_exec_t)
> +')
> +
> ########################################
> #
> # Host local policy
> diff -pru a/policy/modules/contrib/wine.te b/policy/modules/contrib/wine.te
> --- a/policy/modules/contrib/wine.te 2016-08-14 21:28:11.597521187 +0200
> +++ b/policy/modules/contrib/wine.te 2016-12-27 21:50:02.956334703 +0100
> @@ -28,6 +27,10 @@ userdom_user_home_content(wine_home_t)
> type wine_tmp_t;
> userdom_user_tmp_file(wine_tmp_t)
>
> +optional_policy(`
> + wm_application_domain(wine_t, wine_exec_t)
> +')
> +
> ########################################
> #
> # Local policy
> diff -pru a/policy/modules/contrib/wireshark.te
> b/policy/modules/contrib/wireshark.te
> --- a/policy/modules/contrib/wireshark.te 2016-08-14 21:28:11.597521187 +0200
> +++ b/policy/modules/contrib/wireshark.te 2016-12-27 21:50:20.466573433 +0100
> @@ -29,6 +28,10 @@ typealias wireshark_tmpfs_t alias { user
> typealias wireshark_tmpfs_t alias { auditadm_wireshark_tmpfs_t
> secadm_wireshark_tmpfs_t };
> userdom_user_tmpfs_file(wireshark_tmpfs_t)
>
> +optional_policy(`
> + wm_application_domain(wireshark_t, wireshark_exec_t)
> +')
> +

Merged.

--
Chris PeBenito
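Review bot: The wireshark.te hunk gives no hint of which domains gain a way into wireshark_t through `wm_application_domain(wireshark_t, wireshark_exec_t)`; going by the patch description, the interface lets the confined window manager start the application, which presumably means a domain transition from the window manager types. For a capture tool that is worth stating in the policy, since wireshark_t is likely to hold more network access than the window manager itself (its rules are outside this hunk, so confirm). I would add `# Window manager domains may transition to wireshark_t; see wm_application_domain() in the wm module.` above the block and check the built policy with sesearch to confirm that the window manager types are the only new transition sources. The same comment would suit the vmware.te hunk.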