From: cgzones@googlemail.com (=?UTF-8?Q?Christian_G=C3=B6ttsche?=)
Date: Fri, 14 Apr 2017 11:35:05 +0200
Subject: [refpolicy] [PATCH 2/10] wm: interactive start
In-Reply-To: <1492125877.14193.40.camel@trentalancia.net>
References: <1492125877.14193.40.camel@trentalancia.net>
Message-ID: <CAJ2a_DfuO3gdGxpzer6u_1VptcXxV7r_MdHHdPoWUFUssWT84Q@mail.gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

2017-04-14 1:24 GMT+02:00 Guido Trentalancia via refpolicy
<refpolicy@oss.tresys.com>:
> Update the window manager (wm) module (support starting
> gnome-shell from an X terminal).
>
> Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
> ---
>  policy/modules/contrib/wm.if |   27 +++++++++++++++++++++++++++
>  policy/modules/contrib/wm.te |    7 ++++++-
>  2 files changed, 33 insertions(+), 1 deletion(-)
>
> diff -pru refpolicy-2.20170204-orig/policy/modules/contrib/wm.if refpolicy-2.20170204/policy/modules/contrib/wm.if
> --- refpolicy-2.20170204-orig/policy/modules/contrib/wm.if      2016-12-22 22:03:34.000000000 +0100
> +++ refpolicy-2.20170204/policy/modules/contrib/wm.if   2017-04-13 14:05:06.957330403 +0200
> @@ -73,6 +73,8 @@ template(`wm_role_template',`
>         xserver_role($2, $1_wm_t)
>         xserver_manage_core_devices($1_wm_t)
>
> +       wm_write_pipes($1, $3)
> +
>         optional_policy(`
>                 dbus_connect_spec_session_bus($1, $1_wm_t)
>                 dbus_spec_session_bus_client($1, $1_wm_t)
> @@ -219,3 +221,28 @@ interface(`wm_application_domain',`
>         userdom_user_application_domain($1, $2)
>         domtrans_pattern(wm_domain, $2, $1)
>  ')
> +
> +########################################
> +### <summary>
> +###    Write wm unnamed pipes.
> +### </summary>
> +## <param name="role_prefix">
> +###    <summary>
> +###    The prefix of the user domain (e.g., user
> +###    is the prefix for user_t).
> +###    </summary>
> +### </param>
> +### <param name="domain">
> +###    <summary>
> +###    Domain allowed access.
> +###    </summary>
> +### </param>
> +### </param>
> +##
> +interface(`wm_write_pipes',`
> +       gen_require(`
> +               type $1_t;
> +       ')
> +
> +       allow $2 $1_wm_t:fifo_file write;
> +')
> diff -pru refpolicy-2.20170204-orig/policy/modules/contrib/wm.te refpolicy-2.20170204/policy/modules/contrib/wm.te
> --- refpolicy-2.20170204-orig/policy/modules/contrib/wm.te      2017-02-04 19:30:47.000000000 +0100
> +++ refpolicy-2.20170204/policy/modules/contrib/wm.te   2017-04-13 14:05:26.993330321 +0200
> @@ -64,19 +64,24 @@ kernel_read_fs_sysctls(wm_domain)
>  kernel_read_proc_symlinks(wm_domain)
>  kernel_read_sysctl(wm_domain)
>
> +locallogin_dontaudit_use_fds(wm_domain)
> +
>  miscfiles_read_fonts(wm_domain)
>  miscfiles_read_generic_certs(wm_domain)
>  miscfiles_read_localization(wm_domain)
>
>  udev_read_pid_files(wm_domain)
>
> -# this is needed by gnome-shell
> +# the following is needed by gnome-shell
>  userdom_exec_user_home_content_files(wm_domain)
>
>  userdom_manage_user_tmp_sockets(wm_domain)
>  userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
>  userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file)
>
> +# to print error messages
> +userdom_use_user_terminals(wm_domain)

maybe userdom_use_inherited_user_terminals()?

> +
>  userdom_manage_user_home_content_dirs(wm_domain)
>  userdom_manage_user_home_content_files(wm_domain)
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy