From: guido@trentalancia.net (Guido Trentalancia) Date: Fri, 14 Apr 2017 16:21:38 +0200 Subject: [refpolicy] [PATCH 2/10] wm: interactive start In-Reply-To: References: <1492125877.14193.40.camel@trentalancia.net> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hello. Thanks for getting back on this and for your tip. I think it should be possibile to curb on the "open" permission and use userdom_use_inherited_user_terminals() instead of userdom_use_user_terminals(). However, before submitting a revised patch, I would prefer to test it again and at the moment, I do not have access to the development system. I will get back as soon as possible and hopefully improve this patch as you suggested. Best regards, Guido On the 14th of April 2017 11:35:05 CEST, "Christian G?ttsche" wrote: >2017-04-14 1:24 GMT+02:00 Guido Trentalancia via refpolicy >: >> Update the window manager (wm) module (support starting >> gnome-shell from an X terminal). >> >> Signed-off-by: Guido Trentalancia >> --- >> policy/modules/contrib/wm.if | 27 +++++++++++++++++++++++++++ >> policy/modules/contrib/wm.te | 7 ++++++- >> 2 files changed, 33 insertions(+), 1 deletion(-) >> >> diff -pru refpolicy-2.20170204-orig/policy/modules/contrib/wm.if >refpolicy-2.20170204/policy/modules/contrib/wm.if >> --- refpolicy-2.20170204-orig/policy/modules/contrib/wm.if >2016-12-22 22:03:34.000000000 +0100 >> +++ refpolicy-2.20170204/policy/modules/contrib/wm.if 2017-04-13 >14:05:06.957330403 +0200 >> @@ -73,6 +73,8 @@ template(`wm_role_template',` >> xserver_role($2, $1_wm_t) >> xserver_manage_core_devices($1_wm_t) >> >> + wm_write_pipes($1, $3) >> + >> optional_policy(` >> dbus_connect_spec_session_bus($1, $1_wm_t) >> dbus_spec_session_bus_client($1, $1_wm_t) >> @@ -219,3 +221,28 @@ interface(`wm_application_domain',` >> userdom_user_application_domain($1, $2) >> domtrans_pattern(wm_domain, $2, $1) >> ') >> + >> +######################################## >> +### >> +### Write wm unnamed pipes. >> +### >> +## >> +### >> +### The prefix of the user domain (e.g., user >> +### is the prefix for user_t). >> +### >> +### >> +### >> +### >> +### Domain allowed access. >> +### >> +### >> +### >> +## >> +interface(`wm_write_pipes',` >> + gen_require(` >> + type $1_t; >> + ') >> + >> + allow $2 $1_wm_t:fifo_file write; >> +') >> diff -pru refpolicy-2.20170204-orig/policy/modules/contrib/wm.te >refpolicy-2.20170204/policy/modules/contrib/wm.te >> --- refpolicy-2.20170204-orig/policy/modules/contrib/wm.te >2017-02-04 19:30:47.000000000 +0100 >> +++ refpolicy-2.20170204/policy/modules/contrib/wm.te 2017-04-13 >14:05:26.993330321 +0200 >> @@ -64,19 +64,24 @@ kernel_read_fs_sysctls(wm_domain) >> kernel_read_proc_symlinks(wm_domain) >> kernel_read_sysctl(wm_domain) >> >> +locallogin_dontaudit_use_fds(wm_domain) >> + >> miscfiles_read_fonts(wm_domain) >> miscfiles_read_generic_certs(wm_domain) >> miscfiles_read_localization(wm_domain) >> >> udev_read_pid_files(wm_domain) >> >> -# this is needed by gnome-shell >> +# the following is needed by gnome-shell >> userdom_exec_user_home_content_files(wm_domain) >> >> userdom_manage_user_tmp_sockets(wm_domain) >> userdom_tmp_filetrans_user_tmp(wm_domain, sock_file) >> userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file) >> >> +# to print error messages >> +userdom_use_user_terminals(wm_domain) > >maybe userdom_use_inherited_user_terminals()? > >> + >> userdom_manage_user_home_content_dirs(wm_domain) >> userdom_manage_user_home_content_files(wm_domain) >> >> _______________________________________________ >> refpolicy mailing list >> refpolicy at oss.tresys.com >> http://oss.tresys.com/mailman/listinfo/refpolicy