2016-12-14 13:23:38

by guido

Subject: [refpolicy] [PATCH v2 1/5] wm: update the window manager (wm) module and enable its role template (v5)

Hello Jason,

You took the list off for this message; I think this was not
intentional, so I am bringing the reply back on the list...

On Wed, 14/12/2016 at 21.01 +0800, Jason Zaman wrote:
>
>
> On 14 Dec 2016 09:54, "Guido Trentalancia via refpolicy" <refpolicy@oss.tresys.com> wrote:
> Enable the window manager role (wm contrib module) and update
> the module to work with gnome-shell.
>
> This patch requires the following recently posted patch for the
> games module:
>
> [PATCH v3 1/2] games: general update and improved pulseaudio
> integration
> http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html
>
> This patch has received some testing with the following two
> configurations:
> - gnome-shell executing in normal mode (with display managers
> other than gdm, such as xdm from XOrg);
> - gnome-shell executing in gdm mode (with the Gnome Display
> Manager).
>
> Patches 3/5, 4/5 and 5/5 are needed when gnome-shell is used
> in conjunction with gdm.
>
> Since the window managers are not limited by gnome-shell, this latter
> version of the patch (along with part 2/5) uses separate optional
> conditionals for the gnome and wm role templates.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
>  policy/modules/contrib/colord.te   |  5 ++
>  policy/modules/contrib/dbus.te     |  5 ++
>  policy/modules/contrib/wm.if       | 43 +++++++++++++++++-
>  policy/modules/contrib/wm.te       | 88 ++++++++++++++++++++++++++++++++++++-
>  policy/modules/roles/staff.te      |  8 ++-
>  policy/modules/roles/sysadm.te     |  4 +
>  policy/modules/roles/unprivuser.te |  8 ++-
>  7 files changed, 155 insertions(+), 6 deletions(-)
>
> diff -pruN refpolicy-git-07122016-
> orig/policy/modules/contrib/colord.te refpolicy-git-
> 07122016/policy/modules/contrib/colord.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/colord.te? ? ?
> ? 2016-08-14 21:28:11.468519205 +0200
> +++ refpolicy-git-07122016/policy/modules/contrib/colord.te? ? ?2016-
> 12-14 02:45:54.815580399 +0100
>
> First off, can you use git format patch and git send email because
> refpolicy has contrib as a submodule and the way you've sent it won't
> apply.

Yes, I remember, you told me already another time about that, but to be
honest I have experienced difficulties in creating patches using git.

However, apart from the slightly different formatting, it applies
cleanly to the contrib submodule: just use "patch -p1 <
name_of_the_patch.patch"

> @@ -137,3 +137,8 @@ optional_policy(`
> ? ? ? ? udev_read_db(colord_t)
> ? ? ? ? udev_read_pid_files(colord_t)
> ?')
> +
> +optional_policy(`
> +? ? ? ?xserver_read_xdm_lib_files(colord_t)
> +? ? ? ?xserver_use_xdm_fds(colord_t)
> +')
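Review bot: the colord.te hunk is not covered by the commit message, which describes only the wm module and its role template, yet it grants colord_t xserver_read_xdm_lib_files() and xserver_use_xdm_fds(), i.e. a change to another daemon's policy. If this is what the gdm-mode configuration from the description needs, say so in the message; better still, send it as its own patch so it can be reviewed and applied on its own.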
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/dbus.te
> refpolicy-git-07122016/policy/modules/contrib/dbus.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/dbus.te? 2016-
> 08-14 21:28:11.477519343 +0200
> +++ refpolicy-git-07122016/policy/modules/contrib/dbus.te? ? ? ?2016-
> 12-14 02:24:00.796768671 +0100
> @@ -159,6 +159,11 @@ optional_policy(`
> ? ? ? ? udev_read_db(system_dbusd_t)
> ?')
>
> +optional_policy(`
> +? ? ? ?xserver_read_xdm_lib_files(system_dbusd_t)
> +? ? ? ?xserver_use_xdm_fds(system_dbusd_t)
> +')
> +
> ?########################################
> ?#
> ?# Common session bus local policy
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.if
> refpolicy-git-07122016/policy/modules/contrib/wm.if
> --- refpolicy-git-07122016-orig/policy/modules/contrib/wm.if? ? 2016-
> 12-14 02:24:53.377000472 +0100
> +++ refpolicy-git-07122016/policy/modules/contrib/wm.if 2016-12-13
> 22:53:54.445212825 +0100
> @@ -47,6 +47,8 @@ template(`wm_role_template',`
> ? ? ? ? # Policy
> ? ? ? ? #
>
> +? ? ? ?allow $3 $1_wm_t:fd use;
> +
> ? ? ? ? allow $1_wm_t $3:unix_stream_socket connectto;
> ? ? ? ? allow $3 $1_wm_t:unix_stream_socket connectto;
>
> @@ -72,6 +74,7 @@ template(`wm_role_template',`
> ? ? ? ? xserver_manage_core_devices($1_wm_t)
>
> ? ? ? ? optional_policy(`
> +? ? ? ? ? ? ? ?dbus_connect_spec_session_bus($1, $1_wm_t)
> ? ? ? ? ? ? ? ? dbus_spec_session_bus_client($1, $1_wm_t)
> ? ? ? ? ? ? ? ? dbus_system_bus_client($1_wm_t)
>
> @@ -81,7 +84,7 @@ template(`wm_role_template',`
> ? ? ? ? ')
>
> ? ? ? ? optional_policy(`
> -? ? ? ? ? ? ? ?gnome_stream_connect_gkeyringd($1, $1_wm_t)
> +? ? ? ? ? ? ? ?gnome_stream_connect_all_gkeyringd($1_wm_t)
> ? ? ? ? ')
>
> ? ? ? ? optional_policy(`
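Review bot: replacing gnome_stream_connect_gkeyringd($1, $1_wm_t) with gnome_stream_connect_all_gkeyringd($1_wm_t) widens the rule, judging by the name and the dropped $1 prefix, from the role's own gnome-keyring daemon to every gnome-keyring daemon domain, which gives up the per-role separation the rest of the template keeps through the $1 prefix. If the prefixed interface is no longer adequate or gnome-shell genuinely needs to reach other roles' daemons, the commit message should say which; otherwise the prefixed form should stay.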
> @@ -134,3 +137,41 @@ interface(`wm_dbus_chat',`
> ? ? ? ? allow $2 $1_wm_t:dbus send_msg;
> ? ? ? ? allow $1_wm_t $2:dbus send_msg;
> ?')
> +
> +########################################
> +## <summary>
> +##? ? ?Do not audit attempts to execute
> +##? ? ?files in temporary directories.
> +## </summary>
> +## <param name="domain">
> +##? ? ?<summary>
> +##? ? ?Domain to not audit.
> +##? ? ?</summary>
> +## </param>
> +#
> +interface(`wm_dontaudit_exec_tmp_files',`
> +? ? ? ?gen_require(`
> +? ? ? ? ? ? ? ?type wm_tmp_t;
> +? ? ? ?')
> +
> +? ? ? ?dontaudit $1 wm_tmp_t:file exec_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +##? ? ?Do not audit attempts to execute
> +##? ? ?files in temporary filesystems.
> +## </summary>
> +## <param name="domain">
> +##? ? ?<summary>
> +##? ? ?Domain to not audit.
> +##? ? ?</summary>
> +## </param>
> +#
> +interface(`wm_dontaudit_exec_tmpfs_files',`
> +? ? ? ?gen_require(`
> +? ? ? ? ? ? ? ?type wm_tmpfs_t;
> +? ? ? ?')
> +
> +? ? ? ?dontaudit $1 wm_tmpfs_t:file exec_file_perms;
> +')
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.te
> refpolicy-git-07122016/policy/modules/contrib/wm.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/wm.te? ? 2016-
> 12-14 02:24:53.396000918 +0100
> +++ refpolicy-git-07122016/policy/modules/contrib/wm.te 2016-12-13
> 00:34:34.876856837 +0100
> @@ -10,6 +10,18 @@ attribute wm_domain;
> ?type wm_exec_t;
> ?corecmd_executable_file(wm_exec_t)
>
> +type wm_tmp_t;
> +typealias wm_tmp_t alias { user_wm_tmp_t staff_wm_tmp_t
> sysadm_wm_tmp_t };
> +userdom_user_tmp_file(wm_tmp_t)
> +
> +type wm_tmpfs_t;
> +typealias wm_tmpfs_t alias { user_wm_tmpfs_t staff_wm_tmpfs_t
> sysadm_wm_tmpfs_t };
> +userdom_user_tmpfs_file(wm_tmpfs_t)
> +
> +optional_policy(`
> +? ? ? ?pulseaudio_tmpfs_content(wm_tmpfs_t)
> +')
> +
> ?########################################
> ?#
> ?# Common wm domain local policy
> @@ -21,31 +33,60 @@ allow wm_domain self:netlink_kobject_uev
> ?allow wm_domain self:shm create_shm_perms;
> ?allow wm_domain self:unix_dgram_socket create_socket_perms;
>
> +manage_dirs_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
> +manage_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
> +manage_lnk_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
> +files_tmp_filetrans(wm_domain, wm_tmp_t, { dir file lnk_file })
> +
> +manage_dirs_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
> +manage_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
> +manage_lnk_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
> +fs_tmpfs_filetrans(wm_domain, wm_tmpfs_t, { dir file lnk_file })
> +
> +can_exec(wm_domain, wm_exec_t)
> +
> ?kernel_read_system_state(wm_domain)
>
> ?corecmd_getattr_all_executables(wm_domain)
>
> +dev_read_rand(wm_domain)
> ?dev_read_sound(wm_domain)
> ?dev_read_sysfs(wm_domain)
> ?dev_read_urand(wm_domain)
> +dev_rw_dri(wm_domain)
>
> I'm pretty sure this is not required. This perm depends on your type
> of graphics card and driver. OpenGL on my machine needs it but other
> people I've talked to don't require it. I think I am going to add
> this as a Boolean to allow rw_dri(xdomain) so people with those kinds
> of cards can enable it everywhere instead of forcing it for people
> who don't need it.

It is harmless and it benefits the DRI driver. If you haven't got a
graphics card with DRI or if you have DRI disabled, it just does
nothing.

It is simply a permission to write to devices in /dev/dri/*.

A boolean would just make things complicated without any benefit for
anyone.

It is not forcing anything, it is just supporting the natural behaviour
of an application carrying out a licit operation.

> ?dev_rw_wireless(wm_domain)
> ?dev_write_sound(wm_domain)
>
> +files_read_etc_runtime_files(wm_domain)
> ?files_read_usr_files(wm_domain)
>
> ?fs_getattr_all_fs(wm_domain)
>
> +kernel_read_fs_sysctls(wm_domain)
> +kernel_read_proc_symlinks(wm_domain)
> +kernel_read_sysctl(wm_domain)
> +
> ?miscfiles_read_fonts(wm_domain)
> +miscfiles_read_generic_certs(wm_domain)
> ?miscfiles_read_localization(wm_domain)
>
> +udev_read_pid_files(wm_domain)
> +
> +# this is needed by gnome-shell
> +userdom_exec_user_home_content_files(wm_domain)
> +
> ?userdom_manage_user_tmp_sockets(wm_domain)
> ?userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
> ?userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file)
>
> ?userdom_manage_user_home_content_dirs(wm_domain)
> ?userdom_manage_user_home_content_files(wm_domain)
> +
> ?userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir
> file })
>
> +wm_dontaudit_exec_tmp_files(wm_domain)
> +wm_dontaudit_exec_tmpfs_files(wm_domain)
> +
> ?optional_policy(`
> ? ? ? ? accountsd_dbus_chat(wm_domain)
> ?')
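Review bot: wm_dontaudit_exec_tmp_files(wm_domain) and wm_dontaudit_exec_tmpfs_files(wm_domain) are the wm module calling its own interfaces; refpolicy convention is to write such rules directly in the module, so these two lines should become `dontaudit wm_domain wm_tmp_t:file exec_file_perms;` and `dontaudit wm_domain wm_tmpfs_t:file exec_file_perms;`, and the two new interfaces in wm.if are only needed if some other module is expected to call them. A comment saying why a window manager attempts to execute files it created under /tmp in the first place would also help the next reader decide whether a dontaudit is the right answer.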
> @@ -55,10 +96,51 @@ optional_policy(`
> ?')
>
> ?optional_policy(`
> +? ? ? ?consolekit_dbus_chat(wm_domain)
> +')
> +
> +optional_policy(`
> ? ? ? ? devicekit_dbus_chat_power(wm_domain)
> ?')
>
> ?optional_policy(`
> +? ? ? ?evolution_domtrans(wm_domain)
> +
> +? ? ? ?optional_policy(`
> +? ? ? ? ? ? ? ?evolution_dbus_chat(wm_domain)
> +? ? ? ? ? ? ? ?evolution_alarm_dbus_chat(wm_domain)
> +? ? ? ?')
> +')
> +
> +optional_policy(`
> +? ? ? ?games_domtrans(wm_domain)
> +
> +? ? ? ?optional_policy(`
> +? ? ? ? ? ? ? ?games_dbus_chat(wm_domain)
> +? ? ? ?')
> +')
> +
> +optional_policy(`
> +? ? ? ?java_domtrans(wm_domain)
> +')
> +
> +optional_policy(`
> +? ? ? ?mono_domtrans(wm_domain)
> +')
> +
> +optional_policy(`
> +? ? ? ?mozilla_domtrans(wm_domain)
> +
> +? ? ? ?optional_policy(`
> +? ? ? ? ? ? ? ?mozilla_dbus_chat(wm_domain)
> +? ? ? ?')
> +')
> +
> +optional_policy(`
> +? ? ? ?mplayer_domtrans(wm_domain)
> +')
> +
> +optional_policy(`
> ? ? ? ? networkmanager_dbus_chat(wm_domain)
> ?')
>
> Whoa are we going to have to add every single application to
> wm_domain to be able to run it? That will get annoying super fast.
> Isn't there an application_domain attribute we can use? If there
> isn't we might want to reverse this so X application types instead
> declare that wm can run them (something like the application_type
> interface)

I don't understand what you mean.

> @@ -67,9 +149,13 @@ optional_policy(`
> ?')
>
> ?optional_policy(`
> -? ? ? ?pulseaudio_stream_connect(wm_domain)
> +? ? ? ?telepathy_mission_control_dbus_chat(wm_domain)
> ?')
>
> ?optional_policy(`
> ? ? ? ? userhelper_exec_consolehelper(wm_domain)
> ?')
> +
> +optional_policy(`
> +? ? ? ?xserver_dbus_chat_xdm(wm_domain)
> +')
> diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/staff.te
> refpolicy-git-07122016/policy/modules/roles/staff.te
> --- refpolicy-git-07122016-orig/policy/modules/roles/staff.te? ?2016-
> 12-14 02:24:53.397000941 +0100
> +++ refpolicy-git-07122016/policy/modules/roles/staff.te? ? ? ? 2016-
> 12-13 22:45:02.857851229 +0100
> @@ -88,11 +88,11 @@ ifndef(`distro_redhat',`
> ? ? ? ? ? ? ? ? ')
>
> ? ? ? ? ? ? ? ? optional_policy(`
> -? ? ? ? ? ? ? ? ? ? ? ?pulseaudio_role(staff_r, staff_t)
> +? ? ? ? ? ? ? ? ? ? ? ?telepathy_role_template(staff, staff_r,
> staff_t)
> ? ? ? ? ? ? ? ? ')
>
> ? ? ? ? ? ? ? ? optional_policy(`
> -? ? ? ? ? ? ? ? ? ? ? ?telepathy_role_template(staff, staff_r,
> staff_t)
> +? ? ? ? ? ? ? ? ? ? ? ?wm_role_template(staff, staff_r, staff_t)
> ? ? ? ? ? ? ? ? ')
> ? ? ? ? ')
>
> @@ -145,6 +145,10 @@ ifndef(`distro_redhat',`
> ? ? ? ? ')
>
> ? ? ? ? optional_policy(`
> +? ? ? ? ? ? ? ?pulseaudio_role(staff_r, staff_t)
> +? ? ? ?')
> +
>
> This has nothing to do with window managers. Pulse stuff should be in
> a separate patch.

Yes, it has nothing to do with window managers.

It is a general bug in the current policy, because pulseaudio does not
depend on dbus.

I took a chance to fix it, which is probably better than not fixing it.

> +? ? ? ?optional_policy(`
> ? ? ? ? ? ? ? ? pyzor_role(staff_r, staff_t)
> ? ? ? ? ')
>
> diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te
> refpolicy-git-07122016/policy/modules/roles/sysadm.te
> --- refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te? 2016-
> 12-14 02:24:53.397000941 +0100
> +++ refpolicy-git-07122016/policy/modules/roles/sysadm.te? ? ? ?2016-
> 12-13 22:45:25.577422292 +0100
> @@ -1246,6 +1246,10 @@ ifndef(`distro_redhat',`
> ? ? ? ? ? ? ? ? optional_policy(`
> ? ? ? ? ? ? ? ? ? ? ? ? gnome_role_template(sysadm, sysadm_r,
> sysadm_t)
> ? ? ? ? ? ? ? ? ')
> +
> +? ? ? ? ? ? ? ?optional_policy(`
> +? ? ? ? ? ? ? ? ? ? ? ?wm_role_template(sysadm, sysadm_r, sysadm_t)
> +? ? ? ? ? ? ? ?')
> ? ? ? ? ')
>
> ? ? ? ? optional_policy(`
> diff -pruN refpolicy-git-07122016-
> orig/policy/modules/roles/unprivuser.te refpolicy-git-
> 07122016/policy/modules/roles/unprivuser.te
> --- refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te? ?
> ? 2016-12-14 02:24:53.398000965 +0100
> +++ refpolicy-git-07122016/policy/modules/roles/unprivuser.te? ?2016-
> 12-13 22:44:50.493540449 +0100
> @@ -57,11 +57,11 @@ ifndef(`distro_redhat',`
> ? ? ? ? ? ? ? ? ')
>
> ? ? ? ? ? ? ? ? optional_policy(`
> -? ? ? ? ? ? ? ? ? ? ? ?pulseaudio_role(user_r, user_t)
> +? ? ? ? ? ? ? ? ? ? ? ?telepathy_role_template(user, user_r, user_t)
> ? ? ? ? ? ? ? ? ')
>
> ? ? ? ? ? ? ? ? optional_policy(`
> -? ? ? ? ? ? ? ? ? ? ? ?telepathy_role_template(user, user_r, user_t)
> +? ? ? ? ? ? ? ? ? ? ? ?wm_role_template(user, user_r, user_t)
> ? ? ? ? ? ? ? ? ')
> ? ? ? ? ')
>
> @@ -122,6 +122,10 @@ ifndef(`distro_redhat',`
> ? ? ? ? ')
>
> ? ? ? ? optional_policy(`
> +? ? ? ? ? ? ? ?pulseaudio_role(user_r, user_t)
> +? ? ? ?')
> +
>
> What's up with the random rearranging of the lines here? It makes the
> patch seem like it's doing more than it is.
>
> +? ? ? ?optional_policy(`
> ? ? ? ? ? ? ? ? pyzor_role(user_r, user_t)
> ? ? ? ? ')

I have tested the patchset with and without gdm and it works fine.

I recommend applying it, as it brings benefits to all Reference Policy
users.

Guido
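The "random rearranging" Jason asks about is easier to judge with a comparison that ignores line order. What follows is an added example written for this page, not code from the thread or from refpolicy: it parses the optional_policy(` ... ') nesting of a role-file fragment and reports interface calls that were added, removed, or moved between blocks. The two fragments are constructed from the staff.te hunks above; the outer block with dbus_role_template() stands in for the enclosing block whose opening line the hunks do not show, which is an assumption.

```python
"""Semantic comparison of refpolicy .te fragments.

Added example for this thread; it is not code from refpolicy or from any
of the posters. It parses the m4-style block nesting used in refpolicy
role files (optional_policy(` ... '), ifndef(`...',` ... ')) and compares
the set of interface calls, together with their nesting depth, between
two versions of a fragment. A textual diff of a reordered file shows
-/+ pairs that look like replacements; this shows what really changed.
"""
import re

# interface_name(arg1, arg2, ...) on a single line
CALL_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\((.*)\)$")


def parse_calls(text):
    """Return a set of (interface, args, depth) for every call in `text`.

    `depth` counts the enclosing m4 blocks, so a call that moves from
    inside an optional_policy block to outside it is reported as moved.
    Only the line shapes seen in role files are handled; anything else
    raises, which is what we want from a linter.
    """
    calls = set()
    depth = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("`"):            # optional_policy(` / ifndef(`x',`
            depth += 1
            continue
        if line == "')":
            if depth == 0:
                raise ValueError("line %d: unbalanced ')" % lineno)
            depth -= 1
            continue
        m = CALL_RE.match(line)
        if not m:
            raise ValueError("line %d: unrecognised: %s" % (lineno, line))
        args = tuple(a.strip() for a in m.group(2).split(",") if a.strip())
        calls.add((m.group(1), args, depth))
    if depth:
        raise ValueError("%d block(s) left open at end of fragment" % depth)
    return calls


def semantic_diff(old, new):
    """Classify calls as added, removed or moved (same call, other depth)."""
    old_by_key = {(name, args): depth for name, args, depth in parse_calls(old)}
    new_by_key = {(name, args): depth for name, args, depth in parse_calls(new)}
    added = sorted(k for k in new_by_key if k not in old_by_key)
    removed = sorted(k for k in old_by_key if k not in new_by_key)
    moved = sorted((k, old_by_key[k], new_by_key[k]) for k in old_by_key
                   if k in new_by_key and old_by_key[k] != new_by_key[k])
    return {"added": added, "removed": removed, "moved": moved}


# Constructed fragments modelled on the staff.te hunks in the thread; the
# outer block stands for the dbus optional_policy block the role file uses
# (assumed, the hunks do not show its opening line).
OLD_STAFF_TE = """\
optional_policy(`
    dbus_role_template(staff, staff_r, staff_t)

    optional_policy(`
        pulseaudio_role(staff_r, staff_t)
    ')

    optional_policy(`
        telepathy_role_template(staff, staff_r, staff_t)
    ')
')

optional_policy(`
    pyzor_role(staff_r, staff_t)
')
"""

NEW_STAFF_TE = """\
optional_policy(`
    dbus_role_template(staff, staff_r, staff_t)

    optional_policy(`
        telepathy_role_template(staff, staff_r, staff_t)
    ')

    optional_policy(`
        wm_role_template(staff, staff_r, staff_t)
    ')
')

optional_policy(`
    pulseaudio_role(staff_r, staff_t)
')

optional_policy(`
    pyzor_role(staff_r, staff_t)
')
"""

if __name__ == "__main__":
    for kind, items in semantic_diff(OLD_STAFF_TE, NEW_STAFF_TE).items():
        for item in items:
            print(kind, item)
```

Run against the two fragments it reports one addition (wm_role_template) and one move (pulseaudio_role from depth 2 to depth 1), and nothing removed, which is the whole content of the two staff.te hunks once the positional -/+ pairs are discounted.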


2016-12-14 21:25:52

by Chris PeBenito

Subject: [refpolicy] [PATCH v2 1/5] wm: update the window manager (wm) module and enable its role template (v5)

On 12/14/16 08:23, Guido Trentalancia via refpolicy wrote:
> Hello Jason,
>
> you took the list off for this message, I think this is not
> intentional, so I am bringing the reply back on the list...
>
> On Wed, 14/12/2016 at 21.01 +0800, Jason Zaman wrote:
>>
>>
>> On 14 Dec 2016 09:54, "Guido Trentalancia via refpolicy" <refpolicy@o
>> ss.tresys.com> wrote:
>> Enable the window manager role (wm contrib module) and update
>> the module to work with gnome-shell.
>>
>> This patch requires the following recently posted patch for the
>> games module:
>>
>> [PATCH v3 1/2] games: general update and improved pulseaudio
>> integration
>> http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html
>>
>> This patch has received some testing with the following two
>> configurations:
>> - gnome-shell executing in normal mode (with display managers
>> other than gdm, such as xdm from XOrg);
>> - gnome-shell executing in gdm mode (with the Gnome Display
>> Manager).
>>
>> Patches 3/5, 4/5 and 5/5 are needed when gnome-shell is used
>> in conjunction with gdm.
>>
>> Since the window managers are not limited by gnome-shell, this latter
>> version of the patch (along with part 2/5) uses separate optional
>> conditionals for the gnome and wm role templates.
>>
>> Signed-off-by: Guido Trentalancia <[email protected]>
>> ---
>> policy/modules/contrib/colord.te | 5 ++
>> policy/modules/contrib/dbus.te | 5 ++
>> policy/modules/contrib/wm.if | 43 +++++++++++++++++-
>> policy/modules/contrib/wm.te | 88
>> ++++++++++++++++++++++++++++++++++++-
>> policy/modules/roles/staff.te | 8 ++-
>> policy/modules/roles/sysadm.te | 4 +
>> policy/modules/roles/unprivuser.te | 8 ++-
>> 7 files changed, 155 insertions(+), 6 deletions(-)
>>

[...]

>> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.te
>> refpolicy-git-07122016/policy/modules/contrib/wm.te
>> --- refpolicy-git-07122016-orig/policy/modules/contrib/wm.te 2016-
>> 12-14 02:24:53.396000918 +0100
>> +++ refpolicy-git-07122016/policy/modules/contrib/wm.te 2016-12-13
>> 00:34:34.876856837 +0100
>> @@ -10,6 +10,18 @@ attribute wm_domain;
>> type wm_exec_t;
>> corecmd_executable_file(wm_exec_t)
>>
>> +type wm_tmp_t;
>> +typealias wm_tmp_t alias { user_wm_tmp_t staff_wm_tmp_t
>> sysadm_wm_tmp_t };
>> +userdom_user_tmp_file(wm_tmp_t)
>> +
>> +type wm_tmpfs_t;
>> +typealias wm_tmpfs_t alias { user_wm_tmpfs_t staff_wm_tmpfs_t
>> sysadm_wm_tmpfs_t };
>> +userdom_user_tmpfs_file(wm_tmpfs_t)

Don't add aliases. The alias types never existed, so there is no
compatibility to preserve.


--
Chris PeBenito

2016-12-14 21:29:40

by guido

Subject: [refpolicy] [PATCH v2 1/5] wm: update the window manager (wm) module and enable its role template (v5)

Yes, thanks for pointing that out.

The new revised version will be ready soon...

On the 14th December 2016 22:25:52 CET, Chris PeBenito <[email protected]> wrote:
>On 12/14/16 08:23, Guido Trentalancia via refpolicy wrote:
>> Hello Jason,
>>
>> you took the list off for this message, I think this is not
>> intentional, so I am bringing the reply back on the list...
>>
>> On Wed, 14/12/2016 at 21.01 +0800, Jason Zaman wrote:
>>>
>>>
>>> On 14 Dec 2016 09:54, "Guido Trentalancia via refpolicy"
><refpolicy@o
>>> ss.tresys.com> wrote:
>>> Enable the window manager role (wm contrib module) and update
>>> the module to work with gnome-shell.
>>>
>>> This patch requires the following recently posted patch for the
>>> games module:
>>>
>>> [PATCH v3 1/2] games: general update and improved pulseaudio
>>> integration
>>> http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html
>>>
>>> This patch has received some testing with the following two
>>> configurations:
>>> - gnome-shell executing in normal mode (with display managers
>>> other than gdm, such as xdm from XOrg);
>>> - gnome-shell executing in gdm mode (with the Gnome Display
>>> Manager).
>>>
>>> Patches 3/5, 4/5 and 5/5 are needed when gnome-shell is used
>>> in conjunction with gdm.
>>>
>>> Since the window managers are not limited by gnome-shell, this
>latter
>>> version of the patch (along with part 2/5) uses separate optional
>>> conditionals for the gnome and wm role templates.
>>>
>>> Signed-off-by: Guido Trentalancia <[email protected]>
>>> ---
>>> policy/modules/contrib/colord.te | 5 ++
>>> policy/modules/contrib/dbus.te | 5 ++
>>> policy/modules/contrib/wm.if | 43 +++++++++++++++++-
>>> policy/modules/contrib/wm.te | 88
>>> ++++++++++++++++++++++++++++++++++++-
>>> policy/modules/roles/staff.te | 8 ++-
>>> policy/modules/roles/sysadm.te | 4 +
>>> policy/modules/roles/unprivuser.te | 8 ++-
>>> 7 files changed, 155 insertions(+), 6 deletions(-)
>>>
>
>[...]
>
>>> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.te
>>> refpolicy-git-07122016/policy/modules/contrib/wm.te
>>> --- refpolicy-git-07122016-orig/policy/modules/contrib/wm.te
>2016-
>>> 12-14 02:24:53.396000918 +0100
>>> +++ refpolicy-git-07122016/policy/modules/contrib/wm.te 2016-12-13
>>> 00:34:34.876856837 +0100
>>> @@ -10,6 +10,18 @@ attribute wm_domain;
>>> type wm_exec_t;
>>> corecmd_executable_file(wm_exec_t)
>>>
>>> +type wm_tmp_t;
>>> +typealias wm_tmp_t alias { user_wm_tmp_t staff_wm_tmp_t
>>> sysadm_wm_tmp_t };
>>> +userdom_user_tmp_file(wm_tmp_t)
>>> +
>>> +type wm_tmpfs_t;
>>> +typealias wm_tmpfs_t alias { user_wm_tmpfs_t staff_wm_tmpfs_t
>>> sysadm_wm_tmpfs_t };
>>> +userdom_user_tmpfs_file(wm_tmpfs_t)
>
>Don't add aliases. The alias types never existed, so there is no
>compatibility to preserve.

2016-12-14 23:43:19

by guido

Subject: [refpolicy] [PATCH v3 1/5] wm: update the window manager (wm) module and enable its role template (v6)

Enable the window manager role (wm contrib module) and update
the module to work with gnome-shell.

This patch requires the following recently posted patch for the
games module:

[PATCH v3 1/2] games: general update and improved pulseaudio integration
http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html

This patch has received some testing with the following two
configurations:
- gnome-shell executing in normal mode (with display managers
other than gdm, such as xdm from XOrg);
- gnome-shell executing in gdm mode (with the Gnome Display
Manager).

Patches 3/5, 4/5 and 5/5 are needed when gnome-shell is used
in conjunction with gdm.

Since the window managers are not limited by gnome-shell, this latter
version of the patch (along with part 2/5) uses separate optional
conditionals for the gnome and wm role templates.

The new wm_application_domain() interface introduced in the sixth
version of this patch is an idea of Jason Zaman.

This patch also fixes a minor bug in the way the pulseaudio_role()
interface is optionally included by the role templates (pulseaudio
does not depend on dbus).

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/colord.te | 5 ++
policy/modules/contrib/dbus.te | 5 ++
policy/modules/contrib/evolution.te | 4 +
policy/modules/contrib/games.te | 4 +
policy/modules/contrib/java.te | 4 +
policy/modules/contrib/mono.te | 4 +
policy/modules/contrib/mozilla.te | 4 +
policy/modules/contrib/mplayer.te | 4 +
policy/modules/contrib/wm.if | 89 +++++++++++++++++++++++++++++++++++-
policy/modules/contrib/wm.te | 62 ++++++++++++++++++++++++-
policy/modules/roles/staff.te | 8 ++-
policy/modules/roles/sysadm.te | 4 +
policy/modules/roles/unprivuser.te | 8 ++-
13 files changed, 199 insertions(+), 6 deletions(-)

diff -pru a/policy/modules/contrib/colord.te b/policy/modules/contrib/colord.te
--- a/policy/modules/contrib/colord.te 2016-08-14 21:28:11.468519205 +0200
+++ b/policy/modules/contrib/colord.te 2016-12-14 02:45:54.815580399 +0100
@@ -137,3 +137,8 @@ optional_policy(`
udev_read_db(colord_t)
udev_read_pid_files(colord_t)
')
+
+optional_policy(`
+ xserver_read_xdm_lib_files(colord_t)
+ xserver_use_xdm_fds(colord_t)
+')
diff -pru a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
--- a/policy/modules/contrib/dbus.te 2016-08-14 21:28:11.477519343 +0200
+++ b/policy/modules/contrib/dbus.te 2016-12-14 02:24:00.796768671 +0100
@@ -159,6 +159,11 @@ optional_policy(`
udev_read_db(system_dbusd_t)
')

+optional_policy(`
+ xserver_read_xdm_lib_files(system_dbusd_t)
+ xserver_use_xdm_fds(system_dbusd_t)
+')
+
########################################
#
# Common session bus local policy
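Review bot: as with the colord.te hunk above, the commit message says nothing about system_dbusd_t gaining xserver_read_xdm_lib_files() and xserver_use_xdm_fds(); the system bus daemon is not part of the wm module, so the reason (the gdm-mode setup, if that is what triggers the denials) should be stated and the change ideally carried in a separate patch.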
diff -pru a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
--- a/policy/modules/contrib/evolution.te 2016-12-07 13:39:49.975910286 +0100
+++ b/policy/modules/contrib/evolution.te 2016-12-15 00:18:21.791452219 +0100
@@ -23,6 +23,10 @@ typealias evolution_t alias { auditadm_e
userdom_user_application_domain(evolution_t, evolution_exec_t)
role evolution_roles types evolution_t;

+optional_policy(`
+ wm_application_domain(evolution_t, evolution_exec_t)
+')
+
type evolution_alarm_t;
type evolution_alarm_exec_t;
typealias evolution_alarm_t alias { user_evolution_alarm_t staff_evolution_alarm_t sysadm_evolution_alarm_t };
diff -pru a/policy/modules/contrib/games.te b/policy/modules/contrib/games.te
--- a/policy/modules/contrib/games.te 2016-12-12 01:59:37.872004679 +0100
+++ b/policy/modules/contrib/games.te 2016-12-15 00:19:55.191238925 +0100
@@ -14,6 +14,10 @@ typealias games_t alias { auditadm_games
userdom_user_application_domain(games_t, games_exec_t)
role games_roles types games_t;

+optional_policy(`
+ wm_application_domain(games_t, games_exec_t)
+')
+
type games_data_t;
typealias games_data_t alias { user_games_data_t staff_games_data_t sysadm_games_data_t };
typealias games_data_t alias { auditadm_games_data_t secadm_games_data_t };
diff -pru a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
--- a/policy/modules/contrib/java.te 2016-08-14 21:28:11.504519758 +0200
+++ b/policy/modules/contrib/java.te 2016-12-15 00:23:12.650129586 +0100
@@ -27,6 +27,10 @@ typealias java_t alias { staff_javaplugi
typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
role java_roles types java_t;

+optional_policy(`
+ wm_application_domain(java_t, java_exec_t)
+')
+
type java_home_t;
userdom_user_home_content(java_home_t)

diff -pru a/policy/modules/contrib/mono.te b/policy/modules/contrib/mono.te
--- a/policy/modules/contrib/mono.te 2016-08-14 21:28:11.520520004 +0200
+++ b/policy/modules/contrib/mono.te 2016-12-15 00:24:01.783117146 +0100
@@ -16,6 +16,10 @@ role mono_roles types mono_t;

application_type(mono_t)

+optional_policy(`
+ wm_application_domain(mono_t, mono_exec_t)
+')
+
########################################
#
# Common local policy
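Review bot: mono.te already has application_type(mono_t) two lines above the new block, and the wm_application_domain() body in the wm.if hunk of this patch calls application_type($1) as well, so the type is declared an application type twice whenever the wm module is present. Harmless, but either drop the explicit line here or note in the interface description that callers which already use application_type() get the duplicate; it is also worth checking whether userdom_user_application_domain(), used by the other modules converted in this patch, already applies application_type() and ubac_constrained() so that the interface only needs the domtrans_pattern() part.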
diff -pru a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
--- a/policy/modules/contrib/mozilla.te 2016-12-14 16:31:11.432155580 +0100
+++ b/policy/modules/contrib/mozilla.te 2016-12-15 00:24:45.672785494 +0100
@@ -24,6 +24,10 @@ typealias mozilla_t alias { auditadm_moz
userdom_user_application_domain(mozilla_t, mozilla_exec_t)
role mozilla_roles types mozilla_t;

+optional_policy(`
+ wm_application_domain(mozilla_t, mozilla_exec_t)
+')
+
type mozilla_home_t;
typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
diff -pru a/policy/modules/contrib/mplayer.te b/policy/modules/contrib/mplayer.te
--- a/policy/modules/contrib/mplayer.te 2016-10-29 16:29:19.667325422 +0200
+++ b/policy/modules/contrib/mplayer.te 2016-12-15 00:25:40.085738055 +0100
@@ -30,6 +30,10 @@ typealias mplayer_t alias { auditadm_mpl
userdom_user_application_domain(mplayer_t, mplayer_exec_t)
role mplayer_roles types mplayer_t;

+optional_policy(`
+ wm_application_domain(mplayer_t, mplayer_exec_t)
+')
+
type mplayer_etc_t;
files_config_file(mplayer_etc_t)

diff -pru a/policy/modules/contrib/wm.if b/policy/modules/contrib/wm.if
--- a/policy/modules/contrib/wm.if 2016-12-14 02:24:53.377000472 +0100
+++ b/policy/modules/contrib/wm.if 2016-12-15 00:16:28.516076888 +0100
@@ -47,6 +47,8 @@ template(`wm_role_template',`
# Policy
#

+ allow $3 $1_wm_t:fd use;
+
allow $1_wm_t $3:unix_stream_socket connectto;
allow $3 $1_wm_t:unix_stream_socket connectto;

@@ -72,6 +74,7 @@ template(`wm_role_template',`
xserver_manage_core_devices($1_wm_t)

optional_policy(`
+ dbus_connect_spec_session_bus($1, $1_wm_t)
dbus_spec_session_bus_client($1, $1_wm_t)
dbus_system_bus_client($1_wm_t)

@@ -81,7 +84,7 @@ template(`wm_role_template',`
')

optional_policy(`
- gnome_stream_connect_gkeyringd($1, $1_wm_t)
+ gnome_stream_connect_all_gkeyringd($1_wm_t)
')

optional_policy(`
@@ -134,3 +137,87 @@ interface(`wm_dbus_chat',`
allow $2 $1_wm_t:dbus send_msg;
allow $1_wm_t $2:dbus send_msg;
')
+
+########################################
+## <summary>
+## Do not audit attempts to execute
+## files in temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`wm_dontaudit_exec_tmp_files',`
+ gen_require(`
+ type wm_tmp_t;
+ ')
+
+ dontaudit $1 wm_tmp_t:file exec_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to execute
+## files in temporary filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`wm_dontaudit_exec_tmpfs_files',`
+ gen_require(`
+ type wm_tmpfs_t;
+ ')
+
+ dontaudit $1 wm_tmpfs_t:file exec_file_perms;
+')
+
+########################################
+## <summary>
+## Create a domain for applications
+## that are launched by the window
+## manager.
+## </summary>
+## <desc>
+## <p>
+## Create a domain for applications that are launched by the
+## window manager (implying a domain transition). Typically
+## these are graphical applications that are run interactively.
+## </p>
+## <p>
+## The types will be made usable as a domain and file, making
+## calls to domain_type() and files_type() redundant.
+## </p>
+## </desc>
+## <param name="target_domain">
+## <summary>
+## Type to be used in the domain transition as the application
+## domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+## <param name="source_domain">
+## <summary>
+## Type to be used as the source window manager domain.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`wm_application_domain',`
+ gen_require(`
+ attribute wm_domain;
+ ')
+
+ application_type($1)
+ ubac_constrained($1)
+ application_executable_file($2)
+ domtrans_pattern(wm_domain, $2, $1)
+')
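Review bot: the XML for wm_application_domain() documents a third parameter, source_domain ("Type to be used as the source window manager domain"), but the body takes only $1 and $2 and hard-codes wm_domain through gen_require; every caller in this patch passes two arguments. Drop the source_domain block so the generated interface documentation matches the code, or, if a per-wm source domain is intended, make it a real parameter and pass it from the callers.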
diff -pru a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
--- a/policy/modules/contrib/wm.te 2016-12-14 02:24:53.396000918 +0100
+++ b/policy/modules/contrib/wm.te 2016-12-15 00:26:06.044631194 +0100
@@ -10,6 +10,16 @@ attribute wm_domain;
type wm_exec_t;
corecmd_executable_file(wm_exec_t)

+type wm_tmp_t;
+userdom_user_tmp_file(wm_tmp_t)
+
+type wm_tmpfs_t;
+userdom_user_tmpfs_file(wm_tmpfs_t)
+
+optional_policy(`
+ pulseaudio_tmpfs_content(wm_tmpfs_t)
+')
+
########################################
#
# Common wm domain local policy
@@ -21,31 +31,60 @@ allow wm_domain self:netlink_kobject_uev
allow wm_domain self:shm create_shm_perms;
allow wm_domain self:unix_dgram_socket create_socket_perms;

+manage_dirs_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
+manage_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
+manage_lnk_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
+files_tmp_filetrans(wm_domain, wm_tmp_t, { dir file lnk_file })
+
+manage_dirs_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
+manage_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
+manage_lnk_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
+fs_tmpfs_filetrans(wm_domain, wm_tmpfs_t, { dir file lnk_file })
+
+can_exec(wm_domain, wm_exec_t)
+
kernel_read_system_state(wm_domain)

corecmd_getattr_all_executables(wm_domain)

+dev_read_rand(wm_domain)
dev_read_sound(wm_domain)
dev_read_sysfs(wm_domain)
dev_read_urand(wm_domain)
+dev_rw_dri(wm_domain)
dev_rw_wireless(wm_domain)
dev_write_sound(wm_domain)

+files_read_etc_runtime_files(wm_domain)
files_read_usr_files(wm_domain)

fs_getattr_all_fs(wm_domain)

+kernel_read_fs_sysctls(wm_domain)
+kernel_read_proc_symlinks(wm_domain)
+kernel_read_sysctl(wm_domain)
+
miscfiles_read_fonts(wm_domain)
+miscfiles_read_generic_certs(wm_domain)
miscfiles_read_localization(wm_domain)

+udev_read_pid_files(wm_domain)
+
+# this is needed by gnome-shell
+userdom_exec_user_home_content_files(wm_domain)
+
userdom_manage_user_tmp_sockets(wm_domain)
userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file)

userdom_manage_user_home_content_dirs(wm_domain)
userdom_manage_user_home_content_files(wm_domain)
+
userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file })

+wm_dontaudit_exec_tmp_files(wm_domain)
+wm_dontaudit_exec_tmpfs_files(wm_domain)
+
optional_policy(`
accountsd_dbus_chat(wm_domain)
')
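Review bot: the comment on userdom_exec_user_home_content_files(wm_domain) ("this is needed by gnome-shell") should say what gnome-shell executes from the home directory, because this rule lets every domain carrying the wm_domain attribute execute any generic user home content file, which is considerably broader than the permissions around it. If it is one class of files, a dedicated type with a narrower exec rule would keep the rest of the home directory non-executable for the window manager. The can_exec(wm_domain, wm_exec_t) addition likewise deserves a one-line comment saying which window manager re-executes its own binary.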
@@ -55,10 +94,27 @@ optional_policy(`
')

optional_policy(`
+ consolekit_dbus_chat(wm_domain)
+')
+
+optional_policy(`
devicekit_dbus_chat_power(wm_domain)
')

optional_policy(`
+ evolution_dbus_chat(wm_domain)
+ evolution_alarm_dbus_chat(wm_domain)
+')
+
+optional_policy(`
+ games_dbus_chat(wm_domain)
+')
+
+optional_policy(`
+ mozilla_dbus_chat(wm_domain)
+')
+
+optional_policy(`
networkmanager_dbus_chat(wm_domain)
')

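Review bot: games_dbus_chat(wm_domain) only resolves if the games patch referenced in the description is applied first; optional_policy() does not guard against an interface that is not defined at all, so merging this hunk before that patch breaks the policy build. Worth stating the ordering explicitly in the cover text or moving the games hunk into that series.
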
@@ -67,9 +123,13 @@ optional_policy(`
')

optional_policy(`
- pulseaudio_stream_connect(wm_domain)
+ telepathy_mission_control_dbus_chat(wm_domain)
')

optional_policy(`
userhelper_exec_consolehelper(wm_domain)
')
+
+optional_policy(`
+ xserver_dbus_chat_xdm(wm_domain)
+')
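
Review bot: the removal of pulseaudio_stream_connect(wm_domain) is not explained in the description. pulseaudio_role() in the role files is applied to the user domain (staff_t, user_t), not to the $1_wm_t domains, so if the window manager still needs the pulseaudio socket this drop will surface as a denial; either keep the call or say where the access now comes from.
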
diff -pru a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
--- a/policy/modules/roles/staff.te 2016-12-14 02:24:53.397000941 +0100
+++ b/policy/modules/roles/staff.te 2016-12-13 22:45:02.857851229 +0100
@@ -88,11 +88,11 @@ ifndef(`distro_redhat',`
')

optional_policy(`
- pulseaudio_role(staff_r, staff_t)
+ telepathy_role_template(staff, staff_r, staff_t)
')

optional_policy(`
- telepathy_role_template(staff, staff_r, staff_t)
+ wm_role_template(staff, staff_r, staff_t)
')
')
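
Review bot: wm_role_template(staff, staff_r, staff_t) is placed inside the nested block from which the next hunk moves pulseaudio_role() out; wm.if wraps its own dbus calls in an optional_policy(), so the template has no hard dependency on the enclosing conditional either. Either put it at the outer level next to pulseaudio_role(), or say in the description why it belongs inside. The same applies to the unprivuser.te hunk.
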

@@ -145,6 +145,10 @@ ifndef(`distro_redhat',`
')

optional_policy(`
+ pulseaudio_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
pyzor_role(staff_r, staff_t)
')

diff -pru a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
--- a/policy/modules/roles/sysadm.te 2016-12-14 02:24:53.397000941 +0100
+++ b/policy/modules/roles/sysadm.te 2016-12-13 22:45:25.577422292 +0100
@@ -1246,6 +1246,10 @@ ifndef(`distro_redhat',`
optional_policy(`
gnome_role_template(sysadm, sysadm_r, sysadm_t)
')
+
+ optional_policy(`
+ wm_role_template(sysadm, sysadm_r, sysadm_t)
+ ')
')

optional_policy(`
diff -pru a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
--- a/policy/modules/roles/unprivuser.te 2016-12-14 02:24:53.398000965 +0100
+++ b/policy/modules/roles/unprivuser.te 2016-12-13 22:44:50.493540449 +0100
@@ -57,11 +57,11 @@ ifndef(`distro_redhat',`
')

optional_policy(`
- pulseaudio_role(user_r, user_t)
+ telepathy_role_template(user, user_r, user_t)
')

optional_policy(`
- telepathy_role_template(user, user_r, user_t)
+ wm_role_template(user, user_r, user_t)
')
')

@@ -122,6 +122,10 @@ ifndef(`distro_redhat',`
')

optional_policy(`
+ pulseaudio_role(user_r, user_t)
+ ')
+
+ optional_policy(`
pyzor_role(user_r, user_t)
')


2016-12-16 00:31:47

by Chris PeBenito

Subject: [refpolicy] [PATCH v3 1/5] wm: update the window manager (wm) module and enable its role template (v6)

On 12/14/16 18:43, Guido Trentalancia via refpolicy wrote:
> Enable the window manager role (wm contrib module) and update
> the module to work with gnome-shell.
>
> This patch requires the following recently posted patch for the
> games module:
>
> [PATCH v3 1/2] games: general update and improved pulseaudio integration
> http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html
>
> This patch has received some testing with the following two
> configurations:
> - gnome-shell executing in normal mode (with display managers
> other than gdm, such as xdm from XOrg);
> - gnome-shell executing in gdm mode (with the Gnome Display
> Manager).
>
> Patches 3/5, 4/5 and 5/5 are needed when gnome-shell is used
> in conjunction with gdm.
>
> Since the window managers are not limited by gnome-shell, this latter
> version of the patch (along with part 2/5) uses separate optional
> conditionals for the gnome and wm role templates.
>
> The new wm_application_domain() interface introduced in the sixth
> version of this patch is an idea of Jason Zaman.
>
> This patch also fixes a minor bug in the way the pulseaudio_role()
> interface is optionally included by the role templates (pulseaudio
> does not depend on dbus).

I'm willing to merge this set, but the patches need to be broken up so I
can commit them to contrib and base separately.


>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/colord.te | 5 ++
> policy/modules/contrib/dbus.te | 5 ++
> policy/modules/contrib/evolution.te | 4 +
> policy/modules/contrib/games.te | 4 +
> policy/modules/contrib/java.te | 4 +
> policy/modules/contrib/mono.te | 4 +
> policy/modules/contrib/mozilla.te | 4 +
> policy/modules/contrib/mplayer.te | 4 +
> policy/modules/contrib/wm.if | 89 +++++++++++++++++++++++++++++++++++-
> policy/modules/contrib/wm.te | 62 ++++++++++++++++++++++++-
> policy/modules/roles/staff.te | 8 ++-
> policy/modules/roles/sysadm.te | 4 +
> policy/modules/roles/unprivuser.te | 8 ++-
> 13 files changed, 199 insertions(+), 6 deletions(-)
>
> diff -pru a/policy/modules/contrib/colord.te b/policy/modules/contrib/colord.te
> --- a/policy/modules/contrib/colord.te 2016-08-14 21:28:11.468519205 +0200
> +++ b/policy/modules/contrib/colord.te 2016-12-14 02:45:54.815580399 +0100
> @@ -137,3 +137,8 @@ optional_policy(`
> udev_read_db(colord_t)
> udev_read_pid_files(colord_t)
> ')
> +
> +optional_policy(`
> + xserver_read_xdm_lib_files(colord_t)
> + xserver_use_xdm_fds(colord_t)
> +')
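
Review bot: xserver_use_xdm_fds(colord_t) and xserver_read_xdm_lib_files(colord_t) need a rationale in the commit message: colord is a system service, so if these descriptors are merely inherited from a gdm-started process a dontaudit is the usual fix, and an allow should be reserved for a descriptor colord actually uses. Both this and the matching dbus.te hunk look like gdm-mode changes that belong with patches 3/5 to 5/5 rather than in the wm update.
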
> diff -pru a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
> --- a/policy/modules/contrib/dbus.te 2016-08-14 21:28:11.477519343 +0200
> +++ b/policy/modules/contrib/dbus.te 2016-12-14 02:24:00.796768671 +0100
> @@ -159,6 +159,11 @@ optional_policy(`
> udev_read_db(system_dbusd_t)
> ')
>
> +optional_policy(`
> + xserver_read_xdm_lib_files(system_dbusd_t)
> + xserver_use_xdm_fds(system_dbusd_t)
> +')
> +
> ########################################
> #
> # Common session bus local policy
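
Review bot: system_dbusd_t is the system bus daemon, so xserver_read_xdm_lib_files() and xserver_use_xdm_fds() on it are surprising; say which xdm library files it reads and which descriptor it inherits, and if the fds only leak across the gdm fork, prefer a dontaudit over the allow.
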
> diff -pru a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
> --- a/policy/modules/contrib/evolution.te 2016-12-07 13:39:49.975910286 +0100
> +++ b/policy/modules/contrib/evolution.te 2016-12-15 00:18:21.791452219 +0100
> @@ -23,6 +23,10 @@ typealias evolution_t alias { auditadm_e
> userdom_user_application_domain(evolution_t, evolution_exec_t)
> role evolution_roles types evolution_t;
>
> +optional_policy(`
> + wm_application_domain(evolution_t, evolution_exec_t)
> +')
> +
> type evolution_alarm_t;
> type evolution_alarm_exec_t;
> typealias evolution_alarm_t alias { user_evolution_alarm_t staff_evolution_alarm_t sysadm_evolution_alarm_t };
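
Review bot: this and the five identical hunks that follow (games, java, mono, mozilla, mplayer) pass types that the surrounding lines already declare as application domains (userdom_user_application_domain() here, application_type() in mono.te), so the application_type() and application_executable_file() calls inside wm_application_domain() repeat work already done; the effective new rule is the domain transition from wm_domain. A sentence in the description listing why these six applications get a transition from the window manager would help reviewers.
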
> diff -pru a/policy/modules/contrib/games.te b/policy/modules/contrib/games.te
> --- a/policy/modules/contrib/games.te 2016-12-12 01:59:37.872004679 +0100
> +++ b/policy/modules/contrib/games.te 2016-12-15 00:19:55.191238925 +0100
> @@ -14,6 +14,10 @@ typealias games_t alias { auditadm_games
> userdom_user_application_domain(games_t, games_exec_t)
> role games_roles types games_t;
>
> +optional_policy(`
> + wm_application_domain(games_t, games_exec_t)
> +')
> +
> type games_data_t;
> typealias games_data_t alias { user_games_data_t staff_games_data_t sysadm_games_data_t };
> typealias games_data_t alias { auditadm_games_data_t secadm_games_data_t };
> diff -pru a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
> --- a/policy/modules/contrib/java.te 2016-08-14 21:28:11.504519758 +0200
> +++ b/policy/modules/contrib/java.te 2016-12-15 00:23:12.650129586 +0100
> @@ -27,6 +27,10 @@ typealias java_t alias { staff_javaplugi
> typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
> role java_roles types java_t;
>
> +optional_policy(`
> + wm_application_domain(java_t, java_exec_t)
> +')
> +
> type java_home_t;
> userdom_user_home_content(java_home_t)
>
> diff -pru a/policy/modules/contrib/mono.te b/policy/modules/contrib/mono.te
> --- a/policy/modules/contrib/mono.te 2016-08-14 21:28:11.520520004 +0200
> +++ b/policy/modules/contrib/mono.te 2016-12-15 00:24:01.783117146 +0100
> @@ -16,6 +16,10 @@ role mono_roles types mono_t;
>
> application_type(mono_t)
>
> +optional_policy(`
> + wm_application_domain(mono_t, mono_exec_t)
> +')
> +
> ########################################
> #
> # Common local policy
> diff -pru a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
> --- a/policy/modules/contrib/mozilla.te 2016-12-14 16:31:11.432155580 +0100
> +++ b/policy/modules/contrib/mozilla.te 2016-12-15 00:24:45.672785494 +0100
> @@ -24,6 +24,10 @@ typealias mozilla_t alias { auditadm_moz
> userdom_user_application_domain(mozilla_t, mozilla_exec_t)
> role mozilla_roles types mozilla_t;
>
> +optional_policy(`
> + wm_application_domain(mozilla_t, mozilla_exec_t)
> +')
> +
> type mozilla_home_t;
> typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
> typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
> diff -pru a/policy/modules/contrib/mplayer.te b/policy/modules/contrib/mplayer.te
> --- a/policy/modules/contrib/mplayer.te 2016-10-29 16:29:19.667325422 +0200
> +++ b/policy/modules/contrib/mplayer.te 2016-12-15 00:25:40.085738055 +0100
> @@ -30,6 +30,10 @@ typealias mplayer_t alias { auditadm_mpl
> userdom_user_application_domain(mplayer_t, mplayer_exec_t)
> role mplayer_roles types mplayer_t;
>
> +optional_policy(`
> + wm_application_domain(mplayer_t, mplayer_exec_t)
> +')
> +
> type mplayer_etc_t;
> files_config_file(mplayer_etc_t)
>
> diff -pru a/policy/modules/contrib/wm.if b/policy/modules/contrib/wm.if
> --- a/policy/modules/contrib/wm.if 2016-12-14 02:24:53.377000472 +0100
> +++ b/policy/modules/contrib/wm.if 2016-12-15 00:16:28.516076888 +0100
> @@ -47,6 +47,8 @@ template(`wm_role_template',`
> # Policy
> #
>
> + allow $3 $1_wm_t:fd use;
> +
> allow $1_wm_t $3:unix_stream_socket connectto;
> allow $3 $1_wm_t:unix_stream_socket connectto;
>
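
Review bot: `allow $3 $1_wm_t:fd use;` lets the user domain use descriptors owned by its window manager, for example when the window manager launches a program that ends up running in $3; a comment naming the descriptor (pipe, socket, file) that $3 receives from $1_wm_t would make the rule reviewable, and if it is only a descriptor leaked across exec, dontaudit is the conventional alternative.
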
> @@ -72,6 +74,7 @@ template(`wm_role_template',`
> xserver_manage_core_devices($1_wm_t)
>
> optional_policy(`
> + dbus_connect_spec_session_bus($1, $1_wm_t)
> dbus_spec_session_bus_client($1, $1_wm_t)
> dbus_system_bus_client($1_wm_t)
>
> @@ -81,7 +84,7 @@ template(`wm_role_template',`
> ')
>
> optional_policy(`
> - gnome_stream_connect_gkeyringd($1, $1_wm_t)
> + gnome_stream_connect_all_gkeyringd($1_wm_t)
> ')
>
> optional_policy(`
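
Review bot: replacing gnome_stream_connect_gkeyringd($1, $1_wm_t) with gnome_stream_connect_all_gkeyringd($1_wm_t) widens the allowed connection from the role's own gnome-keyring daemon to every role's, and the description does not say why the per-role variant was insufficient. If the widening is only needed in gdm mode, keep the per-role call here and add the broader one in the gdm patches, with the reason in the commit message.
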
> @@ -134,3 +137,87 @@ interface(`wm_dbus_chat',`
> allow $2 $1_wm_t:dbus send_msg;
> allow $1_wm_t $2:dbus send_msg;
> ')
> +
> +########################################
> +## <summary>
> +## Do not audit attempts to execute
> +## files in temporary directories.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`wm_dontaudit_exec_tmp_files',`
> + gen_require(`
> + type wm_tmp_t;
> + ')
> +
> + dontaudit $1 wm_tmp_t:file exec_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Do not audit attempts to execute
> +## files in temporary filesystems.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`wm_dontaudit_exec_tmpfs_files',`
> + gen_require(`
> + type wm_tmpfs_t;
> + ')
> +
> + dontaudit $1 wm_tmpfs_t:file exec_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Create a domain for applications
> +## that are launched by the window
> +## manager.
> +## </summary>
> +## <desc>
> +## <p>
> +## Create a domain for applications that are launched by the
> +## window manager (implying a domain transition). Typically
> +## these are graphical applications that are run interactively.
> +## </p>
> +## <p>
> +## The types will be made usable as a domain and file, making
> +## calls to domain_type() and files_type() redundant.
> +## </p>
> +## </desc>
> +## <param name="target_domain">
> +## <summary>
> +## Type to be used in the domain transition as the application
> +## domain.
> +## </summary>
> +## </param>
> +## <param name="entry_point">
> +## <summary>
> +## Type of the program to be used as an entry point to this domain.
> +## </summary>
> +## </param>
> +## <param name="source_domain">
> +## <summary>
> +## Type to be used as the source window manager domain.
> +## </summary>
> +## </param>
> +## <infoflow type="none"/>
> +#
> +interface(`wm_application_domain',`
> + gen_require(`
> + attribute wm_domain;
> + ')
> +
> + application_type($1)
> + ubac_constrained($1)
> + application_executable_file($2)
> + domtrans_pattern(wm_domain, $2, $1)
> +')
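
Review bot: the documentation of wm_application_domain() declares a third parameter, source_domain, but the body only uses $1 and $2 and hard-codes the wm_domain attribute as the source; drop the unused <param name="source_domain"> block or add the parameter. The <desc> sentence about making domain_type() and files_type() redundant reads as copied from application_domain(); the callers in this patch already declare their types, so the sentence should describe what this interface adds, the domain transition from wm_domain via domtrans_pattern(). The two dontaudit interfaces are only called from wm.te itself; if no other module needs them, direct dontaudit rules in wm.te are simpler.
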
> diff -pru a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
> --- a/policy/modules/contrib/wm.te 2016-12-14 02:24:53.396000918 +0100
> +++ b/policy/modules/contrib/wm.te 2016-12-15 00:26:06.044631194 +0100
> @@ -10,6 +10,16 @@ attribute wm_domain;
> type wm_exec_t;
> corecmd_executable_file(wm_exec_t)
>
> +type wm_tmp_t;
> +userdom_user_tmp_file(wm_tmp_t)
> +
> +type wm_tmpfs_t;
> +userdom_user_tmpfs_file(wm_tmpfs_t)
> +
> +optional_policy(`
> + pulseaudio_tmpfs_content(wm_tmpfs_t)
> +')
> +
> ########################################
> #
> # Common wm domain local policy
> @@ -21,31 +31,60 @@ allow wm_domain self:netlink_kobject_uev
> allow wm_domain self:shm create_shm_perms;
> allow wm_domain self:unix_dgram_socket create_socket_perms;
>
> +manage_dirs_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
> +manage_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
> +manage_lnk_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
> +files_tmp_filetrans(wm_domain, wm_tmp_t, { dir file lnk_file })
> +
> +manage_dirs_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
> +manage_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
> +manage_lnk_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
> +fs_tmpfs_filetrans(wm_domain, wm_tmpfs_t, { dir file lnk_file })
> +
> +can_exec(wm_domain, wm_exec_t)
> +
> kernel_read_system_state(wm_domain)
>
> corecmd_getattr_all_executables(wm_domain)
>
> +dev_read_rand(wm_domain)
> dev_read_sound(wm_domain)
> dev_read_sysfs(wm_domain)
> dev_read_urand(wm_domain)
> +dev_rw_dri(wm_domain)
> dev_rw_wireless(wm_domain)
> dev_write_sound(wm_domain)
>
> +files_read_etc_runtime_files(wm_domain)
> files_read_usr_files(wm_domain)
>
> fs_getattr_all_fs(wm_domain)
>
> +kernel_read_fs_sysctls(wm_domain)
> +kernel_read_proc_symlinks(wm_domain)
> +kernel_read_sysctl(wm_domain)
> +
> miscfiles_read_fonts(wm_domain)
> +miscfiles_read_generic_certs(wm_domain)
> miscfiles_read_localization(wm_domain)
>
> +udev_read_pid_files(wm_domain)
> +
> +# this is needed by gnome-shell
> +userdom_exec_user_home_content_files(wm_domain)
> +
> userdom_manage_user_tmp_sockets(wm_domain)
> userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
> userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file)
>
> userdom_manage_user_home_content_dirs(wm_domain)
> userdom_manage_user_home_content_files(wm_domain)
> +
> userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file })
>
> +wm_dontaudit_exec_tmp_files(wm_domain)
> +wm_dontaudit_exec_tmpfs_files(wm_domain)
> +
> optional_policy(`
> accountsd_dbus_chat(wm_domain)
> ')
> @@ -55,10 +94,27 @@ optional_policy(`
> ')
>
> optional_policy(`
> + consolekit_dbus_chat(wm_domain)
> +')
> +
> +optional_policy(`
> devicekit_dbus_chat_power(wm_domain)
> ')
>
> optional_policy(`
> + evolution_dbus_chat(wm_domain)
> + evolution_alarm_dbus_chat(wm_domain)
> +')
> +
> +optional_policy(`
> + games_dbus_chat(wm_domain)
> +')
> +
> +optional_policy(`
> + mozilla_dbus_chat(wm_domain)
> +')
> +
> +optional_policy(`
> networkmanager_dbus_chat(wm_domain)
> ')
>
> @@ -67,9 +123,13 @@ optional_policy(`
> ')
>
> optional_policy(`
> - pulseaudio_stream_connect(wm_domain)
> + telepathy_mission_control_dbus_chat(wm_domain)
> ')
>
> optional_policy(`
> userhelper_exec_consolehelper(wm_domain)
> ')
> +
> +optional_policy(`
> + xserver_dbus_chat_xdm(wm_domain)
> +')
> diff -pru a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
> --- a/policy/modules/roles/staff.te 2016-12-14 02:24:53.397000941 +0100
> +++ b/policy/modules/roles/staff.te 2016-12-13 22:45:02.857851229 +0100
> @@ -88,11 +88,11 @@ ifndef(`distro_redhat',`
> ')
>
> optional_policy(`
> - pulseaudio_role(staff_r, staff_t)
> + telepathy_role_template(staff, staff_r, staff_t)
> ')
>
> optional_policy(`
> - telepathy_role_template(staff, staff_r, staff_t)
> + wm_role_template(staff, staff_r, staff_t)
> ')
> ')
>
> @@ -145,6 +145,10 @@ ifndef(`distro_redhat',`
> ')
>
> optional_policy(`
> + pulseaudio_role(staff_r, staff_t)
> + ')
> +
> + optional_policy(`
> pyzor_role(staff_r, staff_t)
> ')
>
> diff -pru a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> --- a/policy/modules/roles/sysadm.te 2016-12-14 02:24:53.397000941 +0100
> +++ b/policy/modules/roles/sysadm.te 2016-12-13 22:45:25.577422292 +0100
> @@ -1246,6 +1246,10 @@ ifndef(`distro_redhat',`
> optional_policy(`
> gnome_role_template(sysadm, sysadm_r, sysadm_t)
> ')
> +
> + optional_policy(`
> + wm_role_template(sysadm, sysadm_r, sysadm_t)
> + ')
> ')
>
> optional_policy(`
> diff -pru a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
> --- a/policy/modules/roles/unprivuser.te 2016-12-14 02:24:53.398000965 +0100
> +++ b/policy/modules/roles/unprivuser.te 2016-12-13 22:44:50.493540449 +0100
> @@ -57,11 +57,11 @@ ifndef(`distro_redhat',`
> ')
>
> optional_policy(`
> - pulseaudio_role(user_r, user_t)
> + telepathy_role_template(user, user_r, user_t)
> ')
>
> optional_policy(`
> - telepathy_role_template(user, user_r, user_t)
> + wm_role_template(user, user_r, user_t)
> ')
> ')
>
> @@ -122,6 +122,10 @@ ifndef(`distro_redhat',`
> ')
>
> optional_policy(`
> + pulseaudio_role(user_r, user_t)
> + ')
> +
> + optional_policy(`
> pyzor_role(user_r, user_t)
> ')
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


--
Chris PeBenito

2016-12-16 15:59:31

by guido

Subject: [refpolicy] [PATCH v4 1/5 base part] wm: update the window manager (wm) module and enable its role template (v7)

Enable the window manager role (wm contrib module) and update
the module to work with gnome-shell.

This patch requires the following recently posted patch for the
games module:

[PATCH v3 1/2] games: general update and improved pulseaudio integration
http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html

This patch has received some testing with the following two
configurations:
- gnome-shell executing in normal mode (with display managers
other than gdm, such as xdm from XOrg);
- gnome-shell executing in gdm mode (with the Gnome Display
Manager).

Patches 3/5, 4/5 and 5/5 are needed when gnome-shell is used
in conjunction with gdm.

Since the window managers are not limited by gnome-shell, this latter
version of the patch (along with part 2/5) uses separate optional
conditionals for the gnome and wm role templates.

The new wm_application_domain() interface introduced in the sixth
version of this patch is an idea of Jason Zaman.

This patch also fixes a minor bug in the way the pulseaudio_role()
interface is optionally included by the role templates (pulseaudio
does not depend on dbus).

This seventh version splits the 1/5 patch in two separate patches:
one for the base policy and one for the contrib policy.

THIS IS THE BASE POLICY PART.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/roles/staff.te | 8 ++++++--
policy/modules/roles/sysadm.te | 4 ++++
policy/modules/roles/unprivuser.te | 8 ++++++--
3 files changed, 16 insertions(+), 4 deletions(-)

diff -pru a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
--- a/policy/modules/roles/staff.te 2016-12-14 02:24:53.397000941 +0100
+++ b/policy/modules/roles/staff.te 2016-12-13 22:45:02.857851229 +0100
@@ -88,11 +88,11 @@ ifndef(`distro_redhat',`
')

optional_policy(`
- pulseaudio_role(staff_r, staff_t)
+ telepathy_role_template(staff, staff_r, staff_t)
')

optional_policy(`
- telepathy_role_template(staff, staff_r, staff_t)
+ wm_role_template(staff, staff_r, staff_t)
')
')

@@ -145,6 +145,10 @@ ifndef(`distro_redhat',`
')

optional_policy(`
+ pulseaudio_role(staff_r, staff_t)
+ ')
+
+ optional_policy(`
pyzor_role(staff_r, staff_t)
')

diff -pru a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
--- a/policy/modules/roles/sysadm.te 2016-12-14 02:24:53.397000941 +0100
+++ b/policy/modules/roles/sysadm.te 2016-12-13 22:45:25.577422292 +0100
@@ -1246,6 +1246,10 @@ ifndef(`distro_redhat',`
optional_policy(`
gnome_role_template(sysadm, sysadm_r, sysadm_t)
')
+
+ optional_policy(`
+ wm_role_template(sysadm, sysadm_r, sysadm_t)
+ ')
')

optional_policy(`
diff -pru a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
--- a/policy/modules/roles/unprivuser.te 2016-12-14 02:24:53.398000965 +0100
+++ b/policy/modules/roles/unprivuser.te 2016-12-13 22:44:50.493540449 +0100
@@ -57,11 +57,11 @@ ifndef(`distro_redhat',`
')

optional_policy(`
- pulseaudio_role(user_r, user_t)
+ telepathy_role_template(user, user_r, user_t)
')

optional_policy(`
- telepathy_role_template(user, user_r, user_t)
+ wm_role_template(user, user_r, user_t)
')
')

@@ -122,6 +122,10 @@ ifndef(`distro_redhat',`
')

optional_policy(`
+ pulseaudio_role(user_r, user_t)
+ ')
+
+ optional_policy(`
pyzor_role(user_r, user_t)
')


2016-12-16 15:59:46

by guido

Subject: [refpolicy] [PATCH v4 1/5 contrib part] wm: update the window manager (wm) module and enable its role template (v7)

Enable the window manager role (wm contrib module) and update
the module to work with gnome-shell.

This patch requires the following recently posted patch for the
games module:

[PATCH v3 1/2] games: general update and improved pulseaudio integration
http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html

This patch has received some testing with the following two
configurations:
- gnome-shell executing in normal mode (with display managers
other than gdm, such as xdm from XOrg);
- gnome-shell executing in gdm mode (with the Gnome Display
Manager).

Patches 3/5, 4/5 and 5/5 are needed when gnome-shell is used
in conjunction with gdm.

Since the window managers are not limited by gnome-shell, this latter
version of the patch (along with part 2/5) uses separate optional
conditionals for the gnome and wm role templates.

The new wm_application_domain() interface introduced in the sixth
version of this patch is an idea of Jason Zaman.

This patch also fixes a minor bug in the way the pulseaudio_role()
interface is optionally included by the role templates (pulseaudio
does not depend on dbus).

This seventh version splits the 1/5 patch in two separate patches:
one for the base policy and one for the contrib policy.

THIS IS THE CONTRIB POLICY PART.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/colord.te | 5 ++
policy/modules/contrib/dbus.te | 5 ++
policy/modules/contrib/evolution.te | 4 +
policy/modules/contrib/games.te | 4 +
policy/modules/contrib/java.te | 4 +
policy/modules/contrib/mono.te | 4 +
policy/modules/contrib/mozilla.te | 4 +
policy/modules/contrib/mplayer.te | 4 +
policy/modules/contrib/wm.if | 89 +++++++++++++++++++++++++++++++++++-
policy/modules/contrib/wm.te | 62 ++++++++++++++++++++++++-
10 files changed, 183 insertions(+), 2 deletions(-)

diff -pru a/policy/modules/contrib/colord.te b/policy/modules/contrib/colord.te
--- a/policy/modules/contrib/colord.te 2016-08-14 21:28:11.468519205 +0200
+++ b/policy/modules/contrib/colord.te 2016-12-14 02:45:54.815580399 +0100
@@ -137,3 +137,8 @@ optional_policy(`
udev_read_db(colord_t)
udev_read_pid_files(colord_t)
')
+
+optional_policy(`
+ xserver_read_xdm_lib_files(colord_t)
+ xserver_use_xdm_fds(colord_t)
+')
diff -pru a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
--- a/policy/modules/contrib/dbus.te 2016-08-14 21:28:11.477519343 +0200
+++ b/policy/modules/contrib/dbus.te 2016-12-14 02:24:00.796768671 +0100
@@ -159,6 +159,11 @@ optional_policy(`
udev_read_db(system_dbusd_t)
')

+optional_policy(`
+ xserver_read_xdm_lib_files(system_dbusd_t)
+ xserver_use_xdm_fds(system_dbusd_t)
+')
+
########################################
#
# Common session bus local policy
diff -pru a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te
--- a/policy/modules/contrib/evolution.te 2016-12-07 13:39:49.975910286 +0100
+++ b/policy/modules/contrib/evolution.te 2016-12-15 00:18:21.791452219 +0100
@@ -23,6 +23,10 @@ typealias evolution_t alias { auditadm_e
userdom_user_application_domain(evolution_t, evolution_exec_t)
role evolution_roles types evolution_t;

+optional_policy(`
+ wm_application_domain(evolution_t, evolution_exec_t)
+')
+
type evolution_alarm_t;
type evolution_alarm_exec_t;
typealias evolution_alarm_t alias { user_evolution_alarm_t staff_evolution_alarm_t sysadm_evolution_alarm_t };
diff -pru a/policy/modules/contrib/games.te b/policy/modules/contrib/games.te
--- a/policy/modules/contrib/games.te 2016-12-12 01:59:37.872004679 +0100
+++ b/policy/modules/contrib/games.te 2016-12-15 00:19:55.191238925 +0100
@@ -14,6 +14,10 @@ typealias games_t alias { auditadm_games
userdom_user_application_domain(games_t, games_exec_t)
role games_roles types games_t;

+optional_policy(`
+ wm_application_domain(games_t, games_exec_t)
+')
+
type games_data_t;
typealias games_data_t alias { user_games_data_t staff_games_data_t sysadm_games_data_t };
typealias games_data_t alias { auditadm_games_data_t secadm_games_data_t };
diff -pru a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te
--- a/policy/modules/contrib/java.te 2016-08-14 21:28:11.504519758 +0200
+++ b/policy/modules/contrib/java.te 2016-12-15 00:23:12.650129586 +0100
@@ -27,6 +27,10 @@ typealias java_t alias { staff_javaplugi
typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t };
role java_roles types java_t;

+optional_policy(`
+ wm_application_domain(java_t, java_exec_t)
+')
+
type java_home_t;
userdom_user_home_content(java_home_t)

diff -pru a/policy/modules/contrib/mono.te b/policy/modules/contrib/mono.te
--- a/policy/modules/contrib/mono.te 2016-08-14 21:28:11.520520004 +0200
+++ b/policy/modules/contrib/mono.te 2016-12-15 00:24:01.783117146 +0100
@@ -16,6 +16,10 @@ role mono_roles types mono_t;

application_type(mono_t)

+optional_policy(`
+ wm_application_domain(mono_t, mono_exec_t)
+')
+
########################################
#
# Common local policy
diff -pru a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te
--- a/policy/modules/contrib/mozilla.te 2016-12-14 16:31:11.432155580 +0100
+++ b/policy/modules/contrib/mozilla.te 2016-12-15 00:24:45.672785494 +0100
@@ -24,6 +24,10 @@ typealias mozilla_t alias { auditadm_moz
userdom_user_application_domain(mozilla_t, mozilla_exec_t)
role mozilla_roles types mozilla_t;

+optional_policy(`
+ wm_application_domain(mozilla_t, mozilla_exec_t)
+')
+
type mozilla_home_t;
typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t };
typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t };
diff -pru a/policy/modules/contrib/mplayer.te b/policy/modules/contrib/mplayer.te
--- a/policy/modules/contrib/mplayer.te 2016-10-29 16:29:19.667325422 +0200
+++ b/policy/modules/contrib/mplayer.te 2016-12-15 00:25:40.085738055 +0100
@@ -30,6 +30,10 @@ typealias mplayer_t alias { auditadm_mpl
userdom_user_application_domain(mplayer_t, mplayer_exec_t)
role mplayer_roles types mplayer_t;

+optional_policy(`
+ wm_application_domain(mplayer_t, mplayer_exec_t)
+')
+
type mplayer_etc_t;
files_config_file(mplayer_etc_t)

diff -pru a/policy/modules/contrib/wm.if b/policy/modules/contrib/wm.if
--- a/policy/modules/contrib/wm.if 2016-12-14 02:24:53.377000472 +0100
+++ b/policy/modules/contrib/wm.if 2016-12-15 00:16:28.516076888 +0100
@@ -47,6 +47,8 @@ template(`wm_role_template',`
# Policy
#

+ allow $3 $1_wm_t:fd use;
+
allow $1_wm_t $3:unix_stream_socket connectto;
allow $3 $1_wm_t:unix_stream_socket connectto;

@@ -72,6 +74,7 @@ template(`wm_role_template',`
xserver_manage_core_devices($1_wm_t)

optional_policy(`
+ dbus_connect_spec_session_bus($1, $1_wm_t)
dbus_spec_session_bus_client($1, $1_wm_t)
dbus_system_bus_client($1_wm_t)

@@ -81,7 +84,7 @@ template(`wm_role_template',`
')

optional_policy(`
- gnome_stream_connect_gkeyringd($1, $1_wm_t)
+ gnome_stream_connect_all_gkeyringd($1_wm_t)
')

optional_policy(`
@@ -134,3 +137,87 @@ interface(`wm_dbus_chat',`
allow $2 $1_wm_t:dbus send_msg;
allow $1_wm_t $2:dbus send_msg;
')
+
+########################################
+## <summary>
+## Do not audit attempts to execute
+## files in temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`wm_dontaudit_exec_tmp_files',`
+ gen_require(`
+ type wm_tmp_t;
+ ')
+
+ dontaudit $1 wm_tmp_t:file exec_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to execute
+## files in temporary filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`wm_dontaudit_exec_tmpfs_files',`
+ gen_require(`
+ type wm_tmpfs_t;
+ ')
+
+ dontaudit $1 wm_tmpfs_t:file exec_file_perms;
+')
+
+########################################
+## <summary>
+## Create a domain for applications
+## that are launched by the window
+## manager.
+## </summary>
+## <desc>
+## <p>
+## Create a domain for applications that are launched by the
+## window manager (implying a domain transition). Typically
+## these are graphical applications that are run interactively.
+## </p>
+## <p>
+## The types will be made usable as a domain and file, making
+## calls to domain_type() and files_type() redundant.
+## </p>
+## </desc>
+## <param name="target_domain">
+## <summary>
+## Type to be used in the domain transition as the application
+## domain.
+## </summary>
+## </param>
+## <param name="entry_point">
+## <summary>
+## Type of the program to be used as an entry point to this domain.
+## </summary>
+## </param>
+## <param name="source_domain">
+## <summary>
+## Type to be used as the source window manager domain.
+## </summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`wm_application_domain',`
+ gen_require(`
+ attribute wm_domain;
+ ')
+
+ application_type($1)
+ ubac_constrained($1)
+ application_executable_file($2)
+ domtrans_pattern(wm_domain, $2, $1)
+')
diff -pru a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
--- a/policy/modules/contrib/wm.te 2016-12-14 02:24:53.396000918 +0100
+++ b/policy/modules/contrib/wm.te 2016-12-15 00:26:06.044631194 +0100
@@ -10,6 +10,16 @@ attribute wm_domain;
type wm_exec_t;
corecmd_executable_file(wm_exec_t)

+type wm_tmp_t;
+userdom_user_tmp_file(wm_tmp_t)
+
+type wm_tmpfs_t;
+userdom_user_tmpfs_file(wm_tmpfs_t)
+
+optional_policy(`
+ pulseaudio_tmpfs_content(wm_tmpfs_t)
+')
+
########################################
#
# Common wm domain local policy
@@ -21,31 +31,60 @@ allow wm_domain self:netlink_kobject_uev
allow wm_domain self:shm create_shm_perms;
allow wm_domain self:unix_dgram_socket create_socket_perms;

+manage_dirs_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
+manage_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
+manage_lnk_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
+files_tmp_filetrans(wm_domain, wm_tmp_t, { dir file lnk_file })
+
+manage_dirs_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
+manage_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
+manage_lnk_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
+fs_tmpfs_filetrans(wm_domain, wm_tmpfs_t, { dir file lnk_file })
+
+can_exec(wm_domain, wm_exec_t)
+
kernel_read_system_state(wm_domain)

corecmd_getattr_all_executables(wm_domain)

+dev_read_rand(wm_domain)
dev_read_sound(wm_domain)
dev_read_sysfs(wm_domain)
dev_read_urand(wm_domain)
+dev_rw_dri(wm_domain)
dev_rw_wireless(wm_domain)
dev_write_sound(wm_domain)

+files_read_etc_runtime_files(wm_domain)
files_read_usr_files(wm_domain)

fs_getattr_all_fs(wm_domain)

+kernel_read_fs_sysctls(wm_domain)
+kernel_read_proc_symlinks(wm_domain)
+kernel_read_sysctl(wm_domain)
+
miscfiles_read_fonts(wm_domain)
+miscfiles_read_generic_certs(wm_domain)
miscfiles_read_localization(wm_domain)

+udev_read_pid_files(wm_domain)
+
+# this is needed by gnome-shell
+userdom_exec_user_home_content_files(wm_domain)
+
userdom_manage_user_tmp_sockets(wm_domain)
userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file)

userdom_manage_user_home_content_dirs(wm_domain)
userdom_manage_user_home_content_files(wm_domain)
+
userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file })

+wm_dontaudit_exec_tmp_files(wm_domain)
+wm_dontaudit_exec_tmpfs_files(wm_domain)
+
optional_policy(`
accountsd_dbus_chat(wm_domain)
')
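Review bot: `userdom_exec_user_home_content_files(wm_domain)` grants every domain carrying the wm_domain attribute permission to execute arbitrary files under user home directories, while the comment above it says only gnome-shell needs this; consider limiting the call to the domain that actually needs it or gating it behind a tunable rather than granting it through the shared attribute. As a style point, the new `kernel_read_fs_sysctls`, `kernel_read_proc_symlinks` and `kernel_read_sysctl` calls belong next to the existing `kernel_read_system_state(wm_domain)` call rather than after `fs_getattr_all_fs`, which is where the refpolicy module ordering would place them.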
@@ -55,10 +94,27 @@ optional_policy(`
')

optional_policy(`
+ consolekit_dbus_chat(wm_domain)
+')
+
+optional_policy(`
devicekit_dbus_chat_power(wm_domain)
')

optional_policy(`
+ evolution_dbus_chat(wm_domain)
+ evolution_alarm_dbus_chat(wm_domain)
+')
+
+optional_policy(`
+ games_dbus_chat(wm_domain)
+')
+
+optional_policy(`
+ mozilla_dbus_chat(wm_domain)
+')
+
+optional_policy(`
networkmanager_dbus_chat(wm_domain)
')

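Review bot: `games_dbus_chat(wm_domain)` references an interface that does not exist in the current tree; it is introduced by the separately posted games patch linked in the cover text (http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html), so if this part is merged first the optional_policy block calls an undefined interface and the module fails to build. Either state the merge-order dependency explicitly in the series or hold this block back until the games patch lands.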
@@ -67,9 +123,13 @@ optional_policy(`
')

optional_policy(`
- pulseaudio_stream_connect(wm_domain)
+ telepathy_mission_control_dbus_chat(wm_domain)
')

optional_policy(`
userhelper_exec_consolehelper(wm_domain)
')
+
+optional_policy(`
+ xserver_dbus_chat_xdm(wm_domain)
+')
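Review bot: the removal of `pulseaudio_stream_connect(wm_domain)` is not explained in the commit message; if the new `pulseaudio_tmpfs_content(wm_tmpfs_t)` in the first hunk is meant to replace it, say so, otherwise window managers silently lose the ability to connect to the user's pulseaudio socket. Because the `-` and `+` lines sit inside the same optional_policy block, the change also reads as a rename of pulseaudio to telepathy; a separate block for `telepathy_mission_control_dbus_chat` would make the intent clear. Finally, `xserver_dbus_chat_xdm(wm_domain)` is not defined anywhere in this patch's visible context; if it comes from a later part of the series, that dependency should be stated alongside the gdm note in the cover text.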

2016-12-17 14:05:34

by Chris PeBenito

Subject: [refpolicy] [PATCH v4 1/5 base part] wm: update the window manager (wm) module and enable its role template (v7)

On 12/16/16 10:59, Guido Trentalancia via refpolicy wrote:
> Enable the window manager role (wm contrib module) and update
> the module to work with gnome-shell.
>
> This patch requires the following recently posted patch for the
> games module:
>
> [PATCH v3 1/2] games: general update and improved pulseaudio integration
> http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html
>
> This patch has received some testing with the following two
> configurations:
> - gnome-shell executing in normal mode (with display managers
> other than gdm, such as xdm from XOrg);
> - gnome-shell executing in gdm mode (with the Gnome Display
> Manager).
>
> Patches 3/5, 4/5 and 5/5 are needed when gnome-shell is used
> in conjunction with gdm.
>
> Since the window managers are not limited by gnome-shell, this latter
> version of the patch (along with part 2/5) uses separate optional
> conditionals for the gnome and wm role templates.
>
> The new wm_application_domain() interface introduced in the sixth
> version of this patch is an idea of Jason Zaman.
>
> This patch also fixes a minor bug in the way the pulseaudio_role()
> interface is optionally included by the role templates (pulseaudio
> does not depend on dbus).
>
> This seventh version splits the 1/5 patch in two separate patches:
> one for the base policy and one for the contrib policy.
>
> THIS IS THE BASE POLICY PART.

I've merged this set. However, after I applied them, I realized there
was an invalid interface added in xserver (nonexistent xdm_domain
attribute) and a missing interface called in wm. I've removed them.



> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/roles/staff.te | 8 ++++++--
> policy/modules/roles/sysadm.te | 4 ++++
> policy/modules/roles/unprivuser.te | 8 ++++++--
> 3 files changed, 16 insertions(+), 4 deletions(-)
>
> diff -pru a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
> --- a/policy/modules/roles/staff.te 2016-12-14 02:24:53.397000941 +0100
> +++ b/policy/modules/roles/staff.te 2016-12-13 22:45:02.857851229 +0100
> @@ -88,11 +88,11 @@ ifndef(`distro_redhat',`
> ')
>
> optional_policy(`
> - pulseaudio_role(staff_r, staff_t)
> + telepathy_role_template(staff, staff_r, staff_t)
> ')
>
> optional_policy(`
> - telepathy_role_template(staff, staff_r, staff_t)
> + wm_role_template(staff, staff_r, staff_t)
> ')
> ')
>
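Review bot: the `+++` timestamp for staff.te (2016-12-13) is older than the `---` timestamp (2016-12-14), which suggests the diff was taken against a tree older than the one it is meant to apply to; please regenerate against current master so the hunk offsets are trustworthy. Within the hunk itself, replacing `pulseaudio_role` with `telepathy_role_template` and `telepathy_role_template` with `wm_role_template` inside the same two optional_policy blocks reads as two renames; since the real change (per the commit message) is moving `pulseaudio_role` out of the dbus-gated section and adding `wm_role_template`, a short comment in the commit message pointing at the second staff.te hunk would save reviewers from re-deriving that.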
> @@ -145,6 +145,10 @@ ifndef(`distro_redhat',`
> ')
>
> optional_policy(`
> + pulseaudio_role(staff_r, staff_t)
> + ')
> +
> + optional_policy(`
> pyzor_role(staff_r, staff_t)
> ')
>
> diff -pru a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> --- a/policy/modules/roles/sysadm.te 2016-12-14 02:24:53.397000941 +0100
> +++ b/policy/modules/roles/sysadm.te 2016-12-13 22:45:25.577422292 +0100
> @@ -1246,6 +1246,10 @@ ifndef(`distro_redhat',`
> optional_policy(`
> gnome_role_template(sysadm, sysadm_r, sysadm_t)
> ')
> +
> + optional_policy(`
> + wm_role_template(sysadm, sysadm_r, sysadm_t)
> + ')
> ')
>
> optional_policy(`
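Review bot: the sysadm.te hunk only adds `wm_role_template(sysadm, sysadm_r, sysadm_t)` and does not touch `pulseaudio_role`; if sysadm.te also nests `pulseaudio_role()` under a dbus-dependent optional_policy block, the same fix applied to staff.te and unprivuser.te in this patch should be applied here for consistency, and if it does not, the commit message should say that sysadm is unaffected.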
> diff -pru a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
> --- a/policy/modules/roles/unprivuser.te 2016-12-14 02:24:53.398000965 +0100
> +++ b/policy/modules/roles/unprivuser.te 2016-12-13 22:44:50.493540449 +0100
> @@ -57,11 +57,11 @@ ifndef(`distro_redhat',`
> ')
>
> optional_policy(`
> - pulseaudio_role(user_r, user_t)
> + telepathy_role_template(user, user_r, user_t)
> ')
>
> optional_policy(`
> - telepathy_role_template(user, user_r, user_t)
> + wm_role_template(user, user_r, user_t)
> ')
> ')
>
> @@ -122,6 +122,10 @@ ifndef(`distro_redhat',`
> ')
>
> optional_policy(`
> + pulseaudio_role(user_r, user_t)
> + ')
> +
> + optional_policy(`
> pyzor_role(user_r, user_t)
> ')


--
Chris PeBenito

2016-12-17 16:56:38

by guido

Subject: [refpolicy] [PATCH v4 1/5 base part] wm: update the window manager (wm) module and enable its role template (v7)

Hello Christopher.

On Sat, 17/12/2016 at 09.05 -0500, Chris PeBenito wrote:
> On 12/16/16 10:59, Guido Trentalancia via refpolicy wrote:
> >
> > Enable the window manager role (wm contrib module) and update
> > the module to work with gnome-shell.
> >
> > This patch requires the following recently posted patch for the
> > games module:
> >
> > [PATCH v3 1/2] games: general update and improved pulseaudio
> > integration
> > http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html

[...]

> I've merged this set. However, after I applied them, I realized
> there was an invalid interface added in xserver (nonexistent xdm_domain
> attribute) and a missing interface called in wm. I've removed them.

I suppose the missing interface called in wm is games_dbus_chat(). Can
you confirm?

This interface was introduced by the recent games patch (see
above). The patch description mentions that it depends on the games
patch, which for some reason has not been applied yet.

What is the invalid interface added in xserver?

Regards,

Guido

2016-12-17 18:06:46

by Chris PeBenito

Subject: [refpolicy] [PATCH v4 1/5 base part] wm: update the window manager (wm) module and enable its role template (v7)

On 12/17/16 11:56, Guido Trentalancia via refpolicy wrote:
> Hello Christopher.
>
> On Sat, 17/12/2016 at 09.05 -0500, Chris PeBenito wrote:
>> On 12/16/16 10:59, Guido Trentalancia via refpolicy wrote:
>>>
>>> Enable the window manager role (wm contrib module) and update
>>> the module to work with gnome-shell.
>>>
>>> This patch requires the following recently posted patch for the
>>> games module:
>>>
>>> [PATCH v3 1/2] games: general update and improved pulseaudio
>>> integration
>>> http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html
>
> [...]
>
>> I've merged this set. However, after I applied them, I realized
>> there was an invalid interface added in xserver (nonexistent xdm_domain
>> attribute) and a missing interface called in wm. I've removed them.
>
> I suppose the missing interface called in wm is games_dbus_chat(). Can
> you confirm?

Yes.


> Such interface has been introduced by the recent games patch (see
> above). The patch description mentions that it depends on the games
> patch, which for some reason has not been applied yet.

You've made many patch sets with partial revisions. It is difficult to
keep track of all the patches. You'll have to submit a new patch set.


--
Chris PeBenito