2016-12-22 21:21:47

by guido

Subject: [refpolicy] [PATCH] contrib: extend wm ability to launch confined graphical applications

Add the ability to launch other confined graphical applications
from the new confined window manager ("wm" module).

There might be other confined graphical applications that need
the wm_application_domain() interface...

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/gift.te | 4 ++++
policy/modules/contrib/telepathy.if | 4 ++++
policy/modules/contrib/thunderbird.te | 5 ++++-
policy/modules/contrib/tvtime.te | 5 ++++-
policy/modules/contrib/vmware.te | 5 ++++-
policy/modules/contrib/wine.te | 5 ++++-
policy/modules/contrib/wireshark.te | 5 ++++-
7 files changed, 28 insertions(+), 5 deletions(-)

diff -pru a/policy/modules/contrib/gift.te b/policy/modules/contrib/gift.te
--- a/policy/modules/contrib/gift.te 2016-08-14 21:28:11.492519574 +0200
+++ b/policy/modules/contrib/gift.te 2016-12-22 22:14:18.753784589 +0100
@@ -15,6 +15,10 @@ typealias gift_t alias { auditadm_gift_t
userdom_user_application_domain(gift_t, gift_exec_t)
role gift_roles types gift_t;

+optional_policy(`
+ wm_application_domain(gift_t, gift_exec_t)
+')
+
type gift_home_t;
typealias gift_home_t alias { user_gift_home_t staff_gift_home_t sysadm_gift_home_t };
typealias gift_home_t alias { auditadm_gift_home_t secadm_gift_home_t };
diff -pru a/policy/modules/contrib/telepathy.if b/policy/modules/contrib/telepathy.if
--- a/policy/modules/contrib/telepathy.if 2016-08-15 23:39:24.064783228 +0200
+++ b/policy/modules/contrib/telepathy.if 2016-12-22 22:09:56.337766137 +0100
@@ -19,6 +19,10 @@ template(`telepathy_domain_template',`
type telepathy_$1_exec_t, telepathy_executable;
userdom_user_application_domain(telepathy_$1_t, telepathy_$1_exec_t)

+ optional_policy(`
+ wm_application_domain(telepathy_$1_t, telepathy_$1_exec_t)
+ ')
+
type telepathy_$1_tmp_t, telepathy_tmp_content;
userdom_user_tmp_file(telepathy_$1_tmp_t)

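Review bot: This block is placed inside `telepathy_domain_template`, so every domain instantiated from the template receives the `wm_application_domain()` call rather than a single application; if that interface gives the window manager domain a transition into `$1` through `$2` (as its name suggests — the wm module itself is not shown here), each telepathy backend becomes launchable from the wm. Telepathy connection managers are generally started by D-Bus activation rather than by a window manager, so it is worth confirming that the extra launch path is needed for every instantiation and, if not, applying the interface only in the .te files of the backends the wm actually starts. The template begins before this hunk and continues past it.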
diff -pru a/policy/modules/contrib/thunderbird.te b/policy/modules/contrib/thunderbird.te
--- a/policy/modules/contrib/thunderbird.te 2016-12-09 01:16:17.773011439 +0100
+++ b/policy/modules/contrib/thunderbird.te 2016-12-22 21:51:10.800647300 +0100
@@ -11,9 +11,12 @@ type thunderbird_t;
type thunderbird_exec_t;
typealias thunderbird_t alias { user_thunderbird_t staff_thunderbird_t sysadm_thunderbird_t };
typealias thunderbird_t alias { auditadm_thunderbird_t secadm_thunderbird_t };
-userdom_user_application_domain(thunderbird_t, thunderbird_exec_t)
role thunderbird_roles types thunderbird_t;

+optional_policy(`
+ wm_application_domain(thunderbird_t, thunderbird_exec_t)
+')
+
type thunderbird_home_t;
typealias thunderbird_home_t alias { user_thunderbird_home_t staff_thunderbird_home_t sysadm_thunderbird_home_t };
typealias thunderbird_home_t alias { auditadm_thunderbird_home_t secadm_thunderbird_home_t };
diff -pru a/policy/modules/contrib/tvtime.te b/policy/modules/contrib/tvtime.te
--- a/policy/modules/contrib/tvtime.te 2016-08-14 21:28:11.585521003 +0200
+++ b/policy/modules/contrib/tvtime.te 2016-12-22 21:50:27.173153799 +0100
@@ -11,9 +11,12 @@ type tvtime_t;
type tvtime_exec_t;
typealias tvtime_t alias { user_tvtime_t staff_tvtime_t sysadm_tvtime_t };
typealias tvtime_t alias { auditadm_tvtime_t secadm_tvtime_t };
-userdom_user_application_domain(tvtime_t, tvtime_exec_t)
role tvtime_roles types tvtime_t;

+optional_policy(`
+ wm_application_domain(tvtime_t, tvtime_exec_t)
+')
+
type tvtime_home_t alias tvtime_rw_t;
typealias tvtime_home_t alias { user_tvtime_home_t staff_tvtime_home_t sysadm_tvtime_home_t };
typealias tvtime_home_t alias { auditadm_tvtime_home_t secadm_tvtime_home_t };
diff -pru a/policy/modules/contrib/vmware.te b/policy/modules/contrib/vmware.te
--- a/policy/modules/contrib/vmware.te 2016-08-14 21:28:11.594521141 +0200
+++ b/policy/modules/contrib/vmware.te 2016-12-22 21:55:05.311271298 +0100
@@ -9,7 +9,10 @@ type vmware_t;
type vmware_exec_t;
typealias vmware_t alias { user_vmware_t staff_vmware_t sysadm_vmware_t };
typealias vmware_t alias { auditadm_vmware_t secadm_vmware_t };
-userdom_user_application_domain(vmware_t, vmware_exec_t)
+
+optional_policy(`
+ wm_application_domain(vmware_t, vmware_exec_t)
+')

type vmware_conf_t;
typealias vmware_conf_t alias { user_vmware_conf_t staff_vmware_conf_t sysadm_vmware_conf_t };
diff -pru a/policy/modules/contrib/wine.te b/policy/modules/contrib/wine.te
--- a/policy/modules/contrib/wine.te 2016-08-14 21:28:11.597521187 +0200
+++ b/policy/modules/contrib/wine.te 2016-12-22 21:56:36.112275069 +0100
@@ -19,9 +19,12 @@ roleattribute system_r wine_roles;

type wine_t;
type wine_exec_t;
-userdom_user_application_domain(wine_t, wine_exec_t)
role wine_roles types wine_t;

+optional_policy(`
+ wm_application_domain(wine_t, wine_exec_t)
+')
+
type wine_home_t;
userdom_user_home_content(wine_home_t)

diff -pru a/policy/modules/contrib/wireshark.te b/policy/modules/contrib/wireshark.te
--- a/policy/modules/contrib/wireshark.te 2016-08-14 21:28:11.597521187 +0200
+++ b/policy/modules/contrib/wireshark.te 2016-12-22 21:55:49.812764062 +0100
@@ -11,9 +11,12 @@ type wireshark_t;
type wireshark_exec_t;
typealias wireshark_t alias { user_wireshark_t staff_wireshark_t sysadm_wireshark_t };
typealias wireshark_t alias { auditadm_wireshark_t secadm_wireshark_t };
-userdom_user_application_domain(wireshark_t, wireshark_exec_t)
role wireshark_roles types wireshark_t;

+optional_policy(`
+ wm_application_domain(wireshark_t, wireshark_exec_t)
+')
+
type wireshark_home_t;
typealias wireshark_home_t alias { user_wireshark_home_t staff_wireshark_home_t sysadm_wireshark_home_t };
typealias wireshark_home_t alias { auditadm_wireshark_home_t secadm_wireshark_home_t };


2016-12-27 15:20:16

by Chris PeBenito

Subject: [refpolicy] [PATCH] contrib: extend wm ability to launch confined graphical applications

On 12/22/16 16:21, Guido Trentalancia via refpolicy wrote:
> Add the ability to launch other confined graphical applications
> from the new confined window manager ("wm" module).
>
> There might be other confined graphical applications that need
> the wm_application_domain() interface...
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/gift.te | 4 ++++
> policy/modules/contrib/telepathy.if | 4 ++++
> policy/modules/contrib/thunderbird.te | 5 ++++-
> policy/modules/contrib/tvtime.te | 5 ++++-
> policy/modules/contrib/vmware.te | 5 ++++-
> policy/modules/contrib/wine.te | 5 ++++-
> policy/modules/contrib/wireshark.te | 5 ++++-
> 7 files changed, 28 insertions(+), 5 deletions(-)
>
> diff -pru a/policy/modules/contrib/gift.te b/policy/modules/contrib/gift.te
> --- a/policy/modules/contrib/gift.te 2016-08-14 21:28:11.492519574 +0200
> +++ b/policy/modules/contrib/gift.te 2016-12-22 22:14:18.753784589 +0100
> @@ -15,6 +15,10 @@ typealias gift_t alias { auditadm_gift_t
> userdom_user_application_domain(gift_t, gift_exec_t)
> role gift_roles types gift_t;
>
> +optional_policy(`
> + wm_application_domain(gift_t, gift_exec_t)
> +')

Please move these to the end of the declarations section (here and in
following hunks).


> type gift_home_t;
> typealias gift_home_t alias { user_gift_home_t staff_gift_home_t sysadm_gift_home_t };
> typealias gift_home_t alias { auditadm_gift_home_t secadm_gift_home_t };
> diff -pru a/policy/modules/contrib/telepathy.if b/policy/modules/contrib/telepathy.if
> --- a/policy/modules/contrib/telepathy.if 2016-08-15 23:39:24.064783228 +0200
> +++ b/policy/modules/contrib/telepathy.if 2016-12-22 22:09:56.337766137 +0100
> @@ -19,6 +19,10 @@ template(`telepathy_domain_template',`
> type telepathy_$1_exec_t, telepathy_executable;
> userdom_user_application_domain(telepathy_$1_t, telepathy_$1_exec_t)
>
> + optional_policy(`
> + wm_application_domain(telepathy_$1_t, telepathy_$1_exec_t)
> + ')
> +
> type telepathy_$1_tmp_t, telepathy_tmp_content;
> userdom_user_tmp_file(telepathy_$1_tmp_t)
>
> diff -pru a/policy/modules/contrib/thunderbird.te b/policy/modules/contrib/thunderbird.te
> --- a/policy/modules/contrib/thunderbird.te 2016-12-09 01:16:17.773011439 +0100
> +++ b/policy/modules/contrib/thunderbird.te 2016-12-22 21:51:10.800647300 +0100
> @@ -11,9 +11,12 @@ type thunderbird_t;
> type thunderbird_exec_t;
> typealias thunderbird_t alias { user_thunderbird_t staff_thunderbird_t sysadm_thunderbird_t };
> typealias thunderbird_t alias { auditadm_thunderbird_t secadm_thunderbird_t };
> -userdom_user_application_domain(thunderbird_t, thunderbird_exec_t)
> role thunderbird_roles types thunderbird_t;
>
> +optional_policy(`
> + wm_application_domain(thunderbird_t, thunderbird_exec_t)
> +')
> +
> type thunderbird_home_t;
> typealias thunderbird_home_t alias { user_thunderbird_home_t staff_thunderbird_home_t sysadm_thunderbird_home_t };
> typealias thunderbird_home_t alias { auditadm_thunderbird_home_t secadm_thunderbird_home_t };
> diff -pru a/policy/modules/contrib/tvtime.te b/policy/modules/contrib/tvtime.te
> --- a/policy/modules/contrib/tvtime.te 2016-08-14 21:28:11.585521003 +0200
> +++ b/policy/modules/contrib/tvtime.te 2016-12-22 21:50:27.173153799 +0100
> @@ -11,9 +11,12 @@ type tvtime_t;
> type tvtime_exec_t;
> typealias tvtime_t alias { user_tvtime_t staff_tvtime_t sysadm_tvtime_t };
> typealias tvtime_t alias { auditadm_tvtime_t secadm_tvtime_t };
> -userdom_user_application_domain(tvtime_t, tvtime_exec_t)

The basic application domain can't be removed otherwise this will
completely break without wm. There are other instances below.


> role tvtime_roles types tvtime_t;
>
> +optional_policy(`
> + wm_application_domain(tvtime_t, tvtime_exec_t)
> +')
> +
> type tvtime_home_t alias tvtime_rw_t;
> typealias tvtime_home_t alias { user_tvtime_home_t staff_tvtime_home_t sysadm_tvtime_home_t };
> typealias tvtime_home_t alias { auditadm_tvtime_home_t secadm_tvtime_home_t };
> diff -pru a/policy/modules/contrib/vmware.te b/policy/modules/contrib/vmware.te
> --- a/policy/modules/contrib/vmware.te 2016-08-14 21:28:11.594521141 +0200
> +++ b/policy/modules/contrib/vmware.te 2016-12-22 21:55:05.311271298 +0100
> @@ -9,7 +9,10 @@ type vmware_t;
> type vmware_exec_t;
> typealias vmware_t alias { user_vmware_t staff_vmware_t sysadm_vmware_t };
> typealias vmware_t alias { auditadm_vmware_t secadm_vmware_t };
> -userdom_user_application_domain(vmware_t, vmware_exec_t)
> +
> +optional_policy(`
> + wm_application_domain(vmware_t, vmware_exec_t)
> +')
>
> type vmware_conf_t;
> typealias vmware_conf_t alias { user_vmware_conf_t staff_vmware_conf_t sysadm_vmware_conf_t };
> diff -pru a/policy/modules/contrib/wine.te b/policy/modules/contrib/wine.te
> --- a/policy/modules/contrib/wine.te 2016-08-14 21:28:11.597521187 +0200
> +++ b/policy/modules/contrib/wine.te 2016-12-22 21:56:36.112275069 +0100
> @@ -19,9 +19,12 @@ roleattribute system_r wine_roles;
>
> type wine_t;
> type wine_exec_t;
> -userdom_user_application_domain(wine_t, wine_exec_t)
> role wine_roles types wine_t;
>
> +optional_policy(`
> + wm_application_domain(wine_t, wine_exec_t)
> +')
> +
> type wine_home_t;
> userdom_user_home_content(wine_home_t)
>
> diff -pru a/policy/modules/contrib/wireshark.te b/policy/modules/contrib/wireshark.te
> --- a/policy/modules/contrib/wireshark.te 2016-08-14 21:28:11.597521187 +0200
> +++ b/policy/modules/contrib/wireshark.te 2016-12-22 21:55:49.812764062 +0100
> @@ -11,9 +11,12 @@ type wireshark_t;
> type wireshark_exec_t;
> typealias wireshark_t alias { user_wireshark_t staff_wireshark_t sysadm_wireshark_t };
> typealias wireshark_t alias { auditadm_wireshark_t secadm_wireshark_t };
> -userdom_user_application_domain(wireshark_t, wireshark_exec_t)
> role wireshark_roles types wireshark_t;
>
> +optional_policy(`
> + wm_application_domain(wireshark_t, wireshark_exec_t)
> +')
> +
> type wireshark_home_t;
> typealias wireshark_home_t alias { user_wireshark_home_t staff_wireshark_home_t sysadm_wireshark_home_t };
> typealias wireshark_home_t alias { auditadm_wireshark_home_t secadm_wireshark_home_t };


--
Chris PeBenito

2016-12-27 20:35:28

by guido

Subject: [refpolicy] [PATCH] contrib: extend wm ability to launch confined graphical applications

Hello Christopher.

> On the 27th December 2016 at 16.20 Chris PeBenito <[email protected]> wrote:
>
>
> On 12/22/16 16:21, Guido Trentalancia via refpolicy wrote:
> > Add the ability to launch other confined graphical applications
> > from the new confined window manager ("wm" module).
> >
> > There might be other confined graphical applications that need
> > the wm_application_domain() interface...
> >
> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> > policy/modules/contrib/gift.te | 4 ++++
> > policy/modules/contrib/telepathy.if | 4 ++++
> > policy/modules/contrib/thunderbird.te | 5 ++++-
> > policy/modules/contrib/tvtime.te | 5 ++++-
> > policy/modules/contrib/vmware.te | 5 ++++-
> > policy/modules/contrib/wine.te | 5 ++++-
> > policy/modules/contrib/wireshark.te | 5 ++++-
> > 7 files changed, 28 insertions(+), 5 deletions(-)

[...]

> > diff -pru a/policy/modules/contrib/tvtime.te
> > b/policy/modules/contrib/tvtime.te
> > --- a/policy/modules/contrib/tvtime.te 2016-08-14 21:28:11.585521003 +0200
> > +++ b/policy/modules/contrib/tvtime.te 2016-12-22 21:50:27.173153799 +0100
> > @@ -11,9 +11,12 @@ type tvtime_t;
> > type tvtime_exec_t;
> > typealias tvtime_t alias { user_tvtime_t staff_tvtime_t sysadm_tvtime_t };
> > typealias tvtime_t alias { auditadm_tvtime_t secadm_tvtime_t };
> > -userdom_user_application_domain(tvtime_t, tvtime_exec_t)
>
> The basic application domain can't be removed otherwise this will
> completely break without wm. There are other instances below.

Yes, thanks for telling me, this is a very good point. I was misled into
doing so by the fact that some applications only run under the graphical
interface.

But, as you noted, there might always be someone around that for whatever
reason does not use the wm module.

> > role tvtime_roles types tvtime_t;
> >
> > +optional_policy(`
> > + wm_application_domain(tvtime_t, tvtime_exec_t)
> > +')
> > +
> > type tvtime_home_t alias tvtime_rw_t;
> > typealias tvtime_home_t alias { user_tvtime_home_t staff_tvtime_home_t
> > sysadm_tvtime_home_t };
> > typealias tvtime_home_t alias { auditadm_tvtime_home_t secadm_tvtime_home_t
> > };
> > diff -pru a/policy/modules/contrib/vmware.te
> > b/policy/modules/contrib/vmware.te
> > --- a/policy/modules/contrib/vmware.te 2016-08-14 21:28:11.594521141 +0200
> > +++ b/policy/modules/contrib/vmware.te 2016-12-22 21:55:05.311271298 +0100
> > @@ -9,7 +9,10 @@ type vmware_t;
> > type vmware_exec_t;
> > typealias vmware_t alias { user_vmware_t staff_vmware_t sysadm_vmware_t };
> > typealias vmware_t alias { auditadm_vmware_t secadm_vmware_t };
> > -userdom_user_application_domain(vmware_t, vmware_exec_t)
> > +
> > +optional_policy(`
> > + wm_application_domain(vmware_t, vmware_exec_t)
> > +')
> >
> > type vmware_conf_t;
> > typealias vmware_conf_t alias { user_vmware_conf_t staff_vmware_conf_t
> > sysadm_vmware_conf_t };
> > diff -pru a/policy/modules/contrib/wine.te b/policy/modules/contrib/wine.te
> > --- a/policy/modules/contrib/wine.te 2016-08-14 21:28:11.597521187 +0200
> > +++ b/policy/modules/contrib/wine.te 2016-12-22 21:56:36.112275069 +0100
> > @@ -19,9 +19,12 @@ roleattribute system_r wine_roles;
> >
> > type wine_t;
> > type wine_exec_t;
> > -userdom_user_application_domain(wine_t, wine_exec_t)
> > role wine_roles types wine_t;
> >
> > +optional_policy(`
> > + wm_application_domain(wine_t, wine_exec_t)
> > +')
> > +
> > type wine_home_t;
> > userdom_user_home_content(wine_home_t)
> >
> > diff -pru a/policy/modules/contrib/wireshark.te
> > b/policy/modules/contrib/wireshark.te
> > --- a/policy/modules/contrib/wireshark.te 2016-08-14 21:28:11.597521187
> > +0200
> > +++ b/policy/modules/contrib/wireshark.te 2016-12-22 21:55:49.812764062
> > +0100
> > @@ -11,9 +11,12 @@ type wireshark_t;
> > type wireshark_exec_t;
> > typealias wireshark_t alias { user_wireshark_t staff_wireshark_t
> > sysadm_wireshark_t };
> > typealias wireshark_t alias { auditadm_wireshark_t secadm_wireshark_t };
> > -userdom_user_application_domain(wireshark_t, wireshark_exec_t)
> > role wireshark_roles types wireshark_t;
> >
> > +optional_policy(`
> > + wm_application_domain(wireshark_t, wireshark_exec_t)
> > +')
> > +
> > type wireshark_home_t;
> > typealias wireshark_home_t alias { user_wireshark_home_t
> > staff_wireshark_home_t sysadm_wireshark_home_t };
> > typealias wireshark_home_t alias { auditadm_wireshark_home_t
> > secadm_wireshark_home_t };

Best regards,

Guido

2016-12-27 20:59:55

by guido

Subject: [refpolicy] [PATCH v2] contrib: extend wm ability to launch confined graphical applications

Add the ability to launch other confined graphical applications
from the new confined window manager ("wm" module).

There might be other confined graphical applications that need
the wm_application_domain() interface...

Thanks to Christopher PeBenito for the useful review.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/gift.te | 4 ++++
policy/modules/contrib/telepathy.if | 4 ++++
policy/modules/contrib/thunderbird.te | 4 ++++
policy/modules/contrib/tvtime.te | 4 ++++
policy/modules/contrib/vmware.te | 4 ++++
policy/modules/contrib/wine.te | 4 ++++
policy/modules/contrib/wireshark.te | 4 ++++
7 files changed, 28 insertions(+)

diff -pru a/policy/modules/contrib/gift.te b/policy/modules/contrib/gift.te
--- a/policy/modules/contrib/gift.te 2016-08-14 21:28:11.492519574 +0200
+++ b/policy/modules/contrib/gift.te 2016-12-27 21:46:55.940779882 +0100
@@ -32,6 +32,10 @@ typealias giftd_t alias { auditadm_giftd
userdom_user_application_domain(giftd_t, giftd_exec_t)
role giftd_roles types giftd_t;

+optional_policy(`
+ wm_application_domain(gift_t, gift_exec_t)
+')
+
##############################
#
# Client local policy
diff -pru a/policy/modules/contrib/telepathy.if
b/policy/modules/contrib/telepathy.if
--- a/policy/modules/contrib/telepathy.if 2016-08-15 23:39:24.064783228 +0200
+++ b/policy/modules/contrib/telepathy.if 2016-12-27 21:48:38.748185501 +0100
@@ -22,6 +22,10 @@ template(`telepathy_domain_template',`
type telepathy_$1_tmp_t, telepathy_tmp_content;
userdom_user_tmp_file(telepathy_$1_tmp_t)

+ optional_policy(`
+ wm_application_domain(telepathy_$1_t, telepathy_$1_exec_t)
+ ')
+
auth_use_nsswitch(telepathy_$1_t)
')

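Review bot: The new optional_policy block sits between `userdom_user_tmp_file()` and the unconditional `auth_use_nsswitch()` call, whereas the .te hunks in this series place the block after the last unconditional declaration; moving it below `auth_use_nsswitch(telepathy_$1_t)`, immediately before the closing `')`, would keep the template consistent with the rest of the series and with the usual refpolicy layout of optional blocks last. This is a one-block move and does not change what the policy grants. The template begins before this hunk.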
diff -pru a/policy/modules/contrib/thunderbird.te
b/policy/modules/contrib/thunderbird.te
--- a/policy/modules/contrib/thunderbird.te 2016-12-09 01:16:17.773011439 +0100
+++ b/policy/modules/contrib/thunderbird.te 2016-12-27 21:48:59.588470089 +0100
@@ -24,6 +23,10 @@ typealias thunderbird_tmpfs_t alias { us
typealias thunderbird_tmpfs_t alias { auditadm_thunderbird_tmpfs_t
secadm_thunderbird_tmpfs_t };
userdom_user_tmpfs_file(thunderbird_tmpfs_t)

+optional_policy(`
+ wm_application_domain(thunderbird_t, thunderbird_exec_t)
+')
+
########################################
#
# Local policy
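Review bot: The hunk header `@@ -24,6 +23,10 @@` starts the new side one line earlier than the old side, yet the diffstat for this file lists four insertions and no deletions; the same one-line shift appears in the tvtime (`-29,6 +28,10`), vmware (`-60,6 +59,10`), wine (`-28,6 +27,10`) and wireshark (`-29,6 +28,10`) hunks, and only in the five files where v1 removed `userdom_user_application_domain()`. That suggests this diff was taken from a working tree in which those removals are still present and the corresponding hunks were dropped by hand, so the policy that was build-tested may not be the policy posted here. The hunks apply regardless, since patch locates them by context, but regenerating the series from a clean checkout would make the headers match and ensure the restored application-domain calls are actually exercised in the test build. The gift and telepathy hunks carry no shift, consistent with their v1 hunks having been pure insertions.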
diff -pru a/policy/modules/contrib/tvtime.te b/policy/modules/contrib/tvtime.te
--- a/policy/modules/contrib/tvtime.te 2016-08-14 21:28:11.585521003 +0200
+++ b/policy/modules/contrib/tvtime.te 2016-12-27 21:49:20.773759267 +0100
@@ -29,6 +28,10 @@ typealias tvtime_tmpfs_t alias { user_tv
typealias tvtime_tmpfs_t alias { auditadm_tvtime_tmpfs_t secadm_tvtime_tmpfs_t
};
userdom_user_tmpfs_file(tvtime_tmpfs_t)

+optional_policy(`
+ wm_application_domain(tvtime_t, tvtime_exec_t)
+')
+
########################################
#
# Local policy
diff -pru a/policy/modules/contrib/vmware.te b/policy/modules/contrib/vmware.te
--- a/policy/modules/contrib/vmware.te 2016-08-14 21:28:11.594521141 +0200
+++ b/policy/modules/contrib/vmware.te 2016-12-27 21:49:46.144105414 +0100
@@ -60,6 +59,10 @@ ifdef(`enable_mcs',`
init_ranged_daemon_domain(vmware_host_t, vmware_host_exec_t, s0 -
mcs_systemhigh)
')

+optional_policy(`
+ wm_application_domain(vmware_t, vmware_exec_t)
+')
+
########################################
#
# Host local policy
diff -pru a/policy/modules/contrib/wine.te b/policy/modules/contrib/wine.te
--- a/policy/modules/contrib/wine.te 2016-08-14 21:28:11.597521187 +0200
+++ b/policy/modules/contrib/wine.te 2016-12-27 21:50:02.956334703 +0100
@@ -28,6 +27,10 @@ userdom_user_home_content(wine_home_t)
type wine_tmp_t;
userdom_user_tmp_file(wine_tmp_t)

+optional_policy(`
+ wm_application_domain(wine_t, wine_exec_t)
+')
+
########################################
#
# Local policy
diff -pru a/policy/modules/contrib/wireshark.te
b/policy/modules/contrib/wireshark.te
--- a/policy/modules/contrib/wireshark.te 2016-08-14 21:28:11.597521187 +0200
+++ b/policy/modules/contrib/wireshark.te 2016-12-27 21:50:20.466573433 +0100
@@ -29,6 +28,10 @@ typealias wireshark_tmpfs_t alias { user
typealias wireshark_tmpfs_t alias { auditadm_wireshark_tmpfs_t
secadm_wireshark_tmpfs_t };
userdom_user_tmpfs_file(wireshark_tmpfs_t)

+optional_policy(`
+ wm_application_domain(wireshark_t, wireshark_exec_t)
+')
+
##############################
#
# Local Policy

2016-12-28 19:11:33

by Chris PeBenito

Subject: [refpolicy] [PATCH v2] contrib: extend wm ability to launch confined graphical applications

On 12/27/16 15:59, Guido Trentalancia via refpolicy wrote:
> Add the ability to launch other confined graphical applications
> from the new confined window manager ("wm" module).
>
> There might be other confined graphical applications that need
> the wm_application_domain() interface...
>
> Thanks to Christopher PeBenito for the useful review.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/gift.te | 4 ++++
> policy/modules/contrib/telepathy.if | 4 ++++
> policy/modules/contrib/thunderbird.te | 4 ++++
> policy/modules/contrib/tvtime.te | 4 ++++
> policy/modules/contrib/vmware.te | 4 ++++
> policy/modules/contrib/wine.te | 4 ++++
> policy/modules/contrib/wireshark.te | 4 ++++
> 7 files changed, 28 insertions(+)
>
> diff -pru a/policy/modules/contrib/gift.te b/policy/modules/contrib/gift.te
> --- a/policy/modules/contrib/gift.te 2016-08-14 21:28:11.492519574 +0200
> +++ b/policy/modules/contrib/gift.te 2016-12-27 21:46:55.940779882 +0100
> @@ -32,6 +32,10 @@ typealias giftd_t alias { auditadm_giftd
> userdom_user_application_domain(giftd_t, giftd_exec_t)
> role giftd_roles types giftd_t;
>
> +optional_policy(`
> + wm_application_domain(gift_t, gift_exec_t)
> +')
> +
> ##############################
> #
> # Client local policy
> diff -pru a/policy/modules/contrib/telepathy.if
> b/policy/modules/contrib/telepathy.if
> --- a/policy/modules/contrib/telepathy.if 2016-08-15 23:39:24.064783228 +0200
> +++ b/policy/modules/contrib/telepathy.if 2016-12-27 21:48:38.748185501 +0100
> @@ -22,6 +22,10 @@ template(`telepathy_domain_template',`
> type telepathy_$1_tmp_t, telepathy_tmp_content;
> userdom_user_tmp_file(telepathy_$1_tmp_t)
>
> + optional_policy(`
> + wm_application_domain(telepathy_$1_t, telepathy_$1_exec_t)
> + ')
> +
> auth_use_nsswitch(telepathy_$1_t)
> ')
>
> diff -pru a/policy/modules/contrib/thunderbird.te
> b/policy/modules/contrib/thunderbird.te
> --- a/policy/modules/contrib/thunderbird.te 2016-12-09 01:16:17.773011439 +0100
> +++ b/policy/modules/contrib/thunderbird.te 2016-12-27 21:48:59.588470089 +0100
> @@ -24,6 +23,10 @@ typealias thunderbird_tmpfs_t alias { us
> typealias thunderbird_tmpfs_t alias { auditadm_thunderbird_tmpfs_t
> secadm_thunderbird_tmpfs_t };
> userdom_user_tmpfs_file(thunderbird_tmpfs_t)
>
> +optional_policy(`
> + wm_application_domain(thunderbird_t, thunderbird_exec_t)
> +')
> +
> ########################################
> #
> # Local policy
> diff -pru a/policy/modules/contrib/tvtime.te b/policy/modules/contrib/tvtime.te
> --- a/policy/modules/contrib/tvtime.te 2016-08-14 21:28:11.585521003 +0200
> +++ b/policy/modules/contrib/tvtime.te 2016-12-27 21:49:20.773759267 +0100
> @@ -29,6 +28,10 @@ typealias tvtime_tmpfs_t alias { user_tv
> typealias tvtime_tmpfs_t alias { auditadm_tvtime_tmpfs_t secadm_tvtime_tmpfs_t
> };
> userdom_user_tmpfs_file(tvtime_tmpfs_t)
>
> +optional_policy(`
> + wm_application_domain(tvtime_t, tvtime_exec_t)
> +')
> +
> ########################################
> #
> # Local policy
> diff -pru a/policy/modules/contrib/vmware.te b/policy/modules/contrib/vmware.te
> --- a/policy/modules/contrib/vmware.te 2016-08-14 21:28:11.594521141 +0200
> +++ b/policy/modules/contrib/vmware.te 2016-12-27 21:49:46.144105414 +0100
> @@ -60,6 +59,10 @@ ifdef(`enable_mcs',`
> init_ranged_daemon_domain(vmware_host_t, vmware_host_exec_t, s0 -
> mcs_systemhigh)
> ')
>
> +optional_policy(`
> + wm_application_domain(vmware_t, vmware_exec_t)
> +')
> +
> ########################################
> #
> # Host local policy
> diff -pru a/policy/modules/contrib/wine.te b/policy/modules/contrib/wine.te
> --- a/policy/modules/contrib/wine.te 2016-08-14 21:28:11.597521187 +0200
> +++ b/policy/modules/contrib/wine.te 2016-12-27 21:50:02.956334703 +0100
> @@ -28,6 +27,10 @@ userdom_user_home_content(wine_home_t)
> type wine_tmp_t;
> userdom_user_tmp_file(wine_tmp_t)
>
> +optional_policy(`
> + wm_application_domain(wine_t, wine_exec_t)
> +')
> +
> ########################################
> #
> # Local policy
> diff -pru a/policy/modules/contrib/wireshark.te
> b/policy/modules/contrib/wireshark.te
> --- a/policy/modules/contrib/wireshark.te 2016-08-14 21:28:11.597521187 +0200
> +++ b/policy/modules/contrib/wireshark.te 2016-12-27 21:50:20.466573433 +0100
> @@ -29,6 +28,10 @@ typealias wireshark_tmpfs_t alias { user
> typealias wireshark_tmpfs_t alias { auditadm_wireshark_tmpfs_t
> secadm_wireshark_tmpfs_t };
> userdom_user_tmpfs_file(wireshark_tmpfs_t)
>
> +optional_policy(`
> + wm_application_domain(wireshark_t, wireshark_exec_t)
> +')
> +

Merged.

--
Chris PeBenito