From: guido@trentalancia.net (Guido Trentalancia)
Date: Sun, 11 Dec 2016 21:13:29 +0100
Subject: [refpolicy] [PATCH v3] wm: update the window manager (wm) module and enable its role template
In-Reply-To: <8ab3fb4a-3892-0fd3-100f-97d375489432@ieee.org>
References: <1481130053.3300.9.camel@trentalancia.net> <1481217618.20182.8.camel@trentalancia.net> <1481322107.2989.1.camel@trentalancia.net> <8ab3fb4a-3892-0fd3-100f-97d375489432@ieee.org>
Message-ID: <1481487209.2628.12.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, 11/12/2016 at 15.04 -0500, Chris PeBenito wrote:
> On 12/09/16 17:21, Guido Trentalancia via refpolicy wrote:
> >
> > Enable the window manager role (wm contrib module) and update
> > the module to work with gnome-shell.
> >
> > This second version introduces better integration with common
> > desktop applications and requires the following recently posted
> > patch for the games module:
> >
> > [PATCH v3 1/2] games: general update and improved pulseaudio
> > integration
> > http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html
> >
> > This patch might need some more testing (I have received no
> > feedback yet).
> >
> > Signed-off-by: Guido Trentalancia
> > ---
> >  policy/modules/contrib/wm.if       |   42 ++++++++++++++++++++
> >  policy/modules/contrib/wm.te       |   75
> > ++++++++++++++++++++++++++++++++++++-
> >  policy/modules/roles/staff.te      |    1
> >  policy/modules/roles/sysadm.te     |    1
> >  policy/modules/roles/unprivuser.te |    1
> >  5 files changed, 119 insertions(+), 1 deletion(-)
>
> [...]
>
> >
> > diff -pruN refpolicy-git-07122016-
> > orig/policy/modules/roles/staff.te refpolicy-git-
> > 07122016/policy/modules/roles/staff.te
> > --- refpolicy-git-07122016-orig/policy/modules/roles/staff.te
> > 2016-12-07 13:39:08.669449296 +0100
> > +++ refpolicy-git-07122016/policy/modules/roles/staff.te 201
> > 6-12-08 22:25:26.327711806 +0100
> > @@ -85,6 +85,7 @@ ifndef(`distro_redhat',`
> >
> > ? optional_policy(`
> > ? gnome_role_template(staff, staff_r,
> > staff_t)
> > + wm_role_template(staff, staff_r, staff_t)
> > ? ')
> >
> > ? optional_policy(`
> > diff -pruN refpolicy-git-07122016-
> > orig/policy/modules/roles/sysadm.te refpolicy-git-
> > 07122016/policy/modules/roles/sysadm.te
> > --- refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te
> > 2016-12-07 13:39:08.669449296 +0100
> > +++ refpolicy-git-07122016/policy/modules/roles/sysadm.te 20
> > 16-12-08 22:25:26.343712120 +0100
> > @@ -1245,6 +1245,7 @@ ifndef(`distro_redhat',`
> >
> > ? optional_policy(`
> > ? gnome_role_template(sysadm, sysadm_r,
> > sysadm_t)
> > + wm_role_template(sysadm, sysadm_r,
> > sysadm_t)
> > ? ')
> > ? ')
> >
> > diff -pruN refpolicy-git-07122016-
> > orig/policy/modules/roles/unprivuser.te refpolicy-git-
> > 07122016/policy/modules/roles/unprivuser.te
> > --- refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te
> > 2016-12-07 13:39:08.669449296 +0100
> > +++ refpolicy-git-07122016/policy/modules/roles/unprivuser.te
> > 2016-12-08 22:25:26.344712139 +0100
> > @@ -54,6 +54,7 @@ ifndef(`distro_redhat',`
> >
> > ? optional_policy(`
> > ? gnome_role_template(user, user_r, user_t)
> > + wm_role_template(user, user_r, user_t)
> > ? ')
>
> So this change is essentially saying you can't use the gnome
> policy without the wm module.  Is that really the case?  It seems like they
> would be separate optionals.

It's preferable to have a confined window manager, instead of one running in the user domain, which is therefore more easily exploited. That's the meaning of this patch.

However, I understand we should make sure it works with all window managers, so I am actually seeking help to test it with window managers other than gnome-shell.

Because at the moment the patch is only tested with gnome-shell (to be honest, not even with gnome-panel/metacity, because of a lack of time), I do not suggest (yet) making them separate optionals. That would mandate a confined window manager even for setups that have not been tested yet.

Regards,

Guido
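Review bot: in all three role hunks quoted above (staff.te @@ -85, sysadm.te @@ -1245, unprivuser.te @@ -54) the new wm_role_template(...) call is added inside the existing optional_policy(` ... ') block that already contains gnome_role_template(...), and an optional_policy block is enabled or disabled as a single unit, so a policy built without the wm module would also drop the gnome role template for that role; that is the coupling the question in the quoted reply points at. Suggest giving wm its own block directly after the gnome one, for example in staff.te:
optional_policy(`
wm_role_template(staff, staff_r, staff_t)
')
and the equivalent for sysadm and user, so that each module remains independently optional. Note also that the wm.if and wm.te changes listed in the diffstat are elided here ([...]), so the interface being called cannot be checked from this excerpt.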