From: guido@trentalancia.net (Guido Trentalancia)
Date: Sun, 11 Dec 2016 22:56:03 +0100
Subject: [refpolicy] [PATCH v3] wm: update the window manager (wm) module and enable its role template
In-Reply-To:
References: <1481130053.3300.9.camel@trentalancia.net> <1481217618.20182.8.camel@trentalancia.net> <1481322107.2989.1.camel@trentalancia.net> <8ab3fb4a-3892-0fd3-100f-97d375489432@ieee.org> <1481487209.2628.12.camel@trentalancia.net>
Message-ID: <1481493363.24999.3.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, 11/12/2016 at 15.47 -0500, Chris PeBenito wrote:
> On 12/11/16 15:13, Guido Trentalancia via refpolicy wrote:
> >
> > On Sun, 11/12/2016 at 15.04 -0500, Chris PeBenito wrote:
> > >
> > > On 12/09/16 17:21, Guido Trentalancia via refpolicy wrote:
> > > >
> > > > Enable the window manager role (wm contrib module) and update
> > > > the module to work with gnome-shell.
> > > >
> > > > This second version introduces better integration with common
> > > > desktop applications and requires the following recently posted
> > > > patch for the games module:
> > > >
> > > > [PATCH v3 1/2] games: general update and improved pulseaudio
> > > > integration
> > > > http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html
> > > >
> > > > This patch might need some more testing (I have received no
> > > > feedback yet).
> > > > > > > > Signed-off-by: Guido Trentalancia > > > > --- > > > > ?policy/modules/contrib/wm.if???????|???42 ++++++++++++++++++++ > > > > ?policy/modules/contrib/wm.te???????|???75 > > > > ++++++++++++++++++++++++++++++++++++- > > > > ?policy/modules/roles/staff.te??????|????1 > > > > ?policy/modules/roles/sysadm.te?????|????1 > > > > ?policy/modules/roles/unprivuser.te |????1 > > > > ?5 files changed, 119 insertions(+), 1 deletion(-) > > > > > > [...] > > > > > > > > > > > > > > > diff -pruN refpolicy-git-07122016- > > > > orig/policy/modules/roles/staff.te refpolicy-git- > > > > 07122016/policy/modules/roles/staff.te > > > > --- refpolicy-git-07122016-orig/policy/modules/roles/staff.te > > > > 2016-12-07 13:39:08.669449296 +0100 > > > > +++ refpolicy-git-07122016/policy/modules/roles/staff.te > > > > 201 > > > > 6-12-08 22:25:26.327711806 +0100 > > > > @@ -85,6 +85,7 @@ ifndef(`distro_redhat',` > > > > > > > > ? optional_policy(` > > > > ? gnome_role_template(staff, staff_r, > > > > staff_t) > > > > + wm_role_template(staff, staff_r, > > > > staff_t) > > > > ? ') > > > > > > > > ? optional_policy(` > > > > diff -pruN refpolicy-git-07122016- > > > > orig/policy/modules/roles/sysadm.te refpolicy-git- > > > > 07122016/policy/modules/roles/sysadm.te > > > > --- refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te > > > > 2016-12-07 13:39:08.669449296 +0100 > > > > +++ refpolicy-git-07122016/policy/modules/roles/sysadm.te > > > > 20 > > > > 16-12-08 22:25:26.343712120 +0100 
> > > > @@ -1245,6 +1245,7 @@ ifndef(`distro_redhat',` > > > > > > > > ? optional_policy(` > > > > ? gnome_role_template(sysadm, sysadm_r, > > > > sysadm_t) > > > > + wm_role_template(sysadm, sysadm_r, > > > > sysadm_t) > > > > ? ') > > > > ? ') > > > > > > > > diff -pruN refpolicy-git-07122016- > > > > orig/policy/modules/roles/unprivuser.te refpolicy-git- > > > > 07122016/policy/modules/roles/unprivuser.te > > > > --- refpolicy-git-07122016- > > > > orig/policy/modules/roles/unprivuser.te > > > > 2016-12-07 13:39:08.669449296 +0100 > > > > +++ refpolicy-git-07122016/policy/modules/roles/unprivuser.te > > > > 2016-12-08 22:25:26.344712139 +0100 
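Review bot: In the staff.te and sysadm.te hunks above (the unprivuser.te hunk that follows has the same shape), `wm_role_template(...)` is placed inside the existing `optional_policy` block that already holds `gnome_role_template(...)`. An `optional_policy` block is compiled out as a whole when any module it references is absent, so this ties the gnome role template to the wm module being loaded, which is the coupling questioned below. Suggest giving each template its own block, e.g. `optional_policy(\` gnome_role_template(staff, staff_r, staff_t) ')` followed by `optional_policy(\` wm_role_template(staff, staff_r, staff_t) ')`, so either role template is enabled whenever its own module is present; a brief note in the commit message stating that the wm role is only tested together with gnome-shell would also help reviewers.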
> > > > @@ -54,6 +54,7 @@ ifndef(`distro_redhat',` > > > > > > > > ? optional_policy(` > > > > ? gnome_role_template(user, user_r, > > > > user_t) > > > > + wm_role_template(user, user_r, user_t) > > > > ? ')
> > >
> > > So this change is essentially saying you can't use the gnome
> > > policy without the wm module.  Is that really the case?  It seems
> > > like they would be separate optionals.
> >
> > It's preferable to have a confined window manager, instead of one
>
> In this case, I'd emphasize "preferable" here.  It's not for
> everyone.
>
> > running in the user domain and that is therefore more easily
> > exploited.
> >
> > That's the meaning of this patch.
> >
> > However, I understand we should make sure it works with all window
> > managers, so I am actually seeking help to test it with window
> > managers other than gnome-shell.
> >
> > Because at the moment, the patch is only tested with gnome-shell
> > (to be honest, not even with gnome-panel/metacity because of a lack
> > of time), I do not suggest (yet) making them separate optionals.
> > That would mandate a confined window manager even for setups that
> > have not been tested yet.
>
> I don't understand how making separate optionals mandates a confined
> window manager.  It does the reverse.

As it is, the wm role should be enabled only if the dbus and gnome
modules are loaded.

Similarly, as it is, the gnome role should be enabled only if the dbus
and the wm module are loaded.

In particular, because the wm role has not been tested without gnome,
it is currently enabled only in combination with the gnome role.

Regards,

Guido
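For readers following the "separate optionals" point, the two structures under discussion are written out below for the staff role. This is an added illustration, not code from the patch or from refpolicy itself; it assumes the refpolicy `optional_policy` macro semantics, under which a block is dropped as a whole whenever a module referenced inside it is not loaded.

```m4
# Structure used by the patch: one optional_policy block holding both
# templates.  Because the whole block is compiled out when any module
# it references is missing, the gnome role template is lost whenever
# the wm module is not loaded, and the wm role template is lost
# whenever the gnome module is not loaded.
optional_policy(`
	gnome_role_template(staff, staff_r, staff_t)
	wm_role_template(staff, staff_r, staff_t)
')

# Separate optionals, as suggested in the review: each template is
# enabled on its own whenever its module is loaded.  With the wm module
# absent, the second block compiles out and gnome_role_template still
# applies, so nothing here forces a confined window manager on a setup
# that does not ship the wm module.
optional_policy(`
	gnome_role_template(staff, staff_r, staff_t)
')

optional_policy(`
	wm_role_template(staff, staff_r, staff_t)
')
```

The combined form is the right choice only when one role template must never be active without the other; when the intent is merely that the wm role is untested without gnome, that is a documentation matter rather than something to encode in the block structure.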