* [refpolicy] [PATCH] wm: update the window manager (wm) module and enable its role template
@ 2016-12-07 17:00 Guido Trentalancia
2016-12-08 17:20 ` [refpolicy] [PATCH v2] " Guido Trentalancia
0 siblings, 1 reply; 47+ messages in thread
From: Guido Trentalancia @ 2016-12-07 17:00 UTC (permalink / raw)
To: refpolicy
Enable the window manager role (wm contrib module) and update
the module to work with gnome-shell.
This patch might need some more testing.
Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
policy/modules/contrib/pulseaudio.if | 19 +++++++++++
policy/modules/contrib/wm.if | 44 +++++++++++++++++++++++++
policy/modules/contrib/wm.te | 60 +++++++++++++++++++++++++++++++++++
policy/modules/roles/staff.te | 1
policy/modules/roles/sysadm.te | 1
policy/modules/roles/unprivuser.te | 1
6 files changed, 126 insertions(+)
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/pulseaudio.if refpolicy-git-07122016/policy/modules/contrib/pulseaudio.if
--- refpolicy-git-07122016-orig/policy/modules/contrib/pulseaudio.if 2016-09-27 16:28:51.964139648 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/pulseaudio.if 2016-12-07 15:10:27.059274266 +0100
@@ -424,3 +424,22 @@ interface(`pulseaudio_rw_tmpfs_files',`
fs_search_tmpfs($1)
rw_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
')
+
+#######################################
+## <summary>
+## Manage pulseaudio tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_manage_tmpfs_files',`
+ gen_require(`
+ type pulseaudio_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ manage_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
+')
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.if refpolicy-git-07122016/policy/modules/contrib/wm.if
--- refpolicy-git-07122016-orig/policy/modules/contrib/wm.if 2016-08-14 21:28:11.597521187 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/wm.if 2016-12-07 15:35:20.731380616 +0100
@@ -47,6 +47,8 @@ template(`wm_role_template',`
# Policy
#
+ allow $3 $1_wm_t:fd use;
+
allow $1_wm_t $3:unix_stream_socket connectto;
allow $3 $1_wm_t:unix_stream_socket connectto;
@@ -72,6 +74,7 @@ template(`wm_role_template',`
xserver_manage_core_devices($1_wm_t)
optional_policy(`
+ dbus_connect_spec_session_bus($1, $1_wm_t)
dbus_spec_session_bus_client($1, $1_wm_t)
dbus_system_bus_client($1_wm_t)
@@ -81,11 +84,14 @@ template(`wm_role_template',`
')
optional_policy(`
+ gnome_dbus_chat_gkeyringd($1, $1_wm_t)
gnome_stream_connect_gkeyringd($1, $1_wm_t)
')
optional_policy(`
pulseaudio_run($1_wm_t, $2)
+ pulseaudio_manage_tmpfs_files($1_wm_t)
+ pulseaudio_use_fds($1_wm_t)
')
')
@@ -134,3 +140,41 @@ interface(`wm_dbus_chat',`
allow $2 $1_wm_t:dbus send_msg;
allow $1_wm_t $2:dbus send_msg;
')
+
+########################################
+## <summary>
+## Do not audit attempts to execute
+## files in temporary directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`wm_dontaudit_exec_tmp_files',`
+ gen_require(`
+ type wm_tmp_t;
+ ')
+
+ dontaudit $1 wm_tmp_t:file exec_file_perms;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to execute
+## files in temporary filesystems.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`wm_dontaudit_exec_tmpfs_files',`
+ gen_require(`
+ type wm_tmpfs_t;
+ ')
+
+ dontaudit $1 wm_tmpfs_t:file exec_file_perms;
+')
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.te refpolicy-git-07122016/policy/modules/contrib/wm.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/wm.te 2016-10-29 16:29:19.762328008 +0200
+++ refpolicy-git-07122016/policy/modules/contrib/wm.te 2016-12-07 17:31:22.224279047 +0100
@@ -10,6 +10,14 @@ attribute wm_domain;
type wm_exec_t;
corecmd_executable_file(wm_exec_t)
+type wm_tmp_t;
+typealias wm_tmp_t alias { user_wm_tmp_t staff_wm_tmp_t sysadm_wm_tmp_t };
+userdom_user_tmp_file(wm_tmp_t)
+
+type wm_tmpfs_t;
+typealias wm_tmpfs_t alias { user_wm_tmpfs_t staff_wm_tmpfs_t sysadm_wm_tmpfs_t };
+userdom_user_tmpfs_file(wm_tmpfs_t)
+
########################################
#
# Common wm domain local policy
@@ -21,31 +29,60 @@ allow wm_domain self:netlink_kobject_uev
allow wm_domain self:shm create_shm_perms;
allow wm_domain self:unix_dgram_socket create_socket_perms;
+manage_dirs_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
+manage_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
+manage_lnk_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t)
+files_tmp_filetrans(wm_domain, wm_tmp_t, { dir file lnk_file })
+
+manage_dirs_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
+manage_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
+manage_lnk_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t)
+fs_tmpfs_filetrans(wm_domain, wm_tmpfs_t, { dir file lnk_file })
+
+can_exec(wm_domain, wm_exec_t)
+
kernel_read_system_state(wm_domain)
corecmd_getattr_all_executables(wm_domain)
+dev_read_rand(wm_domain)
dev_read_sound(wm_domain)
dev_read_sysfs(wm_domain)
dev_read_urand(wm_domain)
+dev_rw_dri(wm_domain)
dev_rw_wireless(wm_domain)
dev_write_sound(wm_domain)
+files_read_etc_runtime_files(wm_domain)
files_read_usr_files(wm_domain)
fs_getattr_all_fs(wm_domain)
+kernel_read_fs_sysctls(wm_domain)
+kernel_read_proc_symlinks(wm_domain)
+kernel_read_sysctl(wm_domain)
+
miscfiles_read_fonts(wm_domain)
+miscfiles_read_generic_certs(wm_domain)
miscfiles_read_localization(wm_domain)
+udev_read_pid_files(wm_domain)
+
+# this is needed by gnome-shell
+userdom_exec_user_home_content_files(wm_domain)
+
userdom_manage_user_tmp_sockets(wm_domain)
userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file)
userdom_manage_user_home_content_dirs(wm_domain)
userdom_manage_user_home_content_files(wm_domain)
+
userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file })
+wm_dontaudit_exec_tmp_files(wm_domain)
+wm_dontaudit_exec_tmpfs_files(wm_domain)
+
optional_policy(`
accountsd_dbus_chat(wm_domain)
')
@@ -55,10 +92,29 @@ optional_policy(`
')
optional_policy(`
+ consolekit_dbus_chat(wm_domain)
+')
+
+optional_policy(`
devicekit_dbus_chat_power(wm_domain)
')
optional_policy(`
+ evolution_dbus_chat(wm_domain)
+ evolution_alarm_dbus_chat(wm_domain)
+ evolution_domtrans(wm_domain)
+')
+
+optional_policy(`
+ java_domtrans(wm_domain)
+')
+
+optional_policy(`
+ mozilla_domtrans(wm_domain)
+ mozilla_dbus_chat(wm_domain)
+')
+
+optional_policy(`
networkmanager_dbus_chat(wm_domain)
')
@@ -71,5 +127,9 @@ optional_policy(`
')
optional_policy(`
+ telepathy_mission_control_dbus_chat(wm_domain)
+')
+
+optional_policy(`
userhelper_exec_consolehelper(wm_domain)
')
diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/staff.te refpolicy-git-07122016/policy/modules/roles/staff.te
--- refpolicy-git-07122016-orig/policy/modules/roles/staff.te 2016-12-07 13:39:08.669449296 +0100
+++ refpolicy-git-07122016/policy/modules/roles/staff.te 2016-12-07 14:25:33.901912856 +0100
@@ -85,6 +85,7 @@ ifndef(`distro_redhat',`
optional_policy(`
gnome_role_template(staff, staff_r, staff_t)
+ wm_role_template(staff, staff_r, staff_t)
')
optional_policy(`
diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te refpolicy-git-07122016/policy/modules/roles/sysadm.te
--- refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te 2016-12-07 13:39:08.669449296 +0100
+++ refpolicy-git-07122016/policy/modules/roles/sysadm.te 2016-12-07 14:25:47.421044474 +0100
@@ -1245,6 +1245,7 @@ ifndef(`distro_redhat',`
optional_policy(`
gnome_role_template(sysadm, sysadm_r, sysadm_t)
+ wm_role_template(sysadm, sysadm_r, sysadm_t)
')
')
diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te refpolicy-git-07122016/policy/modules/roles/unprivuser.te
--- refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te 2016-12-07 13:39:08.669449296 +0100
+++ refpolicy-git-07122016/policy/modules/roles/unprivuser.te 2016-12-07 14:25:08.289662967 +0100
@@ -54,6 +54,7 @@ ifndef(`distro_redhat',`
optional_policy(`
gnome_role_template(user, user_r, user_t)
+ wm_role_template(user, user_r, user_t)
')
optional_policy(`
^ permalink raw reply [flat|nested] 47+ messages in thread* [refpolicy] [PATCH v2] wm: update the window manager (wm) module and enable its role template 2016-12-07 17:00 [refpolicy] [PATCH] wm: update the window manager (wm) module and enable its role template Guido Trentalancia @ 2016-12-08 17:20 ` Guido Trentalancia 2016-12-08 17:51 ` Dominick Grift 2016-12-09 22:21 ` [refpolicy] [PATCH v3] " Guido Trentalancia 0 siblings, 2 replies; 47+ messages in thread From: Guido Trentalancia @ 2016-12-08 17:20 UTC (permalink / raw) To: refpolicy Enable the window manager role (wm contrib module) and update the module to work with gnome-shell. This second version introduces better integration with common desktop applications and requires the following recently posted patch for the games module: [PATCH 1/2] games: general update and improved pulseaudio integration http://oss.tresys.com/pipermail/refpolicy/2016-December/008650.html This patch might need some more testing. Signed-off-by: Guido Trentalancia <guido@trentalancia.net> --- policy/modules/contrib/pulseaudio.if | 19 +++++++++ policy/modules/contrib/wm.if | 44 +++++++++++++++++++++ policy/modules/contrib/wm.te | 73 +++++++++++++++++++++++++++++++++++ policy/modules/roles/staff.te | 1 policy/modules/roles/sysadm.te | 1 policy/modules/roles/unprivuser.te | 1 6 files changed, 139 insertions(+) diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/pulseaudio.if refpolicy-git-07122016/policy/modules/contrib/pulseaudio.if --- refpolicy-git-07122016-orig/policy/modules/contrib/pulseaudio.if 2016-09-27 16:28:51.964139648 +0200 +++ refpolicy-git-07122016/policy/modules/contrib/pulseaudio.if 2016-12-08 15:47:40.117740787 +0100 @@ -424,3 +424,22 @@ interface(`pulseaudio_rw_tmpfs_files',` fs_search_tmpfs($1) rw_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) ') + +####################################### +## <summary> +## Manage pulseaudio tmpfs files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pulseaudio_manage_tmpfs_files',` + gen_require(` + type pulseaudio_tmpfs_t; + ') + + fs_search_tmpfs($1) + manage_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) +') diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.if refpolicy-git-07122016/policy/modules/contrib/wm.if --- refpolicy-git-07122016-orig/policy/modules/contrib/wm.if 2016-08-14 21:28:11.597521187 +0200 +++ refpolicy-git-07122016/policy/modules/contrib/wm.if 2016-12-08 15:47:40.118740804 +0100 @@ -47,6 +47,8 @@ template(`wm_role_template',` # Policy # + allow $3 $1_wm_t:fd use; + allow $1_wm_t $3:unix_stream_socket connectto; allow $3 $1_wm_t:unix_stream_socket connectto; @@ -72,6 +74,7 @@ template(`wm_role_template',` xserver_manage_core_devices($1_wm_t) optional_policy(` + dbus_connect_spec_session_bus($1, $1_wm_t) dbus_spec_session_bus_client($1, $1_wm_t) dbus_system_bus_client($1_wm_t) @@ -81,11 +84,14 @@ template(`wm_role_template',` ') optional_policy(` + gnome_dbus_chat_gkeyringd($1, $1_wm_t) gnome_stream_connect_gkeyringd($1, $1_wm_t) ') optional_policy(` pulseaudio_run($1_wm_t, $2) + pulseaudio_manage_tmpfs_files($1_wm_t) + pulseaudio_use_fds($1_wm_t) ') ') @@ -134,3 +140,41 @@ interface(`wm_dbus_chat',` allow $2 $1_wm_t:dbus send_msg; allow $1_wm_t $2:dbus send_msg; ') + +######################################## +## <summary> +## Do not audit attempts to execute +## files in temporary directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`wm_dontaudit_exec_tmp_files',` + gen_require(` + type wm_tmp_t; + ') + + dontaudit $1 wm_tmp_t:file exec_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to execute +## files in temporary filesystems. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`wm_dontaudit_exec_tmpfs_files',` + gen_require(` + type wm_tmpfs_t; + ') + + dontaudit $1 wm_tmpfs_t:file exec_file_perms; +') diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.te refpolicy-git-07122016/policy/modules/contrib/wm.te --- refpolicy-git-07122016-orig/policy/modules/contrib/wm.te 2016-10-29 16:29:19.762328008 +0200 +++ refpolicy-git-07122016/policy/modules/contrib/wm.te 2016-12-08 17:57:40.843768477 +0100 @@ -10,6 +10,14 @@ attribute wm_domain; type wm_exec_t; corecmd_executable_file(wm_exec_t) +type wm_tmp_t; +typealias wm_tmp_t alias { user_wm_tmp_t staff_wm_tmp_t sysadm_wm_tmp_t }; +userdom_user_tmp_file(wm_tmp_t) + +type wm_tmpfs_t; +typealias wm_tmpfs_t alias { user_wm_tmpfs_t staff_wm_tmpfs_t sysadm_wm_tmpfs_t }; +userdom_user_tmpfs_file(wm_tmpfs_t) + ######################################## # # Common wm domain local policy @@ -21,31 +29,60 @@ allow wm_domain self:netlink_kobject_uev allow wm_domain self:shm create_shm_perms; allow wm_domain self:unix_dgram_socket create_socket_perms; +manage_dirs_pattern(wm_domain, wm_tmp_t, wm_tmp_t) +manage_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t) +manage_lnk_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t) +files_tmp_filetrans(wm_domain, wm_tmp_t, { dir file lnk_file }) + +manage_dirs_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) +manage_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) +manage_lnk_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) +fs_tmpfs_filetrans(wm_domain, wm_tmpfs_t, { dir file lnk_file }) + +can_exec(wm_domain, wm_exec_t) + kernel_read_system_state(wm_domain) corecmd_getattr_all_executables(wm_domain) +dev_read_rand(wm_domain) dev_read_sound(wm_domain) dev_read_sysfs(wm_domain) dev_read_urand(wm_domain) +dev_rw_dri(wm_domain) dev_rw_wireless(wm_domain) dev_write_sound(wm_domain) +files_read_etc_runtime_files(wm_domain) files_read_usr_files(wm_domain) fs_getattr_all_fs(wm_domain) +kernel_read_fs_sysctls(wm_domain) +kernel_read_proc_symlinks(wm_domain) +kernel_read_sysctl(wm_domain) + miscfiles_read_fonts(wm_domain) +miscfiles_read_generic_certs(wm_domain) miscfiles_read_localization(wm_domain) +udev_read_pid_files(wm_domain) + +# this is needed by gnome-shell +userdom_exec_user_home_content_files(wm_domain) + userdom_manage_user_tmp_sockets(wm_domain) userdom_tmp_filetrans_user_tmp(wm_domain, sock_file) userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file) userdom_manage_user_home_content_dirs(wm_domain) userdom_manage_user_home_content_files(wm_domain) + userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file }) +wm_dontaudit_exec_tmp_files(wm_domain) +wm_dontaudit_exec_tmpfs_files(wm_domain) + optional_policy(` accountsd_dbus_chat(wm_domain) ') @@ -55,10 +92,42 @@ optional_policy(` ') optional_policy(` + consolekit_dbus_chat(wm_domain) +') + +optional_policy(` devicekit_dbus_chat_power(wm_domain) ') optional_policy(` + evolution_dbus_chat(wm_domain) + evolution_alarm_dbus_chat(wm_domain) + evolution_domtrans(wm_domain) +') + +optional_policy(` + games_dbus_chat(wm_domain) + games_domtrans(wm_domain) +') + +optional_policy(` + java_domtrans(wm_domain) +') + +optional_policy(` + mono_domtrans(wm_domain) +') + +optional_policy(` + mozilla_domtrans(wm_domain) + mozilla_dbus_chat(wm_domain) +') + +optional_policy(` + mplayer_domtrans(wm_domain) +') + +optional_policy(` networkmanager_dbus_chat(wm_domain) ') @@ -71,5 +140,9 @@ optional_policy(` ') optional_policy(` + telepathy_mission_control_dbus_chat(wm_domain) +') + +optional_policy(` userhelper_exec_consolehelper(wm_domain) ') diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/staff.te refpolicy-git-07122016/policy/modules/roles/staff.te --- refpolicy-git-07122016-orig/policy/modules/roles/staff.te 2016-12-07 13:39:08.669449296 +0100 +++ refpolicy-git-07122016/policy/modules/roles/staff.te 2016-12-08 15:47:40.140741170 +0100 @@ -85,6 +85,7 @@ ifndef(`distro_redhat',` optional_policy(` gnome_role_template(staff, staff_r, staff_t) + wm_role_template(staff, staff_r, staff_t) ') optional_policy(` diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te refpolicy-git-07122016/policy/modules/roles/sysadm.te --- refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te 2016-12-07 13:39:08.669449296 +0100 +++ refpolicy-git-07122016/policy/modules/roles/sysadm.te 2016-12-08 15:47:40.141741187 +0100 @@ -1245,6 +1245,7 @@ ifndef(`distro_redhat',` optional_policy(` gnome_role_template(sysadm, sysadm_r, sysadm_t) + wm_role_template(sysadm, sysadm_r, sysadm_t) ') ') diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te refpolicy-git-07122016/policy/modules/roles/unprivuser.te --- refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te 2016-12-07 13:39:08.669449296 +0100 +++ refpolicy-git-07122016/policy/modules/roles/unprivuser.te 2016-12-08 15:47:40.141741187 +0100 @@ -54,6 +54,7 @@ ifndef(`distro_redhat',` optional_policy(` gnome_role_template(user, user_r, user_t) + wm_role_template(user, user_r, user_t) ') optional_policy(` ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH v2] wm: update the window manager (wm) module and enable its role template 2016-12-08 17:20 ` [refpolicy] [PATCH v2] " Guido Trentalancia @ 2016-12-08 17:51 ` Dominick Grift 2016-12-08 20:53 ` Guido Trentalancia 2016-12-09 22:21 ` [refpolicy] [PATCH v3] " Guido Trentalancia 1 sibling, 1 reply; 47+ messages in thread From: Dominick Grift @ 2016-12-08 17:51 UTC (permalink / raw) To: refpolicy i On 12/08/2016 06:20 PM, Guido Trentalancia via refpolicy wrote: > Enable the window manager role (wm contrib module) and update > the module to work with gnome-shell. > > This second version introduces better integration with common > desktop applications and requires the following recently posted > patch for the games module: > > [PATCH 1/2] games: general update and improved pulseaudio integration > http://oss.tresys.com/pipermail/refpolicy/2016-December/008650.html > > This patch might need some more testing. Yes, i dont think this should be merged. Also gnome-shell is a wm but its not every wm needs the permissions that gnome-shell needs. We should either give gnome-shell its own domain or add the gnome-shell specific rules to a tunable. For example: gnome-shell is a wayland compositor. but there are many more things that gnome shell needs that a "normal" window manager should never need. > > Signed-off-by: Guido Trentalancia <guido@trentalancia.net> > --- > policy/modules/contrib/pulseaudio.if | 19 +++++++++ > policy/modules/contrib/wm.if | 44 +++++++++++++++++++++ > policy/modules/contrib/wm.te | 73 +++++++++++++++++++++++++++++++++++ > policy/modules/roles/staff.te | 1 > policy/modules/roles/sysadm.te | 1 > policy/modules/roles/unprivuser.te | 1 > 6 files changed, 139 insertions(+) > > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/pulseaudio.if refpolicy-git-07122016/policy/modules/contrib/pulseaudio.if > --- refpolicy-git-07122016-orig/policy/modules/contrib/pulseaudio.if 2016-09-27 16:28:51.964139648 +0200 > +++ refpolicy-git-07122016/policy/modules/contrib/pulseaudio.if 2016-12-08 15:47:40.117740787 +0100 > @@ -424,3 +424,22 @@ interface(`pulseaudio_rw_tmpfs_files',` > fs_search_tmpfs($1) > rw_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) > ') > + > +####################################### > +## <summary> > +## Manage pulseaudio tmpfs files. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +# > +interface(`pulseaudio_manage_tmpfs_files',` > + gen_require(` > + type pulseaudio_tmpfs_t; > + ') > + > + fs_search_tmpfs($1) > + manage_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) > +') does not make sense, and i would like to know what prompted you to add this (preferably backed with avc denials) wm should is a pulseaudio_client and pulseaudio_client can already rw and delete pulseaudio_tmpfs_files. It should not need more than that. > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.if refpolicy-git-07122016/policy/modules/contrib/wm.if > --- refpolicy-git-07122016-orig/policy/modules/contrib/wm.if 2016-08-14 21:28:11.597521187 +0200 > +++ refpolicy-git-07122016/policy/modules/contrib/wm.if 2016-12-08 15:47:40.118740804 +0100 > @@ -47,6 +47,8 @@ template(`wm_role_template',` > # Policy > # > > + allow $3 $1_wm_t:fd use; > + > allow $1_wm_t $3:unix_stream_socket connectto; > allow $3 $1_wm_t:unix_stream_socket connectto; > > @@ -72,6 +74,7 @@ template(`wm_role_template',` > xserver_manage_core_devices($1_wm_t) > > optional_policy(` > + dbus_connect_spec_session_bus($1, $1_wm_t) > dbus_spec_session_bus_client($1, $1_wm_t) > dbus_system_bus_client($1_wm_t) > > @@ -81,11 +84,14 @@ template(`wm_role_template',` > ') > > optional_policy(` > + gnome_dbus_chat_gkeyringd($1, $1_wm_t) > gnome_stream_connect_gkeyringd($1, $1_wm_t) > ') > > optional_policy(` > pulseaudio_run($1_wm_t, $2) > + pulseaudio_manage_tmpfs_files($1_wm_t) > + pulseaudio_use_fds($1_wm_t) these shouldnt be needed. what prompted you to add these? (preferably show avc denials) > ') > ') > > @@ -134,3 +140,41 @@ interface(`wm_dbus_chat',` > allow $2 $1_wm_t:dbus send_msg; > allow $1_wm_t $2:dbus send_msg; > ') > + > +######################################## > +## <summary> > +## Do not audit attempts to execute > +## files in temporary directories. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain to not audit. > +## </summary> > +## </param> > +# > +interface(`wm_dontaudit_exec_tmp_files',` > + gen_require(` > + type wm_tmp_t; > + ') > + > + dontaudit $1 wm_tmp_t:file exec_file_perms; > +') > + > +######################################## > +## <summary> > +## Do not audit attempts to execute > +## files in temporary filesystems. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain to not audit. > +## </summary> > +## </param> > +# > +interface(`wm_dontaudit_exec_tmpfs_files',` > + gen_require(` > + type wm_tmpfs_t; > + ') > + > + dontaudit $1 wm_tmpfs_t:file exec_file_perms; > +') > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.te refpolicy-git-07122016/policy/modules/contrib/wm.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/wm.te 2016-10-29 16:29:19.762328008 +0200 > +++ refpolicy-git-07122016/policy/modules/contrib/wm.te 2016-12-08 17:57:40.843768477 +0100 > @@ -10,6 +10,14 @@ attribute wm_domain; > type wm_exec_t; > corecmd_executable_file(wm_exec_t) > > +type wm_tmp_t; > +typealias wm_tmp_t alias { user_wm_tmp_t staff_wm_tmp_t sysadm_wm_tmp_t }; > +userdom_user_tmp_file(wm_tmp_t) > + > +type wm_tmpfs_t; > +typealias wm_tmpfs_t alias { user_wm_tmpfs_t staff_wm_tmpfs_t sysadm_wm_tmpfs_t }; > +userdom_user_tmpfs_file(wm_tmpfs_t) this is a pulseaudio_tmpfs_file() > + > ######################################## > # > # Common wm domain local policy > @@ -21,31 +29,60 @@ allow wm_domain self:netlink_kobject_uev > allow wm_domain self:shm create_shm_perms; > allow wm_domain self:unix_dgram_socket create_socket_perms; > > +manage_dirs_pattern(wm_domain, wm_tmp_t, wm_tmp_t) > +manage_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t) > +manage_lnk_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t) > +files_tmp_filetrans(wm_domain, wm_tmp_t, { dir file lnk_file }) > + > +manage_dirs_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) > +manage_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) > +manage_lnk_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) > +fs_tmpfs_filetrans(wm_domain, wm_tmpfs_t, { dir file lnk_file }) > + > +can_exec(wm_domain, wm_exec_t) > + > kernel_read_system_state(wm_domain) > > corecmd_getattr_all_executables(wm_domain) > > +dev_read_rand(wm_domain) > dev_read_sound(wm_domain) > dev_read_sysfs(wm_domain) > dev_read_urand(wm_domain) > +dev_rw_dri(wm_domain) > dev_rw_wireless(wm_domain) > dev_write_sound(wm_domain) > > +files_read_etc_runtime_files(wm_domain) > files_read_usr_files(wm_domain) > > fs_getattr_all_fs(wm_domain) > > +kernel_read_fs_sysctls(wm_domain) > +kernel_read_proc_symlinks(wm_domain) > +kernel_read_sysctl(wm_domain) > + > miscfiles_read_fonts(wm_domain) > +miscfiles_read_generic_certs(wm_domain) > miscfiles_read_localization(wm_domain) > > +udev_read_pid_files(wm_domain) > + > +# this is needed by gnome-shell > +userdom_exec_user_home_content_files(wm_domain) What exactly is it executing here? > + > userdom_manage_user_tmp_sockets(wm_domain) > userdom_tmp_filetrans_user_tmp(wm_domain, sock_file) > userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file) > > userdom_manage_user_home_content_dirs(wm_domain) > userdom_manage_user_home_content_files(wm_domain) > + > userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file }) > > +wm_dontaudit_exec_tmp_files(wm_domain) > +wm_dontaudit_exec_tmpfs_files(wm_domain) why dontaudit the above? gnome-shell needs to mmap some files > + > optional_policy(` > accountsd_dbus_chat(wm_domain) > ') > @@ -55,10 +92,42 @@ optional_policy(` > ') > > optional_policy(` > + consolekit_dbus_chat(wm_domain) > +') > + > +optional_policy(` > devicekit_dbus_chat_power(wm_domain) > ') > > optional_policy(` > + evolution_dbus_chat(wm_domain) > + evolution_alarm_dbus_chat(wm_domain) > + evolution_domtrans(wm_domain) > +') > + > +optional_policy(` > + games_dbus_chat(wm_domain) > + games_domtrans(wm_domain) > +') > + > +optional_policy(` > + java_domtrans(wm_domain) > +') > + > +optional_policy(` > + mono_domtrans(wm_domain) > +') > + > +optional_policy(` > + mozilla_domtrans(wm_domain) > + mozilla_dbus_chat(wm_domain) > +') > + > +optional_policy(` > + mplayer_domtrans(wm_domain) > +') > + > +optional_policy(` > networkmanager_dbus_chat(wm_domain) > ') > > @@ -71,5 +140,9 @@ optional_policy(` > ') > > optional_policy(` > + telepathy_mission_control_dbus_chat(wm_domain) > +') > + > +optional_policy(` > userhelper_exec_consolehelper(wm_domain) > ') > diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/staff.te refpolicy-git-07122016/policy/modules/roles/staff.te > --- refpolicy-git-07122016-orig/policy/modules/roles/staff.te 2016-12-07 13:39:08.669449296 +0100 > +++ refpolicy-git-07122016/policy/modules/roles/staff.te 2016-12-08 15:47:40.140741170 +0100 > @@ -85,6 +85,7 @@ ifndef(`distro_redhat',` > > optional_policy(` > gnome_role_template(staff, staff_r, staff_t) > + wm_role_template(staff, staff_r, staff_t) > ') > > optional_policy(` > diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te refpolicy-git-07122016/policy/modules/roles/sysadm.te > --- refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te 2016-12-07 13:39:08.669449296 +0100 > +++ refpolicy-git-07122016/policy/modules/roles/sysadm.te 2016-12-08 15:47:40.141741187 +0100 > @@ -1245,6 +1245,7 @@ ifndef(`distro_redhat',` > > optional_policy(` > gnome_role_template(sysadm, sysadm_r, sysadm_t) > + wm_role_template(sysadm, sysadm_r, sysadm_t) > ') > ') > > diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te refpolicy-git-07122016/policy/modules/roles/unprivuser.te > --- refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te 2016-12-07 13:39:08.669449296 +0100 > +++ refpolicy-git-07122016/policy/modules/roles/unprivuser.te 2016-12-08 15:47:40.141741187 +0100 > @@ -54,6 +54,7 @@ ifndef(`distro_redhat',` > > optional_policy(` > gnome_role_template(user, user_r, user_t) > + wm_role_template(user, user_r, user_t) > ') > > optional_policy(` > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 648 bytes Desc: OpenPGP digital signature Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20161208/531781e2/attachment.bin ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH v2] wm: update the window manager (wm) module and enable its role template 2016-12-08 17:51 ` Dominick Grift @ 2016-12-08 20:53 ` Guido Trentalancia 2016-12-08 21:13 ` Dominick Grift 0 siblings, 1 reply; 47+ messages in thread From: Guido Trentalancia @ 2016-12-08 20:53 UTC (permalink / raw) To: refpolicy On Thu, 08/12/2016 at 18.51 +0100, Dominick Grift via refpolicy wrote: > i > On 12/08/2016 06:20 PM, Guido Trentalancia via refpolicy wrote: > > > > Enable the window manager role (wm contrib module) and update > > the module to work with gnome-shell. > > > > This second version introduces better integration with common > > desktop applications and requires the following recently posted > > patch for the games module: > > > > [PATCH 1/2] games: general update and improved pulseaudio > > integration > > http://oss.tresys.com/pipermail/refpolicy/2016-December/008650.html > > > > This patch might need some more testing. > > Yes, i dont think this should be merged. It needs to be tested with other window managers. Have you found any actual limitation with the old gnome (gnome- panel/metacity), kde or others ? > Also gnome-shell is a wm but its not every wm needs the permissions > that > gnome-shell needs. We should either give gnome-shell its own domain > or > add the gnome-shell specific rules to a tunable. > > For example: gnome-shell is a wayland compositor. but there are many > more things that gnome shell needs that a "normal" window manager > should > never need. The permissions that have been added are very general and harmless.? Therefore, although theoretically one could distinguish between gnome- shell and other window managers, there is very little benefit in forking the policy. > > Signed-off-by: Guido Trentalancia <guido@trentalancia.net> > > --- > > ?policy/modules/contrib/pulseaudio.if |???19 +++++++++ > > ?policy/modules/contrib/wm.if?????????|???44 +++++++++++++++++++++ > > ?policy/modules/contrib/wm.te?????????|???73 > > +++++++++++++++++++++++++++++++++++ > > ?policy/modules/roles/staff.te????????|????1 > > ?policy/modules/roles/sysadm.te???????|????1 > > ?policy/modules/roles/unprivuser.te???|????1 > > ?6 files changed, 139 insertions(+) > > > > diff -pruN refpolicy-git-07122016- > > orig/policy/modules/contrib/pulseaudio.if refpolicy-git- > > 07122016/policy/modules/contrib/pulseaudio.if > > --- refpolicy-git-07122016- > > orig/policy/modules/contrib/pulseaudio.if 2016-09-27 > > 16:28:51.964139648 +0200 > > +++ refpolicy-git-07122016/policy/modules/contrib/pulseaudio.if > > 2016-12-08 15:47:40.117740787 +0100 > > @@ -424,3 +424,22 @@ interface(`pulseaudio_rw_tmpfs_files',` > > ? fs_search_tmpfs($1) > > ? rw_files_pattern($1, pulseaudio_tmpfs_t, > > pulseaudio_tmpfs_t) > > ?') > > + > > +####################################### > > +## <summary> > > +## Manage pulseaudio tmpfs files. > > +## </summary> > > +## <param name="domain"> > > +## <summary> > > +## Domain allowed access. > > +## </summary> > > +## </param> > > +# > > +interface(`pulseaudio_manage_tmpfs_files',` > > + gen_require(` > > + type pulseaudio_tmpfs_t; > > + ') > > + > > + fs_search_tmpfs($1) > > + manage_files_pattern($1, pulseaudio_tmpfs_t, > > pulseaudio_tmpfs_t) > > +') > > does not make sense, and i would like to know what prompted you to > add > this (preferably backed with avc denials) It's needed to unlink them. Probably stale files from previous sessions. > wm should is a pulseaudio_client and pulseaudio_client can already rw > and delete pulseaudio_tmpfs_files. It should not need more than that. I decided to avoid using the pulseaudio_client attribute because it implies other unneeded permissions, including corenet permissions that are quite undesirable. > > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.if > > refpolicy-git-07122016/policy/modules/contrib/wm.if > > --- refpolicy-git-07122016-orig/policy/modules/contrib/wm.if > > 2016-08-14 21:28:11.597521187 +0200 > > +++ refpolicy-git-07122016/policy/modules/contrib/wm.if 2016 > > -12-08 15:47:40.118740804 +0100 > > @@ -47,6 +47,8 @@ template(`wm_role_template',` > > ? # Policy > > ? # > > ? > > + allow $3 $1_wm_t:fd use; > > + > > ? allow $1_wm_t $3:unix_stream_socket connectto; > > ? allow $3 $1_wm_t:unix_stream_socket connectto; > > ? > > @@ -72,6 +74,7 @@ template(`wm_role_template',` > > ? xserver_manage_core_devices($1_wm_t) > > ? > > ? optional_policy(` > > + dbus_connect_spec_session_bus($1, $1_wm_t) > > ? dbus_spec_session_bus_client($1, $1_wm_t) > > ? dbus_system_bus_client($1_wm_t) > > ? > > @@ -81,11 +84,14 @@ template(`wm_role_template',` > > ? ') > > ? > > ? optional_policy(` > > + gnome_dbus_chat_gkeyringd($1, $1_wm_t) > > ? gnome_stream_connect_gkeyringd($1, $1_wm_t) > > ? ') > > ? > > ? optional_policy(` > > ? pulseaudio_run($1_wm_t, $2) > > + pulseaudio_manage_tmpfs_files($1_wm_t) > > + pulseaudio_use_fds($1_wm_t) > > these shouldnt be needed. what prompted you to add these? (preferably > show avc denials) See above. Stale files need to be unlinked. > > ? ') > > ?') > > ? > > @@ -134,3 +140,41 @@ interface(`wm_dbus_chat',` > > ? allow $2 $1_wm_t:dbus send_msg; > > ? allow $1_wm_t $2:dbus send_msg; > > ?') > > + > > +######################################## > > +## <summary> > > +## Do not audit attempts to execute > > +## files in temporary directories. > > +## </summary> > > +## <param name="domain"> > > +## <summary> > > +## Domain to not audit. > > +## </summary> > > +## </param> > > +# > > +interface(`wm_dontaudit_exec_tmp_files',` > > + gen_require(` > > + type wm_tmp_t; > > + ') > > + > > + dontaudit $1 wm_tmp_t:file exec_file_perms; > > +') > > + > > +######################################## > > +## <summary> > > +## Do not audit attempts to execute > > +## files in temporary filesystems. > > +## </summary> > > +## <param name="domain"> > > +## <summary> > > +## Domain to not audit. > > +## </summary> > > +## </param> > > +# > > +interface(`wm_dontaudit_exec_tmpfs_files',` > > + gen_require(` > > + type wm_tmpfs_t; > > + ') > > + > > + dontaudit $1 wm_tmpfs_t:file exec_file_perms; > > +') > > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.te > > refpolicy-git-07122016/policy/modules/contrib/wm.te > > --- refpolicy-git-07122016-orig/policy/modules/contrib/wm.te > > 2016-10-29 16:29:19.762328008 +0200 > > +++ refpolicy-git-07122016/policy/modules/contrib/wm.te 2016 > > -12-08 17:57:40.843768477 +0100 > > @@ -10,6 +10,14 @@ attribute wm_domain; > > ?type wm_exec_t; > > ?corecmd_executable_file(wm_exec_t) > > ? > > +type wm_tmp_t; > > +typealias wm_tmp_t alias { user_wm_tmp_t staff_wm_tmp_t > > sysadm_wm_tmp_t }; > > +userdom_user_tmp_file(wm_tmp_t) > > + > > +type wm_tmpfs_t; > > +typealias wm_tmpfs_t alias { user_wm_tmpfs_t staff_wm_tmpfs_t > > sysadm_wm_tmpfs_t }; > > +userdom_user_tmpfs_file(wm_tmpfs_t) > > this is a pulseaudio_tmpfs_file() I am not sure about that. It works fine, so at the moment I can't see a reason to change it. It is probably used to create libffi files and not pulseaudio files (that I expect to be created by the pulseaudio process). See below. > > + > > ?######################################## > > ?# > > ?# Common wm domain local policy > > @@ -21,31 +29,60 @@ allow wm_domain self:netlink_kobject_uev > > ?allow wm_domain self:shm create_shm_perms; > > ?allow wm_domain self:unix_dgram_socket create_socket_perms; > > ? > > +manage_dirs_pattern(wm_domain, wm_tmp_t, wm_tmp_t) > > +manage_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t) > > +manage_lnk_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t) > > +files_tmp_filetrans(wm_domain, wm_tmp_t, { dir file lnk_file }) > > + > > +manage_dirs_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) > > +manage_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) > > +manage_lnk_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) > > +fs_tmpfs_filetrans(wm_domain, wm_tmpfs_t, { dir file lnk_file }) > > + > > +can_exec(wm_domain, wm_exec_t) > > + > > ?kernel_read_system_state(wm_domain) > > ? > > ?corecmd_getattr_all_executables(wm_domain) > > ? > > +dev_read_rand(wm_domain) > > ?dev_read_sound(wm_domain) > > ?dev_read_sysfs(wm_domain) > > ?dev_read_urand(wm_domain) > > +dev_rw_dri(wm_domain) > > ?dev_rw_wireless(wm_domain) > > ?dev_write_sound(wm_domain) > > ? > > +files_read_etc_runtime_files(wm_domain) > > ?files_read_usr_files(wm_domain) > > ? > > ?fs_getattr_all_fs(wm_domain) > > ? > > +kernel_read_fs_sysctls(wm_domain) > > +kernel_read_proc_symlinks(wm_domain) > > +kernel_read_sysctl(wm_domain) > > + > > ?miscfiles_read_fonts(wm_domain) > > +miscfiles_read_generic_certs(wm_domain) > > ?miscfiles_read_localization(wm_domain) > > ? > > +udev_read_pid_files(wm_domain) > > + > > +# this is needed by gnome-shell > > +userdom_exec_user_home_content_files(wm_domain) > > What exactly is it executing here? I think it is executing files generated by libffi. > > + > > ?userdom_manage_user_tmp_sockets(wm_domain) > > ?userdom_tmp_filetrans_user_tmp(wm_domain, sock_file) > > ?userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file) > > ? > > ?userdom_manage_user_home_content_dirs(wm_domain) > > ?userdom_manage_user_home_content_files(wm_domain) > > + > > ?userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir > > file }) > > ? > > +wm_dontaudit_exec_tmp_files(wm_domain) > > +wm_dontaudit_exec_tmpfs_files(wm_domain) > > why dontaudit the above? gnome-shell needs to mmap some files See above. I decided to let gnome-shell create and execute libffi files in the home directory instead of tmp. This is much safer. > > + > > ?optional_policy(` > > ? accountsd_dbus_chat(wm_domain) > > ?') > > @@ -55,10 +92,42 @@ optional_policy(` > > ?') > > ? > > ?optional_policy(` > > + consolekit_dbus_chat(wm_domain) > > +') > > + > > +optional_policy(` > > ? devicekit_dbus_chat_power(wm_domain) > > ?') > > ? > > ?optional_policy(` > > + evolution_dbus_chat(wm_domain) > > + evolution_alarm_dbus_chat(wm_domain) > > + evolution_domtrans(wm_domain) > > +') > > + > > +optional_policy(` > > + games_dbus_chat(wm_domain) > > + games_domtrans(wm_domain) > > +') > > + > > +optional_policy(` > > + java_domtrans(wm_domain) > > +') > > + > > +optional_policy(` > > + mono_domtrans(wm_domain) > > +') > > + > > +optional_policy(` > > + mozilla_domtrans(wm_domain) > > + mozilla_dbus_chat(wm_domain) > > +') > > + > > +optional_policy(` > > + mplayer_domtrans(wm_domain) > > +') > > + > > +optional_policy(` > > ? networkmanager_dbus_chat(wm_domain) > > ?') > > ? > > @@ -71,5 +140,9 @@ optional_policy(` > > ?') > > ? > > ?optional_policy(` > > + telepathy_mission_control_dbus_chat(wm_domain) > > +') > > + > > +optional_policy(` > > ? userhelper_exec_consolehelper(wm_domain) > > ?') > > diff -pruN refpolicy-git-07122016- > > orig/policy/modules/roles/staff.te refpolicy-git- > > 07122016/policy/modules/roles/staff.te > > --- refpolicy-git-07122016-orig/policy/modules/roles/staff.te > > 2016-12-07 13:39:08.669449296 +0100 > > +++ refpolicy-git-07122016/policy/modules/roles/staff.te 201 > > 6-12-08 15:47:40.140741170 +0100 > > @@ -85,6 +85,7 @@ ifndef(`distro_redhat',` > > ? > > ? optional_policy(` > > ? gnome_role_template(staff, staff_r, > > staff_t) > > + wm_role_template(staff, staff_r, staff_t) > > ? ') > > ? > > ? optional_policy(` > > diff -pruN refpolicy-git-07122016- > > orig/policy/modules/roles/sysadm.te refpolicy-git- > > 07122016/policy/modules/roles/sysadm.te > > --- refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te > > 2016-12-07 13:39:08.669449296 +0100 > > +++ refpolicy-git-07122016/policy/modules/roles/sysadm.te 20 > > 16-12-08 15:47:40.141741187 +0100 > > @@ -1245,6 +1245,7 @@ ifndef(`distro_redhat',` > > ? > > ? optional_policy(` > > ? gnome_role_template(sysadm, sysadm_r, > > sysadm_t) > > + wm_role_template(sysadm, sysadm_r, > > sysadm_t) > > ? ') > > ? ') > > ? > > diff -pruN refpolicy-git-07122016- > > orig/policy/modules/roles/unprivuser.te refpolicy-git- > > 07122016/policy/modules/roles/unprivuser.te > > --- refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te > > 2016-12-07 13:39:08.669449296 +0100 > > +++ refpolicy-git-07122016/policy/modules/roles/unprivuser.te > > 2016-12-08 15:47:40.141741187 +0100 > > @@ -54,6 +54,7 @@ ifndef(`distro_redhat',` > > ? > > ? optional_policy(` > > ? gnome_role_template(user, user_r, user_t) > > + wm_role_template(user, user_r, user_t) > > ? ') > > ? > > ? optional_policy(` Guido ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH v2] wm: update the window manager (wm) module and enable its role template 2016-12-08 20:53 ` Guido Trentalancia @ 2016-12-08 21:13 ` Dominick Grift 2016-12-08 21:51 ` Guido Trentalancia 0 siblings, 1 reply; 47+ messages in thread From: Dominick Grift @ 2016-12-08 21:13 UTC (permalink / raw) To: refpolicy On 12/08/2016 09:53 PM, Guido Trentalancia via refpolicy wrote: > On Thu, 08/12/2016 at 18.51 +0100, Dominick Grift via refpolicy wrote: >> i >> On 12/08/2016 06:20 PM, Guido Trentalancia via refpolicy wrote: >>> >>> Enable the window manager role (wm contrib module) and update >>> the module to work with gnome-shell. >>> >>> This second version introduces better integration with common >>> desktop applications and requires the following recently posted >>> patch for the games module: >>> >>> [PATCH 1/2] games: general update and improved pulseaudio >>> integration >>> http://oss.tresys.com/pipermail/refpolicy/2016-December/008650.html >>> >>> This patch might need some more testing. >> >> Yes, i dont think this should be merged. > > It needs to be tested with other window managers. > > Have you found any actual limitation with the old gnome (gnome- > panel/metacity), kde or others ? > It is hard to explain but consider some of this stuff. gnome-shell connects to http ports, gnome-shell needs to be able to run programs on behalf of the calling user (ALT-f2), gnome-shell is a pulseaudio client, gnome-shell needs comms with: bluetooth, accountsd, geoclue, upower, logind: all things that a normal windows manager does not need. Not to mention that gnome requires permissions that are specific to wayland compositors >> Also gnome-shell is a wm but its not every wm needs the permissions >> that >> gnome-shell needs. We should either give gnome-shell its own domain >> or >> add the gnome-shell specific rules to a tunable. >> >> For example: gnome-shell is a wayland compositor. but there are many >> more things that gnome shell needs that a "normal" window manager >> should >> never need. > > The permissions that have been added are very general and harmless. For now maybe because the policy is not comprehensive >>> policy/modules/contrib/pulseaudio.if | 19 +++++++++ >>> policy/modules/contrib/wm.if | 44 +++++++++++++++++++++ >>> policy/modules/contrib/wm.te | 73 >>> +++++++++++++++++++++++++++++++++++ >>> policy/modules/roles/staff.te | 1 >>> policy/modules/roles/sysadm.te | 1 >>> policy/modules/roles/unprivuser.te | 1 >>> 6 files changed, 139 insertions(+) >>> >>> diff -pruN refpolicy-git-07122016- >>> orig/policy/modules/contrib/pulseaudio.if refpolicy-git- >>> 07122016/policy/modules/contrib/pulseaudio.if >>> --- refpolicy-git-07122016- >>> orig/policy/modules/contrib/pulseaudio.if 2016-09-27 >>> 16:28:51.964139648 +0200 >>> +++ refpolicy-git-07122016/policy/modules/contrib/pulseaudio.if >>> 2016-12-08 15:47:40.117740787 +0100 >>> @@ -424,3 +424,22 @@ interface(`pulseaudio_rw_tmpfs_files',` >>> fs_search_tmpfs($1) >>> rw_files_pattern($1, pulseaudio_tmpfs_t, >>> pulseaudio_tmpfs_t) >>> ') >>> + >>> +####################################### >>> +## <summary> >>> +## Manage pulseaudio tmpfs files. >>> +## </summary> >>> +## <param name="domain"> >>> +## <summary> >>> +## Domain allowed access. >>> +## </summary> >>> +## </param> >>> +# >>> +interface(`pulseaudio_manage_tmpfs_files',` >>> + gen_require(` >>> + type pulseaudio_tmpfs_t; >>> + ') >>> + >>> + fs_search_tmpfs($1) >>> + manage_files_pattern($1, pulseaudio_tmpfs_t, >>> pulseaudio_tmpfs_t) >>> +') >> >> does not make sense, and i would like to know what prompted you to >> add >> this (preferably backed with avc denials) > > It's needed to unlink them. Probably stale files from previous > sessions. > >> wm should is a pulseaudio_client and pulseaudio_client can already rw >> and delete pulseaudio_tmpfs_files. It should not need more than that. > > I decided to avoid using the pulseaudio_client attribute because it > implies other unneeded permissions, including corenet permissions that > are quite undesirable. > Those permissions aren't unneeded. They should be conditional maybe but there are configurations where clients may want to connect to pulseaudio via the network. >>> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.if >>> refpolicy-git-07122016/policy/modules/contrib/wm.if >>> --- refpolicy-git-07122016-orig/policy/modules/contrib/wm.if >>> 2016-08-14 21:28:11.597521187 +0200 >>> +++ refpolicy-git-07122016/policy/modules/contrib/wm.if 2016 >>> -12-08 15:47:40.118740804 +0100 >>> @@ -47,6 +47,8 @@ template(`wm_role_template',` >>> # Policy >>> # >>> >>> + allow $3 $1_wm_t:fd use; >>> + >>> allow $1_wm_t $3:unix_stream_socket connectto; >>> allow $3 $1_wm_t:unix_stream_socket connectto; >>> >>> @@ -72,6 +74,7 @@ template(`wm_role_template',` >>> xserver_manage_core_devices($1_wm_t) >>> >>> optional_policy(` >>> + dbus_connect_spec_session_bus($1, $1_wm_t) >>> dbus_spec_session_bus_client($1, $1_wm_t) >>> dbus_system_bus_client($1_wm_t) >>> >>> @@ -81,11 +84,14 @@ template(`wm_role_template',` >>> ') >>> >>> optional_policy(` >>> + gnome_dbus_chat_gkeyringd($1, $1_wm_t) >>> gnome_stream_connect_gkeyringd($1, $1_wm_t) >>> ') >>> >>> optional_policy(` >>> pulseaudio_run($1_wm_t, $2) >>> + pulseaudio_manage_tmpfs_files($1_wm_t) >>> + pulseaudio_use_fds($1_wm_t) >> >> these shouldnt be needed. what prompted you to add these? (preferably >> show avc denials) > > See above. Stale files need to be unlinked. That is a bug here then: https://github.com/TresysTechnology/refpolicy-contrib/blob/master/pulseaudio.te#L241 clients should then also be able to delete pulseaudio tmpfs files > >>> ') >>> ') >>> >>> @@ -134,3 +140,41 @@ interface(`wm_dbus_chat',` >>> allow $2 $1_wm_t:dbus send_msg; >>> allow $1_wm_t $2:dbus send_msg; >>> ') >>> + >>> +######################################## >>> +## <summary> >>> +## Do not audit attempts to execute >>> +## files in temporary directories. >>> +## </summary> >>> +## <param name="domain"> >>> +## <summary> >>> +## Domain to not audit. >>> +## </summary> >>> +## </param> >>> +# >>> +interface(`wm_dontaudit_exec_tmp_files',` >>> + gen_require(` >>> + type wm_tmp_t; >>> + ') >>> + >>> + dontaudit $1 wm_tmp_t:file exec_file_perms; >>> +') >>> + >>> +######################################## >>> +## <summary> >>> +## Do not audit attempts to execute >>> +## files in temporary filesystems. >>> +## </summary> >>> +## <param name="domain"> >>> +## <summary> >>> +## Domain to not audit. >>> +## </summary> >>> +## </param> >>> +# >>> +interface(`wm_dontaudit_exec_tmpfs_files',` >>> + gen_require(` >>> + type wm_tmpfs_t; >>> + ') >>> + >>> + dontaudit $1 wm_tmpfs_t:file exec_file_perms; >>> +') >>> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.te >>> refpolicy-git-07122016/policy/modules/contrib/wm.te >>> --- refpolicy-git-07122016-orig/policy/modules/contrib/wm.te >>> 2016-10-29 16:29:19.762328008 +0200 >>> +++ refpolicy-git-07122016/policy/modules/contrib/wm.te 2016 >>> -12-08 17:57:40.843768477 +0100 >>> @@ -10,6 +10,14 @@ attribute wm_domain; >>> type wm_exec_t; >>> corecmd_executable_file(wm_exec_t) >>> >>> +type wm_tmp_t; >>> +typealias wm_tmp_t alias { user_wm_tmp_t staff_wm_tmp_t >>> sysadm_wm_tmp_t }; >>> +userdom_user_tmp_file(wm_tmp_t) >>> + >>> +type wm_tmpfs_t; >>> +typealias wm_tmpfs_t alias { user_wm_tmpfs_t staff_wm_tmpfs_t >>> sysadm_wm_tmpfs_t }; >>> +userdom_user_tmpfs_file(wm_tmpfs_t) >> >> this is a pulseaudio_tmpfs_file() > > I am not sure about that. > > It works fine, so at the moment I can't see a reason to change it. > > It is probably used to create libffi files and not pulseaudio files > (that I expect to be created by the pulseaudio process). See below. > All pulseaudio clients need to be able to read/write/unlink eachother tmpfs files. >>> + >>> ######################################## >>> # >>> # Common wm domain local policy >>> @@ -21,31 +29,60 @@ allow wm_domain self:netlink_kobject_uev >>> allow wm_domain self:shm create_shm_perms; >>> allow wm_domain self:unix_dgram_socket create_socket_perms; >>> >>> +manage_dirs_pattern(wm_domain, wm_tmp_t, wm_tmp_t) >>> +manage_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t) >>> +manage_lnk_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t) >>> +files_tmp_filetrans(wm_domain, wm_tmp_t, { dir file lnk_file }) >>> + >>> +manage_dirs_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) >>> +manage_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) >>> +manage_lnk_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) >>> +fs_tmpfs_filetrans(wm_domain, wm_tmpfs_t, { dir file lnk_file }) >>> + >>> +can_exec(wm_domain, wm_exec_t) >>> + >>> kernel_read_system_state(wm_domain) >>> >>> corecmd_getattr_all_executables(wm_domain) >>> >>> +dev_read_rand(wm_domain) >>> dev_read_sound(wm_domain) >>> dev_read_sysfs(wm_domain) >>> dev_read_urand(wm_domain) >>> +dev_rw_dri(wm_domain) >>> dev_rw_wireless(wm_domain) >>> dev_write_sound(wm_domain) >>> >>> +files_read_etc_runtime_files(wm_domain) >>> files_read_usr_files(wm_domain) >>> >>> fs_getattr_all_fs(wm_domain) >>> >>> +kernel_read_fs_sysctls(wm_domain) >>> +kernel_read_proc_symlinks(wm_domain) >>> +kernel_read_sysctl(wm_domain) >>> + >>> miscfiles_read_fonts(wm_domain) >>> +miscfiles_read_generic_certs(wm_domain) >>> miscfiles_read_localization(wm_domain) >>> >>> +udev_read_pid_files(wm_domain) >>> + >>> +# this is needed by gnome-shell >>> +userdom_exec_user_home_content_files(wm_domain) >> >> What exactly is it executing here? > > I think it is executing files generated by libffi. and how do those files end up in $HOME, maybe because you're blocking access to tmp (XDG_RUNTIME_DIR)? /run/user/UID is first choice > >>> + >>> userdom_manage_user_tmp_sockets(wm_domain) >>> userdom_tmp_filetrans_user_tmp(wm_domain, sock_file) >>> userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file) >>> >>> userdom_manage_user_home_content_dirs(wm_domain) >>> userdom_manage_user_home_content_files(wm_domain) >>> + >>> userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir >>> file }) >>> >>> +wm_dontaudit_exec_tmp_files(wm_domain) >>> +wm_dontaudit_exec_tmpfs_files(wm_domain) >> >> why dontaudit the above? gnome-sheM These files are probably initially created in $CDG_RUNTIME_DIR which is the best place. However if you block that then it falls back to ~/.cache (which is second best) > >>> + >>> optional_policy(` >>> accountsd_dbus_chat(wm_domain) >>> ') >>> @@ -55,10 +92,42 @@ optional_policy(` >>> ') >>> >>> optional_policy(` >>> + consolekit_dbus_chat(wm_domain) >>> +') >>> + >>> +optional_policy(` >>> devicekit_dbus_chat_power(wm_domain) >>> ') >>> >>> optional_policy(` >>> + evolution_dbus_chat(wm_domain) >>> + evolution_alarm_dbus_chat(wm_domain) >>> + evolution_domtrans(wm_domain) >>> +') >>> + >>> +optional_policy(` >>> + games_dbus_chat(wm_domain) >>> + games_domtrans(wm_domain) >>> +') >>> + >>> +optional_policy(` >>> + java_domtrans(wm_domain) >>> +') >>> + >>> +optional_policy(` >>> + mono_domtrans(wm_domain) >>> +') >>> + >>> +optional_policy(` >>> + mozilla_domtrans(wm_domain) >>> + mozilla_dbus_chat(wm_domain) >>> +') >>> + >>> +optional_policy(` >>> + mplayer_domtrans(wm_domain) >>> +') >>> + >>> +optional_policy(` >>> networkmanager_dbus_chat(wm_domain) >>> ') >>> >>> @@ -71,5 +140,9 @@ optional_policy(` >>> ') >>> >>> optional_policy(` >>> + telepathy_mission_control_dbus_chat(wm_domain) >>> +') >>> + >>> +optional_policy(` >>> userhelper_exec_consolehelper(wm_domain) >>> ') >>> diff -pruN refpolicy-git-07122016- >>> orig/policy/modules/roles/staff.te refpolicy-git- >>> 07122016/policy/modules/roles/staff.te >>> --- refpolicy-git-07122016-orig/policy/modules/roles/staff.te >>> 2016-12-07 13:39:08.669449296 +0100 >>> +++ refpolicy-git-07122016/policy/modules/roles/staff.te 201 >>> 6-12-08 15:47:40.140741170 +0100 >>> @@ -85,6 +85,7 @@ ifndef(`distro_redhat',` >>> >>> optional_policy(` >>> gnome_role_template(staff, staff_r, >>> staff_t) >>> + wm_role_template(staff, staff_r, staff_t) >>> ') >>> >>> optional_policy(` >>> diff -pruN refpolicy-git-07122016- >>> orig/policy/modules/roles/sysadm.te refpolicy-git- >>> 07122016/policy/modules/roles/sysadm.te >>> --- refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te >>> 2016-12-07 13:39:08.669449296 +0100 >>> +++ refpolicy-git-07122016/policy/modules/roles/sysadm.te 20 >>> 16-12-08 15:47:40.141741187 +0100 >>> @@ -1245,6 +1245,7 @@ ifndef(`distro_redhat',` >>> >>> optional_policy(` >>> gnome_role_template(sysadm, sysadm_r, >>> sysadm_t) >>> + wm_role_template(sysadm, sysadm_r, >>> sysadm_t) >>> ') >>> ') >>> >>> diff -pruN refpolicy-git-07122016- >>> orig/policy/modules/roles/unprivuser.te refpolicy-git- >>> 07122016/policy/modules/roles/unprivuser.te >>> --- refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te >>> 2016-12-07 13:39:08.669449296 +0100 >>> +++ refpolicy-git-07122016/policy/modules/roles/unprivuser.te >>> 2016-12-08 15:47:40.141741187 +0100 >>> @@ -54,6 +54,7 @@ ifndef(`distro_redhat',` >>> >>> optional_policy(` >>> gnome_role_template(user, user_r, user_t) >>> + wm_role_template(user, user_r, user_t) >>> ') >>> >>> optional_policy(` > > Guido > > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 648 bytes Desc: OpenPGP digital signature Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20161208/dd863caa/attachment-0001.bin ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH v2] wm: update the window manager (wm) module and enable its role template 2016-12-08 21:13 ` Dominick Grift @ 2016-12-08 21:51 ` Guido Trentalancia 0 siblings, 0 replies; 47+ messages in thread From: Guido Trentalancia @ 2016-12-08 21:51 UTC (permalink / raw) To: refpolicy On Thu, 08/12/2016 at 22.13 +0100, Dominick Grift via refpolicy wrote: > On 12/08/2016 09:53 PM, Guido Trentalancia via refpolicy wrote: > > > > On Thu, 08/12/2016 at 18.51 +0100, Dominick Grift via refpolicy > > wrote: > > > > > > i > > > On 12/08/2016 06:20 PM, Guido Trentalancia via refpolicy wrote: > > > > > > > > > > > > Enable the window manager role (wm contrib module) and update > > > > the module to work with gnome-shell. > > > > > > > > This second version introduces better integration with common > > > > desktop applications and requires the following recently posted > > > > patch for the games module: > > > > > > > > [PATCH 1/2] games: general update and improved pulseaudio > > > > integration > > > > http://oss.tresys.com/pipermail/refpolicy/2016-December/008650. > > > > html > > > > > > > > This patch might need some more testing. > > > > > > Yes, i dont think this should be merged. > > > > It needs to be tested with other window managers. > > > > Have you found any actual limitation with the old gnome (gnome- > > panel/metacity), kde or others ? > > > > It is hard to explain but consider some of this stuff. gnome-shell > connects to http ports, gnome-shell needs to be able to run programs > on > behalf of the calling user (ALT-f2), gnome-shell is a pulseaudio > client, > gnome-shell needs comms with: bluetooth, accountsd, geoclue, upower, > logind: all things that a normal windows manager does not need. gnome-shell does not need to connect to http ports and the Alt-F2 key combination is not used to run programs. Once again, the difference in terms of permissions compared to the actual module is mostly general and harmless. > Not to mention that gnome requires permissions that are specific to > wayland compositors The module is only tested with the X server and not wayland. If and when support for wayland will be introduced, we'll decide whether or not to fork new policy specifically for gnome-shell. As already explained, at the moment, it definitely doesn't pay back. > > > Also gnome-shell is a wm but its not every wm needs the > > > permissions > > > that > > > gnome-shell needs. We should either give gnome-shell its own > > > domain > > > or > > > add the gnome-shell specific rules to a tunable. > > > > > > For example: gnome-shell is a wayland compositor. but there are > > > many > > > more things that gnome shell needs that a "normal" window manager > > > should > > > never need. > > > > The permissions that have been added are very general and > > harmless.? > > For now maybe because the policy is not comprehensive > > > > > > > > > > > > > > ?policy/modules/contrib/pulseaudio.if |???19 +++++++++ > > > > ?policy/modules/contrib/wm.if?????????|???44 > > > > +++++++++++++++++++++ > > > > ?policy/modules/contrib/wm.te?????????|???73 > > > > +++++++++++++++++++++++++++++++++++ > > > > ?policy/modules/roles/staff.te????????|????1 > > > > ?policy/modules/roles/sysadm.te???????|????1 > > > > ?policy/modules/roles/unprivuser.te??|????1 > > > > ?6 files changed, 139 insertions(+) > > > > > > > > diff -pruN refpolicy-git-07122016- > > > > orig/policy/modules/contrib/pulseaudio.if refpolicy-git- > > > > 07122016/policy/modules/contrib/pulseaudio.if > > > > --- refpolicy-git-07122016- > > > > orig/policy/modules/contrib/pulseaudio.if 2016-09-27 > > > > 16:28:51.964139648 +0200 > > > > +++ refpolicy-git-07122016/policy/modules/contrib/pulseaudio.if > > > > > > > > 2016-12-08 15:47:40.117740787 +0100 > > > > @@ -424,3 +424,22 @@ interface(`pulseaudio_rw_tmpfs_files',` > > > > ? fs_search_tmpfs($1) > > > > ? rw_files_pattern($1, pulseaudio_tmpfs_t, > > > > pulseaudio_tmpfs_t) > > > > ?') > > > > + > > > > +####################################### > > > > +## <summary> > > > > +## Manage pulseaudio tmpfs files. > > > > +## </summary> > > > > +## <param name="domain"> > > > > +## <summary> > > > > +## Domain allowed access. > > > > +## </summary> > > > > +## </param> > > > > +# > > > > +interface(`pulseaudio_manage_tmpfs_files',` > > > > + gen_require(` > > > > + type pulseaudio_tmpfs_t; > > > > + ') > > > > + > > > > + fs_search_tmpfs($1) > > > > + manage_files_pattern($1, pulseaudio_tmpfs_t, > > > > pulseaudio_tmpfs_t) > > > > +') > > > > > > does not make sense, and i would like to know what prompted you > > > to > > > add > > > this (preferably backed with avc denials) > > > > It's needed to unlink them. Probably stale files from previous > > sessions. > > > > > > > > wm should is a pulseaudio_client and pulseaudio_client can > > > already rw > > > and delete pulseaudio_tmpfs_files. It should not need more than > > > that. > > > > I decided to avoid using the pulseaudio_client attribute because it > > implies other unneeded permissions, including corenet permissions > > that > > are quite undesirable. > > > > Those permissions aren't unneeded. They should be conditional maybe > but > there are configurations where clients may want to connect to > pulseaudio > via the network. > > > > > > > > > > > > > > diff -pruN refpolicy-git-07122016- > > > > orig/policy/modules/contrib/wm.if? > > > > refpolicy-git-07122016/policy/modules/contrib/wm.if > > > > --- refpolicy-git-07122016-orig/policy/modules/contrib/wm.if > > > > 2016-08-14 21:28:11.597521187 +0200 > > > > +++ refpolicy-git-07122016/policy/modules/contrib/wm.if > > > > 2016 > > > > -12-08 15:47:40.118740804 +0100 > > > > @@ -47,6 +47,8 @@ template(`wm_role_template',` > > > > ? # Policy > > > > ? # > > > > ? > > > > + allow $3 $1_wm_t:fd use; > > > > + > > > > ? allow $1_wm_t $3:unix_stream_socket connectto; > > > > ? allow $3 $1_wm_t:unix_stream_socket connectto; > > > > ? > > > > @@ -72,6 +74,7 @@ template(`wm_role_template',` > > > > ? xserver_manage_core_devices($1_wm_t) > > > > ? > > > > ? optional_policy(` > > > > + dbus_connect_spec_session_bus($1, $1_wm_t) > > > > ? dbus_spec_session_bus_client($1, $1_wm_t) > > > > ? dbus_system_bus_client($1_wm_t) > > > > ? > > > > @@ -81,11 +84,14 @@ template(`wm_role_template',` > > > > ? ') > > > > ? > > > > ? optional_policy(` > > > > + gnome_dbus_chat_gkeyringd($1, $1_wm_t) > > > > ? gnome_stream_connect_gkeyringd($1, $1_wm_t) > > > > ? ') > > > > ? > > > > ? optional_policy(` > > > > ? pulseaudio_run($1_wm_t, $2) > > > > + pulseaudio_manage_tmpfs_files($1_wm_t) > > > > + pulseaudio_use_fds($1_wm_t) > > > > > > these shouldnt be needed. what prompted you to add these? > > > (preferably > > > show avc denials) > > > > See above. Stale files need to be unlinked. > > That is a bug here then: > > https://github.com/TresysTechnology/refpolicy-contrib/blob/master/pul > seaudio.te#L241 > > clients should then also be able to delete pulseaudio tmpfs files > > > > > > > > > > > > > > > > ? ') > > > > ?') > > > > ? > > > > @@ -134,3 +140,41 @@ interface(`wm_dbus_chat',` > > > > ? allow $2 $1_wm_t:dbus send_msg; > > > > ? allow $1_wm_t $2:dbus send_msg; > > > > ?') > > > > + > > > > +######################################## > > > > +## <summary> > > > > +## Do not audit attempts to execute > > > > +## files in temporary directories. > > > > +## </summary> > > > > +## <param name="domain"> > > > > +## <summary> > > > > +## Domain to not audit. > > > > +## </summary> > > > > +## </param> > > > > +# > > > > +interface(`wm_dontaudit_exec_tmp_files',` > > > > + gen_require(` > > > > + type wm_tmp_t; > > > > + ') > > > > + > > > > + dontaudit $1 wm_tmp_t:file exec_file_perms; > > > > +') > > > > + > > > > +######################################## > > > > +## <summary> > > > > +## Do not audit attempts to execute > > > > +## files in temporary filesystems. > > > > +## </summary> > > > > +## <param name="domain"> > > > > +## <summary> > > > > +## Domain to not audit. > > > > +## </summary> > > > > +## </param> > > > > +# > > > > +interface(`wm_dontaudit_exec_tmpfs_files',` > > > > + gen_require(` > > > > + type wm_tmpfs_t; > > > > + ') > > > > + > > > > + dontaudit $1 wm_tmpfs_t:file exec_file_perms; > > > > +') > > > > diff -pruN refpolicy-git-07122016- > > > > orig/policy/modules/contrib/wm.te? > > > > refpolicy-git-07122016/policy/modules/contrib/wm.te > > > > --- refpolicy-git-07122016-orig/policy/modules/contrib/wm.te > > > > 2016-10-29 16:29:19.762328008 +0200 > > > > +++ refpolicy-git-07122016/policy/modules/contrib/wm.te > > > > 2016 > > > > -12-08 17:57:40.843768477 +0100 > > > > @@ -10,6 +10,14 @@ attribute wm_domain; > > > > ?type wm_exec_t; > > > > ?corecmd_executable_file(wm_exec_t) > > > > ? > > > > +type wm_tmp_t; > > > > +typealias wm_tmp_t alias { user_wm_tmp_t staff_wm_tmp_t > > > > sysadm_wm_tmp_t }; > > > > +userdom_user_tmp_file(wm_tmp_t) > > > > + > > > > +type wm_tmpfs_t; > > > > +typealias wm_tmpfs_t alias { user_wm_tmpfs_t staff_wm_tmpfs_t > > > > sysadm_wm_tmpfs_t }; > > > > +userdom_user_tmpfs_file(wm_tmpfs_t) > > > > > > this is a pulseaudio_tmpfs_file() > > > > I am not sure about that. > > > > It works fine, so at the moment I can't see a reason to change it. > > > > It is probably used to create libffi files and not pulseaudio files > > (that I expect to be created by the pulseaudio process). See below. > > > > All pulseaudio clients need to be able to read/write/unlink eachother > tmpfs files. > > > > > > > > > > > > > > + > > > > ?######################################## > > > > ?# > > > > ?# Common wm domain local policy > > > > @@ -21,31 +29,60 @@ allow wm_domain self:netlink_kobject_uev > > > > ?allow wm_domain self:shm create_shm_perms; > > > > ?allow wm_domain self:unix_dgram_socket create_socket_perms; > > > > ? > > > > +manage_dirs_pattern(wm_domain, wm_tmp_t, wm_tmp_t) > > > > +manage_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t) > > > > +manage_lnk_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t) > > > > +files_tmp_filetrans(wm_domain, wm_tmp_t, { dir file lnk_file > > > > }) > > > > + > > > > +manage_dirs_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) > > > > +manage_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) > > > > +manage_lnk_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) > > > > +fs_tmpfs_filetrans(wm_domain, wm_tmpfs_t, { dir file lnk_file > > > > }) > > > > + > > > > +can_exec(wm_domain, wm_exec_t) > > > > + > > > > ?kernel_read_system_state(wm_domain) > > > > ? > > > > ?corecmd_getattr_all_executables(wm_domain) > > > > ? > > > > +dev_read_rand(wm_domain) > > > > ?dev_read_sound(wm_domain) > > > > ?dev_read_sysfs(wm_domain) > > > > ?dev_read_urand(wm_domain) > > > > +dev_rw_dri(wm_domain) > > > > ?dev_rw_wireless(wm_domain) > > > > ?dev_write_sound(wm_domain) > > > > ? > > > > +files_read_etc_runtime_files(wm_domain) > > > > ?files_read_usr_files(wm_domain) > > > > ? > > > > ?fs_getattr_all_fs(wm_domain) > > > > ? > > > > +kernel_read_fs_sysctls(wm_domain) > > > > +kernel_read_proc_symlinks(wm_domain) > > > > +kernel_read_sysctl(wm_domain) > > > > + > > > > ?miscfiles_read_fonts(wm_domain) > > > > +miscfiles_read_generic_certs(wm_domain) > > > > ?miscfiles_read_localization(wm_domain) > > > > ? > > > > +udev_read_pid_files(wm_domain) > > > > + > > > > +# this is needed by gnome-shell > > > > +userdom_exec_user_home_content_files(wm_domain) > > > > > > What exactly is it executing here? > > > > I think it is executing files generated by libffi. > > and how do those files end up in $HOME, maybe because you're blocking > access to tmp (XDG_RUNTIME_DIR)? > > /run/user/UID is first choice No, it doesn't work like that. And the home directory is the safest option. > > > > + > > > > ?userdom_manage_user_tmp_sockets(wm_domain) > > > > ?userdom_tmp_filetrans_user_tmp(wm_domain, sock_file) > > > > ?userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file) > > > > ? > > > > ?userdom_manage_user_home_content_dirs(wm_domain) > > > > ?userdom_manage_user_home_content_files(wm_domain) > > > > + > > > > ?userdom_user_home_dir_filetrans_user_home_content(wm_domain, { > > > > dir > > > > file }) > > > > ? > > > > +wm_dontaudit_exec_tmp_files(wm_domain) > > > > +wm_dontaudit_exec_tmpfs_files(wm_domain) > > > > > > why dontaudit the above? gnome-sheM > > > These files are probably initially created in $CDG_RUNTIME_DIR which > is > the best place. However if you block that then it falls back to > ~/.cache > (which is second best) > > > > > > > > > > > > > > > > + > > > > ?optional_policy(` > > > > ? accountsd_dbus_chat(wm_domain) > > > > ?') > > > > @@ -55,10 +92,42 @@ optional_policy(` > > > > ?') > > > > ? > > > > ?optional_policy(` > > > > + consolekit_dbus_chat(wm_domain) > > > > +') > > > > + > > > > +optional_policy(` > > > > ? devicekit_dbus_chat_power(wm_domain) > > > > ?') > > > > ? > > > > ?optional_policy(` > > > > + evolution_dbus_chat(wm_domain) > > > > + evolution_alarm_dbus_chat(wm_domain) > > > > + evolution_domtrans(wm_domain) > > > > +') > > > > + > > > > +optional_policy(` > > > > + games_dbus_chat(wm_domain) > > > > + games_domtrans(wm_domain) > > > > +') > > > > + > > > > +optional_policy(` > > > > + java_domtrans(wm_domain) > > > > +') > > > > + > > > > +optional_policy(` > > > > + mono_domtrans(wm_domain) > > > > +') > > > > + > > > > +optional_policy(` > > > > + mozilla_domtrans(wm_domain) > > > > + mozilla_dbus_chat(wm_domain) > > > > +') > > > > + > > > > +optional_policy(` > > > > + mplayer_domtrans(wm_domain) > > > > +') > > > > + > > > > +optional_policy(` > > > > ? networkmanager_dbus_chat(wm_domain) > > > > ?') > > > > ? > > > > @@ -71,5 +140,9 @@ optional_policy(` > > > > ?') > > > > ? > > > > ?optional_policy(` > > > > + telepathy_mission_control_dbus_chat(wm_domain) > > > > +') > > > > + > > > > +optional_policy(` > > > > ? userhelper_exec_consolehelper(wm_domain) > > > > ?') > > > > diff -pruN refpolicy-git-07122016- > > > > orig/policy/modules/roles/staff.te refpolicy-git- > > > > 07122016/policy/modules/roles/staff.te > > > > --- refpolicy-git-07122016-orig/policy/modules/roles/staff.te > > > > 2016-12-07 13:39:08.669449296 +0100 > > > > +++ refpolicy-git-07122016/policy/modules/roles/staff.te > > > > 201 > > > > 6-12-08 15:47:40.140741170 +0100 > > > > @@ -85,6 +85,7 @@ ifndef(`distro_redhat',` > > > > ? > > > > ? optional_policy(` > > > > ? gnome_role_template(staff, staff_r, > > > > staff_t) > > > > + wm_role_template(staff, staff_r, > > > > staff_t) > > > > ? ') > > > > ? > > > > ? optional_policy(` > > > > diff -pruN refpolicy-git-07122016- > > > > orig/policy/modules/roles/sysadm.te refpolicy-git- > > > > 07122016/policy/modules/roles/sysadm.te > > > > --- refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te > > > > 2016-12-07 13:39:08.669449296 +0100 > > > > +++ refpolicy-git-07122016/policy/modules/roles/sysadm.te > > > > 20 > > > > 16-12-08 15:47:40.141741187 +0100 > > > > @@ -1245,6 +1245,7 @@ ifndef(`distro_redhat',` > > > > ? > > > > ? optional_policy(` > > > > ? gnome_role_template(sysadm, sysadm_r, > > > > sysadm_t) > > > > + wm_role_template(sysadm, sysadm_r, > > > > sysadm_t) > > > > ? ') > > > > ? ') > > > > ? > > > > diff -pruN refpolicy-git-07122016- > > > > orig/policy/modules/roles/unprivuser.te refpolicy-git- > > > > 07122016/policy/modules/roles/unprivuser.te > > > > --- refpolicy-git-07122016- > > > > orig/policy/modules/roles/unprivuser.te > > > > 2016-12-07 13:39:08.669449296 +0100 > > > > +++ refpolicy-git-07122016/policy/modules/roles/unprivuser.te > > > > 2016-12-08 15:47:40.141741187 +0100 > > > > @@ -54,6 +54,7 @@ ifndef(`distro_redhat',` > > > > ? > > > > ? optional_policy(` > > > > ? gnome_role_template(user, user_r, > > > > user_t) > > > > + wm_role_template(user, user_r, user_t) > > > > ? ') > > > > ? > > > > ? optional_policy(` Guido ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH v3] wm: update the window manager (wm) module and enable its role template 2016-12-08 17:20 ` [refpolicy] [PATCH v2] " Guido Trentalancia 2016-12-08 17:51 ` Dominick Grift @ 2016-12-09 22:21 ` Guido Trentalancia 2016-12-11 20:04 ` Chris PeBenito ` (5 more replies) 1 sibling, 6 replies; 47+ messages in thread From: Guido Trentalancia @ 2016-12-09 22:21 UTC (permalink / raw) To: refpolicy Enable the window manager role (wm contrib module) and update the module to work with gnome-shell. This second version introduces better integration with common desktop applications and requires the following recently posted patch for the games module: [PATCH v3 1/2] games: general update and improved pulseaudio integration http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html This patch might need some more testing (I have received no feedback yet). Signed-off-by: Guido Trentalancia <guido@trentalancia.net> --- policy/modules/contrib/wm.if | 42 ++++++++++++++++++++ policy/modules/contrib/wm.te | 75 ++++++++++++++++++++++++++++++++++++- policy/modules/roles/staff.te | 1 policy/modules/roles/sysadm.te | 1 policy/modules/roles/unprivuser.te | 1 5 files changed, 119 insertions(+), 1 deletion(-) diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.if refpolicy-git-07122016/policy/modules/contrib/wm.if --- refpolicy-git-07122016-orig/policy/modules/contrib/wm.if 2016-08-14 21:28:11.597521187 +0200 +++ refpolicy-git-07122016/policy/modules/contrib/wm.if 2016-12-09 22:40:06.077448696 +0100 @@ -47,6 +47,8 @@ template(`wm_role_template',` # Policy # + allow $3 $1_wm_t:fd use; + allow $1_wm_t $3:unix_stream_socket connectto; allow $3 $1_wm_t:unix_stream_socket connectto; @@ -72,6 +74,7 @@ template(`wm_role_template',` xserver_manage_core_devices($1_wm_t) optional_policy(` + dbus_connect_spec_session_bus($1, $1_wm_t) dbus_spec_session_bus_client($1, $1_wm_t) dbus_system_bus_client($1_wm_t) @@ -81,6 +84,7 @@ template(`wm_role_template',` ') optional_policy(` + gnome_dbus_chat_gkeyringd($1, $1_wm_t) gnome_stream_connect_gkeyringd($1, $1_wm_t) ') @@ -134,3 +138,41 @@ interface(`wm_dbus_chat',` allow $2 $1_wm_t:dbus send_msg; allow $1_wm_t $2:dbus send_msg; ') + +######################################## +## <summary> +## Do not audit attempts to execute +## files in temporary directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`wm_dontaudit_exec_tmp_files',` + gen_require(` + type wm_tmp_t; + ') + + dontaudit $1 wm_tmp_t:file exec_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to execute +## files in temporary filesystems. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`wm_dontaudit_exec_tmpfs_files',` + gen_require(` + type wm_tmpfs_t; + ') + + dontaudit $1 wm_tmpfs_t:file exec_file_perms; +') diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.te refpolicy-git-07122016/policy/modules/contrib/wm.te --- refpolicy-git-07122016-orig/policy/modules/contrib/wm.te 2016-10-29 16:29:19.762328008 +0200 +++ refpolicy-git-07122016/policy/modules/contrib/wm.te 2016-12-09 23:02:20.296031215 +0100 @@ -10,6 +10,18 @@ attribute wm_domain; type wm_exec_t; corecmd_executable_file(wm_exec_t) +type wm_tmp_t; +typealias wm_tmp_t alias { user_wm_tmp_t staff_wm_tmp_t sysadm_wm_tmp_t }; +userdom_user_tmp_file(wm_tmp_t) + +type wm_tmpfs_t; +typealias wm_tmpfs_t alias { user_wm_tmpfs_t staff_wm_tmpfs_t sysadm_wm_tmpfs_t }; +userdom_user_tmpfs_file(wm_tmpfs_t) + +optional_policy(` + pulseaudio_tmpfs_content(wm_tmpfs_t) +') + ######################################## # # Common wm domain local policy @@ -21,31 +33,60 @@ allow wm_domain self:netlink_kobject_uev allow wm_domain self:shm create_shm_perms; allow wm_domain self:unix_dgram_socket create_socket_perms; +manage_dirs_pattern(wm_domain, wm_tmp_t, wm_tmp_t) +manage_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t) +manage_lnk_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t) +files_tmp_filetrans(wm_domain, wm_tmp_t, { dir file lnk_file }) + +manage_dirs_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) +manage_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) +manage_lnk_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) +fs_tmpfs_filetrans(wm_domain, wm_tmpfs_t, { dir file lnk_file }) + +can_exec(wm_domain, wm_exec_t) + kernel_read_system_state(wm_domain) corecmd_getattr_all_executables(wm_domain) +dev_read_rand(wm_domain) dev_read_sound(wm_domain) dev_read_sysfs(wm_domain) dev_read_urand(wm_domain) +dev_rw_dri(wm_domain) dev_rw_wireless(wm_domain) dev_write_sound(wm_domain) +files_read_etc_runtime_files(wm_domain) files_read_usr_files(wm_domain) fs_getattr_all_fs(wm_domain) +kernel_read_fs_sysctls(wm_domain) +kernel_read_proc_symlinks(wm_domain) +kernel_read_sysctl(wm_domain) + miscfiles_read_fonts(wm_domain) +miscfiles_read_generic_certs(wm_domain) miscfiles_read_localization(wm_domain) +udev_read_pid_files(wm_domain) + +# this is needed by gnome-shell +userdom_exec_user_home_content_files(wm_domain) + userdom_manage_user_tmp_sockets(wm_domain) userdom_tmp_filetrans_user_tmp(wm_domain, sock_file) userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file) userdom_manage_user_home_content_dirs(wm_domain) userdom_manage_user_home_content_files(wm_domain) + userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file }) +wm_dontaudit_exec_tmp_files(wm_domain) +wm_dontaudit_exec_tmpfs_files(wm_domain) + optional_policy(` accountsd_dbus_chat(wm_domain) ') @@ -55,10 +96,42 @@ optional_policy(` ') optional_policy(` + consolekit_dbus_chat(wm_domain) +') + +optional_policy(` devicekit_dbus_chat_power(wm_domain) ') optional_policy(` + evolution_dbus_chat(wm_domain) + evolution_alarm_dbus_chat(wm_domain) + evolution_domtrans(wm_domain) +') + +optional_policy(` + games_dbus_chat(wm_domain) + games_domtrans(wm_domain) +') + +optional_policy(` + java_domtrans(wm_domain) +') + +optional_policy(` + mono_domtrans(wm_domain) +') + +optional_policy(` + mozilla_domtrans(wm_domain) + mozilla_dbus_chat(wm_domain) +') + +optional_policy(` + mplayer_domtrans(wm_domain) +') + +optional_policy(` networkmanager_dbus_chat(wm_domain) ') @@ -67,7 +140,7 @@ optional_policy(` ') optional_policy(` - pulseaudio_stream_connect(wm_domain) + telepathy_mission_control_dbus_chat(wm_domain) ') optional_policy(` diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/staff.te refpolicy-git-07122016/policy/modules/roles/staff.te --- refpolicy-git-07122016-orig/policy/modules/roles/staff.te 2016-12-07 13:39:08.669449296 +0100 +++ refpolicy-git-07122016/policy/modules/roles/staff.te 2016-12-08 22:25:26.327711806 +0100 @@ -85,6 +85,7 @@ ifndef(`distro_redhat',` optional_policy(` gnome_role_template(staff, staff_r, staff_t) + wm_role_template(staff, staff_r, staff_t) ') optional_policy(` diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te refpolicy-git-07122016/policy/modules/roles/sysadm.te --- refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te 2016-12-07 13:39:08.669449296 +0100 +++ refpolicy-git-07122016/policy/modules/roles/sysadm.te 2016-12-08 22:25:26.343712120 +0100 @@ -1245,6 +1245,7 @@ ifndef(`distro_redhat',` optional_policy(` gnome_role_template(sysadm, sysadm_r, sysadm_t) + wm_role_template(sysadm, sysadm_r, sysadm_t) ') ') diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te refpolicy-git-07122016/policy/modules/roles/unprivuser.te --- refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te 2016-12-07 13:39:08.669449296 +0100 +++ refpolicy-git-07122016/policy/modules/roles/unprivuser.te 2016-12-08 22:25:26.344712139 +0100 @@ -54,6 +54,7 @@ ifndef(`distro_redhat',` optional_policy(` gnome_role_template(user, user_r, user_t) + wm_role_template(user, user_r, user_t) ') optional_policy(` ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH v3] wm: update the window manager (wm) module and enable its role template 2016-12-09 22:21 ` [refpolicy] [PATCH v3] " Guido Trentalancia @ 2016-12-11 20:04 ` Chris PeBenito 2016-12-11 20:13 ` Guido Trentalancia 2016-12-14 0:48 ` [refpolicy] [PATCH 1/5] wm: update the window manager (wm) module and enable its role template (v4) Guido Trentalancia ` (4 subsequent siblings) 5 siblings, 1 reply; 47+ messages in thread From: Chris PeBenito @ 2016-12-11 20:04 UTC (permalink / raw) To: refpolicy On 12/09/16 17:21, Guido Trentalancia via refpolicy wrote: > Enable the window manager role (wm contrib module) and update > the module to work with gnome-shell. > > This second version introduces better integration with common > desktop applications and requires the following recently posted > patch for the games module: > > [PATCH v3 1/2] games: general update and improved pulseaudio integration > http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html > > This patch might need some more testing (I have received no > feedback yet). > > Signed-off-by: Guido Trentalancia <guido@trentalancia.net> > --- > policy/modules/contrib/wm.if | 42 ++++++++++++++++++++ > policy/modules/contrib/wm.te | 75 ++++++++++++++++++++++++++++++++++++- > policy/modules/roles/staff.te | 1 > policy/modules/roles/sysadm.te | 1 > policy/modules/roles/unprivuser.te | 1 > 5 files changed, 119 insertions(+), 1 deletion(-) [...] > diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/staff.te refpolicy-git-07122016/policy/modules/roles/staff.te > --- refpolicy-git-07122016-orig/policy/modules/roles/staff.te 2016-12-07 13:39:08.669449296 +0100 > +++ refpolicy-git-07122016/policy/modules/roles/staff.te 2016-12-08 22:25:26.327711806 +0100 > @@ -85,6 +85,7 @@ ifndef(`distro_redhat',` > > optional_policy(` > gnome_role_template(staff, staff_r, staff_t) > + wm_role_template(staff, staff_r, staff_t) > ') > > optional_policy(` > diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te refpolicy-git-07122016/policy/modules/roles/sysadm.te > --- refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te 2016-12-07 13:39:08.669449296 +0100 > +++ refpolicy-git-07122016/policy/modules/roles/sysadm.te 2016-12-08 22:25:26.343712120 +0100 > @@ -1245,6 +1245,7 @@ ifndef(`distro_redhat',` > > optional_policy(` > gnome_role_template(sysadm, sysadm_r, sysadm_t) > + wm_role_template(sysadm, sysadm_r, sysadm_t) > ') > ') > > diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te refpolicy-git-07122016/policy/modules/roles/unprivuser.te > --- refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te 2016-12-07 13:39:08.669449296 +0100 > +++ refpolicy-git-07122016/policy/modules/roles/unprivuser.te 2016-12-08 22:25:26.344712139 +0100 > @@ -54,6 +54,7 @@ ifndef(`distro_redhat',` > > optional_policy(` > gnome_role_template(user, user_r, user_t) > + wm_role_template(user, user_r, user_t) > ') So this change is essentially saying is you can't use the gnome policy without the wm module. Is that really the case? It seems like they would be separate optionals. -- Chris PeBenito ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH v3] wm: update the window manager (wm) module and enable its role template 2016-12-11 20:04 ` Chris PeBenito @ 2016-12-11 20:13 ` Guido Trentalancia 2016-12-11 20:47 ` Chris PeBenito 0 siblings, 1 reply; 47+ messages in thread From: Guido Trentalancia @ 2016-12-11 20:13 UTC (permalink / raw) To: refpolicy On Sun, 11/12/2016 at 15.04 -0500, Chris PeBenito wrote: > On 12/09/16 17:21, Guido Trentalancia via refpolicy wrote: > > > > Enable the window manager role (wm contrib module) and update > > the module to work with gnome-shell. > > > > This second version introduces better integration with common > > desktop applications and requires the following recently posted > > patch for the games module: > > > > [PATCH v3 1/2] games: general update and improved pulseaudio > > integration > > http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html > > > > This patch might need some more testing (I have received no > > feedback yet). > > > > Signed-off-by: Guido Trentalancia <guido@trentalancia.net> > > --- > > ?policy/modules/contrib/wm.if???????|???42 ++++++++++++++++++++ > > ?policy/modules/contrib/wm.te???????|???75 > > ++++++++++++++++++++++++++++++++++++- > > ?policy/modules/roles/staff.te??????|????1 > > ?policy/modules/roles/sysadm.te?????|????1 > > ?policy/modules/roles/unprivuser.te |????1 > > ?5 files changed, 119 insertions(+), 1 deletion(-) > > [...] > > > > > diff -pruN refpolicy-git-07122016- > > orig/policy/modules/roles/staff.te refpolicy-git- > > 07122016/policy/modules/roles/staff.te > > --- refpolicy-git-07122016-orig/policy/modules/roles/staff.te > > 2016-12-07 13:39:08.669449296 +0100 > > +++ refpolicy-git-07122016/policy/modules/roles/staff.te 201 > > 6-12-08 22:25:26.327711806 +0100 > > @@ -85,6 +85,7 @@ ifndef(`distro_redhat',` > > > > ? optional_policy(` > > ? gnome_role_template(staff, staff_r, > > staff_t) > > + wm_role_template(staff, staff_r, staff_t) > > ? ') > > > > ? optional_policy(` > > diff -pruN refpolicy-git-07122016- > > orig/policy/modules/roles/sysadm.te refpolicy-git- > > 07122016/policy/modules/roles/sysadm.te > > --- refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te > > 2016-12-07 13:39:08.669449296 +0100 > > +++ refpolicy-git-07122016/policy/modules/roles/sysadm.te 20 > > 16-12-08 22:25:26.343712120 +0100 > > @@ -1245,6 +1245,7 @@ ifndef(`distro_redhat',` > > > > ? optional_policy(` > > ? gnome_role_template(sysadm, sysadm_r, > > sysadm_t) > > + wm_role_template(sysadm, sysadm_r, > > sysadm_t) > > ? ') > > ? ') > > > > diff -pruN refpolicy-git-07122016- > > orig/policy/modules/roles/unprivuser.te refpolicy-git- > > 07122016/policy/modules/roles/unprivuser.te > > --- refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te > > 2016-12-07 13:39:08.669449296 +0100 > > +++ refpolicy-git-07122016/policy/modules/roles/unprivuser.te > > 2016-12-08 22:25:26.344712139 +0100 > > @@ -54,6 +54,7 @@ ifndef(`distro_redhat',` > > > > ? optional_policy(` > > ? gnome_role_template(user, user_r, user_t) > > + wm_role_template(user, user_r, user_t) > > ? ') > > So this change is essentially saying is you can't use the gnome > policy? > without the wm module.??Is that really the case???It seems like they? > would be separate optionals. It's preferable to have a confined window manager, instead of one running in the user domain and that is therefore more easily exploited. That's the meaning of this patch. However, I understand we should make sure it works with all window managers, so I am actually seeking help to test it with window managers other than gnome-shell. Because at the moment, the patch is only tested with gnome-shell (to be honest, not even with gnome-panel/metacity because of a lack of time), I do not suggest (yet) making them separate optionals. That would mandate a confined window manager even for setups that have not been tested yet. Regards, Guido ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH v3] wm: update the window manager (wm) module and enable its role template 2016-12-11 20:13 ` Guido Trentalancia @ 2016-12-11 20:47 ` Chris PeBenito 2016-12-11 21:56 ` Guido Trentalancia 0 siblings, 1 reply; 47+ messages in thread From: Chris PeBenito @ 2016-12-11 20:47 UTC (permalink / raw) To: refpolicy On 12/11/16 15:13, Guido Trentalancia via refpolicy wrote: > On Sun, 11/12/2016 at 15.04 -0500, Chris PeBenito wrote: >> On 12/09/16 17:21, Guido Trentalancia via refpolicy wrote: >>> >>> Enable the window manager role (wm contrib module) and update >>> the module to work with gnome-shell. >>> >>> This second version introduces better integration with common >>> desktop applications and requires the following recently posted >>> patch for the games module: >>> >>> [PATCH v3 1/2] games: general update and improved pulseaudio >>> integration >>> http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html >>> >>> This patch might need some more testing (I have received no >>> feedback yet). >>> >>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net> >>> --- >>> policy/modules/contrib/wm.if | 42 ++++++++++++++++++++ >>> policy/modules/contrib/wm.te | 75 >>> ++++++++++++++++++++++++++++++++++++- >>> policy/modules/roles/staff.te | 1 >>> policy/modules/roles/sysadm.te | 1 >>> policy/modules/roles/unprivuser.te | 1 >>> 5 files changed, 119 insertions(+), 1 deletion(-) >> >> [...] >> >>> >>> diff -pruN refpolicy-git-07122016- >>> orig/policy/modules/roles/staff.te refpolicy-git- >>> 07122016/policy/modules/roles/staff.te >>> --- refpolicy-git-07122016-orig/policy/modules/roles/staff.te >>> 2016-12-07 13:39:08.669449296 +0100 >>> +++ refpolicy-git-07122016/policy/modules/roles/staff.te 201 >>> 6-12-08 22:25:26.327711806 +0100 >>> @@ -85,6 +85,7 @@ ifndef(`distro_redhat',` >>> >>> optional_policy(` >>> gnome_role_template(staff, staff_r, >>> staff_t) >>> + wm_role_template(staff, staff_r, staff_t) >>> ') >>> >>> optional_policy(` >>> diff -pruN refpolicy-git-07122016- >>> orig/policy/modules/roles/sysadm.te refpolicy-git- >>> 07122016/policy/modules/roles/sysadm.te >>> --- refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te >>> 2016-12-07 13:39:08.669449296 +0100 >>> +++ refpolicy-git-07122016/policy/modules/roles/sysadm.te 20 >>> 16-12-08 22:25:26.343712120 +0100 >>> @@ -1245,6 +1245,7 @@ ifndef(`distro_redhat',` >>> >>> optional_policy(` >>> gnome_role_template(sysadm, sysadm_r, >>> sysadm_t) >>> + wm_role_template(sysadm, sysadm_r, >>> sysadm_t) >>> ') >>> ') >>> >>> diff -pruN refpolicy-git-07122016- >>> orig/policy/modules/roles/unprivuser.te refpolicy-git- >>> 07122016/policy/modules/roles/unprivuser.te >>> --- refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te >>> 2016-12-07 13:39:08.669449296 +0100 >>> +++ refpolicy-git-07122016/policy/modules/roles/unprivuser.te >>> 2016-12-08 22:25:26.344712139 +0100 >>> @@ -54,6 +54,7 @@ ifndef(`distro_redhat',` >>> >>> optional_policy(` >>> gnome_role_template(user, user_r, user_t) >>> + wm_role_template(user, user_r, user_t) >>> ') >> >> So this change is essentially saying is you can't use the gnome >> policy >> without the wm module. Is that really the case? It seems like they >> would be separate optionals. > > It's preferable to have a confined window manager, instead of one In this case, I'd emphasize "preferable" here. It's not for everyone. > running in the user domain and that is therefore more easily exploited. > > That's the meaning of this patch. > > However, I understand we should make sure it works with all window > managers, so I am actually seeking help to test it with window managers > other than gnome-shell. > > Because at the moment, the patch is only tested with gnome-shell (to be > honest, not even with gnome-panel/metacity because of a lack of time), > I do not suggest (yet) making them separate optionals. That would > mandate a confined window manager even for setups that have not been > tested yet. I don't understand how making separate optionals mandates a confined window manager. It does the reverse. -- Chris PeBenito ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH v3] wm: update the window manager (wm) module and enable its role template 2016-12-11 20:47 ` Chris PeBenito @ 2016-12-11 21:56 ` Guido Trentalancia 2016-12-12 2:35 ` Luis Ressel 0 siblings, 1 reply; 47+ messages in thread From: Guido Trentalancia @ 2016-12-11 21:56 UTC (permalink / raw) To: refpolicy On Sun, 11/12/2016 at 15.47 -0500, Chris PeBenito wrote: > On 12/11/16 15:13, Guido Trentalancia via refpolicy wrote: > > > > On Sun, 11/12/2016 at 15.04 -0500, Chris PeBenito wrote: > > > > > > On 12/09/16 17:21, Guido Trentalancia via refpolicy wrote: > > > > > > > > > > > > Enable the window manager role (wm contrib module) and update > > > > the module to work with gnome-shell. > > > > > > > > This second version introduces better integration with common > > > > desktop applications and requires the following recently posted > > > > patch for the games module: > > > > > > > > [PATCH v3 1/2] games: general update and improved pulseaudio > > > > integration > > > > http://oss.tresys.com/pipermail/refpolicy/2016-December/008679. > > > > html > > > > > > > > This patch might need some more testing (I have received no > > > > feedback yet). > > > > > > > > Signed-off-by: Guido Trentalancia <guido@trentalancia.net> > > > > --- > > > > ?policy/modules/contrib/wm.if???????|???42 ++++++++++++++++++++ > > > > ?policy/modules/contrib/wm.te???????|???75 > > > > ++++++++++++++++++++++++++++++++++++- > > > > ?policy/modules/roles/staff.te??????|????1 > > > > ?policy/modules/roles/sysadm.te?????|????1 > > > > ?policy/modules/roles/unprivuser.te |????1 > > > > ?5 files changed, 119 insertions(+), 1 deletion(-) > > > > > > [...] > > > > > > > > > > > > > > > diff -pruN refpolicy-git-07122016- > > > > orig/policy/modules/roles/staff.te refpolicy-git- > > > > 07122016/policy/modules/roles/staff.te > > > > --- refpolicy-git-07122016-orig/policy/modules/roles/staff.te > > > > 2016-12-07 13:39:08.669449296 +0100 > > > > +++ refpolicy-git-07122016/policy/modules/roles/staff.te > > > > 201 > > > > 6-12-08 22:25:26.327711806 +0100 > > > > @@ -85,6 +85,7 @@ ifndef(`distro_redhat',` > > > > > > > > ? optional_policy(` > > > > ? gnome_role_template(staff, staff_r, > > > > staff_t) > > > > + wm_role_template(staff, staff_r, > > > > staff_t) > > > > ? ') > > > > > > > > ? optional_policy(` > > > > diff -pruN refpolicy-git-07122016- > > > > orig/policy/modules/roles/sysadm.te refpolicy-git- > > > > 07122016/policy/modules/roles/sysadm.te > > > > --- refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te > > > > 2016-12-07 13:39:08.669449296 +0100 > > > > +++ refpolicy-git-07122016/policy/modules/roles/sysadm.te > > > > 20 > > > > 16-12-08 22:25:26.343712120 +0100 > > > > @@ -1245,6 +1245,7 @@ ifndef(`distro_redhat',` > > > > > > > > ? optional_policy(` > > > > ? gnome_role_template(sysadm, sysadm_r, > > > > sysadm_t) > > > > + wm_role_template(sysadm, sysadm_r, > > > > sysadm_t) > > > > ? ') > > > > ? ') > > > > > > > > diff -pruN refpolicy-git-07122016- > > > > orig/policy/modules/roles/unprivuser.te refpolicy-git- > > > > 07122016/policy/modules/roles/unprivuser.te > > > > --- refpolicy-git-07122016- > > > > orig/policy/modules/roles/unprivuser.te > > > > 2016-12-07 13:39:08.669449296 +0100 > > > > +++ refpolicy-git-07122016/policy/modules/roles/unprivuser.te > > > > 2016-12-08 22:25:26.344712139 +0100 > > > > @@ -54,6 +54,7 @@ ifndef(`distro_redhat',` > > > > > > > > ? optional_policy(` > > > > ? gnome_role_template(user, user_r, > > > > user_t) > > > > + wm_role_template(user, user_r, user_t) > > > > ? ') > > > > > > So this change is essentially saying is you can't use the gnome > > > policy > > > without the wm module.??Is that really the case???It seems like > > > they > > > would be separate optionals. > > > > It's preferable to have a confined window manager, instead of one > > In this case, I'd emphasize "preferable" here.??It's not for > everyone. > > > > > running in the user domain and that is therefore more easily > > exploited. > > > > That's the meaning of this patch. > ?> > > > > However, I understand we should make sure it works with all window > > managers, so I am actually seeking help to test it with window > > managers > > other than gnome-shell. > > > > Because at the moment, the patch is only tested with gnome-shell > > (to be > > honest, not even with gnome-panel/metacity because of a lack of > > time), > > I do not suggest (yet) making them separate optionals. That would > > mandate a confined window manager even for setups that have not > > been > > tested yet. > > I don't understand how making separate optionals mandates a confined? > window manager.??It does the reverse. As it is, the wm role should be enabled only if the dbus and gnome modules are loaded. Similarly, as it is, the gnome role should be enabled only if the dbus and the wm module are loaded. In particular, because the wm role has not been tested without gnome, it is currently enabled only in combination with the gnome role. Regards, Guido ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH v3] wm: update the window manager (wm) module and enable its role template 2016-12-11 21:56 ` Guido Trentalancia @ 2016-12-12 2:35 ` Luis Ressel 0 siblings, 0 replies; 47+ messages in thread From: Luis Ressel @ 2016-12-12 2:35 UTC (permalink / raw) To: refpolicy On Sun, 11 Dec 2016 22:56:03 +0100 Guido Trentalancia via refpolicy <refpolicy@oss.tresys.com> wrote: > > I don't understand how making separate optionals mandates a > > confined window manager.??It does the reverse. > > As it is, the wm role should be enabled only if the dbus and gnome > modules are loaded. I agree with both of you here. :) Ideally, we would do " optional_policy gnome... optional_policy wm... " but AFAIK, that's not possible. Therefore, I'd suggest we use Chris' option (two separate optional_policy blocks) and just recommend (out-of-band) not to use wm without gnome in its present state. This has two added benefits: * Makes it easier for gnome folks *not* to use the wm module, in case it's still lacking some required permissions. * Makes it easier for non-gnome folks to test the wm module. Regards, Luis Ressel ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH 1/5] wm: update the window manager (wm) module and enable its role template (v4) 2016-12-09 22:21 ` [refpolicy] [PATCH v3] " Guido Trentalancia 2016-12-11 20:04 ` Chris PeBenito @ 2016-12-14 0:48 ` Guido Trentalancia 2016-12-14 1:54 ` [refpolicy] [PATCH v2 1/5] wm: update the window manager (wm) module and enable its role template (v5) Guido Trentalancia 2016-12-14 0:48 ` [refpolicy] [PATCH 2/5] userdomain: separate optional conditionals for gnome and wm role templates Guido Trentalancia ` (3 subsequent siblings) 5 siblings, 1 reply; 47+ messages in thread From: Guido Trentalancia @ 2016-12-14 0:48 UTC (permalink / raw) To: refpolicy Enable the window manager role (wm contrib module) and update the module to work with gnome-shell. This patch requires the following recently posted patch for the games module: [PATCH v3 1/2] games: general update and improved pulseaudio integration http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html This patch needs some more testing (it has only been minimally tested with gnome-shell running in normal mode, i.e. not in gdm mode). In particular, it might break the current functioning of systems employing gnome-shell and gdm. Patches 3/5, 4/5 and 5/5 might be needed when gnome-shell is used in conjunction with gdm (untested, might require further permissions). Since the window managers are not limited by gnome-shell, this latter version of the patch (along with part 2/5) uses separate optional conditionals for the gnome and wm role templates. Signed-off-by: Guido Trentalancia <guido@trentalancia.net> --- policy/modules/contrib/wm.if | 43 +++++++++++++++++- policy/modules/contrib/wm.te | 88 ++++++++++++++++++++++++++++++++++++- policy/modules/roles/staff.te | 8 ++- policy/modules/roles/sysadm.te | 4 + policy/modules/roles/unprivuser.te | 8 ++- 5 files changed, 145 insertions(+), 6 deletions(-) diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.if refpolicy-git-07122016/policy/modules/contrib/wm.if --- refpolicy-git-07122016-orig/policy/modules/contrib/wm.if 2016-08-14 21:28:11.597521187 +0200 +++ refpolicy-git-07122016/policy/modules/contrib/wm.if 2016-12-13 22:53:54.445212825 +0100 @@ -47,6 +47,8 @@ template(`wm_role_template',` # Policy # + allow $3 $1_wm_t:fd use; + allow $1_wm_t $3:unix_stream_socket connectto; allow $3 $1_wm_t:unix_stream_socket connectto; @@ -72,6 +74,7 @@ template(`wm_role_template',` xserver_manage_core_devices($1_wm_t) optional_policy(` + dbus_connect_spec_session_bus($1, $1_wm_t) dbus_spec_session_bus_client($1, $1_wm_t) dbus_system_bus_client($1_wm_t) @@ -81,7 +84,7 @@ template(`wm_role_template',` ') optional_policy(` - gnome_stream_connect_gkeyringd($1, $1_wm_t) + gnome_stream_connect_all_gkeyringd($1_wm_t) ') optional_policy(` @@ -134,3 +137,41 @@ interface(`wm_dbus_chat',` allow $2 $1_wm_t:dbus send_msg; allow $1_wm_t $2:dbus send_msg; ') + +######################################## +## <summary> +## Do not audit attempts to execute +## files in temporary directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`wm_dontaudit_exec_tmp_files',` + gen_require(` + type wm_tmp_t; + ') + + dontaudit $1 wm_tmp_t:file exec_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to execute +## files in temporary filesystems. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`wm_dontaudit_exec_tmpfs_files',` + gen_require(` + type wm_tmpfs_t; + ') + + dontaudit $1 wm_tmpfs_t:file exec_file_perms; +') diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.te refpolicy-git-07122016/policy/modules/contrib/wm.te --- refpolicy-git-07122016-orig/policy/modules/contrib/wm.te 2016-10-29 16:29:19.762328008 +0200 +++ refpolicy-git-07122016/policy/modules/contrib/wm.te 2016-12-13 00:34:34.876856837 +0100 @@ -10,6 +10,18 @@ attribute wm_domain; type wm_exec_t; corecmd_executable_file(wm_exec_t) +type wm_tmp_t; +typealias wm_tmp_t alias { user_wm_tmp_t staff_wm_tmp_t sysadm_wm_tmp_t }; +userdom_user_tmp_file(wm_tmp_t) + +type wm_tmpfs_t; +typealias wm_tmpfs_t alias { user_wm_tmpfs_t staff_wm_tmpfs_t sysadm_wm_tmpfs_t }; +userdom_user_tmpfs_file(wm_tmpfs_t) + +optional_policy(` + pulseaudio_tmpfs_content(wm_tmpfs_t) +') + ######################################## # # Common wm domain local policy @@ -21,31 +33,60 @@ allow wm_domain self:netlink_kobject_uev allow wm_domain self:shm create_shm_perms; allow wm_domain self:unix_dgram_socket create_socket_perms; +manage_dirs_pattern(wm_domain, wm_tmp_t, wm_tmp_t) +manage_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t) +manage_lnk_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t) +files_tmp_filetrans(wm_domain, wm_tmp_t, { dir file lnk_file }) + +manage_dirs_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) +manage_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) +manage_lnk_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) +fs_tmpfs_filetrans(wm_domain, wm_tmpfs_t, { dir file lnk_file }) + +can_exec(wm_domain, wm_exec_t) + kernel_read_system_state(wm_domain) corecmd_getattr_all_executables(wm_domain) +dev_read_rand(wm_domain) dev_read_sound(wm_domain) dev_read_sysfs(wm_domain) dev_read_urand(wm_domain) +dev_rw_dri(wm_domain) dev_rw_wireless(wm_domain) dev_write_sound(wm_domain) +files_read_etc_runtime_files(wm_domain) files_read_usr_files(wm_domain) fs_getattr_all_fs(wm_domain) +kernel_read_fs_sysctls(wm_domain) +kernel_read_proc_symlinks(wm_domain) +kernel_read_sysctl(wm_domain) + miscfiles_read_fonts(wm_domain) +miscfiles_read_generic_certs(wm_domain) miscfiles_read_localization(wm_domain) +udev_read_pid_files(wm_domain) + +# this is needed by gnome-shell +userdom_exec_user_home_content_files(wm_domain) + userdom_manage_user_tmp_sockets(wm_domain) userdom_tmp_filetrans_user_tmp(wm_domain, sock_file) userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file) userdom_manage_user_home_content_dirs(wm_domain) userdom_manage_user_home_content_files(wm_domain) + userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file }) +wm_dontaudit_exec_tmp_files(wm_domain) +wm_dontaudit_exec_tmpfs_files(wm_domain) + optional_policy(` accountsd_dbus_chat(wm_domain) ') @@ -55,10 +96,51 @@ optional_policy(` ') optional_policy(` + consolekit_dbus_chat(wm_domain) +') + +optional_policy(` devicekit_dbus_chat_power(wm_domain) ') optional_policy(` + evolution_domtrans(wm_domain) + + optional_policy(` + evolution_dbus_chat(wm_domain) + evolution_alarm_dbus_chat(wm_domain) + ') +') + +optional_policy(` + games_domtrans(wm_domain) + + optional_policy(` + games_dbus_chat(wm_domain) + ') +') + +optional_policy(` + java_domtrans(wm_domain) +') + +optional_policy(` + mono_domtrans(wm_domain) +') + +optional_policy(` + mozilla_domtrans(wm_domain) + + optional_policy(` + mozilla_dbus_chat(wm_domain) + ') +') + +optional_policy(` + mplayer_domtrans(wm_domain) +') + +optional_policy(` networkmanager_dbus_chat(wm_domain) ') @@ -67,9 +149,13 @@ optional_policy(` ') optional_policy(` - pulseaudio_stream_connect(wm_domain) + telepathy_mission_control_dbus_chat(wm_domain) ') optional_policy(` userhelper_exec_consolehelper(wm_domain) ') + +optional_policy(` + xserver_dbus_chat_xdm(wm_domain) +') diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/staff.te refpolicy-git-07122016/policy/modules/roles/staff.te --- refpolicy-git-07122016-orig/policy/modules/roles/staff.te 2016-12-07 13:39:08.669449296 +0100 +++ refpolicy-git-07122016/policy/modules/roles/staff.te 2016-12-13 22:45:02.857851229 +0100 @@ -88,11 +88,11 @@ ifndef(`distro_redhat',` ') optional_policy(` - pulseaudio_role(staff_r, staff_t) + telepathy_role_template(staff, staff_r, staff_t) ') optional_policy(` - telepathy_role_template(staff, staff_r, staff_t) + wm_role_template(staff, staff_r, staff_t) ') ') @@ -145,6 +145,10 @@ ifndef(`distro_redhat',` ') optional_policy(` + pulseaudio_role(staff_r, staff_t) + ') + + optional_policy(` pyzor_role(staff_r, staff_t) ') diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te refpolicy-git-07122016/policy/modules/roles/sysadm.te --- refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te 2016-12-07 13:39:08.669449296 +0100 +++ refpolicy-git-07122016/policy/modules/roles/sysadm.te 2016-12-13 22:45:25.577422292 +0100 @@ -1246,6 +1246,10 @@ ifndef(`distro_redhat',` optional_policy(` gnome_role_template(sysadm, sysadm_r, sysadm_t) ') + + optional_policy(` + wm_role_template(sysadm, sysadm_r, sysadm_t) + ') ') optional_policy(` diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te refpolicy-git-07122016/policy/modules/roles/unprivuser.te --- refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te 2016-12-07 13:39:08.669449296 +0100 +++ refpolicy-git-07122016/policy/modules/roles/unprivuser.te 2016-12-13 22:44:50.493540449 +0100 @@ -57,11 +57,11 @@ ifndef(`distro_redhat',` ') optional_policy(` - pulseaudio_role(user_r, user_t) + telepathy_role_template(user, user_r, user_t) ') optional_policy(` - telepathy_role_template(user, user_r, user_t) + wm_role_template(user, user_r, user_t) ') ') @@ -122,6 +122,10 @@ ifndef(`distro_redhat',` ') optional_policy(` + pulseaudio_role(user_r, user_t) + ') + + optional_policy(` pyzor_role(user_r, user_t) ') ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH v2 1/5] wm: update the window manager (wm) module and enable its role template (v5) 2016-12-14 0:48 ` [refpolicy] [PATCH 1/5] wm: update the window manager (wm) module and enable its role template (v4) Guido Trentalancia @ 2016-12-14 1:54 ` Guido Trentalancia [not found] ` <CAPuKSJbhx+9kkU_KK5qX8s6ALknojqTeqmtjrkJR0fkVBn=wWg@mail.gmail.com> 0 siblings, 1 reply; 47+ messages in thread From: Guido Trentalancia @ 2016-12-14 1:54 UTC (permalink / raw) To: refpolicy Enable the window manager role (wm contrib module) and update the module to work with gnome-shell. This patch requires the following recently posted patch for the games module: [PATCH v3 1/2] games: general update and improved pulseaudio integration http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html This patch has received some testing with the following two configurations: - gnome-shell executing in normal mode (with display managers other than gdm, such as xdm from XOrg); - gnome-shell executing in gdm mode (with the Gnome Display Manager). Patches 3/5, 4/5 and 5/5 are needed when gnome-shell is used in conjunction with gdm. Since the window managers are not limited by gnome-shell, this latter version of the patch (along with part 2/5) uses separate optional conditionals for the gnome and wm role templates. Signed-off-by: Guido Trentalancia <guido@trentalancia.net> --- policy/modules/contrib/colord.te | 5 ++ policy/modules/contrib/dbus.te | 5 ++ policy/modules/contrib/wm.if | 43 +++++++++++++++++- policy/modules/contrib/wm.te | 88 ++++++++++++++++++++++++++++++++++++- policy/modules/roles/staff.te | 8 ++- policy/modules/roles/sysadm.te | 4 + policy/modules/roles/unprivuser.te | 8 ++- 7 files changed, 155 insertions(+), 6 deletions(-) diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/colord.te refpolicy-git-07122016/policy/modules/contrib/colord.te --- refpolicy-git-07122016-orig/policy/modules/contrib/colord.te 2016-08-14 21:28:11.468519205 +0200 +++ refpolicy-git-07122016/policy/modules/contrib/colord.te 2016-12-14 02:45:54.815580399 +0100 @@ -137,3 +137,8 @@ optional_policy(` udev_read_db(colord_t) udev_read_pid_files(colord_t) ') + +optional_policy(` + xserver_read_xdm_lib_files(colord_t) + xserver_use_xdm_fds(colord_t) +') diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/dbus.te refpolicy-git-07122016/policy/modules/contrib/dbus.te --- refpolicy-git-07122016-orig/policy/modules/contrib/dbus.te 2016-08-14 21:28:11.477519343 +0200 +++ refpolicy-git-07122016/policy/modules/contrib/dbus.te 2016-12-14 02:24:00.796768671 +0100 @@ -159,6 +159,11 @@ optional_policy(` udev_read_db(system_dbusd_t) ') +optional_policy(` + xserver_read_xdm_lib_files(system_dbusd_t) + xserver_use_xdm_fds(system_dbusd_t) +') + ######################################## # # Common session bus local policy diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.if refpolicy-git-07122016/policy/modules/contrib/wm.if --- refpolicy-git-07122016-orig/policy/modules/contrib/wm.if 2016-12-14 02:24:53.377000472 +0100 +++ refpolicy-git-07122016/policy/modules/contrib/wm.if 2016-12-13 22:53:54.445212825 +0100 @@ -47,6 +47,8 @@ template(`wm_role_template',` # Policy # + allow $3 $1_wm_t:fd use; + allow $1_wm_t $3:unix_stream_socket connectto; allow $3 $1_wm_t:unix_stream_socket connectto; @@ -72,6 +74,7 @@ template(`wm_role_template',` xserver_manage_core_devices($1_wm_t) optional_policy(` + dbus_connect_spec_session_bus($1, $1_wm_t) dbus_spec_session_bus_client($1, $1_wm_t) dbus_system_bus_client($1_wm_t) @@ -81,7 +84,7 @@ template(`wm_role_template',` ') optional_policy(` - gnome_stream_connect_gkeyringd($1, $1_wm_t) + gnome_stream_connect_all_gkeyringd($1_wm_t) ') optional_policy(` @@ -134,3 +137,41 @@ interface(`wm_dbus_chat',` allow $2 $1_wm_t:dbus send_msg; allow $1_wm_t $2:dbus send_msg; ') + +######################################## +## <summary> +## Do not audit attempts to execute +## files in temporary directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`wm_dontaudit_exec_tmp_files',` + gen_require(` + type wm_tmp_t; + ') + + dontaudit $1 wm_tmp_t:file exec_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to execute +## files in temporary filesystems. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`wm_dontaudit_exec_tmpfs_files',` + gen_require(` + type wm_tmpfs_t; + ') + + dontaudit $1 wm_tmpfs_t:file exec_file_perms; +') diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.te refpolicy-git-07122016/policy/modules/contrib/wm.te --- refpolicy-git-07122016-orig/policy/modules/contrib/wm.te 2016-12-14 02:24:53.396000918 +0100 +++ refpolicy-git-07122016/policy/modules/contrib/wm.te 2016-12-13 00:34:34.876856837 +0100 @@ -10,6 +10,18 @@ attribute wm_domain; type wm_exec_t; corecmd_executable_file(wm_exec_t) +type wm_tmp_t; +typealias wm_tmp_t alias { user_wm_tmp_t staff_wm_tmp_t sysadm_wm_tmp_t }; +userdom_user_tmp_file(wm_tmp_t) + +type wm_tmpfs_t; +typealias wm_tmpfs_t alias { user_wm_tmpfs_t staff_wm_tmpfs_t sysadm_wm_tmpfs_t }; +userdom_user_tmpfs_file(wm_tmpfs_t) + +optional_policy(` + pulseaudio_tmpfs_content(wm_tmpfs_t) +') + ######################################## # # Common wm domain local policy @@ -21,31 +33,60 @@ allow wm_domain self:netlink_kobject_uev allow wm_domain self:shm create_shm_perms; allow wm_domain self:unix_dgram_socket create_socket_perms; +manage_dirs_pattern(wm_domain, wm_tmp_t, wm_tmp_t) +manage_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t) +manage_lnk_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t) +files_tmp_filetrans(wm_domain, wm_tmp_t, { dir file lnk_file }) + +manage_dirs_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) +manage_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) +manage_lnk_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) +fs_tmpfs_filetrans(wm_domain, wm_tmpfs_t, { dir file lnk_file }) + +can_exec(wm_domain, wm_exec_t) + kernel_read_system_state(wm_domain) corecmd_getattr_all_executables(wm_domain) +dev_read_rand(wm_domain) dev_read_sound(wm_domain) dev_read_sysfs(wm_domain) dev_read_urand(wm_domain) +dev_rw_dri(wm_domain) dev_rw_wireless(wm_domain) dev_write_sound(wm_domain) +files_read_etc_runtime_files(wm_domain) files_read_usr_files(wm_domain) fs_getattr_all_fs(wm_domain) +kernel_read_fs_sysctls(wm_domain) +kernel_read_proc_symlinks(wm_domain) +kernel_read_sysctl(wm_domain) + miscfiles_read_fonts(wm_domain) +miscfiles_read_generic_certs(wm_domain) miscfiles_read_localization(wm_domain) +udev_read_pid_files(wm_domain) + +# this is needed by gnome-shell +userdom_exec_user_home_content_files(wm_domain) + userdom_manage_user_tmp_sockets(wm_domain) userdom_tmp_filetrans_user_tmp(wm_domain, sock_file) userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file) userdom_manage_user_home_content_dirs(wm_domain) userdom_manage_user_home_content_files(wm_domain) + userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file }) +wm_dontaudit_exec_tmp_files(wm_domain) +wm_dontaudit_exec_tmpfs_files(wm_domain) + optional_policy(` accountsd_dbus_chat(wm_domain) ') @@ -55,10 +96,51 @@ optional_policy(` ') optional_policy(` + consolekit_dbus_chat(wm_domain) +') + +optional_policy(` devicekit_dbus_chat_power(wm_domain) ') optional_policy(` + evolution_domtrans(wm_domain) + + optional_policy(` + evolution_dbus_chat(wm_domain) + evolution_alarm_dbus_chat(wm_domain) + ') +') + +optional_policy(` + games_domtrans(wm_domain) + + optional_policy(` + games_dbus_chat(wm_domain) + ') +') + +optional_policy(` + java_domtrans(wm_domain) +') + +optional_policy(` + mono_domtrans(wm_domain) +') + +optional_policy(` + mozilla_domtrans(wm_domain) + + optional_policy(` + mozilla_dbus_chat(wm_domain) + ') +') + +optional_policy(` + mplayer_domtrans(wm_domain) +') + +optional_policy(` networkmanager_dbus_chat(wm_domain) ') @@ -67,9 +149,13 @@ optional_policy(` ') optional_policy(` - pulseaudio_stream_connect(wm_domain) + telepathy_mission_control_dbus_chat(wm_domain) ') optional_policy(` userhelper_exec_consolehelper(wm_domain) ') + +optional_policy(` + xserver_dbus_chat_xdm(wm_domain) +') diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/staff.te refpolicy-git-07122016/policy/modules/roles/staff.te --- refpolicy-git-07122016-orig/policy/modules/roles/staff.te 2016-12-14 02:24:53.397000941 +0100 +++ refpolicy-git-07122016/policy/modules/roles/staff.te 2016-12-13 22:45:02.857851229 +0100 @@ -88,11 +88,11 @@ ifndef(`distro_redhat',` ') optional_policy(` - pulseaudio_role(staff_r, staff_t) + telepathy_role_template(staff, staff_r, staff_t) ') optional_policy(` - telepathy_role_template(staff, staff_r, staff_t) + wm_role_template(staff, staff_r, staff_t) ') ') @@ -145,6 +145,10 @@ ifndef(`distro_redhat',` ') optional_policy(` + pulseaudio_role(staff_r, staff_t) + ') + + optional_policy(` pyzor_role(staff_r, staff_t) ') diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te refpolicy-git-07122016/policy/modules/roles/sysadm.te --- refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te 2016-12-14 02:24:53.397000941 +0100 +++ refpolicy-git-07122016/policy/modules/roles/sysadm.te 2016-12-13 22:45:25.577422292 +0100 @@ -1246,6 +1246,10 @@ ifndef(`distro_redhat',` optional_policy(` gnome_role_template(sysadm, sysadm_r, sysadm_t) ') + + optional_policy(` + wm_role_template(sysadm, sysadm_r, sysadm_t) + ') ') optional_policy(` diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te refpolicy-git-07122016/policy/modules/roles/unprivuser.te --- refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te 2016-12-14 02:24:53.398000965 +0100 +++ refpolicy-git-07122016/policy/modules/roles/unprivuser.te 2016-12-13 22:44:50.493540449 +0100 @@ -57,11 +57,11 @@ ifndef(`distro_redhat',` ') optional_policy(` - pulseaudio_role(user_r, user_t) + telepathy_role_template(user, user_r, user_t) ') optional_policy(` - telepathy_role_template(user, user_r, user_t) + wm_role_template(user, user_r, user_t) ') ') @@ -122,6 +122,10 @@ ifndef(`distro_redhat',` ') optional_policy(` + pulseaudio_role(user_r, user_t) + ') + + optional_policy(` pyzor_role(user_r, user_t) ') ^ permalink raw reply [flat|nested] 47+ messages in thread
[parent not found: <CAPuKSJbhx+9kkU_KK5qX8s6ALknojqTeqmtjrkJR0fkVBn=wWg@mail.gmail.com>]
* [refpolicy] [PATCH v2 1/5] wm: update the window manager (wm) module and enable its role template (v5) [not found] ` <CAPuKSJbhx+9kkU_KK5qX8s6ALknojqTeqmtjrkJR0fkVBn=wWg@mail.gmail.com> @ 2016-12-14 13:23 ` Guido Trentalancia 2016-12-14 21:25 ` Chris PeBenito 2016-12-14 14:37 ` [refpolicy] [PATCH v2 1/5] wm: update the window manager (wm) module and enable its role template (v5) Guido Trentalancia 1 sibling, 1 reply; 47+ messages in thread From: Guido Trentalancia @ 2016-12-14 13:23 UTC (permalink / raw) To: refpolicy Hello Jason, you took the list off for this message, I think this is not intentional, so I am bringing the reply back on the list... On Wed, 14/12/2016 at 21.01 +0800, Jason Zaman wrote: > > > On 14 Dec 2016 09:54, "Guido Trentalancia via refpolicy" <refpolicy@o > ss.tresys.com> wrote: > Enable the window manager role (wm contrib module) and update > the module to work with gnome-shell. > > This patch requires the following recently posted patch for the > games module: > > [PATCH v3 1/2] games: general update and improved pulseaudio > integration > http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html > > This patch has received some testing with the following two > configurations: > - gnome-shell executing in normal mode (with display managers > other than gdm, such as xdm from XOrg); > - gnome-shell executing in gdm mode (with the Gnome Display > Manager). > > Patches 3/5, 4/5 and 5/5 are needed when gnome-shell is used > in conjunction with gdm. > > Since the window managers are not limited by gnome-shell, this latter > version of the patch (along with part 2/5) uses separate optional > conditionals for the gnome and wm role templates. > > Signed-off-by: Guido Trentalancia <guido@trentalancia.net> > --- > ?policy/modules/contrib/colord.te? ?|? ? 5 ++ > ?policy/modules/contrib/dbus.te? ? ?|? ? 5 ++ > ?policy/modules/contrib/wm.if? ? ? ?|? ?43 +++++++++++++++++- > ?policy/modules/contrib/wm.te? ? ? ?|? ?88 > ++++++++++++++++++++++++++++++++++++- > ?policy/modules/roles/staff.te? ? ? |? ? 8 ++- > ?policy/modules/roles/sysadm.te? ? ?|? ? 4 + > ?policy/modules/roles/unprivuser.te |? ? 8 ++- > ?7 files changed, 155 insertions(+), 6 deletions(-) > > diff -pruN refpolicy-git-07122016- > orig/policy/modules/contrib/colord.te refpolicy-git- > 07122016/policy/modules/contrib/colord.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/colord.te? ? ? > ? 2016-08-14 21:28:11.468519205 +0200 > +++ refpolicy-git-07122016/policy/modules/contrib/colord.te? ? ?2016- > 12-14 02:45:54.815580399 +0100 > > First off, can you use git format patch and git send email because > refpolicy has contrib as a submodule and the way you've sent it won't > apply.? Yes, I remember, you told me already another time about that, but to be honest I have experienced difficulties in creating patches using git. However, apart from the slightly different formatting, it applies cleanly to the contrib submodule: just use "patch -p1 < name_of_the_patch.patch" > @@ -137,3 +137,8 @@ optional_policy(` > ? ? ? ? udev_read_db(colord_t) > ? ? ? ? udev_read_pid_files(colord_t) > ?') > + > +optional_policy(` > +? ? ? ?xserver_read_xdm_lib_files(colord_t) > +? ? ? ?xserver_use_xdm_fds(colord_t) > +') > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/dbus.te > refpolicy-git-07122016/policy/modules/contrib/dbus.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/dbus.te? 2016- > 08-14 21:28:11.477519343 +0200 > +++ refpolicy-git-07122016/policy/modules/contrib/dbus.te? ? ? ?2016- > 12-14 02:24:00.796768671 +0100 > @@ -159,6 +159,11 @@ optional_policy(` > ? ? ? ? udev_read_db(system_dbusd_t) > ?') > > +optional_policy(` > +? ? ? ?xserver_read_xdm_lib_files(system_dbusd_t) > +? ? ? ?xserver_use_xdm_fds(system_dbusd_t) > +') > + > ?######################################## > ?# > ?# Common session bus local policy > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.if > refpolicy-git-07122016/policy/modules/contrib/wm.if > --- refpolicy-git-07122016-orig/policy/modules/contrib/wm.if? ? 2016- > 12-14 02:24:53.377000472 +0100 > +++ refpolicy-git-07122016/policy/modules/contrib/wm.if 2016-12-13 > 22:53:54.445212825 +0100 > @@ -47,6 +47,8 @@ template(`wm_role_template',` > ? ? ? ? # Policy > ? ? ? ? # > > +? ? ? ?allow $3 $1_wm_t:fd use; > + > ? ? ? ? allow $1_wm_t $3:unix_stream_socket connectto; > ? ? ? ? allow $3 $1_wm_t:unix_stream_socket connectto; > > @@ -72,6 +74,7 @@ template(`wm_role_template',` > ? ? ? ? xserver_manage_core_devices($1_wm_t) > > ? ? ? ? optional_policy(` > +? ? ? ? ? ? ? ?dbus_connect_spec_session_bus($1, $1_wm_t) > ? ? ? ? ? ? ? ? dbus_spec_session_bus_client($1, $1_wm_t) > ? ? ? ? ? ? ? ? dbus_system_bus_client($1_wm_t) > > @@ -81,7 +84,7 @@ template(`wm_role_template',` > ? ? ? ? ') > > ? ? ? ? optional_policy(` > -? ? ? ? ? ? ? ?gnome_stream_connect_gkeyringd($1, $1_wm_t) > +? ? ? ? ? ? ? ?gnome_stream_connect_all_gkeyringd($1_wm_t) > ? ? ? ? ') > > ? ? ? ? optional_policy(` > @@ -134,3 +137,41 @@ interface(`wm_dbus_chat',` > ? ? ? ? allow $2 $1_wm_t:dbus send_msg; > ? ? ? ? allow $1_wm_t $2:dbus send_msg; > ?') > + > +######################################## > +## <summary> > +##? ? ?Do not audit attempts to execute > +##? ? ?files in temporary directories. > +## </summary> > +## <param name="domain"> > +##? ? ?<summary> > +##? ? ?Domain to not audit. > +##? ? ?</summary> > +## </param> > +# > +interface(`wm_dontaudit_exec_tmp_files',` > +? ? ? ?gen_require(` > +? ? ? ? ? ? ? ?type wm_tmp_t; > +? ? ? ?') > + > +? ? ? ?dontaudit $1 wm_tmp_t:file exec_file_perms; > +') > + > +######################################## > +## <summary> > +##? ? ?Do not audit attempts to execute > +##? ? ?files in temporary filesystems. > +## </summary> > +## <param name="domain"> > +##? ? ?<summary> > +##? ? ?Domain to not audit. > +##? ? ?</summary> > +## </param> > +# > +interface(`wm_dontaudit_exec_tmpfs_files',` > +? ? ? ?gen_require(` > +? ? ? ? ? ? ? ?type wm_tmpfs_t; > +? ? ? ?') > + > +? ? ? ?dontaudit $1 wm_tmpfs_t:file exec_file_perms; > +') > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.te > refpolicy-git-07122016/policy/modules/contrib/wm.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/wm.te? ? 2016- > 12-14 02:24:53.396000918 +0100 > +++ refpolicy-git-07122016/policy/modules/contrib/wm.te 2016-12-13 > 00:34:34.876856837 +0100 > @@ -10,6 +10,18 @@ attribute wm_domain; > ?type wm_exec_t; > ?corecmd_executable_file(wm_exec_t) > > +type wm_tmp_t; > +typealias wm_tmp_t alias { user_wm_tmp_t staff_wm_tmp_t > sysadm_wm_tmp_t }; > +userdom_user_tmp_file(wm_tmp_t) > + > +type wm_tmpfs_t; > +typealias wm_tmpfs_t alias { user_wm_tmpfs_t staff_wm_tmpfs_t > sysadm_wm_tmpfs_t }; > +userdom_user_tmpfs_file(wm_tmpfs_t) > + > +optional_policy(` > +? ? ? ?pulseaudio_tmpfs_content(wm_tmpfs_t) > +') > + > ?######################################## > ?# > ?# Common wm domain local policy > @@ -21,31 +33,60 @@ allow wm_domain self:netlink_kobject_uev > ?allow wm_domain self:shm create_shm_perms; > ?allow wm_domain self:unix_dgram_socket create_socket_perms; > > +manage_dirs_pattern(wm_domain, wm_tmp_t, wm_tmp_t) > +manage_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t) > +manage_lnk_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t) > +files_tmp_filetrans(wm_domain, wm_tmp_t, { dir file lnk_file }) > + > +manage_dirs_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) > +manage_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) > +manage_lnk_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) > +fs_tmpfs_filetrans(wm_domain, wm_tmpfs_t, { dir file lnk_file }) > + > +can_exec(wm_domain, wm_exec_t) > + > ?kernel_read_system_state(wm_domain) > > ?corecmd_getattr_all_executables(wm_domain) > > +dev_read_rand(wm_domain) > ?dev_read_sound(wm_domain) > ?dev_read_sysfs(wm_domain) > ?dev_read_urand(wm_domain) > +dev_rw_dri(wm_domain) > > I'm pretty sure this is not required. This perm depends on your type > of graphics card and driver. OpenGL on my machine needs it but other > people I've talked to don't require it. I think I am going to add > this as a Boolean to allow rw_dri(xdomain) so people with those kinds > of cards can enable it everywhere instead of forcing it for people > who don't need it.? It is harmless and it benefits the DRI driver. If you haven't got a graphic card with DRI or if you have DRI disabled, it just does nothing. It is simply a permission to write to devices in /dev/dri/*. A boolean would just make things complicate without any benefit for anyone. It is not forcing anything, it is just supporting the natural behaviour of an application carrying out a licit operation. > ?dev_rw_wireless(wm_domain) > ?dev_write_sound(wm_domain) > > +files_read_etc_runtime_files(wm_domain) > ?files_read_usr_files(wm_domain) > > ?fs_getattr_all_fs(wm_domain) > > +kernel_read_fs_sysctls(wm_domain) > +kernel_read_proc_symlinks(wm_domain) > +kernel_read_sysctl(wm_domain) > + > ?miscfiles_read_fonts(wm_domain) > +miscfiles_read_generic_certs(wm_domain) > ?miscfiles_read_localization(wm_domain) > > +udev_read_pid_files(wm_domain) > + > +# this is needed by gnome-shell > +userdom_exec_user_home_content_files(wm_domain) > + > ?userdom_manage_user_tmp_sockets(wm_domain) > ?userdom_tmp_filetrans_user_tmp(wm_domain, sock_file) > ?userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file) > > ?userdom_manage_user_home_content_dirs(wm_domain) > ?userdom_manage_user_home_content_files(wm_domain) > + > ?userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir > file }) > > +wm_dontaudit_exec_tmp_files(wm_domain) > +wm_dontaudit_exec_tmpfs_files(wm_domain) > + > ?optional_policy(` > ? ? ? ? accountsd_dbus_chat(wm_domain) > ?') > @@ -55,10 +96,51 @@ optional_policy(` > ?') > > ?optional_policy(` > +? ? ? ?consolekit_dbus_chat(wm_domain) > +') > + > +optional_policy(` > ? ? ? ? devicekit_dbus_chat_power(wm_domain) > ?') > > ?optional_policy(` > +? ? ? ?evolution_domtrans(wm_domain) > + > +? ? ? ?optional_policy(` > +? ? ? ? ? ? ? ?evolution_dbus_chat(wm_domain) > +? ? ? ? ? ? ? ?evolution_alarm_dbus_chat(wm_domain) > +? ? ? ?') > +') > + > +optional_policy(` > +? ? ? ?games_domtrans(wm_domain) > + > +? ? ? ?optional_policy(` > +? ? ? ? ? ? ? ?games_dbus_chat(wm_domain) > +? ? ? ?') > +') > + > +optional_policy(` > +? ? ? ?java_domtrans(wm_domain) > +') > + > +optional_policy(` > +? ? ? ?mono_domtrans(wm_domain) > +') > + > +optional_policy(` > +? ? ? ?mozilla_domtrans(wm_domain) > + > +? ? ? ?optional_policy(` > +? ? ? ? ? ? ? ?mozilla_dbus_chat(wm_domain) > +? ? ? ?') > +') > + > +optional_policy(` > +? ? ? ?mplayer_domtrans(wm_domain) > +') > + > +optional_policy(` > ? ? ? ? networkmanager_dbus_chat(wm_domain) > ?') > > Whoa are we going to have to add every single application to > wm_domain to be able to run it? That will get annoying super fast. > Isn't there an application_domain attribute we can use? If there > isn't we might want to reverse this so X application types instead > declare that wm can run them (something like the application_type > interface) I don't understand what you mean. > @@ -67,9 +149,13 @@ optional_policy(` > ?') > > ?optional_policy(` > -? ? ? ?pulseaudio_stream_connect(wm_domain) > +? ? ? ?telepathy_mission_control_dbus_chat(wm_domain) > ?') > > ?optional_policy(` > ? ? ? ? userhelper_exec_consolehelper(wm_domain) > ?') > + > +optional_policy(` > +? ? ? ?xserver_dbus_chat_xdm(wm_domain) > +') > diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/staff.te > refpolicy-git-07122016/policy/modules/roles/staff.te > --- refpolicy-git-07122016-orig/policy/modules/roles/staff.te? ?2016- > 12-14 02:24:53.397000941 +0100 > +++ refpolicy-git-07122016/policy/modules/roles/staff.te? ? ? ? 2016- > 12-13 22:45:02.857851229 +0100 > @@ -88,11 +88,11 @@ ifndef(`distro_redhat',` > ? ? ? ? ? ? ? ? ') > > ? ? ? ? ? ? ? ? optional_policy(` > -? ? ? ? ? ? ? ? ? ? ? ?pulseaudio_role(staff_r, staff_t) > +? ? ? ? ? ? ? ? ? ? ? ?telepathy_role_template(staff, staff_r, > staff_t) > ? ? ? ? ? ? ? ? ') > > ? ? ? ? ? ? ? ? optional_policy(` > -? ? ? ? ? ? ? ? ? ? ? ?telepathy_role_template(staff, staff_r, > staff_t) > +? ? ? ? ? ? ? ? ? ? ? ?wm_role_template(staff, staff_r, staff_t) > ? ? ? ? ? ? ? ? ') > ? ? ? ? ') > > @@ -145,6 +145,10 @@ ifndef(`distro_redhat',` > ? ? ? ? ') > > ? ? ? ? optional_policy(` > +? ? ? ? ? ? ? ?pulseaudio_role(staff_r, staff_t) > +? ? ? ?') > + > > This has nothing to do with window managers. Pulse stuff should be in > a separate patch.? Yes, it has nothing to do with window managers. It is a general bug in the current policy, because pulseaudio does not depend on dbus. I took a chance to fix it, which is probably better than not fixing it. > +? ? ? ?optional_policy(` > ? ? ? ? ? ? ? ? pyzor_role(staff_r, staff_t) > ? ? ? ? ') > > diff -pruN refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te > refpolicy-git-07122016/policy/modules/roles/sysadm.te > --- refpolicy-git-07122016-orig/policy/modules/roles/sysadm.te? 2016- > 12-14 02:24:53.397000941 +0100 > +++ refpolicy-git-07122016/policy/modules/roles/sysadm.te? ? ? ?2016- > 12-13 22:45:25.577422292 +0100 > @@ -1246,6 +1246,10 @@ ifndef(`distro_redhat',` > ? ? ? ? ? ? ? ? optional_policy(` > ? ? ? ? ? ? ? ? ? ? ? ? gnome_role_template(sysadm, sysadm_r, > sysadm_t) > ? ? ? ? ? ? ? ? ') > + > +? ? ? ? ? ? ? ?optional_policy(` > +? ? ? ? ? ? ? ? ? ? ? ?wm_role_template(sysadm, sysadm_r, sysadm_t) > +? ? ? ? ? ? ? ?') > ? ? ? ? ') > > ? ? ? ? optional_policy(` > diff -pruN refpolicy-git-07122016- > orig/policy/modules/roles/unprivuser.te refpolicy-git- > 07122016/policy/modules/roles/unprivuser.te > --- refpolicy-git-07122016-orig/policy/modules/roles/unprivuser.te? ? > ? 2016-12-14 02:24:53.398000965 +0100 > +++ refpolicy-git-07122016/policy/modules/roles/unprivuser.te? ?2016- > 12-13 22:44:50.493540449 +0100 > @@ -57,11 +57,11 @@ ifndef(`distro_redhat',` > ? ? ? ? ? ? ? ? ') > > ? ? ? ? ? ? ? ? optional_policy(` > -? ? ? ? ? ? ? ? ? ? ? ?pulseaudio_role(user_r, user_t) > +? ? ? ? ? ? ? ? ? ? ? ?telepathy_role_template(user, user_r, user_t) > ? ? ? ? ? ? ? ? ') > > ? ? ? ? ? ? ? ? optional_policy(` > -? ? ? ? ? ? ? ? ? ? ? ?telepathy_role_template(user, user_r, user_t) > +? ? ? ? ? ? ? ? ? ? ? ?wm_role_template(user, user_r, user_t) > ? ? ? ? ? ? ? ? ') > ? ? ? ? ') > > @@ -122,6 +122,10 @@ ifndef(`distro_redhat',` > ? ? ? ? ') > > ? ? ? ? optional_policy(` > +? ? ? ? ? ? ? ?pulseaudio_role(user_r, user_t) > +? ? ? ?') > + > > What's up with the random rearranging of the lines here? It makes the > patch seem like it's doing more than it is.? > > +? ? ? ?optional_policy(` > ? ? ? ? ? ? ? ? pyzor_role(user_r, user_t) > ? ? ? ? ') I have tested the patchset with and without gdm and it works fine. I recommend to apply it as it brings benefits to all Reference Policy users. Guido ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH v2 1/5] wm: update the window manager (wm) module and enable its role template (v5) 2016-12-14 13:23 ` Guido Trentalancia @ 2016-12-14 21:25 ` Chris PeBenito 2016-12-14 21:29 ` Guido Trentalancia 2016-12-14 23:43 ` [refpolicy] [PATCH v3 1/5] wm: update the window manager (wm) module and enable its role template (v6) Guido Trentalancia 0 siblings, 2 replies; 47+ messages in thread From: Chris PeBenito @ 2016-12-14 21:25 UTC (permalink / raw) To: refpolicy On 12/14/16 08:23, Guido Trentalancia via refpolicy wrote: > Hello Jason, > > you took the list off for this message, I think this is not > intentional, so I am bringing the reply back on the list... > > On Wed, 14/12/2016 at 21.01 +0800, Jason Zaman wrote: >> >> >> On 14 Dec 2016 09:54, "Guido Trentalancia via refpolicy" <refpolicy@o >> ss.tresys.com> wrote: >> Enable the window manager role (wm contrib module) and update >> the module to work with gnome-shell. >> >> This patch requires the following recently posted patch for the >> games module: >> >> [PATCH v3 1/2] games: general update and improved pulseaudio >> integration >> http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html >> >> This patch has received some testing with the following two >> configurations: >> - gnome-shell executing in normal mode (with display managers >> other than gdm, such as xdm from XOrg); >> - gnome-shell executing in gdm mode (with the Gnome Display >> Manager). >> >> Patches 3/5, 4/5 and 5/5 are needed when gnome-shell is used >> in conjunction with gdm. >> >> Since the window managers are not limited by gnome-shell, this latter >> version of the patch (along with part 2/5) uses separate optional >> conditionals for the gnome and wm role templates. >> >> Signed-off-by: Guido Trentalancia <guido@trentalancia.net> >> --- >> policy/modules/contrib/colord.te | 5 ++ >> policy/modules/contrib/dbus.te | 5 ++ >> policy/modules/contrib/wm.if | 43 +++++++++++++++++- >> policy/modules/contrib/wm.te | 88 >> ++++++++++++++++++++++++++++++++++++- >> policy/modules/roles/staff.te | 8 ++- >> policy/modules/roles/sysadm.te | 4 + >> policy/modules/roles/unprivuser.te | 8 ++- >> 7 files changed, 155 insertions(+), 6 deletions(-) >> [...] >> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.te >> refpolicy-git-07122016/policy/modules/contrib/wm.te >> --- refpolicy-git-07122016-orig/policy/modules/contrib/wm.te 2016- >> 12-14 02:24:53.396000918 +0100 >> +++ refpolicy-git-07122016/policy/modules/contrib/wm.te 2016-12-13 >> 00:34:34.876856837 +0100 >> @@ -10,6 +10,18 @@ attribute wm_domain; >> type wm_exec_t; >> corecmd_executable_file(wm_exec_t) >> >> +type wm_tmp_t; >> +typealias wm_tmp_t alias { user_wm_tmp_t staff_wm_tmp_t >> sysadm_wm_tmp_t }; >> +userdom_user_tmp_file(wm_tmp_t) >> + >> +type wm_tmpfs_t; >> +typealias wm_tmpfs_t alias { user_wm_tmpfs_t staff_wm_tmpfs_t >> sysadm_wm_tmpfs_t }; >> +userdom_user_tmpfs_file(wm_tmpfs_t) Don't add aliases. The alias types never existed, so there is no compatibility to preserve. -- Chris PeBenito ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH v2 1/5] wm: update the window manager (wm) module and enable its role template (v5) 2016-12-14 21:25 ` Chris PeBenito @ 2016-12-14 21:29 ` Guido Trentalancia 2016-12-14 23:43 ` [refpolicy] [PATCH v3 1/5] wm: update the window manager (wm) module and enable its role template (v6) Guido Trentalancia 1 sibling, 0 replies; 47+ messages in thread From: Guido Trentalancia @ 2016-12-14 21:29 UTC (permalink / raw) To: refpolicy Yes, thanks for pointing that out. The new revised version will be ready soon... On the 14th December 2016 22:25:52 CET, Chris PeBenito <pebenito@ieee.org> wrote: >On 12/14/16 08:23, Guido Trentalancia via refpolicy wrote: >> Hello Jason, >> >> you took the list off for this message, I think this is not >> intentional, so I am bringing the reply back on the list... >> >> On Wed, 14/12/2016 at 21.01 +0800, Jason Zaman wrote: >>> >>> >>> On 14 Dec 2016 09:54, "Guido Trentalancia via refpolicy" ><refpolicy@o >>> ss.tresys.com> wrote: >>> Enable the window manager role (wm contrib module) and update >>> the module to work with gnome-shell. >>> >>> This patch requires the following recently posted patch for the >>> games module: >>> >>> [PATCH v3 1/2] games: general update and improved pulseaudio >>> integration >>> http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html >>> >>> This patch has received some testing with the following two >>> configurations: >>> - gnome-shell executing in normal mode (with display managers >>> other than gdm, such as xdm from XOrg); >>> - gnome-shell executing in gdm mode (with the Gnome Display >>> Manager). >>> >>> Patches 3/5, 4/5 and 5/5 are needed when gnome-shell is used >>> in conjunction with gdm. >>> >>> Since the window managers are not limited by gnome-shell, this >latter >>> version of the patch (along with part 2/5) uses separate optional >>> conditionals for the gnome and wm role templates. >>> >>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net> >>> --- >>> policy/modules/contrib/colord.te | 5 ++ >>> policy/modules/contrib/dbus.te | 5 ++ >>> policy/modules/contrib/wm.if | 43 +++++++++++++++++- >>> policy/modules/contrib/wm.te | 88 >>> ++++++++++++++++++++++++++++++++++++- >>> policy/modules/roles/staff.te | 8 ++- >>> policy/modules/roles/sysadm.te | 4 + >>> policy/modules/roles/unprivuser.te | 8 ++- >>> 7 files changed, 155 insertions(+), 6 deletions(-) >>> > >[...] > >>> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/wm.te >>> refpolicy-git-07122016/policy/modules/contrib/wm.te >>> --- refpolicy-git-07122016-orig/policy/modules/contrib/wm.te >2016- >>> 12-14 02:24:53.396000918 +0100 >>> +++ refpolicy-git-07122016/policy/modules/contrib/wm.te 2016-12-13 >>> 00:34:34.876856837 +0100 >>> @@ -10,6 +10,18 @@ attribute wm_domain; >>> type wm_exec_t; >>> corecmd_executable_file(wm_exec_t) >>> >>> +type wm_tmp_t; >>> +typealias wm_tmp_t alias { user_wm_tmp_t staff_wm_tmp_t >>> sysadm_wm_tmp_t }; >>> +userdom_user_tmp_file(wm_tmp_t) >>> + >>> +type wm_tmpfs_t; >>> +typealias wm_tmpfs_t alias { user_wm_tmpfs_t staff_wm_tmpfs_t >>> sysadm_wm_tmpfs_t }; >>> +userdom_user_tmpfs_file(wm_tmpfs_t) > >Don't add aliases. The alias types never existed, so there is no >compatibility to preserve. ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH v3 1/5] wm: update the window manager (wm) module and enable its role template (v6) 2016-12-14 21:25 ` Chris PeBenito 2016-12-14 21:29 ` Guido Trentalancia @ 2016-12-14 23:43 ` Guido Trentalancia 2016-12-16 0:31 ` Chris PeBenito 1 sibling, 1 reply; 47+ messages in thread From: Guido Trentalancia @ 2016-12-14 23:43 UTC (permalink / raw) To: refpolicy Enable the window manager role (wm contrib module) and update the module to work with gnome-shell. This patch requires the following recently posted patch for the games module: [PATCH v3 1/2] games: general update and improved pulseaudio integration http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html This patch has received some testing with the following two configurations: - gnome-shell executing in normal mode (with display managers other than gdm, such as xdm from XOrg); - gnome-shell executing in gdm mode (with the Gnome Display Manager). Patches 3/5, 4/5 and 5/5 are needed when gnome-shell is used in conjunction with gdm. Since the window managers are not limited by gnome-shell, this latter version of the patch (along with part 2/5) uses separate optional conditionals for the gnome and wm role templates. The new wm_application_domain() interface introduced in the sixth version of this patch is an idea of Jason Zaman. This patch also fixes a minor bug in the way the pulseaudio_role() interface is optionally included by the role templates (pulseaudio does not depend on dbus). Signed-off-by: Guido Trentalancia <guido@trentalancia.net> --- policy/modules/contrib/colord.te | 5 ++ policy/modules/contrib/dbus.te | 5 ++ policy/modules/contrib/evolution.te | 4 + policy/modules/contrib/games.te | 4 + policy/modules/contrib/java.te | 4 + policy/modules/contrib/mono.te | 4 + policy/modules/contrib/mozilla.te | 4 + policy/modules/contrib/mplayer.te | 4 + policy/modules/contrib/wm.if | 89 +++++++++++++++++++++++++++++++++++- policy/modules/contrib/wm.te | 62 ++++++++++++++++++++++++- policy/modules/roles/staff.te | 8 ++- policy/modules/roles/sysadm.te | 4 + policy/modules/roles/unprivuser.te | 8 ++- 13 files changed, 199 insertions(+), 6 deletions(-) diff -pru a/policy/modules/contrib/colord.te b/policy/modules/contrib/colord.te --- a/policy/modules/contrib/colord.te 2016-08-14 21:28:11.468519205 +0200 +++ b/policy/modules/contrib/colord.te 2016-12-14 02:45:54.815580399 +0100 @@ -137,3 +137,8 @@ optional_policy(` udev_read_db(colord_t) udev_read_pid_files(colord_t) ') + +optional_policy(` + xserver_read_xdm_lib_files(colord_t) + xserver_use_xdm_fds(colord_t) +') diff -pru a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te --- a/policy/modules/contrib/dbus.te 2016-08-14 21:28:11.477519343 +0200 +++ b/policy/modules/contrib/dbus.te 2016-12-14 02:24:00.796768671 +0100 @@ -159,6 +159,11 @@ optional_policy(` udev_read_db(system_dbusd_t) ') +optional_policy(` + xserver_read_xdm_lib_files(system_dbusd_t) + xserver_use_xdm_fds(system_dbusd_t) +') + ######################################## # # Common session bus local policy diff -pru a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te --- a/policy/modules/contrib/evolution.te 2016-12-07 13:39:49.975910286 +0100 +++ b/policy/modules/contrib/evolution.te 2016-12-15 00:18:21.791452219 +0100 @@ -23,6 +23,10 @@ typealias evolution_t alias { auditadm_e userdom_user_application_domain(evolution_t, evolution_exec_t) role evolution_roles types evolution_t; +optional_policy(` + wm_application_domain(evolution_t, evolution_exec_t) +') + type evolution_alarm_t; type evolution_alarm_exec_t; typealias evolution_alarm_t alias { user_evolution_alarm_t staff_evolution_alarm_t sysadm_evolution_alarm_t }; diff -pru a/policy/modules/contrib/games.te b/policy/modules/contrib/games.te --- a/policy/modules/contrib/games.te 2016-12-12 01:59:37.872004679 +0100 +++ b/policy/modules/contrib/games.te 2016-12-15 00:19:55.191238925 +0100 @@ -14,6 +14,10 @@ typealias games_t alias { auditadm_games userdom_user_application_domain(games_t, games_exec_t) role games_roles types games_t; +optional_policy(` + wm_application_domain(games_t, games_exec_t) +') + type games_data_t; typealias games_data_t alias { user_games_data_t staff_games_data_t sysadm_games_data_t }; typealias games_data_t alias { auditadm_games_data_t secadm_games_data_t }; diff -pru a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te --- a/policy/modules/contrib/java.te 2016-08-14 21:28:11.504519758 +0200 +++ b/policy/modules/contrib/java.te 2016-12-15 00:23:12.650129586 +0100 @@ -27,6 +27,10 @@ typealias java_t alias { staff_javaplugi typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t }; role java_roles types java_t; +optional_policy(` + wm_application_domain(java_t, java_exec_t) +') + type java_home_t; userdom_user_home_content(java_home_t) diff -pru a/policy/modules/contrib/mono.te b/policy/modules/contrib/mono.te --- a/policy/modules/contrib/mono.te 2016-08-14 21:28:11.520520004 +0200 +++ b/policy/modules/contrib/mono.te 2016-12-15 00:24:01.783117146 +0100 @@ -16,6 +16,10 @@ role mono_roles types mono_t; application_type(mono_t) +optional_policy(` + wm_application_domain(mono_t, mono_exec_t) +') + ######################################## # # Common local policy diff -pru a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te --- a/policy/modules/contrib/mozilla.te 2016-12-14 16:31:11.432155580 +0100 +++ b/policy/modules/contrib/mozilla.te 2016-12-15 00:24:45.672785494 +0100 @@ -24,6 +24,10 @@ typealias mozilla_t alias { auditadm_moz userdom_user_application_domain(mozilla_t, mozilla_exec_t) role mozilla_roles types mozilla_t; +optional_policy(` + wm_application_domain(mozilla_t, mozilla_exec_t) +') + type mozilla_home_t; typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t }; typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t }; diff -pru a/policy/modules/contrib/mplayer.te b/policy/modules/contrib/mplayer.te --- a/policy/modules/contrib/mplayer.te 2016-10-29 16:29:19.667325422 +0200 +++ b/policy/modules/contrib/mplayer.te 2016-12-15 00:25:40.085738055 +0100 @@ -30,6 +30,10 @@ typealias mplayer_t alias { auditadm_mpl userdom_user_application_domain(mplayer_t, mplayer_exec_t) role mplayer_roles types mplayer_t; +optional_policy(` + wm_application_domain(mplayer_t, mplayer_exec_t) +') + type mplayer_etc_t; files_config_file(mplayer_etc_t) diff -pru a/policy/modules/contrib/wm.if b/policy/modules/contrib/wm.if --- a/policy/modules/contrib/wm.if 2016-12-14 02:24:53.377000472 +0100 +++ b/policy/modules/contrib/wm.if 2016-12-15 00:16:28.516076888 +0100 @@ -47,6 +47,8 @@ template(`wm_role_template',` # Policy # + allow $3 $1_wm_t:fd use; + allow $1_wm_t $3:unix_stream_socket connectto; allow $3 $1_wm_t:unix_stream_socket connectto; @@ -72,6 +74,7 @@ template(`wm_role_template',` xserver_manage_core_devices($1_wm_t) optional_policy(` + dbus_connect_spec_session_bus($1, $1_wm_t) dbus_spec_session_bus_client($1, $1_wm_t) dbus_system_bus_client($1_wm_t) @@ -81,7 +84,7 @@ template(`wm_role_template',` ') optional_policy(` - gnome_stream_connect_gkeyringd($1, $1_wm_t) + gnome_stream_connect_all_gkeyringd($1_wm_t) ') optional_policy(` @@ -134,3 +137,87 @@ interface(`wm_dbus_chat',` allow $2 $1_wm_t:dbus send_msg; allow $1_wm_t $2:dbus send_msg; ') + +######################################## +## <summary> +## Do not audit attempts to execute +## files in temporary directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`wm_dontaudit_exec_tmp_files',` + gen_require(` + type wm_tmp_t; + ') + + dontaudit $1 wm_tmp_t:file exec_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to execute +## files in temporary filesystems. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`wm_dontaudit_exec_tmpfs_files',` + gen_require(` + type wm_tmpfs_t; + ') + + dontaudit $1 wm_tmpfs_t:file exec_file_perms; +') + +######################################## +## <summary> +## Create a domain for applications +## that are launched by the window +## manager. +## </summary> +## <desc> +## <p> +## Create a domain for applications that are launched by the +## window manager (implying a domain transition). Typically +## these are graphical applications that are run interactively. +## </p> +## <p> +## The types will be made usable as a domain and file, making +## calls to domain_type() and files_type() redundant. +## </p> +## </desc> +## <param name="target_domain"> +## <summary> +## Type to be used in the domain transition as the application +## domain. +## </summary> +## </param> +## <param name="entry_point"> +## <summary> +## Type of the program to be used as an entry point to this domain. +## </summary> +## </param> +## <param name="source_domain"> +## <summary> +## Type to be used as the source window manager domain. +## </summary> +## </param> +## <infoflow type="none"/> +# +interface(`wm_application_domain',` + gen_require(` + attribute wm_domain; + ') + + application_type($1) + ubac_constrained($1) + application_executable_file($2) + domtrans_pattern(wm_domain, $2, $1) +') diff -pru a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te --- a/policy/modules/contrib/wm.te 2016-12-14 02:24:53.396000918 +0100 +++ b/policy/modules/contrib/wm.te 2016-12-15 00:26:06.044631194 +0100 @@ -10,6 +10,16 @@ attribute wm_domain; type wm_exec_t; corecmd_executable_file(wm_exec_t) +type wm_tmp_t; +userdom_user_tmp_file(wm_tmp_t) + +type wm_tmpfs_t; +userdom_user_tmpfs_file(wm_tmpfs_t) + +optional_policy(` + pulseaudio_tmpfs_content(wm_tmpfs_t) +') + ######################################## # # Common wm domain local policy @@ -21,31 +31,60 @@ allow wm_domain self:netlink_kobject_uev allow wm_domain self:shm create_shm_perms; allow wm_domain self:unix_dgram_socket create_socket_perms; +manage_dirs_pattern(wm_domain, wm_tmp_t, wm_tmp_t) +manage_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t) +manage_lnk_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t) +files_tmp_filetrans(wm_domain, wm_tmp_t, { dir file lnk_file }) + +manage_dirs_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) +manage_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) +manage_lnk_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) +fs_tmpfs_filetrans(wm_domain, wm_tmpfs_t, { dir file lnk_file }) + +can_exec(wm_domain, wm_exec_t) + kernel_read_system_state(wm_domain) corecmd_getattr_all_executables(wm_domain) +dev_read_rand(wm_domain) dev_read_sound(wm_domain) dev_read_sysfs(wm_domain) dev_read_urand(wm_domain) +dev_rw_dri(wm_domain) dev_rw_wireless(wm_domain) dev_write_sound(wm_domain) +files_read_etc_runtime_files(wm_domain) files_read_usr_files(wm_domain) fs_getattr_all_fs(wm_domain) +kernel_read_fs_sysctls(wm_domain) +kernel_read_proc_symlinks(wm_domain) +kernel_read_sysctl(wm_domain) + miscfiles_read_fonts(wm_domain) +miscfiles_read_generic_certs(wm_domain) miscfiles_read_localization(wm_domain) +udev_read_pid_files(wm_domain) + +# this is needed by gnome-shell +userdom_exec_user_home_content_files(wm_domain) + userdom_manage_user_tmp_sockets(wm_domain) userdom_tmp_filetrans_user_tmp(wm_domain, sock_file) userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file) userdom_manage_user_home_content_dirs(wm_domain) userdom_manage_user_home_content_files(wm_domain) + userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file }) +wm_dontaudit_exec_tmp_files(wm_domain) +wm_dontaudit_exec_tmpfs_files(wm_domain) + optional_policy(` accountsd_dbus_chat(wm_domain) ') @@ -55,10 +94,27 @@ optional_policy(` ') optional_policy(` + consolekit_dbus_chat(wm_domain) +') + +optional_policy(` devicekit_dbus_chat_power(wm_domain) ') optional_policy(` + evolution_dbus_chat(wm_domain) + evolution_alarm_dbus_chat(wm_domain) +') + +optional_policy(` + games_dbus_chat(wm_domain) +') + +optional_policy(` + mozilla_dbus_chat(wm_domain) +') + +optional_policy(` networkmanager_dbus_chat(wm_domain) ') @@ -67,9 +123,13 @@ optional_policy(` ') optional_policy(` - pulseaudio_stream_connect(wm_domain) + telepathy_mission_control_dbus_chat(wm_domain) ') optional_policy(` userhelper_exec_consolehelper(wm_domain) ') + +optional_policy(` + xserver_dbus_chat_xdm(wm_domain) +') diff -pru a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te --- a/policy/modules/roles/staff.te 2016-12-14 02:24:53.397000941 +0100 +++ b/policy/modules/roles/staff.te 2016-12-13 22:45:02.857851229 +0100 @@ -88,11 +88,11 @@ ifndef(`distro_redhat',` ') optional_policy(` - pulseaudio_role(staff_r, staff_t) + telepathy_role_template(staff, staff_r, staff_t) ') optional_policy(` - telepathy_role_template(staff, staff_r, staff_t) + wm_role_template(staff, staff_r, staff_t) ') ') @@ -145,6 +145,10 @@ ifndef(`distro_redhat',` ') optional_policy(` + pulseaudio_role(staff_r, staff_t) + ') + + optional_policy(` pyzor_role(staff_r, staff_t) ') diff -pru a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te --- a/policy/modules/roles/sysadm.te 2016-12-14 02:24:53.397000941 +0100 +++ b/policy/modules/roles/sysadm.te 2016-12-13 22:45:25.577422292 +0100 @@ -1246,6 +1246,10 @@ ifndef(`distro_redhat',` optional_policy(` gnome_role_template(sysadm, sysadm_r, sysadm_t) ') + + optional_policy(` + wm_role_template(sysadm, sysadm_r, sysadm_t) + ') ') optional_policy(` diff -pru a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te --- a/policy/modules/roles/unprivuser.te 2016-12-14 02:24:53.398000965 +0100 +++ b/policy/modules/roles/unprivuser.te 2016-12-13 22:44:50.493540449 +0100 @@ -57,11 +57,11 @@ ifndef(`distro_redhat',` ') optional_policy(` - pulseaudio_role(user_r, user_t) + telepathy_role_template(user, user_r, user_t) ') optional_policy(` - telepathy_role_template(user, user_r, user_t) + wm_role_template(user, user_r, user_t) ') ') @@ -122,6 +122,10 @@ ifndef(`distro_redhat',` ') optional_policy(` + pulseaudio_role(user_r, user_t) + ') + + optional_policy(` pyzor_role(user_r, user_t) ') ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH v3 1/5] wm: update the window manager (wm) module and enable its role template (v6) 2016-12-14 23:43 ` [refpolicy] [PATCH v3 1/5] wm: update the window manager (wm) module and enable its role template (v6) Guido Trentalancia @ 2016-12-16 0:31 ` Chris PeBenito 2016-12-16 15:59 ` [refpolicy] [PATCH v4 1/5 base part] wm: update the window manager (wm) module and enable its role template (v7) Guido Trentalancia 2016-12-16 15:59 ` [refpolicy] [PATCH v4 1/5 contrib " Guido Trentalancia 0 siblings, 2 replies; 47+ messages in thread From: Chris PeBenito @ 2016-12-16 0:31 UTC (permalink / raw) To: refpolicy On 12/14/16 18:43, Guido Trentalancia via refpolicy wrote: > Enable the window manager role (wm contrib module) and update > the module to work with gnome-shell. > > This patch requires the following recently posted patch for the > games module: > > [PATCH v3 1/2] games: general update and improved pulseaudio integration > http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html > > This patch has received some testing with the following two > configurations: > - gnome-shell executing in normal mode (with display managers > other than gdm, such as xdm from XOrg); > - gnome-shell executing in gdm mode (with the Gnome Display > Manager). > > Patches 3/5, 4/5 and 5/5 are needed when gnome-shell is used > in conjunction with gdm. > > Since the window managers are not limited by gnome-shell, this latter > version of the patch (along with part 2/5) uses separate optional > conditionals for the gnome and wm role templates. > > The new wm_application_domain() interface introduced in the sixth > version of this patch is an idea of Jason Zaman. > > This patch also fixes a minor bug in the way the pulseaudio_role() > interface is optionally included by the role templates (pulseaudio > does not depend on dbus). I'm willing to merge this set, but the patches need to be broken up so I can commit them to contrib and base separately. > > Signed-off-by: Guido Trentalancia <guido@trentalancia.net> > --- > policy/modules/contrib/colord.te | 5 ++ > policy/modules/contrib/dbus.te | 5 ++ > policy/modules/contrib/evolution.te | 4 + > policy/modules/contrib/games.te | 4 + > policy/modules/contrib/java.te | 4 + > policy/modules/contrib/mono.te | 4 + > policy/modules/contrib/mozilla.te | 4 + > policy/modules/contrib/mplayer.te | 4 + > policy/modules/contrib/wm.if | 89 +++++++++++++++++++++++++++++++++++- > policy/modules/contrib/wm.te | 62 ++++++++++++++++++++++++- > policy/modules/roles/staff.te | 8 ++- > policy/modules/roles/sysadm.te | 4 + > policy/modules/roles/unprivuser.te | 8 ++- > 13 files changed, 199 insertions(+), 6 deletions(-) > > diff -pru a/policy/modules/contrib/colord.te b/policy/modules/contrib/colord.te > --- a/policy/modules/contrib/colord.te 2016-08-14 21:28:11.468519205 +0200 > +++ b/policy/modules/contrib/colord.te 2016-12-14 02:45:54.815580399 +0100 > @@ -137,3 +137,8 @@ optional_policy(` > udev_read_db(colord_t) > udev_read_pid_files(colord_t) > ') > + > +optional_policy(` > + xserver_read_xdm_lib_files(colord_t) > + xserver_use_xdm_fds(colord_t) > +') > diff -pru a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te > --- a/policy/modules/contrib/dbus.te 2016-08-14 21:28:11.477519343 +0200 > +++ b/policy/modules/contrib/dbus.te 2016-12-14 02:24:00.796768671 +0100 > @@ -159,6 +159,11 @@ optional_policy(` > udev_read_db(system_dbusd_t) > ') > > +optional_policy(` > + xserver_read_xdm_lib_files(system_dbusd_t) > + xserver_use_xdm_fds(system_dbusd_t) > +') > + > ######################################## > # > # Common session bus local policy > diff -pru a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te > --- a/policy/modules/contrib/evolution.te 2016-12-07 13:39:49.975910286 +0100 > +++ b/policy/modules/contrib/evolution.te 2016-12-15 00:18:21.791452219 +0100 > @@ -23,6 +23,10 @@ typealias evolution_t alias { auditadm_e > userdom_user_application_domain(evolution_t, evolution_exec_t) > role evolution_roles types evolution_t; > > +optional_policy(` > + wm_application_domain(evolution_t, evolution_exec_t) > +') > + > type evolution_alarm_t; > type evolution_alarm_exec_t; > typealias evolution_alarm_t alias { user_evolution_alarm_t staff_evolution_alarm_t sysadm_evolution_alarm_t }; > diff -pru a/policy/modules/contrib/games.te b/policy/modules/contrib/games.te > --- a/policy/modules/contrib/games.te 2016-12-12 01:59:37.872004679 +0100 > +++ b/policy/modules/contrib/games.te 2016-12-15 00:19:55.191238925 +0100 > @@ -14,6 +14,10 @@ typealias games_t alias { auditadm_games > userdom_user_application_domain(games_t, games_exec_t) > role games_roles types games_t; > > +optional_policy(` > + wm_application_domain(games_t, games_exec_t) > +') > + > type games_data_t; > typealias games_data_t alias { user_games_data_t staff_games_data_t sysadm_games_data_t }; > typealias games_data_t alias { auditadm_games_data_t secadm_games_data_t }; > diff -pru a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te > --- a/policy/modules/contrib/java.te 2016-08-14 21:28:11.504519758 +0200 > +++ b/policy/modules/contrib/java.te 2016-12-15 00:23:12.650129586 +0100 > @@ -27,6 +27,10 @@ typealias java_t alias { staff_javaplugi > typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t }; > role java_roles types java_t; > > +optional_policy(` > + wm_application_domain(java_t, java_exec_t) > +') > + > type java_home_t; > userdom_user_home_content(java_home_t) > > diff -pru a/policy/modules/contrib/mono.te b/policy/modules/contrib/mono.te > --- a/policy/modules/contrib/mono.te 2016-08-14 21:28:11.520520004 +0200 > +++ b/policy/modules/contrib/mono.te 2016-12-15 00:24:01.783117146 +0100 > @@ -16,6 +16,10 @@ role mono_roles types mono_t; > > application_type(mono_t) > > +optional_policy(` > + wm_application_domain(mono_t, mono_exec_t) > +') > + > ######################################## > # > # Common local policy > diff -pru a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te > --- a/policy/modules/contrib/mozilla.te 2016-12-14 16:31:11.432155580 +0100 > +++ b/policy/modules/contrib/mozilla.te 2016-12-15 00:24:45.672785494 +0100 > @@ -24,6 +24,10 @@ typealias mozilla_t alias { auditadm_moz > userdom_user_application_domain(mozilla_t, mozilla_exec_t) > role mozilla_roles types mozilla_t; > > +optional_policy(` > + wm_application_domain(mozilla_t, mozilla_exec_t) > +') > + > type mozilla_home_t; > typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t }; > typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t }; > diff -pru a/policy/modules/contrib/mplayer.te b/policy/modules/contrib/mplayer.te > --- a/policy/modules/contrib/mplayer.te 2016-10-29 16:29:19.667325422 +0200 > +++ b/policy/modules/contrib/mplayer.te 2016-12-15 00:25:40.085738055 +0100 > @@ -30,6 +30,10 @@ typealias mplayer_t alias { auditadm_mpl > userdom_user_application_domain(mplayer_t, mplayer_exec_t) > role mplayer_roles types mplayer_t; > > +optional_policy(` > + wm_application_domain(mplayer_t, mplayer_exec_t) > +') > + > type mplayer_etc_t; > files_config_file(mplayer_etc_t) > > diff -pru a/policy/modules/contrib/wm.if b/policy/modules/contrib/wm.if > --- a/policy/modules/contrib/wm.if 2016-12-14 02:24:53.377000472 +0100 > +++ b/policy/modules/contrib/wm.if 2016-12-15 00:16:28.516076888 +0100 > @@ -47,6 +47,8 @@ template(`wm_role_template',` > # Policy > # > > + allow $3 $1_wm_t:fd use; > + > allow $1_wm_t $3:unix_stream_socket connectto; > allow $3 $1_wm_t:unix_stream_socket connectto; > > @@ -72,6 +74,7 @@ template(`wm_role_template',` > xserver_manage_core_devices($1_wm_t) > > optional_policy(` > + dbus_connect_spec_session_bus($1, $1_wm_t) > dbus_spec_session_bus_client($1, $1_wm_t) > dbus_system_bus_client($1_wm_t) > > @@ -81,7 +84,7 @@ template(`wm_role_template',` > ') > > optional_policy(` > - gnome_stream_connect_gkeyringd($1, $1_wm_t) > + gnome_stream_connect_all_gkeyringd($1_wm_t) > ') > > optional_policy(` > @@ -134,3 +137,87 @@ interface(`wm_dbus_chat',` > allow $2 $1_wm_t:dbus send_msg; > allow $1_wm_t $2:dbus send_msg; > ') > + > +######################################## > +## <summary> > +## Do not audit attempts to execute > +## files in temporary directories. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain to not audit. > +## </summary> > +## </param> > +# > +interface(`wm_dontaudit_exec_tmp_files',` > + gen_require(` > + type wm_tmp_t; > + ') > + > + dontaudit $1 wm_tmp_t:file exec_file_perms; > +') > + > +######################################## > +## <summary> > +## Do not audit attempts to execute > +## files in temporary filesystems. > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain to not audit. > +## </summary> > +## </param> > +# > +interface(`wm_dontaudit_exec_tmpfs_files',` > + gen_require(` > + type wm_tmpfs_t; > + ') > + > + dontaudit $1 wm_tmpfs_t:file exec_file_perms; > +') > + > +######################################## > +## <summary> > +## Create a domain for applications > +## that are launched by the window > +## manager. > +## </summary> > +## <desc> > +## <p> > +## Create a domain for applications that are launched by the > +## window manager (implying a domain transition). Typically > +## these are graphical applications that are run interactively. > +## </p> > +## <p> > +## The types will be made usable as a domain and file, making > +## calls to domain_type() and files_type() redundant. > +## </p> > +## </desc> > +## <param name="target_domain"> > +## <summary> > +## Type to be used in the domain transition as the application > +## domain. > +## </summary> > +## </param> > +## <param name="entry_point"> > +## <summary> > +## Type of the program to be used as an entry point to this domain. > +## </summary> > +## </param> > +## <param name="source_domain"> > +## <summary> > +## Type to be used as the source window manager domain. > +## </summary> > +## </param> > +## <infoflow type="none"/> > +# > +interface(`wm_application_domain',` > + gen_require(` > + attribute wm_domain; > + ') > + > + application_type($1) > + ubac_constrained($1) > + application_executable_file($2) > + domtrans_pattern(wm_domain, $2, $1) > +') > diff -pru a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te > --- a/policy/modules/contrib/wm.te 2016-12-14 02:24:53.396000918 +0100 > +++ b/policy/modules/contrib/wm.te 2016-12-15 00:26:06.044631194 +0100 > @@ -10,6 +10,16 @@ attribute wm_domain; > type wm_exec_t; > corecmd_executable_file(wm_exec_t) > > +type wm_tmp_t; > +userdom_user_tmp_file(wm_tmp_t) > + > +type wm_tmpfs_t; > +userdom_user_tmpfs_file(wm_tmpfs_t) > + > +optional_policy(` > + pulseaudio_tmpfs_content(wm_tmpfs_t) > +') > + > ######################################## > # > # Common wm domain local policy > @@ -21,31 +31,60 @@ allow wm_domain self:netlink_kobject_uev > allow wm_domain self:shm create_shm_perms; > allow wm_domain self:unix_dgram_socket create_socket_perms; > > +manage_dirs_pattern(wm_domain, wm_tmp_t, wm_tmp_t) > +manage_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t) > +manage_lnk_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t) > +files_tmp_filetrans(wm_domain, wm_tmp_t, { dir file lnk_file }) > + > +manage_dirs_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) > +manage_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) > +manage_lnk_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) > +fs_tmpfs_filetrans(wm_domain, wm_tmpfs_t, { dir file lnk_file }) > + > +can_exec(wm_domain, wm_exec_t) > + > kernel_read_system_state(wm_domain) > > corecmd_getattr_all_executables(wm_domain) > > +dev_read_rand(wm_domain) > dev_read_sound(wm_domain) > dev_read_sysfs(wm_domain) > dev_read_urand(wm_domain) > +dev_rw_dri(wm_domain) > dev_rw_wireless(wm_domain) > dev_write_sound(wm_domain) > > +files_read_etc_runtime_files(wm_domain) > files_read_usr_files(wm_domain) > > fs_getattr_all_fs(wm_domain) > > +kernel_read_fs_sysctls(wm_domain) > +kernel_read_proc_symlinks(wm_domain) > +kernel_read_sysctl(wm_domain) > + > miscfiles_read_fonts(wm_domain) > +miscfiles_read_generic_certs(wm_domain) > miscfiles_read_localization(wm_domain) > > +udev_read_pid_files(wm_domain) > + > +# this is needed by gnome-shell > +userdom_exec_user_home_content_files(wm_domain) > + > userdom_manage_user_tmp_sockets(wm_domain) > userdom_tmp_filetrans_user_tmp(wm_domain, sock_file) > userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file) > > userdom_manage_user_home_content_dirs(wm_domain) > userdom_manage_user_home_content_files(wm_domain) > + > userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file }) > > +wm_dontaudit_exec_tmp_files(wm_domain) > +wm_dontaudit_exec_tmpfs_files(wm_domain) > + > optional_policy(` > accountsd_dbus_chat(wm_domain) > ') > @@ -55,10 +94,27 @@ optional_policy(` > ') > > optional_policy(` > + consolekit_dbus_chat(wm_domain) > +') > + > +optional_policy(` > devicekit_dbus_chat_power(wm_domain) > ') > > optional_policy(` > + evolution_dbus_chat(wm_domain) > + evolution_alarm_dbus_chat(wm_domain) > +') > + > +optional_policy(` > + games_dbus_chat(wm_domain) > +') > + > +optional_policy(` > + mozilla_dbus_chat(wm_domain) > +') > + > +optional_policy(` > networkmanager_dbus_chat(wm_domain) > ') > > @@ -67,9 +123,13 @@ optional_policy(` > ') > > optional_policy(` > - pulseaudio_stream_connect(wm_domain) > + telepathy_mission_control_dbus_chat(wm_domain) > ') > > optional_policy(` > userhelper_exec_consolehelper(wm_domain) > ') > + > +optional_policy(` > + xserver_dbus_chat_xdm(wm_domain) > +') > diff -pru a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te > --- a/policy/modules/roles/staff.te 2016-12-14 02:24:53.397000941 +0100 > +++ b/policy/modules/roles/staff.te 2016-12-13 22:45:02.857851229 +0100 > @@ -88,11 +88,11 @@ ifndef(`distro_redhat',` > ') > > optional_policy(` > - pulseaudio_role(staff_r, staff_t) > + telepathy_role_template(staff, staff_r, staff_t) > ') > > optional_policy(` > - telepathy_role_template(staff, staff_r, staff_t) > + wm_role_template(staff, staff_r, staff_t) > ') > ') > > @@ -145,6 +145,10 @@ ifndef(`distro_redhat',` > ') > > optional_policy(` > + pulseaudio_role(staff_r, staff_t) > + ') > + > + optional_policy(` > pyzor_role(staff_r, staff_t) > ') > > diff -pru a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te > --- a/policy/modules/roles/sysadm.te 2016-12-14 02:24:53.397000941 +0100 > +++ b/policy/modules/roles/sysadm.te 2016-12-13 22:45:25.577422292 +0100 > @@ -1246,6 +1246,10 @@ ifndef(`distro_redhat',` > optional_policy(` > gnome_role_template(sysadm, sysadm_r, sysadm_t) > ') > + > + optional_policy(` > + wm_role_template(sysadm, sysadm_r, sysadm_t) > + ') > ') > > optional_policy(` > diff -pru a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te > --- a/policy/modules/roles/unprivuser.te 2016-12-14 02:24:53.398000965 +0100 > +++ b/policy/modules/roles/unprivuser.te 2016-12-13 22:44:50.493540449 +0100 > @@ -57,11 +57,11 @@ ifndef(`distro_redhat',` > ') > > optional_policy(` > - pulseaudio_role(user_r, user_t) > + telepathy_role_template(user, user_r, user_t) > ') > > optional_policy(` > - telepathy_role_template(user, user_r, user_t) > + wm_role_template(user, user_r, user_t) > ') > ') > > @@ -122,6 +122,10 @@ ifndef(`distro_redhat',` > ') > > optional_policy(` > + pulseaudio_role(user_r, user_t) > + ') > + > + optional_policy(` > pyzor_role(user_r, user_t) > ') > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -- Chris PeBenito ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH v4 1/5 base part] wm: update the window manager (wm) module and enable its role template (v7) 2016-12-16 0:31 ` Chris PeBenito @ 2016-12-16 15:59 ` Guido Trentalancia 2016-12-17 14:05 ` Chris PeBenito 2016-12-16 15:59 ` [refpolicy] [PATCH v4 1/5 contrib " Guido Trentalancia 1 sibling, 1 reply; 47+ messages in thread From: Guido Trentalancia @ 2016-12-16 15:59 UTC (permalink / raw) To: refpolicy Enable the window manager role (wm contrib module) and update the module to work with gnome-shell. This patch requires the following recently posted patch for the games module: [PATCH v3 1/2] games: general update and improved pulseaudio integration http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html This patch has received some testing with the following two configurations: - gnome-shell executing in normal mode (with display managers other than gdm, such as xdm from XOrg); - gnome-shell executing in gdm mode (with the Gnome Display Manager). Patches 3/5, 4/5 and 5/5 are needed when gnome-shell is used in conjunction with gdm. Since the window managers are not limited by gnome-shell, this latter version of the patch (along with part 2/5) uses separate optional conditionals for the gnome and wm role templates. The new wm_application_domain() interface introduced in the sixth version of this patch is an idea of Jason Zaman. This patch also fixes a minor bug in the way the pulseaudio_role() interface is optionally included by the role templates (pulseaudio does not depend on dbus). This seventh version splits the 1/5 patch in two separate patches: one for the base policy and one for the contrib policy. THIS IS THE BASE POLICY PART. Signed-off-by: Guido Trentalancia <guido@trentalancia.net> --- policy/modules/roles/staff.te | 8 ++++++-- policy/modules/roles/sysadm.te | 4 ++++ policy/modules/roles/unprivuser.te | 8 ++++++-- 3 files changed, 16 insertions(+), 4 deletions(-) diff -pru a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te --- a/policy/modules/roles/staff.te 2016-12-14 02:24:53.397000941 +0100 +++ b/policy/modules/roles/staff.te 2016-12-13 22:45:02.857851229 +0100 @@ -88,11 +88,11 @@ ifndef(`distro_redhat',` ') optional_policy(` - pulseaudio_role(staff_r, staff_t) + telepathy_role_template(staff, staff_r, staff_t) ') optional_policy(` - telepathy_role_template(staff, staff_r, staff_t) + wm_role_template(staff, staff_r, staff_t) ') ') @@ -145,6 +145,10 @@ ifndef(`distro_redhat',` ') optional_policy(` + pulseaudio_role(staff_r, staff_t) + ') + + optional_policy(` pyzor_role(staff_r, staff_t) ') diff -pru a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te --- a/policy/modules/roles/sysadm.te 2016-12-14 02:24:53.397000941 +0100 +++ b/policy/modules/roles/sysadm.te 2016-12-13 22:45:25.577422292 +0100 @@ -1246,6 +1246,10 @@ ifndef(`distro_redhat',` optional_policy(` gnome_role_template(sysadm, sysadm_r, sysadm_t) ') + + optional_policy(` + wm_role_template(sysadm, sysadm_r, sysadm_t) + ') ') optional_policy(` diff -pru a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te --- a/policy/modules/roles/unprivuser.te 2016-12-14 02:24:53.398000965 +0100 +++ b/policy/modules/roles/unprivuser.te 2016-12-13 22:44:50.493540449 +0100 @@ -57,11 +57,11 @@ ifndef(`distro_redhat',` ') optional_policy(` - pulseaudio_role(user_r, user_t) + telepathy_role_template(user, user_r, user_t) ') optional_policy(` - telepathy_role_template(user, user_r, user_t) + wm_role_template(user, user_r, user_t) ') ') @@ -122,6 +122,10 @@ ifndef(`distro_redhat',` ') optional_policy(` + pulseaudio_role(user_r, user_t) + ') + + optional_policy(` pyzor_role(user_r, user_t) ') ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH v4 1/5 base part] wm: update the window manager (wm) module and enable its role template (v7) 2016-12-16 15:59 ` [refpolicy] [PATCH v4 1/5 base part] wm: update the window manager (wm) module and enable its role template (v7) Guido Trentalancia @ 2016-12-17 14:05 ` Chris PeBenito 2016-12-17 16:56 ` Guido Trentalancia 0 siblings, 1 reply; 47+ messages in thread From: Chris PeBenito @ 2016-12-17 14:05 UTC (permalink / raw) To: refpolicy On 12/16/16 10:59, Guido Trentalancia via refpolicy wrote: > Enable the window manager role (wm contrib module) and update > the module to work with gnome-shell. > > This patch requires the following recently posted patch for the > games module: > > [PATCH v3 1/2] games: general update and improved pulseaudio integration > http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html > > This patch has received some testing with the following two > configurations: > - gnome-shell executing in normal mode (with display managers > other than gdm, such as xdm from XOrg); > - gnome-shell executing in gdm mode (with the Gnome Display > Manager). > > Patches 3/5, 4/5 and 5/5 are needed when gnome-shell is used > in conjunction with gdm. > > Since the window managers are not limited by gnome-shell, this latter > version of the patch (along with part 2/5) uses separate optional > conditionals for the gnome and wm role templates. > > The new wm_application_domain() interface introduced in the sixth > version of this patch is an idea of Jason Zaman. > > This patch also fixes a minor bug in the way the pulseaudio_role() > interface is optionally included by the role templates (pulseaudio > does not depend on dbus). > > This seventh version splits the 1/5 patch in two separate patches: > one for the base policy and one for the contrib policy. > > THIS IS THE BASE POLICY PART. I've merged this set. However, after I applied them, I realized there was an invalid interface added in xserver (nonexistant xdm_domain attribute) and a missing interface called in wm. I've removed them. > Signed-off-by: Guido Trentalancia <guido@trentalancia.net> > --- > policy/modules/roles/staff.te | 8 ++++++-- > policy/modules/roles/sysadm.te | 4 ++++ > policy/modules/roles/unprivuser.te | 8 ++++++-- > 3 files changed, 16 insertions(+), 4 deletions(-) > > diff -pru a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te > --- a/policy/modules/roles/staff.te 2016-12-14 02:24:53.397000941 +0100 > +++ b/policy/modules/roles/staff.te 2016-12-13 22:45:02.857851229 +0100 > @@ -88,11 +88,11 @@ ifndef(`distro_redhat',` > ') > > optional_policy(` > - pulseaudio_role(staff_r, staff_t) > + telepathy_role_template(staff, staff_r, staff_t) > ') > > optional_policy(` > - telepathy_role_template(staff, staff_r, staff_t) > + wm_role_template(staff, staff_r, staff_t) > ') > ') > > @@ -145,6 +145,10 @@ ifndef(`distro_redhat',` > ') > > optional_policy(` > + pulseaudio_role(staff_r, staff_t) > + ') > + > + optional_policy(` > pyzor_role(staff_r, staff_t) > ') > > diff -pru a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te > --- a/policy/modules/roles/sysadm.te 2016-12-14 02:24:53.397000941 +0100 > +++ b/policy/modules/roles/sysadm.te 2016-12-13 22:45:25.577422292 +0100 > @@ -1246,6 +1246,10 @@ ifndef(`distro_redhat',` > optional_policy(` > gnome_role_template(sysadm, sysadm_r, sysadm_t) > ') > + > + optional_policy(` > + wm_role_template(sysadm, sysadm_r, sysadm_t) > + ') > ') > > optional_policy(` > diff -pru a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te > --- a/policy/modules/roles/unprivuser.te 2016-12-14 02:24:53.398000965 +0100 > +++ b/policy/modules/roles/unprivuser.te 2016-12-13 22:44:50.493540449 +0100 > @@ -57,11 +57,11 @@ ifndef(`distro_redhat',` > ') > > optional_policy(` > - pulseaudio_role(user_r, user_t) > + telepathy_role_template(user, user_r, user_t) > ') > > optional_policy(` > - telepathy_role_template(user, user_r, user_t) > + wm_role_template(user, user_r, user_t) > ') > ') > > @@ -122,6 +122,10 @@ ifndef(`distro_redhat',` > ') > > optional_policy(` > + pulseaudio_role(user_r, user_t) > + ') > + > + optional_policy(` > pyzor_role(user_r, user_t) > ') -- Chris PeBenito ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH v4 1/5 base part] wm: update the window manager (wm) module and enable its role template (v7) 2016-12-17 14:05 ` Chris PeBenito @ 2016-12-17 16:56 ` Guido Trentalancia 2016-12-17 18:06 ` Chris PeBenito 0 siblings, 1 reply; 47+ messages in thread From: Guido Trentalancia @ 2016-12-17 16:56 UTC (permalink / raw) To: refpolicy Hello Christopher. On Sat, 17/12/2016 at 09.05 -0500, Chris PeBenito wrote: > On 12/16/16 10:59, Guido Trentalancia via refpolicy wrote: > > > > Enable the window manager role (wm contrib module) and update > > the module to work with gnome-shell. > > > > This patch requires the following recently posted patch for the > > games module: > > > > [PATCH v3 1/2] games: general update and improved pulseaudio > > integration > > http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html [...] > I've merged this set.??However, after I applied them, I realized > there? > was an invalid interface added in xserver (nonexistant xdm_domain? > attribute) and a missing interface called in wm.??I've removed them. I suppose the missing interface called in wm is games_dbus_chat(). Can you confirm ? Such interface has been introduced by the recent games patch (see above). The patch description mentions that it depends on the games patch, which for some reason has not been applied yet. What is the invalid interface added in xserver ?? Regards, Guido ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH v4 1/5 base part] wm: update the window manager (wm) module and enable its role template (v7) 2016-12-17 16:56 ` Guido Trentalancia @ 2016-12-17 18:06 ` Chris PeBenito 0 siblings, 0 replies; 47+ messages in thread From: Chris PeBenito @ 2016-12-17 18:06 UTC (permalink / raw) To: refpolicy On 12/17/16 11:56, Guido Trentalancia via refpolicy wrote: > Hello Christopher. > > On Sat, 17/12/2016 at 09.05 -0500, Chris PeBenito wrote: >> On 12/16/16 10:59, Guido Trentalancia via refpolicy wrote: >>> >>> Enable the window manager role (wm contrib module) and update >>> the module to work with gnome-shell. >>> >>> This patch requires the following recently posted patch for the >>> games module: >>> >>> [PATCH v3 1/2] games: general update and improved pulseaudio >>> integration >>> http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html > > [...] > >> I've merged this set. However, after I applied them, I realized >> there >> was an invalid interface added in xserver (nonexistant xdm_domain >> attribute) and a missing interface called in wm. I've removed them. > > I suppose the missing interface called in wm is games_dbus_chat(). Can > you confirm ? Yes. > Such interface has been introduced by the recent games patch (see > above). The patch description mentions that it depends on the games > patch, which for some reason has not been applied yet. You've made many patch sets with partial revisions. It is difficult to keep track of all the patches. You'll have to submit a new patch set. -- Chris PeBenito ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH v4 1/5 contrib part] wm: update the window manager (wm) module and enable its role template (v7) 2016-12-16 0:31 ` Chris PeBenito 2016-12-16 15:59 ` [refpolicy] [PATCH v4 1/5 base part] wm: update the window manager (wm) module and enable its role template (v7) Guido Trentalancia @ 2016-12-16 15:59 ` Guido Trentalancia 1 sibling, 0 replies; 47+ messages in thread From: Guido Trentalancia @ 2016-12-16 15:59 UTC (permalink / raw) To: refpolicy Enable the window manager role (wm contrib module) and update the module to work with gnome-shell. This patch requires the following recently posted patch for the games module: [PATCH v3 1/2] games: general update and improved pulseaudio integration http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html This patch has received some testing with the following two configurations: - gnome-shell executing in normal mode (with display managers other than gdm, such as xdm from XOrg); - gnome-shell executing in gdm mode (with the Gnome Display Manager). Patches 3/5, 4/5 and 5/5 are needed when gnome-shell is used in conjunction with gdm. Since the window managers are not limited by gnome-shell, this latter version of the patch (along with part 2/5) uses separate optional conditionals for the gnome and wm role templates. The new wm_application_domain() interface introduced in the sixth version of this patch is an idea of Jason Zaman. This patch also fixes a minor bug in the way the pulseaudio_role() interface is optionally included by the role templates (pulseaudio does not depend on dbus). This seventh version splits the 1/5 patch in two separate patches: one for the base policy and one for the contrib policy. THIS IS THE CONTRIB POLICY PART. Signed-off-by: Guido Trentalancia <guido@trentalancia.net> --- policy/modules/contrib/colord.te | 5 ++ policy/modules/contrib/dbus.te | 5 ++ policy/modules/contrib/evolution.te | 4 + policy/modules/contrib/games.te | 4 + policy/modules/contrib/java.te | 4 + policy/modules/contrib/mono.te | 4 + policy/modules/contrib/mozilla.te | 4 + policy/modules/contrib/mplayer.te | 4 + policy/modules/contrib/wm.if | 89 +++++++++++++++++++++++++++++++++++- policy/modules/contrib/wm.te | 62 ++++++++++++++++++++++++- 10 files changed, 183 insertions(+), 2 deletions(-) diff -pru a/policy/modules/contrib/colord.te b/policy/modules/contrib/colord.te --- a/policy/modules/contrib/colord.te 2016-08-14 21:28:11.468519205 +0200 +++ b/policy/modules/contrib/colord.te 2016-12-14 02:45:54.815580399 +0100 @@ -137,3 +137,8 @@ optional_policy(` udev_read_db(colord_t) udev_read_pid_files(colord_t) ') + +optional_policy(` + xserver_read_xdm_lib_files(colord_t) + xserver_use_xdm_fds(colord_t) +') diff -pru a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te --- a/policy/modules/contrib/dbus.te 2016-08-14 21:28:11.477519343 +0200 +++ b/policy/modules/contrib/dbus.te 2016-12-14 02:24:00.796768671 +0100 @@ -159,6 +159,11 @@ optional_policy(` udev_read_db(system_dbusd_t) ') +optional_policy(` + xserver_read_xdm_lib_files(system_dbusd_t) + xserver_use_xdm_fds(system_dbusd_t) +') + ######################################## # # Common session bus local policy diff -pru a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te --- a/policy/modules/contrib/evolution.te 2016-12-07 13:39:49.975910286 +0100 +++ b/policy/modules/contrib/evolution.te 2016-12-15 00:18:21.791452219 +0100 @@ -23,6 +23,10 @@ typealias evolution_t alias { auditadm_e userdom_user_application_domain(evolution_t, evolution_exec_t) role evolution_roles types evolution_t; +optional_policy(` + wm_application_domain(evolution_t, evolution_exec_t) +') + type evolution_alarm_t; type evolution_alarm_exec_t; typealias evolution_alarm_t alias { user_evolution_alarm_t staff_evolution_alarm_t sysadm_evolution_alarm_t }; diff -pru a/policy/modules/contrib/games.te b/policy/modules/contrib/games.te --- a/policy/modules/contrib/games.te 2016-12-12 01:59:37.872004679 +0100 +++ b/policy/modules/contrib/games.te 2016-12-15 00:19:55.191238925 +0100 @@ -14,6 +14,10 @@ typealias games_t alias { auditadm_games userdom_user_application_domain(games_t, games_exec_t) role games_roles types games_t; +optional_policy(` + wm_application_domain(games_t, games_exec_t) +') + type games_data_t; typealias games_data_t alias { user_games_data_t staff_games_data_t sysadm_games_data_t }; typealias games_data_t alias { auditadm_games_data_t secadm_games_data_t }; diff -pru a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te --- a/policy/modules/contrib/java.te 2016-08-14 21:28:11.504519758 +0200 +++ b/policy/modules/contrib/java.te 2016-12-15 00:23:12.650129586 +0100 @@ -27,6 +27,10 @@ typealias java_t alias { staff_javaplugi typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t }; role java_roles types java_t; +optional_policy(` + wm_application_domain(java_t, java_exec_t) +') + type java_home_t; userdom_user_home_content(java_home_t) diff -pru a/policy/modules/contrib/mono.te b/policy/modules/contrib/mono.te --- a/policy/modules/contrib/mono.te 2016-08-14 21:28:11.520520004 +0200 +++ b/policy/modules/contrib/mono.te 2016-12-15 00:24:01.783117146 +0100 @@ -16,6 +16,10 @@ role mono_roles types mono_t; application_type(mono_t) +optional_policy(` + wm_application_domain(mono_t, mono_exec_t) +') + ######################################## # # Common local policy diff -pru a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te --- a/policy/modules/contrib/mozilla.te 2016-12-14 16:31:11.432155580 +0100 +++ b/policy/modules/contrib/mozilla.te 2016-12-15 00:24:45.672785494 +0100 @@ -24,6 +24,10 @@ typealias mozilla_t alias { auditadm_moz userdom_user_application_domain(mozilla_t, mozilla_exec_t) role mozilla_roles types mozilla_t; +optional_policy(` + wm_application_domain(mozilla_t, mozilla_exec_t) +') + type mozilla_home_t; typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t }; typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t }; diff -pru a/policy/modules/contrib/mplayer.te b/policy/modules/contrib/mplayer.te --- a/policy/modules/contrib/mplayer.te 2016-10-29 16:29:19.667325422 +0200 +++ b/policy/modules/contrib/mplayer.te 2016-12-15 00:25:40.085738055 +0100 @@ -30,6 +30,10 @@ typealias mplayer_t alias { auditadm_mpl userdom_user_application_domain(mplayer_t, mplayer_exec_t) role mplayer_roles types mplayer_t; +optional_policy(` + wm_application_domain(mplayer_t, mplayer_exec_t) +') + type mplayer_etc_t; files_config_file(mplayer_etc_t) diff -pru a/policy/modules/contrib/wm.if b/policy/modules/contrib/wm.if --- a/policy/modules/contrib/wm.if 2016-12-14 02:24:53.377000472 +0100 +++ b/policy/modules/contrib/wm.if 2016-12-15 00:16:28.516076888 +0100 @@ -47,6 +47,8 @@ template(`wm_role_template',` # Policy # + allow $3 $1_wm_t:fd use; + allow $1_wm_t $3:unix_stream_socket connectto; allow $3 $1_wm_t:unix_stream_socket connectto; @@ -72,6 +74,7 @@ template(`wm_role_template',` xserver_manage_core_devices($1_wm_t) optional_policy(` + dbus_connect_spec_session_bus($1, $1_wm_t) dbus_spec_session_bus_client($1, $1_wm_t) dbus_system_bus_client($1_wm_t) @@ -81,7 +84,7 @@ template(`wm_role_template',` ') optional_policy(` - gnome_stream_connect_gkeyringd($1, $1_wm_t) + gnome_stream_connect_all_gkeyringd($1_wm_t) ') optional_policy(` @@ -134,3 +137,87 @@ interface(`wm_dbus_chat',` allow $2 $1_wm_t:dbus send_msg; allow $1_wm_t $2:dbus send_msg; ') + +######################################## +## <summary> +## Do not audit attempts to execute +## files in temporary directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`wm_dontaudit_exec_tmp_files',` + gen_require(` + type wm_tmp_t; + ') + + dontaudit $1 wm_tmp_t:file exec_file_perms; +') + +######################################## +## <summary> +## Do not audit attempts to execute +## files in temporary filesystems. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +# +interface(`wm_dontaudit_exec_tmpfs_files',` + gen_require(` + type wm_tmpfs_t; + ') + + dontaudit $1 wm_tmpfs_t:file exec_file_perms; +') + +######################################## +## <summary> +## Create a domain for applications +## that are launched by the window +## manager. +## </summary> +## <desc> +## <p> +## Create a domain for applications that are launched by the +## window manager (implying a domain transition). Typically +## these are graphical applications that are run interactively. +## </p> +## <p> +## The types will be made usable as a domain and file, making +## calls to domain_type() and files_type() redundant. +## </p> +## </desc> +## <param name="target_domain"> +## <summary> +## Type to be used in the domain transition as the application +## domain. +## </summary> +## </param> +## <param name="entry_point"> +## <summary> +## Type of the program to be used as an entry point to this domain. +## </summary> +## </param> +## <param name="source_domain"> +## <summary> +## Type to be used as the source window manager domain. +## </summary> +## </param> +## <infoflow type="none"/> +# +interface(`wm_application_domain',` + gen_require(` + attribute wm_domain; + ') + + application_type($1) + ubac_constrained($1) + application_executable_file($2) + domtrans_pattern(wm_domain, $2, $1) +') diff -pru a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te --- a/policy/modules/contrib/wm.te 2016-12-14 02:24:53.396000918 +0100 +++ b/policy/modules/contrib/wm.te 2016-12-15 00:26:06.044631194 +0100 @@ -10,6 +10,16 @@ attribute wm_domain; type wm_exec_t; corecmd_executable_file(wm_exec_t) +type wm_tmp_t; +userdom_user_tmp_file(wm_tmp_t) + +type wm_tmpfs_t; +userdom_user_tmpfs_file(wm_tmpfs_t) + +optional_policy(` + pulseaudio_tmpfs_content(wm_tmpfs_t) +') + ######################################## # # Common wm domain local policy @@ -21,31 +31,60 @@ allow wm_domain self:netlink_kobject_uev allow wm_domain self:shm create_shm_perms; allow wm_domain self:unix_dgram_socket create_socket_perms; +manage_dirs_pattern(wm_domain, wm_tmp_t, wm_tmp_t) +manage_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t) +manage_lnk_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t) +files_tmp_filetrans(wm_domain, wm_tmp_t, { dir file lnk_file }) + +manage_dirs_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) +manage_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) +manage_lnk_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) +fs_tmpfs_filetrans(wm_domain, wm_tmpfs_t, { dir file lnk_file }) + +can_exec(wm_domain, wm_exec_t) + kernel_read_system_state(wm_domain) corecmd_getattr_all_executables(wm_domain) +dev_read_rand(wm_domain) dev_read_sound(wm_domain) dev_read_sysfs(wm_domain) dev_read_urand(wm_domain) +dev_rw_dri(wm_domain) dev_rw_wireless(wm_domain) dev_write_sound(wm_domain) +files_read_etc_runtime_files(wm_domain) files_read_usr_files(wm_domain) fs_getattr_all_fs(wm_domain) +kernel_read_fs_sysctls(wm_domain) +kernel_read_proc_symlinks(wm_domain) +kernel_read_sysctl(wm_domain) + miscfiles_read_fonts(wm_domain) +miscfiles_read_generic_certs(wm_domain) miscfiles_read_localization(wm_domain) +udev_read_pid_files(wm_domain) + +# this is needed by gnome-shell +userdom_exec_user_home_content_files(wm_domain) + userdom_manage_user_tmp_sockets(wm_domain) userdom_tmp_filetrans_user_tmp(wm_domain, sock_file) userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file) userdom_manage_user_home_content_dirs(wm_domain) userdom_manage_user_home_content_files(wm_domain) + userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file }) +wm_dontaudit_exec_tmp_files(wm_domain) +wm_dontaudit_exec_tmpfs_files(wm_domain) + optional_policy(` accountsd_dbus_chat(wm_domain) ') @@ -55,10 +94,27 @@ optional_policy(` ') optional_policy(` + consolekit_dbus_chat(wm_domain) +') + +optional_policy(` devicekit_dbus_chat_power(wm_domain) ') optional_policy(` + evolution_dbus_chat(wm_domain) + evolution_alarm_dbus_chat(wm_domain) +') + +optional_policy(` + games_dbus_chat(wm_domain) +') + +optional_policy(` + mozilla_dbus_chat(wm_domain) +') + +optional_policy(` networkmanager_dbus_chat(wm_domain) ') @@ -67,9 +123,13 @@ optional_policy(` ') optional_policy(` - pulseaudio_stream_connect(wm_domain) + telepathy_mission_control_dbus_chat(wm_domain) ') optional_policy(` userhelper_exec_consolehelper(wm_domain) ') + +optional_policy(` + xserver_dbus_chat_xdm(wm_domain) +') ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH v2 1/5] wm: update the window manager (wm) module and enable its role template (v5) [not found] ` <CAPuKSJbhx+9kkU_KK5qX8s6ALknojqTeqmtjrkJR0fkVBn=wWg@mail.gmail.com> 2016-12-14 13:23 ` Guido Trentalancia @ 2016-12-14 14:37 ` Guido Trentalancia 2016-12-14 15:33 ` Guido Trentalancia 1 sibling, 1 reply; 47+ messages in thread From: Guido Trentalancia @ 2016-12-14 14:37 UTC (permalink / raw) To: refpolicy On Wed, 14/12/2016 at 21.01 +0800, Jason Zaman wrote: > > > On 14 Dec 2016 09:54, "Guido Trentalancia via refpolicy" <refpolicy@o > ss.tresys.com> wrote: > Enable the window manager role (wm contrib module) and update > the module to work with gnome-shell. > > This patch requires the following recently posted patch for the > games module: > > [PATCH v3 1/2] games: general update and improved pulseaudio > integration > http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html > > This patch has received some testing with the following two > configurations: > - gnome-shell executing in normal mode (with display managers > other than gdm, such as xdm from XOrg); > - gnome-shell executing in gdm mode (with the Gnome Display > Manager). > > Patches 3/5, 4/5 and 5/5 are needed when gnome-shell is used > in conjunction with gdm. > > Since the window managers are not limited by gnome-shell, this latter > version of the patch (along with part 2/5) uses separate optional > conditionals for the gnome and wm role templates. > > Signed-off-by: Guido Trentalancia <guido@trentalancia.net> > --- > ?policy/modules/contrib/colord.te? ?|? ? 5 ++ > ?policy/modules/contrib/dbus.te? ? ?|? ? 5 ++ > ?policy/modules/contrib/wm.if? ? ? ?|? ?43 +++++++++++++++++- > ?policy/modules/contrib/wm.te? ? ? ?|? ?88 > ++++++++++++++++++++++++++++++++++++- > ?policy/modules/roles/staff.te? ? ? |? ? 8 ++- > ?policy/modules/roles/sysadm.te? ? ?|? ? 4 + > ?policy/modules/roles/unprivuser.te |? ? 8 ++- > ?7 files changed, 155 insertions(+), 6 deletions(-) [...] > @@ -55,10 +96,51 @@ optional_policy(` > ?') > > ?optional_policy(` > +? ? ? ?consolekit_dbus_chat(wm_domain) > +') > + > +optional_policy(` > ? ? ? ? devicekit_dbus_chat_power(wm_domain) > ?') > > ?optional_policy(` > +? ? ? ?evolution_domtrans(wm_domain) > + > +? ? ? ?optional_policy(` > +? ? ? ? ? ? ? ?evolution_dbus_chat(wm_domain) > +? ? ? ? ? ? ? ?evolution_alarm_dbus_chat(wm_domain) > +? ? ? ?') > +') > + > +optional_policy(` > +? ? ? ?games_domtrans(wm_domain) > + > +? ? ? ?optional_policy(` > +? ? ? ? ? ? ? ?games_dbus_chat(wm_domain) > +? ? ? ?') > +') > + > +optional_policy(` > +? ? ? ?java_domtrans(wm_domain) > +') > + > +optional_policy(` > +? ? ? ?mono_domtrans(wm_domain) > +') > + > +optional_policy(` > +? ? ? ?mozilla_domtrans(wm_domain) > + > +? ? ? ?optional_policy(` > +? ? ? ? ? ? ? ?mozilla_dbus_chat(wm_domain) > +? ? ? ?') > +') > + > +optional_policy(` > +? ? ? ?mplayer_domtrans(wm_domain) > +') > + > +optional_policy(` > ? ? ? ? networkmanager_dbus_chat(wm_domain) > ?') > > Whoa are we going to have to add every single application to > wm_domain to be able to run it? That will get annoying super fast. > Isn't there an application_domain attribute we can use? If there > isn't we might want to reverse this so X application types instead > declare that wm can run them (something like the application_type > interface) I am now trying to get back to you on this, provided that I understood the meaning of what you proposed... I suppose you are suggesting to use an interface such as wm_application() in the module of each application that needs to be run by the window manager and avoid calling applicationname_domtrans() from the wm module. Even if that was possible, there would be a loss of visibility in the wm module about what applications it can actually run. The latter is undesirable in my opinion and defeats the purpose of having a separate wm module to control what the window manager can and cannot do, because at that point it would be each application module which decides if the application can run or not in the window manager. Guido ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH v2 1/5] wm: update the window manager (wm) module and enable its role template (v5) 2016-12-14 14:37 ` [refpolicy] [PATCH v2 1/5] wm: update the window manager (wm) module and enable its role template (v5) Guido Trentalancia @ 2016-12-14 15:33 ` Guido Trentalancia 2016-12-14 21:23 ` Chris PeBenito 0 siblings, 1 reply; 47+ messages in thread From: Guido Trentalancia @ 2016-12-14 15:33 UTC (permalink / raw) To: refpolicy Hello again. I am back with a possible solution to the problem that you described... On Wed, 14/12/2016 at 15.37 +0100, Guido Trentalancia via refpolicy wrote: > On Wed, 14/12/2016 at 21.01 +0800, Jason Zaman wrote: > > > > > > > > On 14 Dec 2016 09:54, "Guido Trentalancia via refpolicy" <refpolicy > > @o > > ss.tresys.com> wrote: > > Enable the window manager role (wm contrib module) and update > > the module to work with gnome-shell. > > > > This patch requires the following recently posted patch for the > > games module: > > > > [PATCH v3 1/2] games: general update and improved pulseaudio > > integration > > http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html > > > > This patch has received some testing with the following two > > configurations: > > - gnome-shell executing in normal mode (with display managers > > other than gdm, such as xdm from XOrg); > > - gnome-shell executing in gdm mode (with the Gnome Display > > Manager). > > > > Patches 3/5, 4/5 and 5/5 are needed when gnome-shell is used > > in conjunction with gdm. > > > > Since the window managers are not limited by gnome-shell, this > > latter > > version of the patch (along with part 2/5) uses separate optional > > conditionals for the gnome and wm role templates. > > > > Signed-off-by: Guido Trentalancia <guido@trentalancia.net> > > --- > > ?policy/modules/contrib/colord.te? ?|? ? 5 ++ > > ?policy/modules/contrib/dbus.te? ? ?|? ? 5 ++ > > ?policy/modules/contrib/wm.if? ? ? ?|? ?43 +++++++++++++++++- > > ?policy/modules/contrib/wm.te? ? ? ?|? ?88 > > ++++++++++++++++++++++++++++++++++++- > > ?policy/modules/roles/staff.te? ? ? |? ? 8 ++- > > ?policy/modules/roles/sysadm.te? ? ?|? ? 4 + > > ?policy/modules/roles/unprivuser.te |? ? 8 ++- > > ?7 files changed, 155 insertions(+), 6 deletions(-) > > [...] > > > > > @@ -55,10 +96,51 @@ optional_policy(` > > ?') > > > > ?optional_policy(` > > +? ? ? ?consolekit_dbus_chat(wm_domain) > > +') > > + > > +optional_policy(` > > ? ? ? ? devicekit_dbus_chat_power(wm_domain) > > ?') > > > > ?optional_policy(` > > +? ? ? ?evolution_domtrans(wm_domain) > > + > > +? ? ? ?optional_policy(` > > +? ? ? ? ? ? ? ?evolution_dbus_chat(wm_domain) > > +? ? ? ? ? ? ? ?evolution_alarm_dbus_chat(wm_domain) > > +? ? ? ?') > > +') > > + > > +optional_policy(` > > +? ? ? ?games_domtrans(wm_domain) > > + > > +? ? ? ?optional_policy(` > > +? ? ? ? ? ? ? ?games_dbus_chat(wm_domain) > > +? ? ? ?') > > +') > > + > > +optional_policy(` > > +? ? ? ?java_domtrans(wm_domain) > > +') > > + > > +optional_policy(` > > +? ? ? ?mono_domtrans(wm_domain) > > +') > > + > > +optional_policy(` > > +? ? ? ?mozilla_domtrans(wm_domain) > > + > > +? ? ? ?optional_policy(` > > +? ? ? ? ? ? ? ?mozilla_dbus_chat(wm_domain) > > +? ? ? ?') > > +') > > + > > +optional_policy(` > > +? ? ? ?mplayer_domtrans(wm_domain) > > +') > > + > > +optional_policy(` > > ? ? ? ? networkmanager_dbus_chat(wm_domain) > > ?') > > > > Whoa are we going to have to add every single application to > > wm_domain to be able to run it? That will get annoying super fast. > > Isn't there an application_domain attribute we can use? If there > > isn't we might want to reverse this so X application types instead > > declare that wm can run them (something like the application_type > > interface) > > I am now trying to get back to you on this, provided that I > understood > the meaning of what you proposed... > > I suppose you are suggesting to use an interface such as > wm_application() in the module of each application that needs to be > run > by the window manager and avoid calling applicationname_domtrans() > from > the wm module. > > Even if that was possible, there would be a loss of visibility in the > wm module about what applications it can actually run. > > The latter is undesirable in my opinion and defeats the purpose of > having a separate wm module to control what the window manager can > and > cannot do, because at that point it would be each application module > which decides if the application can run or not in the window > manager. It is possible to achieve what you are seeking. You just need to use the following interface (in policy/modules/contrib/wm.if): [cut] ######################################## ## <summary> ## Create a domain for applications ## that are launched by the window ## manager. ## </summary> ## <desc> ## <p> ## Create a domain for applications that are launched by the ## window manager (implying a domain transition).??Typically ## these are graphical applications that are run interactively. ## </p> ## <p> ## The types will be made usable as a domain and file, making ## calls to domain_type() and files_type() redundant. ## </p> ## </desc> ## <param name="target_domain"> ## <summary> ## Type to be used in the domain transition as the application ## domain. ## </summary> ## </param> ## <param name="entry_point"> ## <summary> ## Type of the program to be used as an entry point to this domain. ## </summary> ## </param> ## <param name="source_domain"> ## <summary> ## Type to be used as the source window manager domain. ## </summary> ## </param> ## <infoflow type="none"/> # interface(`wm_application_domain',` gen_require(` attribute wm_domain; ') application_type($1) ubac_constrained($1) application_executable_file($2) domtrans_pattern(wm_domain, $2, $1) ') [cut] and then, for each application that you want to enable from the window manager, you need to call the interface wm_application_domain() from the application module similarly to the way the userdom_user_application_domain() interface is currently called. For example, for mozilla: [cut] --- refpolicy-git-orig/policy/modules/contrib/mozilla.te 2016-12-09 22:29:53.579462880 +0100 +++ refpolicy-git/policy/modules/contrib/mozilla.te 2016-12-14 16:28:46.055294184 +0100 @@ -22,6 +39,7 @@ type mozilla_exec_t; ?typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t }; ?typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t }; ?userdom_user_application_domain(mozilla_t, mozilla_exec_t) +wm_application_domain(mozilla_t, mozilla_exec_t) ?role mozilla_roles types mozilla_t; ? ?type mozilla_home_t; [cut] I hope this helps. If the majority of people prefer that the policy changes in this direction, despite the side-effects that I have highlighted earlier on, I can amend the initial patch. Regards, Guido ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH v2 1/5] wm: update the window manager (wm) module and enable its role template (v5) 2016-12-14 15:33 ` Guido Trentalancia @ 2016-12-14 21:23 ` Chris PeBenito 2016-12-14 21:34 ` Dominick Grift 0 siblings, 1 reply; 47+ messages in thread From: Chris PeBenito @ 2016-12-14 21:23 UTC (permalink / raw) To: refpolicy On 12/14/16 10:33, Guido Trentalancia via refpolicy wrote: > Hello again. > > I am back with a possible solution to the problem that you described... > > On Wed, 14/12/2016 at 15.37 +0100, Guido Trentalancia via refpolicy > wrote: >> On Wed, 14/12/2016 at 21.01 +0800, Jason Zaman wrote: >>> >>> >>> >>> On 14 Dec 2016 09:54, "Guido Trentalancia via refpolicy" <refpolicy >>> @o >>> ss.tresys.com> wrote: >>> Enable the window manager role (wm contrib module) and update >>> the module to work with gnome-shell. >>> >>> This patch requires the following recently posted patch for the >>> games module: >>> >>> [PATCH v3 1/2] games: general update and improved pulseaudio >>> integration >>> http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html >>> >>> This patch has received some testing with the following two >>> configurations: >>> - gnome-shell executing in normal mode (with display managers >>> other than gdm, such as xdm from XOrg); >>> - gnome-shell executing in gdm mode (with the Gnome Display >>> Manager). >>> >>> Patches 3/5, 4/5 and 5/5 are needed when gnome-shell is used >>> in conjunction with gdm. >>> >>> Since the window managers are not limited by gnome-shell, this >>> latter >>> version of the patch (along with part 2/5) uses separate optional >>> conditionals for the gnome and wm role templates. >>> >>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net> >>> --- >>> policy/modules/contrib/colord.te | 5 ++ >>> policy/modules/contrib/dbus.te | 5 ++ >>> policy/modules/contrib/wm.if | 43 +++++++++++++++++- >>> policy/modules/contrib/wm.te | 88 >>> ++++++++++++++++++++++++++++++++++++- >>> policy/modules/roles/staff.te | 8 ++- >>> policy/modules/roles/sysadm.te | 4 + >>> policy/modules/roles/unprivuser.te | 8 ++- >>> 7 files changed, 155 insertions(+), 6 deletions(-) >> >> [...] >> >>> >>> @@ -55,10 +96,51 @@ optional_policy(` >>> ') >>> >>> optional_policy(` >>> + consolekit_dbus_chat(wm_domain) >>> +') >>> + >>> +optional_policy(` >>> devicekit_dbus_chat_power(wm_domain) >>> ') >>> >>> optional_policy(` >>> + evolution_domtrans(wm_domain) >>> + >>> + optional_policy(` >>> + evolution_dbus_chat(wm_domain) >>> + evolution_alarm_dbus_chat(wm_domain) >>> + ') >>> +') >>> + >>> +optional_policy(` >>> + games_domtrans(wm_domain) >>> + >>> + optional_policy(` >>> + games_dbus_chat(wm_domain) >>> + ') >>> +') >>> + >>> +optional_policy(` >>> + java_domtrans(wm_domain) >>> +') >>> + >>> +optional_policy(` >>> + mono_domtrans(wm_domain) >>> +') >>> + >>> +optional_policy(` >>> + mozilla_domtrans(wm_domain) >>> + >>> + optional_policy(` >>> + mozilla_dbus_chat(wm_domain) >>> + ') >>> +') >>> + >>> +optional_policy(` >>> + mplayer_domtrans(wm_domain) >>> +') >>> + >>> +optional_policy(` >>> networkmanager_dbus_chat(wm_domain) >>> ') >>> >>> Whoa are we going to have to add every single application to >>> wm_domain to be able to run it? That will get annoying super fast. >>> Isn't there an application_domain attribute we can use? If there >>> isn't we might want to reverse this so X application types instead >>> declare that wm can run them (something like the application_type >>> interface) >> >> I am now trying to get back to you on this, provided that I >> understood >> the meaning of what you proposed... >> >> I suppose you are suggesting to use an interface such as >> wm_application() in the module of each application that needs to be >> run >> by the window manager and avoid calling applicationname_domtrans() >> from >> the wm module. >> >> Even if that was possible, there would be a loss of visibility in the >> wm module about what applications it can actually run. >> >> The latter is undesirable in my opinion and defeats the purpose of >> having a separate wm module to control what the window manager can >> and >> cannot do, because at that point it would be each application module >> which decides if the application can run or not in the window >> manager. > > It is possible to achieve what you are seeking. You just need to use > the following interface (in policy/modules/contrib/wm.if): > > [cut] > > ######################################## > ## <summary> > ## Create a domain for applications > ## that are launched by the window > ## manager. > ## </summary> > ## <desc> > ## <p> > ## Create a domain for applications that are launched by the > ## window manager (implying a domain transition). Typically > ## these are graphical applications that are run interactively. > ## </p> > ## <p> > ## The types will be made usable as a domain and file, making > ## calls to domain_type() and files_type() redundant. > ## </p> > ## </desc> > ## <param name="target_domain"> > ## <summary> > ## Type to be used in the domain transition as the application > ## domain. > ## </summary> > ## </param> > ## <param name="entry_point"> > ## <summary> > ## Type of the program to be used as an entry point to this domain. > ## </summary> > ## </param> > ## <param name="source_domain"> > ## <summary> > ## Type to be used as the source window manager domain. > ## </summary> > ## </param> > ## <infoflow type="none"/> > # > interface(`wm_application_domain',` > gen_require(` > attribute wm_domain; > ') > > application_type($1) > ubac_constrained($1) > application_executable_file($2) > domtrans_pattern(wm_domain, $2, $1) > ') > > [cut] > > and then, for each application that you want to enable from the window > manager, you need to call the interface wm_application_domain() from > the application module similarly to the way the > userdom_user_application_domain() interface is currently called. > > For example, for mozilla: > > [cut] > > --- refpolicy-git-orig/policy/modules/contrib/mozilla.te 2016-12-09 22:29:53.579462880 +0100 > +++ refpolicy-git/policy/modules/contrib/mozilla.te 2016-12-14 16:28:46.055294184 +0100 > @@ -22,6 +39,7 @@ type mozilla_exec_t; > typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t }; > typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t }; > userdom_user_application_domain(mozilla_t, mozilla_exec_t) > +wm_application_domain(mozilla_t, mozilla_exec_t) I'd tend to prefer it this way, as long as you make this call optional. > role mozilla_roles types mozilla_t; > > type mozilla_home_t; > > [cut] > > I hope this helps. > > If the majority of people prefer that the policy changes in this > direction, despite the side-effects that I have highlighted earlier on, > I can amend the initial patch. -- Chris PeBenito ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH v2 1/5] wm: update the window manager (wm) module and enable its role template (v5) 2016-12-14 21:23 ` Chris PeBenito @ 2016-12-14 21:34 ` Dominick Grift 2016-12-14 21:45 ` Dominick Grift 0 siblings, 1 reply; 47+ messages in thread From: Dominick Grift @ 2016-12-14 21:34 UTC (permalink / raw) To: refpolicy On 12/14/2016 10:23 PM, Chris PeBenito via refpolicy wrote: > On 12/14/16 10:33, Guido Trentalancia via refpolicy wrote: >> Hello again. >> >> I am back with a possible solution to the problem that you described... >> >> On Wed, 14/12/2016 at 15.37 +0100, Guido Trentalancia via refpolicy >> wrote: >>> On Wed, 14/12/2016 at 21.01 +0800, Jason Zaman wrote: >>>> >>>> >>>> >>>> On 14 Dec 2016 09:54, "Guido Trentalancia via refpolicy" <refpolicy >>>> @o >>>> ss.tresys.com> wrote: >>>> Enable the window manager role (wm contrib module) and update >>>> the module to work with gnome-shell. >>>> >>>> This patch requires the following recently posted patch for the >>>> games module: >>>> >>>> [PATCH v3 1/2] games: general update and improved pulseaudio >>>> integration >>>> http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html >>>> >>>> This patch has received some testing with the following two >>>> configurations: >>>> - gnome-shell executing in normal mode (with display managers >>>> other than gdm, such as xdm from XOrg); >>>> - gnome-shell executing in gdm mode (with the Gnome Display >>>> Manager). >>>> >>>> Patches 3/5, 4/5 and 5/5 are needed when gnome-shell is used >>>> in conjunction with gdm. >>>> >>>> Since the window managers are not limited by gnome-shell, this >>>> latter >>>> version of the patch (along with part 2/5) uses separate optional >>>> conditionals for the gnome and wm role templates. >>>> >>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net> >>>> --- >>>> policy/modules/contrib/colord.te | 5 ++ >>>> policy/modules/contrib/dbus.te | 5 ++ >>>> policy/modules/contrib/wm.if | 43 +++++++++++++++++- >>>> policy/modules/contrib/wm.te | 88 >>>> ++++++++++++++++++++++++++++++++++++- >>>> policy/modules/roles/staff.te | 8 ++- >>>> policy/modules/roles/sysadm.te | 4 + >>>> policy/modules/roles/unprivuser.te | 8 ++- >>>> 7 files changed, 155 insertions(+), 6 deletions(-) >>> >>> [...] >>> >>>> >>>> @@ -55,10 +96,51 @@ optional_policy(` >>>> ') >>>> >>>> optional_policy(` >>>> + consolekit_dbus_chat(wm_domain) >>>> +') >>>> + >>>> +optional_policy(` >>>> devicekit_dbus_chat_power(wm_domain) >>>> ') >>>> >>>> optional_policy(` >>>> + evolution_domtrans(wm_domain) >>>> + >>>> + optional_policy(` >>>> + evolution_dbus_chat(wm_domain) >>>> + evolution_alarm_dbus_chat(wm_domain) >>>> + ') >>>> +') >>>> + >>>> +optional_policy(` >>>> + games_domtrans(wm_domain) >>>> + >>>> + optional_policy(` >>>> + games_dbus_chat(wm_domain) >>>> + ') >>>> +') >>>> + >>>> +optional_policy(` >>>> + java_domtrans(wm_domain) >>>> +') >>>> + >>>> +optional_policy(` >>>> + mono_domtrans(wm_domain) >>>> +') >>>> + >>>> +optional_policy(` >>>> + mozilla_domtrans(wm_domain) >>>> + >>>> + optional_policy(` >>>> + mozilla_dbus_chat(wm_domain) >>>> + ') >>>> +') >>>> + >>>> +optional_policy(` >>>> + mplayer_domtrans(wm_domain) >>>> +') >>>> + >>>> +optional_policy(` >>>> networkmanager_dbus_chat(wm_domain) >>>> ') >>>> >>>> Whoa are we going to have to add every single application to >>>> wm_domain to be able to run it? That will get annoying super fast. >>>> Isn't there an application_domain attribute we can use? If there >>>> isn't we might want to reverse this so X application types instead >>>> declare that wm can run them (something like the application_type >>>> interface) >>> >>> I am now trying to get back to you on this, provided that I >>> understood >>> the meaning of what you proposed... >>> >>> I suppose you are suggesting to use an interface such as >>> wm_application() in the module of each application that needs to be >>> run >>> by the window manager and avoid calling applicationname_domtrans() >>> from >>> the wm module. >>> >>> Even if that was possible, there would be a loss of visibility in the >>> wm module about what applications it can actually run. >>> >>> The latter is undesirable in my opinion and defeats the purpose of >>> having a separate wm module to control what the window manager can >>> and >>> cannot do, because at that point it would be each application module >>> which decides if the application can run or not in the window >>> manager. >> >> It is possible to achieve what you are seeking. You just need to use >> the following interface (in policy/modules/contrib/wm.if): >> >> [cut] >> >> ######################################## >> ## <summary> >> ## Create a domain for applications >> ## that are launched by the window >> ## manager. >> ## </summary> >> ## <desc> >> ## <p> >> ## Create a domain for applications that are launched by the >> ## window manager (implying a domain transition). Typically >> ## these are graphical applications that are run interactively. >> ## </p> >> ## <p> >> ## The types will be made usable as a domain and file, making >> ## calls to domain_type() and files_type() redundant. >> ## </p> >> ## </desc> >> ## <param name="target_domain"> >> ## <summary> >> ## Type to be used in the domain transition as the application >> ## domain. >> ## </summary> >> ## </param> >> ## <param name="entry_point"> >> ## <summary> >> ## Type of the program to be used as an entry point to this domain. >> ## </summary> >> ## </param> >> ## <param name="source_domain"> >> ## <summary> >> ## Type to be used as the source window manager domain. >> ## </summary> >> ## </param> >> ## <infoflow type="none"/> >> # >> interface(`wm_application_domain',` >> gen_require(` >> attribute wm_domain; >> ') >> >> application_type($1) >> ubac_constrained($1) >> application_executable_file($2) >> domtrans_pattern(wm_domain, $2, $1) >> ') >> >> [cut] >> >> and then, for each application that you want to enable from the window >> manager, you need to call the interface wm_application_domain() from >> the application module similarly to the way the >> userdom_user_application_domain() interface is currently called. >> >> For example, for mozilla: >> >> [cut] >> >> --- refpolicy-git-orig/policy/modules/contrib/mozilla.te 2016-12-09 22:29:53.579462880 +0100 >> +++ refpolicy-git/policy/modules/contrib/mozilla.te 2016-12-14 16:28:46.055294184 +0100 >> @@ -22,6 +39,7 @@ type mozilla_exec_t; >> typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t }; >> typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t }; >> userdom_user_application_domain(mozilla_t, mozilla_exec_t) >> +wm_application_domain(mozilla_t, mozilla_exec_t) > > I'd tend to prefer it this way, as long as you make this call optional. In the bigger picture this solution is a bit unwieldy in my view. There are various components that need to be able to run programs on behalf of the user. In this case it is gnome shell, but for example systemd --user needs the same, and there are various other instances. The solution i have in dssp is not perfect either. But for domain transitions that apply to more than the just shell i use a type attribute. example: mozilla_run(staff_type_attribute, role_attribute) Then i associate the type attribute also with the programs that need to be able to run the programs on behalf of the user. staff_type(staff_wm_t) staff_type(staff_systemd_t) It is not perfect either but atleast it provides a single point of failure. domain transitions apply automatically to all domains that need to be able to run programs on behalf of the user > > >> role mozilla_roles types mozilla_t; >> >> type mozilla_home_t; >> >> [cut] >> >> I hope this helps. >> >> If the majority of people prefer that the policy changes in this >> direction, despite the side-effects that I have highlighted earlier on, >> I can amend the initial patch. > > > > -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 648 bytes Desc: OpenPGP digital signature Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20161214/55f7efd5/attachment.bin ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH v2 1/5] wm: update the window manager (wm) module and enable its role template (v5) 2016-12-14 21:34 ` Dominick Grift @ 2016-12-14 21:45 ` Dominick Grift 2016-12-14 21:52 ` Dominick Grift 0 siblings, 1 reply; 47+ messages in thread From: Dominick Grift @ 2016-12-14 21:45 UTC (permalink / raw) To: refpolicy On 12/14/2016 10:34 PM, Dominick Grift wrote: > On 12/14/2016 10:23 PM, Chris PeBenito via refpolicy wrote: >> On 12/14/16 10:33, Guido Trentalancia via refpolicy wrote: >>> Hello again. >>> >>> I am back with a possible solution to the problem that you described... >>> >>> On Wed, 14/12/2016 at 15.37 +0100, Guido Trentalancia via refpolicy >>> wrote: >>>> On Wed, 14/12/2016 at 21.01 +0800, Jason Zaman wrote: >>>>> >>>>> >>>>> >>>>> On 14 Dec 2016 09:54, "Guido Trentalancia via refpolicy" <refpolicy >>>>> @o >>>>> ss.tresys.com> wrote: >>>>> Enable the window manager role (wm contrib module) and update >>>>> the module to work with gnome-shell. >>>>> >>>>> This patch requires the following recently posted patch for the >>>>> games module: >>>>> >>>>> [PATCH v3 1/2] games: general update and improved pulseaudio >>>>> integration >>>>> http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html >>>>> >>>>> This patch has received some testing with the following two >>>>> configurations: >>>>> - gnome-shell executing in normal mode (with display managers >>>>> other than gdm, such as xdm from XOrg); >>>>> - gnome-shell executing in gdm mode (with the Gnome Display >>>>> Manager). >>>>> >>>>> Patches 3/5, 4/5 and 5/5 are needed when gnome-shell is used >>>>> in conjunction with gdm. >>>>> >>>>> Since the window managers are not limited by gnome-shell, this >>>>> latter >>>>> version of the patch (along with part 2/5) uses separate optional >>>>> conditionals for the gnome and wm role templates. >>>>> >>>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net> >>>>> --- >>>>> policy/modules/contrib/colord.te | 5 ++ >>>>> policy/modules/contrib/dbus.te | 5 ++ >>>>> policy/modules/contrib/wm.if | 43 +++++++++++++++++- >>>>> policy/modules/contrib/wm.te | 88 >>>>> ++++++++++++++++++++++++++++++++++++- >>>>> policy/modules/roles/staff.te | 8 ++- >>>>> policy/modules/roles/sysadm.te | 4 + >>>>> policy/modules/roles/unprivuser.te | 8 ++- >>>>> 7 files changed, 155 insertions(+), 6 deletions(-) >>>> >>>> [...] >>>> >>>>> >>>>> @@ -55,10 +96,51 @@ optional_policy(` >>>>> ') >>>>> >>>>> optional_policy(` >>>>> + consolekit_dbus_chat(wm_domain) >>>>> +') >>>>> + >>>>> +optional_policy(` >>>>> devicekit_dbus_chat_power(wm_domain) >>>>> ') >>>>> >>>>> optional_policy(` >>>>> + evolution_domtrans(wm_domain) >>>>> + >>>>> + optional_policy(` >>>>> + evolution_dbus_chat(wm_domain) >>>>> + evolution_alarm_dbus_chat(wm_domain) >>>>> + ') >>>>> +') >>>>> + >>>>> +optional_policy(` >>>>> + games_domtrans(wm_domain) >>>>> + >>>>> + optional_policy(` >>>>> + games_dbus_chat(wm_domain) >>>>> + ') >>>>> +') >>>>> + >>>>> +optional_policy(` >>>>> + java_domtrans(wm_domain) >>>>> +') >>>>> + >>>>> +optional_policy(` >>>>> + mono_domtrans(wm_domain) >>>>> +') >>>>> + >>>>> +optional_policy(` >>>>> + mozilla_domtrans(wm_domain) >>>>> + >>>>> + optional_policy(` >>>>> + mozilla_dbus_chat(wm_domain) >>>>> + ') >>>>> +') >>>>> + >>>>> +optional_policy(` >>>>> + mplayer_domtrans(wm_domain) >>>>> +') >>>>> + >>>>> +optional_policy(` >>>>> networkmanager_dbus_chat(wm_domain) >>>>> ') >>>>> >>>>> Whoa are we going to have to add every single application to >>>>> wm_domain to be able to run it? That will get annoying super fast. >>>>> Isn't there an application_domain attribute we can use? If there >>>>> isn't we might want to reverse this so X application types instead >>>>> declare that wm can run them (something like the application_type >>>>> interface) >>>> >>>> I am now trying to get back to you on this, provided that I >>>> understood >>>> the meaning of what you proposed... >>>> >>>> I suppose you are suggesting to use an interface such as >>>> wm_application() in the module of each application that needs to be >>>> run >>>> by the window manager and avoid calling applicationname_domtrans() >>>> from >>>> the wm module. >>>> >>>> Even if that was possible, there would be a loss of visibility in the >>>> wm module about what applications it can actually run. >>>> >>>> The latter is undesirable in my opinion and defeats the purpose of >>>> having a separate wm module to control what the window manager can >>>> and >>>> cannot do, because at that point it would be each application module >>>> which decides if the application can run or not in the window >>>> manager. >>> >>> It is possible to achieve what you are seeking. You just need to use >>> the following interface (in policy/modules/contrib/wm.if): >>> >>> [cut] >>> >>> ######################################## >>> ## <summary> >>> ## Create a domain for applications >>> ## that are launched by the window >>> ## manager. >>> ## </summary> >>> ## <desc> >>> ## <p> >>> ## Create a domain for applications that are launched by the >>> ## window manager (implying a domain transition). Typically >>> ## these are graphical applications that are run interactively. >>> ## </p> >>> ## <p> >>> ## The types will be made usable as a domain and file, making >>> ## calls to domain_type() and files_type() redundant. >>> ## </p> >>> ## </desc> >>> ## <param name="target_domain"> >>> ## <summary> >>> ## Type to be used in the domain transition as the application >>> ## domain. >>> ## </summary> >>> ## </param> >>> ## <param name="entry_point"> >>> ## <summary> >>> ## Type of the program to be used as an entry point to this domain. >>> ## </summary> >>> ## </param> >>> ## <param name="source_domain"> >>> ## <summary> >>> ## Type to be used as the source window manager domain. >>> ## </summary> >>> ## </param> >>> ## <infoflow type="none"/> >>> # >>> interface(`wm_application_domain',` >>> gen_require(` >>> attribute wm_domain; >>> ') >>> >>> application_type($1) >>> ubac_constrained($1) >>> application_executable_file($2) >>> domtrans_pattern(wm_domain, $2, $1) >>> ') >>> >>> [cut] >>> >>> and then, for each application that you want to enable from the window >>> manager, you need to call the interface wm_application_domain() from >>> the application module similarly to the way the >>> userdom_user_application_domain() interface is currently called. >>> >>> For example, for mozilla: >>> >>> [cut] >>> >>> --- refpolicy-git-orig/policy/modules/contrib/mozilla.te 2016-12-09 22:29:53.579462880 +0100 >>> +++ refpolicy-git/policy/modules/contrib/mozilla.te 2016-12-14 16:28:46.055294184 +0100 >>> @@ -22,6 +39,7 @@ type mozilla_exec_t; >>> typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t }; >>> typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t }; >>> userdom_user_application_domain(mozilla_t, mozilla_exec_t) >>> +wm_application_domain(mozilla_t, mozilla_exec_t) >> >> I'd tend to prefer it this way, as long as you make this call optional. > > In the bigger picture this solution is a bit unwieldy in my view. There > are various components that need to be able to run programs on behalf of > the user. In this case it is gnome shell, but for example systemd --user > needs the same, and there are various other instances. > > The solution i have in dssp is not perfect either. But for domain > transitions that apply to more than the just shell i > use a type attribute. > > example: mozilla_run(staff_type_attribute, role_attribute) > > Then i associate the type attribute also with the programs that need to > be able to run the programs on behalf of the user. > > staff_type(staff_wm_t) > staff_type(staff_systemd_t) > > It is not perfect either but atleast it provides a single point of > failure. domain transitions apply automatically to all domains that need > to be able to run programs on behalf of the user > Some other examples: "torsocks firefox", "systemd-inhibit firefox". So lets say to have 10 user apps. Then you would have to update (atleast) these four domains to allow them to run them with the same domtrans as well. It gets ugly rather quick and hard to maintain > >> >> >>> role mozilla_roles types mozilla_t; >>> >>> type mozilla_home_t; >>> >>> [cut] >>> >>> I hope this helps. >>> >>> If the majority of people prefer that the policy changes in this >>> direction, despite the side-effects that I have highlighted earlier on, >>> I can amend the initial patch. >> >> >> >> > > -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 648 bytes Desc: OpenPGP digital signature Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20161214/546e13f3/attachment-0001.bin ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH v2 1/5] wm: update the window manager (wm) module and enable its role template (v5) 2016-12-14 21:45 ` Dominick Grift @ 2016-12-14 21:52 ` Dominick Grift 2016-12-14 22:01 ` Dominick Grift 2016-12-14 22:07 ` Chris PeBenito 0 siblings, 2 replies; 47+ messages in thread From: Dominick Grift @ 2016-12-14 21:52 UTC (permalink / raw) To: refpolicy On 12/14/2016 10:45 PM, Dominick Grift wrote: > On 12/14/2016 10:34 PM, Dominick Grift wrote: >> On 12/14/2016 10:23 PM, Chris PeBenito via refpolicy wrote: >>> On 12/14/16 10:33, Guido Trentalancia via refpolicy wrote: >>>> Hello again. >>>> >>>> I am back with a possible solution to the problem that you described... >>>> >>>> On Wed, 14/12/2016 at 15.37 +0100, Guido Trentalancia via refpolicy >>>> wrote: >>>>> On Wed, 14/12/2016 at 21.01 +0800, Jason Zaman wrote: >>>>>> >>>>>> >>>>>> >>>>>> On 14 Dec 2016 09:54, "Guido Trentalancia via refpolicy" <refpolicy >>>>>> @o >>>>>> ss.tresys.com> wrote: >>>>>> Enable the window manager role (wm contrib module) and update >>>>>> the module to work with gnome-shell. >>>>>> >>>>>> This patch requires the following recently posted patch for the >>>>>> games module: >>>>>> >>>>>> [PATCH v3 1/2] games: general update and improved pulseaudio >>>>>> integration >>>>>> http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html >>>>>> >>>>>> This patch has received some testing with the following two >>>>>> configurations: >>>>>> - gnome-shell executing in normal mode (with display managers >>>>>> other than gdm, such as xdm from XOrg); >>>>>> - gnome-shell executing in gdm mode (with the Gnome Display >>>>>> Manager). >>>>>> >>>>>> Patches 3/5, 4/5 and 5/5 are needed when gnome-shell is used >>>>>> in conjunction with gdm. >>>>>> >>>>>> Since the window managers are not limited by gnome-shell, this >>>>>> latter >>>>>> version of the patch (along with part 2/5) uses separate optional >>>>>> conditionals for the gnome and wm role templates. >>>>>> >>>>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net> >>>>>> --- >>>>>> policy/modules/contrib/colord.te | 5 ++ >>>>>> policy/modules/contrib/dbus.te | 5 ++ >>>>>> policy/modules/contrib/wm.if | 43 +++++++++++++++++- >>>>>> policy/modules/contrib/wm.te | 88 >>>>>> ++++++++++++++++++++++++++++++++++++- >>>>>> policy/modules/roles/staff.te | 8 ++- >>>>>> policy/modules/roles/sysadm.te | 4 + >>>>>> policy/modules/roles/unprivuser.te | 8 ++- >>>>>> 7 files changed, 155 insertions(+), 6 deletions(-) >>>>> >>>>> [...] >>>>> >>>>>> >>>>>> @@ -55,10 +96,51 @@ optional_policy(` >>>>>> ') >>>>>> >>>>>> optional_policy(` >>>>>> + consolekit_dbus_chat(wm_domain) >>>>>> +') >>>>>> + >>>>>> +optional_policy(` >>>>>> devicekit_dbus_chat_power(wm_domain) >>>>>> ') >>>>>> >>>>>> optional_policy(` >>>>>> + evolution_domtrans(wm_domain) >>>>>> + >>>>>> + optional_policy(` >>>>>> + evolution_dbus_chat(wm_domain) >>>>>> + evolution_alarm_dbus_chat(wm_domain) >>>>>> + ') >>>>>> +') >>>>>> + >>>>>> +optional_policy(` >>>>>> + games_domtrans(wm_domain) >>>>>> + >>>>>> + optional_policy(` >>>>>> + games_dbus_chat(wm_domain) >>>>>> + ') >>>>>> +') >>>>>> + >>>>>> +optional_policy(` >>>>>> + java_domtrans(wm_domain) >>>>>> +') >>>>>> + >>>>>> +optional_policy(` >>>>>> + mono_domtrans(wm_domain) >>>>>> +') >>>>>> + >>>>>> +optional_policy(` >>>>>> + mozilla_domtrans(wm_domain) >>>>>> + >>>>>> + optional_policy(` >>>>>> + mozilla_dbus_chat(wm_domain) >>>>>> + ') >>>>>> +') >>>>>> + >>>>>> +optional_policy(` >>>>>> + mplayer_domtrans(wm_domain) >>>>>> +') >>>>>> + >>>>>> +optional_policy(` >>>>>> networkmanager_dbus_chat(wm_domain) >>>>>> ') >>>>>> >>>>>> Whoa are we going to have to add every single application to >>>>>> wm_domain to be able to run it? That will get annoying super fast. >>>>>> Isn't there an application_domain attribute we can use? If there >>>>>> isn't we might want to reverse this so X application types instead >>>>>> declare that wm can run them (something like the application_type >>>>>> interface) >>>>> >>>>> I am now trying to get back to you on this, provided that I >>>>> understood >>>>> the meaning of what you proposed... >>>>> >>>>> I suppose you are suggesting to use an interface such as >>>>> wm_application() in the module of each application that needs to be >>>>> run >>>>> by the window manager and avoid calling applicationname_domtrans() >>>>> from >>>>> the wm module. >>>>> >>>>> Even if that was possible, there would be a loss of visibility in the >>>>> wm module about what applications it can actually run. >>>>> >>>>> The latter is undesirable in my opinion and defeats the purpose of >>>>> having a separate wm module to control what the window manager can >>>>> and >>>>> cannot do, because at that point it would be each application module >>>>> which decides if the application can run or not in the window >>>>> manager. >>>> >>>> It is possible to achieve what you are seeking. You just need to use >>>> the following interface (in policy/modules/contrib/wm.if): >>>> >>>> [cut] >>>> >>>> ######################################## >>>> ## <summary> >>>> ## Create a domain for applications >>>> ## that are launched by the window >>>> ## manager. >>>> ## </summary> >>>> ## <desc> >>>> ## <p> >>>> ## Create a domain for applications that are launched by the >>>> ## window manager (implying a domain transition). Typically >>>> ## these are graphical applications that are run interactively. >>>> ## </p> >>>> ## <p> >>>> ## The types will be made usable as a domain and file, making >>>> ## calls to domain_type() and files_type() redundant. >>>> ## </p> >>>> ## </desc> >>>> ## <param name="target_domain"> >>>> ## <summary> >>>> ## Type to be used in the domain transition as the application >>>> ## domain. >>>> ## </summary> >>>> ## </param> >>>> ## <param name="entry_point"> >>>> ## <summary> >>>> ## Type of the program to be used as an entry point to this domain. >>>> ## </summary> >>>> ## </param> >>>> ## <param name="source_domain"> >>>> ## <summary> >>>> ## Type to be used as the source window manager domain. >>>> ## </summary> >>>> ## </param> >>>> ## <infoflow type="none"/> >>>> # >>>> interface(`wm_application_domain',` >>>> gen_require(` >>>> attribute wm_domain; >>>> ') >>>> >>>> application_type($1) >>>> ubac_constrained($1) >>>> application_executable_file($2) >>>> domtrans_pattern(wm_domain, $2, $1) >>>> ') >>>> >>>> [cut] >>>> >>>> and then, for each application that you want to enable from the window >>>> manager, you need to call the interface wm_application_domain() from >>>> the application module similarly to the way the >>>> userdom_user_application_domain() interface is currently called. >>>> >>>> For example, for mozilla: >>>> >>>> [cut] >>>> >>>> --- refpolicy-git-orig/policy/modules/contrib/mozilla.te 2016-12-09 22:29:53.579462880 +0100 >>>> +++ refpolicy-git/policy/modules/contrib/mozilla.te 2016-12-14 16:28:46.055294184 +0100 >>>> @@ -22,6 +39,7 @@ type mozilla_exec_t; >>>> typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t }; >>>> typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t }; >>>> userdom_user_application_domain(mozilla_t, mozilla_exec_t) >>>> +wm_application_domain(mozilla_t, mozilla_exec_t) >>> >>> I'd tend to prefer it this way, as long as you make this call optional. >> >> In the bigger picture this solution is a bit unwieldy in my view. There >> are various components that need to be able to run programs on behalf of >> the user. In this case it is gnome shell, but for example systemd --user >> needs the same, and there are various other instances. >> >> The solution i have in dssp is not perfect either. But for domain >> transitions that apply to more than the just shell i >> use a type attribute. >> >> example: mozilla_run(staff_type_attribute, role_attribute) >> >> Then i associate the type attribute also with the programs that need to >> be able to run the programs on behalf of the user. >> >> staff_type(staff_wm_t) >> staff_type(staff_systemd_t) >> >> It is not perfect either but atleast it provides a single point of >> failure. domain transitions apply automatically to all domains that need >> to be able to run programs on behalf of the user >> > > Some other examples: "torsocks firefox", "systemd-inhibit firefox". > > So lets say to have 10 user apps. Then you would have to update > (atleast) these four domains to allow them to run them with the same > domtrans as well. It gets ugly rather quick and hard to maintain > But in reference policy this does not work well. due to the "_role()" templates. The role templates also provides access to content, and we do not want to allow for example staff_wm_t, staff_systemd_t, staff_inhibit_t, staff_torsocks_t access to mozilla_home_t, mozilla_tmp_t etc etc >> >>> >>> >>>> role mozilla_roles types mozilla_t; >>>> >>>> type mozilla_home_t; >>>> >>>> [cut] >>>> >>>> I hope this helps. >>>> >>>> If the majority of people prefer that the policy changes in this >>>> direction, despite the side-effects that I have highlighted earlier on, >>>> I can amend the initial patch. >>> >>> >>> >>> >> >> > > -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 648 bytes Desc: OpenPGP digital signature Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20161214/96a587b9/attachment.bin ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH v2 1/5] wm: update the window manager (wm) module and enable its role template (v5) 2016-12-14 21:52 ` Dominick Grift @ 2016-12-14 22:01 ` Dominick Grift 2016-12-14 22:07 ` Chris PeBenito 1 sibling, 0 replies; 47+ messages in thread From: Dominick Grift @ 2016-12-14 22:01 UTC (permalink / raw) To: refpolicy On 12/14/2016 10:52 PM, Dominick Grift wrote: > On 12/14/2016 10:45 PM, Dominick Grift wrote: >> On 12/14/2016 10:34 PM, Dominick Grift wrote: >>> On 12/14/2016 10:23 PM, Chris PeBenito via refpolicy wrote: >>>> On 12/14/16 10:33, Guido Trentalancia via refpolicy wrote: >>>>> Hello again. >>>>> >>>>> I am back with a possible solution to the problem that you described... >>>>> >>>>> On Wed, 14/12/2016 at 15.37 +0100, Guido Trentalancia via refpolicy >>>>> wrote: >>>>>> On Wed, 14/12/2016 at 21.01 +0800, Jason Zaman wrote: >>>>>>> >>>>>>> >>>>>>> >>>>>>> On 14 Dec 2016 09:54, "Guido Trentalancia via refpolicy" <refpolicy >>>>>>> @o >>>>>>> ss.tresys.com> wrote: >>>>>>> Enable the window manager role (wm contrib module) and update >>>>>>> the module to work with gnome-shell. >>>>>>> >>>>>>> This patch requires the following recently posted patch for the >>>>>>> games module: >>>>>>> >>>>>>> [PATCH v3 1/2] games: general update and improved pulseaudio >>>>>>> integration >>>>>>> http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html >>>>>>> >>>>>>> This patch has received some testing with the following two >>>>>>> configurations: >>>>>>> - gnome-shell executing in normal mode (with display managers >>>>>>> other than gdm, such as xdm from XOrg); >>>>>>> - gnome-shell executing in gdm mode (with the Gnome Display >>>>>>> Manager). >>>>>>> >>>>>>> Patches 3/5, 4/5 and 5/5 are needed when gnome-shell is used >>>>>>> in conjunction with gdm. >>>>>>> >>>>>>> Since the window managers are not limited by gnome-shell, this >>>>>>> latter >>>>>>> version of the patch (along with part 2/5) uses separate optional >>>>>>> conditionals for the gnome and wm role templates. >>>>>>> >>>>>>> Signed-off-by: Guido Trentalancia <guido@trentalancia.net> >>>>>>> --- >>>>>>> policy/modules/contrib/colord.te | 5 ++ >>>>>>> policy/modules/contrib/dbus.te | 5 ++ >>>>>>> policy/modules/contrib/wm.if | 43 +++++++++++++++++- >>>>>>> policy/modules/contrib/wm.te | 88 >>>>>>> ++++++++++++++++++++++++++++++++++++- >>>>>>> policy/modules/roles/staff.te | 8 ++- >>>>>>> policy/modules/roles/sysadm.te | 4 + >>>>>>> policy/modules/roles/unprivuser.te | 8 ++- >>>>>>> 7 files changed, 155 insertions(+), 6 deletions(-) >>>>>> >>>>>> [...] >>>>>> >>>>>>> >>>>>>> @@ -55,10 +96,51 @@ optional_policy(` >>>>>>> ') >>>>>>> >>>>>>> optional_policy(` >>>>>>> + consolekit_dbus_chat(wm_domain) >>>>>>> +') >>>>>>> + >>>>>>> +optional_policy(` >>>>>>> devicekit_dbus_chat_power(wm_domain) >>>>>>> ') >>>>>>> >>>>>>> optional_policy(` >>>>>>> + evolution_domtrans(wm_domain) >>>>>>> + >>>>>>> + optional_policy(` >>>>>>> + evolution_dbus_chat(wm_domain) >>>>>>> + evolution_alarm_dbus_chat(wm_domain) >>>>>>> + ') >>>>>>> +') >>>>>>> + >>>>>>> +optional_policy(` >>>>>>> + games_domtrans(wm_domain) >>>>>>> + >>>>>>> + optional_policy(` >>>>>>> + games_dbus_chat(wm_domain) >>>>>>> + ') >>>>>>> +') >>>>>>> + >>>>>>> +optional_policy(` >>>>>>> + java_domtrans(wm_domain) >>>>>>> +') >>>>>>> + >>>>>>> +optional_policy(` >>>>>>> + mono_domtrans(wm_domain) >>>>>>> +') >>>>>>> + >>>>>>> +optional_policy(` >>>>>>> + mozilla_domtrans(wm_domain) >>>>>>> + >>>>>>> + optional_policy(` >>>>>>> + mozilla_dbus_chat(wm_domain) >>>>>>> + ') >>>>>>> +') >>>>>>> + >>>>>>> +optional_policy(` >>>>>>> + mplayer_domtrans(wm_domain) >>>>>>> +') >>>>>>> + >>>>>>> +optional_policy(` >>>>>>> networkmanager_dbus_chat(wm_domain) >>>>>>> ') >>>>>>> >>>>>>> Whoa are we going to have to add every single application to >>>>>>> wm_domain to be able to run it? That will get annoying super fast. >>>>>>> Isn't there an application_domain attribute we can use? If there >>>>>>> isn't we might want to reverse this so X application types instead >>>>>>> declare that wm can run them (something like the application_type >>>>>>> interface) >>>>>> >>>>>> I am now trying to get back to you on this, provided that I >>>>>> understood >>>>>> the meaning of what you proposed... >>>>>> >>>>>> I suppose you are suggesting to use an interface such as >>>>>> wm_application() in the module of each application that needs to be >>>>>> run >>>>>> by the window manager and avoid calling applicationname_domtrans() >>>>>> from >>>>>> the wm module. >>>>>> >>>>>> Even if that was possible, there would be a loss of visibility in the >>>>>> wm module about what applications it can actually run. >>>>>> >>>>>> The latter is undesirable in my opinion and defeats the purpose of >>>>>> having a separate wm module to control what the window manager can >>>>>> and >>>>>> cannot do, because at that point it would be each application module >>>>>> which decides if the application can run or not in the window >>>>>> manager. >>>>> >>>>> It is possible to achieve what you are seeking. You just need to use >>>>> the following interface (in policy/modules/contrib/wm.if): >>>>> >>>>> [cut] >>>>> >>>>> ######################################## >>>>> ## <summary> >>>>> ## Create a domain for applications >>>>> ## that are launched by the window >>>>> ## manager. >>>>> ## </summary> >>>>> ## <desc> >>>>> ## <p> >>>>> ## Create a domain for applications that are launched by the >>>>> ## window manager (implying a domain transition). Typically >>>>> ## these are graphical applications that are run interactively. >>>>> ## </p> >>>>> ## <p> >>>>> ## The types will be made usable as a domain and file, making >>>>> ## calls to domain_type() and files_type() redundant. >>>>> ## </p> >>>>> ## </desc> >>>>> ## <param name="target_domain"> >>>>> ## <summary> >>>>> ## Type to be used in the domain transition as the application >>>>> ## domain. >>>>> ## </summary> >>>>> ## </param> >>>>> ## <param name="entry_point"> >>>>> ## <summary> >>>>> ## Type of the program to be used as an entry point to this domain. >>>>> ## </summary> >>>>> ## </param> >>>>> ## <param name="source_domain"> >>>>> ## <summary> >>>>> ## Type to be used as the source window manager domain. >>>>> ## </summary> >>>>> ## </param> >>>>> ## <infoflow type="none"/> >>>>> # >>>>> interface(`wm_application_domain',` >>>>> gen_require(` >>>>> attribute wm_domain; >>>>> ') >>>>> >>>>> application_type($1) >>>>> ubac_constrained($1) >>>>> application_executable_file($2) >>>>> domtrans_pattern(wm_domain, $2, $1) >>>>> ') >>>>> >>>>> [cut] >>>>> >>>>> and then, for each application that you want to enable from the window >>>>> manager, you need to call the interface wm_application_domain() from >>>>> the application module similarly to the way the >>>>> userdom_user_application_domain() interface is currently called. >>>>> >>>>> For example, for mozilla: >>>>> >>>>> [cut] >>>>> >>>>> --- refpolicy-git-orig/policy/modules/contrib/mozilla.te 2016-12-09 22:29:53.579462880 +0100 >>>>> +++ refpolicy-git/policy/modules/contrib/mozilla.te 2016-12-14 16:28:46.055294184 +0100 >>>>> @@ -22,6 +39,7 @@ type mozilla_exec_t; >>>>> typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t }; >>>>> typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t }; >>>>> userdom_user_application_domain(mozilla_t, mozilla_exec_t) >>>>> +wm_application_domain(mozilla_t, mozilla_exec_t) >>>> >>>> I'd tend to prefer it this way, as long as you make this call optional. >>> >>> In the bigger picture this solution is a bit unwieldy in my view. There >>> are various components that need to be able to run programs on behalf of >>> the user. In this case it is gnome shell, but for example systemd --user >>> needs the same, and there are various other instances. >>> >>> The solution i have in dssp is not perfect either. But for domain >>> transitions that apply to more than the just shell i >>> use a type attribute. >>> >>> example: mozilla_run(staff_type_attribute, role_attribute) >>> >>> Then i associate the type attribute also with the programs that need to >>> be able to run the programs on behalf of the user. >>> >>> staff_type(staff_wm_t) >>> staff_type(staff_systemd_t) >>> >>> It is not perfect either but atleast it provides a single point of >>> failure. domain transitions apply automatically to all domains that need >>> to be able to run programs on behalf of the user >>> >> >> Some other examples: "torsocks firefox", "systemd-inhibit firefox". >> >> So lets say to have 10 user apps. Then you would have to update >> (atleast) these four domains to allow them to run them with the same >> domtrans as well. It gets ugly rather quick and hard to maintain >> > > But in reference policy this does not work well. due to the "_role()" > templates. The role templates also provides access to content, and we do > not want to allow for example staff_wm_t, staff_systemd_t, > staff_inhibit_t, staff_torsocks_t access to mozilla_home_t, > mozilla_tmp_t etc etc > Both of out solutions have their pros and cons. Not suggesting refpolicy uses my solution. Just giving a glimpse what you potentially can expect down the road. >>> >>>> >>>> >>>>> role mozilla_roles types mozilla_t; >>>>> >>>>> type mozilla_home_t; >>>>> >>>>> [cut] >>>>> >>>>> I hope this helps. >>>>> >>>>> If the majority of people prefer that the policy changes in this >>>>> direction, despite the side-effects that I have highlighted earlier on, >>>>> I can amend the initial patch. >>>> >>>> >>>> >>>> >>> >>> >> >> > > -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 648 bytes Desc: OpenPGP digital signature Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20161214/1ff48a60/attachment-0001.bin ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH v2 1/5] wm: update the window manager (wm) module and enable its role template (v5) 2016-12-14 21:52 ` Dominick Grift 2016-12-14 22:01 ` Dominick Grift @ 2016-12-14 22:07 ` Chris PeBenito 2016-12-14 22:13 ` Dominick Grift 2016-12-14 22:14 ` Guido Trentalancia 1 sibling, 2 replies; 47+ messages in thread From: Chris PeBenito @ 2016-12-14 22:07 UTC (permalink / raw) To: refpolicy On 12/14/16 16:52, Dominick Grift via refpolicy wrote: > On 12/14/2016 10:45 PM, Dominick Grift wrote: >> On 12/14/2016 10:34 PM, Dominick Grift wrote: >>> On 12/14/2016 10:23 PM, Chris PeBenito via refpolicy wrote: >>>> On 12/14/16 10:33, Guido Trentalancia via refpolicy wrote: [...] >>>>> and then, for each application that you want to enable from the window >>>>> manager, you need to call the interface wm_application_domain() from >>>>> the application module similarly to the way the >>>>> userdom_user_application_domain() interface is currently called. >>>>> >>>>> For example, for mozilla: >>>>> >>>>> [cut] >>>>> >>>>> --- refpolicy-git-orig/policy/modules/contrib/mozilla.te 2016-12-09 22:29:53.579462880 +0100 >>>>> +++ refpolicy-git/policy/modules/contrib/mozilla.te 2016-12-14 16:28:46.055294184 +0100 >>>>> @@ -22,6 +39,7 @@ type mozilla_exec_t; >>>>> typealias mozilla_t alias { user_mozilla_t staff_mozilla_t sysadm_mozilla_t }; >>>>> typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t }; >>>>> userdom_user_application_domain(mozilla_t, mozilla_exec_t) >>>>> +wm_application_domain(mozilla_t, mozilla_exec_t) >>>> >>>> I'd tend to prefer it this way, as long as you make this call optional. >>> >>> In the bigger picture this solution is a bit unwieldy in my view. There >>> are various components that need to be able to run programs on behalf of >>> the user. In this case it is gnome shell, but for example systemd --user >>> needs the same, and there are various other instances. >>> >>> The solution i have in dssp is not perfect either. But for domain >>> transitions that apply to more than the just shell i >>> use a type attribute. >>> >>> example: mozilla_run(staff_type_attribute, role_attribute) >>> >>> Then i associate the type attribute also with the programs that need to >>> be able to run the programs on behalf of the user. >>> >>> staff_type(staff_wm_t) >>> staff_type(staff_systemd_t) >>> >>> It is not perfect either but atleast it provides a single point of >>> failure. domain transitions apply automatically to all domains that need >>> to be able to run programs on behalf of the user The Fedora policy has had this concept for a long time and I never liked it. It makes it much less obvious what a domain can do by looking at the policy sources. It's easy to overlook the staff_type() call you have above, and even if you see it, it may be hard to understand what that truly implies. I still feel that is the case, but it may be time to do it anyway. If so, it would have to be only in a limited way, for example only for domain transitions. -- Chris PeBenito ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH v2 1/5] wm: update the window manager (wm) module and enable its role template (v5) 2016-12-14 22:07 ` Chris PeBenito @ 2016-12-14 22:13 ` Dominick Grift 2016-12-14 22:14 ` Guido Trentalancia 1 sibling, 0 replies; 47+ messages in thread From: Dominick Grift @ 2016-12-14 22:13 UTC (permalink / raw) To: refpolicy On 12/14/2016 11:07 PM, Chris PeBenito wrote: > On 12/14/16 16:52, Dominick Grift via refpolicy wrote: >> On 12/14/2016 10:45 PM, Dominick Grift wrote: >>> On 12/14/2016 10:34 PM, Dominick Grift wrote: >>>> On 12/14/2016 10:23 PM, Chris PeBenito via refpolicy wrote: >>>>> On 12/14/16 10:33, Guido Trentalancia via refpolicy wrote: > > [...] > >>>>>> and then, for each application that you want to enable from the >>>>>> window >>>>>> manager, you need to call the interface wm_application_domain() from >>>>>> the application module similarly to the way the >>>>>> userdom_user_application_domain() interface is currently called. >>>>>> >>>>>> For example, for mozilla: >>>>>> >>>>>> [cut] >>>>>> >>>>>> --- refpolicy-git-orig/policy/modules/contrib/mozilla.te >>>>>> 2016-12-09 22:29:53.579462880 +0100 >>>>>> +++ refpolicy-git/policy/modules/contrib/mozilla.te 2016-12-14 >>>>>> 16:28:46.055294184 +0100 >>>>>> @@ -22,6 +39,7 @@ type mozilla_exec_t; >>>>>> typealias mozilla_t alias { user_mozilla_t staff_mozilla_t >>>>>> sysadm_mozilla_t }; >>>>>> typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t }; >>>>>> userdom_user_application_domain(mozilla_t, mozilla_exec_t) >>>>>> +wm_application_domain(mozilla_t, mozilla_exec_t) >>>>> >>>>> I'd tend to prefer it this way, as long as you make this call >>>>> optional. >>>> >>>> In the bigger picture this solution is a bit unwieldy in my view. There >>>> are various components that need to be able to run programs on >>>> behalf of >>>> the user. In this case it is gnome shell, but for example systemd >>>> --user >>>> needs the same, and there are various other instances. >>>> >>>> The solution i have in dssp is not perfect either. But for domain >>>> transitions that apply to more than the just shell i >>>> use a type attribute. >>>> >>>> example: mozilla_run(staff_type_attribute, role_attribute) >>>> >>>> Then i associate the type attribute also with the programs that need to >>>> be able to run the programs on behalf of the user. >>>> >>>> staff_type(staff_wm_t) >>>> staff_type(staff_systemd_t) >>>> >>>> It is not perfect either but atleast it provides a single point of >>>> failure. domain transitions apply automatically to all domains that >>>> need >>>> to be able to run programs on behalf of the user > > The Fedora policy has had this concept for a long time and I never liked > it. It makes it much less obvious what a domain can do by looking at > the policy sources. It's easy to overlook the staff_type() call you > have above, and even if you see it, it may be hard to understand what > that truly implies. > I agree. It needs to be used with great care and it is certainly not a perfect solution either. > I still feel that is the case, but it may be time to do it anyway. If > so, it would have to be only in a limited way, for example only for > domain transitions. > In DSSP1 i use run interfaces. this is a bit more than strictly needed because all the domains that need to run stuff on behalf of users can then also read state and send signals, but i think its a reasonable trade off. The most compelling argument for this solution is the single point of failure argument. Down the road with many programs this might really make things more manage-able. The argument to not do it is that one really needs to be careful that one doesnt use this attribute for anything else, and that you'll lose some flexibility. > -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 648 bytes Desc: OpenPGP digital signature Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20161214/1ec33cae/attachment.bin ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH v2 1/5] wm: update the window manager (wm) module and enable its role template (v5) 2016-12-14 22:07 ` Chris PeBenito 2016-12-14 22:13 ` Dominick Grift @ 2016-12-14 22:14 ` Guido Trentalancia 2016-12-14 22:20 ` Dominick Grift 1 sibling, 1 reply; 47+ messages in thread From: Guido Trentalancia @ 2016-12-14 22:14 UTC (permalink / raw) To: refpolicy I think that this should be avoided! The policy needs to be easy to read and understand, otherwise its purpose would be defeated. Guido On the 14th December 2016 23:07:27 CET, Chris PeBenito via refpolicy <refpolicy@oss.tresys.com> wrote: >On 12/14/16 16:52, Dominick Grift via refpolicy wrote: >> On 12/14/2016 10:45 PM, Dominick Grift wrote: >>> On 12/14/2016 10:34 PM, Dominick Grift wrote: >>>> On 12/14/2016 10:23 PM, Chris PeBenito via refpolicy wrote: >>>>> On 12/14/16 10:33, Guido Trentalancia via refpolicy wrote: > >[...] > >>>>>> and then, for each application that you want to enable from the >window >>>>>> manager, you need to call the interface wm_application_domain() >from >>>>>> the application module similarly to the way the >>>>>> userdom_user_application_domain() interface is currently called. >>>>>> >>>>>> For example, for mozilla: >>>>>> >>>>>> [cut] >>>>>> >>>>>> --- >refpolicy-git-orig/policy/modules/contrib/mozilla.te 2016-12-09 >22:29:53.579462880 +0100 >>>>>> +++ refpolicy-git/policy/modules/contrib/mozilla.te 2016-12-14 >16:28:46.055294184 +0100 >>>>>> @@ -22,6 +39,7 @@ type mozilla_exec_t; >>>>>> typealias mozilla_t alias { user_mozilla_t staff_mozilla_t >sysadm_mozilla_t }; >>>>>> typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t >}; >>>>>> userdom_user_application_domain(mozilla_t, mozilla_exec_t) >>>>>> +wm_application_domain(mozilla_t, mozilla_exec_t) >>>>> >>>>> I'd tend to prefer it this way, as long as you make this call >optional. >>>> >>>> In the bigger picture this solution is a bit unwieldy in my view. >There >>>> are various components that need to be able to run programs on >behalf of >>>> the user. In this case it is gnome shell, but for example systemd >--user >>>> needs the same, and there are various other instances. >>>> >>>> The solution i have in dssp is not perfect either. But for domain >>>> transitions that apply to more than the just shell i >>>> use a type attribute. >>>> >>>> example: mozilla_run(staff_type_attribute, role_attribute) >>>> >>>> Then i associate the type attribute also with the programs that >need to >>>> be able to run the programs on behalf of the user. >>>> >>>> staff_type(staff_wm_t) >>>> staff_type(staff_systemd_t) >>>> >>>> It is not perfect either but atleast it provides a single point of >>>> failure. domain transitions apply automatically to all domains that >need >>>> to be able to run programs on behalf of the user > >The Fedora policy has had this concept for a long time and I never >liked >it. It makes it much less obvious what a domain can do by looking at >the policy sources. It's easy to overlook the staff_type() call you >have above, and even if you see it, it may be hard to understand what >that truly implies. > >I still feel that is the case, but it may be time to do it anyway. If >so, it would have to be only in a limited way, for example only for >domain transitions. ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH v2 1/5] wm: update the window manager (wm) module and enable its role template (v5) 2016-12-14 22:14 ` Guido Trentalancia @ 2016-12-14 22:20 ` Dominick Grift 0 siblings, 0 replies; 47+ messages in thread From: Dominick Grift @ 2016-12-14 22:20 UTC (permalink / raw) To: refpolicy On 12/14/2016 11:14 PM, Guido Trentalancia via refpolicy wrote: > I think that this should be avoided! > > The policy needs to be easy to read and understand, otherwise its purpose would be defeated. > Yes but in confined complex desktop environments there are complex requirements. Maintaining these things separately will have its drawbacks as well in the longer run. Whatever you decide, its fine by me. I am just trying to give you a glimpse of what you may expect as you go down the rabbit hole. > On the 14th December 2016 23:07:27 CET, Chris PeBenito via refpolicy <refpolicy@oss.tresys.com> wrote: >> On 12/14/16 16:52, Dominick Grift via refpolicy wrote: >>> On 12/14/2016 10:45 PM, Dominick Grift wrote: >>>> On 12/14/2016 10:34 PM, Dominick Grift wrote: >>>>> On 12/14/2016 10:23 PM, Chris PeBenito via refpolicy wrote: >>>>>> On 12/14/16 10:33, Guido Trentalancia via refpolicy wrote: >> >> [...] >> >>>>>>> and then, for each application that you want to enable from the >> window >>>>>>> manager, you need to call the interface wm_application_domain() >> from >>>>>>> the application module similarly to the way the >>>>>>> userdom_user_application_domain() interface is currently called. >>>>>>> >>>>>>> For example, for mozilla: >>>>>>> >>>>>>> [cut] >>>>>>> >>>>>>> --- >> refpolicy-git-orig/policy/modules/contrib/mozilla.te 2016-12-09 >> 22:29:53.579462880 +0100 >>>>>>> +++ refpolicy-git/policy/modules/contrib/mozilla.te 2016-12-14 >> 16:28:46.055294184 +0100 >>>>>>> @@ -22,6 +39,7 @@ type mozilla_exec_t; >>>>>>> typealias mozilla_t alias { user_mozilla_t staff_mozilla_t >> sysadm_mozilla_t }; >>>>>>> typealias mozilla_t alias { auditadm_mozilla_t secadm_mozilla_t >> }; >>>>>>> userdom_user_application_domain(mozilla_t, mozilla_exec_t) >>>>>>> +wm_application_domain(mozilla_t, mozilla_exec_t) >>>>>> >>>>>> I'd tend to prefer it this way, as long as you make this call >> optional. >>>>> >>>>> In the bigger picture this solution is a bit unwieldy in my view. >> There >>>>> are various components that need to be able to run programs on >> behalf of >>>>> the user. In this case it is gnome shell, but for example systemd >> --user >>>>> needs the same, and there are various other instances. >>>>> >>>>> The solution i have in dssp is not perfect either. But for domain >>>>> transitions that apply to more than the just shell i >>>>> use a type attribute. >>>>> >>>>> example: mozilla_run(staff_type_attribute, role_attribute) >>>>> >>>>> Then i associate the type attribute also with the programs that >> need to >>>>> be able to run the programs on behalf of the user. >>>>> >>>>> staff_type(staff_wm_t) >>>>> staff_type(staff_systemd_t) >>>>> >>>>> It is not perfect either but atleast it provides a single point of >>>>> failure. domain transitions apply automatically to all domains that >> need >>>>> to be able to run programs on behalf of the user >> >> The Fedora policy has had this concept for a long time and I never >> liked >> it. It makes it much less obvious what a domain can do by looking at >> the policy sources. It's easy to overlook the staff_type() call you >> have above, and even if you see it, it may be hard to understand what >> that truly implies. >> >> I still feel that is the case, but it may be time to do it anyway. If >> so, it would have to be only in a limited way, for example only for >> domain transitions. > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 648 bytes Desc: OpenPGP digital signature Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20161214/b78f39ca/attachment.bin ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH 2/5] userdomain: separate optional conditionals for gnome and wm role templates 2016-12-09 22:21 ` [refpolicy] [PATCH v3] " Guido Trentalancia 2016-12-11 20:04 ` Chris PeBenito 2016-12-14 0:48 ` [refpolicy] [PATCH 1/5] wm: update the window manager (wm) module and enable its role template (v4) Guido Trentalancia @ 2016-12-14 0:48 ` Guido Trentalancia 2016-12-14 0:48 ` [refpolicy] [PATCH 3/5] networkmanager: enable dbus chat with xdm Guido Trentalancia ` (2 subsequent siblings) 5 siblings, 0 replies; 47+ messages in thread From: Guido Trentalancia @ 2016-12-14 0:48 UTC (permalink / raw) To: refpolicy Since the window managers are not limited by gnome-shell, the userdomain module is modified by this patch in order to use separate optional conditionals for the gnome and wm role templates. Signed-off-by: Guido Trentalancia <guido@trentalancia.net> --- policy/modules/system/userdomain.if | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff -pruN refpolicy-git-07122016-orig/policy/modules/system/userdomain.if refpolicy-git-07122016/policy/modules/system/userdomain.if --- refpolicy-git-07122016-orig/policy/modules/system/userdomain.if 2016-12-07 13:39:08.672449330 +0100 +++ refpolicy-git-07122016/policy/modules/system/userdomain.if 2016-12-14 00:57:22.948430919 +0100 @@ -1003,11 +1003,10 @@ template(`userdom_restricted_xwindows_us optional_policy(` gnome_role_template($1, $1_r, $1_t) - wm_role_template($1, $1_r, $1_t) ') optional_policy(` - pulseaudio_role($1_r, $1_t) + wm_role_template($1, $1_r, $1_t) ') ') @@ -1016,6 +1015,10 @@ template(`userdom_restricted_xwindows_us ') optional_policy(` + pulseaudio_role($1_r, $1_t) + ') + + optional_policy(` setroubleshoot_dontaudit_stream_connect($1_t) ') ') ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH 3/5] networkmanager: enable dbus chat with xdm 2016-12-09 22:21 ` [refpolicy] [PATCH v3] " Guido Trentalancia ` (2 preceding siblings ...) 2016-12-14 0:48 ` [refpolicy] [PATCH 2/5] userdomain: separate optional conditionals for gnome and wm role templates Guido Trentalancia @ 2016-12-14 0:48 ` Guido Trentalancia 2016-12-14 12:44 ` Jason Zaman 2016-12-14 0:49 ` [refpolicy] [PATCH 4/5] policykit: " Guido Trentalancia 2016-12-14 0:49 ` [refpolicy] [PATCH 5/5] rtkit: " Guido Trentalancia 5 siblings, 1 reply; 47+ messages in thread From: Guido Trentalancia @ 2016-12-14 0:48 UTC (permalink / raw) To: refpolicy Enable dbus messaging between the X Display Manager (XDM) and Network Manager. This patch (along with parts 4/5 and 5/5) might be needed when running gdm. Signed-off-by: Guido Trentalancia <guido@trentalancia.net> --- policy/modules/contrib/networkmanager.te | 4 ++++ 1 file changed, 4 insertions(+) diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/networkmanager.te refpolicy-git-07122016/policy/modules/contrib/networkmanager.te --- refpolicy-git-07122016-orig/policy/modules/contrib/networkmanager.te 2016-10-29 16:29:19.759327926 +0200 +++ refpolicy-git-07122016/policy/modules/contrib/networkmanager.te 2016-12-12 23:52:08.990012946 +0100 @@ -227,6 +227,10 @@ optional_policy(` optional_policy(` policykit_dbus_chat(NetworkManager_t) ') + + optional_policy(` + xserver_dbus_chat_xdm(NetworkManager_t) + ') ') optional_policy(` ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH 3/5] networkmanager: enable dbus chat with xdm 2016-12-14 0:48 ` [refpolicy] [PATCH 3/5] networkmanager: enable dbus chat with xdm Guido Trentalancia @ 2016-12-14 12:44 ` Jason Zaman 2016-12-14 12:48 ` Dominick Grift 0 siblings, 1 reply; 47+ messages in thread From: Jason Zaman @ 2016-12-14 12:44 UTC (permalink / raw) To: refpolicy What does the network configuration have to do with logging in? On 14 Dec 2016 08:49, "Guido Trentalancia via refpolicy" < refpolicy@oss.tresys.com> wrote: Enable dbus messaging between the X Display Manager (XDM) and Network Manager. This patch (along with parts 4/5 and 5/5) might be needed when running gdm. Signed-off-by: Guido Trentalancia <guido@trentalancia.net> --- policy/modules/contrib/networkmanager.te | 4 ++++ 1 file changed, 4 insertions(+) diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/networkmanager.te refpolicy-git-07122016/policy/modules/contrib/networkmanager.te --- refpolicy-git-07122016-orig/policy/modules/contrib/networkmanager.te 2016-10-29 16:29:19.759327926 +0200 +++ refpolicy-git-07122016/policy/modules/contrib/networkmanager.te 2016-12-12 23:52:08.990012946 +0100 @@ -227,6 +227,10 @@ optional_policy(` optional_policy(` policykit_dbus_chat(NetworkManager_t) ') + + optional_policy(` + xserver_dbus_chat_xdm(NetworkManager_t) + ') ') optional_policy(` _______________________________________________ refpolicy mailing list refpolicy at oss.tresys.com http://oss.tresys.com/mailman/listinfo/refpolicy -------------- next part -------------- An HTML attachment was scrubbed... URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20161214/c83177ec/attachment.html ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH 3/5] networkmanager: enable dbus chat with xdm 2016-12-14 12:44 ` Jason Zaman @ 2016-12-14 12:48 ` Dominick Grift 0 siblings, 0 replies; 47+ messages in thread From: Dominick Grift @ 2016-12-14 12:48 UTC (permalink / raw) To: refpolicy On 12/14/2016 01:44 PM, Jason Zaman via refpolicy wrote: > What does the network configuration have to do with logging in? gdm displays some network information (indirectly probably via gnome-shell) which it gets from nm , anyhow gdm is not your average desktop manager. Its very bloated. > > On 14 Dec 2016 08:49, "Guido Trentalancia via refpolicy" < > refpolicy at oss.tresys.com> wrote: > > Enable dbus messaging between the X Display Manager (XDM) and > Network Manager. > > This patch (along with parts 4/5 and 5/5) might be needed when > running gdm. > > Signed-off-by: Guido Trentalancia <guido@trentalancia.net> > --- > policy/modules/contrib/networkmanager.te | 4 ++++ > 1 file changed, 4 insertions(+) > > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/networkmanager.te > refpolicy-git-07122016/policy/modules/contrib/networkmanager.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/networkmanager.te > 2016-10-29 16:29:19.759327926 +0200 > +++ refpolicy-git-07122016/policy/modules/contrib/networkmanager.te > 2016-12-12 23:52:08.990012946 +0100 > @@ -227,6 +227,10 @@ optional_policy(` > optional_policy(` > policykit_dbus_chat(NetworkManager_t) > ') > + > + optional_policy(` > + xserver_dbus_chat_xdm(NetworkManager_t) > + ') > ') > > optional_policy(` > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > > > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 648 bytes Desc: OpenPGP digital signature Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20161214/29993955/attachment.bin ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH 4/5] policykit: enable dbus chat with xdm 2016-12-09 22:21 ` [refpolicy] [PATCH v3] " Guido Trentalancia ` (3 preceding siblings ...) 2016-12-14 0:48 ` [refpolicy] [PATCH 3/5] networkmanager: enable dbus chat with xdm Guido Trentalancia @ 2016-12-14 0:49 ` Guido Trentalancia 2016-12-14 0:49 ` [refpolicy] [PATCH 5/5] rtkit: " Guido Trentalancia 5 siblings, 0 replies; 47+ messages in thread From: Guido Trentalancia @ 2016-12-14 0:49 UTC (permalink / raw) To: refpolicy Enable dbus messaging between the X Display Manager (XDM) and PolicyKit. Also, let PolicyKit read the urandom device. This patch (along with parts 3/5 and 5/5) might be needed when running gdm. Signed-off-by: Guido Trentalancia <guido@trentalancia.net> --- policy/modules/contrib/policykit.te | 6 ++++++ 1 file changed, 6 insertions(+) diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/policykit.te refpolicy-git-07122016/policy/modules/contrib/policykit.te --- refpolicy-git-07122016-orig/policy/modules/contrib/policykit.te 2016-10-29 16:29:19.759327926 +0200 +++ refpolicy-git-07122016/policy/modules/contrib/policykit.te 2016-12-12 23:50:23.856370382 +0100 @@ -88,6 +88,8 @@ domtrans_pattern(policykit_t, policykit_ kernel_read_kernel_sysctls(policykit_t) kernel_read_system_state(policykit_t) +dev_read_urand(policykit_t) + domain_read_all_domains_state(policykit_t) files_dontaudit_search_all_mountpoints(policykit_t) @@ -110,6 +112,10 @@ optional_policy(` optional_policy(` rpm_dbus_chat(policykit_t) ') + + optional_policy(` + xserver_dbus_chat_xdm(policykit_t) + ') ') optional_policy(` ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH 5/5] rtkit: enable dbus chat with xdm 2016-12-09 22:21 ` [refpolicy] [PATCH v3] " Guido Trentalancia ` (4 preceding siblings ...) 2016-12-14 0:49 ` [refpolicy] [PATCH 4/5] policykit: " Guido Trentalancia @ 2016-12-14 0:49 ` Guido Trentalancia 2016-12-14 21:29 ` Chris PeBenito 5 siblings, 1 reply; 47+ messages in thread From: Guido Trentalancia @ 2016-12-14 0:49 UTC (permalink / raw) To: refpolicy Enable dbus messaging between the X Display Manager (XDM) and the rtkit daemon. Also, let the rtkit daemon set the priority of the X Display Manager (XDM). This patch (along with parts 3/5 and 4/5) might be needed when running gdm. Signed-off-by: Guido Trentalancia <guido@trentalancia.net> --- policy/modules/contrib/rtkit.te | 8 ++++++++ policy/modules/services/xserver.if | 20 +++++++++++++++++++- 2 files changed, 27 insertions(+), 1 deletion(-) diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/rtkit.te refpolicy-git-07122016/policy/modules/contrib/rtkit.te --- refpolicy-git-07122016-orig/policy/modules/contrib/rtkit.te 2016-10-29 16:29:19.760327953 +0200 +++ refpolicy-git-07122016/policy/modules/contrib/rtkit.te 2016-12-13 00:51:09.312852264 +0100 @@ -42,4 +42,12 @@ optional_policy(` optional_policy(` policykit_dbus_chat(rtkit_daemon_t) ') + + optional_policy(` + xserver_dbus_chat_xdm(rtkit_daemon_t) + ') +') + +optional_policy(` + xserver_setsched_xdm(rtkit_daemon_t) ') diff -pruN refpolicy-git-07122016-orig/policy/modules/services/xserver.if refpolicy-git-07122016/policy/modules/services/xserver.if --- refpolicy-git-07122016-orig/policy/modules/services/xserver.if 2016-12-07 13:39:08.670449307 +0100 +++ refpolicy-git-07122016/policy/modules/services/xserver.if 2016-12-14 00:55:17.104267790 +0100 @@ -162,7 +162,6 @@ interface(`xserver_role',` manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) - ') ####################################### @@ -1350,3 +1349,22 @@ interface(`xserver_unconfined',` typeattribute $1 x_domain; typeattribute $1 xserver_unconfined_type; ') + +######################################## +## <summary> +## Set the priority of X Display +## Manager (XDM). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_setsched_xdm',` + gen_require(` + attribute xdm_domain; + ') + + allow $1 xdm_domain:process setsched; +') ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH 5/5] rtkit: enable dbus chat with xdm 2016-12-14 0:49 ` [refpolicy] [PATCH 5/5] rtkit: " Guido Trentalancia @ 2016-12-14 21:29 ` Chris PeBenito 2016-12-14 23:09 ` [refpolicy] [PATCH v2 " Guido Trentalancia 0 siblings, 1 reply; 47+ messages in thread From: Chris PeBenito @ 2016-12-14 21:29 UTC (permalink / raw) To: refpolicy On 12/13/16 19:49, Guido Trentalancia via refpolicy wrote: > Enable dbus messaging between the X Display Manager (XDM) and > the rtkit daemon. > > Also, let the rtkit daemon set the priority of the X Display > Manager (XDM). > > This patch (along with parts 3/5 and 4/5) might be needed when > running gdm. > > Signed-off-by: Guido Trentalancia <guido@trentalancia.net> > --- > policy/modules/contrib/rtkit.te | 8 ++++++++ > policy/modules/services/xserver.if | 20 +++++++++++++++++++- > 2 files changed, 27 insertions(+), 1 deletion(-) > > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/rtkit.te refpolicy-git-07122016/policy/modules/contrib/rtkit.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/rtkit.te 2016-10-29 16:29:19.760327953 +0200 > +++ refpolicy-git-07122016/policy/modules/contrib/rtkit.te 2016-12-13 00:51:09.312852264 +0100 > @@ -42,4 +42,12 @@ optional_policy(` > optional_policy(` > policykit_dbus_chat(rtkit_daemon_t) > ') > + > + optional_policy(` > + xserver_dbus_chat_xdm(rtkit_daemon_t) > + ') > +') > + > +optional_policy(` > + xserver_setsched_xdm(rtkit_daemon_t) > ') > diff -pruN refpolicy-git-07122016-orig/policy/modules/services/xserver.if refpolicy-git-07122016/policy/modules/services/xserver.if > --- refpolicy-git-07122016-orig/policy/modules/services/xserver.if 2016-12-07 13:39:08.670449307 +0100 > +++ refpolicy-git-07122016/policy/modules/services/xserver.if 2016-12-14 00:55:17.104267790 +0100 > @@ -162,7 +162,6 @@ interface(`xserver_role',` > manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t) > relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) > relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) > - > ') > > ####################################### > @@ -1350,3 +1349,22 @@ interface(`xserver_unconfined',` > typeattribute $1 x_domain; > typeattribute $1 xserver_unconfined_type; > ') > + > +######################################## > +## <summary> > +## Set the priority of X Display > +## Manager (XDM). > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +# > +interface(`xserver_setsched_xdm',` > + gen_require(` > + attribute xdm_domain; > + ') > + > + allow $1 xdm_domain:process setsched; > +') Since you're operating on an attribute, it should be xserver_setsched_all_xdms(). Otherwise it implies just on xdm_t. -- Chris PeBenito ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH v2 5/5] rtkit: enable dbus chat with xdm 2016-12-14 21:29 ` Chris PeBenito @ 2016-12-14 23:09 ` Guido Trentalancia 2016-12-17 16:43 ` Guido Trentalancia 0 siblings, 1 reply; 47+ messages in thread From: Guido Trentalancia @ 2016-12-14 23:09 UTC (permalink / raw) To: refpolicy Enable dbus messaging between the X Display Manager (XDM) and the rtkit daemon. Also, let the rtkit daemon set the priority of all X Display Managers (XDM). This patch (along with parts 3/5 and 4/5) is needed when running gdm. Signed-off-by: Guido Trentalancia <guido@trentalancia.net> --- policy/modules/contrib/rtkit.te | 8 ++++++++ policy/modules/services/xserver.if | 20 +++++++++++++++++++- 2 files changed, 27 insertions(+), 1 deletion(-) --- a/policy/modules/contrib/rtkit.te 2016-12-14 02:25:03.296232854 +0100 +++ b/policy/modules/contrib/rtkit.te 2016-12-15 00:02:39.744279486 +0100 @@ -42,4 +42,12 @@ optional_policy(` optional_policy(` policykit_dbus_chat(rtkit_daemon_t) ') + + optional_policy(` + xserver_dbus_chat_xdm(rtkit_daemon_t) + ') +') + +optional_policy(` + xserver_setsched_all_xdms(rtkit_daemon_t) ') --- a/policy/modules/services/xserver.if 2016-12-14 02:25:03.297232878 +0100 +++ b/policy/modules/services/xserver.if 2016-12-15 00:03:37.656417716 +0100 @@ -162,7 +162,6 @@ interface(`xserver_role',` manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) - ') ####################################### @@ -1350,3 +1349,22 @@ interface(`xserver_unconfined',` typeattribute $1 x_domain; typeattribute $1 xserver_unconfined_type; ') + +######################################## +## <summary> +## Set the priority of all X +## Display Managers (XDM). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_setsched_all_xdms',` + gen_require(` + attribute xdm_domain; + ') + + allow $1 xdm_domain:process setsched; +') ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH v2 5/5] rtkit: enable dbus chat with xdm 2016-12-14 23:09 ` [refpolicy] [PATCH v2 " Guido Trentalancia @ 2016-12-17 16:43 ` Guido Trentalancia 2016-12-17 17:55 ` Chris PeBenito 0 siblings, 1 reply; 47+ messages in thread From: Guido Trentalancia @ 2016-12-17 16:43 UTC (permalink / raw) To: refpolicy Hello Christopher. I think for some reason this patch has been forgotten... It is part 5/5 of a patchset that you have just applied, but this is missing from the git tree. On Thu, 15/12/2016 at 00.09 +0100, Guido Trentalancia via refpolicy wrote: > Enable dbus messaging between the X Display Manager (XDM) and > the rtkit daemon. > > Also, let the rtkit daemon set the priority of all X Display > Managers (XDM). > > This patch (along with parts 3/5 and 4/5) is needed when > running gdm. > > Signed-off-by: Guido Trentalancia <guido@trentalancia.net> > --- > ?policy/modules/contrib/rtkit.te????|????8 ++++++++ > ?policy/modules/services/xserver.if |???20 +++++++++++++++++++- > ?2 files changed, 27 insertions(+), 1 deletion(-) > > --- a/policy/modules/contrib/rtkit.te 2016-12-14 > 02:25:03.296232854 +0100 > +++ b/policy/modules/contrib/rtkit.te 2016-12-15 > 00:02:39.744279486 +0100 > @@ -42,4 +42,12 @@ optional_policy(` > ? optional_policy(` > ? policykit_dbus_chat(rtkit_daemon_t) > ? ') > + > + optional_policy(` > + xserver_dbus_chat_xdm(rtkit_daemon_t) > + ') > +') > + > +optional_policy(` > + xserver_setsched_all_xdms(rtkit_daemon_t) > ?') > --- a/policy/modules/services/xserver.if 2016-12-14 > 02:25:03.297232878 +0100 > +++ b/policy/modules/services/xserver.if 2016-12-15 > 00:03:37.656417716 +0100 > @@ -162,7 +162,6 @@ interface(`xserver_role',` > ? manage_files_pattern($2, user_fonts_config_t, > user_fonts_config_t) > ? relabel_dirs_pattern($2, user_fonts_config_t, > user_fonts_config_t) > ? relabel_files_pattern($2, user_fonts_config_t, > user_fonts_config_t) > - > ?') > ? > ?####################################### > @@ -1350,3 +1349,22 @@ interface(`xserver_unconfined',` > ? typeattribute $1 x_domain; > ? typeattribute $1 xserver_unconfined_type; > ?') > + > +######################################## > +## <summary> > +## Set the priority of all X > +## Display Managers (XDM). > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +# > +interface(`xserver_setsched_all_xdms',` > + gen_require(` > + attribute xdm_domain; > + ') > + > + allow $1 xdm_domain:process setsched; > +') Regards, Guido ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH v2 5/5] rtkit: enable dbus chat with xdm 2016-12-17 16:43 ` Guido Trentalancia @ 2016-12-17 17:55 ` Chris PeBenito 2016-12-17 18:06 ` [refpolicy] [PATCH v3 " Guido Trentalancia 0 siblings, 1 reply; 47+ messages in thread From: Chris PeBenito @ 2016-12-17 17:55 UTC (permalink / raw) To: refpolicy On 12/17/16 11:43, Guido Trentalancia via refpolicy wrote: > Hello Christopher. > > I think for some reason this patch has been forgotten... > > It is part 5/5 of a patchset that you have just applied, but this is > missing from the git tree. > >> + >> +######################################## >> +## <summary> >> +## Set the priority of all X >> +## Display Managers (XDM). >> +## </summary> >> +## <param name="domain"> >> +## <summary> >> +## Domain allowed access. >> +## </summary> >> +## </param> >> +# >> +interface(`xserver_setsched_all_xdms',` >> + gen_require(` >> + attribute xdm_domain; >> + ') >> + >> + allow $1 xdm_domain:process setsched; >> +') There is no xdm_domain attribute in refpolicy. This is an invalid interface. -- Chris PeBenito ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH v3 5/5] rtkit: enable dbus chat with xdm 2016-12-17 17:55 ` Chris PeBenito @ 2016-12-17 18:06 ` Guido Trentalancia 2016-12-18 22:57 ` Chris PeBenito 0 siblings, 1 reply; 47+ messages in thread From: Guido Trentalancia @ 2016-12-17 18:06 UTC (permalink / raw) To: refpolicy Enable dbus messaging between the X Display Manager (XDM) and the rtkit daemon. Also, let the rtkit daemon set the priority of the X Display Manager (XDM). This patch (along with parts 3/5 and 4/5) might be needed when running gdm. I do apologize for the broken interface in the previous version of this patch. Signed-off-by: Guido Trentalancia <guido@trentalancia.net> --- policy/modules/contrib/rtkit.te | 8 ++++++++ policy/modules/services/xserver.if | 20 +++++++++++++++++++- 2 files changed, 27 insertions(+), 1 deletion(-) diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/rtkit.te refpolicy-git-07122016/policy/modules/contrib/rtkit.te --- refpolicy-git-07122016-orig/policy/modules/contrib/rtkit.te 2016-10-29 16:29:19.760327953 +0200 +++ refpolicy-git-07122016/policy/modules/contrib/rtkit.te 2016-12-13 00:51:09.312852264 +0100 @@ -42,4 +42,12 @@ optional_policy(` optional_policy(` policykit_dbus_chat(rtkit_daemon_t) ') + + optional_policy(` + xserver_dbus_chat_xdm(rtkit_daemon_t) + ') +') + +optional_policy(` + xserver_setsched_xdm(rtkit_daemon_t) ') diff -pruN refpolicy-git-07122016-orig/policy/modules/services/xserver.if refpolicy-git-07122016/policy/modules/services/xserver.if --- refpolicy-git-07122016-orig/policy/modules/services/xserver.if 2016-12-07 13:39:08.670449307 +0100 +++ refpolicy-git-07122016/policy/modules/services/xserver.if 2016-12-14 00:55:17.104267790 +0100 @@ -162,7 +162,6 @@ interface(`xserver_role',` manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) - ') ####################################### @@ -1350,3 +1349,22 @@ interface(`xserver_unconfined',` typeattribute $1 x_domain; typeattribute $1 xserver_unconfined_type; ') + +######################################## +## <summary> +## Set the priority of the X Display +## Manager (XDM). +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`xserver_setsched_xdm',` + gen_require(` + type xdm_t; + ') + + allow $1 xdm_t:process setsched; +') ^ permalink raw reply [flat|nested] 47+ messages in thread
* [refpolicy] [PATCH v3 5/5] rtkit: enable dbus chat with xdm 2016-12-17 18:06 ` [refpolicy] [PATCH v3 " Guido Trentalancia @ 2016-12-18 22:57 ` Chris PeBenito 0 siblings, 0 replies; 47+ messages in thread From: Chris PeBenito @ 2016-12-18 22:57 UTC (permalink / raw) To: refpolicy On 12/17/16 13:06, Guido Trentalancia via refpolicy wrote: > Enable dbus messaging between the X Display Manager (XDM) and > the rtkit daemon. > > Also, let the rtkit daemon set the priority of the X Display > Manager (XDM). > > This patch (along with parts 3/5 and 4/5) might be needed when > running gdm. > > I do apologize for the broken interface in the previous version > of this patch. > > Signed-off-by: Guido Trentalancia <guido@trentalancia.net> > --- > policy/modules/contrib/rtkit.te | 8 ++++++++ > policy/modules/services/xserver.if | 20 +++++++++++++++++++- > 2 files changed, 27 insertions(+), 1 deletion(-) > > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/rtkit.te refpolicy-git-07122016/policy/modules/contrib/rtkit.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/rtkit.te 2016-10-29 16:29:19.760327953 +0200 > +++ refpolicy-git-07122016/policy/modules/contrib/rtkit.te 2016-12-13 00:51:09.312852264 +0100 > @@ -42,4 +42,12 @@ optional_policy(` > optional_policy(` > policykit_dbus_chat(rtkit_daemon_t) > ') > + > + optional_policy(` > + xserver_dbus_chat_xdm(rtkit_daemon_t) > + ') > +') > + > +optional_policy(` > + xserver_setsched_xdm(rtkit_daemon_t) > ') > diff -pruN refpolicy-git-07122016-orig/policy/modules/services/xserver.if refpolicy-git-07122016/policy/modules/services/xserver.if > --- refpolicy-git-07122016-orig/policy/modules/services/xserver.if 2016-12-07 13:39:08.670449307 +0100 > +++ refpolicy-git-07122016/policy/modules/services/xserver.if 2016-12-14 00:55:17.104267790 +0100 > @@ -162,7 +162,6 @@ interface(`xserver_role',` > manage_files_pattern($2, user_fonts_config_t, user_fonts_config_t) > relabel_dirs_pattern($2, user_fonts_config_t, user_fonts_config_t) > relabel_files_pattern($2, user_fonts_config_t, user_fonts_config_t) > - > ') > > ####################################### > @@ -1350,3 +1349,22 @@ interface(`xserver_unconfined',` > typeattribute $1 x_domain; > typeattribute $1 xserver_unconfined_type; > ') > + > +######################################## > +## <summary> > +## Set the priority of the X Display > +## Manager (XDM). > +## </summary> > +## <param name="domain"> > +## <summary> > +## Domain allowed access. > +## </summary> > +## </param> > +# > +interface(`xserver_setsched_xdm',` > + gen_require(` > + type xdm_t; > + ') > + > + allow $1 xdm_t:process setsched; > +') Merged. Again, in the future please separate base and contrib changes for ALL patches. -- Chris PeBenito ^ permalink raw reply [flat|nested] 47+ messages in thread
end of thread, other threads:[~2016-12-18 22:57 UTC | newest]
Thread overview: 47+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-12-07 17:00 [refpolicy] [PATCH] wm: update the window manager (wm) module and enable its role template Guido Trentalancia
2016-12-08 17:20 ` [refpolicy] [PATCH v2] " Guido Trentalancia
2016-12-08 17:51 ` Dominick Grift
2016-12-08 20:53 ` Guido Trentalancia
2016-12-08 21:13 ` Dominick Grift
2016-12-08 21:51 ` Guido Trentalancia
2016-12-09 22:21 ` [refpolicy] [PATCH v3] " Guido Trentalancia
2016-12-11 20:04 ` Chris PeBenito
2016-12-11 20:13 ` Guido Trentalancia
2016-12-11 20:47 ` Chris PeBenito
2016-12-11 21:56 ` Guido Trentalancia
2016-12-12 2:35 ` Luis Ressel
2016-12-14 0:48 ` [refpolicy] [PATCH 1/5] wm: update the window manager (wm) module and enable its role template (v4) Guido Trentalancia
2016-12-14 1:54 ` [refpolicy] [PATCH v2 1/5] wm: update the window manager (wm) module and enable its role template (v5) Guido Trentalancia
[not found] ` <CAPuKSJbhx+9kkU_KK5qX8s6ALknojqTeqmtjrkJR0fkVBn=wWg@mail.gmail.com>
2016-12-14 13:23 ` Guido Trentalancia
2016-12-14 21:25 ` Chris PeBenito
2016-12-14 21:29 ` Guido Trentalancia
2016-12-14 23:43 ` [refpolicy] [PATCH v3 1/5] wm: update the window manager (wm) module and enable its role template (v6) Guido Trentalancia
2016-12-16 0:31 ` Chris PeBenito
2016-12-16 15:59 ` [refpolicy] [PATCH v4 1/5 base part] wm: update the window manager (wm) module and enable its role template (v7) Guido Trentalancia
2016-12-17 14:05 ` Chris PeBenito
2016-12-17 16:56 ` Guido Trentalancia
2016-12-17 18:06 ` Chris PeBenito
2016-12-16 15:59 ` [refpolicy] [PATCH v4 1/5 contrib " Guido Trentalancia
2016-12-14 14:37 ` [refpolicy] [PATCH v2 1/5] wm: update the window manager (wm) module and enable its role template (v5) Guido Trentalancia
2016-12-14 15:33 ` Guido Trentalancia
2016-12-14 21:23 ` Chris PeBenito
2016-12-14 21:34 ` Dominick Grift
2016-12-14 21:45 ` Dominick Grift
2016-12-14 21:52 ` Dominick Grift
2016-12-14 22:01 ` Dominick Grift
2016-12-14 22:07 ` Chris PeBenito
2016-12-14 22:13 ` Dominick Grift
2016-12-14 22:14 ` Guido Trentalancia
2016-12-14 22:20 ` Dominick Grift
2016-12-14 0:48 ` [refpolicy] [PATCH 2/5] userdomain: separate optional conditionals for gnome and wm role templates Guido Trentalancia
2016-12-14 0:48 ` [refpolicy] [PATCH 3/5] networkmanager: enable dbus chat with xdm Guido Trentalancia
2016-12-14 12:44 ` Jason Zaman
2016-12-14 12:48 ` Dominick Grift
2016-12-14 0:49 ` [refpolicy] [PATCH 4/5] policykit: " Guido Trentalancia
2016-12-14 0:49 ` [refpolicy] [PATCH 5/5] rtkit: " Guido Trentalancia
2016-12-14 21:29 ` Chris PeBenito
2016-12-14 23:09 ` [refpolicy] [PATCH v2 " Guido Trentalancia
2016-12-17 16:43 ` Guido Trentalancia
2016-12-17 17:55 ` Chris PeBenito
2016-12-17 18:06 ` [refpolicy] [PATCH v3 " Guido Trentalancia
2016-12-18 22:57 ` Chris PeBenito
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.