From mboxrd@z Thu Jan 1 00:00:00 1970 
From: pebenito@ieee.org (Chris PeBenito) Date: Thu, 15 Dec 2016 19:31:47 -0500 Subject: [refpolicy] [PATCH v3 1/5] wm: update the window manager (wm) module and enable its role template (v6) In-Reply-To: <1481758999.3080.4.camel@trentalancia.net> References: <1481130053.3300.9.camel@trentalancia.net> <1481217618.20182.8.camel@trentalancia.net> <1481322107.2989.1.camel@trentalancia.net> <1481676520.17446.9.camel@trentalancia.net> <1481680495.3551.1.camel@trentalancia.net> <1481721818.2981.9.camel@trentalancia.net> <1481758999.3080.4.camel@trentalancia.net> Message-ID: <29c383f9-6aba-1f9d-94fc-7b1d72cd1a9f@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 12/14/16 18:43, Guido Trentalancia via refpolicy wrote: > Enable the window manager role (wm contrib module) and update > the module to work with gnome-shell. > > This patch requires the following recently posted patch for the > games module: > > [PATCH v3 1/2] games: general update and improved pulseaudio integration > http://oss.tresys.com/pipermail/refpolicy/2016-December/008679.html > > This patch has received some testing with the following two > configurations: > - gnome-shell executing in normal mode (with display managers > other than gdm, such as xdm from XOrg); > - gnome-shell executing in gdm mode (with the Gnome Display > Manager). > > Patches 3/5, 4/5 and 5/5 are needed when gnome-shell is used > in conjunction with gdm. > > Since window managers are not limited to gnome-shell, this latter > version of the patch (along with part 2/5) uses separate optional > conditionals for the gnome and wm role templates. > > The new wm_application_domain() interface introduced in the sixth > version of this patch is an idea of Jason Zaman. > > This patch also fixes a minor bug in the way the pulseaudio_role() > interface is optionally included by the role templates (pulseaudio > does not depend on dbus). 
I'm willing to merge this set, but the patches need to be broken up so I can commit them to contrib and base separately. > > Signed-off-by: Guido Trentalancia > --- > policy/modules/contrib/colord.te | 5 ++ > policy/modules/contrib/dbus.te | 5 ++ > policy/modules/contrib/evolution.te | 4 + > policy/modules/contrib/games.te | 4 + > policy/modules/contrib/java.te | 4 + > policy/modules/contrib/mono.te | 4 + > policy/modules/contrib/mozilla.te | 4 + > policy/modules/contrib/mplayer.te | 4 + > policy/modules/contrib/wm.if | 89 +++++++++++++++++++++++++++++++++++- > policy/modules/contrib/wm.te | 62 ++++++++++++++++++++++++- > policy/modules/roles/staff.te | 8 ++- > policy/modules/roles/sysadm.te | 4 + > policy/modules/roles/unprivuser.te | 8 ++- > 13 files changed, 199 insertions(+), 6 deletions(-) > > diff -pru a/policy/modules/contrib/colord.te b/policy/modules/contrib/colord.te > --- a/policy/modules/contrib/colord.te 2016-08-14 21:28:11.468519205 +0200 > +++ b/policy/modules/contrib/colord.te 2016-12-14 02:45:54.815580399 +0100 > @@ -137,3 +137,8 @@ optional_policy(` > udev_read_db(colord_t) > udev_read_pid_files(colord_t) > ') > + > +optional_policy(` > + xserver_read_xdm_lib_files(colord_t) > + xserver_use_xdm_fds(colord_t) > +') > diff -pru a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te > --- a/policy/modules/contrib/dbus.te 2016-08-14 21:28:11.477519343 +0200 > +++ b/policy/modules/contrib/dbus.te 2016-12-14 02:24:00.796768671 +0100 > @@ -159,6 +159,11 @@ optional_policy(` > udev_read_db(system_dbusd_t) > ') > > +optional_policy(` > + xserver_read_xdm_lib_files(system_dbusd_t) > + xserver_use_xdm_fds(system_dbusd_t) > +') > + > ######################################## > # > # Common session bus local policy > diff -pru a/policy/modules/contrib/evolution.te b/policy/modules/contrib/evolution.te > --- a/policy/modules/contrib/evolution.te 2016-12-07 13:39:49.975910286 +0100 
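Review bot: The xserver_read_xdm_lib_files() and xserver_use_xdm_fds() pair granted to colord_t here, and the identical pair granted to system_dbusd_t in the dbus.te hunk, have no comment saying what access they resolve, and nothing in either hunk connects them to the gdm configuration the description mentions. Giving system daemons the display manager's file descriptors and lib files is the kind of rule a later reader will want to re-justify, so a short comment above each optional_policy block stating the trigger (presumably the daemons being activated while gdm's descriptors are inherited; worth confirming against the denials) would let it be narrowed or dropped later, e.g. `# fds and lib files inherited when activated under gdm`. The two hunks are otherwise unrelated to the wm module and would fit naturally in the contrib part of the split Chris asks for.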
> +++ b/policy/modules/contrib/evolution.te 2016-12-15 00:18:21.791452219 +0100 > @@ -23,6 +23,10 @@ typealias evolution_t alias { auditadm_e > userdom_user_application_domain(evolution_t, evolution_exec_t) > role evolution_roles types evolution_t; > > +optional_policy(` > + wm_application_domain(evolution_t, evolution_exec_t) > +') > + > type evolution_alarm_t; > type evolution_alarm_exec_t; > typealias evolution_alarm_t alias { user_evolution_alarm_t staff_evolution_alarm_t sysadm_evolution_alarm_t }; > diff -pru a/policy/modules/contrib/games.te b/policy/modules/contrib/games.te > --- a/policy/modules/contrib/games.te 2016-12-12 01:59:37.872004679 +0100 > +++ b/policy/modules/contrib/games.te 2016-12-15 00:19:55.191238925 +0100 > @@ -14,6 +14,10 @@ typealias games_t alias { auditadm_games > userdom_user_application_domain(games_t, games_exec_t) > role games_roles types games_t; > > +optional_policy(` > + wm_application_domain(games_t, games_exec_t) > +') > + > type games_data_t; > typealias games_data_t alias { user_games_data_t staff_games_data_t sysadm_games_data_t }; > typealias games_data_t alias { auditadm_games_data_t secadm_games_data_t }; > diff -pru a/policy/modules/contrib/java.te b/policy/modules/contrib/java.te > --- a/policy/modules/contrib/java.te 2016-08-14 21:28:11.504519758 +0200 > +++ b/policy/modules/contrib/java.te 2016-12-15 00:23:12.650129586 +0100 > @@ -27,6 +27,10 @@ typealias java_t alias { staff_javaplugi > typealias java_t alias { auditadm_javaplugin_t secadm_javaplugin_t }; > role java_roles types java_t; > > +optional_policy(` > + wm_application_domain(java_t, java_exec_t) > +') > + > type java_home_t; > userdom_user_home_content(java_home_t) > > diff -pru a/policy/modules/contrib/mono.te b/policy/modules/contrib/mono.te > --- a/policy/modules/contrib/mono.te 2016-08-14 21:28:11.520520004 +0200 > +++ b/policy/modules/contrib/mono.te 2016-12-15 00:24:01.783117146 +0100 
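Review bot: wm_application_domain(evolution_t, evolution_exec_t) re-applies application_type(), ubac_constrained() and application_executable_file() to a pair of types that userdom_user_application_domain() has already fully declared a few lines above, so the only new effect at this call site is the domtrans_pattern from wm_domain; the same applies to the games, java, mozilla and mplayer hunks, and to mono, where the hunk context shows only application_type(mono_t) and the call may therefore newly add the ubac constraint (worth confirming). An interface whose documentation says it creates a domain is being used purely as a transition grant, which is misleading for the next maintainer. Either a narrower interface that grants only the transition and leaves declaration to the calling module, or a sentence in the wm_application_domain description stating that it is intended to be called on already-declared application domains, would make the contract explicit.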
> @@ -16,6 +16,10 @@ role mono_roles types mono_t; > > application_type(mono_t) > > +optional_policy(` > + wm_application_domain(mono_t, mono_exec_t) > +') > + > ######################################## > # > # Common local policy > diff -pru a/policy/modules/contrib/mozilla.te b/policy/modules/contrib/mozilla.te > --- a/policy/modules/contrib/mozilla.te 2016-12-14 16:31:11.432155580 +0100 > +++ b/policy/modules/contrib/mozilla.te 2016-12-15 00:24:45.672785494 +0100 > @@ -24,6 +24,10 @@ typealias mozilla_t alias { auditadm_moz > userdom_user_application_domain(mozilla_t, mozilla_exec_t) > role mozilla_roles types mozilla_t; > > +optional_policy(` > + wm_application_domain(mozilla_t, mozilla_exec_t) > +') > + > type mozilla_home_t; > typealias mozilla_home_t alias { user_mozilla_home_t staff_mozilla_home_t sysadm_mozilla_home_t }; > typealias mozilla_home_t alias { auditadm_mozilla_home_t secadm_mozilla_home_t }; > diff -pru a/policy/modules/contrib/mplayer.te b/policy/modules/contrib/mplayer.te > --- a/policy/modules/contrib/mplayer.te 2016-10-29 16:29:19.667325422 +0200 > +++ b/policy/modules/contrib/mplayer.te 2016-12-15 00:25:40.085738055 +0100 > @@ -30,6 +30,10 @@ typealias mplayer_t alias { auditadm_mpl > userdom_user_application_domain(mplayer_t, mplayer_exec_t) > role mplayer_roles types mplayer_t; > > +optional_policy(` > + wm_application_domain(mplayer_t, mplayer_exec_t) > +') > + > type mplayer_etc_t; > files_config_file(mplayer_etc_t) > > diff -pru a/policy/modules/contrib/wm.if b/policy/modules/contrib/wm.if > --- a/policy/modules/contrib/wm.if 2016-12-14 02:24:53.377000472 +0100 > +++ b/policy/modules/contrib/wm.if 2016-12-15 00:16:28.516076888 +0100 > @@ -47,6 +47,8 @@ template(`wm_role_template',` > # Policy > # > > + allow $3 $1_wm_t:fd use; > + > allow $1_wm_t $3:unix_stream_socket connectto; > allow $3 $1_wm_t:unix_stream_socket connectto; 
> > @@ -72,6 +74,7 @@ template(`wm_role_template',` > xserver_manage_core_devices($1_wm_t) > > optional_policy(` > + dbus_connect_spec_session_bus($1, $1_wm_t) > dbus_spec_session_bus_client($1, $1_wm_t) > dbus_system_bus_client($1_wm_t) > > @@ -81,7 +84,7 @@ template(`wm_role_template',` > ') > > optional_policy(` > - gnome_stream_connect_gkeyringd($1, $1_wm_t) > + gnome_stream_connect_all_gkeyringd($1_wm_t) > ') > > optional_policy(` > @@ -134,3 +137,87 @@ interface(`wm_dbus_chat',` > allow $2 $1_wm_t:dbus send_msg; > allow $1_wm_t $2:dbus send_msg; > ') > + > +######################################## > +## > +## Do not audit attempts to execute > +## files in temporary directories. > +## > +## > +## > +## Domain to not audit. > +## > +## > +# > +interface(`wm_dontaudit_exec_tmp_files',` > + gen_require(` > + type wm_tmp_t; > + ') > + > + dontaudit $1 wm_tmp_t:file exec_file_perms; > +') > + > +######################################## > +## > +## Do not audit attempts to execute > +## files in temporary filesystems. > +## > +## > +## > +## Domain to not audit. > +## > +## > +# > +interface(`wm_dontaudit_exec_tmpfs_files',` > + gen_require(` > + type wm_tmpfs_t; > + ') > + > + dontaudit $1 wm_tmpfs_t:file exec_file_perms; > +') > + > +######################################## > +## > +## Create a domain for applications > +## that are launched by the window > +## manager. > +## > +## > +##
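Review bot: Swapping gnome_stream_connect_gkeyringd($1, $1_wm_t) for gnome_stream_connect_all_gkeyringd($1_wm_t) moves the window manager from its own role's keyring daemon socket to, judging by the interface name, every role's keyring daemon, and the description does not say why the per-role interface stopped being sufficient. If the per-role variant failed only because of a prefix mismatch in the template, keeping it is the tighter rule; if gnome-shell genuinely needs the cross-role access, a comment above the call recording that reason should accompany the widening. The enclosing wm_role_template body starts and ends outside this hunk.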

> +## Create a domain for applications that are launched by the > +## window manager (implying a domain transition). Typically > +## these are graphical applications that are run interactively. > +##

> +##

> +## The types will be made usable as a domain and file, making > +## calls to domain_type() and files_type() redundant. > +##

> +##
> +## > +## > +## Type to be used in the domain transition as the application > +## domain. > +## > +## > +## > +## > +## Type of the program to be used as an entry point to this domain. > +## > +## > +## > +## > +## Type to be used as the source window manager domain. > +## > +## > +## > +# > +interface(`wm_application_domain',` > + gen_require(` > + attribute wm_domain; > + ') > + > + application_type($1) > + ubac_constrained($1) > + application_executable_file($2) > + domtrans_pattern(wm_domain, $2, $1) > +') > diff -pru a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te > --- a/policy/modules/contrib/wm.te 2016-12-14 02:24:53.396000918 +0100 > +++ b/policy/modules/contrib/wm.te 2016-12-15 00:26:06.044631194 +0100 > @@ -10,6 +10,16 @@ attribute wm_domain; > type wm_exec_t; > corecmd_executable_file(wm_exec_t) > > +type wm_tmp_t; > +userdom_user_tmp_file(wm_tmp_t) > + > +type wm_tmpfs_t; > +userdom_user_tmpfs_file(wm_tmpfs_t) > + > +optional_policy(` > + pulseaudio_tmpfs_content(wm_tmpfs_t) > +') > + > ######################################## > # > # Common wm domain local policy 
> @@ -21,31 +31,60 @@ allow wm_domain self:netlink_kobject_uev > allow wm_domain self:shm create_shm_perms; > allow wm_domain self:unix_dgram_socket create_socket_perms; > > +manage_dirs_pattern(wm_domain, wm_tmp_t, wm_tmp_t) > +manage_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t) > +manage_lnk_files_pattern(wm_domain, wm_tmp_t, wm_tmp_t) > +files_tmp_filetrans(wm_domain, wm_tmp_t, { dir file lnk_file }) > + > +manage_dirs_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) > +manage_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) > +manage_lnk_files_pattern(wm_domain, wm_tmpfs_t, wm_tmpfs_t) > +fs_tmpfs_filetrans(wm_domain, wm_tmpfs_t, { dir file lnk_file }) > + > +can_exec(wm_domain, wm_exec_t) > + > kernel_read_system_state(wm_domain) > > corecmd_getattr_all_executables(wm_domain) > > +dev_read_rand(wm_domain) > dev_read_sound(wm_domain) > dev_read_sysfs(wm_domain) > dev_read_urand(wm_domain) > +dev_rw_dri(wm_domain) > dev_rw_wireless(wm_domain) > dev_write_sound(wm_domain) > > +files_read_etc_runtime_files(wm_domain) > files_read_usr_files(wm_domain) > > fs_getattr_all_fs(wm_domain) > > +kernel_read_fs_sysctls(wm_domain) > +kernel_read_proc_symlinks(wm_domain) > +kernel_read_sysctl(wm_domain) > + > miscfiles_read_fonts(wm_domain) > +miscfiles_read_generic_certs(wm_domain) > miscfiles_read_localization(wm_domain) > > +udev_read_pid_files(wm_domain) > + > +# this is needed by gnome-shell > +userdom_exec_user_home_content_files(wm_domain) > + > userdom_manage_user_tmp_sockets(wm_domain) > userdom_tmp_filetrans_user_tmp(wm_domain, sock_file) > userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file) > > userdom_manage_user_home_content_dirs(wm_domain) > userdom_manage_user_home_content_files(wm_domain) > + > userdom_user_home_dir_filetrans_user_home_content(wm_domain, { dir file }) > > +wm_dontaudit_exec_tmp_files(wm_domain) > +wm_dontaudit_exec_tmpfs_files(wm_domain) > + > optional_policy(` > accountsd_dbus_chat(wm_domain) > ') 
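Review bot: userdom_exec_user_home_content_files(wm_domain) lets every window manager domain execute any file the user can write under the home directory, and the only justification is the comment `# this is needed by gnome-shell`. The comment should say which files gnome-shell actually executes from the home directory so the rule can later be narrowed to a dedicated home-content type, and since the attribute also covers window managers that are not gnome-shell, guarding the call with a tunable_policy block on a new boolean (declared with gen_tunable, default off) would keep the broader exposure opt-in. The dontaudit for executing wm_tmp_t and wm_tmpfs_t files a few lines below suggests something also tries to execute from temporary locations; a one-line comment naming the component would help there too.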
> @@ -55,10 +94,27 @@ optional_policy(` > ') > > optional_policy(` > + consolekit_dbus_chat(wm_domain) > +') > + > +optional_policy(` > devicekit_dbus_chat_power(wm_domain) > ') > > optional_policy(` > + evolution_dbus_chat(wm_domain) > + evolution_alarm_dbus_chat(wm_domain) > +') > + > +optional_policy(` > + games_dbus_chat(wm_domain) > +') > + > +optional_policy(` > + mozilla_dbus_chat(wm_domain) > +') > + > +optional_policy(` > networkmanager_dbus_chat(wm_domain) > ') > > @@ -67,9 +123,13 @@ optional_policy(` > ') > > optional_policy(` > - pulseaudio_stream_connect(wm_domain) > + telepathy_mission_control_dbus_chat(wm_domain) > ') > > optional_policy(` > userhelper_exec_consolehelper(wm_domain) > ') > + > +optional_policy(` > + xserver_dbus_chat_xdm(wm_domain) > +') > diff -pru a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te > --- a/policy/modules/roles/staff.te 2016-12-14 02:24:53.397000941 +0100 > +++ b/policy/modules/roles/staff.te 2016-12-13 22:45:02.857851229 +0100 > @@ -88,11 +88,11 @@ ifndef(`distro_redhat',` > ') > > optional_policy(` > - pulseaudio_role(staff_r, staff_t) > + telepathy_role_template(staff, staff_r, staff_t) > ') > > optional_policy(` > - telepathy_role_template(staff, staff_r, staff_t) > + wm_role_template(staff, staff_r, staff_t) > ') > ') > > @@ -145,6 +145,10 @@ ifndef(`distro_redhat',` > ') > > optional_policy(` > + pulseaudio_role(staff_r, staff_t) > + ') > + > + optional_policy(` > pyzor_role(staff_r, staff_t) > ') > > diff -pru a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te > --- a/policy/modules/roles/sysadm.te 2016-12-14 02:24:53.397000941 +0100 > +++ b/policy/modules/roles/sysadm.te 2016-12-13 22:45:25.577422292 +0100 
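Review bot: The optional_policy block that held pulseaudio_stream_connect(wm_domain) is rewritten to call telepathy_mission_control_dbus_chat(wm_domain) instead, so the window manager domain silently loses its pulseaudio stream access while gaining an unrelated dbus chat, and the description only covers the pulseaudio_role() relocation in the role files. If the stream access is now provided elsewhere (the role template or pulseaudio_role() on the user domain, neither of which is visible here), a sentence in the description or a comment at this spot should say so; otherwise this looks like an accidental drop. Keeping the pulseaudio block and adding a separate optional_policy block for telepathy would also make the hunk read as two intentional changes.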
> @@ -1246,6 +1246,10 @@ ifndef(`distro_redhat',` > optional_policy(` > gnome_role_template(sysadm, sysadm_r, sysadm_t) > ') > + > + optional_policy(` > + wm_role_template(sysadm, sysadm_r, sysadm_t) > + ') > ') > > optional_policy(` > diff -pru a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te > --- a/policy/modules/roles/unprivuser.te 2016-12-14 02:24:53.398000965 +0100 > +++ b/policy/modules/roles/unprivuser.te 2016-12-13 22:44:50.493540449 +0100 > @@ -57,11 +57,11 @@ ifndef(`distro_redhat',` > ') > > optional_policy(` > - pulseaudio_role(user_r, user_t) > + telepathy_role_template(user, user_r, user_t) > ') > > optional_policy(` > - telepathy_role_template(user, user_r, user_t) > + wm_role_template(user, user_r, user_t) > ') > ') > > @@ -122,6 +122,10 @@ ifndef(`distro_redhat',` > ') > > optional_policy(` > + pulseaudio_role(user_r, user_t) > + ') > + > + optional_policy(` > pyzor_role(user_r, user_t) > ') > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -- Chris PeBenito