commit: cb26336af2009ff82257bb3d49f0630259471070
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Sun Apr 16 22:39:36 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Apr 30 09:12:52 2017 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cb26336a
wm: interactive start
Update the window manager (wm) module (support starting
gnome-shell from an X terminal).
This second version avoids an open permission when dealing with the user
terminal (the terminal is already opened by the X terminal application; thanks to
Christian Göttsche for the tip).
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/contrib/wm.if | 27 +++++++++++++++++++++++++++
policy/modules/contrib/wm.te | 7 ++++++-
2 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/wm.if b/policy/modules/contrib/wm.if
index dbe32237..e8fd7706 100644
--- a/policy/modules/contrib/wm.if
+++ b/policy/modules/contrib/wm.if
@@ -73,6 +73,8 @@ template(`wm_role_template',`
xserver_role($2, $1_wm_t)
xserver_manage_core_devices($1_wm_t)
+ wm_write_pipes($1, $3)
+
optional_policy(`
dbus_connect_spec_session_bus($1, $1_wm_t)
dbus_spec_session_bus_client($1, $1_wm_t)
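Review bot: The new `wm_write_pipes($1, $3)` call carries no comment saying why the domain passed as `$3` needs to write the window manager's unnamed pipes, while the rest of the template's rules are self-explanatory. The commit message ties this to starting gnome-shell from an X terminal, so a one-line comment such as `# needed when gnome-shell is started from an X terminal` above the call would keep that reason next to the rule. The signature of `wm_role_template` is outside the hunk, so I assume `$3` is the user domain parameter; if the template has only two parameters this call would not expand as intended.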
@@ -219,3 +221,28 @@ interface(`wm_application_domain',`
userdom_user_application_domain($1, $2)
domtrans_pattern(wm_domain, $2, $1)
')
+
+########################################
+### <summary>
+### Write wm unnamed pipes.
+### </summary>
+## <param name="role_prefix">
+### <summary>
+### The prefix of the user domain (e.g., user
+### is the prefix for user_t).
+### </summary>
+### </param>
+### <param name="domain">
+### <summary>
+### Domain allowed access.
+### </summary>
+### </param>
+### </param>
+##
+interface(`wm_write_pipes',`
+ gen_require(`
+ type $1_t;
+ ')
+
+ allow $2 $1_wm_t:fifo_file write;
+')
diff --git a/policy/modules/contrib/wm.te b/policy/modules/contrib/wm.te
index 77dcc432..5b39df69 100644
--- a/policy/modules/contrib/wm.te
+++ b/policy/modules/contrib/wm.te
@@ -64,6 +64,8 @@ kernel_read_fs_sysctls(wm_domain)
kernel_read_proc_symlinks(wm_domain)
kernel_read_sysctl(wm_domain)
+locallogin_dontaudit_use_fds(wm_domain)
+
miscfiles_read_fonts(wm_domain)
miscfiles_read_generic_certs(wm_domain)
miscfiles_read_localization(wm_domain)
@@ -72,13 +74,16 @@ networkmanager_read_etc_files(wm_domain)
udev_read_pid_files(wm_domain)
-# this is needed by gnome-shell
+# the following is needed by gnome-shell
userdom_exec_user_home_content_files(wm_domain)
userdom_manage_user_tmp_sockets(wm_domain)
userdom_tmp_filetrans_user_tmp(wm_domain, sock_file)
userdom_user_runtime_filetrans_user_tmp(wm_domain, sock_file)
+# to print error messages
+userdom_use_inherited_user_terminals(wm_domain)
+
userdom_manage_user_home_content_dirs(wm_domain)
userdom_manage_user_home_content_files(wm_domain)