[selinux-policy: 2176/3172] wm policy from dan

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:13:20 UTC 2010


commit 5f6c30f8bd3b15c9845ffb24d2e7035e1ca2fe2d
Author: Chris PeBenito <pebenito at gentoo.org>
Date:   Mon Jul 27 15:11:22 2009 -0400

    wm policy from dan

 Changelog                 |    1 +
 policy/modules/apps/wm.fc |    3 +
 policy/modules/apps/wm.if |   98 +++++++++++++++++++++++++++++++++++++++++++++
 policy/modules/apps/wm.te |   10 +++++
 4 files changed, 112 insertions(+), 0 deletions(-)
---
diff --git a/Changelog b/Changelog
index a48f9c9..85b677d 100644
--- a/Changelog
+++ b/Changelog
@@ -37,6 +37,7 @@
 	ulogd (Dan Walsh)
 	varnishd (Dan Walsh)
 	webadm (Dan Walsh)
+	wm (Dan Walsh)
 	xguest (Dan Walsh)
 	zosremote (Dan Walsh)
 
diff --git a/policy/modules/apps/wm.fc b/policy/modules/apps/wm.fc
new file mode 100644
index 0000000..be30d55
--- /dev/null
+++ b/policy/modules/apps/wm.fc
@@ -0,0 +1,3 @@
+/usr/bin/twm		--	gen_context(system_u:object_r:wm_exec_t,s0)
+/usr/bin/openbox	--	gen_context(system_u:object_r:wm_exec_t,s0)
+/usr/bin/metacity	--	gen_context(system_u:object_r:wm_exec_t,s0)
diff --git a/policy/modules/apps/wm.if b/policy/modules/apps/wm.if
new file mode 100644
index 0000000..313f247
--- /dev/null
+++ b/policy/modules/apps/wm.if
@@ -0,0 +1,98 @@
+## <summary>X Window Managers</summary>
+
+#######################################
+## <summary>
+##	The role template for the wm module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for window manager applications.
+##	</p>
+## </desc>
+## <param name="role_prefix">
+##	<summary>
+##	The prefix of the user domain (e.g., user
+##	is the prefix for user_t).
+##	</summary>
+## </param>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+#
+template(`wm_role_template',`
+	gen_require(`
+		type wm_exec_t;
+	')
+
+	type $1_wm_t;
+	domain_type($1_wm_t)
+	domain_entry_file($1_wm_t, wm_exec_t)
+	role $2 types $1_wm_t;
+
+	allow $1_wm_t self:fifo_file rw_fifo_file_perms;
+	allow $1_wm_t self:process getsched;
+	allow $1_wm_t self:shm create_shm_perms;
+
+	allow $1_wm_t $3:unix_stream_socket connectto;
+
+	domtrans_pattern($3, wm_exec_t, $1_wm_t)
+
+	kernel_read_system_state($1_wm_t)
+
+	corecmd_bin_domtrans($1_wm_t, $3)
+	corecmd_shell_domtrans($1_wm_t, $3)
+
+	dev_read_urand($1_wm_t)
+
+	files_read_etc_files($1_wm_t)
+	files_read_usr_files($1_wm_t)
+
+	mls_file_read_all_levels($1_wm_t)
+	mls_file_write_all_levels($1_wm_t)
+	mls_xwin_read_all_levels($1_wm_t)
+	mls_xwin_write_all_levels($1_wm_t)
+	mls_fd_use_all_levels($1_wm_t)
+
+	auth_use_nsswitch($1_wm_t)
+
+	miscfiles_read_fonts($1_wm_t)
+	miscfiles_read_localization($1_wm_t)
+
+	userdom_manage_home_role($2, $1_wm_t)
+	userdom_manage_tmpfs_role($2, $1_wm_t)
+	userdom_manage_tmp_role($2, $1_wm_t)
+
+	optional_policy(`
+		dbus_system_bus_client($1_wm_t)
+	')
+
+	optional_policy(`
+		xserver_role($2, $1_wm_t)
+	')
+')
+
+########################################
+## <summary>
+##	Execute the wm program in the wm domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`wm_exec',`
+	gen_require(`
+		type wm_exec_t;
+	')
+
+	can_exec($1, wm_exec_t)
+')
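Review bot: The derived domain $1_wm_t receives the MLS override interfaces mls_file_read_all_levels, mls_file_write_all_levels, mls_xwin_read_all_levels, mls_xwin_write_all_levels and mls_fd_use_all_levels with no justification in the template's <desc>, so every user role that instantiates wm_role_template gets a window-manager domain able to read and write files and X resources at every sensitivity level. That block should carry a why-comment such as `# WM manages windows of every level the user runs at; re-check before use on MLS` so the next reviewer does not have to guess the intent, which is not visible in this hunk. Since $1_wm_t is a per-user derived type, it presumably should also fall under user-based access control like other userdom-derived domains: if the tree already has UBAC, `ubac_constrained($1_wm_t)` belongs directly after `role $2 types $1_wm_t;`. The <desc> should also state that the domain may transition back into $3 through corecmd_bin_domtrans/corecmd_shell_domtrans and connect to $3's unix stream sockets, which is what lets it launch applications but is a notable part of its contract.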
diff --git a/policy/modules/apps/wm.te b/policy/modules/apps/wm.te
new file mode 100644
index 0000000..d19d2ec
--- /dev/null
+++ b/policy/modules/apps/wm.te
@@ -0,0 +1,10 @@
+
+policy_module(wm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type wm_exec_t;
+corecmd_executable_file(wm_exec_t)

