From 3a7aacc91ccd7452c7fef303e46317383369eab5 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Mon, 9 May 2011 20:12:26 +0000
Subject: [PATCH] Make telepathy and gkeyringd daemon working with confined users
---
 policy/modules/apps/gnome.if | 43 +++++++++++++++
 policy/modules/apps/telepathy.if | 75 ++++++++++++++++++++++++++
 policy/modules/apps/telepathy.te | 10 ++++
 policy/modules/roles/staff.te | 6 +--
 policy/modules/roles/unconfineduser.te | 3 +-
 policy/modules/roles/xguest.te | 6 +--
 policy/modules/system/userdomain.if | 3 ++
 7 files changed, 139 insertions(+), 7 deletions(-)
diff --git a/policy/modules/apps/gnome.if b/policy/modules/apps/gnome.if
index c9f63b0a..bf930fc5 100644
--- a/policy/modules/apps/gnome.if
+++ b/policy/modules/apps/gnome.if
@@ -1051,3 +1051,46 @@ gen_require(`
 userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, .gstreamer-10)
 userdom_admin_home_dir_filetrans($1, gstreamer_home_t, dir, .gstreamer-12)
 ')
+######################################
+##
+## Execute gnome-keyring executable
+## in the specified domain.
+##
+##
+##

+## Execute a telepathy executable
+## in the specified domain. This allows
+## the specified domain to execute any file
+## on these filesystems in the specified
+## domain.
+##

+##

+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+##

+##

+## This interface was added to handle
+## the ssh-agent policy.
+##

+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## The type of the new process.
+##
+##
+#
+interface(`gnome_command_domtrans_gkeyringd', `
+ gen_require(`
+ type gkeyringd_exec_t;
+ ')
+
+ allow $2 gkeyringd_exec_t:file entrypoint;
+ domain_transition_pattern($1, gkeyringd_exec_t, $2)
+ type_transition $1 gkeyringd_exec_t:process $2;
+')
diff --git a/policy/modules/apps/telepathy.if b/policy/modules/apps/telepathy.if
index f6acf249..6d94c9bd 100644
--- a/policy/modules/apps/telepathy.if
+++ b/policy/modules/apps/telepathy.if
@@ -49,6 +49,22 @@ template(`telepathy_domain_template',`
 template(`telepathy_dbus_session_role', `
 gen_require(`
 attribute telepathy_domain;
+ type telepathy_gabble_t;
+ type telepathy_sofiasip_t;
+ type telepathy_idle_t;
+ type telepathy_mission_control_t;
+ type telepathy_salut_t;
+ type telepathy_sunshine_t;
+ type telepathy_stream_engine_t;
+ type telepathy_msn_t;
+ type telepathy_gabble_exec_t;
+ type telepathy_sofiasip_exec_t;
+ type telepathy_idle_exec_t;
+ type telepathy_mission_control_exec_t;
+ type telepathy_salut_exec_t;
+ type telepathy_sunshine_exec_t;
+ type telepathy_stream_engine_exec_t;
+ type telepathy_msn_exec_t;
 ')
 role $1 types telepathy_domain;
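Review bot: The documentation block above `gnome_command_domtrans_gkeyringd` does not describe this interface: its description reads "Execute a telepathy executable" and "This interface was added to handle the ssh-agent policy", which looks copied from another interface. It should name gnome-keyring and state what the three rules do, for example `## Allow $1 to execute gkeyringd_exec_t and transition to $2, with gkeyringd_exec_t as an entrypoint for $2.` The sentence about "any file on these filesystems" does not match the body either, which grants the transition only through `gkeyringd_exec_t`. The accuracy matters because the one caller in this commit (unconfineduser.te) passes `unconfined_t` as the target, so the keyring daemon started from `unconfined_dbusd_t` ends up running unconfined.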
@@ -63,6 +79,16 @@ template(`telepathy_dbus_session_role', `
 telepathy_gabble_stream_connect($2)
 telepathy_msn_stream_connect($2)
 telepathy_salut_stream_connect($2)
+
+ dbus_session_domain($3, telepathy_gabble_exec_t, telepathy_gabble_t)
+ dbus_session_domain($3, telepathy_sofiasip_exec_t, telepathy_sofiasip_t)
+ dbus_session_domain($3, telepathy_idle_exec_t, telepathy_idle_t)
+ dbus_session_domain($3, telepathy_mission_control_exec_t, telepathy_mission_control_t)
+ dbus_session_domain($3, telepathy_salut_exec_t, telepathy_salut_t)
+ dbus_session_domain($3, telepathy_sunshine_exec_t, telepathy_sunshine_t)
+ dbus_session_domain($3, telepathy_stream_engine_exec_t, telepathy_stream_engine_t)
+ dbus_session_domain($3, telepathy_msn_exec_t, telepathy_msn_t)
+
 ')
 ########################################
@@ -189,3 +215,52 @@ interface(`telepathy_mission_control_read_state',`
 ps_process_pattern($1, telepathy_mission_control_t)
 ')
+#######################################
+##
+## Execute telepathy executable
+## in the specified domain.
+##
+##
+##
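Review bot: The eight added `dbus_session_domain($3, ...)` calls make `telepathy_dbus_session_role` depend on a third argument, yet no parameter documentation for it is added in these hunks; the template's doc block lies outside them. A caller that still passes two arguments would expand `$3` to an empty string in every one of these calls. The two-argument calls in staff.te and xguest.te are commented out by this commit, but any caller outside this patch needs the same check. The doc block should gain a third parameter entry, apparently the user prefix judging from the call `telepathy_dbus_session_role($1_r, $1_t, $1)` in userdomain.if.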

+## Execute a telepathy executable
+## in the specified domain. This allows
+## the specified domain to execute any file
+## on these filesystems in the specified
+## domain.
+##

+##

+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+##

+##

+## This interface was added to handle
+## the ssh-agent policy.
+##

+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## The type of the new process.
+##
+##
+#
+interface(`telepathy_command_domtrans', `
+ gen_require(`
+ attribute telepathy_executable;
+ ')
+
+ allow $2 telepathy_executable:file entrypoint;
+ domain_transition_pattern($1, telepathy_executable, $2)
+ type_transition $1 telepathy_executable:process $2;
+
+ # needs to dbus chat with unconfined_t and unconfined_dbusd_t
+ optional_policy(`
+ telepathy_dbus_chat($1)
+ telepathy_dbus_chat($2)
+ ')
+')
diff --git a/policy/modules/apps/telepathy.te b/policy/modules/apps/telepathy.te
index a6cb11d8..6b89128f 100644
--- a/policy/modules/apps/telepathy.te
+++ b/policy/modules/apps/telepathy.te
@@ -334,3 +334,13 @@ optional_policy(`
 optional_policy(`
 xserver_rw_xdm_pipes(telepathy_domain)
 ')
+
+
+# Just for F15
+optional_policy(`
+ gen_require(`
+ role unconfined_r;
+ ')
+
+ role unconfined_r types telepathy_domain;
+')
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 16635325..7f56ac0c 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -175,9 +175,9 @@ optional_policy(`
 sudo_role_template(staff, staff_r, staff_t)
 ')
-optional_policy(`
- telepathy_dbus_session_role(staff_r, staff_t)
-')
+#optional_policy(`
+# telepathy_dbus_session_role(staff_r, staff_t)
+#')
 optional_policy(`
 userhelper_console_role_template(staff, staff_r, staff_usertype)
diff --git a/policy/modules/roles/unconfineduser.te b/policy/modules/roles/unconfineduser.te
index 4cf791be..9f1eee0d 100644
--- a/policy/modules/roles/unconfineduser.te
+++ b/policy/modules/roles/unconfineduser.te
@@ -300,6 +300,7 @@ optional_policy(`
 gnomeclock_dbus_chat(unconfined_usertype)
 gnome_dbus_chat_gconfdefault(unconfined_usertype)
 gnome_filetrans_admin_home_content(unconfined_usertype)
+ gnome_command_domtrans_gkeyringd(unconfined_dbusd_t,unconfined_t)
 ')
 optional_policy(`
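Review bot: `allow $2 telepathy_executable:file entrypoint;` in `telepathy_command_domtrans` makes every file carrying the `telepathy_executable` attribute a valid entrypoint into `$2`, and the only caller in this commit passes `unconfined_t`. Telepathy programs started from `unconfined_dbusd_t` would therefore appear to run unconfined instead of in their `telepathy_*_t` domains. If that loss of confinement is intended, the doc block should say so; as written it still talks about "these filesystems" and "the ssh-agent policy". The inline comment `# needs to dbus chat with unconfined_t and unconfined_dbusd_t` names one caller's types inside a generic interface; something like `# $1 and $2 need to dbus chat with the telepathy domains` would fit the two calls below it, assuming that is what `telepathy_dbus_chat` grants.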
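Review bot: The `# Just for F15` block in telepathy.te authorises `unconfined_r` for every type in `telepathy_domain` without saying why it is needed or when it can be removed. The same commit drops `telepathy_dbus_session_role(unconfined_r, unconfined_t)` from unconfineduser.te, the template whose visible body contains `role $1 types telepathy_domain;`, so this block seems to restore only that role statement. The comment should state that and name the condition for deleting it, for example `# F15 only: keep unconfined_r valid for telepathy domains now that unconfineduser.te no longer calls telepathy_dbus_session_role`. Requiring a role owned by another module directly through `gen_require` is also worth a second look; an interface from the owning module would keep the dependency explicit.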
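Review bot: The telepathy block in staff.te is disabled by commenting it out rather than deleted, and the same is done in the xguest.te hunk, with no explanation in either place. If the call added to `userdom_restricted_xwindows_user_template` in the userdomain.if hunk now covers these roles, delete the three lines. If they are meant to return, add a comment such as `# disabled: telepathy_dbus_session_role is now called from userdom_restricted_xwindows_user_template`. Left as is, the dead code shows the old two-argument call, which no longer matches the template now that it uses `$3`.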
@@ -436,7 +437,7 @@ optional_policy(`
 ')
 optional_policy(`
- telepathy_dbus_session_role(unconfined_r, unconfined_t)
+ telepathy_command_domtrans(unconfined_dbusd_t, unconfined_t)
 ')
 optional_policy(`
diff --git a/policy/modules/roles/xguest.te b/policy/modules/roles/xguest.te
index 9d378550..4b5f1060 100644
--- a/policy/modules/roles/xguest.te
+++ b/policy/modules/roles/xguest.te
@@ -167,9 +167,9 @@ optional_policy(`
 corenet_tcp_connect_transproxy_port(xguest_usertype)
 ')
- optional_policy(`
- telepathy_dbus_session_role(xguest_r, xguest_t)
- ')
+ #optional_policy(`
+ # telepathy_dbus_session_role(xguest_r, xguest_t)
+ #')
 ')
 optional_policy(`
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index e2d6a338..73fd0820 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1081,6 +1081,9 @@ template(`userdom_restricted_xwindows_user_template',`
 # bug: #682499
 optional_policy(`
 gnome_read_usr_config($1_usertype)
+ gnome_role_gkeyringd($1, $1_r, $1_t)
+ # cjp: telepathy F15 bugs
+ telepathy_dbus_session_role($1_r, $1_t, $1)
 ')
 optional_policy(`
--
2.39.2
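Review bot: The call removed from xguest.te sat inside an enclosing block that closes on the context line `')` right after it, so xguest received the telepathy role only when that outer block applied; the opening of that block is outside the hunk. The replacement call added to `userdom_restricted_xwindows_user_template` carries no such condition, so if xguest is built from that template the grant becomes unconditional for the guest role. Confirm that this widening is intended and record the reason next to the commented-out lines, for example `# moved to userdom_restricted_xwindows_user_template; no longer conditional on the enclosing block`.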
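Review bot: In userdomain.if the two new calls are placed inside the existing `optional_policy` block that guards `gnome_read_usr_config($1_usertype)`, which ties the gnome and telepathy modules together. An optional block is dropped as a whole when any interface it calls is unavailable, so a build without the telepathy module would also lose the gnome rules, and the reverse. `telepathy_dbus_session_role($1_r, $1_t, $1)` should move into its own `optional_policy` block directly below this one. The comment `# cjp: telepathy F15 bugs` gives no bug number, unlike `# bug: #682499` above it; a reference would let the workaround be revisited. The template body continues outside the hunk.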