From 77ed833ba2148dc4fce95693730d818a0808b57c Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Sun, 8 Aug 2021 12:49:44 -0400
Subject: [PATCH] wm, roles: use user exec domain attribute
Signed-off-by: Kenton Groombridge
---
 policy/modules/apps/wm.if | 37 ++++++++++++++++++-----------
 policy/modules/roles/staff.te | 2 +-
 policy/modules/roles/sysadm.te | 2 +-
 policy/modules/roles/unprivuser.te | 2 +-
 policy/modules/system/userdomain.if | 2 +-
 5 files changed, 27 insertions(+), 18 deletions(-)
diff --git a/policy/modules/apps/wm.if b/policy/modules/apps/wm.if
index d9cea6c3b..1df1dcbb8 100644
--- a/policy/modules/apps/wm.if
+++ b/policy/modules/apps/wm.if
@@ -12,18 +12,23 @@
 ##
 ##
 ##
-## The prefix of the user domain (e.g., user
-## is the prefix for user_t).
-##
-##
-##
-##
-## The role associated with the user domain.
+## The prefix of the user role (e.g., user
+## is the prefix for user_r).
 ##
 ##
 ##
 ##
-## The type of the user domain.
+## User domain for the role.
+##
+##
+##
+##
+## User exec domain for execute and transition access.
+##
+##
+##
+##
+## Role allowed access
 ##
 ##
 #
@@ -41,7 +46,7 @@ template(`wm_role_template',`
 type $1_wm_t, wm_domain;
 userdom_application_exec_domain($1_wm_t, $1)
 userdom_user_application_domain($1_wm_t, wm_exec_t)
- role $2 types $1_wm_t;
+ role $4 types $1_wm_t;
 ########################################
 #
@@ -60,8 +65,8 @@ template(`wm_role_template',`
 domtrans_pattern($3, wm_exec_t, $1_wm_t)
- corecmd_bin_domtrans($1_wm_t, $3)
- corecmd_shell_domtrans($1_wm_t, $3)
+ corecmd_bin_domtrans($1_wm_t, $2)
+ corecmd_shell_domtrans($1_wm_t, $2)
 mls_file_read_all_levels($1_wm_t)
 mls_file_write_all_levels($1_wm_t)
@@ -71,7 +76,7 @@ template(`wm_role_template',`
 auth_use_nsswitch($1_wm_t)
- xserver_role($2, $1_wm_t)
+ xserver_role($1, $1_wm_t, $3, $4)
 xserver_manage_core_devices($1_wm_t)
 wm_write_pipes($1, $3)
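Review bot: The new summary for the third parameter, `User exec domain for execute and transition access.`, does not say that callers pass an attribute rather than a single type; the role modules later in this patch pass `staff_application_exec_domain`, `sysadm_application_exec_domain` and `user_application_exec_domain`. Since the unchanged `domtrans_pattern($3, wm_exec_t, $1_wm_t)` grants entry into the window manager domain to whatever `$3` names, I would word it as `User exec domain attribute; every type carrying it may execute wm_exec_t and transition to the window manager domain.` so the reach of the grant is visible at the interface. The fourth summary, `Role allowed access`, is also missing the full stop that the other summaries end with.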
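Review bot: The positional parameters are permuted in this template (`$2` was the role and is now the user domain, `$3` was the user domain and is now the exec domain attribute), so any statement that kept `$2` or `$3` changes meaning without showing up as a changed line. The context lines `domtrans_pattern($3, wm_exec_t, $1_wm_t)` in the `-60,8` hunk and `wm_write_pipes($1, $3)` in the `-71,7` hunk now apply to every member of the attribute. That is presumably intended, but the template body continues outside these hunks and the remaining `$2`/`$3` uses there should be checked the same way. A comment above the transition rule, for example `# $3 is the user exec domain attribute: all of its members may enter $1_wm_t`, would record that attribute membership is what bounds entry into the window manager domain.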
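Review bot: `xserver_role($1, $1_wm_t, $3, $4)` in the `-71,7` hunk uses a four-argument form, but `xserver.if` is not among the five files in this patch's diffstat. The call therefore only expands as intended if an earlier commit in the series has already changed that interface; against the old two-argument macro the prefix would land where a role is expected. Naming that dependency in the commit message would keep the series buildable at every step when bisecting.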
@@ -95,12 +100,16 @@ template(`wm_role_template',`
 ')
 optional_policy(`
- policykit_run_auth($1_wm_t, $2)
+ policykit_run_auth($1_wm_t, $4)
 policykit_signal_auth($1_wm_t)
 ')
 optional_policy(`
- pulseaudio_run($1_wm_t, $2)
+ pulseaudio_run($1_wm_t, $4)
+ ')
+
+ optional_policy(`
+ systemd_user_app_status($1, $1_wm_t)
 ')
 ')
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 4f17f9cd6..6c6612cd1 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -207,6 +207,6 @@ ifndef(`distro_redhat',`
 ')
 optional_policy(`
- wm_role_template(staff, staff_r, staff_t)
+ wm_role_template(staff, staff_t, staff_application_exec_domain, staff_r)
 ')
 ')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 3c4f5b14c..49ec421e9 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -1262,6 +1262,6 @@ ifndef(`distro_redhat',`
 ')
 optional_policy(`
- wm_role_template(sysadm, sysadm_r, sysadm_t)
+ wm_role_template(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r)
 ')
 ')
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index dcd5bb413..fa2fb0375 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -191,6 +191,6 @@ ifndef(`distro_redhat',`
 ')
 optional_policy(`
- wm_role_template(user, user_r, user_t)
+ wm_role_template(user, user_t, user_application_exec_domain, user_r)
 ')
 ')
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 6e6d21429..142eb19ff 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1137,7 +1137,7 @@ template(`userdom_restricted_xwindows_user_template',`
 ')
 optional_policy(`
- wm_role_template($1, $1_r, $1_t)
+ wm_role_template($1, $1_t, $1_application_exec_domain, $1_r)
 ')
 ')
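Review bot: The added `optional_policy` block calling `systemd_user_app_status($1, $1_wm_t)` at the end of the `-95,12` hunk is a new access grant for the window manager domain, and the subject line (`use user exec domain attribute`) does not cover it. I would either move it to its own commit or mention it in the message, so that a later policy audit can trace why the grant exists. A short comment above the call would also help, for example `# needed when the window manager runs under the systemd user instance`, if that is the reason.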