[selinux-policy: 1088/3172] add alsa

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:38:53 UTC 2010 

commit de8af9dc65d59ab84ab44d74b9651eaaef00fda8
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Jan 12 16:00:55 2006 +0000

    add alsa

 refpolicy/Changelog                           |    1 +
 refpolicy/policy/modules/admin/alsa.fc        |    4 ++
 refpolicy/policy/modules/admin/alsa.if        |   55 +++++++++++++++++++++++++
 refpolicy/policy/modules/admin/alsa.te        |   50 ++++++++++++++++++++++
 refpolicy/policy/modules/system/userdomain.if |   33 +++++++++++++++
 5 files changed, 143 insertions(+), 0 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index f5cd8e6..87a20aa 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -5,6 +5,7 @@
 - Add swat to samba module.
 - Numerous miscellaneous fixes from Dan Walsh.
 - Added modules:
+	alsa
 	automount
 	ddcprobe
 	fetchmail
diff --git a/refpolicy/policy/modules/admin/alsa.fc b/refpolicy/policy/modules/admin/alsa.fc
new file mode 100644
index 0000000..99c414d
--- /dev/null
+++ b/refpolicy/policy/modules/admin/alsa.fc
@@ -0,0 +1,4 @@
+
+/etc/alsa/pcm(/.*)?		gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+
+/usr/bin/ainit 		--	gen_context(system_u:object_r:alsa_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/alsa.if b/refpolicy/policy/modules/admin/alsa.if
new file mode 100644
index 0000000..0150f97
--- /dev/null
+++ b/refpolicy/policy/modules/admin/alsa.if
@@ -0,0 +1,55 @@
+## <summary>Ainit ALSA configuration tool</summary>
+
+########################################
+## <summary>
+##	Domain transition to alsa
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`alsa_domtrans',`
+	gen_require(`
+		type alsa_t;
+		type alsa_exec_t;
+	')
+
+	domain_auto_trans($1, alsa_exec_t, alsa_t)
+
+	allow $1 alsa_t:fd use;
+	allow alsa_t $1:fd use;
+	allow alsa_t $1:fifo_file rw_file_perms;
+	allow alsa_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Allow read and write access to alsa semaphores.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`alsa_rw_semaphores',`
+	gen_require(`
+		type alsa_t;
+	')
+
+	allow $1 alsa_t:sem { unix_read unix_write associate read write };
+')
+
+########################################
+## <summary>
+##	Allow read and write access to alsa shared memory.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`alsa_rw_shared_mem',`
+	gen_require(`
+		type alsa_t;
+	')
+
+	allow $1 alsa_t:shm { unix_read unix_write create_shm_perms };
+')
diff --git a/refpolicy/policy/modules/admin/alsa.te b/refpolicy/policy/modules/admin/alsa.te
new file mode 100644
index 0000000..10de00f
--- /dev/null
+++ b/refpolicy/policy/modules/admin/alsa.te
@@ -0,0 +1,50 @@
+
+policy_module(alsa,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type alsa_t;
+type alsa_exec_t;
+domain_type(alsa_t)
+domain_entry_file(alsa_t, alsa_exec_t)
+role system_r types alsa_t;
+
+type alsa_etc_rw_t;
+files_type(alsa_etc_rw_t)
+
+########################################
+#
+# Local policy
+#
+
+allow alsa_t self:capability { setgid setuid ipc_owner };
+dontaudit alsa_t self:capability sys_admin;
+allow alsa_t self:sem create_sem_perms;
+allow alsa_t self:shm create_shm_perms;
+allow alsa_t self:unix_stream_socket create_stream_socket_perms;
+allow alsa_t self:unix_dgram_socket create_socket_perms;
+
+allow alsa_t alsa_etc_rw_t:dir rw_dir_perms;
+allow alsa_t alsa_etc_rw_t:file create_file_perms;
+allow alsa_t alsa_etc_rw_t:lnk_file create_lnk_perms;
+
+files_read_etc_files(alsa_t)
+
+term_use_generic_pty(alsa_t)
+
+libs_use_ld_so(alsa_t)
+libs_use_shared_libs(alsa_t)
+
+logging_send_syslog_msg(alsa_t)
+
+miscfiles_read_localization(alsa_t)
+
+userdom_manage_unpriv_user_semaphores(alsa_t)
+userdom_manage_unpriv_user_shared_mem(alsa_t)
+
+optional_policy(`nscd',`
+	nscd_use_socket(alsa_t)
+')
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 108cd43..5e8392f 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -1650,6 +1650,39 @@ interface(`userdom_spec_domtrans_unpriv_users',`
 
 ########################################
 ## <summary>
+##	Manage unpriviledged user SysV sempaphores.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_manage_unpriv_user_semaphores',`
+	gen_require(`
+		attribute unpriv_userdomain;
+	')
+
+	allow $1 unpriv_userdomain:sem create_sem_perms;
+')
+
+########################################
+## <summary>
+##	Manage unpriviledged user SysV shared
+##	memory segments.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`userdom_manage_unpriv_user_shared_mem',`
+	gen_require(`
+		attribute unpriv_userdomain;
+	')
+
+	allow $1 unpriv_userdomain:shm create_shm_perms;
+')
+
+########################################
+## <summary>
 ##	Execute a shell in the sysadm domain.
 ## </summary>
 ## <param name="domain">

More information about the scm-commits mailing list