[selinux-policy: 2157/3172] add pulseaudio from dan.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:11:41 UTC 2010


commit 9b1907b217cb4c4d508b5130fcb6267e38182642
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Jul 21 10:05:38 2009 -0400

    add pulseaudio from dan.

 Changelog                               |    1 +
 policy/modules/apps/pulseaudio.fc       |    1 +
 policy/modules/apps/pulseaudio.if       |  145 +++++++++++++++++++++++++++++++
 policy/modules/apps/pulseaudio.te       |   92 +++++++++++++++++++
 policy/modules/kernel/corenetwork.te.in |    1 +
 5 files changed, 240 insertions(+), 0 deletions(-)
---
diff --git a/Changelog b/Changelog
index f4ab837..ea6ab0b 100644
--- a/Changelog
+++ b/Changelog
@@ -29,6 +29,7 @@
 	pads (Dan Walsh)
 	pingd (Dan Walsh)
 	policykit (Dan Walsh)
+	pulseaudio (Dan Walsh)
 	psad (Dan Walsh)
 	portreserve (Dan Walsh)
 	sssd (Dan Walsh)
diff --git a/policy/modules/apps/pulseaudio.fc b/policy/modules/apps/pulseaudio.fc
new file mode 100644
index 0000000..5164058
--- /dev/null
+++ b/policy/modules/apps/pulseaudio.fc
@@ -0,0 +1 @@
+/usr/bin/pulseaudio	--	gen_context(system_u:object_r:pulseaudio_exec_t,s0)
diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if
new file mode 100644
index 0000000..e6d88c4
--- /dev/null
+++ b/policy/modules/apps/pulseaudio.if
@@ -0,0 +1,145 @@
+## <summary>Pulseaudio network sound server.</summary>
+
+########################################
+## <summary>
+##	Role access for pulseaudio
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+## <param name="domain">
+##	<summary>
+##	User domain for the role
+##	</summary>
+## </param>
+#
+interface(`pulseaudio_role',`
+	gen_require(`
+		type pulseaudio_t, pulseaudio_exec_t, print_spool_t;
+		class dbus { send_msg };
+	')
+
+	role $1 types pulseaudio_t;
+
+	# Transition from the user domain to the derived domain.
+	domtrans_pattern($2, pulseaudio_exec_t, pulseaudio_t)
+
+	ps_process_pattern($2, pulseaudio_t)
+
+	allow pulseaudio_t $2:process { signal signull };
+	allow $2 pulseaudio_t:process { signal signull };
+	ps_process_pattern(pulseaudio_t, $2)
+
+	allow pulseaudio_t $2:unix_stream_socket connectto;
+	allow $2 pulseaudio_t:unix_stream_socket connectto;
+
+	userdom_manage_home_role($1, pulseaudio_t)
+	userdom_manage_tmp_role($1, pulseaudio_t)
+	userdom_manage_tmpfs_role($1, pulseaudio_t)
+
+	allow $2 pulseaudio_t:dbus send_msg;
+	allow pulseaudio_t $2:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run pulseaudio.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_domtrans',`
+	gen_require(`
+		type pulseaudio_t, pulseaudio_exec_t;
+	')
+
+	domtrans_pattern($1,pulseaudio_exec_t,pulseaudio_t)
+')
+
+########################################
+## <summary>
+##	Execute pulseaudio in the pulseaudio domain, and
+##	allow the specified role the pulseaudio domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed the pulseaudio domain.
+##	</summary>
+## </param>
+#
+interface(`pulseaudio_run',`
+	gen_require(`
+		type pulseaudio_t;
+	')
+
+	pulseaudio_domtrans($1)
+	role $2 types pulseaudio_t;
+')
+
+########################################
+## <summary>
+##	Execute a pulseaudio in the current domain
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_exec',`
+	gen_require(`
+                type pulseaudio_exec_t;
+	')
+
+	can_exec($1,pulseaudio_exec_t)
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	pulseaudio over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pulseaudio_dbus_chat',`
+	gen_require(`
+		type pulseaudio_t;
+		class dbus send_msg;
+	')
+
+	allow $1 pulseaudio_t:dbus send_msg;
+	allow pulseaudio_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##	pulsaudio connection template.
+## </summary>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+#
+interface(`pulseaudio_stream_connect',`
+	gen_require(`
+		type pulseaudio_t;
+	')
+
+	allow $1 pulseaudio_t:process signull;
+	allow $1 pulseaudio_t:unix_stream_socket connectto;
+')
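Review bot: `pulseaudio_role` requires `print_spool_t` in its `gen_require` block but never references it anywhere in the body, so every caller of this interface picks up a dependency on the printing module's type for no reason; drop it so the line reads `type pulseaudio_t, pulseaudio_exec_t;`. The two dbus requires are written differently (`class dbus { send_msg };` in `pulseaudio_role`, `class dbus send_msg;` in `pulseaudio_dbus_chat`); both forms are accepted, but one should be used throughout the file. The summary of `pulseaudio_stream_connect` reads "pulsaudio connection template", which is misspelled and describes it as a template although it is an interface; a clearer summary is `Connect to pulseaudio over a unix stream socket.` with the parameter named `domain` to match the other interfaces. The `gen_require` in `pulseaudio_exec` is indented with spaces where the rest of the file uses tabs.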
diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
new file mode 100644
index 0000000..542f4a9
--- /dev/null
+++ b/policy/modules/apps/pulseaudio.te
@@ -0,0 +1,92 @@
+
+policy_module(pulseaudio,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type pulseaudio_t;
+type pulseaudio_exec_t;
+application_domain(pulseaudio_t, pulseaudio_exec_t)
+role system_r types pulseaudio_t;
+
+########################################
+#
+# pulseaudio local policy
+#
+
+allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull };
+allow pulseaudio_t self:fifo_file rw_file_perms;
+allow pulseaudio_t self:unix_stream_socket create_stream_socket_perms;
+allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms };
+allow pulseaudio_t self:tcp_socket create_stream_socket_perms;
+allow pulseaudio_t self:udp_socket create_socket_perms;
+
+kernel_read_kernel_sysctls(pulseaudio_t)
+
+corecmd_exec_bin(pulseaudio_t)
+
+corenet_all_recvfrom_unlabeled(pulseaudio_t)
+corenet_all_recvfrom_netlabel(pulseaudio_t)
+corenet_tcp_bind_pulseaudio_port(pulseaudio_t)
+corenet_tcp_bind_soundd_port(pulseaudio_t)
+corenet_tcp_sendrecv_generic_if(pulseaudio_t)
+corenet_tcp_sendrecv_generic_node(pulseaudio_t)
+corenet_udp_bind_sap_port(pulseaudio_t)
+corenet_udp_sendrecv_generic_if(pulseaudio_t)
+corenet_udp_sendrecv_generic_node(pulseaudio_t)
+
+dev_read_sound(pulseaudio_t)
+dev_write_sound(pulseaudio_t)
+dev_read_sysfs(pulseaudio_t)
+dev_read_urand(pulseaudio_t)
+
+files_read_etc_files(pulseaudio_t)
+files_read_usr_files(pulseaudio_t)
+
+fs_rw_anon_inodefs_files(pulseaudio_t)
+fs_getattr_tmpfs(pulseaudio_t)
+
+term_use_all_user_ttys(pulseaudio_t)
+term_use_all_user_ptys(pulseaudio_t)
+
+auth_use_nsswitch(pulseaudio_t)
+
+logging_send_syslog_msg(pulseaudio_t)
+
+miscfiles_read_localization(pulseaudio_t)
+
+optional_policy(`
+	gnome_manage_config(pulseaudio_t)
+')
+
+optional_policy(`
+	dbus_system_bus_client(pulseaudio_t)
+	dbus_session_bus_client(pulseaudio_t)
+
+	optional_policy(`
+		consolekit_dbus_chat(pulseaudio_t)
+	')
+
+	optional_policy(`
+		hal_dbus_chat(pulseaudio_t)
+	')
+')
+
+optional_policy(`
+	policykit_domtrans_auth(pulseaudio_t)
+	policykit_read_lib(pulseaudio_t)
+	policykit_read_reload(pulseaudio_t)
+')
+
+optional_policy(`
+	udev_read_db(pulseaudio_t)
+')
+
+optional_policy(`
+	xserver_read_xdm_pid(pulseaudio_t)
+	xserver_manage_xdm_tmp_files(pulseaudio_t)
+	xserver_read_xdm_lib_files(pulseaudio_t)
+')
+
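Review bot: The port binds (`corenet_tcp_bind_pulseaudio_port`, `corenet_tcp_bind_soundd_port`, `corenet_udp_bind_sap_port`) are not paired with a node bind, so the listening sockets will still be denied `node_bind` in enforcing mode; add `corenet_tcp_bind_generic_node(pulseaudio_t)` and `corenet_udp_bind_generic_node(pulseaudio_t)` ahead of them. Whether a pulseaudio port is already declared in corenetwork.te.in cannot be confirmed from this commit, which only adds the `sap` port; if it is not, `corenet_tcp_bind_pulseaudio_port` will not resolve. `term_use_all_user_ttys` and `term_use_all_user_ptys` give the domain read/write on every user's terminal, which is broad for a per-session daemon entered from a user domain via `pulseaudio_role`; `userdom_use_user_terminals(pulseaudio_t)` is the narrower conventional grant and is worth trying first. Style: `policy_module(pulseaudio,1.0.0)` lacks the space after the comma used elsewhere in the module, and the file both begins and ends with a blank line.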
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 4b1ad9d..b470501 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -168,6 +168,7 @@ network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0)
 network_port(rsh, tcp,514,s0)
 network_port(rsync, tcp,873,s0, udp,873,s0)
 network_port(rwho, udp,513,s0)
+network_port(sap, tcp,9875,s0, udp,9875,s0)
 network_port(smbd, tcp,137-139,s0, tcp,445,s0)
 network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
 network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)

