[selinux-policy: 2157/3172] add pulseaudio from dan.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:11:41 UTC 2010
commit 9b1907b217cb4c4d508b5130fcb6267e38182642
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Tue Jul 21 10:05:38 2009 -0400
add pulseaudio from dan.
Changelog | 1 +
policy/modules/apps/pulseaudio.fc | 1 +
policy/modules/apps/pulseaudio.if | 145 +++++++++++++++++++++++++++++++
policy/modules/apps/pulseaudio.te | 92 +++++++++++++++++++
policy/modules/kernel/corenetwork.te.in | 1 +
5 files changed, 240 insertions(+), 0 deletions(-)
---
diff --git a/Changelog b/Changelog
index f4ab837..ea6ab0b 100644
--- a/Changelog
+++ b/Changelog
@@ -29,6 +29,7 @@
pads (Dan Walsh)
pingd (Dan Walsh)
policykit (Dan Walsh)
+ pulseaudio (Dan Walsh)
psad (Dan Walsh)
portreserve (Dan Walsh)
sssd (Dan Walsh)
diff --git a/policy/modules/apps/pulseaudio.fc b/policy/modules/apps/pulseaudio.fc
new file mode 100644
index 0000000..5164058
--- /dev/null
+++ b/policy/modules/apps/pulseaudio.fc
@@ -0,0 +1 @@
+/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if
new file mode 100644
index 0000000..e6d88c4
--- /dev/null
+++ b/policy/modules/apps/pulseaudio.if
@@ -0,0 +1,145 @@
+## <summary>Pulseaudio network sound server.</summary>
+
+########################################
+## <summary>
+## Role access for pulseaudio
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`pulseaudio_role',`
+ gen_require(`
+ type pulseaudio_t, pulseaudio_exec_t, print_spool_t;
+ class dbus { send_msg };
+ ')
+
+ role $1 types pulseaudio_t;
+
+ # Transition from the user domain to the derived domain.
+ domtrans_pattern($2, pulseaudio_exec_t, pulseaudio_t)
+
+ ps_process_pattern($2, pulseaudio_t)
+
+ allow pulseaudio_t $2:process { signal signull };
+ allow $2 pulseaudio_t:process { signal signull };
+ ps_process_pattern(pulseaudio_t, $2)
+
+ allow pulseaudio_t $2:unix_stream_socket connectto;
+ allow $2 pulseaudio_t:unix_stream_socket connectto;
+
+ userdom_manage_home_role($1, pulseaudio_t)
+ userdom_manage_tmp_role($1, pulseaudio_t)
+ userdom_manage_tmpfs_role($1, pulseaudio_t)
+
+ allow $2 pulseaudio_t:dbus send_msg;
+ allow pulseaudio_t $2:dbus send_msg;
+')
+
+########################################
+## <summary>
+## Execute a domain transition to run pulseaudio.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_domtrans',`
+ gen_require(`
+ type pulseaudio_t, pulseaudio_exec_t;
+ ')
+
+ domtrans_pattern($1,pulseaudio_exec_t,pulseaudio_t)
+')
+
+########################################
+## <summary>
+## Execute pulseaudio in the pulseaudio domain, and
+## allow the specified role the pulseaudio domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed the pulseaudio domain.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_run',`
+ gen_require(`
+ type pulseaudio_t;
+ ')
+
+ pulseaudio_domtrans($1)
+ role $2 types pulseaudio_t;
+')
+
+########################################
+## <summary>
+## Execute a pulseaudio in the current domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_exec',`
+ gen_require(`
+ type pulseaudio_exec_t;
+ ')
+
+ can_exec($1,pulseaudio_exec_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## pulseaudio over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_dbus_chat',`
+ gen_require(`
+ type pulseaudio_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 pulseaudio_t:dbus send_msg;
+ allow pulseaudio_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+## pulsaudio connection template.
+## </summary>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_stream_connect',`
+ gen_require(`
+ type pulseaudio_t;
+ ')
+
+ allow $1 pulseaudio_t:process signull;
+ allow $1 pulseaudio_t:unix_stream_socket connectto;
+')
diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
new file mode 100644
index 0000000..542f4a9
--- /dev/null
+++ b/policy/modules/apps/pulseaudio.te
@@ -0,0 +1,92 @@
+
+policy_module(pulseaudio,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type pulseaudio_t;
+type pulseaudio_exec_t;
+application_domain(pulseaudio_t, pulseaudio_exec_t)
+role system_r types pulseaudio_t;
+
+########################################
+#
+# pulseaudio local policy
+#
+
+allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull };
+allow pulseaudio_t self:fifo_file rw_file_perms;
+allow pulseaudio_t self:unix_stream_socket create_stream_socket_perms;
+allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms };
+allow pulseaudio_t self:tcp_socket create_stream_socket_perms;
+allow pulseaudio_t self:udp_socket create_socket_perms;
+
+kernel_read_kernel_sysctls(pulseaudio_t)
+
+corecmd_exec_bin(pulseaudio_t)
+
+corenet_all_recvfrom_unlabeled(pulseaudio_t)
+corenet_all_recvfrom_netlabel(pulseaudio_t)
+corenet_tcp_bind_pulseaudio_port(pulseaudio_t)
+corenet_tcp_bind_soundd_port(pulseaudio_t)
+corenet_tcp_sendrecv_generic_if(pulseaudio_t)
+corenet_tcp_sendrecv_generic_node(pulseaudio_t)
+corenet_udp_bind_sap_port(pulseaudio_t)
+corenet_udp_sendrecv_generic_if(pulseaudio_t)
+corenet_udp_sendrecv_generic_node(pulseaudio_t)
+
+dev_read_sound(pulseaudio_t)
+dev_write_sound(pulseaudio_t)
+dev_read_sysfs(pulseaudio_t)
+dev_read_urand(pulseaudio_t)
+
+files_read_etc_files(pulseaudio_t)
+files_read_usr_files(pulseaudio_t)
+
+fs_rw_anon_inodefs_files(pulseaudio_t)
+fs_getattr_tmpfs(pulseaudio_t)
+
+term_use_all_user_ttys(pulseaudio_t)
+term_use_all_user_ptys(pulseaudio_t)
+
+auth_use_nsswitch(pulseaudio_t)
+
+logging_send_syslog_msg(pulseaudio_t)
+
+miscfiles_read_localization(pulseaudio_t)
+
+optional_policy(`
+ gnome_manage_config(pulseaudio_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(pulseaudio_t)
+ dbus_session_bus_client(pulseaudio_t)
+
+ optional_policy(`
+ consolekit_dbus_chat(pulseaudio_t)
+ ')
+
+ optional_policy(`
+ hal_dbus_chat(pulseaudio_t)
+ ')
+')
+
+optional_policy(`
+ policykit_domtrans_auth(pulseaudio_t)
+ policykit_read_lib(pulseaudio_t)
+ policykit_read_reload(pulseaudio_t)
+')
+
+optional_policy(`
+ udev_read_db(pulseaudio_t)
+')
+
+optional_policy(`
+ xserver_read_xdm_pid(pulseaudio_t)
+ xserver_manage_xdm_tmp_files(pulseaudio_t)
+ xserver_read_xdm_lib_files(pulseaudio_t)
+')
+
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 4b1ad9d..b470501 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -168,6 +168,7 @@ network_port(router, udp,520,s0, udp,521,s0, tcp,521,s0)
network_port(rsh, tcp,514,s0)
network_port(rsync, tcp,873,s0, udp,873,s0)
network_port(rwho, udp,513,s0)
+network_port(sap, tcp,9875,s0, udp,9875,s0)
network_port(smbd, tcp,137-139,s0, tcp,445,s0)
network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
More information about the scm-commits
mailing list