[selinux-policy: 2587/3172] pulseaudio patch from Dan Walsh

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:49:56 UTC 2010


commit 18683835fd8fa847cdf601290b1721286a5c9fc8
Author: Jeremy Solt <jsolt at tresys.com>
Date:   Tue Mar 23 15:51:04 2010 -0400

    pulseaudio patch from Dan Walsh
    
    Fixed template where it should have been interface
    Replaced read_home and manage_home interfaces with read_home_files, manage_home_files and reduced access
    Removed admin_dir reference
    Replaced rtkit_daemon_system_domain with rtkit_scheduled
    Fixed style / spacing issues

 policy/modules/apps/pulseaudio.fc |    8 ++++
 policy/modules/apps/pulseaudio.if |   74 +++++++++++++++++++++++++++++++++----
 policy/modules/apps/pulseaudio.te |   43 ++++++++++++++++++---
 3 files changed, 111 insertions(+), 14 deletions(-)
---
diff --git a/policy/modules/apps/pulseaudio.fc b/policy/modules/apps/pulseaudio.fc
index 5164058..630ca73 100644
--- a/policy/modules/apps/pulseaudio.fc
+++ b/policy/modules/apps/pulseaudio.fc
@@ -1 +1,9 @@
+HOME_DIR/\.pulse-cookie		gen_context(system_u:object_r:pulseaudio_home_t,s0)
+HOME_DIR/\.pulse(/.*)?		gen_context(system_u:object_r:pulseaudio_home_t,s0)
+
+/var/lib/pulse(/.*)?		gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
+
+/var/run/pulse(/.*)?		gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
+
 /usr/bin/pulseaudio	--	gen_context(system_u:object_r:pulseaudio_exec_t,s0)
+
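Review bot: `HOME_DIR/\.pulse-cookie` is given the same type as everything under `~/.pulse`, so the authentication cookie cannot be granted separately from ordinary client state. Any domain that is handed `pulseaudio_read_home_files` (added in pulseaudio.if) can therefore read the cookie as well. Either give the cookie a dedicated type, or state in the interface summaries that read access includes the cookie. The cookie entry could also carry a file-type specifier like the existing binary entry, `HOME_DIR/\.pulse-cookie	--	gen_context(system_u:object_r:pulseaudio_home_t,s0)`, so it only matches a regular file.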
diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if
index 2116903..0eacdcb 100644
--- a/policy/modules/apps/pulseaudio.if
+++ b/policy/modules/apps/pulseaudio.if
@@ -18,7 +18,7 @@
 interface(`pulseaudio_role',`
 	gen_require(`
 		type pulseaudio_t, pulseaudio_exec_t, print_spool_t;
-		class dbus { send_msg };
+		class dbus { acquire_svc send_msg };
 	')
 
 	role $1 types pulseaudio_t;
@@ -29,7 +29,7 @@ interface(`pulseaudio_role',`
 	ps_process_pattern($2, pulseaudio_t)
 
 	allow pulseaudio_t $2:process { signal signull };
-	allow $2 pulseaudio_t:process { signal signull };
+	allow $2 pulseaudio_t:process { signal signull sigkill };
 	ps_process_pattern(pulseaudio_t, $2)
 
 	allow pulseaudio_t $2:unix_stream_socket connectto;
@@ -40,7 +40,7 @@ interface(`pulseaudio_role',`
 	userdom_manage_tmpfs_role($1, pulseaudio_t)
 
 	allow $2 pulseaudio_t:dbus send_msg;
-	allow pulseaudio_t $2:dbus send_msg;
+	allow pulseaudio_t $2:dbus { acquire_svc send_msg };
 ')
 
 ########################################
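Review bot: The added `acquire_svc` in `allow pulseaudio_t $2:dbus { acquire_svc send_msg };` targets the user domain `$2`. As far as I know, name ownership is checked against the context of the bus (or the context configured for the name), not against a peer client. If the session bus runs in its own type, this permission is probably never exercised, and `dbus_connect_session_bus(pulseaudio_t)` in pulseaudio.te appears to be the rule that matters. If it is needed because the bus can run in `$2` itself, a comment above the rule should say so, e.g. `# session bus may run directly in the user domain`. The body of `pulseaudio_role` starts outside this hunk, so earlier rules were not reviewed.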
@@ -98,7 +98,7 @@ interface(`pulseaudio_run',`
 #
 interface(`pulseaudio_exec',`
 	gen_require(`
-                type pulseaudio_exec_t;
+		type pulseaudio_exec_t;
 	')
 
 	can_exec($1,pulseaudio_exec_t)
@@ -127,20 +127,78 @@ interface(`pulseaudio_dbus_chat',`
 
 ########################################
 ## <summary>
-##	pulsaudio connection template.
+##	Read pulseaudio homedir files 
 ## </summary>
 ## <param name="user_domain">
 ##	<summary>
-##	The type of the user domain.
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pulseaudio_read_home_files',`
+	gen_require(`
+		type pulseaudio_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+')
+
+########################################
+## <summary>
+##	Manage pulseaudio homedir files
+## </summary>
+## <param name="user_domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pulseaudio_manage_home_files',`
+	gen_require(`
+		type pulseaudio_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+')
+
+########################################
+## <summary>
+##	Allow domain to setattr on pulseaudio homedir
+## </summary>
+## <param name="user_domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pulseaudio_setattr_home_dir',`
+	gen_require(`
+		type pulseaudio_home_t;
+	')
+
+	allow $1 pulseaudio_home_t:dir setattr;
+')
+
+#####################################
+## <summary>
+##	Connect to pulseaudio over a unix domain
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`pulseaudio_stream_connect',`
 	gen_require(`
-		type pulseaudio_t;
+		type pulseaudio_t, pulseaudio_var_run_t;
 	')
 
+	files_search_pids($1)
 	allow $1 pulseaudio_t:process signull;
 	allow pulseaudio_t $1:process signull;
-	allow $1 pulseaudio_t:unix_stream_socket connectto;
+	stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t)
 ')
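Review bot: `pulseaudio_setattr_home_dir` grants `setattr` on the directory but, unlike `pulseaudio_read_home_files` and `pulseaudio_manage_home_files` above it, does not call `userdom_search_user_home_dirs($1)`. A caller that cannot already search the user home directory cannot reach `~/.pulse` to use the permission. Adding `userdom_search_user_home_dirs($1)` before the allow rule would make the interface self-contained. The three new interfaces also keep `<param name="user_domain">` although the text is now "Domain allowed access."; `pulseaudio_stream_connect` in this same hunk was switched to `name="domain"`, and the others should match. The new summary line `Read pulseaudio homedir files ` also ends in trailing whitespace.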
diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
index 1d0dded..48f7d91 100644
--- a/policy/modules/apps/pulseaudio.te
+++ b/policy/modules/apps/pulseaudio.te
@@ -8,24 +8,51 @@ policy_module(pulseaudio, 1.1.1)
 
 type pulseaudio_t;
 type pulseaudio_exec_t;
+init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
 application_domain(pulseaudio_t, pulseaudio_exec_t)
 role system_r types pulseaudio_t;
 
+type pulseaudio_home_t;
+userdom_user_home_content(pulseaudio_home_t)
+
+type pulseaudio_tmpfs_t;
+files_tmpfs_file(pulseaudio_tmpfs_t)
+
+type pulseaudio_var_lib_t;
+files_type(pulseaudio_var_lib_t)
+
+type pulseaudio_var_run_t;
+files_pid_file(pulseaudio_var_run_t)
+
 ########################################
 #
 # pulseaudio local policy
 #
-
+allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config };
 allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull };
 allow pulseaudio_t self:fifo_file rw_file_perms;
-allow pulseaudio_t self:unix_stream_socket create_stream_socket_perms;
+allow pulseaudio_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms };
 allow pulseaudio_t self:tcp_socket create_stream_socket_perms;
 allow pulseaudio_t self:udp_socket create_socket_perms;
 allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
 
+userdom_search_user_home_dirs(pulseaudio_t)
+manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
+manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
+
+manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
+manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
+files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
+
+manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
+manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
+manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
+files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file })
+
 can_exec(pulseaudio_t, pulseaudio_exec_t)
 
+kernel_getattr_proc(pulseaudio_t)
 kernel_read_system_state(pulseaudio_t)
 kernel_read_kernel_sysctls(pulseaudio_t)
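Review bot: The home-directory block gives pulseaudio_t search and manage rules for pulseaudio_home_t but no type transition, whereas the `/var/lib` and `/var/run` blocks below it get `files_var_lib_filetrans` and `files_pid_filetrans`. Unless a transition exists outside this hunk, a first-run `~/.pulse` or `~/.pulse-cookie` created by the daemon would either be denied or end up with the generic home label until relabelled. Consider `userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, { dir file })` after the manage rules. Separately, the new `allow pulseaudio_t self:capability { ... }` line grants eight capabilities with no comment. A line stating which mode needs them (presumably system-wide mode, given `init_daemon_domain`) would let a later reviewer tighten the set.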
 
@@ -67,10 +94,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	gnome_manage_config(pulseaudio_t)
-')
-
-optional_policy(`
+	dbus_system_domain(pulseaudio_t, pulseaudio_exec_t)
 	dbus_system_bus_client(pulseaudio_t)
 	dbus_session_bus_client(pulseaudio_t)
 	dbus_connect_session_bus(pulseaudio_t)
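Review bot: `dbus_system_domain(pulseaudio_t, pulseaudio_exec_t)` is added with no comment saying it is for system-wide mode, yet it shares the block with the session-bus client rules and `pulseaudio_role` in pulseaudio.if still runs per-user instances in the same type. The policy then cannot distinguish a system-mode daemon from a session instance, and every rule written for one applies to the other. If a single type is intended, a comment above the line would record that, e.g. `# system-wide mode: allow activation from the system bus`. Otherwise a separate domain for system mode would keep the session instance closer to least privilege. The enclosing `optional_policy` block continues past the end of this hunk.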
@@ -93,6 +117,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	rtkit_scheduled(pulseaudio_t)
+')
+
+optional_policy(`
 	policykit_domtrans_auth(pulseaudio_t)
 	policykit_read_lib(pulseaudio_t)
 	policykit_read_reload(pulseaudio_t)
@@ -103,6 +131,9 @@ optional_policy(`
 ')
 
 optional_policy(`
+	xserver_stream_connect(pulseaudio_t)
 	xserver_manage_xdm_tmp_files(pulseaudio_t)
 	xserver_read_xdm_lib_files(pulseaudio_t)
+	xserver_read_xdm_pid(pulseaudio_t)
+	xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
 ')

