[selinux-policy: 2589/3172] Tweaks on pulseaudio 1868383, ksmtuned d279dd6, and smokeping f3c346c.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:50:06 UTC 2010


commit ad0071bbe4ea6062fa8245510e1b5c1588d8bcc9
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Mon Mar 29 09:19:40 2010 -0400

    Tweaks on pulseaudio 1868383, ksmtuned d279dd6, and smokeping f3c346c.

 policy/modules/apps/pulseaudio.fc    |    6 +--
 policy/modules/apps/pulseaudio.if    |   69 +++++++++++++++++-----------------
 policy/modules/apps/pulseaudio.te    |    3 +-
 policy/modules/services/ksmtuned.if  |    8 +--
 policy/modules/services/ksmtuned.te  |   10 +---
 policy/modules/services/smokeping.fc |    2 -
 policy/modules/services/smokeping.if |    7 +--
 policy/modules/services/smokeping.te |   12 +++---
 8 files changed, 54 insertions(+), 63 deletions(-)
---
diff --git a/policy/modules/apps/pulseaudio.fc b/policy/modules/apps/pulseaudio.fc
index 630ca73..84f23dc 100644
--- a/policy/modules/apps/pulseaudio.fc
+++ b/policy/modules/apps/pulseaudio.fc
@@ -1,9 +1,7 @@
 HOME_DIR/\.pulse-cookie		gen_context(system_u:object_r:pulseaudio_home_t,s0)
 HOME_DIR/\.pulse(/.*)?		gen_context(system_u:object_r:pulseaudio_home_t,s0)
 
-/var/lib/pulse(/.*)?		gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
-
-/var/run/pulse(/.*)?		gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
-
 /usr/bin/pulseaudio	--	gen_context(system_u:object_r:pulseaudio_exec_t,s0)
 
+/var/lib/pulse(/.*)?		gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
+/var/run/pulse(/.*)?		gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if
index 0eacdcb..95448d9 100644
--- a/policy/modules/apps/pulseaudio.if
+++ b/policy/modules/apps/pulseaudio.if
@@ -58,7 +58,7 @@ interface(`pulseaudio_domtrans',`
 		type pulseaudio_t, pulseaudio_exec_t;
 	')
 
-	domtrans_pattern($1,pulseaudio_exec_t,pulseaudio_t)
+	domtrans_pattern($1, pulseaudio_exec_t, pulseaudio_t)
 ')
 
 ########################################
@@ -88,7 +88,7 @@ interface(`pulseaudio_run',`
 
 ########################################
 ## <summary>
-##	Execute a pulseaudio in the current domain
+##	Execute a pulseaudio in the current domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
@@ -101,13 +101,13 @@ interface(`pulseaudio_exec',`
 		type pulseaudio_exec_t;
 	')
 
-	can_exec($1,pulseaudio_exec_t)
+	can_exec($1, pulseaudio_exec_t)
 ')
 
-########################################
+#####################################
 ## <summary>
-##	Send and receive messages from
-##	pulseaudio over dbus.
+##	Connect to pulseaudio over a unix domain
+##	stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -115,38 +115,41 @@ interface(`pulseaudio_exec',`
 ##	</summary>
 ## </param>
 #
-interface(`pulseaudio_dbus_chat',`
+interface(`pulseaudio_stream_connect',`
 	gen_require(`
-		type pulseaudio_t;
-		class dbus send_msg;
+		type pulseaudio_t, pulseaudio_var_run_t;
 	')
 
-	allow $1 pulseaudio_t:dbus send_msg;
-	allow pulseaudio_t $1:dbus send_msg;
+	files_search_pids($1)
+	allow $1 pulseaudio_t:process signull;
+	allow pulseaudio_t $1:process signull;
+	stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t)
 ')
 
 ########################################
 ## <summary>
-##	Read pulseaudio homedir files 
+##	Send and receive messages from
+##	pulseaudio over dbus.
 ## </summary>
-## <param name="user_domain">
+## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`pulseaudio_read_home_files',`
+interface(`pulseaudio_dbus_chat',`
 	gen_require(`
-		type pulseaudio_home_t;
+		type pulseaudio_t;
+		class dbus send_msg;
 	')
 
-	userdom_search_user_home_dirs($1)
-	read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+	allow $1 pulseaudio_t:dbus send_msg;
+	allow pulseaudio_t $1:dbus send_msg;
 ')
 
 ########################################
 ## <summary>
-##	Manage pulseaudio homedir files
+##	Set the attributes of the pulseaudio homedir.
 ## </summary>
 ## <param name="user_domain">
 ##	<summary>
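Review bot: The summary for pulseaudio_stream_connect describes only the unix stream socket connection, but the body also grants `allow $1 pulseaudio_t:process signull;` and `allow pulseaudio_t $1:process signull;`, i.e. existence checks in both directions between the caller and pulseaudio_t. Callers reading the interface documentation would not expect that pulseaudio_t gains any permission on their domain, so the summary should say so, e.g. `##	stream socket; also allows signull in both directions.`. A short why-comment on the two signull lines (presumably both sides probe each other for liveness, to be confirmed) would make the intent auditable later. The interface is fully within this hunk.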
@@ -154,18 +157,17 @@ interface(`pulseaudio_read_home_files',`
 ##	</summary>
 ## </param>
 #
-interface(`pulseaudio_manage_home_files',`
+interface(`pulseaudio_setattr_home_dir',`
 	gen_require(`
 		type pulseaudio_home_t;
 	')
 
-	userdom_search_user_home_dirs($1)
-	manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+	allow $1 pulseaudio_home_t:dir setattr;
 ')
 
 ########################################
 ## <summary>
-##	Allow domain to setattr on pulseaudio homedir
+##	Read pulseaudio homedir files.
 ## </summary>
 ## <param name="user_domain">
 ##	<summary>
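Review bot: pulseaudio_setattr_home_dir grants only `allow $1 pulseaudio_home_t:dir setattr;` whereas the sibling home-directory interfaces in this file (pulseaudio_read_home_files and pulseaudio_manage_home_files, visible in the following hunk) pair their rule with `userdom_search_user_home_dirs($1)`; a caller that does not already have search on the user home directory cannot reach pulseaudio_home_t to set its attributes. If the omission is deliberate because callers are expected to hold that access already, a one-line comment saying so would stop a future "fix" from widening the interface; otherwise add `userdom_search_user_home_dirs($1)` before the allow, matching the siblings. The interface is fully within this hunk; the pulseaudio_read_home_files body that starts at its end continues outside it.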
@@ -173,32 +175,31 @@ interface(`pulseaudio_manage_home_files',`
 ##	</summary>
 ## </param>
 #
-interface(`pulseaudio_setattr_home_dir',`
+interface(`pulseaudio_read_home_files',`
 	gen_require(`
 		type pulseaudio_home_t;
 	')
 
-	allow $1 pulseaudio_home_t:dir setattr;
+	userdom_search_user_home_dirs($1)
+	read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
 ')
 
-#####################################
+########################################
 ## <summary>
-##	Connect to pulseaudio over a unix domain
-##	stream socket.
+##	Create, read, write, and delete pulseaudio
+##	home directory files.
 ## </summary>
-## <param name="domain">
+## <param name="user_domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
-interface(`pulseaudio_stream_connect',`
+interface(`pulseaudio_manage_home_files',`
 	gen_require(`
-		type pulseaudio_t, pulseaudio_var_run_t;
+		type pulseaudio_home_t;
 	')
 
-	files_search_pids($1)
-	allow $1 pulseaudio_t:process signull;
-	allow pulseaudio_t $1:process signull;
-	stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t)
+	userdom_search_user_home_dirs($1)
+	manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
 ')
diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
index 48f7d91..a4aa82b 100644
--- a/policy/modules/apps/pulseaudio.te
+++ b/policy/modules/apps/pulseaudio.te
@@ -28,6 +28,7 @@ files_pid_file(pulseaudio_var_run_t)
 #
 # pulseaudio local policy
 #
+
 allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config };
 allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull };
 allow pulseaudio_t self:fifo_file rw_file_perms;
@@ -37,9 +38,9 @@ allow pulseaudio_t self:tcp_socket create_stream_socket_perms;
 allow pulseaudio_t self:udp_socket create_socket_perms;
 allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
 
-userdom_search_user_home_dirs(pulseaudio_t)
 manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
 manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
+userdom_search_user_home_dirs(pulseaudio_t)
 
 manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
 manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
diff --git a/policy/modules/services/ksmtuned.if b/policy/modules/services/ksmtuned.if
index 62c7274..67e9269 100644
--- a/policy/modules/services/ksmtuned.if
+++ b/policy/modules/services/ksmtuned.if
@@ -1,5 +1,4 @@
-
-## <summary>policy for Kernel Samepage Merging (KSM) Tuning Daemon</summary>
+## <summary>Kernel Samepage Merging (KSM) Tuning Daemon</summary>
 
 ########################################
 ## <summary>
@@ -19,7 +18,6 @@ interface(`ksmtuned_domtrans',`
 	domtrans_pattern($1, ksmtuned_exec_t, ksmtuned_t)
 ')
 
-
 ########################################
 ## <summary>
 ##	Execute ksmtuned server in the ksmtuned domain.
@@ -40,7 +38,7 @@ interface(`ksmtuned_initrc_domtrans',`
 
 ########################################
 ## <summary>
-##	All of the rules required to administrate 
+##	All of the rules required to administrate
 ##	an ksmtuned environment
 ## </summary>
 ## <param name="domain">
@@ -63,7 +61,7 @@ interface(`ksmtuned_admin',`
 
 	allow $1 ksmtuned_t:process { ptrace signal_perms };
 	ps_process_pattern(ksmtumed_t)
-	        
+
 	files_list_pids($1)
 	admin_pattern($1, ksmtuned_var_run_t)
 
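Review bot: The context line `ps_process_pattern(ksmtumed_t)` in ksmtuned_admin passes a single, misspelled argument; the pattern takes the source domain and the target type, and the surrounding rules use `$1` and `ksmtuned_t`, so this should read `ps_process_pattern($1, ksmtuned_t)`. As written the admin domain does not get the intended ps access to ksmtuned_t, and since `ksmtumed_t` is not in the interface's gen_require the module would presumably fail to build when the interface is used rather than silently under-grant (to be confirmed). This commit only fixes whitespace in the line below it, so the defect is left in place; ksmtuned_admin starts outside the hunk.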
diff --git a/policy/modules/services/ksmtuned.te b/policy/modules/services/ksmtuned.te
index b59c36b..95dc691 100644
--- a/policy/modules/services/ksmtuned.te
+++ b/policy/modules/services/ksmtuned.te
@@ -1,4 +1,5 @@
-policy_module(ksmtuned,1.0.0)
+
+policy_module(ksmtuned, 1.0.0)
 
 ########################################
 #
@@ -19,14 +20,9 @@ files_pid_file(ksmtuned_var_run_t)
 #
 # ksmtuned local policy
 #
-allow ksmtuned_t self:capability { sys_ptrace sys_tty_config };
 
-# Init script handling
-domain_use_interactive_fds(ksmtuned_t)
-
-# internal communication is often done using fifo and unix sockets.
+allow ksmtuned_t self:capability { sys_ptrace sys_tty_config };
 allow ksmtuned_t self:fifo_file rw_file_perms;
-allow ksmtuned_t self:unix_stream_socket create_stream_socket_perms;
 
 manage_files_pattern(ksmtuned_t, ksmtuned_var_run_t, ksmtuned_var_run_t)
 files_pid_filetrans(ksmtuned_t, ksmtuned_var_run_t, file)
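Review bot: After this hunk the retained `allow ksmtuned_t self:capability { sys_ptrace sys_tty_config };` carries no rationale, because the explanatory comments that surrounded the block were removed along with the domain_use_interactive_fds and unix_stream_socket rules. sys_ptrace is a broad capability for a tuning daemon, and a reviewer checking least privilege later will have nothing to compare against; add a comment above the line naming what ksmtuned does that needs it, e.g. `# sys_ptrace: <reason, confirm from the daemon's behaviour/AVC denials>`. If the removal of the unix_stream_socket rule was not backed by observed behaviour, the same comment is the place to record how it was verified.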
diff --git a/policy/modules/services/smokeping.fc b/policy/modules/services/smokeping.fc
index c79e023..9ff2d99 100644
--- a/policy/modules/services/smokeping.fc
+++ b/policy/modules/services/smokeping.fc
@@ -7,5 +7,3 @@
 /var/lib/smokeping(/.*)?		gen_context(system_u:object_r:smokeping_var_lib_t,s0)
 
 /var/run/smokeping(/.*)?		gen_context(system_u:object_r:smokeping_var_run_t,s0)
-
-
diff --git a/policy/modules/services/smokeping.if b/policy/modules/services/smokeping.if
index 4e5e18b..6be6642 100644
--- a/policy/modules/services/smokeping.if
+++ b/policy/modules/services/smokeping.if
@@ -1,5 +1,4 @@
-
-## <summary>policy for smokeping</summary>
+## <summary>Smokeping network latency measurement.</summary>
 
 ########################################
 ## <summary>
@@ -129,12 +128,12 @@ interface(`smokeping_manage_lib_files',`
 	')
 
 	files_search_var_lib($1)
-	manage_files_pattern($1, smokeping_var_lib_t,  smokeping_var_lib_t)
+	manage_files_pattern($1, smokeping_var_lib_t, smokeping_var_lib_t)
 ')
 
 ########################################
 ## <summary>
-##	All of the rules required to administrate 
+##	All of the rules required to administrate
 ##	a smokeping environment
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/services/smokeping.te b/policy/modules/services/smokeping.te
index c311a16..ffb91bc 100644
--- a/policy/modules/services/smokeping.te
+++ b/policy/modules/services/smokeping.te
@@ -1,5 +1,5 @@
 
-policy_module(smokeping,1.0.0)
+policy_module(smokeping, 1.0.0)
 
 ########################################
 #
@@ -28,12 +28,12 @@ allow smokeping_t self:fifo_file rw_fifo_file_perms;
 allow smokeping_t self:udp_socket create_socket_perms;
 allow smokeping_t self:unix_stream_socket create_stream_socket_perms;
 
-manage_dirs_pattern(smokeping_t, smokeping_var_run_t,  smokeping_var_run_t)
-manage_files_pattern(smokeping_t, smokeping_var_run_t,  smokeping_var_run_t)
+manage_dirs_pattern(smokeping_t, smokeping_var_run_t, smokeping_var_run_t)
+manage_files_pattern(smokeping_t, smokeping_var_run_t, smokeping_var_run_t)
 files_pid_filetrans(smokeping_t, smokeping_var_run_t, { file dir })
 
-manage_dirs_pattern(smokeping_t, smokeping_var_lib_t,  smokeping_var_lib_t)
-manage_files_pattern(smokeping_t, smokeping_var_lib_t,  smokeping_var_lib_t)
+manage_dirs_pattern(smokeping_t, smokeping_var_lib_t, smokeping_var_lib_t)
+manage_files_pattern(smokeping_t, smokeping_var_lib_t, smokeping_var_lib_t)
 files_var_lib_filetrans(smokeping_t, smokeping_var_lib_t, { file dir } )
 
 corecmd_read_bin_symlinks(smokeping_t)
@@ -61,7 +61,7 @@ netutils_domtrans_ping(smokeping_t)
 
 optional_policy(`
 	apache_content_template(smokeping_cgi)
-	
+
 	allow httpd_smokeping_cgi_script_t self:udp_socket create_socket_perms;
 
 	manage_files_pattern(httpd_smokeping_cgi_script_t, smokeping_var_lib_t, smokeping_var_lib_t)

