From: Laurent Bigonville
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH 06/10] Allow alsa_t to create alsa_runtime_t file as well
Date: Fri, 11 Oct 2019 14:24:12 +0200
Message-Id: <20191011122416.14651-6-bigon@debian.org>
X-Mailer: git-send-email 2.23.0
In-Reply-To: <20191011122416.14651-1-bigon@debian.org>
References: <20191011122416.14651-1-bigon@debian.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org
From: Laurent Bigonville

When alsactl is started as a daemon, it creates a pidfile (/run/alsactl.pid) that needs to be allowed

----
time->Sun Oct 6 10:59:09 2019
type=AVC msg=audit(1570352349.743:45): avc: denied { write open } for pid=804 comm="alsactl" path="/run/alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570352349.743:45): avc: denied { create } for pid=804 comm="alsactl" name="alsactl.pid" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Sun Oct 6 11:54:38 2019
type=AVC msg=audit(1570355678.226:657): avc: denied { open } for pid=9186 comm="alsactl" path="/run/alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570355678.226:657): avc: denied { read } for pid=9186 comm="alsactl" name="alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Sun Oct 6 11:54:38 2019
type=AVC msg=audit(1570355678.230:659): avc: denied { unlink } for pid=804 comm="alsactl" name="alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1

Signed-off-by: Laurent Bigonville
---
 policy/modules/admin/alsa.fc | 1 +
 policy/modules/admin/alsa.te | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/policy/modules/admin/alsa.fc b/policy/modules/admin/alsa.fc
index 75ea9ebf..16ccb7ca 100644
--- a/policy/modules/admin/alsa.fc
+++ b/policy/modules/admin/alsa.fc
@@ -4,6 +4,7 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0) /etc/asound\.conf -- gen_context(system_u:object_r:alsa_etc_t,s0) /run/alsa(/.*)? gen_context(system_u:object_r:alsa_runtime_t,s0) +/run/alsactl.pid -- gen_context(system_u:object_r:alsa_runtime_t,s0) /usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0) /usr/bin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0) diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te index e567dd32..9d053c4d 100644 --- a/policy/modules/admin/alsa.te +++ b/policy/modules/admin/alsa.te @@ -58,8 +58,9 @@ allow alsa_t alsa_etc_t:file map; can_exec(alsa_t, alsa_exec_t) allow alsa_t alsa_runtime_t:dir manage_dir_perms; +allow alsa_t alsa_runtime_t:file manage_file_perms; allow alsa_t alsa_runtime_t:lnk_file manage_lnk_file_perms; -files_pid_filetrans(alsa_t, alsa_runtime_t, dir) +files_pid_filetrans(alsa_t, alsa_runtime_t, { dir file }) manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t) manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t) -- 2.23.0
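Review bot: the new alsa.fc entry in the first hunk leaves the dot in `alsactl.pid` unescaped, so as a regex it also matches names such as `/run/alsactlXpid`; the neighbouring entries in the same hunk escape it (`/etc/asound\.conf`). Suggest `/run/alsactl\.pid -- gen_context(system_u:object_r:alsa_runtime_t,s0)`. Separately, the denials in the commit message all hit the same inode (ino=25882) already labelled var_run_t, so on systems where the pidfile exists the new file context only takes effect after a restorecon of /run/alsactl.pid or a reboot; worth a line in the commit message.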
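Review bot: the alsa.te hunk changes the transition to the unnamed `files_pid_filetrans(alsa_t, alsa_runtime_t, { dir file })`, so every file alsa_t creates directly in /run becomes alsa_runtime_t, not only the pidfile. The denials show a single file, alsactl.pid, so a named transition is tighter: keep the existing `files_pid_filetrans(alsa_t, alsa_runtime_t, dir)` and add `files_pid_filetrans(alsa_t, alsa_runtime_t, file, "alsactl.pid")` (the interface accepts the filename as an optional fourth argument). The added `allow alsa_t alsa_runtime_t:file manage_file_perms;` covers the create, open, read, write and unlink permissions seen in the denials and looks correct as is.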