Received: by 2002:a5b:505:0:0:0:0:0 with SMTP id o5csp847788ybp;
        Fri, 11 Oct 2019 05:25:12 -0700 (PDT)
X-Google-Smtp-Source: APXvYqzdZvk9Ye3485afiCl1b82BOiW3h5Vay0G9Mb6jRK+DlaIlXk1r1oDtI8HofaTVPlvtsohy
X-Received: by 2002:a17:906:c2c1:: with SMTP id ch1mr12924288ejb.321.1570796711960;
        Fri, 11 Oct 2019 05:25:11 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1570796711; cv=none;
        d=google.com; s=arc-20160816;
        b=aU/VB+WKsCsTfIu6K7JipFOAbn+EQaPg9qAS54hZ5jarlld6HLWLLIt3AjwGppxfYT
         flnb/qgpgFR6BE7GBaZmUgDd9LJvywzNH2dJdamlmjZO63YEkltgbu+1Iuo+atkMbcjD
         KxH51cQDnweMoikr6BYAq2+kBe4aaw8WczPcWlG1Nf6SJM8wTyzS8y52/MlDPxAD4Lac
         PDZB5gqTcPAzbkpssd2r2Kx9tZ/34YmpVPTzm2k7tz8mFwi2dq7w7OJLRhZFAejBiucY
         mlNcvE4ixjy9bLHbdtj4gHHRpbNrcHpOWH4b4p2xsj6aqHT5t0LctJbhGIhKUahVu9I8
         WP+A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:message-id:date:subject:to:from
         :dkim-signature;
        bh=7SL8RstRwej+ri17jQ22nOFq9Bv8RIm5r6hPj1TPFe4=;
        b=ju0XPwmR0PHsCAm8fJcIlGoSip1j4ZfXSrsKIJqvVFEjle05iVfnZqMkuBXGyPRAru
         LjKezZzNEJDSCUQX3JnLORgtJVevAL/nbZBAvJJPLI99I+dgDp0oYP44lWm3jBMt+6sL
         yk8ojYONsluorraEMAVn9UWNFVnLtlJLenoz6o19zINpBW0LnRZIWQZmkYTv6xDb1M3Q
         Gd+G8ET8SzYACl5bY/5XoIb8fREL8NQd6qW5ucv8iIsZoiYZWpWVZmPtCwjx98urGdBc
         LkkdxE6qEsWwh6SsdQGE8xhWTjiH6zvF57PR2SLdY7O8CN0kTQifDSLn+cM1pZHLgSXy
         8uqA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@bigon.be header.s=key1 header.b=rgEkrXNe;
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id i15si6083678ede.196.2019.10.11.05.25.09;
        Fri, 11 Oct 2019 05:25:11 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@bigon.be header.s=key1 header.b=rgEkrXNe;
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728093AbfJKMYW (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 11 others); Fri, 11 Oct 2019 08:24:22 -0400
Received: from ithil.bigon.be ([163.172.57.153]:38288 "EHLO ithil.bigon.be"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1727950AbfJKMYW (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Fri, 11 Oct 2019 08:24:22 -0400
Received: from localhost (localhost [IPv6:::1])
        by ithil.bigon.be (Postfix) with ESMTP id 611FB20550
        for <selinux-refpolicy@vger.kernel.org>; Fri, 11 Oct 2019 14:24:18 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=bigon.be; h=
        content-transfer-encoding:mime-version:references:in-reply-to
        :x-mailer:message-id:date:date:subject:subject:from:from
        :received:received:received; s=key1; t=1570796658; x=1572611059;
         bh=81JGT/bkUzj9ZfaeB7zs5A27I6n4owBicgoBPsy46M4=; b=rgEkrXNemia0
        VFeTCFf+kANJJlpY86nsx3M/GRVYxRNObSRV2N1Zd2EiYBe2Hbes1ZmJZlUa+sv7
        V0Dm9Y/DilcApfI6EciaOCdTqcCqzxK8tZwErQsfvZg5kx376LSIgTGm9goQqjTZ
        um9nlSsBFkHIqnZpGtluK2ozj+YL0pw=
Received: from ithil.bigon.be ([IPv6:::1])
        by localhost (ithil.bigon.be [IPv6:::1]) (amavisd-new, port 10026)
        with ESMTP id FBSGTIK6pdhN for <selinux-refpolicy@vger.kernel.org>;
        Fri, 11 Oct 2019 14:24:18 +0200 (CEST)
Received: from edoras.bigon.be (unknown [193.53.238.198])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
        (No client certificate requested)
        (Authenticated sender: bigon@bigon.be)
        by ithil.bigon.be (Postfix) with ESMTPSA
        for <selinux-refpolicy@vger.kernel.org>; Fri, 11 Oct 2019 14:24:18 +0200 (CEST)
Received: from bigon (uid 1000)
        (envelope-from bigon@bigon.be)
        id 21dda
        by edoras.bigon.be (DragonFly Mail Agent v0.12);
        Fri, 11 Oct 2019 14:24:16 +0200
From:   Laurent Bigonville <bigon@debian.org>
To:     selinux-refpolicy@vger.kernel.org
Subject: [PATCH 06/10] Allow alsa_t to create alsa_runtime_t file as well
Date:   Fri, 11 Oct 2019 14:24:12 +0200
Message-Id: <20191011122416.14651-6-bigon@debian.org>
X-Mailer: git-send-email 2.23.0
In-Reply-To: <20191011122416.14651-1-bigon@debian.org>
References: <20191011122416.14651-1-bigon@debian.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

From: Laurent Bigonville <bigon@bigon.be>

When alsactl is started as a daemon, it creates a pidfile
(/run/alsactl.pid), that needs to be allowed

----
time->Sun Oct  6 10:59:09 2019
type=AVC msg=audit(1570352349.743:45): avc:  denied  { write open } for  pid=804 comm="alsactl" path="/run/alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570352349.743:45): avc:  denied  { create } for  pid=804 comm="alsactl" name="alsactl.pid" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Sun Oct  6 11:54:38 2019
type=AVC msg=audit(1570355678.226:657): avc:  denied  { open } for  pid=9186 comm="alsactl" path="/run/alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570355678.226:657): avc:  denied  { read } for  pid=9186 comm="alsactl" name="alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Sun Oct  6 11:54:38 2019
type=AVC msg=audit(1570355678.230:659): avc:  denied  { unlink } for  pid=804 comm="alsactl" name="alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
---
 policy/modules/admin/alsa.fc | 1 +
 policy/modules/admin/alsa.te | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/policy/modules/admin/alsa.fc b/policy/modules/admin/alsa.fc
index 75ea9ebf..16ccb7ca 100644
--- a/policy/modules/admin/alsa.fc
+++ b/policy/modules/admin/alsa.fc
@@ -4,6 +4,7 @@ HOME_DIR/\.asoundrc				--	gen_context(system_u:object_r:alsa_home_t,s0)
 /etc/asound\.conf				--	gen_context(system_u:object_r:alsa_etc_t,s0)
 
 /run/alsa(/.*)?						gen_context(system_u:object_r:alsa_runtime_t,s0)
+/run/alsactl.pid				--	gen_context(system_u:object_r:alsa_runtime_t,s0)
 
 /usr/bin/ainit					--	gen_context(system_u:object_r:alsa_exec_t,s0)
 /usr/bin/alsactl				--	gen_context(system_u:object_r:alsa_exec_t,s0)
diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
index e567dd32..9d053c4d 100644
--- a/policy/modules/admin/alsa.te
+++ b/policy/modules/admin/alsa.te
@@ -58,8 +58,9 @@ allow alsa_t alsa_etc_t:file map;
 can_exec(alsa_t, alsa_exec_t)
 
 allow alsa_t alsa_runtime_t:dir manage_dir_perms;
+allow alsa_t alsa_runtime_t:file manage_file_perms;
 allow alsa_t alsa_runtime_t:lnk_file manage_lnk_file_perms;
-files_pid_filetrans(alsa_t, alsa_runtime_t, dir)
+files_pid_filetrans(alsa_t, alsa_runtime_t, { dir file })
 
 manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
 manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
-- 
2.23.0