From: Laurent Bigonville
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH 07/10] Allow alsa_t to set scheduling priority and send signal to itself
Date: Fri, 11 Oct 2019 14:24:13 +0200
Message-Id: <20191011122416.14651-7-bigon@debian.org>
In-Reply-To: <20191011122416.14651-1-bigon@debian.org>
References: <20191011122416.14651-1-bigon@debian.org>

When alsactl is running as a daemon with systemd, it sets its process priority to be nice to other processes. When stopping the service, it's signaling to itself that it needs to exit.

----
time->Sun Oct 6 11:59:59 2019
type=AVC msg=audit(1570355999.755:43): avc: denied { setsched } for pid=794 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=1
----
time->Sun Oct 6 11:59:59 2019
type=AVC msg=audit(1570355999.755:44): avc: denied { getsched } for pid=794 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=1
----
time->Sun Oct 6 12:07:26 2019
type=AVC msg=audit(1570356446.747:292): avc: denied { signal } for pid=3585 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=1

Signed-off-by: Laurent Bigonville
--- policy/modules/admin/alsa.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te index 9d053c4d..a2287485 100644 --- a/policy/modules/admin/alsa.te +++ b/policy/modules/admin/alsa.te 
@@ -44,6 +44,7 @@ files_lock_file(alsa_var_lock_t) allow alsa_t self:capability { dac_override dac_read_search ipc_owner setgid setuid }; # kill : kill pulseaudio dontaudit alsa_t self:capability { kill sys_admin }; +allow alsa_t self:process { getsched setsched signal }; allow alsa_t self:sem create_sem_perms; allow alsa_t self:shm create_shm_perms; allow alsa_t self:unix_stream_socket { accept listen }; -- 2.23.0
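
Review bot: the added "allow alsa_t self:process { getsched setsched signal };" line carries no comment, while the capability rule directly above it does ("# kill : kill pulseaudio"); a one-line comment saying that getsched/setsched are for the daemon adjusting its own priority and signal is for stopping the service would keep the reason next to the rule. On signal, the quoted denial is logged for pid=3585 while the two scheduling denials are logged for pid=794, so the sender looks like a second alsactl process in alsa_t rather than the daemon signalling itself; "self" still matches because scontext and tcontext are both alsa_t, but the commit message could state that. All three denials were recorded with permissive=1, so please confirm in enforcing mode that starting and stopping the service needs no further process permissions.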
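
How the three denials quoted in the commit message collapse into a single rule, as an added example that is not part of the original patch or of refpolicy's tooling. The function names (`selinux_type`, `summarize`) are hypothetical; the log lines are copied from the message above.

```python
import re
from collections import defaultdict

# The three AVC records quoted in the commit message.
AVC_LOG = """\
type=AVC msg=audit(1570355999.755:43): avc: denied { setsched } for pid=794 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=1
type=AVC msg=audit(1570355999.755:44): avc: denied { getsched } for pid=794 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=1
type=AVC msg=audit(1570356446.747:292): avc: denied { signal } for pid=3585 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"pid=(?P<pid>\d+).*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)


def selinux_type(context):
    """Return the type field of a user:role:type[:range] context."""
    return context.split(":")[2]


def summarize(log):
    """Group denials by (source, target, class).

    Returns (rules, pids_per_rule, permissive_only). permissive_only is
    True only if every record carried permissive=1, i.e. the list may be
    longer than what an enforcing system would have logged.
    """
    perms = defaultdict(set)
    pids = defaultdict(set)
    permissive_only = True
    for m in AVC_RE.finditer(log):
        src = selinux_type(m["scon"])
        tgt = selinux_type(m["tcon"])
        # Same source and target type is written as 'self' in policy.
        key = (src, "self" if src == tgt else tgt, m["tclass"])
        perms[key].update(m["perms"].split())
        pids[key].add(int(m["pid"]))
        permissive_only = permissive_only and m["permissive"] == "1"
    rules = [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(perms.items())
    ]
    return rules, dict(pids), permissive_only
```

Keeping the PIDs per rule shows which processes produced the evidence for it: here two different alsactl PIDs contribute to the same `self:process` rule.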