2016-08-09 19:33:37

by guido

Subject: [refpolicy] [PATCH] Update policy and file contexts for the alsa module

Update the alsa module:

- the alsa_etc_rw_t file context is widened to the whole share
directory, instead of just a couple of files;
- alsa_t can manage var_lock_t files.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/alsa.fc | 3 +--
policy/modules/contrib/alsa.te | 3 ++-
2 files changed, 3 insertions(+), 3 deletions(-)

--- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.fc 2016-08-06 21:27:11.326094018 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/alsa.fc 2016-08-09 21:03:34.117512342 +0200
@@ -25,8 +25,7 @@ ifdef(`distro_debian',`
/usr/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
/usr/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)

-/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/usr/share/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)

/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)

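Review bot: labelling the whole of /usr/share/alsa(/.*)? as alsa_etc_rw_t hands distribution-installed static files to a type whose name and interfaces (alsa_manage_rw_config) imply runtime writes and which alsa.te lets alsa_t manage, so the commit message should say what actually needs to write there; if nothing does, a read-only type is the safer fit. Note also that dropping the per-file entries means the directory itself and every subdirectory now carry the label, not just alsa.conf and pcm/.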
--- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.te 2016-08-06 21:27:11.326094018 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/alsa.te 2016-08-09 21:30:37.291043389 +0200
@@ -64,7 +64,8 @@ manage_dirs_pattern(alsa_t, alsa_var_lib
manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)

allow alsa_t alsa_var_lock_t:file manage_file_perms;
-files_lock_filetrans(alsa_t, alsa_var_lock_t, file);
+files_search_locks(alsa_t)
+files_lock_filetrans(alsa_t, alsa_var_lock_t, file)

kernel_read_system_state(alsa_t)

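Review bot: files_search_locks(alsa_t) is redundant, since files_lock_filetrans() already provides search access on the lock directory as part of setting up the transition; keep only `files_lock_filetrans(alsa_t, alsa_var_lock_t, file)`. Removing the stray `;` after that call is correct, because interface calls are m4 macros rather than policy statements.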


2016-08-09 19:44:15

by Dac Override

Subject: [refpolicy] [PATCH] Update policy and file contexts for the alsa module

On 08/09/2016 09:33 PM, Guido Trentalancia wrote:
> Update the alsa module:
>
> - the alsa_etc_rw_t file context is widened to the whole share
> directory, instead of just a couple of files;
> - alsa_t can manage var_lock_t files.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/alsa.fc | 3 +--
> policy/modules/contrib/alsa.te | 3 ++-
> 2 files changed, 3 insertions(+), 3 deletions(-)
>
> --- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.fc 2016-08-06 21:27:11.326094018 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/alsa.fc 2016-08-09 21:03:34.117512342 +0200
> @@ -25,8 +25,7 @@ ifdef(`distro_debian',`
> /usr/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
> /usr/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
>
> -/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> -/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> +/usr/share/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
>
> /var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
>
> --- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.te 2016-08-06 21:27:11.326094018 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/alsa.te 2016-08-09 21:30:37.291043389 +0200
> @@ -64,7 +64,8 @@ manage_dirs_pattern(alsa_t, alsa_var_lib
> manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
>
> allow alsa_t alsa_var_lock_t:file manage_file_perms;
> -files_lock_filetrans(alsa_t, alsa_var_lock_t, file);
> +files_search_locks(alsa_t)

redundant: files_lock_filetrans() already provides the above

> +files_lock_filetrans(alsa_t, alsa_var_lock_t, file)
>
> kernel_read_system_state(alsa_t)
>


--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


2016-08-09 20:02:05

by guido

Subject: [refpolicy] [PATCH v2] Update file contexts for the alsa module

Update the alsa module so that the alsa_etc_rw_t file context is
widened to the whole share directory, instead of just a couple of files.

Thanks to Dominick Grift for pointing out redundant interface usage
in the previous version of this patch.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/alsa.fc | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

--- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.fc 2016-08-06 21:27:11.326094018 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/alsa.fc 2016-08-09 21:03:34.117512342 +0200
@@ -25,8 +25,7 @@ ifdef(`distro_debian',`
/usr/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
/usr/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)

-/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/usr/share/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)

/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)


2016-08-10 05:53:16

by sven.vermeulen

Subject: [refpolicy] [PATCH v2] Update file contexts for the alsa module

On Tue, Aug 9, 2016 at 10:02 PM, Guido Trentalancia
<[email protected]> wrote:
> Update the alsa module so that the alsa_etc_rw_t file context is
> widened to the whole share directory, instead of just a couple of files.
[...]
> -/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> -/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> +/usr/share/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)

Do you happen to know why or what is trying to write to /usr/share? I
would consider /usr/share to be only writable for a very limited
number of domains (mostly package managers and such).

Isn't alsa_etc_rw_t not something more oriented towards /etc?

I am somewhat afraid that tagging the entire /usr/share/alsa as
alsa_etc_rw_t makes a large number of alsa domains capable of writing
stuff around there (well, besides the Linux DAC controls of course).

Wkr,
Sven Vermeulen

2016-08-10 14:30:33

by guido

Subject: [refpolicy] [PATCH v2] Update file contexts for the alsa module

On Wed, 10/08/2016 at 07.53 +0200, Sven Vermeulen wrote:
> On Tue, Aug 9, 2016 at 10:02 PM, Guido Trentalancia
> <[email protected]> wrote:
> > Update the alsa module so that the alsa_etc_rw_t file context is
> > widened to the whole share directory, instead of just a couple of
> > files.
> [...]
> > -/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> > -/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> > +/usr/share/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
>
> Do you happen to know why or what is trying to write to /usr/share? I
> would consider /usr/share to be only writable for a very limited
> number of domains (mostly package managers and such).

It's a bug in the current module. It should not write to anything in
/usr/share/alsa. And the "_rw_" naming is confusing!!

> Isn't alsa_etc_rw_t not something more oriented towards /etc?

However, if you want to change the ALSA package, then you should submit
a patch to ALSA development...

I believe a subdirectory of /usr/share is the right place for static
configuration files (as opposed to user configuration files in /etc).

> I am somewhat afraid that, tagging the entire /usr/share/alsa as
> alsa_etc_rw_t makes a large number of alsa domains capable of writing
> stuff around there (well, besides the Linux DAC controls of course).

It is possible on the refpolicy side to fix the existing module in
order to only allow read permissions and not manage permissions.

I believe the latter is the best solution possible.

A new revised version of the patch (v3) follows this message...

> Wkr,
> Sven Vermeulen

Regards,

Guido

2016-08-10 14:30:56

by guido

Subject: [refpolicy] [PATCH v3] Update policy and file contexts for the alsa module

Update the alsa module so that the alsa_etc_t file context (previously
alsa_etc_rw_t) is widened to the whole alsa share directory, instead
of just a couple of files.

The wrong and misleading _rw_ label is also removed from the alsa
interface definitions and from their instances throughout the whole
Reference Policy (static and system-wide configuration files are
not runtime-writable).

This version of the patch finally removes obsolete file contexts and
grants read permissions instead of manage permissions for static
configuration files in /usr/share/alsa and system-wide configuration
files in /etc.

Thanks to Dominick Grift for pointing out redundant interface usage
in a previous version of this patch.

Signed-off-by: Guido Trentalancia <[email protected]>
---
doc/policy.xml | 4 ++--
policy/modules/contrib/alsa.fc | 9 +++------
policy/modules/contrib/alsa.if | 24 ++++++++++++------------
policy/modules/contrib/alsa.te | 10 +++++-----
policy/modules/contrib/asterisk.te | 2 +-
policy/modules/contrib/entropyd.te | 2 +-
policy/modules/contrib/hal.te | 2 +-
policy/modules/contrib/mozilla.te | 2 +-
policy/modules/contrib/mpd.te | 2 +-
policy/modules/contrib/mplayer.te | 2 +-
policy/modules/contrib/pulseaudio.te | 2 +-
policy/modules/system/init.te | 2 +-
policy/modules/system/udev.te | 2 +-
policy/modules/system/userdomain.if | 4 ++--
14 files changed, 33 insertions(+), 36 deletions(-)

--- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.fc 2016-08-06 21:27:11.326094018 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/alsa.fc 2016-08-10 16:07:26.601201245 +0200
@@ -6,10 +6,8 @@ ifdef(`distro_debian',`

/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)

-/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/etc/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0)
+/etc/asound\.conf gen_context(system_u:object_r:alsa_etc_t,s0)

/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
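Review bot: with the /etc/asound\.state, /etc/alsa/asound\.state and /etc/asound(/.*)? entries removed, anything still present at those paths on an installed system silently falls back to the default /etc label; the commit message calls them obsolete but should name where the state file is expected instead, so that a denial on an old asound.state is recognised as a stale label. Minor: /etc/asound\.conf is a regular file and would normally carry the `--` specifier like the entries around it.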
@@ -25,8 +23,7 @@ ifdef(`distro_debian',`
/usr/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
/usr/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)

-/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/usr/share/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0)

/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)

--- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.if 2016-08-06 21:27:11.326094018 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/alsa.if 2016-08-10 15:40:21.757047516 +0200
@@ -102,7 +102,7 @@ interface(`alsa_rw_shared_mem',`

########################################
## <summary>
-## Read writable Alsa configuration content.
+## Read Alsa configuration content.
## </summary>
## <param name="domain">
## <summary>
@@ -110,15 +110,15 @@ interface(`alsa_rw_shared_mem',`
## </summary>
## </param>
#
-interface(`alsa_read_rw_config',`
+interface(`alsa_read_config',`
gen_require(`
- type alsa_etc_rw_t;
+ type alsa_etc_t;
')

files_search_etc($1)
- allow $1 alsa_etc_rw_t:dir list_dir_perms;
- read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
- read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
+ allow $1 alsa_etc_t:dir list_dir_perms;
+ read_files_pattern($1, alsa_etc_t, alsa_etc_t)
+ read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t)

ifdef(`distro_debian',`
files_search_usr($1)
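Review bot: renaming alsa_read_rw_config() to alsa_read_config() removes an interface name that has shipped in releases, so any out-of-tree module calling it stops building; keep the old name as a thin wrapper that emits a refpolicywarn deprecation message and calls alsa_read_config($1), as other deprecated interfaces in the tree do.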
@@ -127,7 +127,7 @@ interface(`alsa_read_rw_config',`

########################################
## <summary>
-## Manage writable Alsa config files.
+## Manage Alsa config files.
## </summary>
## <param name="domain">
## <summary>
@@ -135,15 +135,15 @@ interface(`alsa_read_rw_config',`
## </summary>
## </param>
#
-interface(`alsa_manage_rw_config',`
+interface(`alsa_manage_config',`
gen_require(`
- type alsa_etc_rw_t;
+ type alsa_etc_t;
')

files_search_etc($1)
- allow $1 alsa_etc_rw_t:dir list_dir_perms;
- manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
- read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
+ allow $1 alsa_etc_t:dir list_dir_perms;
+ manage_files_pattern($1, alsa_etc_t, alsa_etc_t)
+ read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t)

ifdef(`distro_debian',`
files_search_usr($1)
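Review bot: alsa_manage_config() still grants manage_files_pattern on alsa_etc_t, which the commit message now describes as static, non-runtime-writable configuration; if no caller legitimately writes these files the interface should go, and if one does, the message should say which. Either way the shipped alsa_manage_rw_config name should stay as a deprecated wrapper rather than disappear.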
--- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.te 2016-08-06 21:27:11.326094018 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/alsa.te 2016-08-10 15:42:03.969550824 +0200
@@ -12,8 +12,8 @@ type alsa_exec_t;
init_system_domain(alsa_t, alsa_exec_t)
role alsa_roles types alsa_t;

-type alsa_etc_rw_t;
-files_config_file(alsa_etc_rw_t)
+type alsa_etc_t;
+files_config_file(alsa_etc_t)

type alsa_tmp_t;
files_tmp_file(alsa_tmp_t)
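Review bot: renaming the type without a `typealias alsa_etc_t alias alsa_etc_rw_t;` means files already labelled alsa_etc_rw_t on installed systems carry an unknown type until a relabel, and any external module that lists alsa_etc_rw_t in a gen_require block fails to load; an alias keeps both working through the transition.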
@@ -46,9 +46,9 @@ allow alsa_t self:unix_stream_socket { a

allow alsa_t alsa_home_t:file read_file_perms;

-manage_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
-manage_lnk_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
-files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
+list_dirs_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
+read_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
+read_lnk_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)

can_exec(alsa_t, alsa_exec_t)

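Review bot: replacing manage with list/read and dropping files_etc_filetrans() matches the read-only intent for static configuration, but alsa_t still has to save mixer state somewhere; that is covered only if the state file lands under /var/lib/alsa (alsa_var_lib_t, which alsa.te still lets alsa_t manage), so the commit message should state that assumption explicitly.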
--- refpolicy-git-06082016-orig/policy/modules/contrib/asterisk.te 2016-08-06 21:27:11.330094064 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/asterisk.te 2016-08-10 15:54:57.818932359 +0200
@@ -156,7 +156,7 @@ userdom_dontaudit_use_unpriv_user_fds(as
userdom_dontaudit_search_user_home_dirs(asterisk_t)

optional_policy(`
- alsa_read_rw_config(asterisk_t)
+ alsa_read_config(asterisk_t)
')

optional_policy(`
--- refpolicy-git-06082016-orig/policy/modules/contrib/hal.te 2016-08-06 21:27:11.357094372 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/hal.te 2016-08-10 15:55:28.902389524 +0200
@@ -213,7 +213,7 @@ userdom_dontaudit_search_user_home_dirs(

optional_policy(`
alsa_domtrans(hald_t)
- alsa_read_rw_config(hald_t)
+ alsa_read_config(hald_t)
')

optional_policy(`
--- refpolicy-git-06082016-orig/policy/modules/contrib/entropyd.te 2016-08-06 21:27:11.349094280 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/entropyd.te 2016-08-10 15:55:49.200688065 +0200
@@ -68,7 +68,7 @@ tunable_policy(`entropyd_use_audio',`
optional_policy(`
tunable_policy(`entropyd_use_audio',`
alsa_read_lib(entropyd_t)
- alsa_read_rw_config(entropyd_t)
+ alsa_read_config(entropyd_t)
')
')

--- refpolicy-git-06082016-orig/policy/modules/contrib/pulseaudio.te 2016-08-06 21:27:11.412094999 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/pulseaudio.te 2016-08-10 15:56:08.982979017 +0200
@@ -146,7 +146,7 @@ tunable_policy(`use_samba_home_dirs',`
')

optional_policy(`
- alsa_read_rw_config(pulseaudio_t)
+ alsa_read_config(pulseaudio_t)
')

optional_policy(`
--- refpolicy-git-06082016-orig/policy/modules/contrib/mpd.te 2016-08-06 21:27:11.371094531 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/mpd.te 2016-08-10 15:56:33.740343142 +0200
@@ -179,7 +179,7 @@ tunable_policy(`mpd_use_nfs',`
')

optional_policy(`
- alsa_read_rw_config(mpd_t)
+ alsa_read_config(mpd_t)
')

optional_policy(`
--- refpolicy-git-06082016-orig/policy/modules/contrib/mplayer.te 2016-08-06 21:27:11.371094531 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/mplayer.te 2016-08-10 15:56:47.576546638 +0200
@@ -251,7 +251,7 @@ tunable_policy(`allow_mplayer_execstack'
')

optional_policy(`
- alsa_read_rw_config(mplayer_t)
+ alsa_read_config(mplayer_t)
')

optional_policy(`
--- refpolicy-git-06082016-orig/policy/modules/contrib/mozilla.te 2016-08-06 21:27:11.371094531 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/mozilla.te 2016-08-10 15:57:03.475780480 +0200
@@ -518,7 +518,7 @@ tunable_policy(`use_samba_home_dirs',`
')

optional_policy(`
- alsa_read_rw_config(mozilla_plugin_t)
+ alsa_read_config(mozilla_plugin_t)
alsa_read_home_files(mozilla_plugin_t)
')

--- refpolicy-git-06082016-orig/policy/modules/system/init.te 2016-08-06 21:26:43.300774339 +0200
+++ refpolicy-git-06082016/policy/modules/system/init.te 2016-08-10 15:57:39.413309038 +0200
@@ -694,7 +694,7 @@ ifdef(`distro_redhat',`
miscfiles_read_hwdata(initrc_t)

optional_policy(`
- alsa_manage_rw_config(initrc_t)
+ alsa_manage_config(initrc_t)
')

optional_policy(`
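Review bot: initrc_t keeps manage rights on alsa_etc_t via alsa_manage_config(initrc_t) even though the commit message states these files are not runtime-writable; unless an init script is known to edit /etc/asound.conf or the share tree, this caller should drop to alsa_read_config(initrc_t), which is what every other caller touched by this patch uses.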
--- refpolicy-git-06082016-orig/policy/modules/system/udev.te 2016-08-07 19:44:14.820691246 +0200
+++ refpolicy-git-06082016/policy/modules/system/udev.te 2016-08-10 15:58:00.350616976 +0200
@@ -234,7 +234,7 @@ ifdef(`init_systemd',`
optional_policy(`
alsa_domtrans(udev_t)
alsa_read_lib(udev_t)
- alsa_read_rw_config(udev_t)
+ alsa_read_config(udev_t)
')

optional_policy(`
--- refpolicy-git-06082016-orig/policy/modules/system/userdomain.if 2016-08-06 21:26:43.311774465 +0200
+++ refpolicy-git-06082016/policy/modules/system/userdomain.if 2016-08-10 16:00:35.340683806 +0200
@@ -579,7 +579,7 @@ template(`userdom_common_user_template',
optional_policy(`
alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc")
alsa_manage_home_files($1_t)
- alsa_read_rw_config($1_t)
+ alsa_read_config($1_t)
alsa_relabel_home_files($1_t)
')

@@ -933,7 +933,7 @@ template(`userdom_restricted_xwindows_us
xserver_restricted_role($1_r, $1_t)

optional_policy(`
- alsa_read_rw_config($1_t)
+ alsa_read_config($1_t)
')

optional_policy(`
--- refpolicy-git-06082016-orig/doc/policy.xml 2016-08-06 21:30:16.798209657 +0200
+++ refpolicy-git-06082016/doc/policy.xml 2016-08-10 16:20:17.453744520 +0200
@@ -1331,7 +1331,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="alsa_read_rw_config" lineno="113">
+<interface name="alsa_read_config" lineno="113">
<summary>
Read writable Alsa configuration content.
</summary>
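Review bot: doc/policy.xml is generated from the .if files, and this hunk shows it is stale: the interface name is renamed but the summary still reads "Read writable Alsa configuration content." while alsa.if in the same patch now says "Read Alsa configuration content."; drop the generated file from the patch and let the build regenerate it.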
@@ -1341,7 +1341,7 @@ Domain allowed access.
</summary>
</param>
</interface>
-<interface name="alsa_manage_rw_config" lineno="138">
+<interface name="alsa_manage_config" lineno="138">
<summary>
Manage writable Alsa config files.
</summary>

2016-08-10 14:43:47

by guido

Subject: [refpolicy] [PATCH v4] Update policy and file contexts for the alsa module

Update the alsa module so that the alsa_etc_t file context (previously
alsa_etc_rw_t) is widened to the whole alsa share directory, instead
of just a couple of files.

The wrong and misleading _rw_ label is also removed from the alsa
interface definitions and from their instances throughout the whole
Reference Policy (static and system-wide configuration files are
not runtime-writable).

This version of the patch finally removes obsolete file contexts and
grants read permissions instead of manage permissions for static
configuration files in /usr/share/alsa and system-wide configuration
files in /etc.

Thanks to Dominick Grift for pointing out redundant interface usage
in a previous version of this patch.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/alsa.fc | 9 +++------
policy/modules/contrib/alsa.if | 24 ++++++++++++------------
policy/modules/contrib/alsa.te | 10 +++++-----
policy/modules/contrib/asterisk.te | 2 +-
policy/modules/contrib/entropyd.te | 2 +-
policy/modules/contrib/hal.te | 2 +-
policy/modules/contrib/mozilla.te | 2 +-
policy/modules/contrib/mpd.te | 2 +-
policy/modules/contrib/mplayer.te | 2 +-
policy/modules/contrib/pulseaudio.te | 2 +-
policy/modules/system/init.te | 2 +-
policy/modules/system/udev.te | 2 +-
policy/modules/system/userdomain.if | 4 ++--
13 files changed, 31 insertions(+), 34 deletions(-)

--- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.fc 2016-08-06 21:27:11.326094018 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/alsa.fc 2016-08-10 16:07:26.601201245 +0200
@@ -6,10 +6,8 @@ ifdef(`distro_debian',`

/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)

-/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/etc/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0)
+/etc/asound\.conf gen_context(system_u:object_r:alsa_etc_t,s0)

/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
@@ -25,8 +23,7 @@ ifdef(`distro_debian',`
/usr/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
/usr/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)

-/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/usr/share/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0)

/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)

--- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.if 2016-08-06 21:27:11.326094018 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/alsa.if 2016-08-10 15:40:21.757047516 +0200
@@ -102,7 +102,7 @@ interface(`alsa_rw_shared_mem',`

########################################
## <summary>
-## Read writable Alsa configuration content.
+## Read Alsa configuration content.
## </summary>
## <param name="domain">
## <summary>
@@ -110,15 +110,15 @@ interface(`alsa_rw_shared_mem',`
## </summary>
## </param>
#
-interface(`alsa_read_rw_config',`
+interface(`alsa_read_config',`
gen_require(`
- type alsa_etc_rw_t;
+ type alsa_etc_t;
')

files_search_etc($1)
- allow $1 alsa_etc_rw_t:dir list_dir_perms;
- read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
- read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
+ allow $1 alsa_etc_t:dir list_dir_perms;
+ read_files_pattern($1, alsa_etc_t, alsa_etc_t)
+ read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t)

ifdef(`distro_debian',`
files_search_usr($1)
@@ -127,7 +127,7 @@ interface(`alsa_read_rw_config',`

########################################
## <summary>
-## Manage writable Alsa config files.
+## Manage Alsa config files.
## </summary>
## <param name="domain">
## <summary>
@@ -135,15 +135,15 @@ interface(`alsa_read_rw_config',`
## </summary>
## </param>
#
-interface(`alsa_manage_rw_config',`
+interface(`alsa_manage_config',`
gen_require(`
- type alsa_etc_rw_t;
+ type alsa_etc_t;
')

files_search_etc($1)
- allow $1 alsa_etc_rw_t:dir list_dir_perms;
- manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
- read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
+ allow $1 alsa_etc_t:dir list_dir_perms;
+ manage_files_pattern($1, alsa_etc_t, alsa_etc_t)
+ read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t)

ifdef(`distro_debian',`
files_search_usr($1)
--- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.te 2016-08-06 21:27:11.326094018 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/alsa.te 2016-08-10 15:42:03.969550824 +0200
@@ -12,8 +12,8 @@ type alsa_exec_t;
init_system_domain(alsa_t, alsa_exec_t)
role alsa_roles types alsa_t;

-type alsa_etc_rw_t;
-files_config_file(alsa_etc_rw_t)
+type alsa_etc_t;
+files_config_file(alsa_etc_t)

type alsa_tmp_t;
files_tmp_file(alsa_tmp_t)
@@ -46,9 +46,9 @@ allow alsa_t self:unix_stream_socket { a

allow alsa_t alsa_home_t:file read_file_perms;

-manage_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
-manage_lnk_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
-files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
+list_dirs_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
+read_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
+read_lnk_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)

can_exec(alsa_t, alsa_exec_t)

--- refpolicy-git-06082016-orig/policy/modules/contrib/asterisk.te 2016-08-06 21:27:11.330094064 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/asterisk.te 2016-08-10 15:54:57.818932359 +0200
@@ -156,7 +156,7 @@ userdom_dontaudit_use_unpriv_user_fds(as
userdom_dontaudit_search_user_home_dirs(asterisk_t)

optional_policy(`
- alsa_read_rw_config(asterisk_t)
+ alsa_read_config(asterisk_t)
')

optional_policy(`
--- refpolicy-git-06082016-orig/policy/modules/contrib/hal.te 2016-08-06 21:27:11.357094372 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/hal.te 2016-08-10 15:55:28.902389524 +0200
@@ -213,7 +213,7 @@ userdom_dontaudit_search_user_home_dirs(

optional_policy(`
alsa_domtrans(hald_t)
- alsa_read_rw_config(hald_t)
+ alsa_read_config(hald_t)
')

optional_policy(`
--- refpolicy-git-06082016-orig/policy/modules/contrib/entropyd.te 2016-08-06 21:27:11.349094280 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/entropyd.te 2016-08-10 15:55:49.200688065 +0200
@@ -68,7 +68,7 @@ tunable_policy(`entropyd_use_audio',`
optional_policy(`
tunable_policy(`entropyd_use_audio',`
alsa_read_lib(entropyd_t)
- alsa_read_rw_config(entropyd_t)
+ alsa_read_config(entropyd_t)
')
')

--- refpolicy-git-06082016-orig/policy/modules/contrib/pulseaudio.te 2016-08-06 21:27:11.412094999 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/pulseaudio.te 2016-08-10 15:56:08.982979017 +0200
@@ -146,7 +146,7 @@ tunable_policy(`use_samba_home_dirs',`
')

optional_policy(`
- alsa_read_rw_config(pulseaudio_t)
+ alsa_read_config(pulseaudio_t)
')

optional_policy(`
--- refpolicy-git-06082016-orig/policy/modules/contrib/mpd.te 2016-08-06 21:27:11.371094531 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/mpd.te 2016-08-10 15:56:33.740343142 +0200
@@ -179,7 +179,7 @@ tunable_policy(`mpd_use_nfs',`
')

optional_policy(`
- alsa_read_rw_config(mpd_t)
+ alsa_read_config(mpd_t)
')

optional_policy(`
--- refpolicy-git-06082016-orig/policy/modules/contrib/mplayer.te 2016-08-06 21:27:11.371094531 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/mplayer.te 2016-08-10 15:56:47.576546638 +0200
@@ -251,7 +251,7 @@ tunable_policy(`allow_mplayer_execstack'
')

optional_policy(`
- alsa_read_rw_config(mplayer_t)
+ alsa_read_config(mplayer_t)
')

optional_policy(`
--- refpolicy-git-06082016-orig/policy/modules/contrib/mozilla.te 2016-08-06 21:27:11.371094531 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/mozilla.te 2016-08-10 15:57:03.475780480 +0200
@@ -518,7 +518,7 @@ tunable_policy(`use_samba_home_dirs',`
')

optional_policy(`
- alsa_read_rw_config(mozilla_plugin_t)
+ alsa_read_config(mozilla_plugin_t)
alsa_read_home_files(mozilla_plugin_t)
')

--- refpolicy-git-06082016-orig/policy/modules/system/init.te 2016-08-06 21:26:43.300774339 +0200
+++ refpolicy-git-06082016/policy/modules/system/init.te 2016-08-10 15:57:39.413309038 +0200
@@ -694,7 +694,7 @@ ifdef(`distro_redhat',`
miscfiles_read_hwdata(initrc_t)

optional_policy(`
- alsa_manage_rw_config(initrc_t)
+ alsa_manage_config(initrc_t)
')

optional_policy(`
--- refpolicy-git-06082016-orig/policy/modules/system/udev.te 2016-08-07 19:44:14.820691246 +0200
+++ refpolicy-git-06082016/policy/modules/system/udev.te 2016-08-10 15:58:00.350616976 +0200
@@ -234,7 +234,7 @@ ifdef(`init_systemd',`
optional_policy(`
alsa_domtrans(udev_t)
alsa_read_lib(udev_t)
- alsa_read_rw_config(udev_t)
+ alsa_read_config(udev_t)
')

optional_policy(`
--- refpolicy-git-06082016-orig/policy/modules/system/userdomain.if 2016-08-06 21:26:43.311774465 +0200
+++ refpolicy-git-06082016/policy/modules/system/userdomain.if 2016-08-10 16:00:35.340683806 +0200
@@ -579,7 +579,7 @@ template(`userdom_common_user_template',
optional_policy(`
alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc")
alsa_manage_home_files($1_t)
- alsa_read_rw_config($1_t)
+ alsa_read_config($1_t)
alsa_relabel_home_files($1_t)
')

@@ -933,7 +933,7 @@ template(`userdom_restricted_xwindows_us
xserver_restricted_role($1_r, $1_t)

optional_policy(`
- alsa_read_rw_config($1_t)
+ alsa_read_config($1_t)
')

optional_policy(`

2016-08-13 12:40:06

by Chris PeBenito

Subject: [refpolicy] [PATCH v4] Update policy and file contexts for the alsa module

On 08/10/16 10:43, Guido Trentalancia wrote:
> Update the alsa module so that the alsa_etc_t file context (previously
> alsa_etc_rw_t) is widened to the whole alsa share directory, instead
> of just a couple of files.
>
> The wrong and misleading _rw_ label is also removed from the alsa
> interface definitions and from their instances throughout the whole
> Reference Policy (static and system-wide configuration files are
> not runtime-writable).
>
> This version of the patch finally removes obsolete file contexts and
> grants read permissions instead of manage permissions for static
> configuration files in /usr/share/alsa and system-wide configuration
> files in /etc.
>
> Thanks to Dominick Grift for pointing out redundant interface usage
> in a previous version of this patch.
>
[...]

> --- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.if 2016-08-06 21:27:11.326094018 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/alsa.if 2016-08-10 15:40:21.757047516 +0200
> @@ -102,7 +102,7 @@ interface(`alsa_rw_shared_mem',`
>
> ########################################
> ## <summary>
> -## Read writable Alsa configuration content.
> +## Read Alsa configuration content.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> @@ -110,15 +110,15 @@ interface(`alsa_rw_shared_mem',`
> ## </summary>
> ## </param>
> #
> -interface(`alsa_read_rw_config',`
> +interface(`alsa_read_config',`

Since these interfaces have been in releases, please do not remove them,
deprecate them. It is fine to have them print out deprecation warnings
and call the new interfaces you're creating (grep for "refpolicywarn" to
see other deprecated interface examples).


> gen_require(`
> - type alsa_etc_rw_t;
> + type alsa_etc_t;
> ')
>
> files_search_etc($1)
> - allow $1 alsa_etc_rw_t:dir list_dir_perms;
> - read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
> - read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
> + allow $1 alsa_etc_t:dir list_dir_perms;
> + read_files_pattern($1, alsa_etc_t, alsa_etc_t)
> + read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t)
>
> ifdef(`distro_debian',`
> files_search_usr($1)
> @@ -127,7 +127,7 @@ interface(`alsa_read_rw_config',`
>
> ########################################
> ## <summary>
> -## Manage writable Alsa config files.
> +## Manage Alsa config files.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> @@ -135,15 +135,15 @@ interface(`alsa_read_rw_config',`
> ## </summary>
> ## </param>
> #
> -interface(`alsa_manage_rw_config',`
> +interface(`alsa_manage_config',`
> gen_require(`
> - type alsa_etc_rw_t;
> + type alsa_etc_t;
> ')
>
> files_search_etc($1)
> - allow $1 alsa_etc_rw_t:dir list_dir_perms;
> - manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
> - read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
> + allow $1 alsa_etc_t:dir list_dir_perms;
> + manage_files_pattern($1, alsa_etc_t, alsa_etc_t)
> + read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t)
>
> ifdef(`distro_debian',`
> files_search_usr($1)



--
Chris PeBenito

2016-08-13 14:17:32

by guido

Subject: [refpolicy] [PATCH v5] Update policy and file contexts for the alsa module

Update the alsa module so that the alsa_etc_t file context (previously
alsa_etc_rw_t) is widened to the whole alsa share directory, instead
of just a couple of files.

The wrong and misleading _rw_ label has been deprecated in the alsa
interface definitions and in their instances throughout the whole
Reference Policy (static and system-wide configuration files are
not runtime-writable). Warning messages are printed when the user
attempts to use the old namings for the above mentioned alsa
interface definitions.

This version of the patch finally removes obsolete file contexts and
grants read permissions instead of manage permissions for static
configuration files in /usr/share/alsa and system-wide configuration
files in /etc.

Thanks to Dominick Grift for pointing out redundant interface usage
in a previous version of this patch.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/alsa.fc | 9 ++----
policy/modules/contrib/alsa.if | 52 ++++++++++++++++++++++++++++-------
policy/modules/contrib/alsa.te | 10 +++---
policy/modules/contrib/asterisk.te | 2 -
policy/modules/contrib/entropyd.te | 2 -
policy/modules/contrib/hal.te | 2 -
policy/modules/contrib/mozilla.te | 2 -
policy/modules/contrib/mpd.te | 2 -
policy/modules/contrib/mplayer.te | 2 -
policy/modules/contrib/pulseaudio.te | 2 -
policy/modules/system/init.te | 2 -
policy/modules/system/udev.te | 2 -
policy/modules/system/userdomain.if | 4 +-
13 files changed, 61 insertions(+), 32 deletions(-)

--- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.fc 2016-08-06 21:27:11.326094018 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/alsa.fc 2016-08-10 16:07:26.601201245 +0200
@@ -6,10 +6,8 @@ ifdef(`distro_debian',`

/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)

-/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/etc/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0)
+/etc/asound\.conf gen_context(system_u:object_r:alsa_etc_t,s0)

/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
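Review bot: the new `/etc/asound\.conf` entry has no `--` file-type field, unlike the single-file entries around it (`/sbin/alsactl --`, `/sbin/salsa --`) and the `asound\.state` lines it replaces, so it would also match a directory or symlink of that name; add `--` for consistency. This hunk also drops both `asound\.state` contexts (`/etc/alsa/asound\.state`, `/etc/asound\.state`), so on a system that still keeps the mixer state under `/etc` the file falls back to `etc_t` after relabel; the commit message should state that the state file is expected under `/var/lib/alsa` (`alsa_var_lib_t`, visible in the next hunk's context).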
@@ -25,8 +23,7 @@ ifdef(`distro_debian',`
/usr/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
/usr/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)

-/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/usr/share/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0)

/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)

--- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.if 2016-08-06 21:27:11.326094018 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/alsa.if 2016-08-13 15:57:00.899552788 +0200
@@ -102,7 +102,8 @@ interface(`alsa_rw_shared_mem',`

########################################
## <summary>
-## Read writable Alsa configuration content.
+## Read writable Alsa configuration
+## content. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
@@ -111,14 +112,29 @@ interface(`alsa_rw_shared_mem',`
## </param>
#
interface(`alsa_read_rw_config',`
+ refpolicywarn(`$0($*) has been deprecated, use alsa_read_config() instead.')
+ alsa_read_config($1)
+')
+
+########################################
+## <summary>
+## Read Alsa configuration content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_read_config',`
gen_require(`
- type alsa_etc_rw_t;
+ type alsa_etc_t;
')

files_search_etc($1)
- allow $1 alsa_etc_rw_t:dir list_dir_perms;
- read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
- read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
+ allow $1 alsa_etc_t:dir list_dir_perms;
+ read_files_pattern($1, alsa_etc_t, alsa_etc_t)
+ read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t)

ifdef(`distro_debian',`
files_search_usr($1)
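Review bot: the trailing context shows `files_search_usr($1)` only under `ifdef(`distro_debian',`, yet the alsa.fc hunk labels `/usr/share/alsa(/.*)?` as `alsa_etc_t` with no distro condition visible there. A caller on a non-Debian system that gets no `usr_t` search permission from elsewhere cannot reach the `alsa.conf` that the removed `.fc` line used to label individually, so consider moving `files_search_usr($1)` out of the `ifdef` in both `alsa_read_config` and `alsa_manage_config`. The `refpolicywarn` wrapper for the old name is the usual refpolicy deprecation pattern and looks right.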
@@ -127,7 +143,8 @@ interface(`alsa_read_rw_config',`

########################################
## <summary>
-## Manage writable Alsa config files.
+## Manage writable Alsa config
+## files. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
@@ -136,14 +153,29 @@ interface(`alsa_read_rw_config',`
## </param>
#
interface(`alsa_manage_rw_config',`
+ refpolicywarn(`$0($*) has been deprecated, use alsa_manage_config() instead.')
+ alsa_manage_config($1)
+')
+
+########################################
+## <summary>
+## Manage Alsa config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_manage_config',`
gen_require(`
- type alsa_etc_rw_t;
+ type alsa_etc_t;
')

files_search_etc($1)
- allow $1 alsa_etc_rw_t:dir list_dir_perms;
- manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
- read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
+ allow $1 alsa_etc_t:dir list_dir_perms;
+ manage_files_pattern($1, alsa_etc_t, alsa_etc_t)
+ read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t)

ifdef(`distro_debian',`
files_search_usr($1)
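Review bot: keeping a manage interface contradicts the commit message's own reasoning that these files are "not runtime-writable", and in this patch its only caller is `initrc_t` in the init.te hunk. If that caller can be converted to `alsa_read_config`, `alsa_manage_config` can be dropped rather than created; if it cannot, the interface summary should say which domain legitimately writes `alsa_etc_t` and why, so the next reader does not reintroduce the `_rw_` confusion this patch is removing.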
--- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.te 2016-08-06 21:27:11.326094018 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/alsa.te 2016-08-10 15:42:03.969550824 +0200
@@ -12,8 +12,8 @@ type alsa_exec_t;
init_system_domain(alsa_t, alsa_exec_t)
role alsa_roles types alsa_t;

-type alsa_etc_rw_t;
-files_config_file(alsa_etc_rw_t)
+type alsa_etc_t;
+files_config_file(alsa_etc_t)

type alsa_tmp_t;
files_tmp_file(alsa_tmp_t)
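Review bot: renaming `alsa_etc_rw_t` to `alsa_etc_t` with no `typealias` means the old type vanishes from the loaded policy: files currently labeled `alsa_etc_rw_t` on disk (`/etc/alsa`, `/usr/share/alsa`) are treated as `unlabeled_t` until `restorecon` is run, and any out-of-tree module with `type alsa_etc_rw_t;` in its `gen_require` stops linking, while the deprecated interface wrappers only cover the interface names. Consider `typealias alsa_etc_t alias alsa_etc_rw_t;` next to the new declaration for a transition period, or at minimum a line in the commit message that a relabel of those paths is required after upgrading.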
@@ -46,9 +46,9 @@ allow alsa_t self:unix_stream_socket { a

allow alsa_t alsa_home_t:file read_file_perms;

-manage_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
-manage_lnk_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
-files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
+list_dirs_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
+read_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
+read_lnk_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)

can_exec(alsa_t, alsa_exec_t)
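Review bot: with `manage_files_pattern`, `manage_lnk_files_pattern` and `files_etc_filetrans` gone, `alsa_t` can no longer create or write anything labeled `alsa_etc_t`, so `alsactl` must write its saved state only to `alsa_var_lib_t`; any attempt to write under `/etc` now ends in an AVC denial. That is the tightening the commit message asks for, but it should say explicitly that runtime state belongs in `/var/lib/alsa`, since the matching `/etc/asound\.state` contexts were removed in the alsa.fc hunk. `list_dirs_pattern` plus `read_files_pattern`/`read_lnk_files_pattern` is the right read-only replacement for the directory, file and symlink sides.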

--- refpolicy-git-06082016-orig/policy/modules/contrib/asterisk.te 2016-08-06 21:27:11.330094064 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/asterisk.te 2016-08-10 15:54:57.818932359 +0200
@@ -156,7 +156,7 @@ userdom_dontaudit_use_unpriv_user_fds(as
userdom_dontaudit_search_user_home_dirs(asterisk_t)

optional_policy(`
- alsa_read_rw_config(asterisk_t)
+ alsa_read_config(asterisk_t)
')

optional_policy(`
--- refpolicy-git-06082016-orig/policy/modules/contrib/entropyd.te 2016-08-06 21:27:11.349094280 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/entropyd.te 2016-08-10 15:55:49.200688065 +0200
@@ -68,7 +68,7 @@ tunable_policy(`entropyd_use_audio',`
optional_policy(`
tunable_policy(`entropyd_use_audio',`
alsa_read_lib(entropyd_t)
- alsa_read_rw_config(entropyd_t)
+ alsa_read_config(entropyd_t)
')
')

--- refpolicy-git-06082016-orig/policy/modules/contrib/hal.te 2016-08-06 21:27:11.357094372 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/hal.te 2016-08-10 15:55:28.902389524 +0200
@@ -213,7 +213,7 @@ userdom_dontaudit_search_user_home_dirs(

optional_policy(`
alsa_domtrans(hald_t)
- alsa_read_rw_config(hald_t)
+ alsa_read_config(hald_t)
')

optional_policy(`
--- refpolicy-git-06082016-orig/policy/modules/contrib/mozilla.te 2016-08-06 21:27:11.371094531 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/mozilla.te 2016-08-10 15:57:03.475780480 +0200
@@ -518,7 +518,7 @@ tunable_policy(`use_samba_home_dirs',`
')

optional_policy(`
- alsa_read_rw_config(mozilla_plugin_t)
+ alsa_read_config(mozilla_plugin_t)
alsa_read_home_files(mozilla_plugin_t)
')

--- refpolicy-git-06082016-orig/policy/modules/contrib/mpd.te 2016-08-06 21:27:11.371094531 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/mpd.te 2016-08-10 15:56:33.740343142 +0200
@@ -179,7 +179,7 @@ tunable_policy(`mpd_use_nfs',`
')

optional_policy(`
- alsa_read_rw_config(mpd_t)
+ alsa_read_config(mpd_t)
')

optional_policy(`
--- refpolicy-git-06082016-orig/policy/modules/contrib/mplayer.te 2016-08-06 21:27:11.371094531 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/mplayer.te 2016-08-10 15:56:47.576546638 +0200
@@ -251,7 +251,7 @@ tunable_policy(`allow_mplayer_execstack'
')

optional_policy(`
- alsa_read_rw_config(mplayer_t)
+ alsa_read_config(mplayer_t)
')

optional_policy(`
--- refpolicy-git-06082016-pulseaudio-orig/policy/modules/contrib/pulseaudio.te 2016-08-13 16:04:58.606101692 +0200
+++ refpolicy-git-06082016-pulseaudio-alsa/policy/modules/contrib/pulseaudio.te 2016-08-13 16:05:07.627227363 +0200
@@ -161,7 +161,7 @@ tunable_policy(`use_samba_home_dirs',`
')

optional_policy(`
- alsa_rw_config(pulseaudio_t)
+ alsa_read_config(pulseaudio_t)
alsa_read_home_files(pulseaudio_t)
')
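Review bot: this hunk is taken against `refpolicy-git-06082016-pulseaudio-orig`, not the `refpolicy-git-06082016-orig` base every other hunk uses, and the line it removes, `alsa_rw_config(pulseaudio_t)`, is not an interface that alsa.if defines (the deprecated ones are `alsa_read_rw_config` and `alsa_manage_rw_config`). Against plain refpolicy this hunk will not apply; either rebase it on the same tree as the rest or carry it in the separate pulseaudio patch, as the v7 message later does.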

--- refpolicy-git-06082016-orig/policy/modules/system/init.te 2016-08-06 21:26:43.300774339 +0200
+++ refpolicy-git-06082016/policy/modules/system/init.te 2016-08-10 15:57:39.413309038 +0200
@@ -694,7 +694,7 @@ ifdef(`distro_redhat',`
miscfiles_read_hwdata(initrc_t)

optional_policy(`
- alsa_manage_rw_config(initrc_t)
+ alsa_manage_config(initrc_t)
')

optional_policy(`
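Review bot: `initrc_t` is the only caller left with manage rights on `alsa_etc_t`, and only under `distro_redhat`. Because the alsa.fc hunk stops labeling `/etc/asound\.state` as `alsa_etc_t`, a Red Hat init script that saves mixer state into `/etc` would now create an `etc_t` file this rule does not cover, so the manage permission no longer serves that case; switch to `alsa_read_config(initrc_t)` unless some other write to `alsa_etc_t` by init scripts is known and documented.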
--- refpolicy-git-06082016-orig/policy/modules/system/udev.te 2016-08-07 19:44:14.820691246 +0200
+++ refpolicy-git-06082016/policy/modules/system/udev.te 2016-08-10 15:58:00.350616976 +0200
@@ -234,7 +234,7 @@ ifdef(`init_systemd',`
optional_policy(`
alsa_domtrans(udev_t)
alsa_read_lib(udev_t)
- alsa_read_rw_config(udev_t)
+ alsa_read_config(udev_t)
')

optional_policy(`
--- refpolicy-git-06082016-orig/policy/modules/system/userdomain.if 2016-08-06 21:26:43.311774465 +0200
+++ refpolicy-git-06082016/policy/modules/system/userdomain.if 2016-08-10 16:00:35.340683806 +0200
@@ -579,7 +579,7 @@ template(`userdom_common_user_template',
optional_policy(`
alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc")
alsa_manage_home_files($1_t)
- alsa_read_rw_config($1_t)
+ alsa_read_config($1_t)
alsa_relabel_home_files($1_t)
')

@@ -933,7 +933,7 @@ template(`userdom_restricted_xwindows_us
xserver_restricted_role($1_r, $1_t)

optional_policy(`
- alsa_read_rw_config($1_t)
+ alsa_read_config($1_t)
')

optional_policy(`
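
An added check, not part of this patch or of refpolicy: the message says the `_rw_` interface names were replaced in their instances throughout the tree, and the pulseaudio hunk shows how easy it is to miss one (`alsa_rw_config` is not an interface at all). The script below scans a policy tree for the old type name outside alsa.if, for callers of the deprecated wrappers outside alsa.if, and for calls to the never-defined `alsa_rw_config`. The miniature tree it builds is constructed for the example; the module names and contents in it are invented.

```shell
#!/bin/sh
# Added example, not from the patch or from refpolicy: after a type rename
# with no typealias and an interface deprecation, scan a policy tree for
# references the patch claims to have converted.

# find_stale_alsa_refs DIR
# Prints file:line:text for every remaining reference to the old type
# alsa_etc_rw_t, every call of a deprecated wrapper from outside alsa.if,
# and every call of alsa_rw_config, which alsa.if never defined.
find_stale_alsa_refs() {
    tree="$1"
    # old type name anywhere except the .if that carries the wrappers
    grep -rn --include='*.te' --include='*.if' --include='*.fc' \
        'alsa_etc_rw_t' "$tree" | grep -v '/alsa\.if:' || :
    # callers of the deprecated wrappers (definition sites excluded)
    grep -rn --include='*.te' --include='*.if' -E \
        '^[[:space:]]*alsa_(read|manage)_rw_config\(' "$tree" | grep -v '/alsa\.if:' || :
    # callers of an interface that does not exist at all
    grep -rn --include='*.te' --include='*.if' -E \
        '^[[:space:]]*alsa_rw_config\(' "$tree" || :
}

# count_stale_alsa_refs DIR: number of offending lines (0 on a clean tree)
count_stale_alsa_refs() {
    find_stale_alsa_refs "$1" | wc -l | tr -d ' '
}

# make_sample_tree: builds a constructed miniature policy tree and prints
# its path. Module contents are invented for this example only.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/policy/modules/contrib"
    # alsa.if after the patch: wrapper plus the new interface, no old type
    cat > "$root/policy/modules/contrib/alsa.if" <<'EOF'
interface(`alsa_read_rw_config',`
	refpolicywarn(`$0($*) has been deprecated, use alsa_read_config() instead.')
	alsa_read_config($1)
')
interface(`alsa_read_config',`
	gen_require(`
		type alsa_etc_t;
	')
	read_files_pattern($1, alsa_etc_t, alsa_etc_t)
')
EOF
    # converted caller: must not be reported
    cat > "$root/policy/modules/contrib/mpd.te" <<'EOF'
optional_policy(`
	alsa_read_config(mpd_t)
')
EOF
    # caller of an interface that does not exist in alsa.if
    cat > "$root/policy/modules/contrib/pulseaudio.te" <<'EOF'
optional_policy(`
	alsa_rw_config(pulseaudio_t)
')
EOF
    # out-of-tree module still using the old type and the old wrapper
    cat > "$root/policy/modules/contrib/local.te" <<'EOF'
gen_require(`
	type alsa_etc_rw_t;
')
optional_policy(`
	alsa_read_rw_config(local_t)
')
EOF
    echo "$root"
}
```

On a real checkout run `find_stale_alsa_refs /path/to/refpolicy`; a fully converted tree prints nothing. The definition sites in alsa.if are excluded on purpose so the deprecated wrappers themselves are not counted as offenders, which is also why the wrappers must stay in alsa.if rather than move elsewhere.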

2016-08-13 14:23:17

by Dac Override

[permalink] [raw]
Subject: [refpolicy] [PATCH v5] Update policy and file contexts for the alsa module

On 08/13/2016 04:17 PM, Guido Trentalancia wrote:
> Update the alsa module so that the alsa_etc_t file context (previously
> alsa_etc_rw_t) is widened to the whole alsa share directory, instead
> of just a couple of files.
>
> The wrong and misleading _rw_ label has been deprecated in the alsa
> interface definitions and in their instances throughout the whole
> Reference Policy (static and system-wide configuration files are
> not runtime-writable). Warning messages are printed when the user
> attempts to use the old namings for the above mentioned alsa
> interface definitions.
>
> This version of the patch finally removes obsolete file contexts and
> grants read permissions instead of manage permissions for static
> configuration files in /usr/share/alsa and system-wide configuration
> files in /etc.
>
> Thanks to Dominick Grift for pointing out redundant interface usage
> in a previous version of this patch.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/alsa.fc | 9 ++----
> policy/modules/contrib/alsa.if | 52 ++++++++++++++++++++++++++++-------
> policy/modules/contrib/alsa.te | 10 +++---
> policy/modules/contrib/asterisk.te | 2 -
> policy/modules/contrib/entropyd.te | 2 -
> policy/modules/contrib/hal.te | 2 -
> policy/modules/contrib/mozilla.te | 2 -
> policy/modules/contrib/mpd.te | 2 -
> policy/modules/contrib/mplayer.te | 2 -
> policy/modules/contrib/pulseaudio.te | 2 -
> policy/modules/system/init.te | 2 -
> policy/modules/system/udev.te | 2 -
> policy/modules/system/userdomain.if | 4 +-
> 13 files changed, 61 insertions(+), 32 deletions(-)
>
> --- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.fc 2016-08-06 21:27:11.326094018 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/alsa.fc 2016-08-10 16:07:26.601201245 +0200
> @@ -6,10 +6,8 @@ ifdef(`distro_debian',`
>
> /bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
>
> -/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> -/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> -/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> -/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> +/etc/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0)
> +/etc/asound\.conf gen_context(system_u:object_r:alsa_etc_t,s0)
>
> /sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
> /sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
> @@ -25,8 +23,7 @@ ifdef(`distro_debian',`
> /usr/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
> /usr/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
>
> -/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> -/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> +/usr/share/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0)
>
> /var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
>
> --- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.if 2016-08-06 21:27:11.326094018 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/alsa.if 2016-08-13 15:57:00.899552788 +0200
> @@ -102,7 +102,8 @@ interface(`alsa_rw_shared_mem',`
>
> ########################################
> ## <summary>
> -## Read writable Alsa configuration content.
> +## Read writable Alsa configuration
> +## content. (Deprecated)
> ## </summary>
> ## <param name="domain">
> ## <summary>
> @@ -111,14 +112,29 @@ interface(`alsa_rw_shared_mem',`
> ## </param>
> #
> interface(`alsa_read_rw_config',`
> + refpolicywarn(`$0($*) has been deprecated, use alsa_read_config() instead.')
> + alsa_read_config($1)
> +')
> +
> +########################################
> +## <summary>
> +## Read Alsa configuration content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`alsa_read_config',`
> gen_require(`
> - type alsa_etc_rw_t;
> + type alsa_etc_t;
> ')
>
> files_search_etc($1)
> - allow $1 alsa_etc_rw_t:dir list_dir_perms;
> - read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
> - read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
> + allow $1 alsa_etc_t:dir list_dir_perms;
> + read_files_pattern($1, alsa_etc_t, alsa_etc_t)
> + read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t)
>
> ifdef(`distro_debian',`
> files_search_usr($1)
> @@ -127,7 +143,8 @@ interface(`alsa_read_rw_config',`
>
> ########################################
> ## <summary>
> -## Manage writable Alsa config files.
> +## Manage writable Alsa config
> +## files. (Deprecated)
> ## </summary>
> ## <param name="domain">
> ## <summary>
> @@ -136,14 +153,29 @@ interface(`alsa_read_rw_config',`
> ## </param>
> #
> interface(`alsa_manage_rw_config',`
> + refpolicywarn(`$0($*) has been deprecated, use alsa_manage_config() instead.')
> + alsa_manage_config($1)
> +')
> +
> +########################################
> +## <summary>
> +## Manage Alsa config files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`alsa_manage_config',`
> gen_require(`
> - type alsa_etc_rw_t;
> + type alsa_etc_t;
> ')
>
> files_search_etc($1)
> - allow $1 alsa_etc_rw_t:dir list_dir_perms;
> - manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
> - read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
> + allow $1 alsa_etc_t:dir list_dir_perms;
> + manage_files_pattern($1, alsa_etc_t, alsa_etc_t)
> + read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t)

The interface name suggests that it applies to all alsa_etc_t content.
The description suggests that it only applies to files; the reality is
somewhere in between...

how about: "Manage Alsa config"

allow $1 alsa_etc_t:dir manage_dir_perms;
allow $1 alsa_etc_t:file manage_file_perms;
allow $1 alsa_etc_t:lnk_file manage_link_file_perms;

>
> ifdef(`distro_debian',`
> files_search_usr($1)
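Review bot: on the replacement rules suggested above, the refpolicy permission set for symbolic links is `manage_lnk_file_perms` (the `manage_lnk_files_pattern` macro in the alsa.te hunk below is built on it); `manage_link_file_perms` is not defined and would fail at policy build. If the interface is widened to `manage_dir_perms` as proposed, the summary should say "Manage Alsa config content" or similar so that it no longer reads as files only.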
> --- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.te 2016-08-06 21:27:11.326094018 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/alsa.te 2016-08-10 15:42:03.969550824 +0200
> @@ -12,8 +12,8 @@ type alsa_exec_t;
> init_system_domain(alsa_t, alsa_exec_t)
> role alsa_roles types alsa_t;
>
> -type alsa_etc_rw_t;
> -files_config_file(alsa_etc_rw_t)
> +type alsa_etc_t;
> +files_config_file(alsa_etc_t)
>
> type alsa_tmp_t;
> files_tmp_file(alsa_tmp_t)
> @@ -46,9 +46,9 @@ allow alsa_t self:unix_stream_socket { a
>
> allow alsa_t alsa_home_t:file read_file_perms;
>
> -manage_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
> -manage_lnk_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
> -files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
> +list_dirs_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
> +read_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
> +read_lnk_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
>
> can_exec(alsa_t, alsa_exec_t)
>
> --- refpolicy-git-06082016-orig/policy/modules/contrib/asterisk.te 2016-08-06 21:27:11.330094064 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/asterisk.te 2016-08-10 15:54:57.818932359 +0200
> @@ -156,7 +156,7 @@ userdom_dontaudit_use_unpriv_user_fds(as
> userdom_dontaudit_search_user_home_dirs(asterisk_t)
>
> optional_policy(`
> - alsa_read_rw_config(asterisk_t)
> + alsa_read_config(asterisk_t)
> ')
>
> optional_policy(`
> --- refpolicy-git-06082016-orig/policy/modules/contrib/entropyd.te 2016-08-06 21:27:11.349094280 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/entropyd.te 2016-08-10 15:55:49.200688065 +0200
> @@ -68,7 +68,7 @@ tunable_policy(`entropyd_use_audio',`
> optional_policy(`
> tunable_policy(`entropyd_use_audio',`
> alsa_read_lib(entropyd_t)
> - alsa_read_rw_config(entropyd_t)
> + alsa_read_config(entropyd_t)
> ')
> ')
>
> --- refpolicy-git-06082016-orig/policy/modules/contrib/hal.te 2016-08-06 21:27:11.357094372 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/hal.te 2016-08-10 15:55:28.902389524 +0200
> @@ -213,7 +213,7 @@ userdom_dontaudit_search_user_home_dirs(
>
> optional_policy(`
> alsa_domtrans(hald_t)
> - alsa_read_rw_config(hald_t)
> + alsa_read_config(hald_t)
> ')
>
> optional_policy(`
> --- refpolicy-git-06082016-orig/policy/modules/contrib/mozilla.te 2016-08-06 21:27:11.371094531 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/mozilla.te 2016-08-10 15:57:03.475780480 +0200
> @@ -518,7 +518,7 @@ tunable_policy(`use_samba_home_dirs',`
> ')
>
> optional_policy(`
> - alsa_read_rw_config(mozilla_plugin_t)
> + alsa_read_config(mozilla_plugin_t)
> alsa_read_home_files(mozilla_plugin_t)
> ')
>
> --- refpolicy-git-06082016-orig/policy/modules/contrib/mpd.te 2016-08-06 21:27:11.371094531 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/mpd.te 2016-08-10 15:56:33.740343142 +0200
> @@ -179,7 +179,7 @@ tunable_policy(`mpd_use_nfs',`
> ')
>
> optional_policy(`
> - alsa_read_rw_config(mpd_t)
> + alsa_read_config(mpd_t)
> ')
>
> optional_policy(`
> --- refpolicy-git-06082016-orig/policy/modules/contrib/mplayer.te 2016-08-06 21:27:11.371094531 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/mplayer.te 2016-08-10 15:56:47.576546638 +0200
> @@ -251,7 +251,7 @@ tunable_policy(`allow_mplayer_execstack'
> ')
>
> optional_policy(`
> - alsa_read_rw_config(mplayer_t)
> + alsa_read_config(mplayer_t)
> ')
>
> optional_policy(`
> --- refpolicy-git-06082016-pulseaudio-orig/policy/modules/contrib/pulseaudio.te 2016-08-13 16:04:58.606101692 +0200
> +++ refpolicy-git-06082016-pulseaudio-alsa/policy/modules/contrib/pulseaudio.te 2016-08-13 16:05:07.627227363 +0200
> @@ -161,7 +161,7 @@ tunable_policy(`use_samba_home_dirs',`
> ')
>
> optional_policy(`
> - alsa_rw_config(pulseaudio_t)
> + alsa_read_config(pulseaudio_t)
> alsa_read_home_files(pulseaudio_t)
> ')
>
> --- refpolicy-git-06082016-orig/policy/modules/system/init.te 2016-08-06 21:26:43.300774339 +0200
> +++ refpolicy-git-06082016/policy/modules/system/init.te 2016-08-10 15:57:39.413309038 +0200
> @@ -694,7 +694,7 @@ ifdef(`distro_redhat',`
> miscfiles_read_hwdata(initrc_t)
>
> optional_policy(`
> - alsa_manage_rw_config(initrc_t)
> + alsa_manage_config(initrc_t)
> ')
>
> optional_policy(`
> --- refpolicy-git-06082016-orig/policy/modules/system/udev.te 2016-08-07 19:44:14.820691246 +0200
> +++ refpolicy-git-06082016/policy/modules/system/udev.te 2016-08-10 15:58:00.350616976 +0200
> @@ -234,7 +234,7 @@ ifdef(`init_systemd',`
> optional_policy(`
> alsa_domtrans(udev_t)
> alsa_read_lib(udev_t)
> - alsa_read_rw_config(udev_t)
> + alsa_read_config(udev_t)
> ')
>
> optional_policy(`
> --- refpolicy-git-06082016-orig/policy/modules/system/userdomain.if 2016-08-06 21:26:43.311774465 +0200
> +++ refpolicy-git-06082016/policy/modules/system/userdomain.if 2016-08-10 16:00:35.340683806 +0200
> @@ -579,7 +579,7 @@ template(`userdom_common_user_template',
> optional_policy(`
> alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc")
> alsa_manage_home_files($1_t)
> - alsa_read_rw_config($1_t)
> + alsa_read_config($1_t)
> alsa_relabel_home_files($1_t)
> ')
>
> @@ -933,7 +933,7 @@ template(`userdom_restricted_xwindows_us
> xserver_restricted_role($1_r, $1_t)
>
> optional_policy(`
> - alsa_read_rw_config($1_t)
> + alsa_read_config($1_t)
> ')
>
> optional_policy(`
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


2016-08-13 14:58:51

by guido

[permalink] [raw]
Subject: [refpolicy] [PATCH v6] Update policy and file contexts for the alsa module

Update the alsa module so that the alsa_etc_t file context (previously
alsa_etc_rw_t) is widened to the whole alsa share directory, instead
of just a couple of files.

The wrong and misleading _rw_ label has been deprecated in the alsa
interface definitions and in their instances throughout the whole
Reference Policy (static and system-wide configuration files are
not runtime-writable). Warning messages are printed when the user
attempts to use the old namings for the above mentioned alsa
interface definitions.

This version of the patch finally removes obsolete file contexts and
grants read permissions instead of manage permissions for static
configuration files in /usr/share/alsa and system-wide configuration
files in /etc.

Thanks to Dominick Grift for pointing out redundant interface usage
in a previous version of this patch.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/alsa.fc | 9 ++----
policy/modules/contrib/alsa.if | 52 ++++++++++++++++++++++++++++-------
policy/modules/contrib/alsa.te | 10 +++---
policy/modules/contrib/asterisk.te | 2 -
policy/modules/contrib/entropyd.te | 2 -
policy/modules/contrib/hal.te | 2 -
policy/modules/contrib/mozilla.te | 2 -
policy/modules/contrib/mpd.te | 2 -
policy/modules/contrib/mplayer.te | 2 -
policy/modules/contrib/pulseaudio.te | 2 -
policy/modules/system/init.te | 2 -
policy/modules/system/udev.te | 2 -
policy/modules/system/userdomain.if | 4 +-
13 files changed, 61 insertions(+), 32 deletions(-)

--- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.fc 2016-08-06 21:27:11.326094018 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/alsa.fc 2016-08-10 16:07:26.601201245 +0200
@@ -6,10 +6,8 @@ ifdef(`distro_debian',`

/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)

-/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/etc/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0)
+/etc/asound\.conf gen_context(system_u:object_r:alsa_etc_t,s0)

/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
@@ -25,8 +23,7 @@ ifdef(`distro_debian',`
/usr/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
/usr/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)

-/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/usr/share/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0)

/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)

--- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.if 2016-08-06 21:27:11.326094018 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/alsa.if 2016-08-13 15:57:00.899552788 +0200
@@ -102,7 +102,8 @@ interface(`alsa_rw_shared_mem',`

########################################
## <summary>
-## Read writable Alsa configuration content.
+## Read writable Alsa configuration
+## content. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
@@ -111,14 +112,29 @@ interface(`alsa_rw_shared_mem',`
## </param>
#
interface(`alsa_read_rw_config',`
+ refpolicywarn(`$0($*) has been deprecated, use alsa_read_config() instead.')
+ alsa_read_config($1)
+')
+
+########################################
+## <summary>
+## Read Alsa configuration content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_read_config',`
gen_require(`
- type alsa_etc_rw_t;
+ type alsa_etc_t;
')

files_search_etc($1)
- allow $1 alsa_etc_rw_t:dir list_dir_perms;
- read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
- read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
+ allow $1 alsa_etc_t:dir list_dir_perms;
+ read_files_pattern($1, alsa_etc_t, alsa_etc_t)
+ read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t)

ifdef(`distro_debian',`
files_search_usr($1)
@@ -127,7 +143,8 @@ interface(`alsa_read_rw_config',`

########################################
## <summary>
-## Manage writable Alsa config files.
+## Manage writable Alsa config
+## files. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
@@ -136,14 +153,29 @@ interface(`alsa_read_rw_config',`
## </param>
#
interface(`alsa_manage_rw_config',`
+ refpolicywarn(`$0($*) has been deprecated, use alsa_manage_config() instead.')
+ alsa_manage_config($1)
+')
+
+########################################
+## <summary>
+## Manage Alsa config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_manage_config',`
gen_require(`
- type alsa_etc_rw_t;
+ type alsa_etc_t;
')

files_search_etc($1)
- allow $1 alsa_etc_rw_t:dir list_dir_perms;
- manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
- read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
+ allow $1 alsa_etc_t:dir list_dir_perms;
+ manage_files_pattern($1, alsa_etc_t, alsa_etc_t)
+ read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t)

ifdef(`distro_debian',`
files_search_usr($1)
--- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.te 2016-08-06 21:27:11.326094018 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/alsa.te 2016-08-10 15:42:03.969550824 +0200
@@ -12,8 +12,8 @@ type alsa_exec_t;
init_system_domain(alsa_t, alsa_exec_t)
role alsa_roles types alsa_t;

-type alsa_etc_rw_t;
-files_config_file(alsa_etc_rw_t)
+type alsa_etc_t;
+files_config_file(alsa_etc_t)

type alsa_tmp_t;
files_tmp_file(alsa_tmp_t)
@@ -46,9 +46,9 @@ allow alsa_t self:unix_stream_socket { a

allow alsa_t alsa_home_t:file read_file_perms;

-manage_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
-manage_lnk_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
-files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
+list_dirs_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
+read_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
+read_lnk_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)

can_exec(alsa_t, alsa_exec_t)

--- refpolicy-git-06082016-orig/policy/modules/contrib/asterisk.te 2016-08-06 21:27:11.330094064 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/asterisk.te 2016-08-10 15:54:57.818932359 +0200
@@ -156,7 +156,7 @@ userdom_dontaudit_use_unpriv_user_fds(as
userdom_dontaudit_search_user_home_dirs(asterisk_t)

optional_policy(`
- alsa_read_rw_config(asterisk_t)
+ alsa_read_config(asterisk_t)
')

optional_policy(`
--- refpolicy-git-06082016-orig/policy/modules/contrib/entropyd.te 2016-08-06 21:27:11.349094280 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/entropyd.te 2016-08-10 15:55:49.200688065 +0200
@@ -68,7 +68,7 @@ tunable_policy(`entropyd_use_audio',`
optional_policy(`
tunable_policy(`entropyd_use_audio',`
alsa_read_lib(entropyd_t)
- alsa_read_rw_config(entropyd_t)
+ alsa_read_config(entropyd_t)
')
')

--- refpolicy-git-06082016-orig/policy/modules/contrib/hal.te 2016-08-06 21:27:11.357094372 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/hal.te 2016-08-10 15:55:28.902389524 +0200
@@ -213,7 +213,7 @@ userdom_dontaudit_search_user_home_dirs(

optional_policy(`
alsa_domtrans(hald_t)
- alsa_read_rw_config(hald_t)
+ alsa_read_config(hald_t)
')

optional_policy(`
--- refpolicy-git-06082016-orig/policy/modules/contrib/mozilla.te 2016-08-06 21:27:11.371094531 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/mozilla.te 2016-08-10 15:57:03.475780480 +0200
@@ -518,7 +518,7 @@ tunable_policy(`use_samba_home_dirs',`
')

optional_policy(`
- alsa_read_rw_config(mozilla_plugin_t)
+ alsa_read_config(mozilla_plugin_t)
alsa_read_home_files(mozilla_plugin_t)
')

--- refpolicy-git-06082016-orig/policy/modules/contrib/mpd.te 2016-08-06 21:27:11.371094531 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/mpd.te 2016-08-10 15:56:33.740343142 +0200
@@ -179,7 +179,7 @@ tunable_policy(`mpd_use_nfs',`
')

optional_policy(`
- alsa_read_rw_config(mpd_t)
+ alsa_read_config(mpd_t)
')

optional_policy(`
--- refpolicy-git-06082016-orig/policy/modules/contrib/mplayer.te 2016-08-06 21:27:11.371094531 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/mplayer.te 2016-08-10 15:56:47.576546638 +0200
@@ -251,7 +251,7 @@ tunable_policy(`allow_mplayer_execstack'
')

optional_policy(`
- alsa_read_rw_config(mplayer_t)
+ alsa_read_config(mplayer_t)
')

optional_policy(`
--- refpolicy-git-06082016-pulseaudio-orig/policy/modules/contrib/pulseaudio.te 2016-08-13 16:04:58.606101692 +0200
+++ refpolicy-git-06082016-pulseaudio-alsa/policy/modules/contrib/pulseaudio.te 2016-08-13 16:05:07.627227363 +0200
@@ -146,7 +161,7 @@ tunable_policy(`use_samba_home_dirs',`
')

optional_policy(`
- alsa_read_rw_config(pulseaudio_t)
+ alsa_read_config(pulseaudio_t)
')

optional_policy(`
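Review bot: the hunk header `@@ -146,7 +161,7 @@` shows 15 extra lines in the new file before this point that no earlier hunk in this patch adds, and the file header still points at `refpolicy-git-06082016-pulseaudio-orig`/`-pulseaudio-alsa`, i.e. a tree with the separate pulseaudio patch already applied, while every other hunk is against `refpolicy-git-06082016-orig`. The removed line is now the correctly named `alsa_read_rw_config(pulseaudio_t)`, but the hunk will still not apply to the base the rest of the patch targets; v7 resolves this by dropping the hunk and stating that the pulseaudio patch should be applied afterwards.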
--- refpolicy-git-06082016-orig/policy/modules/system/init.te 2016-08-06 21:26:43.300774339 +0200
+++ refpolicy-git-06082016/policy/modules/system/init.te 2016-08-10 15:57:39.413309038 +0200
@@ -694,7 +694,7 @@ ifdef(`distro_redhat',`
miscfiles_read_hwdata(initrc_t)

optional_policy(`
- alsa_manage_rw_config(initrc_t)
+ alsa_manage_config(initrc_t)
')

optional_policy(`
--- refpolicy-git-06082016-orig/policy/modules/system/udev.te 2016-08-07 19:44:14.820691246 +0200
+++ refpolicy-git-06082016/policy/modules/system/udev.te 2016-08-10 15:58:00.350616976 +0200
@@ -234,7 +234,7 @@ ifdef(`init_systemd',`
optional_policy(`
alsa_domtrans(udev_t)
alsa_read_lib(udev_t)
- alsa_read_rw_config(udev_t)
+ alsa_read_config(udev_t)
')

optional_policy(`
--- refpolicy-git-06082016-orig/policy/modules/system/userdomain.if 2016-08-06 21:26:43.311774465 +0200
+++ refpolicy-git-06082016/policy/modules/system/userdomain.if 2016-08-10 16:00:35.340683806 +0200
@@ -579,7 +579,7 @@ template(`userdom_common_user_template',
optional_policy(`
alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc")
alsa_manage_home_files($1_t)
- alsa_read_rw_config($1_t)
+ alsa_read_config($1_t)
alsa_relabel_home_files($1_t)
')

@@ -933,7 +933,7 @@ template(`userdom_restricted_xwindows_us
xserver_restricted_role($1_r, $1_t)

optional_policy(`
- alsa_read_rw_config($1_t)
+ alsa_read_config($1_t)
')

optional_policy(`

2016-08-13 15:12:08

by guido

Subject: [refpolicy] [PATCH v7] Update policy and file contexts for the alsa module

Update the alsa module so that the alsa_etc_t file context (previously
alsa_etc_rw_t) is widened to the whole alsa share directory, instead
of just a couple of files.

The wrong and misleading _rw_ label has been deprecated in the alsa
interface definitions and in their instances throughout the whole
Reference Policy (static and system-wide configuration files are
not runtime-writable). Warning messages are printed when the user
attempts to use the old namings for the above mentioned alsa
interface definitions.

After applying this patch, the recent pulseaudio patch should also
be applied to complete the removal of the _rw_ labels on the alsa
interfaces.

This version of the patch finally removes obsolete file contexts and
grants read permissions instead of manage permissions for static
configuration files in /usr/share/alsa and system-wide configuration
files in /etc.

Thanks to Dominick Grift for pointing out redundant interface usage
in a previous version of this patch.

Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/alsa.fc | 9 ++----
policy/modules/contrib/alsa.if | 52 ++++++++++++++++++++++++++++-------
policy/modules/contrib/alsa.te | 10 +++---
policy/modules/contrib/asterisk.te | 2 -
policy/modules/contrib/entropyd.te | 2 -
policy/modules/contrib/hal.te | 2 -
policy/modules/contrib/mozilla.te | 2 -
policy/modules/contrib/mpd.te | 2 -
policy/modules/contrib/mplayer.te | 2 -
policy/modules/system/init.te | 2 -
policy/modules/system/udev.te | 2 -
policy/modules/system/userdomain.if | 4 +-
13 files changed, 61 insertions(+), 32 deletions(-)

--- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.fc 2016-08-06 21:27:11.326094018 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/alsa.fc 2016-08-10 16:07:26.601201245 +0200
@@ -6,10 +6,8 @@ ifdef(`distro_debian',`

/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)

-/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/etc/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0)
+/etc/asound\.conf gen_context(system_u:object_r:alsa_etc_t,s0)

/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
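Review bot: the entries for /etc/asound\.state and /etc/alsa/asound\.state are dropped without any replacement, so after a relabel an existing state file under /etc falls back to the generic /etc label, and the alsa.te hunk in this same patch reduces alsa_t to read access on alsa_etc_t in any case. If the saved mixer state is now expected only under /var/lib/alsa (alsa_var_lib_t), the commit message should say so; otherwise keep a state-file entry with a writable type. Minor: the new `/etc/asound\.conf gen_context(system_u:object_r:alsa_etc_t,s0)` line lacks the ` -- ` file-type field that the single-file entries it replaces carried, so it would also match a directory or symlink of that name; `/etc/asound\.conf -- gen_context(system_u:object_r:alsa_etc_t,s0)` matches the style of the rest of the file.
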
@@ -25,8 +23,7 @@ ifdef(`distro_debian',`
/usr/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
/usr/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)

-/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/usr/share/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0)

/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)

--- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.if 2016-08-06 21:27:11.326094018 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/alsa.if 2016-08-13 15:57:00.899552788 +0200
@@ -102,7 +102,8 @@ interface(`alsa_rw_shared_mem',`

########################################
## <summary>
-## Read writable Alsa configuration content.
+## Read writable Alsa configuration
+## content. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
@@ -111,14 +112,29 @@ interface(`alsa_rw_shared_mem',`
## </param>
#
interface(`alsa_read_rw_config',`
+ refpolicywarn(`$0($*) has been deprecated, use alsa_read_config() instead.')
+ alsa_read_config($1)
+')
+
+########################################
+## <summary>
+## Read Alsa configuration content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_read_config',`
gen_require(`
- type alsa_etc_rw_t;
+ type alsa_etc_t;
')

files_search_etc($1)
- allow $1 alsa_etc_rw_t:dir list_dir_perms;
- read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
- read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
+ allow $1 alsa_etc_t:dir list_dir_perms;
+ read_files_pattern($1, alsa_etc_t, alsa_etc_t)
+ read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t)

ifdef(`distro_debian',`
files_search_usr($1)
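Review bot: files_search_usr($1) is still granted only inside ifdef(`distro_debian',` here, while the alsa.fc hunk above labels /usr/share/alsa(/.*)? as alsa_etc_t unconditionally, so a caller that has no other search access on /usr cannot reach the configuration under /usr/share/alsa on non-Debian systems. Move `files_search_usr($1)` out of the ifdef in alsa_read_config (and likewise in alsa_manage_config). The deprecated alsa_read_rw_config wrapper is fine as written: refpolicywarn followed by a call-through to the new interface is the usual pattern.
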
@@ -127,7 +143,8 @@ interface(`alsa_read_rw_config',`

########################################
## <summary>
-## Manage writable Alsa config files.
+## Manage writable Alsa config
+## files. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
@@ -136,14 +153,29 @@ interface(`alsa_read_rw_config',`
## </param>
#
interface(`alsa_manage_rw_config',`
+ refpolicywarn(`$0($*) has been deprecated, use alsa_manage_config() instead.')
+ alsa_manage_config($1)
+')
+
+########################################
+## <summary>
+## Manage Alsa config files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_manage_config',`
gen_require(`
- type alsa_etc_rw_t;
+ type alsa_etc_t;
')

files_search_etc($1)
- allow $1 alsa_etc_rw_t:dir list_dir_perms;
- manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
- read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
+ allow $1 alsa_etc_t:dir list_dir_perms;
+ manage_files_pattern($1, alsa_etc_t, alsa_etc_t)
+ read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t)

ifdef(`distro_debian',`
files_search_usr($1)
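Review bot: alsa_manage_config grants manage_files_pattern only, so a caller may create, write and unlink files but cannot create directories under /etc/alsa or manage symlinks, and no file transition is provided any more (the alsa.te hunk below removes files_etc_filetrans from alsa_t and nothing here replaces it), so a file created in /etc by a caller gets the parent's label rather than alsa_etc_t. Given the commit message's position that these files are static and not runtime-writable, either document which caller still needs write access and for which files, or retire the manage interface and let the deprecated alsa_manage_rw_config wrapper point at alsa_read_config instead.
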
--- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.te 2016-08-06 21:27:11.326094018 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/alsa.te 2016-08-10 15:42:03.969550824 +0200
@@ -12,8 +12,8 @@ type alsa_exec_t;
init_system_domain(alsa_t, alsa_exec_t)
role alsa_roles types alsa_t;

-type alsa_etc_rw_t;
-files_config_file(alsa_etc_rw_t)
+type alsa_etc_t;
+files_config_file(alsa_etc_t)

type alsa_tmp_t;
files_tmp_file(alsa_tmp_t)
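Review bot: alsa_etc_rw_t is renamed rather than aliased, so any module that still references the old type name (an out-of-tree policy module, or a file_contexts.local entry) fails to build or load, and files already labelled alsa_etc_rw_t on a running system are treated as unlabeled_t until they are relabelled. Add `typealias alsa_etc_t alias alsa_etc_rw_t;` next to the new type declaration so that the deprecated interfaces and existing on-disk labels keep working through the transition; the type can then be dropped in a later release together with the deprecated interfaces.
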
@@ -46,9 +46,9 @@ allow alsa_t self:unix_stream_socket { a

allow alsa_t alsa_home_t:file read_file_perms;

-manage_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
-manage_lnk_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
-files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
+list_dirs_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
+read_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
+read_lnk_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)

can_exec(alsa_t, alsa_exec_t)
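Review bot: alsa_t loses both write access to its configuration type and the files_etc_filetrans rule in this hunk, so alsactl can no longer write a state file anywhere under /etc. That is consistent with the alsa.fc hunk above dropping the /etc/asound\.state entries, but it means `alsactl store` must only ever target /var/lib/alsa (alsa_var_lib_t) from now on; on a system that still keeps /etc/asound.state (the removed .fc entries show that layout was expected) the store would be denied and mixer levels would silently fail to restore at boot rather than produce a visible error. Worth a sentence in the commit message, and worth confirming that list_dirs_pattern plus read on alsa_etc_t covers every path alsactl reads under /etc/alsa.
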

--- refpolicy-git-06082016-orig/policy/modules/contrib/asterisk.te 2016-08-06 21:27:11.330094064 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/asterisk.te 2016-08-10 15:54:57.818932359 +0200
@@ -156,7 +156,7 @@ userdom_dontaudit_use_unpriv_user_fds(as
userdom_dontaudit_search_user_home_dirs(asterisk_t)

optional_policy(`
- alsa_read_rw_config(asterisk_t)
+ alsa_read_config(asterisk_t)
')

optional_policy(`
--- refpolicy-git-06082016-orig/policy/modules/contrib/entropyd.te 2016-08-06 21:27:11.349094280 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/entropyd.te 2016-08-10 15:55:49.200688065 +0200
@@ -68,7 +68,7 @@ tunable_policy(`entropyd_use_audio',`
optional_policy(`
tunable_policy(`entropyd_use_audio',`
alsa_read_lib(entropyd_t)
- alsa_read_rw_config(entropyd_t)
+ alsa_read_config(entropyd_t)
')
')

--- refpolicy-git-06082016-orig/policy/modules/contrib/hal.te 2016-08-06 21:27:11.357094372 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/hal.te 2016-08-10 15:55:28.902389524 +0200
@@ -213,7 +213,7 @@ userdom_dontaudit_search_user_home_dirs(

optional_policy(`
alsa_domtrans(hald_t)
- alsa_read_rw_config(hald_t)
+ alsa_read_config(hald_t)
')

optional_policy(`
--- refpolicy-git-06082016-orig/policy/modules/contrib/mozilla.te 2016-08-06 21:27:11.371094531 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/mozilla.te 2016-08-10 15:57:03.475780480 +0200
@@ -518,7 +518,7 @@ tunable_policy(`use_samba_home_dirs',`
')

optional_policy(`
- alsa_read_rw_config(mozilla_plugin_t)
+ alsa_read_config(mozilla_plugin_t)
alsa_read_home_files(mozilla_plugin_t)
')

--- refpolicy-git-06082016-orig/policy/modules/contrib/mpd.te 2016-08-06 21:27:11.371094531 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/mpd.te 2016-08-10 15:56:33.740343142 +0200
@@ -179,7 +179,7 @@ tunable_policy(`mpd_use_nfs',`
')

optional_policy(`
- alsa_read_rw_config(mpd_t)
+ alsa_read_config(mpd_t)
')

optional_policy(`
--- refpolicy-git-06082016-orig/policy/modules/contrib/mplayer.te 2016-08-06 21:27:11.371094531 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/mplayer.te 2016-08-10 15:56:47.576546638 +0200
@@ -251,7 +251,7 @@ tunable_policy(`allow_mplayer_execstack'
')

optional_policy(`
- alsa_read_rw_config(mplayer_t)
+ alsa_read_config(mplayer_t)
')

optional_policy(`
--- refpolicy-git-06082016-orig/policy/modules/system/init.te 2016-08-06 21:26:43.300774339 +0200
+++ refpolicy-git-06082016/policy/modules/system/init.te 2016-08-10 15:57:39.413309038 +0200
@@ -694,7 +694,7 @@ ifdef(`distro_redhat',`
miscfiles_read_hwdata(initrc_t)

optional_policy(`
- alsa_manage_rw_config(initrc_t)
+ alsa_manage_config(initrc_t)
')

optional_policy(`
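Review bot: initrc_t is the only alsa_manage_config caller in this patch, i.e. the only domain left with write access to /etc/alsa and /usr/share/alsa, and it sits inside the distro_redhat block, while the commit message states these files are not runtime-writable and the alsa_t domain itself is reduced to read access in this series. Either this call should become `alsa_read_config(initrc_t)` as well, or the commit message should explain what the Red Hat init script still writes into the configuration directories.
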
--- refpolicy-git-06082016-orig/policy/modules/system/udev.te 2016-08-07 19:44:14.820691246 +0200
+++ refpolicy-git-06082016/policy/modules/system/udev.te 2016-08-10 15:58:00.350616976 +0200
@@ -234,7 +234,7 @@ ifdef(`init_systemd',`
optional_policy(`
alsa_domtrans(udev_t)
alsa_read_lib(udev_t)
- alsa_read_rw_config(udev_t)
+ alsa_read_config(udev_t)
')

optional_policy(`
--- refpolicy-git-06082016-orig/policy/modules/system/userdomain.if 2016-08-06 21:26:43.311774465 +0200
+++ refpolicy-git-06082016/policy/modules/system/userdomain.if 2016-08-10 16:00:35.340683806 +0200
@@ -579,7 +579,7 @@ template(`userdom_common_user_template',
optional_policy(`
alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc")
alsa_manage_home_files($1_t)
- alsa_read_rw_config($1_t)
+ alsa_read_config($1_t)
alsa_relabel_home_files($1_t)
')

@@ -933,7 +933,7 @@ template(`userdom_restricted_xwindows_us
xserver_restricted_role($1_r, $1_t)

optional_policy(`
- alsa_read_rw_config($1_t)
+ alsa_read_config($1_t)
')

optional_policy(`
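
Before relabelling a system with this version it is worth knowing which paths change type and which lose their alsa label entirely. The following Python script is an added example and is not part of the patch or of refpolicy; it re-implements, in simplified form, how file_contexts entries are matched (the entry with the longest literal prefix wins, later line on ties, and the `--` field restricts an entry to regular files; this mimics libselinux's ordering and is an approximation) and runs the pre- and post-patch alsa.fc lines quoted above against a few sample paths. The two fallback entries for /etc and /usr/share and the sample paths are constructed for the example; the authoritative check on a real system is matchpathcon(8) against the installed policy.

```python
import re
from typing import Dict, List, Optional, Tuple

# Characters that end the literal prefix of a POSIX regex (approximation).
_META = set(r".^$*+?{}[]|()\\")

# Pre-patch alsa.fc lines from the hunks above, plus two fallback entries
# constructed for this example (refpolicy's files.fc carries equivalents).
ORIG_FC = r"""
/etc(/.*)?                     gen_context(system_u:object_r:etc_t,s0)
/usr/share(/.*)?               gen_context(system_u:object_r:usr_t,s0)
/etc/alsa/asound\.state    --  gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/etc/alsa/pcm(/.*)?            gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/etc/asound(/.*)?              gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/etc/asound\.state         --  gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/usr/share/alsa/alsa\.conf     gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/usr/share/alsa/pcm(/.*)?      gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/var/lib/alsa(/.*)?            gen_context(system_u:object_r:alsa_var_lib_t,s0)
"""

# Post-patch alsa.fc lines with the same constructed fallbacks.
PATCHED_FC = r"""
/etc(/.*)?                     gen_context(system_u:object_r:etc_t,s0)
/usr/share(/.*)?               gen_context(system_u:object_r:usr_t,s0)
/etc/alsa(/.*)?                gen_context(system_u:object_r:alsa_etc_t,s0)
/etc/asound\.conf              gen_context(system_u:object_r:alsa_etc_t,s0)
/usr/share/alsa(/.*)?          gen_context(system_u:object_r:alsa_etc_t,s0)
/var/lib/alsa(/.*)?            gen_context(system_u:object_r:alsa_var_lib_t,s0)
"""

# (compiled regex, file-type field or None, SELinux type, prefix length, line)
Spec = Tuple[re.Pattern, Optional[str], str, int, int]


def _literal_prefix_len(regex: str) -> int:
    """Length of the leading literal run of an fc regex.  libselinux orders
    specs by this so the most specific entry wins; we mimic that ordering."""
    for i, ch in enumerate(regex):
        if ch in _META:
            return i
    return len(regex)


def parse_fc(text: str) -> List[Spec]:
    """Parse 'regex [-type] gen_context(user:role:type,mls)' lines."""
    specs: List[Spec] = []
    for lineno, raw in enumerate(text.splitlines()):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        regex, rest = fields[0], fields[1:]
        ftype: Optional[str] = None
        if rest and rest[0].startswith("-"):  # '--' regular file, '-d' dir, ...
            ftype, rest = rest[0], rest[1:]
        m = re.search(r"gen_context\(([^,)]+)", rest[0]) if rest else None
        setype = m.group(1).split(":")[2] if m else "<<none>>"
        specs.append((re.compile(regex), ftype, setype,
                      _literal_prefix_len(regex), lineno))
    return specs


def match_path(specs: List[Spec], path: str, is_dir: bool = False) -> Optional[str]:
    """Type the specs assign to path, or None when nothing matches.
    Longest literal prefix wins; on a tie the later line in the file wins."""
    best: Optional[Tuple[Tuple[int, int], str]] = None
    for rx, ftype, setype, prefix, lineno in specs:
        if ftype == "--" and is_dir:        # entry restricted to regular files
            continue
        if ftype == "-d" and not is_dir:    # entry restricted to directories
            continue
        if rx.fullmatch(path) is None:      # fc regexes are anchored at both ends
            continue
        key = (prefix, lineno)
        if best is None or key > best[0]:
            best = (key, setype)
    return best[1] if best else None


def label_changes(old_fc: str, new_fc: str,
                  paths: List[str]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Map each path to (type before, type after) under the two fc tables."""
    old, new = parse_fc(old_fc), parse_fc(new_fc)
    return {p: (match_path(old, p), match_path(new, p)) for p in paths}


if __name__ == "__main__":
    sample = [  # example paths chosen for this demonstration
        "/etc/asound.state",
        "/etc/alsa/asound.state",
        "/etc/asound.conf",
        "/usr/share/alsa/alsa.conf",
        "/usr/share/alsa/cards/aliases.conf",
        "/var/lib/alsa/asound.state",
    ]
    for path, (before, after) in label_changes(ORIG_FC, PATCHED_FC, sample).items():
        flag = "" if before == after else "  <- changed"
        print(f"{path:40} {str(before):>16} -> {after}{flag}")
```

The row for /etc/asound.state is the one to look at: it goes from alsa_etc_rw_t to the plain /etc fallback, which is exactly the case the patched alsa_t (read-only on alsa_etc_t) can no longer write. Everything under /usr/share/alsa, not only alsa.conf and pcm/, picks up alsa_etc_t, so a restorecon over that tree is needed after installing the new policy.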

2016-08-14 18:37:37

by Chris PeBenito

Subject: [refpolicy] [PATCH v7] Update policy and file contexts for the alsa module

On 08/13/16 11:12, Guido Trentalancia wrote:
> Update the alsa module so that the alsa_etc_t file context (previously
> alsa_etc_rw_t) is widened to the whole alsa share directory, instead
> of just a couple of files.
>
> The wrong and misleading _rw_ label has been deprecated in the alsa
> interface definitions and in their instances throughout the whole
> Reference Policy (static and system-wide configuration files are
> not runtime-writable). Warning messages are printed when the user
> attempts to use the old namings for the above mentioned alsa
> interface definitions.
>
> After applying this patch, the recent pulseaudio patch should also
> be applied to complete the removal of the _rw_ labels on the alsa
> interfaces.
>
> This version of the patch finally removes obsolete file contexts and
> grants read permissions instead of manage permissions for static
> configuration files in /usr/share/alsa and system-wide configuration
> files in /etc.
>
> Thanks to Dominick Grift for pointing out redundant interface usage
> in a previous version of this patch.

Merged. I also added a compatibility alias to alsa_etc_rw_t.



> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/alsa.fc | 9 ++----
> policy/modules/contrib/alsa.if | 52 ++++++++++++++++++++++++++++-------
> policy/modules/contrib/alsa.te | 10 +++---
> policy/modules/contrib/asterisk.te | 2 -
> policy/modules/contrib/entropyd.te | 2 -
> policy/modules/contrib/hal.te | 2 -
> policy/modules/contrib/mozilla.te | 2 -
> policy/modules/contrib/mpd.te | 2 -
> policy/modules/contrib/mplayer.te | 2 -
> policy/modules/system/init.te | 2 -
> policy/modules/system/udev.te | 2 -
> policy/modules/system/userdomain.if | 4 +-
> 13 files changed, 61 insertions(+), 32 deletions(-)
>
> --- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.fc 2016-08-06 21:27:11.326094018 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/alsa.fc 2016-08-10 16:07:26.601201245 +0200
> @@ -6,10 +6,8 @@ ifdef(`distro_debian',`
>
> /bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
>
> -/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> -/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> -/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> -/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> +/etc/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0)
> +/etc/asound\.conf gen_context(system_u:object_r:alsa_etc_t,s0)
>
> /sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
> /sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
> @@ -25,8 +23,7 @@ ifdef(`distro_debian',`
> /usr/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
> /usr/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
>
> -/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> -/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> +/usr/share/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0)
>
> /var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
>
> --- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.if 2016-08-06 21:27:11.326094018 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/alsa.if 2016-08-13 15:57:00.899552788 +0200
> @@ -102,7 +102,8 @@ interface(`alsa_rw_shared_mem',`
>
> ########################################
> ## <summary>
> -## Read writable Alsa configuration content.
> +## Read writable Alsa configuration
> +## content. (Deprecated)
> ## </summary>
> ## <param name="domain">
> ## <summary>
> @@ -111,14 +112,29 @@ interface(`alsa_rw_shared_mem',`
> ## </param>
> #
> interface(`alsa_read_rw_config',`
> + refpolicywarn(`$0($*) has been deprecated, use alsa_read_config() instead.')
> + alsa_read_config($1)
> +')
> +
> +########################################
> +## <summary>
> +## Read Alsa configuration content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`alsa_read_config',`
> gen_require(`
> - type alsa_etc_rw_t;
> + type alsa_etc_t;
> ')
>
> files_search_etc($1)
> - allow $1 alsa_etc_rw_t:dir list_dir_perms;
> - read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
> - read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
> + allow $1 alsa_etc_t:dir list_dir_perms;
> + read_files_pattern($1, alsa_etc_t, alsa_etc_t)
> + read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t)
>
> ifdef(`distro_debian',`
> files_search_usr($1)
> @@ -127,7 +143,8 @@ interface(`alsa_read_rw_config',`
>
> ########################################
> ## <summary>
> -## Manage writable Alsa config files.
> +## Manage writable Alsa config
> +## files. (Deprecated)
> ## </summary>
> ## <param name="domain">
> ## <summary>
> @@ -136,14 +153,29 @@ interface(`alsa_read_rw_config',`
> ## </param>
> #
> interface(`alsa_manage_rw_config',`
> + refpolicywarn(`$0($*) has been deprecated, use alsa_manage_config() instead.')
> + alsa_manage_config($1)
> +')
> +
> +########################################
> +## <summary>
> +## Manage Alsa config files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`alsa_manage_config',`
> gen_require(`
> - type alsa_etc_rw_t;
> + type alsa_etc_t;
> ')
>
> files_search_etc($1)
> - allow $1 alsa_etc_rw_t:dir list_dir_perms;
> - manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
> - read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
> + allow $1 alsa_etc_t:dir list_dir_perms;
> + manage_files_pattern($1, alsa_etc_t, alsa_etc_t)
> + read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t)
>
> ifdef(`distro_debian',`
> files_search_usr($1)
> --- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.te 2016-08-06 21:27:11.326094018 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/alsa.te 2016-08-10 15:42:03.969550824 +0200
> @@ -12,8 +12,8 @@ type alsa_exec_t;
> init_system_domain(alsa_t, alsa_exec_t)
> role alsa_roles types alsa_t;
>
> -type alsa_etc_rw_t;
> -files_config_file(alsa_etc_rw_t)
> +type alsa_etc_t;
> +files_config_file(alsa_etc_t)
>
> type alsa_tmp_t;
> files_tmp_file(alsa_tmp_t)
> @@ -46,9 +46,9 @@ allow alsa_t self:unix_stream_socket { a
>
> allow alsa_t alsa_home_t:file read_file_perms;
>
> -manage_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
> -manage_lnk_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
> -files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
> +list_dirs_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
> +read_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
> +read_lnk_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
>
> can_exec(alsa_t, alsa_exec_t)
>
> --- refpolicy-git-06082016-orig/policy/modules/contrib/asterisk.te 2016-08-06 21:27:11.330094064 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/asterisk.te 2016-08-10 15:54:57.818932359 +0200
> @@ -156,7 +156,7 @@ userdom_dontaudit_use_unpriv_user_fds(as
> userdom_dontaudit_search_user_home_dirs(asterisk_t)
>
> optional_policy(`
> - alsa_read_rw_config(asterisk_t)
> + alsa_read_config(asterisk_t)
> ')
>
> optional_policy(`
> --- refpolicy-git-06082016-orig/policy/modules/contrib/entropyd.te 2016-08-06 21:27:11.349094280 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/entropyd.te 2016-08-10 15:55:49.200688065 +0200
> @@ -68,7 +68,7 @@ tunable_policy(`entropyd_use_audio',`
> optional_policy(`
> tunable_policy(`entropyd_use_audio',`
> alsa_read_lib(entropyd_t)
> - alsa_read_rw_config(entropyd_t)
> + alsa_read_config(entropyd_t)
> ')
> ')
>
> --- refpolicy-git-06082016-orig/policy/modules/contrib/hal.te 2016-08-06 21:27:11.357094372 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/hal.te 2016-08-10 15:55:28.902389524 +0200
> @@ -213,7 +213,7 @@ userdom_dontaudit_search_user_home_dirs(
>
> optional_policy(`
> alsa_domtrans(hald_t)
> - alsa_read_rw_config(hald_t)
> + alsa_read_config(hald_t)
> ')
>
> optional_policy(`
> --- refpolicy-git-06082016-orig/policy/modules/contrib/mozilla.te 2016-08-06 21:27:11.371094531 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/mozilla.te 2016-08-10 15:57:03.475780480 +0200
> @@ -518,7 +518,7 @@ tunable_policy(`use_samba_home_dirs',`
> ')
>
> optional_policy(`
> - alsa_read_rw_config(mozilla_plugin_t)
> + alsa_read_config(mozilla_plugin_t)
> alsa_read_home_files(mozilla_plugin_t)
> ')
>
> --- refpolicy-git-06082016-orig/policy/modules/contrib/mpd.te 2016-08-06 21:27:11.371094531 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/mpd.te 2016-08-10 15:56:33.740343142 +0200
> @@ -179,7 +179,7 @@ tunable_policy(`mpd_use_nfs',`
> ')
>
> optional_policy(`
> - alsa_read_rw_config(mpd_t)
> + alsa_read_config(mpd_t)
> ')
>
> optional_policy(`
> --- refpolicy-git-06082016-orig/policy/modules/contrib/mplayer.te 2016-08-06 21:27:11.371094531 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/mplayer.te 2016-08-10 15:56:47.576546638 +0200
> @@ -251,7 +251,7 @@ tunable_policy(`allow_mplayer_execstack'
> ')
>
> optional_policy(`
> - alsa_read_rw_config(mplayer_t)
> + alsa_read_config(mplayer_t)
> ')
>
> optional_policy(`
> --- refpolicy-git-06082016-orig/policy/modules/system/init.te 2016-08-06 21:26:43.300774339 +0200
> +++ refpolicy-git-06082016/policy/modules/system/init.te 2016-08-10 15:57:39.413309038 +0200
> @@ -694,7 +694,7 @@ ifdef(`distro_redhat',`
> miscfiles_read_hwdata(initrc_t)
>
> optional_policy(`
> - alsa_manage_rw_config(initrc_t)
> + alsa_manage_config(initrc_t)
> ')
>
> optional_policy(`
> --- refpolicy-git-06082016-orig/policy/modules/system/udev.te 2016-08-07 19:44:14.820691246 +0200
> +++ refpolicy-git-06082016/policy/modules/system/udev.te 2016-08-10 15:58:00.350616976 +0200
> @@ -234,7 +234,7 @@ ifdef(`init_systemd',`
> optional_policy(`
> alsa_domtrans(udev_t)
> alsa_read_lib(udev_t)
> - alsa_read_rw_config(udev_t)
> + alsa_read_config(udev_t)
> ')
>
> optional_policy(`
> --- refpolicy-git-06082016-orig/policy/modules/system/userdomain.if 2016-08-06 21:26:43.311774465 +0200
> +++ refpolicy-git-06082016/policy/modules/system/userdomain.if 2016-08-10 16:00:35.340683806 +0200
> @@ -579,7 +579,7 @@ template(`userdom_common_user_template',
> optional_policy(`
> alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc")
> alsa_manage_home_files($1_t)
> - alsa_read_rw_config($1_t)
> + alsa_read_config($1_t)
> alsa_relabel_home_files($1_t)
> ')
>
> @@ -933,7 +933,7 @@ template(`userdom_restricted_xwindows_us
> xserver_restricted_role($1_r, $1_t)
>
> optional_policy(`
> - alsa_read_rw_config($1_t)
> + alsa_read_config($1_t)
> ')
>
> optional_policy(`


--
Chris PeBenito