Add a new gstreamer_orcexec_t type and file context to the gnome
module in order to support the OIL Runtime Compiler (ORC) optimized
code execution (used for example by pulseaudio).
Add optional policy to the pulseaudio module to support the ORC
optimized code execution.
This patch was first submitted a few weeks ago as part of a
larger gnome patch. It has now been split out as a smaller patch,
as required.
Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/gnome.fc | 5 ++
policy/modules/contrib/gnome.if | 60 +++++++++++++++++++++++++++++++++++
policy/modules/contrib/gnome.te | 3 +
policy/modules/contrib/pulseaudio.te | 5 ++
4 files changed, 73 insertions(+)
--- refpolicy-git-orig/policy/modules/contrib/gnome.fc 2016-08-14 21:28:11.493519589 +0200
+++ refpolicy-git-orcexec/policy/modules/contrib/gnome.fc 2016-09-15 12:45:49.974216884 +0200
@@ -5,6 +5,8 @@ HOME_DIR/\.gnome2(/.*)? gen_context(syst
HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0)
HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
+
/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
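Review bot: The new `HOME_DIR/orcexec\..*` entry on the third line of the hunk carries no file-type specifier, while the two `/var/run/user/...` entries in the next hunk use `--`, so in the home directory the pattern would also label directories, symlinks or sockets named orcexec.* with a type that gnome.te declares through application_executable_file(); the line should read `HOME_DIR/orcexec\..*	--	gen_context(system_u:object_r:gstreamer_orcexec_t,s0)`. Because the type is presumably treated as executable content, this entry also means that any regular file a user leaves at the top of their home directory under that name is relabelled to an executable type on restorecon, which deserves a short comment next to the entry. The same gnome.fc hunk is repeated unchanged in the v2 and v3 postings below, where the same fix applies.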
@@ -14,3 +16,6 @@ HOME_DIR/\.gnome2_private(/.*)? gen_cont
/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+
+/var/run/user/[^/]*/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
+/var/run/user/%{USERID}/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
--- refpolicy-git-orig/policy/modules/contrib/gnome.if 2016-08-14 21:28:11.493519589 +0200
+++ refpolicy-git-orcexec/policy/modules/contrib/gnome.if 2016-09-15 12:50:47.168965082 +0200
@@ -604,6 +604,66 @@ interface(`gnome_gconf_home_filetrans',`
########################################
## <summary>
+## Create objects in user home
+## directories with the gstreamer
+## orcexec type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_user_home_dir_filetrans_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create objects in the user
+## runtime directories with the
+## gstreamer orcexec type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3)
+')
+
+########################################
+## <summary>
## Read generic gnome keyring home files.
## </summary>
## <param name="domain">
--- refpolicy-git-orig/policy/modules/contrib/gnome.te 2016-08-14 21:28:11.494519604 +0200
+++ refpolicy-git-orcexec/policy/modules/contrib/gnome.te 2016-09-15 12:51:26.107456172 +0200
@@ -46,6 +46,9 @@ userdom_user_home_content(gnome_keyring_
type gnome_keyring_tmp_t;
userdom_user_tmp_file(gnome_keyring_tmp_t)
+type gstreamer_orcexec_t;
+application_executable_file(gstreamer_orcexec_t)
+
##############################
#
# Common local Policy
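Review bot: gstreamer_orcexec_t is declared only through application_executable_file() on the second added line, yet the file contexts put it at the top of HOME_DIR and under /var/run/user, and unlike gnome_keyring_tmp_t just above it is not registered as user home or user runtime content (the userdom_user_home_content() call visible in the hunk header is the existing pattern). Unless that is deliberate, user domains and the home-directory relabelling tooling may not regard stale orcexec.* files as the user's own content, so they cannot be cleaned up; please confirm against the userdom interfaces before merging. A one-line comment above the declaration, e.g. `# JIT code written and then mapped executable by the creating domain`, would record why this type exists separately from the other gnome home content. The same gnome.te hunk recurs in the v2 and v3 postings below.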
--- refpolicy-git-orig/policy/modules/contrib/pulseaudio.te 2016-08-15 23:39:24.063783236 +0200
+++ refpolicy-git-orcexec/policy/modules/contrib/pulseaudio.te 2016-09-15 12:52:08.824994923 +0200
@@ -193,6 +193,11 @@ optional_policy(`
optional_policy(`
gnome_stream_connect_gconf(pulseaudio_t)
+
+ # OIL Runtime Compiler (ORC) optimized code execution
+ allow pulseaudio_t gstreamer_orcexec_t:file { manage_file_perms mmap_file_perms };
+ gnome_user_runtime_filetrans_gstreamer_orcexec(pulseaudio_t, file)
+ gnome_user_home_dir_filetrans_gstreamer_orcexec(pulseaudio_t, file)
')
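Review bot: The raw `allow pulseaudio_t gstreamer_orcexec_t:file { manage_file_perms mmap_file_perms };` on the third added line references a type owned by the gnome module directly from pulseaudio.te, with no gen_require and without a gnome interface, which breaks refpolicy's module layering and, as far as I can tell, will not link when gnome is built as a separate module; the rule belongs in a gnome.if interface that pulseaudio calls, as the two filetrans calls next to it already do. Since mmap_file_perms covers execute mapping, this single rule gives pulseaudio_t both write and execute on the same file type, and a short comment saying so would make the W+X relaxation easy to audit. The enclosing optional_policy block starts outside the hunk.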
optional_policy(`
Add a new gstreamer_orcexec_t type and file context to the gnome
module in order to support the OIL Runtime Compiler (ORC) optimized
code execution (used for example by pulseaudio).
Add optional policy to the pulseaudio module to support the ORC
optimized code execution.
This patch was first submitted a few weeks ago as part of a
larger gnome patch. It has now been split out as a smaller patch,
as required.
Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/gnome.fc | 5 ++
policy/modules/contrib/gnome.if | 79 +++++++++++++++++++++++++++++++++++
policy/modules/contrib/gnome.te | 3 +
policy/modules/contrib/pulseaudio.te | 5 ++
4 files changed, 92 insertions(+)
--- refpolicy-git-orig/policy/modules/contrib/gnome.fc 2016-08-14 21:28:11.493519589 +0200
+++ refpolicy-git-orcexec/policy/modules/contrib/gnome.fc 2016-09-15 12:45:49.974216884 +0200
@@ -5,6 +5,8 @@ HOME_DIR/\.gnome2(/.*)? gen_context(syst
HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0)
HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
+
/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
@@ -14,3 +16,6 @@ HOME_DIR/\.gnome2_private(/.*)? gen_cont
/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+
+/var/run/user/[^/]*/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
+/var/run/user/%{USERID}/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
--- refpolicy-git-orig/policy/modules/contrib/gnome.if 2016-08-14 21:28:11.493519589 +0200
+++ refpolicy-git-orcexec/policy/modules/contrib/gnome.if 2016-09-15 15:19:41.127233923 +0200
@@ -604,6 +604,66 @@ interface(`gnome_gconf_home_filetrans',`
########################################
## <summary>
+## Create objects in user home
+## directories with the gstreamer
+## orcexec type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_user_home_dir_filetrans_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create objects in the user
+## runtime directories with the
+## gstreamer orcexec type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3)
+')
+
+########################################
+## <summary>
## Read generic gnome keyring home files.
## </summary>
## <param name="domain">
@@ -735,3 +795,22 @@ interface(`gnome_stream_connect_all_gkey
files_search_tmp($1)
stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
')
+
+########################################
+## <summary>
+## Manage and mmap gstreamer ORC
+## optimized code.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_mmap_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ allow $1 gstreamer_orcexec_t:file { manage_file_perms mmap_file_perms };
+')
--- refpolicy-git-orig/policy/modules/contrib/gnome.te 2016-08-14 21:28:11.494519604 +0200
+++ refpolicy-git-orcexec/policy/modules/contrib/gnome.te 2016-09-15 12:51:26.107456172 +0200
@@ -46,6 +46,9 @@ userdom_user_home_content(gnome_keyring_
type gnome_keyring_tmp_t;
userdom_user_tmp_file(gnome_keyring_tmp_t)
+type gstreamer_orcexec_t;
+application_executable_file(gstreamer_orcexec_t)
+
##############################
#
# Common local Policy
--- refpolicy-git-orig/policy/modules/contrib/pulseaudio.te 2016-08-15 23:39:24.063783236 +0200
+++ refpolicy-git-orcexec/policy/modules/contrib/pulseaudio.te 2016-09-15 15:18:04.644202840 +0200
@@ -193,6 +193,11 @@ optional_policy(`
optional_policy(`
gnome_stream_connect_gconf(pulseaudio_t)
+
+ # OIL Runtime Compiler (ORC) optimized code execution
+ gnome_manage_mmap_gstreamer_orcexec(pulseaudio_t)
+ gnome_user_runtime_filetrans_gstreamer_orcexec(pulseaudio_t, file)
+ gnome_user_home_dir_filetrans_gstreamer_orcexec(pulseaudio_t, file)
')
optional_policy(`
On 09/15/16 09:26, Guido Trentalancia via refpolicy wrote:
> Add a new gstreamer_orcexec_t type and file context to the gnome
> module in order to support the OIL Runtime Compiler (ORC) optimized
> code execution (used for example by pulseaudio).
>
> Add optional policy to the pulseaudio module to support the ORC
> optimized code execution.
>
> This patch has been anticipated a few weeks ago as part of a
> larger gnome patch. It has now been split as a smaller patch,
> as required.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/gnome.fc | 5 ++
> policy/modules/contrib/gnome.if | 79 +++++++++++++++++++++++++++++++++++
> policy/modules/contrib/gnome.te | 3 +
> policy/modules/contrib/pulseaudio.te | 5 ++
> 4 files changed, 92 insertions(+)
>
> --- refpolicy-git-orig/policy/modules/contrib/gnome.fc 2016-08-14 21:28:11.493519589 +0200
> +++ refpolicy-git-orcexec/policy/modules/contrib/gnome.fc 2016-09-15 12:45:49.974216884 +0200
> @@ -5,6 +5,8 @@ HOME_DIR/\.gnome2(/.*)? gen_context(syst
> HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0)
> HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
>
> +HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
> +
> /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
>
> /tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
> @@ -14,3 +16,6 @@ HOME_DIR/\.gnome2_private(/.*)? gen_cont
>
> /usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
> /usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
> +
> +/var/run/user/[^/]*/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
> +/var/run/user/%{USERID}/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
> --- refpolicy-git-orig/policy/modules/contrib/gnome.if 2016-08-14 21:28:11.493519589 +0200
> +++ refpolicy-git-orcexec/policy/modules/contrib/gnome.if 2016-09-15 15:19:41.127233923 +0200
> @@ -604,6 +604,66 @@ interface(`gnome_gconf_home_filetrans',`
>
> ########################################
> ## <summary>
> +## Create objects in user home
> +## directories with the gstreamer
> +## orcexec type.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="object_class">
> +## <summary>
> +## Class of the object being created.
> +## </summary>
> +## </param>
> +## <param name="name" optional="true">
> +## <summary>
> +## The name of the object being created.
> +## </summary>
> +## </param>
> +#
> +interface(`gnome_user_home_dir_filetrans_gstreamer_orcexec',`
> + gen_require(`
> + type gstreamer_orcexec_t;
> + ')
> +
> + userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3)
> +')
> +
> +########################################
> +## <summary>
> +## Create objects in the user
> +## runtime directories with the
> +## gstreamer orcexec type.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="object_class">
> +## <summary>
> +## Class of the object being created.
> +## </summary>
> +## </param>
> +## <param name="name" optional="true">
> +## <summary>
> +## The name of the object being created.
> +## </summary>
> +## </param>
> +#
> +interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',`
> + gen_require(`
> + type gstreamer_orcexec_t;
> + ')
> +
> + userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3)
> +')
> +
> +########################################
> +## <summary>
> ## Read generic gnome keyring home files.
> ## </summary>
> ## <param name="domain">
> @@ -735,3 +795,22 @@ interface(`gnome_stream_connect_all_gkey
> files_search_tmp($1)
> stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
> ')
> +
> +########################################
> +## <summary>
> +## Manage and mmap gstreamer ORC
> +## optimized code.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`gnome_manage_mmap_gstreamer_orcexec',`
> + gen_require(`
> + type gstreamer_orcexec_t;
> + ')
> +
> + allow $1 gstreamer_orcexec_t:file { manage_file_perms mmap_file_perms };
This will need to be split into two interfaces. Otherwise I think it's ok.
--
Chris PeBenito
Add a new gstreamer_orcexec_t type and file context to the gnome
module in order to support the OIL Runtime Compiler (ORC) optimized
code execution (used for example by pulseaudio).
Add optional policy to the pulseaudio module to support the ORC
optimized code execution.
This patch was first submitted a few weeks ago as part of a
larger gnome patch. It has now been split out as a smaller patch,
as required.
Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/gnome.fc | 5 +
policy/modules/contrib/gnome.if | 98 +++++++++++++++++++++++++++++++++++
policy/modules/contrib/gnome.te | 3 +
policy/modules/contrib/pulseaudio.te | 6 ++
4 files changed, 112 insertions(+)
--- refpolicy-git-orig/policy/modules/contrib/gnome.fc 2016-08-14 21:28:11.493519589 +0200
+++ refpolicy-git-orcexec/policy/modules/contrib/gnome.fc 2016-09-15 12:45:49.974216884 +0200
@@ -5,6 +5,8 @@ HOME_DIR/\.gnome2(/.*)? gen_context(syst
HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0)
HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
+HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
+
/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
/tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
@@ -14,3 +16,6 @@ HOME_DIR/\.gnome2_private(/.*)? gen_cont
/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
/usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
+
+/var/run/user/[^/]*/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
+/var/run/user/%{USERID}/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
--- refpolicy-git-orig/policy/modules/contrib/gnome.if 2016-08-14 21:28:11.493519589 +0200
+++ refpolicy-git-orcexec/policy/modules/contrib/gnome.if 2016-09-19 13:03:01.904972915 +0200
@@ -604,6 +604,66 @@ interface(`gnome_gconf_home_filetrans',`
########################################
## <summary>
+## Create objects in user home
+## directories with the gstreamer
+## orcexec type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_user_home_dir_filetrans_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3)
+')
+
+########################################
+## <summary>
+## Create objects in the user
+## runtime directories with the
+## gstreamer orcexec type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3)
+')
+
+########################################
+## <summary>
## Read generic gnome keyring home files.
## </summary>
## <param name="domain">
@@ -735,3 +795,41 @@ interface(`gnome_stream_connect_all_gkey
files_search_tmp($1)
stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
')
+
+########################################
+## <summary>
+## Manage gstreamer ORC optimized
+## code.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_manage_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ allow $1 gstreamer_orcexec_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Mmap gstreamer ORC optimized
+## code.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`gnome_mmap_gstreamer_orcexec',`
+ gen_require(`
+ type gstreamer_orcexec_t;
+ ')
+
+ allow $1 gstreamer_orcexec_t:file mmap_file_perms;
+')
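Review bot: The summaries of gnome_manage_gstreamer_orcexec and gnome_mmap_gstreamer_orcexec should state that gstreamer_orcexec_t is an executable-file type written by the calling domain itself, so a domain granted both interfaces can write code and then map it executable; suggested summary for the mmap interface: `Map gstreamer ORC optimized code executable. Combined with gnome_manage_gstreamer_orcexec() this lets the domain execute code it generated itself.` The manage interface grants only file permissions on the type, while the .fc file places these objects in the user home and user runtime directories, so a caller still needs search access to those directories; that is presumably already present for pulseaudio_t but should be mentioned in the interface description for other callers.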
--- refpolicy-git-orig/policy/modules/contrib/gnome.te 2016-08-14 21:28:11.494519604 +0200
+++ refpolicy-git-orcexec/policy/modules/contrib/gnome.te 2016-09-15 12:51:26.107456172 +0200
@@ -46,6 +46,9 @@ userdom_user_home_content(gnome_keyring_
type gnome_keyring_tmp_t;
userdom_user_tmp_file(gnome_keyring_tmp_t)
+type gstreamer_orcexec_t;
+application_executable_file(gstreamer_orcexec_t)
+
##############################
#
# Common local Policy
--- refpolicy-git-orig/policy/modules/contrib/pulseaudio.te 2016-08-15 23:39:24.063783236 +0200
+++ refpolicy-git-orcexec/policy/modules/contrib/pulseaudio.te 2016-09-19 13:06:10.485531536 +0200
@@ -193,6 +193,12 @@ optional_policy(`
optional_policy(`
gnome_stream_connect_gconf(pulseaudio_t)
+
+ # OIL Runtime Compiler (ORC) optimized code execution
+ gnome_manage_gstreamer_orcexec(pulseaudio_t)
+ gnome_mmap_gstreamer_orcexec(pulseaudio_t)
+ gnome_user_runtime_filetrans_gstreamer_orcexec(pulseaudio_t, file)
+ gnome_user_home_dir_filetrans_gstreamer_orcexec(pulseaudio_t, file)
')
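Review bot: The four ORC calls are unconditional, so every pulseaudio_t instance gains write-and-execute-map access to gstreamer_orcexec_t files whether or not ORC is in use; wrapping them in a tunable_policy block (a boolean such as the constructed name `pulseaudio_execorc`) would let deployments that do not need JIT-compiled audio code keep the tighter policy, in the same way the existing execmem/execstack booleans gate comparable relaxations elsewhere in refpolicy. The comment on the first added line could also say why the access is needed, e.g. `# ORC writes JIT code to orcexec.* files and maps them executable`. The enclosing optional_policy block starts outside the hunk.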
optional_policy(`
On 09/19/16 07:15, Guido Trentalancia via refpolicy wrote:
> Add a new gstreamer_orcexec_t type and file context to the gnome
> module in order to support the OIL Runtime Compiler (ORC) optimized
> code execution (used for example by pulseaudio).
>
> Add optional policy to the pulseaudio module to support the ORC
> optimized code execution.
>
> This patch has been anticipated a few weeks ago as part of a
> larger gnome patch. It has now been split as a smaller patch,
> as required.
Merged.
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/gnome.fc | 5 +
> policy/modules/contrib/gnome.if | 98 +++++++++++++++++++++++++++++++++++
> policy/modules/contrib/gnome.te | 3 +
> policy/modules/contrib/pulseaudio.te | 6 ++
> 4 files changed, 112 insertions(+)
>
> --- refpolicy-git-orig/policy/modules/contrib/gnome.fc 2016-08-14 21:28:11.493519589 +0200
> +++ refpolicy-git-orcexec/policy/modules/contrib/gnome.fc 2016-09-15 12:45:49.974216884 +0200
> @@ -5,6 +5,8 @@ HOME_DIR/\.gnome2(/.*)? gen_context(syst
> HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:object_r:gnome_keyring_home_t,s0)
> HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object_r:gnome_home_t,s0)
>
> +HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
> +
> /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,s0)
>
> /tmp/gconfd-USER/.* -- gen_context(system_u:object_r:gconf_tmp_t,s0)
> @@ -14,3 +16,6 @@ HOME_DIR/\.gnome2_private(/.*)? gen_cont
>
> /usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
> /usr/libexec/gconfd-2 -- gen_context(system_u:object_r:gconfd_exec_t,s0)
> +
> +/var/run/user/[^/]*/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
> +/var/run/user/%{USERID}/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)
> --- refpolicy-git-orig/policy/modules/contrib/gnome.if 2016-08-14 21:28:11.493519589 +0200
> +++ refpolicy-git-orcexec/policy/modules/contrib/gnome.if 2016-09-19 13:03:01.904972915 +0200
> @@ -604,6 +604,66 @@ interface(`gnome_gconf_home_filetrans',`
>
> ########################################
> ## <summary>
> +## Create objects in user home
> +## directories with the gstreamer
> +## orcexec type.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="object_class">
> +## <summary>
> +## Class of the object being created.
> +## </summary>
> +## </param>
> +## <param name="name" optional="true">
> +## <summary>
> +## The name of the object being created.
> +## </summary>
> +## </param>
> +#
> +interface(`gnome_user_home_dir_filetrans_gstreamer_orcexec',`
> + gen_require(`
> + type gstreamer_orcexec_t;
> + ')
> +
> + userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t, $2, $3)
> +')
> +
> +########################################
> +## <summary>
> +## Create objects in the user
> +## runtime directories with the
> +## gstreamer orcexec type.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <param name="object_class">
> +## <summary>
> +## Class of the object being created.
> +## </summary>
> +## </param>
> +## <param name="name" optional="true">
> +## <summary>
> +## The name of the object being created.
> +## </summary>
> +## </param>
> +#
> +interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',`
> + gen_require(`
> + type gstreamer_orcexec_t;
> + ')
> +
> + userdom_user_runtime_filetrans($1, gstreamer_orcexec_t, $2, $3)
> +')
> +
> +########################################
> +## <summary>
> ## Read generic gnome keyring home files.
> ## </summary>
> ## <param name="domain">
> @@ -735,3 +795,41 @@ interface(`gnome_stream_connect_all_gkey
> files_search_tmp($1)
> stream_connect_pattern($1, gnome_keyring_tmp_t, gnome_keyring_tmp_t, gkeyringd_domain)
> ')
> +
> +########################################
> +## <summary>
> +## Manage gstreamer ORC optimized
> +## code.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`gnome_manage_gstreamer_orcexec',`
> + gen_require(`
> + type gstreamer_orcexec_t;
> + ')
> +
> + allow $1 gstreamer_orcexec_t:file manage_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Mmap gstreamer ORC optimized
> +## code.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`gnome_mmap_gstreamer_orcexec',`
> + gen_require(`
> + type gstreamer_orcexec_t;
> + ')
> +
> + allow $1 gstreamer_orcexec_t:file mmap_file_perms;
> +')
> --- refpolicy-git-orig/policy/modules/contrib/gnome.te 2016-08-14 21:28:11.494519604 +0200
> +++ refpolicy-git-orcexec/policy/modules/contrib/gnome.te 2016-09-15 12:51:26.107456172 +0200
> @@ -46,6 +46,9 @@ userdom_user_home_content(gnome_keyring_
> type gnome_keyring_tmp_t;
> userdom_user_tmp_file(gnome_keyring_tmp_t)
>
> +type gstreamer_orcexec_t;
> +application_executable_file(gstreamer_orcexec_t)
> +
> ##############################
> #
> # Common local Policy
> --- refpolicy-git-orig/policy/modules/contrib/pulseaudio.te 2016-08-15 23:39:24.063783236 +0200
> +++ refpolicy-git-orcexec/policy/modules/contrib/pulseaudio.te 2016-09-19 13:06:10.485531536 +0200
> @@ -193,6 +193,12 @@ optional_policy(`
>
> optional_policy(`
> gnome_stream_connect_gconf(pulseaudio_t)
> +
> + # OIL Runtime Compiler (ORC) optimized code execution
> + gnome_manage_gstreamer_orcexec(pulseaudio_t)
> + gnome_mmap_gstreamer_orcexec(pulseaudio_t)
> + gnome_user_runtime_filetrans_gstreamer_orcexec(pulseaudio_t, file)
> + gnome_user_home_dir_filetrans_gstreamer_orcexec(pulseaudio_t, file)
> ')
>
> optional_policy(`
--
Chris PeBenito
Hello Christopher.
I have checked the current git tree, but unfortunately I couldn't find
any trace of this patch.
Can you please double-check that it has been applied?
Thanks,
Guido
On Mon, 19/09/2016 at 18.36 -0400, Chris PeBenito wrote:
> On 09/19/16 07:15, Guido Trentalancia via refpolicy wrote:
> >
> > Add a new gstreamer_orcexec_t type and file context to the gnome
> > module in order to support the OIL Runtime Compiler (ORC) optimized
> > code execution (used for example by pulseaudio).
> >
> > Add optional policy to the pulseaudio module to support the ORC
> > optimized code execution.
> >
> > This patch has been anticipated a few weeks ago as part of a
> > larger gnome patch. It has now been split as a smaller patch,
> > as required.
>
> Merged.
>
>
> >
> > Signed-off-by: Guido Trentalancia <[email protected]>
> > ---
> >  policy/modules/contrib/gnome.fc      |    5 +
> >  policy/modules/contrib/gnome.if      |   98 +++++++++++++++++++++++++++++++++++
> >  policy/modules/contrib/gnome.te      |    3 +
> >  policy/modules/contrib/pulseaudio.te |    6 ++
> >  4 files changed, 112 insertions(+)
> >
> > --- refpolicy-git-orig/policy/modules/contrib/gnome.fc 2016-
> > 08-14 21:28:11.493519589 +0200
> > +++ refpolicy-git-orcexec/policy/modules/contrib/gnome.fc 20
> > 16-09-15 12:45:49.974216884 +0200
> > @@ -5,6 +5,8 @@ HOME_DIR/\.gnome2(/.*)? gen_context(syst
> > ?HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:objec
> > t_r:gnome_keyring_home_t,s0)
> > ?HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object
> > _r:gnome_home_t,s0)
> >
> > +HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreame
> > r_orcexec_t,s0)
> > +
> > ?/etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,
> > s0)
> >
> > ?/tmp/gconfd-USER/.* -- gen_context(system_u:object_r
> > :gconf_tmp_t,s0)
> > @@ -14,3 +16,6 @@ HOME_DIR/\.gnome2_private(/.*)? gen_cont
> >
> > ?/usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_
> > u:object_r:gconfd_exec_t,s0)
> > ?/usr/libexec/gconfd-2 -- gen_context(system_u:object
> > _r:gconfd_exec_t,s0)
> > +
> > +/var/run/user/[^/]*/orcexec\..* -- gen_context(syste
> > m_u:object_r:gstreamer_orcexec_t,s0)
> > +/var/run/user/%{USERID}/orcexec\..* -- gen_context(s
> > ystem_u:object_r:gstreamer_orcexec_t,s0)
> > --- refpolicy-git-orig/policy/modules/contrib/gnome.if 2016-
> > 08-14 21:28:11.493519589 +0200
> > +++ refpolicy-git-orcexec/policy/modules/contrib/gnome.if 20
> > 16-09-19 13:03:01.904972915 +0200
> > @@ -604,6 +604,66 @@ interface(`gnome_gconf_home_filetrans',`
> >
> > ?########################################
> > ?## <summary>
> > +## Create objects in user home
> > +## directories with the gstreamer
> > +## orcexec type.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +## <param name="object_class">
> > +## <summary>
> > +## Class of the object being created.
> > +## </summary>
> > +## </param>
> > +## <param name="name" optional="true">
> > +## <summary>
> > +## The name of the object being created.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`gnome_user_home_dir_filetrans_gstreamer_orcexec',`
> > + gen_require(`
> > + type gstreamer_orcexec_t;
> > + ')
> > +
> > + userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t,
> > $2, $3)
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Create objects in the user
> > +## runtime directories with the
> > +## gstreamer orcexec type.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +## <param name="object_class">
> > +## <summary>
> > +## Class of the object being created.
> > +## </summary>
> > +## </param>
> > +## <param name="name" optional="true">
> > +## <summary>
> > +## The name of the object being created.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',`
> > + gen_require(`
> > + type gstreamer_orcexec_t;
> > + ')
> > +
> > + userdom_user_runtime_filetrans($1, gstreamer_orcexec_t,
> > $2, $3)
> > +')
> > +
> > +########################################
> > +## <summary>
> > ?## Read generic gnome keyring home files.
> > ?## </summary>
> > ?## <param name="domain">
> > @@ -735,3 +795,41 @@ interface(`gnome_stream_connect_all_gkey
> > ? files_search_tmp($1)
> > ? stream_connect_pattern($1, gnome_keyring_tmp_t,
> > gnome_keyring_tmp_t, gkeyringd_domain)
> > ?')
> > +
> > +########################################
> > +## <summary>
> > +## Manage gstreamer ORC optimized
> > +## code.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`gnome_manage_gstreamer_orcexec',`
> > + gen_require(`
> > + type gstreamer_orcexec_t;
> > + ')
> > +
> > + allow $1 gstreamer_orcexec_t:file manage_file_perms;
> > +')
> > +
> > +########################################
> > +## <summary>
> > +## Mmap gstreamer ORC optimized
> > +## code.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`gnome_mmap_gstreamer_orcexec',`
> > + gen_require(`
> > + type gstreamer_orcexec_t;
> > + ')
> > +
> > + allow $1 gstreamer_orcexec_t:file mmap_file_perms;
> > +')
> > --- refpolicy-git-orig/policy/modules/contrib/gnome.te 2016-
> > 08-14 21:28:11.494519604 +0200
> > +++ refpolicy-git-orcexec/policy/modules/contrib/gnome.te 20
> > 16-09-15 12:51:26.107456172 +0200
> > @@ -46,6 +46,9 @@ userdom_user_home_content(gnome_keyring_
> > ?type gnome_keyring_tmp_t;
> > ?userdom_user_tmp_file(gnome_keyring_tmp_t)
> >
> > +type gstreamer_orcexec_t;
> > +application_executable_file(gstreamer_orcexec_t)
> > +
> > ?##############################
> > ?#
> > ?# Common local Policy
> > --- refpolicy-git-orig/policy/modules/contrib/pulseaudio.te
> > 2016-08-15 23:39:24.063783236 +0200
> > +++ refpolicy-git-orcexec/policy/modules/contrib/pulseaudio.te
> > 2016-09-19 13:06:10.485531536 +0200
> > @@ -193,6 +193,12 @@ optional_policy(`
> >
> > ?optional_policy(`
> > ? gnome_stream_connect_gconf(pulseaudio_t)
> > +
> > + # OIL Runtime Compiler (ORC) optimized code execution
> > + gnome_manage_gstreamer_orcexec(pulseaudio_t)
> > + gnome_mmap_gstreamer_orcexec(pulseaudio_t)
> > + gnome_user_runtime_filetrans_gstreamer_orcexec(pulseaudio_
> > t, file)
> > + gnome_user_home_dir_filetrans_gstreamer_orcexec(pulseaudio
> > _t, file)
> > ?')
> >
> > ?optional_policy(`
>
>
>
On 09/27/16 11:01, Guido Trentalancia wrote:
> Hello Christopher.
>
> I have checked the current git tree, but unfortunately I couldn't find
> any trace of this patch.
>
> Can you please double-check that it has been applied?
This looks like it, to me:
https://github.com/TresysTechnology/refpolicy-contrib/commit/89a34a6719990644905b4ea64a4b5b84965c76cc
> On Mon, 19/09/2016 at 18.36 -0400, Chris PeBenito wrote:
>> On 09/19/16 07:15, Guido Trentalancia via refpolicy wrote:
>>>
>>> Add a new gstreamer_orcexec_t type and file context to the gnome
>>> module in order to support the OIL Runtime Compiler (ORC) optimized
>>> code execution (used for example by pulseaudio).
>>>
>>> Add optional policy to the pulseaudio module to support the ORC
>>> optimized code execution.
>>>
>>> This patch was first submitted a few weeks ago as part of a
>>> larger gnome patch. It has now been split out as a smaller patch,
>>> as required.
>>
>> Merged.
>>
>>
>>>
>>> Signed-off-by: Guido Trentalancia <[email protected]>
>>> ---
>>> policy/modules/contrib/gnome.fc | 5 +
>>> policy/modules/contrib/gnome.if | 98
>>> +++++++++++++++++++++++++++++++++++
>>> policy/modules/contrib/gnome.te | 3 +
>>> policy/modules/contrib/pulseaudio.te | 6 ++
>>> 4 files changed, 112 insertions(+)
>>>
>>> --- refpolicy-git-orig/policy/modules/contrib/gnome.fc 2016-
>>> 08-14 21:28:11.493519589 +0200
>>> +++ refpolicy-git-orcexec/policy/modules/contrib/gnome.fc 20
>>> 16-09-15 12:45:49.974216884 +0200
>>> @@ -5,6 +5,8 @@ HOME_DIR/\.gnome2(/.*)? gen_context(syst
>>> HOME_DIR/\.gnome2/keyrings(/.*)? gen_context(system_u:objec
>>> t_r:gnome_keyring_home_t,s0)
>>> HOME_DIR/\.gnome2_private(/.*)? gen_context(system_u:object
>>> _r:gnome_home_t,s0)
>>>
>>> +HOME_DIR/orcexec\..* gen_context(system_u:object_r:gstreame
>>> r_orcexec_t,s0)
>>> +
>>> /etc/gconf(/.*)? gen_context(system_u:object_r:gconf_etc_t,
>>> s0)
>>>
>>> /tmp/gconfd-USER/.* -- gen_context(system_u:object_r
>>> :gconf_tmp_t,s0)
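Review bot: `HOME_DIR/orcexec\..*` carries no file-type modifier, while the two `/var/run/user/` entries in the next hunk restrict themselves to regular files with `--`; as written, a directory or symlink named `orcexec.*` in the home directory would also be labelled as executable code content. The filetrans calls in pulseaudio.te pass only the `file` class, so the narrower form matches actual use: `HOME_DIR/orcexec\..* -- gen_context(system_u:object_r:gstreamer_orcexec_t,s0)`.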
>>> @@ -14,3 +16,6 @@ HOME_DIR/\.gnome2_private(/.*)? gen_cont
>>>
>>> /usr/lib/[^/]*/gconf/gconfd-2 -- gen_context(system_
>>> u:object_r:gconfd_exec_t,s0)
>>> /usr/libexec/gconfd-2 -- gen_context(system_u:object
>>> _r:gconfd_exec_t,s0)
>>> +
>>> +/var/run/user/[^/]*/orcexec\..* -- gen_context(syste
>>> m_u:object_r:gstreamer_orcexec_t,s0)
>>> +/var/run/user/%{USERID}/orcexec\..* -- gen_context(s
>>> ystem_u:object_r:gstreamer_orcexec_t,s0)
>>> --- refpolicy-git-orig/policy/modules/contrib/gnome.if 2016-
>>> 08-14 21:28:11.493519589 +0200
>>> +++ refpolicy-git-orcexec/policy/modules/contrib/gnome.if 20
>>> 16-09-19 13:03:01.904972915 +0200
>>> @@ -604,6 +604,66 @@ interface(`gnome_gconf_home_filetrans',`
>>>
>>> ########################################
>>> ## <summary>
>>> +## Create objects in user home
>>> +## directories with the gstreamer
>>> +## orcexec type.
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Domain allowed access.
>>> +## </summary>
>>> +## </param>
>>> +## <param name="object_class">
>>> +## <summary>
>>> +## Class of the object being created.
>>> +## </summary>
>>> +## </param>
>>> +## <param name="name" optional="true">
>>> +## <summary>
>>> +## The name of the object being created.
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`gnome_user_home_dir_filetrans_gstreamer_orcexec',`
>>> + gen_require(`
>>> + type gstreamer_orcexec_t;
>>> + ')
>>> +
>>> + userdom_user_home_dir_filetrans($1, gstreamer_orcexec_t,
>>> $2, $3)
>>> +')
>>> +
>>> +########################################
>>> +## <summary>
>>> +## Create objects in the user
>>> +## runtime directories with the
>>> +## gstreamer orcexec type.
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Domain allowed access.
>>> +## </summary>
>>> +## </param>
>>> +## <param name="object_class">
>>> +## <summary>
>>> +## Class of the object being created.
>>> +## </summary>
>>> +## </param>
>>> +## <param name="name" optional="true">
>>> +## <summary>
>>> +## The name of the object being created.
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`gnome_user_runtime_filetrans_gstreamer_orcexec',`
>>> + gen_require(`
>>> + type gstreamer_orcexec_t;
>>> + ')
>>> +
>>> + userdom_user_runtime_filetrans($1, gstreamer_orcexec_t,
>>> $2, $3)
>>> +')
>>> +
>>> +########################################
>>> +## <summary>
>>> ## Read generic gnome keyring home files.
>>> ## </summary>
>>> ## <param name="domain">
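Review bot: The summaries of gnome_user_home_dir_filetrans_gstreamer_orcexec and gnome_user_runtime_filetrans_gstreamer_orcexec do not say that the created objects receive a type declared with application_executable_file(), which is the property a caller has to weigh before adding the transition. Since the name parameter is optional, an unnamed call turns every object of the given class the domain creates in that directory into executable code content. I would extend each summary with a sentence such as `## Created objects are labelled as executable code; without a name this applies to every object of the class the domain creates in the directory.`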
>>> @@ -735,3 +795,41 @@ interface(`gnome_stream_connect_all_gkey
>>> files_search_tmp($1)
>>> stream_connect_pattern($1, gnome_keyring_tmp_t,
>>> gnome_keyring_tmp_t, gkeyringd_domain)
>>> ')
>>> +
>>> +########################################
>>> +## <summary>
>>> +## Manage gstreamer ORC optimized
>>> +## code.
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Domain allowed access.
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`gnome_manage_gstreamer_orcexec',`
>>> + gen_require(`
>>> + type gstreamer_orcexec_t;
>>> + ')
>>> +
>>> + allow $1 gstreamer_orcexec_t:file manage_file_perms;
>>> +')
>>> +
>>> +########################################
>>> +## <summary>
>>> +## Mmap gstreamer ORC optimized
>>> +## code.
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Domain allowed access.
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`gnome_mmap_gstreamer_orcexec',`
>>> + gen_require(`
>>> + type gstreamer_orcexec_t;
>>> + ')
>>> +
>>> + allow $1 gstreamer_orcexec_t:file mmap_file_perms;
>>> +')
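Review bot: gnome_mmap_gstreamer_orcexec grants mmap_file_perms, and in refpolicy's permission sets that macro, as far as I recall, carries execute, so the summary `Mmap gstreamer ORC optimized code.` understates what the caller gets; a domain that also calls gnome_manage_gstreamer_orcexec can write and then execute the same files, which is the point of the ORC JIT but also exactly what the execmem-style restrictions are meant to keep rare. I would make the summary explicit, `## Read, map and execute gstreamer ORC optimized code.`, and add a one-line note that pairing it with the manage interface should be limited to domains that actually run the ORC compiler.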
>>> --- refpolicy-git-orig/policy/modules/contrib/gnome.te 2016-
>>> 08-14 21:28:11.494519604 +0200
>>> +++ refpolicy-git-orcexec/policy/modules/contrib/gnome.te 20
>>> 16-09-15 12:51:26.107456172 +0200
>>> @@ -46,6 +46,9 @@ userdom_user_home_content(gnome_keyring_
>>> type gnome_keyring_tmp_t;
>>> userdom_user_tmp_file(gnome_keyring_tmp_t)
>>>
>>> +type gstreamer_orcexec_t;
>>> +application_executable_file(gstreamer_orcexec_t)
>>> +
>>> ##############################
>>> #
>>> # Common local Policy
>>> --- refpolicy-git-orig/policy/modules/contrib/pulseaudio.te
>>> 2016-08-15 23:39:24.063783236 +0200
>>> +++ refpolicy-git-orcexec/policy/modules/contrib/pulseaudio.te
>>> 2016-09-19 13:06:10.485531536 +0200
>>> @@ -193,6 +193,12 @@ optional_policy(`
>>>
>>> optional_policy(`
>>> gnome_stream_connect_gconf(pulseaudio_t)
>>> +
>>> + # OIL Runtime Compiler (ORC) optimized code execution
>>> + gnome_manage_gstreamer_orcexec(pulseaudio_t)
>>> + gnome_mmap_gstreamer_orcexec(pulseaudio_t)
>>> + gnome_user_runtime_filetrans_gstreamer_orcexec(pulseaudio_
>>> t, file)
>>> + gnome_user_home_dir_filetrans_gstreamer_orcexec(pulseaudio
>>> _t, file)
>>> ')
>>>
>>> optional_policy(`
>>
>>
>>
>
--
Chris PeBenito