Update for the games module and integration with pulseaudio.
Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/games.if | 41 +++++++++++++++++++++++++++++++++++++++-
policy/modules/contrib/games.te | 17 ++++++++++++++++
2 files changed, 57 insertions(+), 1 deletion(-)
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/games.if refpolicy-git-07122016/policy/modules/contrib/games.if
--- refpolicy-git-07122016-orig/policy/modules/contrib/games.if 2016-12-08 18:23:14.044084368 +0100
+++ refpolicy-git-07122016/policy/modules/contrib/games.if 2016-12-09 22:13:38.424448790 +0100
@@ -42,7 +42,6 @@ interface(`games_role',`
########################################
## <summary>
## Read and write games data files.
-## games data.
## </summary>
## <param name="domain">
## <summary>
@@ -58,3 +57,43 @@ interface(`games_rw_data',`
files_search_var_lib($1)
rw_files_pattern($1, games_data_t, games_data_t)
')
+
+########################################
+## <summary>
+## Run a game in the game domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`games_domtrans',`
+ gen_require(`
+ type games_t, games_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, games_exec_t, games_t)
+')
+
+########################################
+## <summary>
+## Send and receive messages from
+## games over dbus.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`games_dbus_chat',`
+ gen_require(`
+ type games_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 games_t:dbus send_msg;
+ allow games_t $1:dbus send_msg;
+')
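Review bot: `games_domtrans` grants only the type transition via `domtrans_pattern`; nothing here associates a role with games_t, and no caller of the interface is visible in this series. It would help to extend the summary with something like `## The caller's role must separately be allowed the games_t type.`, or to state which module is expected to use it. `games_dbus_chat` is bidirectional (`allow games_t $1:dbus send_msg;`), so every caller also becomes a domain that confined games may message. The summary could say "Send messages to, and receive messages from, games over dbus" to make that explicit.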
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/games.te refpolicy-git-07122016/policy/modules/contrib/games.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/games.te 2016-12-08 18:23:14.044084368 +0100
+++ refpolicy-git-07122016/policy/modules/contrib/games.te 2016-12-09 22:18:09.451695873 +0100
@@ -42,6 +42,10 @@ typealias games_tmpfs_t alias { user_gam
typealias games_tmpfs_t alias { auditadm_games_tmpfs_t secadm_games_tmpfs_t };
userdom_user_tmpfs_file(games_tmpfs_t)
+optional_policy(`
+ pulseaudio_tmpfs_content(games_tmpfs_t)
+')
+
########################################
#
# Server local policy
@@ -95,6 +99,7 @@ optional_policy(`
# Client local policy
#
+allow games_t self:fifo_file rw_file_perms;
allow games_t self:sem create_sem_perms;
allow games_t self:tcp_socket { accept listen };
@@ -137,6 +142,7 @@ dev_read_sound(games_t)
dev_read_input(games_t)
dev_read_mouse(games_t)
dev_read_urand(games_t)
+dev_rw_dri(games_t)
dev_write_sound(games_t)
files_list_var(games_t)
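Review bot: `dev_rw_dri(games_t)` is granted unconditionally, so every process in games_t gets read/write access to the DRI device nodes, including games that never use direct rendering. That puts the graphics driver's device interface within reach of a compromised game. A short comment such as `# direct rendering for hardware-accelerated games` would record the reason. Whether the rule belongs behind a tunable is a question for the maintainers, since the rest of the client policy is outside this hunk.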
@@ -146,6 +152,8 @@ files_read_etc_files(games_t)
files_read_usr_files(games_t)
files_read_var_files(games_t)
+fs_dontaudit_getattr_xattr_fs(games_t)
+
init_dontaudit_rw_utmp(games_t)
logging_dontaudit_search_logs(games_t)
@@ -166,10 +174,19 @@ tunable_policy(`allow_execmem',`
')
optional_policy(`
+ dbus_all_session_bus_client(games_t)
+ dbus_connect_all_session_bus(games_t)
+')
+
+optional_policy(`
nscd_use(games_t)
')
optional_policy(`
+ pulseaudio_run(games_t, games_roles)
+')
+
+optional_policy(`
xserver_user_x_domain_template(games, games_t, games_tmpfs_t)
xserver_create_xdm_tmp_sockets(games_t)
xserver_read_xdm_lib_files(games_t)
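Review bot: The new dbus block uses the `all_session_bus` variants, which appear to admit games_t to the session bus of every role rather than only the bus of the role that started the game. If the dbus module's per-role variants (for instance `dbus_spec_session_bus_client`) can be used here they would be narrower. Otherwise a comment explaining why the broad form is required would make the grant easier to audit. `pulseaudio_run(games_t, games_roles)` depends on `games_roles` being declared elsewhere in games.te, which this hunk does not show. The final `optional_policy` block continues past the end of the hunk.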
This patch adds a new interface from the games module to the wm
module.
Signed-off-by: Guido Trentalancia <[email protected]>
---
policy/modules/contrib/wm.te | 4 ++++
1 file changed, 4 insertions(+)
--- a/policy/modules/contrib/wm.te 2016-12-17 19:12:19.624563352 +0100
+++ b/policy/modules/contrib/wm.te 2016-12-17 19:11:26.706556939 +0100
@@ -107,6 +107,10 @@ optional_policy(`
')
optional_policy(`
+ games_dbus_chat(wm_domain)
+')
+
+optional_policy(`
mozilla_dbus_chat(wm_domain)
')
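Review bot: `games_dbus_chat(wm_domain)` applies to the whole `wm_domain` attribute and the interface is bidirectional, so games_t may send D-Bus messages to every window manager domain as well as receive from them. The commit message does not say which exchange requires this. A one-line comment above the call, for example `# <use case>: games and the window manager exchange messages on the session bus`, would let a later reviewer decide whether both directions are needed.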
On 12/17/16 13:18, Guido Trentalancia via refpolicy wrote:
> Update for the games module and integration with pulseaudio.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/games.if | 41 +++++++++++++++++++++++++++++++++++++++-
> policy/modules/contrib/games.te | 17 ++++++++++++++++
> 2 files changed, 57 insertions(+), 1 deletion(-)
>
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/games.if refpolicy-git-07122016/policy/modules/contrib/games.if
> --- refpolicy-git-07122016-orig/policy/modules/contrib/games.if 2016-12-08 18:23:14.044084368 +0100
> +++ refpolicy-git-07122016/policy/modules/contrib/games.if 2016-12-09 22:13:38.424448790 +0100
> @@ -42,7 +42,6 @@ interface(`games_role',`
> ########################################
> ## <summary>
> ## Read and write games data files.
> -## games data.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> @@ -58,3 +57,43 @@ interface(`games_rw_data',`
> files_search_var_lib($1)
> rw_files_pattern($1, games_data_t, games_data_t)
> ')
> +
> +########################################
> +## <summary>
> +## Run a game in the game domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`games_domtrans',`
> + gen_require(`
> + type games_t, games_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + domtrans_pattern($1, games_exec_t, games_t)
> +')
> +
> +########################################
> +## <summary>
> +## Send and receive messages from
> +## games over dbus.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`games_dbus_chat',`
> + gen_require(`
> + type games_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 games_t:dbus send_msg;
> + allow games_t $1:dbus send_msg;
> +')
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/games.te refpolicy-git-07122016/policy/modules/contrib/games.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/games.te 2016-12-08 18:23:14.044084368 +0100
> +++ refpolicy-git-07122016/policy/modules/contrib/games.te 2016-12-09 22:18:09.451695873 +0100
> @@ -42,6 +42,10 @@ typealias games_tmpfs_t alias { user_gam
> typealias games_tmpfs_t alias { auditadm_games_tmpfs_t secadm_games_tmpfs_t };
> userdom_user_tmpfs_file(games_tmpfs_t)
>
> +optional_policy(`
> + pulseaudio_tmpfs_content(games_tmpfs_t)
> +')
> +
> ########################################
> #
> # Server local policy
> @@ -95,6 +99,7 @@ optional_policy(`
> # Client local policy
> #
>
> +allow games_t self:fifo_file rw_file_perms;
> allow games_t self:sem create_sem_perms;
> allow games_t self:tcp_socket { accept listen };
>
> @@ -137,6 +142,7 @@ dev_read_sound(games_t)
> dev_read_input(games_t)
> dev_read_mouse(games_t)
> dev_read_urand(games_t)
> +dev_rw_dri(games_t)
> dev_write_sound(games_t)
>
> files_list_var(games_t)
> @@ -146,6 +152,8 @@ files_read_etc_files(games_t)
> files_read_usr_files(games_t)
> files_read_var_files(games_t)
>
> +fs_dontaudit_getattr_xattr_fs(games_t)
> +
> init_dontaudit_rw_utmp(games_t)
>
> logging_dontaudit_search_logs(games_t)
> @@ -166,10 +174,19 @@ tunable_policy(`allow_execmem',`
> ')
>
> optional_policy(`
> + dbus_all_session_bus_client(games_t)
> + dbus_connect_all_session_bus(games_t)
> +')
> +
> +optional_policy(`
> nscd_use(games_t)
> ')
>
> optional_policy(`
> + pulseaudio_run(games_t, games_roles)
> +')
> +
> +optional_policy(`
> xserver_user_x_domain_template(games, games_t, games_tmpfs_t)
> xserver_create_xdm_tmp_sockets(games_t)
> xserver_read_xdm_lib_files(games_t)
Merged.
--
Chris PeBenito
On 12/17/16 13:18, Guido Trentalancia via refpolicy wrote:
> This patch adds a new interface from the games module to the wm
> module.
>
> Signed-off-by: Guido Trentalancia <[email protected]>
> ---
> policy/modules/contrib/wm.te | 4 ++++
> 1 file changed, 4 insertions(+)
>
> --- a/policy/modules/contrib/wm.te 2016-12-17 19:12:19.624563352 +0100
> +++ b/policy/modules/contrib/wm.te 2016-12-17 19:11:26.706556939 +0100
> @@ -107,6 +107,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + games_dbus_chat(wm_domain)
> +')
> +
> +optional_policy(`
> mozilla_dbus_chat(wm_domain)
> ')
Merged.
--
Chris PeBenito