2010-09-03 14:26:40

by domg472

Subject: [refpolicy] [Alsa 1/1] Implement alsa_home_t for asoundrc. Clean up Alsa module.

Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 30a0ac7... 72a0458... M policy/modules/admin/alsa.fc
:100644 100644 fe09bea... 91b6eef... M policy/modules/admin/alsa.if
:100644 100644 04f9d96... 84727c0... M policy/modules/admin/alsa.te
policy/modules/admin/alsa.fc | 4 +-
policy/modules/admin/alsa.if | 49 ++++++++++++++++++++++++++++++++++-------
policy/modules/admin/alsa.te | 6 ++++-
3 files changed, 47 insertions(+), 12 deletions(-)

diff --git a/policy/modules/admin/alsa.fc b/policy/modules/admin/alsa.fc
index 30a0ac7..72a0458 100644
--- a/policy/modules/admin/alsa.fc
+++ b/policy/modules/admin/alsa.fc
@@ -1,3 +1,5 @@
+HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
+
/bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)

/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
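Review bot: The `HOME_DIR/\.asoundrc` entry only takes effect when the file is relabelled, so a `.asoundrc` created after policy install will carry whatever type the creating domain gives to home content rather than `alsa_home_t`. Nothing in this patch adds a type transition or a manage/relabel interface for `alsa_home_t`, and alsa.te grants `alsa_t` read on `alsa_home_t` only, so an unlabelled file is presumably unreadable by `alsa_t` (this depends on rules outside the visible hunks). I would document the requirement above the entry, e.g. `# Label is applied on relabel only; run restorecon on a newly created ~/.asoundrc.`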
@@ -10,9 +12,7 @@

/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)

-ifdef(`distro_debian', `
/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-')

/var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
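Review bot: Dropping the distro_debian ifdef wrapper labels `/usr/share/alsa/alsa\.conf` and `/usr/share/alsa/pcm(/.*)?` as `alsa_etc_rw_t` on every distribution, not only Debian. alsa.te lets `alsa_t` manage files of that type (`manage_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)`), and so does any caller of `alsa_manage_rw_config`, so this widens write access to content under /usr/share. The commit message only says "Clean up Alsa module" and does not mention it. Either keep the wrapper or state the reason in a comment such as `# alsa.conf and pcm/ are treated as writable Alsa config on all distributions`.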
diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if
index fe09bea..91b6eef 100644
--- a/policy/modules/admin/alsa.if
+++ b/policy/modules/admin/alsa.if
@@ -1,8 +1,8 @@
-## <summary>Ainit ALSA configuration tool</summary>
+## <summary>Ainit ALSA configuration tool.</summary>

########################################
## <summary>
-## Domain transition to alsa
+## Execute a domain transition to run Alsa.
## </summary>
## <param name="domain">
## <summary>
@@ -15,12 +15,13 @@ interface(`alsa_domtrans',`
type alsa_t, alsa_exec_t;
')

+ corecmd_search_bin($1)
domtrans_pattern($1, alsa_exec_t, alsa_t)
')

########################################
## <summary>
-## Allow read and write access to alsa semaphores.
+## Read and write Alsa semaphores.
## </summary>
## <param name="domain">
## <summary>
@@ -33,12 +34,12 @@ interface(`alsa_rw_semaphores',`
type alsa_t;
')

- allow $1 alsa_t:sem { unix_read unix_write associate read write };
+ allow $1 alsa_t:sem rw_sem_perms;
')

########################################
## <summary>
-## Allow read and write access to alsa shared memory.
+## Read and write Alsa shared memory.
## </summary>
## <param name="domain">
## <summary>
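Review bot: Replacing the explicit permission lists with `rw_sem_perms` here and `rw_shm_perms` in the next hunk (`alsa_rw_shared_mem`) changes what callers are granted, so it is not a pure cleanup. As those sets are defined in refpolicy's obj_perm_sets.spt (not part of this patch), `rw_sem_perms` adds `getattr`, while `rw_shm_perms` drops the `create`, `destroy` and `setattr` that `create_shm_perms` carried. The narrowing fits the interface name, but a caller that removes or changes attributes of Alsa shared memory segments would start seeing denials. The commit message should say so, e.g. `alsa_rw_shared_mem no longer grants create/destroy/setattr on alsa_t shm.` Both interface bodies start outside their hunks.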
@@ -51,12 +52,12 @@ interface(`alsa_rw_shared_mem',`
type alsa_t;
')

- allow $1 alsa_t:shm { unix_read unix_write create_shm_perms };
+ allow $1 alsa_t:shm rw_shm_perms;
')

########################################
## <summary>
-## Read alsa writable config files.
+## Read writable Alsa config files.
## </summary>
## <param name="domain">
## <summary>
@@ -69,14 +70,19 @@ interface(`alsa_read_rw_config',`
type alsa_etc_rw_t;
')

+ files_search_etc($1)
allow $1 alsa_etc_rw_t:dir list_dir_perms;
read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
+
+ ifdef(`distro_debian',`
+ files_search_usr($1)
+ ')
')

########################################
## <summary>
-## Manage alsa writable config files.
+## Manage writable Alsa config files.
## </summary>
## <param name="domain">
## <summary>
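Review bot: `files_search_usr($1)` is added only under the distro_debian ifdef, but this same patch removes that ifdef from alsa.fc, so `/usr/share/alsa` content is `alsa_etc_rw_t` on all distributions. Callers of `alsa_read_rw_config`, and of `alsa_manage_rw_config` in the following hunk, would then lack the directory search needed to reach those files on non-Debian systems unless they get it elsewhere. Make the call unconditional in both interfaces: `files_search_usr($1)` placed next to `files_search_etc($1)`. The interface opens above this hunk, and the hunk's tail runs into the documentation of the next interface.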
@@ -89,14 +95,19 @@ interface(`alsa_manage_rw_config',`
type alsa_etc_rw_t;
')

+ files_search_etc($1)
allow $1 alsa_etc_rw_t:dir list_dir_perms;
manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
+
+ ifdef(`distro_debian',`
+ files_search_usr($1)
+ ')
')

########################################
## <summary>
-## Read alsa lib files.
+## Read Alsa lib files.
## </summary>
## <param name="domain">
## <summary>
@@ -109,5 +120,25 @@ interface(`alsa_read_lib',`
type alsa_var_lib_t;
')

+ files_search_var_lib($1)
read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t)
')
+
+########################################
+## <summary>
+## Read Alsa home files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`alsa_read_home_files',`
+ gen_require(`
+ type alsa_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 alsa_home_t:file read_file_perms;
+')
diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
index 04f9d96..84727c0 100644
--- a/policy/modules/admin/alsa.te
+++ b/policy/modules/admin/alsa.te
@@ -16,6 +16,9 @@ files_type(alsa_etc_rw_t)
type alsa_var_lib_t;
files_type(alsa_var_lib_t)

+type alsa_home_t;
+userdom_user_home_content(alsa_home_t)
+
########################################
#
# Local policy
@@ -28,6 +31,8 @@ allow alsa_t self:shm create_shm_perms;
allow alsa_t self:unix_stream_socket create_stream_socket_perms;
allow alsa_t self:unix_dgram_socket create_socket_perms;

+allow alsa_t alsa_home_t:file read_file_perms;
+
manage_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
manage_lnk_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
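Review bot: `allow alsa_t alsa_home_t:file read_file_perms;` gives `alsa_t` access to the file but not a path to it. The last hunk of this file removes `files_search_home(alsa_t)`, and no visible line adds a search on user home directories. The new `alsa_read_home_files` interface calls `userdom_search_user_home_dirs($1)` for its callers, and `alsa_t` needs the same, e.g. `userdom_search_user_home_dirs(alsa_t)`, unless a rule outside these hunks already provides it. Without it, reading `~/.asoundrc` would be denied at the directory search.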
@@ -46,7 +51,6 @@ dev_read_sysfs(alsa_t)

corecmd_exec_bin(alsa_t)

-files_search_home(alsa_t)
files_read_etc_files(alsa_t)
files_read_usr_files(alsa_t)

--
1.7.2.1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100903/f0759a47/attachment.bin