2017-09-15 17:17:44

by Jason Zaman

Subject: [refpolicy] [PATCH 1/3] pulseaudio: Add neccessary map permissions

---
pulseaudio.if | 2 +-
pulseaudio.te | 5 ++++-
2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/pulseaudio.if b/pulseaudio.if
index bbb17fd..6dff8ba 100644
--- a/pulseaudio.if
+++ b/pulseaudio.if
@@ -33,7 +33,7 @@ interface(`pulseaudio_role',`
allow $2 pulseaudio_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };

allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms };
+ allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms map };

allow $2 pulseaudio_tmp_t:dir { manage_dir_perms relabel_dir_perms };
allow $2 pulseaudio_tmp_t:file { manage_file_perms relabel_file_perms };
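Review bot: The commit message has no body (the diffstat follows the subject directly), so nothing records why `map` is now needed for the role's user domain on `{ pulseaudio_tmpfs_t pulseaudio_tmpfsfile }` files; a one-line rationale naming the denial or the kernel behaviour that introduced the separate `map` check would let a later reader judge whether the same grant belongs on the other file types in this interface. The same applies to the four pulseaudio.te hunks below, which add `map` without comment. The enclosing `interface(`pulseaudio_role',`...')` block starts before and ends after this hunk.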
diff --git a/pulseaudio.te b/pulseaudio.te
index 0c4945b..37b80d2 100644
--- a/pulseaudio.te
+++ b/pulseaudio.te
@@ -54,7 +54,7 @@ allow pulseaudio_t self:tcp_socket { accept listen };
allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;

allow pulseaudio_t pulseaudio_home_t:dir manage_dir_perms;
-allow pulseaudio_t pulseaudio_home_t:file manage_file_perms;
+allow pulseaudio_t pulseaudio_home_t:file { manage_file_perms map };
allow pulseaudio_t pulseaudio_home_t:lnk_file manage_lnk_file_perms;

userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, dir, ".pulse")
@@ -73,6 +73,7 @@ userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "native")

manage_dirs_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
manage_files_pattern(pulseaudio_t, pulseaudio_tmpfs_t, { pulseaudio_tmpfs_t pulseaudio_tmpfsfile })
+allow pulseaudio_t { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file map;
fs_tmpfs_filetrans(pulseaudio_t, pulseaudio_tmpfs_t, { dir file })

manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
@@ -138,6 +139,7 @@ logging_send_syslog_msg(pulseaudio_t)
miscfiles_read_localization(pulseaudio_t)

userdom_read_user_tmpfs_files(pulseaudio_t)
+userdom_map_user_tmpfs_files(pulseaudio_t)
userdom_delete_user_tmpfs_files(pulseaudio_t)
userdom_search_user_home_dirs(pulseaudio_t)
userdom_search_user_home_content(pulseaudio_t)
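Review bot: The added call `userdom_map_user_tmpfs_files(pulseaudio_t)` depends on an interface that this series does not define: the diffstat lists only pulseaudio.if and pulseaudio.te, so the interface must already exist in userdomain.if for the module to build. I cannot confirm that from the patch itself; if it is not yet in the tree, this line needs to land together with the userdomain change that adds it. A reference to that commit in the message would make the ordering dependency explicit.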
@@ -238,6 +240,7 @@ allow pulseaudio_client pulseaudio_tmp_t:file manage_file_perms;
allow pulseaudio_client pulseaudio_tmp_t:sock_file manage_sock_file_perms;

rw_files_pattern(pulseaudio_client, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t }, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t })
+allow pulseaudio_client pulseaudio_tmpfs_t:file map;
delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfile)

fs_getattr_tmpfs(pulseaudio_client)
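Review bot: The new `allow pulseaudio_client pulseaudio_tmpfs_t:file map;` grants `map` only on `pulseaudio_tmpfs_t`, while the `rw_files_pattern` on the line above covers `{ pulseaudio_tmpfsfile pulseaudio_tmpfs_t }` and the server-side hunk grants `map` on the same attribute set; a client that already reads and writes a file labelled with another `pulseaudio_tmpfsfile` type would still be denied `map` on it. If the narrower grant is deliberate, a short comment such as `# map is limited to the daemon's own tmpfs type` above the line would prevent it from being "fixed" later; otherwise the consistent form is `allow pulseaudio_client { pulseaudio_tmpfsfile pulseaudio_tmpfs_t }:file map;`.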
--
2.13.5


2017-09-15 17:17:45

by Jason Zaman

Subject: [refpolicy] [PATCH 2/3] gpg: add fcontexts for user runtime sockets

Without this, restorecon relabels them and the agent connection breaks
---
gpg.fc | 2 ++
1 file changed, 2 insertions(+)

diff --git a/gpg.fc b/gpg.fc
index c2c1236..c936239 100644
--- a/gpg.fc
+++ b/gpg.fc
@@ -12,3 +12,5 @@ HOME_DIR/\.gnupg/S\.scdaemon -s gen_context(system_u:object_r:gpg_agent_tmp_t,s
/usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)

/run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_runtime_t,s0)
+/run/user/%{USERID}/gnupg/S\.gpg-agent.* -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
+/run/user/%{USERID}/gnupg/S\.scdaemon -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
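Review bot: The two new socket entries label files under the runtime directory `gpg_agent_tmp_t`, while the enclosing `/run/user/%{USERID}/gnupg(/.*)?` entry on the previous line labels everything else there `gpg_runtime_t`, and nothing in the file says why the sockets deliberately take the tmp type. Presumably it is to match the home-directory sockets (the hunk header shows `HOME_DIR/\.gnupg/S\.scdaemon -s` with the same type) so that existing client rules keep working, but a reader of the .fc cannot tell. Suggest a comment above the two lines: `# agent sockets keep the home-dir socket label so existing client interfaces apply to the runtime dir too`. The `.*` suffix on `S\.gpg-agent.*` is presumably intended to pick up the agent's additional socket names; if so, the comment could say that as well.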
--
2.13.5

2017-09-15 17:17:46

by Jason Zaman

Subject: [refpolicy] [PATCH 3/3] rpc: add sm-notify pid fcontext

---
rpc.fc | 1 +
1 file changed, 1 insertion(+)

diff --git a/rpc.fc b/rpc.fc
index 6674a53..6dfd451 100644
--- a/rpc.fc
+++ b/rpc.fc
@@ -29,3 +29,4 @@

/run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
/run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
+/run/sm-notify\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
--
2.13.5

2017-09-16 17:16:08

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/3] pulseaudio: Add neccessary map permissions

On 09/15/2017 01:17 PM, Jason Zaman via refpolicy wrote:
> ---
> pulseaudio.if | 2 +-
> pulseaudio.te | 5 ++++-
> 2 files changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/pulseaudio.if b/pulseaudio.if
> index bbb17fd..6dff8ba 100644
> --- a/pulseaudio.if
> +++ b/pulseaudio.if
> @@ -33,7 +33,7 @@ interface(`pulseaudio_role',`
> allow $2 pulseaudio_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
>
> allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:dir { manage_dir_perms relabel_dir_perms };
> - allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms };
> + allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms map };
>
> allow $2 pulseaudio_tmp_t:dir { manage_dir_perms relabel_dir_perms };
> allow $2 pulseaudio_tmp_t:file { manage_file_perms relabel_file_perms };
> diff --git a/pulseaudio.te b/pulseaudio.te
> index 0c4945b..37b80d2 100644
> --- a/pulseaudio.te
> +++ b/pulseaudio.te
> @@ -54,7 +54,7 @@ allow pulseaudio_t self:tcp_socket { accept listen };
> allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
>
> allow pulseaudio_t pulseaudio_home_t:dir manage_dir_perms;
> -allow pulseaudio_t pulseaudio_home_t:file manage_file_perms;
> +allow pulseaudio_t pulseaudio_home_t:file { manage_file_perms map };
> allow pulseaudio_t pulseaudio_home_t:lnk_file manage_lnk_file_perms;
>
> userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, dir, ".pulse")
> @@ -73,6 +73,7 @@ userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "native")
>
> manage_dirs_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
> manage_files_pattern(pulseaudio_t, pulseaudio_tmpfs_t, { pulseaudio_tmpfs_t pulseaudio_tmpfsfile })
> +allow pulseaudio_t { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file map;
> fs_tmpfs_filetrans(pulseaudio_t, pulseaudio_tmpfs_t, { dir file })
>
> manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
> @@ -138,6 +139,7 @@ logging_send_syslog_msg(pulseaudio_t)
> miscfiles_read_localization(pulseaudio_t)
>
> userdom_read_user_tmpfs_files(pulseaudio_t)
> +userdom_map_user_tmpfs_files(pulseaudio_t)
> userdom_delete_user_tmpfs_files(pulseaudio_t)
> userdom_search_user_home_dirs(pulseaudio_t)
> userdom_search_user_home_content(pulseaudio_t)
> @@ -238,6 +240,7 @@ allow pulseaudio_client pulseaudio_tmp_t:file manage_file_perms;
> allow pulseaudio_client pulseaudio_tmp_t:sock_file manage_sock_file_perms;
>
> rw_files_pattern(pulseaudio_client, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t }, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t })
> +allow pulseaudio_client pulseaudio_tmpfs_t:file map;
> delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfile)
>
> fs_getattr_tmpfs(pulseaudio_client)

Merged.

--
Chris PeBenito

2017-09-16 17:16:15

by Chris PeBenito

Subject: [refpolicy] [PATCH 2/3] gpg: add fcontexts for user runtime sockets

On 09/15/2017 01:17 PM, Jason Zaman via refpolicy wrote:
> Without this, restorecon relabels them and the agent connection breaks
> ---
> gpg.fc | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/gpg.fc b/gpg.fc
> index c2c1236..c936239 100644
> --- a/gpg.fc
> +++ b/gpg.fc
> @@ -12,3 +12,5 @@ HOME_DIR/\.gnupg/S\.scdaemon -s gen_context(system_u:object_r:gpg_agent_tmp_t,s
> /usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
>
> /run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_runtime_t,s0)
> +/run/user/%{USERID}/gnupg/S\.gpg-agent.* -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> +/run/user/%{USERID}/gnupg/S\.scdaemon -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)

Merged.

--
Chris PeBenito

2017-09-16 17:16:21

by Chris PeBenito

Subject: [refpolicy] [PATCH 3/3] rpc: add sm-notify pid fcontext

On 09/15/2017 01:17 PM, Jason Zaman via refpolicy wrote:
> ---
> rpc.fc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/rpc.fc b/rpc.fc
> index 6674a53..6dfd451 100644
> --- a/rpc.fc
> +++ b/rpc.fc
> @@ -29,3 +29,4 @@
>
> /run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
> /run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
> +/run/sm-notify\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)

Merged.

--
Chris PeBenito

2017-09-16 17:29:00

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/3] pulseaudio: Add neccessary map permissions

On 09/15/2017 01:17 PM, Jason Zaman via refpolicy wrote:
> ---
> pulseaudio.if | 2 +-
> pulseaudio.te | 5 ++++-
> 2 files changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/pulseaudio.if b/pulseaudio.if
> index bbb17fd..6dff8ba 100644
> --- a/pulseaudio.if
> +++ b/pulseaudio.if
> @@ -33,7 +33,7 @@ interface(`pulseaudio_role',`
> allow $2 pulseaudio_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
>
> allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:dir { manage_dir_perms relabel_dir_perms };
> - allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms };
> + allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms map };
>
> allow $2 pulseaudio_tmp_t:dir { manage_dir_perms relabel_dir_perms };
> allow $2 pulseaudio_tmp_t:file { manage_file_perms relabel_file_perms };
> diff --git a/pulseaudio.te b/pulseaudio.te
> index 0c4945b..37b80d2 100644
> --- a/pulseaudio.te
> +++ b/pulseaudio.te
> @@ -54,7 +54,7 @@ allow pulseaudio_t self:tcp_socket { accept listen };
> allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
>
> allow pulseaudio_t pulseaudio_home_t:dir manage_dir_perms;
> -allow pulseaudio_t pulseaudio_home_t:file manage_file_perms;
> +allow pulseaudio_t pulseaudio_home_t:file { manage_file_perms map };
> allow pulseaudio_t pulseaudio_home_t:lnk_file manage_lnk_file_perms;
>
> userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, dir, ".pulse")
> @@ -73,6 +73,7 @@ userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "native")
>
> manage_dirs_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
> manage_files_pattern(pulseaudio_t, pulseaudio_tmpfs_t, { pulseaudio_tmpfs_t pulseaudio_tmpfsfile })
> +allow pulseaudio_t { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file map;
> fs_tmpfs_filetrans(pulseaudio_t, pulseaudio_tmpfs_t, { dir file })
>
> manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
> @@ -138,6 +139,7 @@ logging_send_syslog_msg(pulseaudio_t)
> miscfiles_read_localization(pulseaudio_t)
>
> userdom_read_user_tmpfs_files(pulseaudio_t)
> +userdom_map_user_tmpfs_files(pulseaudio_t)
> userdom_delete_user_tmpfs_files(pulseaudio_t)
> userdom_search_user_home_dirs(pulseaudio_t)
> userdom_search_user_home_content(pulseaudio_t)
> @@ -238,6 +240,7 @@ allow pulseaudio_client pulseaudio_tmp_t:file manage_file_perms;
> allow pulseaudio_client pulseaudio_tmp_t:sock_file manage_sock_file_perms;
>
> rw_files_pattern(pulseaudio_client, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t }, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t })
> +allow pulseaudio_client pulseaudio_tmpfs_t:file map;
> delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfile)
>
> fs_getattr_tmpfs(pulseaudio_client)

Merged.

--
Chris PeBenito

2017-09-16 17:29:09

by Chris PeBenito

Subject: [refpolicy] [PATCH 2/3] gpg: add fcontexts for user runtime sockets

On 09/15/2017 01:17 PM, Jason Zaman via refpolicy wrote:
> Without this, restorecon relabels them and the agent connection breaks
> ---
> gpg.fc | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/gpg.fc b/gpg.fc
> index c2c1236..c936239 100644
> --- a/gpg.fc
> +++ b/gpg.fc
> @@ -12,3 +12,5 @@ HOME_DIR/\.gnupg/S\.scdaemon -s gen_context(system_u:object_r:gpg_agent_tmp_t,s
> /usr/lib/gnupg/gpgkeys.* -- gen_context(system_u:object_r:gpg_helper_exec_t,s0)
>
> /run/user/%{USERID}/gnupg(/.*)? gen_context(system_u:object_r:gpg_runtime_t,s0)
> +/run/user/%{USERID}/gnupg/S\.gpg-agent.* -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)
> +/run/user/%{USERID}/gnupg/S\.scdaemon -s gen_context(system_u:object_r:gpg_agent_tmp_t,s0)

Merged.

--
Chris PeBenito

2017-09-16 17:29:12

by Chris PeBenito

Subject: [refpolicy] [PATCH 3/3] rpc: add sm-notify pid fcontext

On 09/15/2017 01:17 PM, Jason Zaman via refpolicy wrote:
> ---
> rpc.fc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/rpc.fc b/rpc.fc
> index 6674a53..6dfd451 100644
> --- a/rpc.fc
> +++ b/rpc.fc
> @@ -29,3 +29,4 @@
>
> /run/rpc\.statd(/.*)? gen_context(system_u:object_r:rpcd_var_run_t,s0)
> /run/rpc\.statd\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)
> +/run/sm-notify\.pid -- gen_context(system_u:object_r:rpcd_var_run_t,s0)

Merged. This collides with the same label in init.fc, but I removed that.

--
Chris PeBenito