From: domg472@gmail.com (Dominick Grift)
Date: Wed, 8 Sep 2010 12:41:12 +0200
Subject: [refpolicy] [alsa patch 1/1] Interaction with alsa home content by confined users.
Message-ID: <20100908104106.GA31213@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Confined users can manage and relabel alsa home files. Plus some cleanups inspired by example policy.
Signed-off-by: Dominick Grift
---
:100644 100644 69aa742... 376f4f7... M policy/modules/admin/alsa.if
:100644 100644 0c9876c... f9c23ed... M policy/modules/roles/staff.te
:100644 100644 2a19751... db0ebdd... M policy/modules/roles/sysadm.te
:100644 100644 e8a507d... a7620a4... M policy/modules/roles/unprivuser.te
policy/modules/admin/alsa.if | 53 +++++++++++++++++++++++++++++++-----
policy/modules/roles/staff.te | 5 +++
policy/modules/roles/sysadm.te | 5 +++
policy/modules/roles/unprivuser.te | 5 +++
4 files changed, 61 insertions(+), 7 deletions(-)
diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if
index 69aa742..376f4f7 100644
--- a/policy/modules/admin/alsa.if
+++ b/policy/modules/admin/alsa.if
@@ -2,7 +2,7 @@
 ########################################
 ##
-## Execute a domain transition to run Alsa.
+## Transition to the alsa domain.
 ##
 ##
 ##
@@ -16,12 +16,13 @@ interface(`alsa_domtrans',`
 ')
 corecmd_search_bin($1)
+ files_search_usr($1)
 domtrans_pattern($1, alsa_exec_t, alsa_t)
 ')
 ########################################
 ##
-## Read and write Alsa semaphores.
+## Read and write alsa semaphores.
 ##
 ##
 ##
@@ -39,7 +40,7 @@ interface(`alsa_rw_semaphores',`
 ########################################
 ##
-## Read and write Alsa shared memory.
+## Read and write alsa shared memory.
 ##
 ##
 ##
@@ -57,7 +58,7 @@ interface(`alsa_rw_shared_mem',`
 ########################################
 ##
-## Read writable Alsa config files.
+## Read writable alsa configuration files.
 ##
 ##
 ##
@@ -82,7 +83,7 @@ interface(`alsa_read_rw_config',`
 ########################################
 ##
-## Manage writable Alsa config files.
+## Create, read, write, and delete writable alsa configuration files.
 ##
 ##
 ##
@@ -107,7 +108,26 @@ interface(`alsa_manage_rw_config',`
 ########################################
 ##
-## Read Alsa home files.
+## Manage alsa home files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`alsa_manage_home_files', `
+ gen_require(`
+ type alsa_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 alsa_home_t:file manage_file_perms;
+')
+
+########################################
+##
+## Read alsa home files.
 ##
 ##
 ##
@@ -126,7 +146,26 @@ interface(`alsa_read_home_files',`
 ########################################
 ##
-## Read Alsa lib files.
+## Relabel alsa home files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`alsa_relabel_home_files', `
+ gen_require(`
+ type alsa_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 alsa_home_t:file relabel_file_perms;
+')
+
+########################################
+##
+## Read alsa lib files.
 ##
 ##
 ##
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 0c9876c..f9c23ed 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -53,6 +53,11 @@ optional_policy(`
 ifndef(`distro_redhat',`
 optional_policy(`
+ alsa_manage_home_files(staff_t)
+ alsa_relabel_home_files(staff_t)
+ ')
+
+ optional_policy(`
 auth_role(staff_r, staff_t)
 ')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 2a19751..db0ebdd 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -399,6 +399,11 @@ optional_policy(`
 ifndef(`distro_redhat',`
 optional_policy(`
+ alsa_manage_home_files(sysadm_t)
+ alsa_relabel_home_files(sysadm_t)
+ ')
+
+ optional_policy(`
 auth_role(sysadm_r, sysadm_t)
 ')
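Review bot: The summary of the new alsa_manage_home_files interface (hunk at -107,7 +108,26) reads `## Manage alsa home files.` while the same patch, two hunks earlier, rewrites the alsa_manage_rw_config summary into the `Create, read, write, and delete ...` form; the two should agree, e.g. `## Create, read, write, and delete alsa home files.`, and the relabel interface in the following hunk can keep its short form since it has no sibling to match. The two new interface( lines also put a space before the opening m4 quote of the body, which the existing interfaces in this file (alsa_domtrans and friends) do not; dropping that space keeps the file uniform. On the access side, relabel_file_perms on alsa_home_t only covers the alsa_home_t end of a relabel: changing a plain user home file into alsa_home_t also needs relabelfrom on its original type, which is presumably granted to these user domains elsewhere but is worth confirming before the role changes rely on it, since relabel is the broader of the two new permissions.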
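Review bot: The new optional_policy block in staff.te is placed inside the ifndef(distro_redhat) block shown as context, so a distro_redhat build gets none of the alsa home file access; nothing in the description says this is intended, and the alsa interfaces themselves are not distribution specific. If the position was chosen only to keep the calls alphabetical ahead of auth_role, the three added lines belong above the ifndef; if it is deliberate, a one-line comment such as `# alsa home content is not labelled on distro_redhat` would stop the next reader from moving them. The identical blocks in sysadm.te (next hunk on this line) and unprivuser.te have the same placement. The enclosing ifndef block starts before and ends after the hunk.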
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index e8a507d..a7620a4 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -26,6 +26,11 @@ optional_policy(`
 ifndef(`distro_redhat',`
 optional_policy(`
+ alsa_manage_home_files(user_t)
+ alsa_relabel_home_files(user_t)
+ ')
+
+ optional_policy(`
 auth_role(user_r, user_t)
 ')
--
1.7.2.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100908/34c0bd17/attachment.bin