From: dac.override@gmail.com (Dominick Grift)
Date: Mon, 13 Apr 2015 20:05:29 +0200
Subject: [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock
In-Reply-To: <20150413180230.GA25665@meriadoc.Home>
References: <1428939373-20020-1-git-send-email-jason@perfinion.com> <20150413180230.GA25665@meriadoc.Home>
Message-ID: <20150413180528.GD32570@x131e>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Apr 13, 2015 at 10:02:30PM +0400, Jason Zaman wrote:
> On Mon, Apr 13, 2015 at 07:49:37PM +0200, Sven Vermeulen wrote:
> > Meh, my mistake. The directory is written by pulseaudio client
> > applications and gets the user_tmp_t type. Sorry for the noise.
>
> for the record:
> $ ls -alZ /tmp/pulse-PKdhtXMmr18n/
> total 4
> drwx------. 2 jason users staff_u:object_r:user_tmp_t 80 Apr 13 21:51 ./
> drwxrwxrwt. 14 root root system_u:object_r:tmp_t 440 Apr 13 21:53 ../
> srwxrwxrwx. 1 jason users staff_u:object_r:pulseaudio_tmp_t 0 Apr 13 21:51 native=
> -rw-------. 1 jason users staff_u:object_r:pulseaudio_tmp_t 6 Apr 13 21:51 pid
>
> autospawn.lock goes away right after the server is spawned, it's only
> there for a short time. Also, the dir does not *have* to be user_tmp_t.
> The first program that wants sound will start up pulse (usually it's
> gsettings or equivalent tho). e.g. if you don't have pulse running and
> start youtube you might get /tmp/pulse-* being mozilla_tmp_t.
> Yes, it's fragile, no doubt.

Move it to XDG_RUNTIME_DIR, which allows you to get rid of the random suffix, then implement a name-based tt for "pulse" dir there

> -- Jason
>
> > Wkr,
> >   Sven Vermeulen
> >
> > On Apr 13, 2015 7:31 PM, "Sven Vermeulen" <[1]sven.vermeulen@siphos.be>
> > wrote:
> >
> > Doesn't the files_tmp_filetrans for the directory class already
> > ensure that the /tmp/pulse-* directory is of the right type?
> >
> > On Apr 13, 2015 6:01 PM, "Jason Zaman" <[2]jason@perfinion.com> wrote:
> >
> > Pulseaudio tries to acquire /tmp/pulse-*/autospawn.lock, this adds
> > the filetrans rule.
> >
> > $ start-pulseaudio-x11
> > W: [autospawn] core-util.c: Failed to create lock file
> > '/tmp/pulse-PKdhtXMmr18n/autospawn.lock': Permission denied
> > E: [pulseaudio] main.c: Failed to acquire autospawn lock
> > ---
> >  pulseaudio.te | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/pulseaudio.te b/pulseaudio.te
> > index 4665af2..648de3a 100644
> > --- a/pulseaudio.te
> > +++ b/pulseaudio.te
> > @@ -56,6 +56,7 @@ manage_dirs_pattern(pulseaudio_t,
> > pulseaudio_tmp_t, pulseaudio_tmp_t)
> > ? manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t,
> > pulseaudio_tmp_t)
> > ? manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t,
> > pulseaudio_tmp_t)
> > ? files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
> > +userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file,
> > "autospawn.lock")
> > ? userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file,
> > "pid")
> > ? userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t,
> > sock_file, "dbus-socket")
> > ? userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t,
> > sock_file, "native")
> > --
> > 2.0.5
> > _______________________________________________
> > refpolicy mailing list
> > [3]refpolicy at oss.tresys.com
> > [4]http://oss.tresys.com/mailman/listinfo/refpolicy
> >
> > References
> >
> > 1. mailto:sven.vermeulen at siphos.be
> > 2. mailto:jason at perfinion.com
> > 3. mailto:refpolicy at oss.tresys.com
> > 4. http://oss.tresys.com/mailman/listinfo/refpolicy

--
02DFF788 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
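Review bot: the added `userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "autospawn.lock")` only takes effect when the parent /tmp/pulse-* directory is labelled user_tmp_t, which matches the `ls -alZ` output in the thread but not the case Jason describes where the first client to need sound creates the directory with its own tmp type (mozilla_tmp_t is his example); the rule fixes the common case only, and the commit message should say so rather than presenting it as the full fix. The `files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)` context line directly above covers only directories that pulseaudio_t itself creates, which is why the name-based file transition is needed at all, so a one-line comment in the .te next to the four named transitions explaining that the directory is client-created would save the next reader the same confusion Sven had.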