From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Wed, 10 Aug 2016 07:53:16 +0200
Subject: [refpolicy] [PATCH v2] Update file contexts for the alsa module
In-Reply-To: <1470772925.3770.6.camel@trentalancia.net>
References: <1470771217.3770.2.camel@trentalancia.net> <89ebee6b-8605-678d-e323-28d6e99778cd@gmail.com> <1470772925.3770.6.camel@trentalancia.net>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, Aug 9, 2016 at 10:02 PM, Guido Trentalancia wrote:
> Update the alsa module so that the alsa_etc_rw_t file context is
> widened to the whole share directory, instead of just a couple of files.
[...]
> -/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> -/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> +/usr/share/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)

Do you happen to know why or what is trying to write to /usr/share? I would consider /usr/share to be only writable for a very limited number of domains (mostly package managers and such). Isn't alsa_etc_rw_t something more oriented towards /etc?

I am somewhat afraid that tagging the entire /usr/share/alsa as alsa_etc_rw_t makes a large number of alsa domains capable of writing stuff around there (well, besides the Linux DAC controls of course).

Wkr,
Sven Vermeulen
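
Review bot: The added `/usr/share/alsa(/.*)?` entry applies a type whose name marks it as read-write (`alsa_etc_rw_t`) to every file under the directory, where the two removed entries limited it to `alsa\.conf` and the `pcm` subtree, and the commit message does not say which domain needs the wider label or which additional files it has to reach. Please name the access that fails with the current labels and, if only specific paths are involved, add entries for those paths next to the two existing ones instead of replacing them with a catch-all. If the intent is only that domains can read the rest of the tree, a type that does not carry write semantics would fit the `(/.*)?` pattern better than `alsa_etc_rw_t`.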