From: guido@trentalancia.net (Guido Trentalancia)
Date: Wed, 10 Aug 2016 16:30:33 +0200
Subject: [refpolicy] [PATCH v2] Update file contexts for the alsa module
In-Reply-To:
References: <1470771217.3770.2.camel@trentalancia.net> <89ebee6b-8605-678d-e323-28d6e99778cd@gmail.com> <1470772925.3770.6.camel@trentalancia.net>
Message-ID: <1470839433.11490.3.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 10/08/2016 at 07.53 +0200, Sven Vermeulen wrote:
> On Tue, Aug 9, 2016 at 10:02 PM, Guido Trentalancia
> wrote:
> > Update the alsa module so that the alsa_etc_rw_t file context is
> > widened to the whole share directory, instead of just a couple of
> > files.
> [...]
> > -/usr/share/alsa/alsa\.conf?????gen_context(system_u:object_r:alsa_
> > etc_rw_t,s0)
> > -/usr/share/alsa/pcm(/.*)???????gen_context(system_u:object_r:alsa_
> > etc_rw_t,s0)
> > +/usr/share/alsa(/.*)???gen_context(system_u:object_r:alsa_etc_rw_t
> > ,s0)
>
> Do you happen to know why or what is trying to write to /usr/share? I
> would consider /usr/share to be only writable for a very limited
> number of domains (mostly package managers and such).

It's a bug in the current module. It should not write to anything in
/usr/share/alsa. And the "_rw_" naming is confusing!!

> Isn't alsa_etc_rw_t not something more oriented towards /etc?

However, if you want to change the ALSA package, then you should submit
a patch to ALSA development... I believe a subdirectory of /usr/share is
the right place for static configuration files (as opposed to user
configuration files in /etc).

> I am somewhat afraid that, tagging the entire /usr/share/alsa as
> alsa_etc_rw_t makes a large number of alsa domains capable of writing
> stuff around there (well, besides the Linux DAC controls of course).

It is possible on the refpolicy side to fix the existing module in order
to only allow read permissions and not manage permissions. I believe the
latter is the best solution possible.
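Review bot: the `+` line relabels the whole /usr/share/alsa tree with alsa_etc_rw_t, the type the module lets its domains write to, so every domain with manage access to that type gains write access to every file under /usr/share/alsa instead of only alsa.conf and pcm/; since the thread agrees nothing should write there, pair the wider pattern with the rule change that reduces the module to read access on that type, or keep the two narrower patterns until that change lands. Also confirm the new pattern is `/usr/share/alsa(/.*)?` (the quoted line shows `(/.*)` followed by garbled whitespace); without the trailing `?` the directory entry itself would not be matched.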
A new revised version of the patch (v3) follows this message...

> Wkr,
> Sven Vermeulen

Regards,

Guido
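As an added illustration of the labelling change discussed in this thread (not code from the thread or from refpolicy), the following simplified matcher applies the file_contexts fragments from before and after the patch to a constructed set of paths and reports which of them end up labelled alsa_etc_rw_t. It assumes a `/usr(/.*)?` usr_t entry standing in for the base policy's fallback, the usual `(/.*)?` form of the new pattern, and a "longest literal stem wins, later entry breaks ties" precedence, which is a simplification of libselinux's real ordering.

```python
import re

# Constructed file_contexts fragments. The alsa entries are the ones quoted in the
# patch; the usr_t fallback is an assumption standing in for the base policy.
RW = "gen_context(system_u:object_r:alsa_etc_rw_t,s0)"
FALLBACK = "/usr(/.*)?\tgen_context(system_u:object_r:usr_t,s0)"
BEFORE = "\n".join([FALLBACK,
                    r"/usr/share/alsa/alsa\.conf" + "\t" + RW,
                    r"/usr/share/alsa/pcm(/.*)?" + "\t" + RW])
AFTER = "\n".join([FALLBACK, r"/usr/share/alsa(/.*)?" + "\t" + RW])

# regex, optional file-type flag (-d, -l, ...), then gen_context(user:object_r:TYPE,MLS)
ENTRY_RE = re.compile(r"^(\S+)\s+(?:-[bcdlps-]\s+)?gen_context\(\w+:object_r:(\w+),(\S+)\)$")
META = set(".^$?*+|[](){}\\")  # characters that end the literal stem of a pattern


def stem_len(pattern):
    """Length of the literal prefix before the first regex metacharacter."""
    for i, ch in enumerate(pattern):
        if ch in META:
            return i
    return len(pattern)


def parse_file_contexts(text):
    """Return [(compiled_regex, stem_length, selinux_type)] in file order."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError("unparsable file_contexts entry: " + line)
        pattern, setype = m.group(1), m.group(2)
        entries.append((re.compile("^" + pattern + "$"), stem_len(pattern), setype))
    return entries


def label(entries, path):
    """Simplified precedence: longest literal stem wins, later entry wins ties."""
    best = None
    for rx, stem, setype in entries:
        if rx.match(path) and (best is None or stem >= best[0]):
            best = (stem, setype)
    return best[1] if best else None


def rw_labelled(text, paths):
    """Paths that receive the writable alsa_etc_rw_t type under the given fragment."""
    entries = parse_file_contexts(text)
    return sorted(p for p in paths if label(entries, p) == "alsa_etc_rw_t")


# Constructed sample paths, including ones outside the two original patterns.
PATHS = ["/usr/share/alsa", "/usr/share/alsa/alsa.conf", "/usr/share/alsa/pcm/default.conf",
         "/usr/share/alsa/cards/aliases.conf", "/usr/share/alsa/alsa.conf.d/10-x.conf",
         "/usr/share/doc/README"]

if __name__ == "__main__":
    print("before:", rw_labelled(BEFORE, PATHS))
    print("after: ", rw_labelled(AFTER, PATHS))
```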