From: guido@trentalancia.net (Guido Trentalancia) Date: Wed, 10 Aug 2016 16:30:56 +0200 Subject: [refpolicy] [PATCH v3] Update policy and file contexts for the alsa module In-Reply-To: <1470772925.3770.6.camel@trentalancia.net> References: <1470771217.3770.2.camel@trentalancia.net> <89ebee6b-8605-678d-e323-28d6e99778cd@gmail.com> <1470772925.3770.6.camel@trentalancia.net> Message-ID: <1470839456.11490.4.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Update the alsa module so that the alsa_etc_t file context (previously alsa_etc_rw_t) is widened to the whole alsa share directory, instead of just a couple of files. The wrong and misleading _rw_ label is also removed from the alsa interface definitions and from their instances throughout the whole Reference Policy (static and system-wide configuration files are not runtime-writable). This version of the patch finally removes obsolete file contexts and grants read permissions instead of manage permissions for static configuration files in /usr/share/alsa and system-wide configuration files in /etc. Thanks to Dominick Grift for pointing out redundant interface usage in a previous version of this patch. Signed-off-by: Guido Trentalancia --- doc/policy.xml | 4 ++-- policy/modules/contrib/alsa.fc | 9 +++------ policy/modules/contrib/alsa.if | 24 ++++++++++++------------ policy/modules/contrib/alsa.te | 10 +++++----- policy/modules/contrib/asterisk.te | 2 +- policy/modules/contrib/entropyd.te | 2 +- policy/modules/contrib/hal.te | 2 +- policy/modules/contrib/mozilla.te | 2 +- policy/modules/contrib/mpd.te | 2 +- policy/modules/contrib/mplayer.te | 2 +- policy/modules/contrib/pulseaudio.te | 2 +- policy/modules/system/init.te | 2 +- policy/modules/system/udev.te | 2 +- policy/modules/system/userdomain.if | 4 ++-- 14 files changed, 33 insertions(+), 36 deletions(-) --- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.fc 2016-08-06 21:27:11.326094018 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/alsa.fc 2016-08-10 16:07:26.601201245 +0200 @@ -6,10 +6,8 @@ ifdef(`distro_debian',` /bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0) -/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) -/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) -/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) -/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) +/etc/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0) +/etc/asound\.conf gen_context(system_u:object_r:alsa_etc_t,s0) /sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0) /sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0) @@ -25,8 +23,7 @@ ifdef(`distro_debian',` /usr/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0) /usr/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0) -/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0) -/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) +/usr/share/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0) /var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0) --- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.if 2016-08-06 21:27:11.326094018 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/alsa.if 2016-08-10 15:40:21.757047516 +0200 @@ -102,7 +102,7 @@ interface(`alsa_rw_shared_mem',` ######################################## ## -## Read writable Alsa configuration content. +## Read Alsa configuration content. ## ## ## @@ -110,15 +110,15 @@ interface(`alsa_rw_shared_mem',` ## ## # -interface(`alsa_read_rw_config',` +interface(`alsa_read_config',` gen_require(` - type alsa_etc_rw_t; + type alsa_etc_t; ') files_search_etc($1) - allow $1 alsa_etc_rw_t:dir list_dir_perms; - read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) - read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) + allow $1 alsa_etc_t:dir list_dir_perms; + read_files_pattern($1, alsa_etc_t, alsa_etc_t) + read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t) ifdef(`distro_debian',` files_search_usr($1) @@ -127,7 +127,7 @@ interface(`alsa_read_rw_config',` ######################################## ## -## Manage writable Alsa config files. +## Manage Alsa config files. ## ## ## @@ -135,15 +135,15 @@ interface(`alsa_read_rw_config',` ## ## # -interface(`alsa_manage_rw_config',` +interface(`alsa_manage_config',` gen_require(` - type alsa_etc_rw_t; + type alsa_etc_t; ') files_search_etc($1) - allow $1 alsa_etc_rw_t:dir list_dir_perms; - manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) - read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) + allow $1 alsa_etc_t:dir list_dir_perms; + manage_files_pattern($1, alsa_etc_t, alsa_etc_t) + read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t) ifdef(`distro_debian',` files_search_usr($1) --- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.te 2016-08-06 21:27:11.326094018 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/alsa.te 2016-08-10 15:42:03.969550824 +0200 @@ -12,8 +12,8 @@ type alsa_exec_t; init_system_domain(alsa_t, alsa_exec_t) role alsa_roles types alsa_t; -type alsa_etc_rw_t; -files_config_file(alsa_etc_rw_t) +type alsa_etc_t; +files_config_file(alsa_etc_t) type alsa_tmp_t; files_tmp_file(alsa_tmp_t) @@ -46,9 +46,9 @@ allow alsa_t self:unix_stream_socket { a allow alsa_t alsa_home_t:file read_file_perms; -manage_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t) -manage_lnk_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t) -files_etc_filetrans(alsa_t, alsa_etc_rw_t, file) +list_dirs_pattern(alsa_t, alsa_etc_t, alsa_etc_t) +read_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t) +read_lnk_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t) can_exec(alsa_t, alsa_exec_t) --- refpolicy-git-06082016-orig/policy/modules/contrib/asterisk.te 2016-08-06 21:27:11.330094064 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/asterisk.te 2016-08-10 15:54:57.818932359 +0200 @@ -156,7 +156,7 @@ userdom_dontaudit_use_unpriv_user_fds(as userdom_dontaudit_search_user_home_dirs(asterisk_t) optional_policy(` - alsa_read_rw_config(asterisk_t) + alsa_read_config(asterisk_t) ') optional_policy(` --- refpolicy-git-06082016-orig/policy/modules/contrib/hal.te 2016-08-06 21:27:11.357094372 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/hal.te 2016-08-10 15:55:28.902389524 +0200 @@ -213,7 +213,7 @@ userdom_dontaudit_search_user_home_dirs( optional_policy(` alsa_domtrans(hald_t) - alsa_read_rw_config(hald_t) + alsa_read_config(hald_t) ') optional_policy(` --- refpolicy-git-06082016-orig/policy/modules/contrib/entropyd.te 2016-08-06 21:27:11.349094280 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/entropyd.te 2016-08-10 15:55:49.200688065 +0200 @@ -68,7 +68,7 @@ tunable_policy(`entropyd_use_audio',` optional_policy(` tunable_policy(`entropyd_use_audio',` alsa_read_lib(entropyd_t) - alsa_read_rw_config(entropyd_t) + alsa_read_config(entropyd_t) ') ') --- refpolicy-git-06082016-orig/policy/modules/contrib/pulseaudio.te 2016-08-06 21:27:11.412094999 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/pulseaudio.te 2016-08-10 15:56:08.982979017 +0200 @@ -146,7 +146,7 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` - alsa_read_rw_config(pulseaudio_t) + alsa_read_config(pulseaudio_t) ') optional_policy(` --- refpolicy-git-06082016-orig/policy/modules/contrib/mpd.te 2016-08-06 21:27:11.371094531 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/mpd.te 2016-08-10 15:56:33.740343142 +0200 @@ -179,7 +179,7 @@ tunable_policy(`mpd_use_nfs',` ') optional_policy(` - alsa_read_rw_config(mpd_t) + alsa_read_config(mpd_t) ') optional_policy(` --- refpolicy-git-06082016-orig/policy/modules/contrib/mplayer.te 2016-08-06 21:27:11.371094531 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/mplayer.te 2016-08-10 15:56:47.576546638 +0200 @@ -251,7 +251,7 @@ tunable_policy(`allow_mplayer_execstack' ') optional_policy(` - alsa_read_rw_config(mplayer_t) + alsa_read_config(mplayer_t) ') optional_policy(` --- refpolicy-git-06082016-orig/policy/modules/contrib/mozilla.te 2016-08-06 21:27:11.371094531 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/mozilla.te 2016-08-10 15:57:03.475780480 +0200 @@ -518,7 +518,7 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` - alsa_read_rw_config(mozilla_plugin_t) + alsa_read_config(mozilla_plugin_t) alsa_read_home_files(mozilla_plugin_t) ') --- refpolicy-git-06082016-orig/policy/modules/system/init.te 2016-08-06 21:26:43.300774339 +0200 +++ refpolicy-git-06082016/policy/modules/system/init.te 2016-08-10 15:57:39.413309038 +0200 @@ -694,7 +694,7 @@ ifdef(`distro_redhat',` miscfiles_read_hwdata(initrc_t) optional_policy(` - alsa_manage_rw_config(initrc_t) + alsa_manage_config(initrc_t) ') optional_policy(` --- refpolicy-git-06082016-orig/policy/modules/system/udev.te 2016-08-07 19:44:14.820691246 +0200 +++ refpolicy-git-06082016/policy/modules/system/udev.te 2016-08-10 15:58:00.350616976 +0200 @@ -234,7 +234,7 @@ ifdef(`init_systemd',` optional_policy(` alsa_domtrans(udev_t) alsa_read_lib(udev_t) - alsa_read_rw_config(udev_t) + alsa_read_config(udev_t) ') optional_policy(` --- refpolicy-git-06082016-orig/policy/modules/system/userdomain.if 2016-08-06 21:26:43.311774465 +0200 +++ refpolicy-git-06082016/policy/modules/system/userdomain.if 2016-08-10 16:00:35.340683806 +0200 @@ -579,7 +579,7 @@ template(`userdom_common_user_template', optional_policy(` alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc") alsa_manage_home_files($1_t) - alsa_read_rw_config($1_t) + alsa_read_config($1_t) alsa_relabel_home_files($1_t) ') @@ -933,7 +933,7 @@ template(`userdom_restricted_xwindows_us xserver_restricted_role($1_r, $1_t) optional_policy(` - alsa_read_rw_config($1_t) + alsa_read_config($1_t) ') optional_policy(` --- refpolicy-git-06082016-orig/doc/policy.xml 2016-08-06 21:30:16.798209657 +0200 +++ refpolicy-git-06082016/doc/policy.xml 2016-08-10 16:20:17.453744520 +0200 @@ -1331,7 +1331,7 @@ Domain allowed access. - + Read writable Alsa configuration content. @@ -1341,7 +1341,7 @@ Domain allowed access. - + Manage writable Alsa config files.