From: pebenito@ieee.org (Chris PeBenito)
Date: Sat, 13 Aug 2016 08:40:06 -0400
Subject: [refpolicy] [PATCH v4] Update policy and file contexts for the alsa module
In-Reply-To: <1470840227.11490.6.camel@trentalancia.net>
References: <1470771217.3770.2.camel@trentalancia.net> <89ebee6b-8605-678d-e323-28d6e99778cd@gmail.com> <1470772925.3770.6.camel@trentalancia.net> <1470839456.11490.4.camel@trentalancia.net> <1470840227.11490.6.camel@trentalancia.net>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/10/16 10:43, Guido Trentalancia wrote:
> Update the alsa module so that the alsa_etc_t file context (previously
> alsa_etc_rw_t) is widened to the whole alsa share directory, instead
> of just a couple of files.
>
> The wrong and misleading _rw_ label is also removed from the alsa
> interface definitions and from their instances throughout the whole
> Reference Policy (static and system-wide configuration files are
> not runtime-writable).
>
> This version of the patch finally removes obsolete file contexts and
> grants read permissions instead of manage permissions for static
> configuration files in /usr/share/alsa and system-wide configuration
> files in /etc.
>
> Thanks to Dominick Grift for pointing out redundant interface usage
> in a previous version of this patch.
> [...]
> --- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.if 2016-08-06 21:27:11.326094018 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/alsa.if 2016-08-10 15:40:21.757047516 +0200
> @@ -102,7 +102,7 @@ interface(`alsa_rw_shared_mem',`
>
> ########################################
> ##
> -## Read writable Alsa configuration content.
> +## Read Alsa configuration content.
> ##
> ##
> ##
> @@ -110,15 +110,15 @@ interface(`alsa_rw_shared_mem',`
> ##
> ##
> #
> -interface(`alsa_read_rw_config',`
> +interface(`alsa_read_config',`

Since these interfaces have been in releases, please do not remove them, deprecate them. It is fine to have them print out deprecation warnings and call the new interfaces you're creating (grep for "refpolicywarn" to see other deprecated interface examples).

> gen_require(`
> - type alsa_etc_rw_t;
> + type alsa_etc_t;
> ')
>
> files_search_etc($1)
> - allow $1 alsa_etc_rw_t:dir list_dir_perms;
> - read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
> - read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
> + allow $1 alsa_etc_t:dir list_dir_perms;
> + read_files_pattern($1, alsa_etc_t, alsa_etc_t)
> + read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t)
>
> ifdef(`distro_debian',`
> files_search_usr($1)
> @@ -127,7 +127,7 @@ interface(`alsa_read_rw_config',`
>
> ########################################
> ##
> -## Manage writable Alsa config files.
> +## Manage Alsa config files.
> ##
> ##
> ##
> @@ -135,15 +135,15 @@ interface(`alsa_read_rw_config',`
> ##
> ##
> #
> -interface(`alsa_manage_rw_config',`
> +interface(`alsa_manage_config',`
> gen_require(`
> - type alsa_etc_rw_t;
> + type alsa_etc_t;
> ')
>
> files_search_etc($1)
> - allow $1 alsa_etc_rw_t:dir list_dir_perms;
> - manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
> - read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
> + allow $1 alsa_etc_t:dir list_dir_perms;
> + manage_files_pattern($1, alsa_etc_t, alsa_etc_t)
> + read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t)
>
> ifdef(`distro_debian',`
> files_search_usr($1)

-- 
Chris PeBenito
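Review bot: in the @@ -110,15 +110,15 @@ hunk (alsa_read_config), the unchanged trailing context still wraps files_search_usr($1) in ifdef(`distro_debian',`, yet the commit message says alsa_etc_t is now widened to the whole alsa share directory (/usr/share/alsa). If that file context is no longer Debian-specific, a caller on any other distro is granted read on alsa_etc_t but gets no search permission on /usr, so it cannot actually reach /usr/share/alsa; either drop the distro_debian guard so files_search_usr($1) is unconditional, or keep the /usr/share/alsa context Debian-only in the alsa.fc hunk (elided here as "[...]") and say so in the interface summary.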
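Review bot: in the @@ -135,15 +135,15 @@ hunk (alsa_manage_config), manage_files_pattern($1, alsa_etc_t, alsa_etc_t) now grants create/write/unlink on a single type that, per the commit message, also labels the static files under /usr/share/alsa, which the same message describes as not runtime-writable. Any domain given alsa_manage_config() so it can edit /etc content therefore also gets write access to /usr/share/alsa; if only the /etc files are meant to be writable, the two locations need distinct types, otherwise the interface summary should state the wider scope. The deprecation shim requested for alsa_read_rw_config applies equally to alsa_manage_rw_config here, and the ifdef(`distro_debian',` guard on files_search_usr($1) in the trailing context has the same reachability issue as in the read interface.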
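An added example of the deprecation shim requested above, not code from the patch or from refpolicy itself: the old interface names remain callable, print a build-time warning through refpolicywarn, and forward to the renamed interfaces. It assumes alsa_read_config() and alsa_manage_config() exist with the signatures shown in the patch; the `$0($*) has been deprecated` wording follows the form other deprecated refpolicy interfaces use.

```m4
########################################
## <summary>
##	Read Alsa configuration content.
##	Deprecated: use alsa_read_config() instead.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`alsa_read_rw_config',`
	# $0 expands to this interface's name and $* to its arguments, so the
	# warning names the caller's exact invocation during the policy build.
	refpolicywarn(`$0($*) has been deprecated, please use alsa_read_config() instead.')
	# Forward to the renamed interface so existing callers keep the same rules.
	alsa_read_config($1)
')

########################################
## <summary>
##	Manage Alsa config files.
##	Deprecated: use alsa_manage_config() instead.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`alsa_manage_rw_config',`
	refpolicywarn(`$0($*) has been deprecated, please use alsa_manage_config() instead.')
	alsa_manage_config($1)
')
```

With these shims in alsa.if, a module that still calls alsa_read_rw_config(foo_t) builds and receives exactly the rules alsa_read_config(foo_t) grants against alsa_etc_t, while the warning in the build output flags the call site for migration; the old names can be dropped in a later release once no in-tree caller triggers the warning.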