From: guido@trentalancia.net (Guido Trentalancia) Date: Sat, 13 Aug 2016 17:12:08 +0200 Subject: [refpolicy] [PATCH v7] Update policy and file contexts for the alsa module In-Reply-To: <1471100331.21480.28.camel@trentalancia.net> References: <1470771217.3770.2.camel@trentalancia.net> <89ebee6b-8605-678d-e323-28d6e99778cd@gmail.com> <1470772925.3770.6.camel@trentalancia.net> <1470839456.11490.4.camel@trentalancia.net> <1470840227.11490.6.camel@trentalancia.net> <1471097852.21480.18.camel@trentalancia.net> <1471100331.21480.28.camel@trentalancia.net> Message-ID: <1471101128.21480.29.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Update the alsa module so that the alsa_etc_t file context (previously alsa_etc_rw_t) is widened to the whole alsa share directory, instead of just a couple of files. The wrong and misleading _rw_ label has been deprecated in the alsa interface definitions and in their instances throughout the whole Reference Policy (static and system-wide configuration files are not runtime-writable). Warning messages are printed when the user attempts to use the old namings for the above mentioned alsa interface definitions. After applying this patch, the recent pulseaudio patch should also be applied to complete the removal of the _rw_ labels on the alsa interfaces. This version of the patch finally removes obsolete file contexts and grants read permissions instead of manage permissions for static configuration files in /usr/share/alsa and system-wide configuration files in /etc. Thanks to Dominick Grift for pointing out redundant interface usage in a previous version of this patch. Signed-off-by: Guido Trentalancia --- policy/modules/contrib/alsa.fc | 9 ++---- policy/modules/contrib/alsa.if | 52 ++++++++++++++++++++++++++++------- policy/modules/contrib/alsa.te | 10 +++--- policy/modules/contrib/asterisk.te | 2 - policy/modules/contrib/entropyd.te | 2 - policy/modules/contrib/hal.te | 2 - policy/modules/contrib/mozilla.te | 2 - policy/modules/contrib/mpd.te | 2 - policy/modules/contrib/mplayer.te | 2 - policy/modules/system/init.te | 2 - policy/modules/system/udev.te | 2 - policy/modules/system/userdomain.if | 4 +- 13 files changed, 61 insertions(+), 32 deletions(-) --- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.fc 2016-08-06 21:27:11.326094018 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/alsa.fc 2016-08-10 16:07:26.601201245 +0200 @@ -6,10 +6,8 @@ ifdef(`distro_debian',` /bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0) -/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) -/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) -/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) -/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) +/etc/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0) +/etc/asound\.conf gen_context(system_u:object_r:alsa_etc_t,s0) /sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0) /sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0) @@ -25,8 +23,7 @@ ifdef(`distro_debian',` /usr/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0) /usr/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0) -/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0) -/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) +/usr/share/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0) /var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0) --- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.if 2016-08-06 21:27:11.326094018 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/alsa.if 2016-08-13 15:57:00.899552788 +0200 @@ -102,7 +102,8 @@ interface(`alsa_rw_shared_mem',` ######################################## ## -## Read writable Alsa configuration content. +## Read writable Alsa configuration +## content. (Deprecated) ## ## ## @@ -111,14 +112,29 @@ interface(`alsa_rw_shared_mem',` ## # interface(`alsa_read_rw_config',` + refpolicywarn(`$0($*) has been deprecated, use alsa_read_config() instead.') + alsa_read_config($1) +') + +######################################## +## +## Read Alsa configuration content. +## +## +## +## Domain allowed access. +## +## +# +interface(`alsa_read_config',` gen_require(` - type alsa_etc_rw_t; + type alsa_etc_t; ') files_search_etc($1) - allow $1 alsa_etc_rw_t:dir list_dir_perms; - read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) - read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) + allow $1 alsa_etc_t:dir list_dir_perms; + read_files_pattern($1, alsa_etc_t, alsa_etc_t) + read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t) ifdef(`distro_debian',` files_search_usr($1) @@ -127,7 +143,8 @@ interface(`alsa_read_rw_config',` ######################################## ## -## Manage writable Alsa config files. +## Manage writable Alsa config +## files. (Deprecated) ## ## ## @@ -136,14 +153,29 @@ interface(`alsa_read_rw_config',` ## # interface(`alsa_manage_rw_config',` + refpolicywarn(`$0($*) has been deprecated, use alsa_manage_config() instead.') + alsa_manage_config($1) +') + +######################################## +## +## Manage Alsa config files. +## +## +## +## Domain allowed access. +## +## +# +interface(`alsa_manage_config',` gen_require(` - type alsa_etc_rw_t; + type alsa_etc_t; ') files_search_etc($1) - allow $1 alsa_etc_rw_t:dir list_dir_perms; - manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) - read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) + allow $1 alsa_etc_t:dir list_dir_perms; + manage_files_pattern($1, alsa_etc_t, alsa_etc_t) + read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t) ifdef(`distro_debian',` files_search_usr($1) --- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.te 2016-08-06 21:27:11.326094018 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/alsa.te 2016-08-10 15:42:03.969550824 +0200 @@ -12,8 +12,8 @@ type alsa_exec_t; init_system_domain(alsa_t, alsa_exec_t) role alsa_roles types alsa_t; -type alsa_etc_rw_t; -files_config_file(alsa_etc_rw_t) +type alsa_etc_t; +files_config_file(alsa_etc_t) type alsa_tmp_t; files_tmp_file(alsa_tmp_t) @@ -46,9 +46,9 @@ allow alsa_t self:unix_stream_socket { a allow alsa_t alsa_home_t:file read_file_perms; -manage_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t) -manage_lnk_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t) -files_etc_filetrans(alsa_t, alsa_etc_rw_t, file) +list_dirs_pattern(alsa_t, alsa_etc_t, alsa_etc_t) +read_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t) +read_lnk_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t) can_exec(alsa_t, alsa_exec_t) --- refpolicy-git-06082016-orig/policy/modules/contrib/asterisk.te 2016-08-06 21:27:11.330094064 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/asterisk.te 2016-08-10 15:54:57.818932359 +0200 @@ -156,7 +156,7 @@ userdom_dontaudit_use_unpriv_user_fds(as userdom_dontaudit_search_user_home_dirs(asterisk_t) optional_policy(` - alsa_read_rw_config(asterisk_t) + alsa_read_config(asterisk_t) ') optional_policy(` --- refpolicy-git-06082016-orig/policy/modules/contrib/entropyd.te 2016-08-06 21:27:11.349094280 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/entropyd.te 2016-08-10 15:55:49.200688065 +0200 @@ -68,7 +68,7 @@ tunable_policy(`entropyd_use_audio',` optional_policy(` tunable_policy(`entropyd_use_audio',` alsa_read_lib(entropyd_t) - alsa_read_rw_config(entropyd_t) + alsa_read_config(entropyd_t) ') ') --- refpolicy-git-06082016-orig/policy/modules/contrib/hal.te 2016-08-06 21:27:11.357094372 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/hal.te 2016-08-10 15:55:28.902389524 +0200 @@ -213,7 +213,7 @@ userdom_dontaudit_search_user_home_dirs( optional_policy(` alsa_domtrans(hald_t) - alsa_read_rw_config(hald_t) + alsa_read_config(hald_t) ') optional_policy(` --- refpolicy-git-06082016-orig/policy/modules/contrib/mozilla.te 2016-08-06 21:27:11.371094531 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/mozilla.te 2016-08-10 15:57:03.475780480 +0200 @@ -518,7 +518,7 @@ tunable_policy(`use_samba_home_dirs',` ') optional_policy(` - alsa_read_rw_config(mozilla_plugin_t) + alsa_read_config(mozilla_plugin_t) alsa_read_home_files(mozilla_plugin_t) ') --- refpolicy-git-06082016-orig/policy/modules/contrib/mpd.te 2016-08-06 21:27:11.371094531 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/mpd.te 2016-08-10 15:56:33.740343142 +0200 @@ -179,7 +179,7 @@ tunable_policy(`mpd_use_nfs',` ') optional_policy(` - alsa_read_rw_config(mpd_t) + alsa_read_config(mpd_t) ') optional_policy(` --- refpolicy-git-06082016-orig/policy/modules/contrib/mplayer.te 2016-08-06 21:27:11.371094531 +0200 +++ refpolicy-git-06082016/policy/modules/contrib/mplayer.te 2016-08-10 15:56:47.576546638 +0200 @@ -251,7 +251,7 @@ tunable_policy(`allow_mplayer_execstack' ') optional_policy(` - alsa_read_rw_config(mplayer_t) + alsa_read_config(mplayer_t) ') optional_policy(` --- refpolicy-git-06082016-orig/policy/modules/system/init.te 2016-08-06 21:26:43.300774339 +0200 +++ refpolicy-git-06082016/policy/modules/system/init.te 2016-08-10 15:57:39.413309038 +0200 @@ -694,7 +694,7 @@ ifdef(`distro_redhat',` miscfiles_read_hwdata(initrc_t) optional_policy(` - alsa_manage_rw_config(initrc_t) + alsa_manage_config(initrc_t) ') optional_policy(` --- refpolicy-git-06082016-orig/policy/modules/system/udev.te 2016-08-07 19:44:14.820691246 +0200 +++ refpolicy-git-06082016/policy/modules/system/udev.te 2016-08-10 15:58:00.350616976 +0200 @@ -234,7 +234,7 @@ ifdef(`init_systemd',` optional_policy(` alsa_domtrans(udev_t) alsa_read_lib(udev_t) - alsa_read_rw_config(udev_t) + alsa_read_config(udev_t) ') optional_policy(` --- refpolicy-git-06082016-orig/policy/modules/system/userdomain.if 2016-08-06 21:26:43.311774465 +0200 +++ refpolicy-git-06082016/policy/modules/system/userdomain.if 2016-08-10 16:00:35.340683806 +0200 @@ -579,7 +579,7 @@ template(`userdom_common_user_template', optional_policy(` alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc") alsa_manage_home_files($1_t) - alsa_read_rw_config($1_t) + alsa_read_config($1_t) alsa_relabel_home_files($1_t) ') @@ -933,7 +933,7 @@ template(`userdom_restricted_xwindows_us xserver_restricted_role($1_r, $1_t) optional_policy(` - alsa_read_rw_config($1_t) + alsa_read_config($1_t) ') optional_policy(`