From: pebenito@ieee.org (Chris PeBenito) Date: Sun, 14 Aug 2016 14:37:37 -0400 Subject: [refpolicy] [PATCH v7] Update policy and file contexts for the alsa module In-Reply-To: <1471101128.21480.29.camel@trentalancia.net> References: <1470771217.3770.2.camel@trentalancia.net> <89ebee6b-8605-678d-e323-28d6e99778cd@gmail.com> <1470772925.3770.6.camel@trentalancia.net> <1470839456.11490.4.camel@trentalancia.net> <1470840227.11490.6.camel@trentalancia.net> <1471097852.21480.18.camel@trentalancia.net> <1471100331.21480.28.camel@trentalancia.net> <1471101128.21480.29.camel@trentalancia.net> Message-ID: <77e6f470-17d5-156e-5ef7-3d87e069f2ff@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 08/13/16 11:12, Guido Trentalancia wrote: > Update the alsa module so that the alsa_etc_t file context (previously > alsa_etc_rw_t) is widened to the whole alsa share directory, instead > of just a couple of files. > > The wrong and misleading _rw_ label has been deprecated in the alsa > interface definitions and in their instances throughout the whole > Reference Policy (static and system-wide configuration files are > not runtime-writable). Warning messages are printed when the user > attempts to use the old namings for the above mentioned alsa > interface definitions. > > After applying this patch, the recent pulseaudio patch should also > be applied to complete the removal of the _rw_ labels on the alsa > interfaces. > > This version of the patch finally removes obsolete file contexts and > grants read permissions instead of manage permissions for static > configuration files in /usr/share/alsa and system-wide configuration > files in /etc. > > Thanks to Dominick Grift for pointing out redundant interface usage > in a previous version of this patch. Merged. I also added a compatibility alias to alsa_etc_rw_t. 
> Signed-off-by: Guido Trentalancia
> ---
> policy/modules/contrib/alsa.fc | 9 ++----
> policy/modules/contrib/alsa.if | 52 ++++++++++++++++++++++++++++-------
> policy/modules/contrib/alsa.te | 10 +++---
> policy/modules/contrib/asterisk.te | 2 -
> policy/modules/contrib/entropyd.te | 2 -
> policy/modules/contrib/hal.te | 2 -
> policy/modules/contrib/mozilla.te | 2 -
> policy/modules/contrib/mpd.te | 2 -
> policy/modules/contrib/mplayer.te | 2 -
> policy/modules/system/init.te | 2 -
> policy/modules/system/udev.te | 2 -
> policy/modules/system/userdomain.if | 4 +-
> 13 files changed, 61 insertions(+), 32 deletions(-)
>
> --- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.fc 2016-08-06 21:27:11.326094018 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/alsa.fc 2016-08-10 16:07:26.601201245 +0200
> @@ -6,10 +6,8 @@ ifdef(`distro_debian',`
>
> /bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
>
> -/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> -/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> -/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> -/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> +/etc/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0)
> +/etc/asound\.conf gen_context(system_u:object_r:alsa_etc_t,s0)
>
> /sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
> /sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
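Review bot: The added `/etc/asound\.conf` entry carries no file-type field, whereas the neighbouring regular-file entries (`/bin/alsaunmute --`, `/sbin/alsactl --`) and the removed `/etc/asound\.state --` line restrict the match to regular files; without `--` the pattern also labels a directory, symlink or socket created at that path as alsa_etc_t. Suggested line: `/etc/asound\.conf -- gen_context(system_u:object_r:alsa_etc_t,s0)`. Note too that `/etc/asound\.state` and `/etc/asound(/.*)?` no longer receive an alsa-specific label, so on a distribution that still keeps the saved mixer state under /etc the read-only rules introduced for alsa_t in alsa.te would presumably deny alsactl's state writes; this is consistent with the stated intent of dropping obsolete contexts, but worth a short comment in the commit message naming /var/lib/alsa as the expected location.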
> @@ -25,8 +23,7 @@ ifdef(`distro_debian',`
> /usr/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
> /usr/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
>
> -/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> -/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> +/usr/share/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0)
>
> /var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0)
>
> --- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.if 2016-08-06 21:27:11.326094018 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/alsa.if 2016-08-13 15:57:00.899552788 +0200
> @@ -102,7 +102,8 @@ interface(`alsa_rw_shared_mem',`
>
> ########################################
> ##
> -## Read writable Alsa configuration content.
> +## Read writable Alsa configuration
> +## content. (Deprecated)
> ##
> ##
> ##
> @@ -111,14 +112,29 @@ interface(`alsa_rw_shared_mem',`
> ##
> #
> interface(`alsa_read_rw_config',`
> + refpolicywarn(`$0($*) has been deprecated, use alsa_read_config() instead.')
> + alsa_read_config($1)
> +')
> +
> +########################################
> +##
> +## Read Alsa configuration content.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`alsa_read_config',`
> gen_require(`
> - type alsa_etc_rw_t;
> + type alsa_etc_t;
> ')
>
> files_search_etc($1)
> - allow $1 alsa_etc_rw_t:dir list_dir_perms;
> - read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
> - read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
> + allow $1 alsa_etc_t:dir list_dir_perms;
> + read_files_pattern($1, alsa_etc_t, alsa_etc_t)
> + read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t)
>
> ifdef(`distro_debian',`
> files_search_usr($1)
> @@ -127,7 +143,8 @@ interface(`alsa_read_rw_config',`
>
> ########################################
> ##
> -## Manage writable Alsa config files.
> +## Manage writable Alsa config
> +## files. (Deprecated)
> ##
> ##
> ##
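Review bot: In the new `alsa_read_config` interface (hunk @@ -111), `files_search_usr($1)` is still issued only inside `ifdef(`distro_debian',`` although the alsa.fc hunk above now labels `/usr/share/alsa(/.*)?` as alsa_etc_t; whether that .fc entry is itself Debian-only cannot be told from the hunk context, but if it is unconditional, a non-Debian caller gets read access on the files yet may lack `search` on `/usr/share`, and the AVC denial would show up on the parent directory type rather than on alsa_etc_t, which is confusing to diagnose. Consider moving `files_search_usr($1)` out of the ifdef so it sits next to `files_search_etc($1)`; the same applies to `alsa_manage_config` in the following hunk. The interface body continues past the end of the hunk, so the closing of the ifdef is not visible here. The summary of the new interface could also name both locations, e.g. `## Read Alsa configuration content in /etc and /usr/share/alsa.`.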
> @@ -136,14 +153,29 @@ interface(`alsa_read_rw_config',`
> ##
> #
> interface(`alsa_manage_rw_config',`
> + refpolicywarn(`$0($*) has been deprecated, use alsa_manage_config() instead.')
> + alsa_manage_config($1)
> +')
> +
> +########################################
> +##
> +## Manage Alsa config files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`alsa_manage_config',`
> gen_require(`
> - type alsa_etc_rw_t;
> + type alsa_etc_t;
> ')
>
> files_search_etc($1)
> - allow $1 alsa_etc_rw_t:dir list_dir_perms;
> - manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
> - read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
> + allow $1 alsa_etc_t:dir list_dir_perms;
> + manage_files_pattern($1, alsa_etc_t, alsa_etc_t)
> + read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t)
>
> ifdef(`distro_debian',`
> files_search_usr($1)
> --- refpolicy-git-06082016-orig/policy/modules/contrib/alsa.te 2016-08-06 21:27:11.326094018 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/alsa.te 2016-08-10 15:42:03.969550824 +0200
> @@ -12,8 +12,8 @@ type alsa_exec_t;
> init_system_domain(alsa_t, alsa_exec_t)
> role alsa_roles types alsa_t;
>
> -type alsa_etc_rw_t;
> -files_config_file(alsa_etc_rw_t)
> +type alsa_etc_t;
> +files_config_file(alsa_etc_t)
>
> type alsa_tmp_t;
> files_tmp_file(alsa_tmp_t)
> @@ -46,9 +46,9 @@ allow alsa_t self:unix_stream_socket { a
>
> allow alsa_t alsa_home_t:file read_file_perms;
>
> -manage_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
> -manage_lnk_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
> -files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
> +list_dirs_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
> +read_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
> +read_lnk_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
>
> can_exec(alsa_t, alsa_exec_t)
>
> --- refpolicy-git-06082016-orig/policy/modules/contrib/asterisk.te 2016-08-06 21:27:11.330094064 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/asterisk.te 2016-08-10 15:54:57.818932359 +0200
> @@ -156,7 +156,7 @@ userdom_dontaudit_use_unpriv_user_fds(as
> userdom_dontaudit_search_user_home_dirs(asterisk_t)
>
> optional_policy(`
> - alsa_read_rw_config(asterisk_t)
> + alsa_read_config(asterisk_t)
> ')
>
> optional_policy(`
> --- refpolicy-git-06082016-orig/policy/modules/contrib/entropyd.te 2016-08-06 21:27:11.349094280 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/entropyd.te 2016-08-10 15:55:49.200688065 +0200
> @@ -68,7 +68,7 @@ tunable_policy(`entropyd_use_audio',`
> optional_policy(`
> tunable_policy(`entropyd_use_audio',`
> alsa_read_lib(entropyd_t)
> - alsa_read_rw_config(entropyd_t)
> + alsa_read_config(entropyd_t)
> ')
> ')
>
> --- refpolicy-git-06082016-orig/policy/modules/contrib/hal.te 2016-08-06 21:27:11.357094372 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/hal.te 2016-08-10 15:55:28.902389524 +0200
> @@ -213,7 +213,7 @@ userdom_dontaudit_search_user_home_dirs(
>
> optional_policy(`
> alsa_domtrans(hald_t)
> - alsa_read_rw_config(hald_t)
> + alsa_read_config(hald_t)
> ')
>
> optional_policy(`
> --- refpolicy-git-06082016-orig/policy/modules/contrib/mozilla.te 2016-08-06 21:27:11.371094531 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/mozilla.te 2016-08-10 15:57:03.475780480 +0200
> @@ -518,7 +518,7 @@ tunable_policy(`use_samba_home_dirs',`
> ')
>
> optional_policy(`
> - alsa_read_rw_config(mozilla_plugin_t)
> + alsa_read_config(mozilla_plugin_t)
> alsa_read_home_files(mozilla_plugin_t)
> ')
>
> --- refpolicy-git-06082016-orig/policy/modules/contrib/mpd.te 2016-08-06 21:27:11.371094531 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/mpd.te 2016-08-10 15:56:33.740343142 +0200
> @@ -179,7 +179,7 @@ tunable_policy(`mpd_use_nfs',`
> ')
>
> optional_policy(`
> - alsa_read_rw_config(mpd_t)
> + alsa_read_config(mpd_t)
> ')
>
> optional_policy(`
> --- refpolicy-git-06082016-orig/policy/modules/contrib/mplayer.te 2016-08-06 21:27:11.371094531 +0200
> +++ refpolicy-git-06082016/policy/modules/contrib/mplayer.te 2016-08-10 15:56:47.576546638 +0200
> @@ -251,7 +251,7 @@ tunable_policy(`allow_mplayer_execstack'
> ')
>
> optional_policy(`
> - alsa_read_rw_config(mplayer_t)
> + alsa_read_config(mplayer_t)
> ')
>
> optional_policy(`
> --- refpolicy-git-06082016-orig/policy/modules/system/init.te 2016-08-06 21:26:43.300774339 +0200
> +++ refpolicy-git-06082016/policy/modules/system/init.te 2016-08-10 15:57:39.413309038 +0200
> @@ -694,7 +694,7 @@ ifdef(`distro_redhat',`
> miscfiles_read_hwdata(initrc_t)
>
> optional_policy(`
> - alsa_manage_rw_config(initrc_t)
> + alsa_manage_config(initrc_t)
> ')
>
> optional_policy(`
> --- refpolicy-git-06082016-orig/policy/modules/system/udev.te 2016-08-07 19:44:14.820691246 +0200
> +++ refpolicy-git-06082016/policy/modules/system/udev.te 2016-08-10 15:58:00.350616976 +0200
> @@ -234,7 +234,7 @@ ifdef(`init_systemd',`
> optional_policy(`
> alsa_domtrans(udev_t)
> alsa_read_lib(udev_t)
> - alsa_read_rw_config(udev_t)
> + alsa_read_config(udev_t)
> ')
>
> optional_policy(`
> --- refpolicy-git-06082016-orig/policy/modules/system/userdomain.if 2016-08-06 21:26:43.311774465 +0200
> +++ refpolicy-git-06082016/policy/modules/system/userdomain.if 2016-08-10 16:00:35.340683806 +0200
> @@ -579,7 +579,7 @@ template(`userdom_common_user_template',
> optional_policy(`
> alsa_home_filetrans_alsa_home($1_t, file, ".asoundrc")
> alsa_manage_home_files($1_t)
> - alsa_read_rw_config($1_t)
> + alsa_read_config($1_t)
> alsa_relabel_home_files($1_t)
> ')
>
> @@ -933,7 +933,7 @@ template(`userdom_restricted_xwindows_us
> xserver_restricted_role($1_r, $1_t)
>
> optional_policy(`
> - alsa_read_rw_config($1_t)
> + alsa_read_config($1_t)
> ')
>
> optional_policy(`
-- Chris PeBenito