From: guido@trentalancia.net (Guido Trentalancia)
Date: Sat, 10 Sep 2016 18:26:46 +0200
Subject: [refpolicy] [PATCH] mozilla: let mozilla play audio
Message-ID: <1473524806.18488.3.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Let mozilla play audio:
- add new interfaces to the pulseaudio module;
- let mozilla read alsa configuration files;
- add further permissions to mozilla needed to use pulseaudio to play audio.
Signed-off-by: Guido Trentalancia
---
 policy/modules/contrib/mozilla.te | 9 ++++
 policy/modules/contrib/pulseaudio.if | 77 +++++++++++++++++++++++++++++++++++
 2 files changed, 86 insertions(+)
--- refpolicy-git-06082016-orig/policy/modules/contrib/mozilla.te 2016-09-10 18:09:13.357710355 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/mozilla.te 2016-09-10 18:07:16.322739208 +0200
@@ -234,6 +239,11 @@ tunable_policy(`use_samba_home_dirs',`
 ')
 optional_policy(`
+ alsa_read_config(mozilla_t)
+ alsa_read_home_files(mozilla_t)
+')
+
+optional_policy(`
 apache_read_user_scripts(mozilla_t)
 apache_read_user_content(mozilla_t)
 ')
@@ -292,6 +305,8 @@ optional_policy(`
 optional_policy(`
 pulseaudio_run(mozilla_t, mozilla_roles)
+ pulseaudio_rw_tmpfs_files(mozilla_t)
+ pulseaudio_use_fds(mozilla_t)
 ')
 optional_policy(`
@@ -561,6 +580,8 @@ optional_policy(`
 optional_policy(`
 pulseaudio_run(mozilla_plugin_t, mozilla_plugin_roles)
+ pulseaudio_rw_tmpfs_files(mozilla_plugin_t)
+ pulseaudio_use_fds(mozilla_plugin_t)
 ')
 optional_policy(`
--- refpolicy-git-06082016-orig/policy/modules/contrib/pulseaudio.if 2016-08-20 03:45:31.740027060 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/pulseaudio.if 2016-08-20 00:25:39.112517500 +0200
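Review bot: Write access to every `pulseaudio_tmpfs_t` file is granted by `pulseaudio_rw_tmpfs_files` in the hunk at -292 (for `mozilla_t`) and again in the hunk at -561 (for `mozilla_plugin_t`), both of which are domains that process untrusted web and plugin content. The read-only `pulseaudio_read_tmpfs_files` interface added by this same patch is not called in any visible hunk. If the denials seen during playback were only for reading the daemon's shared-memory segments, `pulseaudio_read_tmpfs_files(mozilla_t)` and `pulseaudio_read_tmpfs_files(mozilla_plugin_t)` would be the least-privilege choice. If write access is required, the commit message should quote the AVC denial that shows it, since the denials themselves are not visible here.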
@@ -346,3 +347,80 @@ interface(`pulseaudio_tmpfs_content',`
 typeattribute $1 pulseaudio_tmpfsfile;
 ')
+
+#######################################
+##
+## Read pulseaudio tmpfs files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pulseaudio_read_tmpfs_files',`
+ gen_require(`
+ type pulseaudio_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ read_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
+')
+
+#######################################
+##
+## Read and write pulseaudio tmpfs
+## files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pulseaudio_rw_tmpfs_files',`
+ gen_require(`
+ type pulseaudio_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ rw_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
+')
+
+########################################
+##
+## Use file descriptors for
+## pulseaudio.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pulseaudio_use_fds',`
+ gen_require(`
+ type pulseaudio_t;
+ ')
+
+ allow $1 pulseaudio_t:fd use;
+')
+
+########################################
+##
+## Do not audit attempts to use the
+## file descriptors for pulseaudio.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pulseaudio_dontaudit_use_fds',`
+ gen_require(`
+ type pulseaudio_t;
+ ')
+
+ dontaudit $1 pulseaudio_t:fd use;
+')
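Review bot: The parameter description on `pulseaudio_dontaudit_use_fds` reads "Domain allowed access.", but the body is a `dontaudit` rule, so the caller is granted nothing and its denied `fd use` attempts on `pulseaudio_t` simply stop being logged. I would change that line to `## Domain to not audit.` so policy authors can see that calling the interface reduces AVC visibility rather than adding a permission. No visible mozilla.te hunk calls this interface, so a sentence in the commit message naming its intended caller and the denial it is meant to silence would make that trade-off reviewable.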