From: guido@trentalancia.net (Guido Trentalancia)
Date: Sat, 10 Sep 2016 18:26:46 +0200
Subject: [refpolicy] [PATCH] mozilla: let mozilla play audio
Message-ID: <1473524806.18488.3.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Let mozilla play audio:

- add new interfaces to the pulseaudio module;
- let mozilla read alsa configuration files;
- add further permissions to mozilla needed to use
  pulseaudio to play audio.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/contrib/mozilla.te    |    9 ++++
 policy/modules/contrib/pulseaudio.if |   77 +++++++++++++++++++++++++++++++++++
 2 files changed, 86 insertions(+)

--- refpolicy-git-06082016-orig/policy/modules/contrib/mozilla.te	2016-09-10 18:09:13.357710355 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/mozilla.te	2016-09-10 18:07:16.322739208 +0200
@@ -234,6 +239,11 @@ tunable_policy(`use_samba_home_dirs',`
 ')
 
 optional_policy(`
+	alsa_read_config(mozilla_t)
+	alsa_read_home_files(mozilla_t)
+')
+
+optional_policy(`
 	apache_read_user_scripts(mozilla_t)
 	apache_read_user_content(mozilla_t)
 ')
@@ -292,6 +305,8 @@ optional_policy(`
 
 optional_policy(`
 	pulseaudio_run(mozilla_t, mozilla_roles)
+	pulseaudio_rw_tmpfs_files(mozilla_t)
+	pulseaudio_use_fds(mozilla_t)
 ')
 
 optional_policy(`
@@ -561,6 +580,8 @@ optional_policy(`
 
 optional_policy(`
 	pulseaudio_run(mozilla_plugin_t, mozilla_plugin_roles)
+	pulseaudio_rw_tmpfs_files(mozilla_plugin_t)
+	pulseaudio_use_fds(mozilla_plugin_t)
 ')
 
 optional_policy(`
--- refpolicy-git-06082016-orig/policy/modules/contrib/pulseaudio.if	2016-08-20 03:45:31.740027060 +0200
+++ refpolicy-git-06082016/policy/modules/contrib/pulseaudio.if	2016-08-20 00:25:39.112517500 +0200
@@ -346,3 +347,80 @@ interface(`pulseaudio_tmpfs_content',`
 
 	typeattribute $1 pulseaudio_tmpfsfile;
 ')
+
+#######################################
+## <summary>
+##	Read pulseaudio tmpfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pulseaudio_read_tmpfs_files',`
+	gen_require(`
+		type pulseaudio_tmpfs_t;
+	')
+
+	fs_search_tmpfs($1)
+	read_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
+')
+
+#######################################
+## <summary>
+##	Read and write pulseaudio tmpfs
+##	files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pulseaudio_rw_tmpfs_files',`
+	gen_require(`
+		type pulseaudio_tmpfs_t;
+	')
+
+	fs_search_tmpfs($1)
+	rw_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
+')
+
+########################################
+## <summary>
+##	Use file descriptors for
+##	pulseaudio.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pulseaudio_use_fds',`
+	gen_require(`
+		type pulseaudio_t;
+	')
+
+	allow $1 pulseaudio_t:fd use;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to use the
+##	file descriptors for pulseaudio.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`pulseaudio_dontaudit_use_fds',`
+	gen_require(`
+		type pulseaudio_t;
+	')
+
+	dontaudit $1 pulseaudio_t:fd use;
+')