From: pebenito@ieee.org (Chris PeBenito)
Date: Mon, 12 Sep 2016 18:51:44 -0400
Subject: [refpolicy] [PATCH] mozilla: let mozilla play audio
In-Reply-To: <1473607339.18488.9.camel@trentalancia.net>
References: <1473524806.18488.3.camel@trentalancia.net> <88e4da55-6d3a-5d36-a54f-98b83cc86038@gmail.com> <1473607339.18488.9.camel@trentalancia.net>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/11/16 11:22, Guido Trentalancia via refpolicy wrote:
> Hello Dominick (and cc Chris) !
>
> On Sun, 11/09/2016 at 15.21 +0200, Dominick Grift via refpolicy wrote:
>> On 09/10/2016 06:26 PM, Guido Trentalancia via refpolicy wrote:
>>>
>>> Let mozilla play audio:
>>>
>>> - add new interfaces to the pulseaudio module;
>>> - let mozilla read alsa configuration files;
>>> - add further permissions to mozilla needed to use
>>> pulseaudio to play audio.
>>>
>>> Signed-off-by: Guido Trentalancia
>>> ---
>>> policy/modules/contrib/mozilla.te | 9 ++++
>>> policy/modules/contrib/pulseaudio.if | 77 +++++++++++++++++++++++++++++++++++
>>> 2 files changed, 86 insertions(+)
>
> [...]
>
>> Applies to all pulseaudio clients, so this should have been added to
>> pulseaudio.te instead:
>
> I am fine with improving this.
>
>> optional_policy(`
>> alsa_read_config(pulseaudio_client)
>> alsa_read_home_files(pulseaudio_client)
>> ')
>
> and this:
>
>>>
>>> + pulseaudio_use_fds(mozilla_t)
>>
>> This applies to all pulseaudio_client and thus should be added to
>> pulseaudio.te as follows instead:
>>
>> pulseaudio_use_fds(pulseaudio_client)
>
> as long as it is also fine to Christopher.

If the rules apply to all pulseaudio domains, then it should be done as
Dominick suggests.

> The other change (delete instead of read/write) doesn't make a big
> difference in my opinion.
>
> Here is the small diff:
>
> Improvements to the mozilla and pulseaudio modules
> as suggested by Dominick Grift.
>
> policy/modules/contrib/mozilla.te | 14 --------------
> policy/modules/contrib/pulseaudio.te | 8 ++++++++
> 2 files changed, 8 insertions(+), 14 deletions(-)
>
> --- refpolicy-git-06082016-orig/policy/modules/contrib/mozilla.te 2016-09-11 17:05:47.916850416 +0200 > +++ refpolicy-git-06082016/policy/modules/contrib/mozilla.te 2016-09-11 17:05:27.911531798 +0200 > @@ -234,11 +267,6 @@ tunable_policy(`use_samba_home_dirs',` > ') > > optional_policy(` > - alsa_read_config(mozilla_t) > - alsa_read_home_files(mozilla_t) > -') > - > -optional_policy(` > apache_read_user_scripts(mozilla_t) > apache_read_user_content(mozilla_t) > ') > @@ -297,8 +329,6 @@ optional_policy(` > > optional_policy(` > pulseaudio_run(mozilla_t, mozilla_roles) > - pulseaudio_rw_tmpfs_files(mozilla_t) > - pulseaudio_use_fds(mozilla_t) > ') > > optional_policy(`
> @@ -525,11 +569,6 @@ tunable_policy(`use_samba_home_dirs',` > ') > > optional_policy(` > - alsa_read_config(mozilla_plugin_t) > - alsa_read_home_files(mozilla_plugin_t) > -') > - > -optional_policy(` > automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_t) > ') > > @@ -568,8 +607,6 @@ optional_policy(` > > optional_policy(` > pulseaudio_run(mozilla_plugin_t, mozilla_plugin_roles) > - pulseaudio_rw_tmpfs_files(mozilla_plugin_t) > - pulseaudio_use_fds(mozilla_plugin_t) > ') > > optional_policy(` > --- refpolicy-git-06082016-orig/policy/modules/contrib/pulseaudio.te 2016-08-20 03:45:31.741027074 +0200 > +++ refpolicy-git-06082016/policy/modules/contrib/pulseaudio.te 2016-09-11 17:15:40.155169246 +0200 > @@ -231,6 +258,9 @@ pulseaudio_home_filetrans_pulseaudio_hom > pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cookie") > pulseaudio_signull(pulseaudio_client) > > +pulseaudio_rw_tmpfs_files(pulseaudio_client) > +pulseaudio_use_fds(pulseaudio_client) > + > userdom_read_user_tmpfs_files(pulseaudio_client) > userdom_user_runtime_filetrans(pulseaudio_client, pulseaudio_tmp_t, dir, "pulse") > # userdom_delete_user_tmpfs_files(pulseaudio_client) > @@ -250,6 +280,11 @@ tunable_policy(`use_samba_home_dirs',` > ') > > optional_policy(` > + alsa_read_config(pulseaudio_client) > + alsa_read_home_files(pulseaudio_client) > +') > + > +optional_policy(` > pulseaudio_dbus_chat(pulseaudio_client) > ') >

--
Chris PeBenito
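
Review bot: the scope change is undocumented in the pulseaudio.te hunk at @@ -231,6 +258,9, where pulseaudio_rw_tmpfs_files(pulseaudio_client) and pulseaudio_use_fds(pulseaudio_client) now apply to every domain carrying the pulseaudio_client attribute, while the mozilla.te lines they replace covered only mozilla_t and mozilla_plugin_t. The description ("Improvements to the mozilla and pulseaudio modules as suggested by Dominick Grift") should state that the grant is widened to all clients. The same holds for the alsa_read_config and alsa_read_home_files block added at @@ -250,6 +280,11. Since the new lines sit directly above userdom_read_user_tmpfs_files(pulseaudio_client) and the commented-out userdom_delete_user_tmpfs_files line, a one-line comment saying why clients need read/write on the tmpfs files would keep the two tmpfs rules from being read as redundant.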
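
Review bot: the mozilla.te hunk headers do not match a diff that only removes lines. The first one reads -234,11 +267,6, so the new side starts 33 lines later than the old side, and the offsets of the later hunks (-297,8 +329,6, -525,11 +569,6) drift in ways that the 14 deletions shown cannot account for. The two trees therefore differ by more than what is visible here, and the diff is an increment on top of the earlier, still unapplied patch. Please regenerate it against the current tree and send it as one squashed v2 rather than a follow-up. The follow-up as quoted also has no Signed-off-by line after its description, which the first submission did carry.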