From: guido@trentalancia.net (Guido Trentalancia)
Date: Tue, 13 Sep 2016 13:29:25 +0200
Subject: [refpolicy] [PATCH] mozilla: let mozilla play audio
In-Reply-To:
References: <1473524806.18488.3.camel@trentalancia.net> <88e4da55-6d3a-5d36-a54f-98b83cc86038@gmail.com> <1473607339.18488.9.camel@trentalancia.net>
Message-ID: <62CD2F41-F92D-41C0-969C-83E994426BF0@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi!

There was a small diff attached to the previous message to move the permissions to the pulseaudio module in the pulseaudio_client section.

Please refer to that.

Guido

On the 13th of September 2016 00:51:44 CEST, Chris PeBenito wrote:
>On 09/11/16 11:22, Guido Trentalancia via refpolicy wrote:
>> Hello Dominick (and cc Chris) !
>>
>> On Sun, 11/09/2016 at 15.21 +0200, Dominick Grift via refpolicy wrote:
>>> On 09/10/2016 06:26 PM, Guido Trentalancia via refpolicy wrote:
>>>>
>>>> Let mozilla play audio:
>>>>
>>>> - add new interfaces to the pulseaudio module;
>>>> - let mozilla read alsa configuration files;
>>>> - add further permissions to mozilla needed to use
>>>> pulseaudio to play audio.
>>>> >>>> Signed-off-by: Guido Trentalancia >>>> --- >>>> policy/modules/contrib/mozilla.te | 9 ++++ >>>> policy/modules/contrib/pulseaudio.if | 77 >>>> +++++++++++++++++++++++++++++++++++ >>>> 2 files changed, 86 insertions(+) >> >> [...] >> >>> Applies to all pulseaudio clients, so this should have been added to >>> pulseaudio.te instead: >> >> I am fine with improving this. >> >>> optional_policy(` >>> alsa_read_config(pulseaudio_client) >>> alsa_read_home_files(pulseaudio_client) >>> ') >> >> and this: >> >>>> >>>> + pulseaudio_use_fds(mozilla_t) >>> >>> This applies to all pulseaudio_client and thus should be added to >>> pulseaudio.te as follows instead: >>> >>> pulseaudio_use_fds(pulseaudio_client) >> >> as long as it is also fine to Christopher. > >If the rules apply to all pulseaudio domains, then it should be done as > >Dominick suggests. > > > >> The other change (delete instead of read/write) doesn't make a big >> difference in my opinion. >> >> Here is the small diff: >> >> Improvements to the mozilla and pulseaudio modules >> as suggested by Dominick Grift. >> >> policy/modules/contrib/mozilla.te | 14 -------------- >> policy/modules/contrib/pulseaudio.te | 8 ++++++++ >> 2 files changed, 8 insertions(+), 14 deletions(-) >> >> --- >refpolicy-git-06082016-orig/policy/modules/contrib/mozilla.te 2016-09-11 >17:05:47.916850416 +0200 >> +++ >refpolicy-git-06082016/policy/modules/contrib/mozilla.te 2016-09-11 >17:05:27.911531798 +0200 >> @@ -234,11 +267,6 @@ tunable_policy(`use_samba_home_dirs',` >> ') >> >> optional_policy(` >> - alsa_read_config(mozilla_t) >> - alsa_read_home_files(mozilla_t) >> -') >> - >> -optional_policy(` >> apache_read_user_scripts(mozilla_t) >> apache_read_user_content(mozilla_t) >> ') >> @@ -297,8 +329,6 @@ optional_policy(` >> >> optional_policy(` >> pulseaudio_run(mozilla_t, mozilla_roles) >> - pulseaudio_rw_tmpfs_files(mozilla_t) >> - pulseaudio_use_fds(mozilla_t) >> ') >> >> optional_policy(` 
>> @@ -525,11 +569,6 @@ tunable_policy(`use_samba_home_dirs',` >> ') >> >> optional_policy(` >> - alsa_read_config(mozilla_plugin_t) >> - alsa_read_home_files(mozilla_plugin_t) >> -') >> - >> -optional_policy(` >> automount_dontaudit_getattr_tmp_dirs(mozilla_plugin_t) >> ') >> >> @@ -568,8 +607,6 @@ optional_policy(` >> >> optional_policy(` >> pulseaudio_run(mozilla_plugin_t, mozilla_plugin_roles) >> - pulseaudio_rw_tmpfs_files(mozilla_plugin_t) >> - pulseaudio_use_fds(mozilla_plugin_t) >> ') >> >> optional_policy(` >> --- >refpolicy-git-06082016-orig/policy/modules/contrib/pulseaudio.te 2016-08-20 >03:45:31.741027074 +0200 >> +++ >refpolicy-git-06082016/policy/modules/contrib/pulseaudio.te 2016-09-11 >17:15:40.155169246 +0200 >> @@ -231,6 +258,9 @@ pulseaudio_home_filetrans_pulseaudio_hom >> pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, >".pulse-cookie") >> pulseaudio_signull(pulseaudio_client) >> >> +pulseaudio_rw_tmpfs_files(pulseaudio_client) >> +pulseaudio_use_fds(pulseaudio_client) >> + >> userdom_read_user_tmpfs_files(pulseaudio_client) >> userdom_user_runtime_filetrans(pulseaudio_client, pulseaudio_tmp_t, >dir, "pulse") >> # userdom_delete_user_tmpfs_files(pulseaudio_client) >> @@ -250,6 +280,11 @@ tunable_policy(`use_samba_home_dirs',` >> ') >> >> optional_policy(` >> + alsa_read_config(pulseaudio_client) >> + alsa_read_home_files(pulseaudio_client) >> +') >> + >> +optional_policy(` >> pulseaudio_dbus_chat(pulseaudio_client) >> ') >> >> _______________________________________________ >> refpolicy mailing list >> refpolicy at oss.tresys.com >> http://oss.tresys.com/mailman/listinfo/refpolicy >>
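Review bot: the first hunk of mozilla.te is headed "@@ -234,11 +267,6 @@" and the first hunk of pulseaudio.te "@@ -231,6 +258,9 @@", so the old and new start lines already differ by 33 and 27 lines before any change shown in this diff. The two trees therefore differ in places the diff does not show, and it will apply only with offsets. Please regenerate it against a clean tree and resend it as a complete v2; the description of the small diff also carries no Signed-off-by line.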
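Review bot: in the mozilla.te hunk "@@ -297,8 +329,6 @@", only pulseaudio_run(mozilla_t, mozilla_roles) is left in the optional block, so mozilla_t keeps the tmpfs and fd access only if it carries the pulseaudio_client attribute. Nothing in the visible lines shows that pulseaudio_run() assigns that attribute. Please confirm that it does and say so in the description, otherwise the removal takes away the access the original patch set out to add. The same applies to mozilla_plugin_t in the "@@ -568,8 +607,6 @@" hunk.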
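Review bot: in the pulseaudio.te hunk "@@ -231,6 +258,9 @@", the added pulseaudio_rw_tmpfs_files(pulseaudio_client) and pulseaudio_use_fds(pulseaudio_client) grant read/write on the pulseaudio tmpfs files and use of its file descriptors to every domain with the pulseaudio_client attribute, not only to the two mozilla domains they are removed from. The description ("Improvements to the mozilla and pulseaudio modules") does not mention this wider grant. Please state it in the commit message, and note there why read/write is required for all clients, since the neighbouring userdom_read_user_tmpfs_files(pulseaudio_client) line is read-only.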