From: guido@trentalancia.net (Guido Trentalancia)
Date: Thu, 08 Dec 2016 18:09:56 +0100
Subject: [refpolicy] [PATCH 1/2] games: general update and improved pulseaudio integration
Message-ID: <1481216996.20182.5.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Update for the games module and improved integration with pulseaudio. This patch also introduces a new interface needed by later versions of a recently posted window manager (wm) patch.
Signed-off-by: Guido Trentalancia
---
 policy/modules/contrib/games.if | 79 +++++++++++++++++++++++++++++++++++++++-
 policy/modules/contrib/games.te | 17 ++++++++
 2 files changed, 95 insertions(+), 1 deletion(-)
--- refpolicy-git-07122016-orig/policy/modules/contrib/games.if 2016-12-08 16:56:24.204207842 +0100
+++ refpolicy-git-07122016/policy/modules/contrib/games.if 2016-12-08 17:56:49.233100321 +0100
@@ -42,7 +42,6 @@ interface(`games_role',`
 ########################################
 ##
 ## Read and write games data files.
-## games data.
 ##
 ##
 ##
@@ -58,3 +57,81 @@ interface(`games_rw_data',`
 files_search_var_lib($1)
 rw_files_pattern($1, games_data_t, games_data_t)
 ')
+
+########################################
+##
+## Read games tmpfs files.
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`games_read_tmpfs_files',`
+ gen_require(`
+ type games_tmpfs_t;
+ ')
+
+ fs_search_tmpfs($1)
+ read_files_pattern($1, games_tmpfs_t, games_tmpfs_t)
+')
+
+########################################
+##
+## Run a game in the game domain.
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`games_domtrans',`
+ gen_require(`
+ type games_t, games_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, games_exec_t, games_t)
+')
+
+########################################
+##
+## Send null signals to games
+## processes.
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`games_signull',`
+ gen_require(`
+ type games_t;
+ ')
+
+ allow $1 games_t:process signull;
+')
+
+########################################
+##
+## Send and receive messages from
+## games over dbus.
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`games_dbus_chat',`
+ gen_require(`
+ type games_t;
+ class dbus send_msg;
+ ')
+
+ allow $1 games_t:dbus send_msg;
+ allow games_t $1:dbus send_msg;
+')
--- refpolicy-git-07122016-orig/policy/modules/contrib/games.te 2016-12-08 16:56:24.204207842 +0100
+++ refpolicy-git-07122016/policy/modules/contrib/games.te 2016-12-08 17:47:13.726232210 +0100
@@ -95,6 +95,7 @@ optional_policy(`
 # Client local policy
 #
+allow games_t self:fifo_file rw_file_perms;
 allow games_t self:sem create_sem_perms;
 allow games_t self:tcp_socket { accept listen };
@@ -137,6 +138,7 @@ dev_read_sound(games_t)
 dev_read_input(games_t)
 dev_read_mouse(games_t)
 dev_read_urand(games_t)
+dev_rw_dri(games_t)
 dev_write_sound(games_t)
 files_list_var(games_t)
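Review bot: `games_domtrans` performs only the domain transition; with no `role` statement, a caller's role must already be authorized for games_t, which the existing `games_role` interface (visible in the header of the first games.if hunk) provides. Since the commit message says this new interface is meant for a window manager domain, a line in its description such as `## The calling role must already be permitted games_t (see games_role).` would keep the two interfaces from being confused. The `games_read_tmpfs_files` summary could likewise state that games_tmpfs_t is the type the games.te side passes to `xserver_user_x_domain_template`, so readers know which files it actually exposes.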
@@ -146,6 +148,9 @@ files_read_etc_files(games_t)
 files_read_usr_files(games_t)
 files_read_var_files(games_t)
+fs_dontaudit_getattr_xattr_fs(games_t)
+fs_getattr_tmpfs(games_t)
+
 init_dontaudit_rw_utmp(games_t)
 logging_dontaudit_search_logs(games_t)
@@ -166,10 +171,22 @@ tunable_policy(`allow_execmem',`
 ')
 optional_policy(`
+ dbus_all_session_bus_client(games_t)
+ dbus_connect_all_session_bus(games_t)
+')
+
+optional_policy(`
 nscd_use(games_t)
 ')
 optional_policy(`
+ pulseaudio_rw_tmpfs_files(games_t)
+ pulseaudio_signull(games_t)
+ pulseaudio_stream_connect(games_t)
+ pulseaudio_use_fds(games_t)
+')
+
+optional_policy(`
 xserver_user_x_domain_template(games, games_t, games_tmpfs_t)
 xserver_create_xdm_tmp_sockets(games_t)
 xserver_read_xdm_lib_files(games_t)
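Review bot: `dbus_all_session_bus_client(games_t)` together with `dbus_connect_all_session_bus(games_t)` in the second hunk appears to let every game binary connect to and exchange messages with any session bus domain, not just the invoking user's, which is broader than the pulseaudio and window-manager integration the commit message describes. If the narrower `dbus_session_bus_client(games_t)` is sufficient for the caller's own session, it would be the least-privilege choice here; the wm side gets its own `games_dbus_chat` interface in the games.if hunk, so the all-buses grant does not seem required for it. Either way, a one-line rationale above the block, e.g. `# session bus access for pulseaudio / window manager integration`, would help a maintainer judge the grant later, and the same applies to the new pulseaudio block below it.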