From: guido@trentalancia.net (Guido Trentalancia) Date: Fri, 09 Dec 2016 22:29:26 +0100 Subject: [refpolicy] [PATCH v3 1/2] games: general update and improved pulseaudio integration In-Reply-To: <1481303406.15060.6.camel@trentalancia.net> References: <1481216996.20182.5.camel@trentalancia.net> <6f6a7bd9-45f2-9f77-b8d8-ff2c93301acc@gmail.com> <1481297005.21097.2.camel@trentalancia.net> <23921624-9a6c-e27e-9c96-eaf27b42e329@gmail.com> <1481302735.15060.2.camel@trentalancia.net> <1481303406.15060.6.camel@trentalancia.net> Message-ID: <1481318966.8850.6.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Update for the games module and integration with pulseaudio. This patch introduces a new interface needed by later versions of a recently posted window manager (wm) patch. This third version of the patch relies on the following recent change proposals for the pulseaudio module: [PATCH 1/2] pulseaudio: update server and client permissions http://oss.tresys.com/pipermail/refpolicy/2016-December/008677.html and it makes part 2/2 obsolete. Signed-off-by: Guido Trentalancia --- policy/modules/contrib/games.if | 41 +++++++++++++++++++++++++++++++++++++++- policy/modules/contrib/games.te | 17 ++++++++++++++++ 2 files changed, 57 insertions(+), 1 deletion(-) diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/games.if refpolicy-git-07122016/policy/modules/contrib/games.if --- refpolicy-git-07122016-orig/policy/modules/contrib/games.if 2016-12-08 18:23:14.044084368 +0100 +++ refpolicy-git-07122016/policy/modules/contrib/games.if 2016-12-09 22:13:38.424448790 +0100 @@ -42,7 +42,6 @@ interface(`games_role',` ######################################## ## ## Read and write games data files. -## games data. ## ## ## 
@@ -58,3 +57,43 @@ interface(`games_rw_data',` files_search_var_lib($1) rw_files_pattern($1, games_data_t, games_data_t) ') + +######################################## +## +## Run a game in the game domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`games_domtrans',` + gen_require(` + type games_t, games_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, games_exec_t, games_t) +') + +######################################## +## +## Send and receive messages from +## games over dbus. +## +## +## +## Domain allowed access. +## +## +# +interface(`games_dbus_chat',` + gen_require(` + type games_t; + class dbus send_msg; + ') + + allow $1 games_t:dbus send_msg; + allow games_t $1:dbus send_msg; +') diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/games.te refpolicy-git-07122016/policy/modules/contrib/games.te --- refpolicy-git-07122016-orig/policy/modules/contrib/games.te 2016-12-08 18:23:14.044084368 +0100 +++ refpolicy-git-07122016/policy/modules/contrib/games.te 2016-12-09 22:18:09.451695873 +0100 @@ -42,6 +42,10 @@ typealias games_tmpfs_t alias { user_gam typealias games_tmpfs_t alias { auditadm_games_tmpfs_t secadm_games_tmpfs_t }; userdom_user_tmpfs_file(games_tmpfs_t) +optional_policy(` + pulseaudio_tmpfs_content(games_tmpfs_t) +') + ######################################## # # Server local policy @@ -95,6 +99,7 @@ optional_policy(` # Client local policy # +allow games_t self:fifo_file rw_file_perms; allow games_t self:sem create_sem_perms; allow games_t self:tcp_socket { accept listen }; @@ -137,6 +142,7 @@ dev_read_sound(games_t) dev_read_input(games_t) dev_read_mouse(games_t) dev_read_urand(games_t) +dev_rw_dri(games_t) dev_write_sound(games_t) files_list_var(games_t) @@ -146,6 +152,8 @@ files_read_etc_files(games_t) files_read_usr_files(games_t) files_read_var_files(games_t) +fs_dontaudit_getattr_xattr_fs(games_t) + init_dontaudit_rw_utmp(games_t) logging_dontaudit_search_logs(games_t) 
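Review bot: games_domtrans only sets up the type transition into games_t and says nothing about RBAC; a caller running in a role that has not been added to games_roles (which games_role appears to populate, judging by the games_roles attribute used in games.te) still has the exec refused with a role denial. Either document that in the interface summary, e.g. `##	The caller's role must already be allowed games_t; roles are set up by games_role.`, or pair it with a games_run-style interface that also takes a role and adds it to games_roles, which is the usual refpolicy pattern for domains that carry a roles attribute. games_dbus_chat reads fine as the standard bidirectional send_msg pair.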
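Review bot: pulseaudio_tmpfs_content is an interface this series says comes from the separate pulseaudio patch, and optional_policy does not protect against an undefined interface name — it only wraps the expanded rules in an optional block for link time — so a tree that takes this patch before the pulseaudio one presumably fails at m4 expansion with the call left unexpanded. Either state the ordering in the commit message (this patch depends on pulseaudio 1/2) or have the pulseaudio change land first. The block also sits in the declarations section, which is acceptable for a type-attribute assignment, but a one-line comment such as `# games_tmpfs_t is shared with pulseaudio` would make the placement obvious.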
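Review bot: `allow games_t self:fifo_file rw_file_perms;` applies the regular-file permission set to a fifo; the refpolicy idiom for pipes is `allow games_t self:fifo_file rw_fifo_file_perms;`. The two sets are the same today, but the fifo-specific macro keeps the object class and permission set in step and matches what the rest of the tree uses for self fifo_file rules.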
@@ -166,10 +174,19 @@ tunable_policy(`allow_execmem',` ') optional_policy(` + dbus_all_session_bus_client(games_t) + dbus_connect_all_session_bus(games_t) +') + +optional_policy(` nscd_use(games_t) ') optional_policy(` + pulseaudio_run(games_t, games_roles) +') + +optional_policy(` xserver_user_x_domain_template(games, games_t, games_tmpfs_t) xserver_create_xdm_tmp_sockets(games_t) xserver_read_xdm_lib_files(games_t)
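Review bot: The new dbus block gives games_t client access to every session bus type with no comment on why a game client now needs dbus at all; the module had no dbus rules before and the commit message explains only the pulseaudio side. A one-line why-comment above `dbus_all_session_bus_client(games_t)` would stop the next reader from treating it as cruft — presumably it is for the pulseaudio client's session-bus server lookup, but confirm and state it, e.g. `# session bus: pulseaudio client server lookup (confirm)`. The pulseaudio_run block reads as expected for a domain that may start the server itself, and the alphabetical placement of both new blocks is right.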