From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 11 Dec 2016 15:51:48 -0500
Subject: [refpolicy] [PATCH 1/2] pulseaudio: update server and client permissions
In-Reply-To: <1481317805.8850.3.camel@trentalancia.net>
References: <1481317805.8850.3.camel@trentalancia.net>
Message-ID: <60f3ebc6-79b4-d4a5-9539-a6540f532625@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/09/16 16:10, Guido Trentalancia via refpolicy wrote:
> Update the pulseaudio module, so that:
> - the pulseaudio server can send the signull signal to its clients;
> - the pulseaudio server can manage not only pulseaudio_tmpfs files
>   but all pulseaudio_tmpfs_content;
> - pulseaudio clients can also write and not just read pulseaudio
>   content files in the temporary filesystems (tmpfs);
> - pulseaudio clients can use file descriptors for pulseaudio.
>
> This patch has been triggered by recent testing of the games module
> and it makes the following patch obsolete (not applied yet):
>
> [PATCH 2/2] pulseaudio: improve the support for Gnome games
> http://oss.tresys.com/pipermail/refpolicy/2016-December/008651.html
>
> It also makes obsolete interface calls to the following interfaces
> in addition to pulseaudio_run(): pulseaudio_rw_tmpfs_files() and
> pulseaudio_use_fds(). These are currently used in the mozilla
> module (removed in part 2/2 of this patchset).

Merged.

> Signed-off-by: Guido Trentalancia
> ---
> policy/modules/contrib/pulseaudio.if | 1 +
> policy/modules/contrib/pulseaudio.te | 5 +++--
> 2 files changed, 4 insertions(+), 2 deletions(-)
>
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/pulseaudio.if refpolicy-git-07122016/policy/modules/contrib/pulseaudio.if
> --- refpolicy-git-07122016-orig/policy/modules/contrib/pulseaudio.if 2016-09-27 16:28:51.964139648 +0200
> +++ refpolicy-git-07122016/policy/modules/contrib/pulseaudio.if 2016-12-09 21:37:37.848562623 +0100
> @@ -40,6 +40,7 @@ interface(`pulseaudio_role',` > allow $2 pulseaudio_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; > > allow pulseaudio_t $2:unix_stream_socket connectto; > + allow pulseaudio_t $2:process signull; > ') > > ######################################## > diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/pulseaudio.te refpolicy-git-07122016/policy/modules/contrib/pulseaudio.te > --- refpolicy-git-07122016-orig/policy/modules/contrib/pulseaudio.te 2016-12-08 18:23:09.689033221 +0100 > +++ refpolicy-git-07122016/policy/modules/contrib/pulseaudio.te 2016-12-09 21:48:58.706665014 +0100 > @@ -72,7 +72,7 @@ userdom_user_tmp_filetrans(pulseaudio_t, > userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "native") > > manage_dirs_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) > -manage_files_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) > +manage_files_pattern(pulseaudio_t, pulseaudio_tmpfs_t, { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }) > fs_tmpfs_filetrans(pulseaudio_t, pulseaudio_tmpfs_t, { dir file }) > > manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) > @@ -237,7 +237,7 @@ allow pulseaudio_client pulseaudio_tmp_t > allow pulseaudio_client pulseaudio_tmp_t:file manage_file_perms; > allow pulseaudio_client pulseaudio_tmp_t:sock_file manage_sock_file_perms; > > -read_files_pattern(pulseaudio_client, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t }, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t }) > +rw_files_pattern(pulseaudio_client, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t }, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t }) > delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfile) > > fs_getattr_tmpfs(pulseaudio_client) 
> @@ -257,6 +257,7 @@ pulseaudio_home_filetrans_pulseaudio_hom > pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".esd_auth") > pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cookie") > pulseaudio_signull(pulseaudio_client) > +pulseaudio_use_fds(pulseaudio_client) > > userdom_read_user_tmpfs_files(pulseaudio_client) > userdom_user_runtime_filetrans(pulseaudio_client, pulseaudio_tmp_t, dir, "pulse") -- Chris PeBenito
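Review bot: In the pulseaudio.if hunk (pulseaudio_role, @@ -40), the new `allow pulseaudio_t $2:process signull;` only covers domains that go through pulseaudio_role, so a client that merely carries the pulseaudio_client attribute (the mozilla case mentioned in the commit message) still gets no signull from the server. If the intent is "the server can signull its clients", a single `allow pulseaudio_t pulseaudio_client:process signull;` in pulseaudio.te next to the other pulseaudio_client rules would cover every client uniformly; if the per-role rule is deliberate, the interface's doc block should say the role domain is signull-able by the server.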
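Review bot: In the pulseaudio.te hunk at @@ -72, the commit message speaks of "pulseaudio_tmpfs_content", but the hunk widens `manage_files_pattern` with the `pulseaudio_tmpfsfile` attribute; please make the two agree so a reader can grep for the right name. Note also that the widening applies to the file-type argument only, while the directory argument and `fs_tmpfs_filetrans(pulseaudio_t, pulseaudio_tmpfs_t, { dir file })` stay on pulseaudio_tmpfs_t, which is consistent with the server owning the directories and other modules contributing only file types via the attribute; worth a short comment above the rule, since any module that attaches the attribute now hands the server full manage rights on those files.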
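Review bot: In the pulseaudio.te hunk at @@ -237, `rw_files_pattern(pulseaudio_client, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t }, ...)` gives every client write access to the server's own pulseaudio_tmpfs_t files, not only to files labelled with the per-module pulseaudio_tmpfsfile attribute. If clients only need to write their own shared-memory files, limit the write half to pulseaudio_tmpfsfile and keep pulseaudio_tmpfs_t at read, e.g. keep the original `read_files_pattern(...)` line and add `rw_files_pattern(pulseaudio_client, pulseaudio_tmpfs_t, pulseaudio_tmpfsfile)`; if clients really must write server-owned files, say so in a comment, because the adjacent `delete_files_pattern` already draws exactly that distinction by naming pulseaudio_tmpfsfile alone.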
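Review bot: In the pulseaudio.te hunk at @@ -257, adding `pulseaudio_use_fds(pulseaudio_client)` makes the explicit pulseaudio_use_fds() and pulseaudio_rw_tmpfs_files() calls in any pulseaudio_client domain redundant, as the commit message notes for mozilla. Since part 2/2 is not applied yet, please confirm the remaining in-tree callers of those two interfaces are all pulseaudio_client domains, and consider a line in the pulseaudio_client documentation in pulseaudio.if stating that clients now receive fd use, tmpfs read/write and signull by default, so module authors stop adding the individual calls.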