From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 18 Dec 2016 17:56:28 -0500
Subject: [refpolicy] [PATCH 1/2] games: general update and improved pulseaudio integration
In-Reply-To: <1481998696.13429.7.camel@trentalancia.net>
References: <1481998696.13429.7.camel@trentalancia.net>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 12/17/16 13:18, Guido Trentalancia via refpolicy wrote:
> Update for the games module and integration with pulseaudio.
>
> Signed-off-by: Guido Trentalancia
> ---
> policy/modules/contrib/games.if | 41 +++++++++++++++++++++++++++++++++++++++-
> policy/modules/contrib/games.te | 17 ++++++++++++++++
> 2 files changed, 57 insertions(+), 1 deletion(-)
>
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/games.if refpolicy-git-07122016/policy/modules/contrib/games.if
> --- refpolicy-git-07122016-orig/policy/modules/contrib/games.if 2016-12-08 18:23:14.044084368 +0100
> +++ refpolicy-git-07122016/policy/modules/contrib/games.if 2016-12-09 22:13:38.424448790 +0100
> @@ -42,7 +42,6 @@ interface(`games_role',`
> ########################################
> ##
> ## Read and write games data files.
> -## games data.
> ##
> ##
> ##
> @@ -58,3 +57,43 @@ interface(`games_rw_data',`
> files_search_var_lib($1)
> rw_files_pattern($1, games_data_t, games_data_t)
> ')
> +
> +########################################
> +##
> +## Run a game in the game domain.
> +##
> +##
> +##
> +## Domain allowed to transition.
> +##
> +##
> +#
> +interface(`games_domtrans',`
> + gen_require(`
> + type games_t, games_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + domtrans_pattern($1, games_exec_t, games_t)
> +')
> +
> +########################################
> +##
> +## Send and receive messages from
> +## games over dbus.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`games_dbus_chat',`
> + gen_require(`
> + type games_t;
> + class dbus send_msg;
> + ')
> +
> + allow $1 games_t:dbus send_msg;
> + allow games_t $1:dbus send_msg;
> +')
> diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/games.te refpolicy-git-07122016/policy/modules/contrib/games.te
> --- refpolicy-git-07122016-orig/policy/modules/contrib/games.te 2016-12-08 18:23:14.044084368 +0100
> +++ refpolicy-git-07122016/policy/modules/contrib/games.te 2016-12-09 22:18:09.451695873 +0100
> @@ -42,6 +42,10 @@ typealias games_tmpfs_t alias { user_gam
> typealias games_tmpfs_t alias { auditadm_games_tmpfs_t secadm_games_tmpfs_t };
> userdom_user_tmpfs_file(games_tmpfs_t)
>
> +optional_policy(`
> + pulseaudio_tmpfs_content(games_tmpfs_t)
> +')
> +
> ########################################
> #
> # Server local policy
> @@ -95,6 +99,7 @@ optional_policy(`
> # Client local policy
> #
>
> +allow games_t self:fifo_file rw_file_perms;
> allow games_t self:sem create_sem_perms;
> allow games_t self:tcp_socket { accept listen };
>
> @@ -137,6 +142,7 @@ dev_read_sound(games_t)
> dev_read_input(games_t)
> dev_read_mouse(games_t)
> dev_read_urand(games_t)
> +dev_rw_dri(games_t)
> dev_write_sound(games_t)
>
> files_list_var(games_t)
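Review bot: The doc block for `games_domtrans` should say that it grants only the type transition. `domtrans_pattern($1, games_exec_t, games_t)` associates no role with games_t, so a caller running under a role that is not authorised for games_t will still be refused at the role check. I would add a summary line such as `## Callers that also need the role association should use games_role().` Neither new interface is called in the games.te hunks of this patch, so the intended callers are presumably elsewhere in the series.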
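Review bot: In the `@@ -137,6 +142,7 @@` hunk, `dev_rw_dri(games_t)` is added unconditionally and without a comment, so every program that runs in games_t gains read/write access to the DRI device nodes. That exposes the GPU driver's kernel interface to a domain that can also accept TCP connections (`allow games_t self:tcp_socket { accept listen };` in the previous hunk). A why-comment above the call would make the trade-off reviewable, for example `# Direct rendering (OpenGL) requires the DRI device nodes.` If only some games need it, a tunable in the style of the `allow_execmem` block later in the file may fit better; that is the maintainer's call.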
> @@ -146,6 +152,8 @@ files_read_etc_files(games_t)
> files_read_usr_files(games_t)
> files_read_var_files(games_t)
>
> +fs_dontaudit_getattr_xattr_fs(games_t)
> +
> init_dontaudit_rw_utmp(games_t)
>
> logging_dontaudit_search_logs(games_t)
> @@ -166,10 +174,19 @@ tunable_policy(`allow_execmem',`
> ')
>
> optional_policy(`
> + dbus_all_session_bus_client(games_t)
> + dbus_connect_all_session_bus(games_t)
> +')
> +
> +optional_policy(`
> nscd_use(games_t)
> ')
>
> optional_policy(`
> + pulseaudio_run(games_t, games_roles)
> +')
> +
> +optional_policy(`
> xserver_user_x_domain_template(games, games_t, games_tmpfs_t)
> xserver_create_xdm_tmp_sockets(games_t)
> xserver_read_xdm_lib_files(games_t)
Merged.
--
Chris PeBenito
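Review bot: `fs_dontaudit_getattr_xattr_fs(games_t)` in the `@@ -146,6 +152,8 @@` hunk silences a denial rather than granting access, and nothing in the hunk says which operation triggers it. A dontaudit rule removes the AVC record an analyst would otherwise see for this domain, so the reason should be written down next to it. I would add a comment such as `# Suppress getattr denials on xattr filesystems caused by <component seen in the AVC log>.`, with the placeholder replaced by the observed cause. The rule can still be lifted temporarily with `semodule -DB` when debugging.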
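Review bot: The first block added in the `@@ -166,10 +174,19 @@` hunk gives games_t access to all session bus types rather than only the bus of the role it runs under. `dbus_connect_all_session_bus` (if I read dbus.if correctly, this is the acquire_svc permission) additionally lets a game own service names on those buses. If the goal is only to reach pulseaudio over the session bus, client access alone may be enough, and the per-role `dbus_spec_session_bus_client` variant would be narrower; please confirm against the denials actually observed. Separately, `pulseaudio_run(games_t, games_roles)` relies on `games_roles` being declared outside this hunk.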