From: pebenito@ieee.org (Chris PeBenito) Date: Sat, 16 Sep 2017 13:16:08 -0400 Subject: [refpolicy] [PATCH 1/3] pulseaudio: Add neccessary map permissions In-Reply-To: <20170915171746.28337-1-jason@perfinion.com> References: <20170915171746.28337-1-jason@perfinion.com> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/15/2017 01:17 PM, Jason Zaman via refpolicy wrote:
> ---
> pulseaudio.if | 2 +-
> pulseaudio.te | 5 ++++-
> 2 files changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/pulseaudio.if b/pulseaudio.if
> index bbb17fd..6dff8ba 100644
> --- a/pulseaudio.if
> +++ b/pulseaudio.if
> @@ -33,7 +33,7 @@ interface(`pulseaudio_role',`
> allow $2 pulseaudio_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
>
> allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:dir { manage_dir_perms relabel_dir_perms };
> - allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms };
> + allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms map };
>
> allow $2 pulseaudio_tmp_t:dir { manage_dir_perms relabel_dir_perms };
> allow $2 pulseaudio_tmp_t:file { manage_file_perms relabel_file_perms };
> diff --git a/pulseaudio.te b/pulseaudio.te
> index 0c4945b..37b80d2 100644
> --- a/pulseaudio.te
> +++ b/pulseaudio.te
> @@ -54,7 +54,7 @@ allow pulseaudio_t self:tcp_socket { accept listen };
> allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
>
> allow pulseaudio_t pulseaudio_home_t:dir manage_dir_perms;
> -allow pulseaudio_t pulseaudio_home_t:file manage_file_perms;
> +allow pulseaudio_t pulseaudio_home_t:file { manage_file_perms map };
> allow pulseaudio_t pulseaudio_home_t:lnk_file manage_lnk_file_perms;
>
> userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, dir, ".pulse")
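Review bot: In the `@@ -54,7` hunk of pulseaudio.te, `map` is added to `pulseaudio_home_t:file` next to full `manage_file_perms`, and neither the policy nor the empty commit message records which files the daemon maps or which denial prompted the rule. The map check exists so that policy can withhold mmap on files where every access should be revalidated, so each grant is worth a stated reason. I would add a comment above the rule along the lines of `# map required for <files named in the AVC denial>`, filled in from the denials actually observed. The same applies to the `map` added to the tmpfs file rule of `pulseaudio_role` in pulseaudio.if, whose interface body starts and ends outside that hunk.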
> @@ -73,6 +73,7 @@ userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "native")
>
> manage_dirs_pattern(pulseaudio_t, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
> manage_files_pattern(pulseaudio_t, pulseaudio_tmpfs_t, { pulseaudio_tmpfs_t pulseaudio_tmpfsfile })
> +allow pulseaudio_t { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file map;
> fs_tmpfs_filetrans(pulseaudio_t, pulseaudio_tmpfs_t, { dir file })
>
> manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
> @@ -138,6 +139,7 @@ logging_send_syslog_msg(pulseaudio_t)
> miscfiles_read_localization(pulseaudio_t)
>
> userdom_read_user_tmpfs_files(pulseaudio_t)
> +userdom_map_user_tmpfs_files(pulseaudio_t)
> userdom_delete_user_tmpfs_files(pulseaudio_t)
> userdom_search_user_home_dirs(pulseaudio_t)
> userdom_search_user_home_content(pulseaudio_t)
> @@ -238,6 +240,7 @@ allow pulseaudio_client pulseaudio_tmp_t:file manage_file_perms;
> allow pulseaudio_client pulseaudio_tmp_t:sock_file manage_sock_file_perms;
>
> rw_files_pattern(pulseaudio_client, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t }, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t })
> +allow pulseaudio_client pulseaudio_tmpfs_t:file map;
> delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfile)
>
> fs_getattr_tmpfs(pulseaudio_client)
Merged. -- Chris PeBenito
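Review bot: `userdom_map_user_tmpfs_files(pulseaudio_t)` in the `@@ -138,6` hunk calls an interface that this patch does not define, so the module builds only against a base policy that already provides it. I cannot see the definition from here; if it arrives in another patch of this series or in a separate userdomain change, the commit message should say so to make the required ordering explicit.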
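Review bot: The new `allow pulseaudio_client pulseaudio_tmpfs_t:file map;` in the `@@ -238,6` hunk covers only `pulseaudio_tmpfs_t`, while the `rw_files_pattern` line just above it and the daemon-side rule added in the `@@ -73,6` hunk both name `pulseaudio_tmpfsfile` as well. If clients are meant to map files covered by `pulseaudio_tmpfsfile`, the rule should read `allow pulseaudio_client { pulseaudio_tmpfsfile pulseaudio_tmpfs_t }:file map;`. If the narrower grant is deliberate, a one-line comment saying why would keep a later cleanup from widening it.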