From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Sun, 25 Mar 2018 13:57:01 +0200 Subject: [refpolicy] [PATCH v3 06/19] Enhance pulseaudio domain with XDG privilege sets In-Reply-To: <20180325115714.5610-1-sven.vermeulen@siphos.be> References: <20180325115714.5610-1-sven.vermeulen@siphos.be> Message-ID: <20180325115714.5610-7-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The pulseaudio domain was configured to use the ~/.config/pulse/ location as pulseaudio_home_t. With the introduction of the XDG-based types, this can now be switched to pulseaudio_xdg_config_t. Signed-off-by: Sven Vermeulen --- pulseaudio.fc | 2 +- pulseaudio.te | 11 +++++++++++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/pulseaudio.fc b/pulseaudio.fc index 146b5a7..0d9bc35 100644 --- a/pulseaudio.fc +++ b/pulseaudio.fc @@ -1,7 +1,7 @@ HOME_DIR/\.esd_auth -- gen_context(system_u:object_r:pulseaudio_home_t,s0) HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0) HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0) -HOME_DIR/\.config/pulse(/.*)? -- gen_context(system_u:object_r:pulseaudio_home_t,s0) +HOME_DIR/\.config/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_xdg_config_t,s0) /usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) diff --git a/pulseaudio.te b/pulseaudio.te index 4df510e..96a28a9 100644 --- a/pulseaudio.te +++ b/pulseaudio.te @@ -40,6 +40,9 @@ files_type(pulseaudio_var_lib_t) type pulseaudio_var_run_t; files_pid_file(pulseaudio_var_run_t) +type pulseaudio_xdg_config_t; +xdg_config_content(pulseaudio_xdg_config_t) + ######################################## # # Local policy @@ -87,6 +90,10 @@ manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file }) +manage_dirs_pattern(pulseaudio_t, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t) +manage_files_pattern(pulseaudio_t, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t) +xdg_config_filetrans(pulseaudio_t, pulseaudio_xdg_config_t, dir, "pulse") + allow pulseaudio_t pulseaudio_client:process signull; ps_process_pattern(pulseaudio_t, pulseaudio_client) @@ -247,6 +254,10 @@ rw_files_pattern(pulseaudio_client, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t }, allow pulseaudio_client pulseaudio_tmpfs_t:file map; delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfile) +manage_dirs_pattern(pulseaudio_client, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t) +manage_files_pattern(pulseaudio_client, pulseaudio_xdg_config_t, pulseaudio_xdg_config_t) +xdg_config_filetrans(pulseaudio_client, pulseaudio_xdg_config_t, dir, "pulse") + fs_getattr_tmpfs(pulseaudio_client) corenet_all_recvfrom_unlabeled(pulseaudio_client) -- 2.16.1