pulseaudio patch from Dan Walsh
Fixed template where it should have been interface Replaced read_home and manage_home interfaces with read_home_files, manage_home_files and reduced access Removed admin_dir reference Replaced rtkit_daemon_system_domain with rtkit_scheduled Fixed style / spacing issues
This commit is contained in:
parent
d279dd603f
commit
18683835fd
|
@ -1 +1,9 @@
|
|||
HOME_DIR/\.pulse-cookie gen_context(system_u:object_r:pulseaudio_home_t,s0)
|
||||
HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0)
|
||||
|
||||
/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
|
||||
|
||||
/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
|
||||
|
||||
/usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0)
|
||||
|
||||
|
|
|
@ -18,7 +18,7 @@
|
|||
interface(`pulseaudio_role',`
|
||||
gen_require(`
|
||||
type pulseaudio_t, pulseaudio_exec_t, print_spool_t;
|
||||
class dbus { send_msg };
|
||||
class dbus { acquire_svc send_msg };
|
||||
')
|
||||
|
||||
role $1 types pulseaudio_t;
|
||||
|
@ -29,7 +29,7 @@ interface(`pulseaudio_role',`
|
|||
ps_process_pattern($2, pulseaudio_t)
|
||||
|
||||
allow pulseaudio_t $2:process { signal signull };
|
||||
allow $2 pulseaudio_t:process { signal signull };
|
||||
allow $2 pulseaudio_t:process { signal signull sigkill };
|
||||
ps_process_pattern(pulseaudio_t, $2)
|
||||
|
||||
allow pulseaudio_t $2:unix_stream_socket connectto;
|
||||
|
@ -40,7 +40,7 @@ interface(`pulseaudio_role',`
|
|||
userdom_manage_tmpfs_role($1, pulseaudio_t)
|
||||
|
||||
allow $2 pulseaudio_t:dbus send_msg;
|
||||
allow pulseaudio_t $2:dbus send_msg;
|
||||
allow pulseaudio_t $2:dbus { acquire_svc send_msg };
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -98,7 +98,7 @@ interface(`pulseaudio_run',`
|
|||
#
|
||||
interface(`pulseaudio_exec',`
|
||||
gen_require(`
|
||||
type pulseaudio_exec_t;
|
||||
type pulseaudio_exec_t;
|
||||
')
|
||||
|
||||
can_exec($1,pulseaudio_exec_t)
|
||||
|
@ -127,20 +127,78 @@ interface(`pulseaudio_dbus_chat',`
|
|||
|
||||
########################################
|
||||
## <summary>
|
||||
## pulsaudio connection template.
|
||||
## Read pulseaudio homedir files
|
||||
## </summary>
|
||||
## <param name="user_domain">
|
||||
## <summary>
|
||||
## The type of the user domain.
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`pulseaudio_read_home_files',`
|
||||
gen_require(`
|
||||
type pulseaudio_home_t;
|
||||
')
|
||||
|
||||
userdom_search_user_home_dirs($1)
|
||||
read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Manage pulseaudio homedir files
|
||||
## </summary>
|
||||
## <param name="user_domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`pulseaudio_manage_home_files',`
|
||||
gen_require(`
|
||||
type pulseaudio_home_t;
|
||||
')
|
||||
|
||||
userdom_search_user_home_dirs($1)
|
||||
manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow domain to setattr on pulseaudio homedir
|
||||
## </summary>
|
||||
## <param name="user_domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`pulseaudio_setattr_home_dir',`
|
||||
gen_require(`
|
||||
type pulseaudio_home_t;
|
||||
')
|
||||
|
||||
allow $1 pulseaudio_home_t:dir setattr;
|
||||
')
|
||||
|
||||
#####################################
|
||||
## <summary>
|
||||
## Connect to pulseaudio over a unix domain
|
||||
## stream socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`pulseaudio_stream_connect',`
|
||||
gen_require(`
|
||||
type pulseaudio_t;
|
||||
type pulseaudio_t, pulseaudio_var_run_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
allow $1 pulseaudio_t:process signull;
|
||||
allow pulseaudio_t $1:process signull;
|
||||
allow $1 pulseaudio_t:unix_stream_socket connectto;
|
||||
stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t)
|
||||
')
|
||||
|
|
|
@ -8,24 +8,51 @@ policy_module(pulseaudio, 1.1.1)
|
|||
|
||||
type pulseaudio_t;
|
||||
type pulseaudio_exec_t;
|
||||
init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
|
||||
application_domain(pulseaudio_t, pulseaudio_exec_t)
|
||||
role system_r types pulseaudio_t;
|
||||
|
||||
type pulseaudio_home_t;
|
||||
userdom_user_home_content(pulseaudio_home_t)
|
||||
|
||||
type pulseaudio_tmpfs_t;
|
||||
files_tmpfs_file(pulseaudio_tmpfs_t)
|
||||
|
||||
type pulseaudio_var_lib_t;
|
||||
files_type(pulseaudio_var_lib_t)
|
||||
|
||||
type pulseaudio_var_run_t;
|
||||
files_pid_file(pulseaudio_var_run_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# pulseaudio local policy
|
||||
#
|
||||
|
||||
allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config };
|
||||
allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull };
|
||||
allow pulseaudio_t self:fifo_file rw_file_perms;
|
||||
allow pulseaudio_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow pulseaudio_t self:unix_stream_socket { create_stream_socket_perms connectto };
|
||||
allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms };
|
||||
allow pulseaudio_t self:tcp_socket create_stream_socket_perms;
|
||||
allow pulseaudio_t self:udp_socket create_socket_perms;
|
||||
allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
|
||||
|
||||
userdom_search_user_home_dirs(pulseaudio_t)
|
||||
manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
|
||||
manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
|
||||
|
||||
manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
|
||||
manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
|
||||
files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
|
||||
|
||||
manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
|
||||
manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
|
||||
manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
|
||||
files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file })
|
||||
|
||||
can_exec(pulseaudio_t, pulseaudio_exec_t)
|
||||
|
||||
kernel_getattr_proc(pulseaudio_t)
|
||||
kernel_read_system_state(pulseaudio_t)
|
||||
kernel_read_kernel_sysctls(pulseaudio_t)
|
||||
|
||||
|
@ -67,10 +94,7 @@ optional_policy(`
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
gnome_manage_config(pulseaudio_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
dbus_system_domain(pulseaudio_t, pulseaudio_exec_t)
|
||||
dbus_system_bus_client(pulseaudio_t)
|
||||
dbus_session_bus_client(pulseaudio_t)
|
||||
dbus_connect_session_bus(pulseaudio_t)
|
||||
|
@ -92,6 +116,10 @@ optional_policy(`
|
|||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
rtkit_scheduled(pulseaudio_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
policykit_domtrans_auth(pulseaudio_t)
|
||||
policykit_read_lib(pulseaudio_t)
|
||||
|
@ -103,6 +131,9 @@ optional_policy(`
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
xserver_stream_connect(pulseaudio_t)
|
||||
xserver_manage_xdm_tmp_files(pulseaudio_t)
|
||||
xserver_read_xdm_lib_files(pulseaudio_t)
|
||||
xserver_read_xdm_pid(pulseaudio_t)
|
||||
xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
|
||||
')
|
||||
|
|
Loading…
Reference in New Issue