Allow alsa_t to create alsa_runtime_t file as well

When alsactl is started as a daemon, it creates a pidfile
(/run/alsactl.pid), which needs to be allowed

----
time->Sun Oct  6 10:59:09 2019
type=AVC msg=audit(1570352349.743:45): avc:  denied  { write open } for  pid=804 comm="alsactl" path="/run/alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570352349.743:45): avc:  denied  { create } for  pid=804 comm="alsactl" name="alsactl.pid" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Sun Oct  6 11:54:38 2019
type=AVC msg=audit(1570355678.226:657): avc:  denied  { open } for  pid=9186 comm="alsactl" path="/run/alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570355678.226:657): avc:  denied  { read } for  pid=9186 comm="alsactl" name="alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Sun Oct  6 11:54:38 2019
type=AVC msg=audit(1570355678.230:659): avc:  denied  { unlink } for  pid=804 comm="alsactl" name="alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
Laurent Bigonville 2019-10-06 12:01:48 +02:00
parent 9b18951eb0
commit 56a11f07c3
2 changed files with 3 additions and 1 deletions


@ -4,6 +4,7 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
/etc/asound\.conf -- gen_context(system_u:object_r:alsa_etc_t,s0)
/run/alsa(/.*)? gen_context(system_u:object_r:alsa_runtime_t,s0)
/run/alsactl\.pid -- gen_context(system_u:object_r:alsa_runtime_t,s0)
/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
/usr/bin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
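Review bot: The new `/run/alsactl\.pid` entry only governs relabeling (setfiles/restorecon); the label the pidfile actually receives when the daemon creates it comes from the `files_pid_filetrans` rule in alsa.te, which as changed in this commit transitions every file alsa_t creates directly under /run to alsa_runtime_t, not just the pidfile. Passing the interface's filename argument, `files_pid_filetrans(alsa_t, alsa_runtime_t, file, "alsactl.pid")`, keeps the two files in step and leaves any other file the domain might create in /run labelled var_run_t instead of silently falling under manage_file_perms. That hunk's end is outside this view, so I could not confirm whether the rule is narrowed further down. The existing `/run/alsa(/.*)?` pattern does not match the pidfile (the `ctl.pid` suffix falls outside the optional `/.*` group), so the separate entry itself is needed.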


@ -58,8 +58,9 @@ allow alsa_t alsa_etc_t:file map;
can_exec(alsa_t, alsa_exec_t)
allow alsa_t alsa_runtime_t:dir manage_dir_perms;
allow alsa_t alsa_runtime_t:file manage_file_perms;
allow alsa_t alsa_runtime_t:lnk_file manage_lnk_file_perms;
files_pid_filetrans(alsa_t, alsa_runtime_t, dir)
files_pid_filetrans(alsa_t, alsa_runtime_t, { dir file })
manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)