From 56a11f07c39dacfed512e0d566ce65e458435e8a Mon Sep 17 00:00:00 2001
From: Laurent Bigonville
Date: Sun, 6 Oct 2019 12:01:48 +0200
Subject: [PATCH] Allow alsa_t to create alsa_runtime_t file as well
When alsactl is started as a daemon, it creates a pidfile (/run/alsactl.pid), that needs to be allowed
----
time->Sun Oct 6 10:59:09 2019
type=AVC msg=audit(1570352349.743:45): avc: denied { write open } for pid=804 comm="alsactl" path="/run/alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570352349.743:45): avc: denied { create } for pid=804 comm="alsactl" name="alsactl.pid" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Sun Oct 6 11:54:38 2019
type=AVC msg=audit(1570355678.226:657): avc: denied { open } for pid=9186 comm="alsactl" path="/run/alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570355678.226:657): avc: denied { read } for pid=9186 comm="alsactl" name="alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Sun Oct 6 11:54:38 2019
type=AVC msg=audit(1570355678.230:659): avc: denied { unlink } for pid=804 comm="alsactl" name="alsactl.pid" dev="tmpfs" ino=25882 scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
Signed-off-by: Laurent Bigonville
---
policy/modules/admin/alsa.fc | 1 +
policy/modules/admin/alsa.te | 3 ++-
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/policy/modules/admin/alsa.fc b/policy/modules/admin/alsa.fc
index 75ea9ebf1..3f52f370f 100644
--- a/policy/modules/admin/alsa.fc
+++ b/policy/modules/admin/alsa.fc
@@ -4,6 +4,7 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0)
 /etc/asound\.conf -- gen_context(system_u:object_r:alsa_etc_t,s0)
 /run/alsa(/.*)? gen_context(system_u:object_r:alsa_runtime_t,s0)
+/run/alsactl\.pid -- gen_context(system_u:object_r:alsa_runtime_t,s0)
 /usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
 /usr/bin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
index e567dd324..9d053c4df 100644
--- a/policy/modules/admin/alsa.te
+++ b/policy/modules/admin/alsa.te
@@ -58,8 +58,9 @@ allow alsa_t alsa_etc_t:file map;
 can_exec(alsa_t, alsa_exec_t)
 allow alsa_t alsa_runtime_t:dir manage_dir_perms;
+allow alsa_t alsa_runtime_t:file manage_file_perms;
 allow alsa_t alsa_runtime_t:lnk_file manage_lnk_file_perms;
-files_pid_filetrans(alsa_t, alsa_runtime_t, dir)
+files_pid_filetrans(alsa_t, alsa_runtime_t, { dir file })
 manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
 manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
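Review bot: The new `files_pid_filetrans(alsa_t, alsa_runtime_t, { dir file })` in the alsa.te hunk makes every file alsa_t creates directly under /run come out as alsa_runtime_t, while the alsa.fc hunk labels only the single name `/run/alsactl\.pid`, so any other file the daemon ever writes there would get a label that a later restorecon would revert to var_run_t. All the denials quoted in the commit message are for alsactl.pid, so the file transition can be restricted to that name with the interface's optional filename argument: keep `files_pid_filetrans(alsa_t, alsa_runtime_t, dir)` and add `files_pid_filetrans(alsa_t, alsa_runtime_t, file, "alsactl.pid")` (presumably this refpolicy's files.if accepts the fourth argument — verify before relying on it). The `manage_file_perms` grant is wider than the write/open/create/read/unlink set in the AVCs, but it is the usual refpolicy granularity for a domain's own runtime type and keeps rename/setattr of the pidfile working, so it is fine as written.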