commit: ccd334f66ed8b61c6fc43223ff504a9511eab158 |
Author: Jason Zaman <jason <AT> perfinion <DOT> com> |
AuthorDate: Wed Jun 1 16:12:39 2016 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Wed Jun 1 18:32:45 2016 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ccd334f6 |
|
pulseaudio: fcontext and filetrans for runtime |
|
policy/modules/contrib/pulseaudio.fc | 1 + |
policy/modules/contrib/pulseaudio.te | 7 ++++++- |
2 files changed, 7 insertions(+), 1 deletion(-) |
|
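diff --git a/policy/modules/contrib/pulseaudio.fc b/policy/modules/contrib/pulseaudio.fc
index 9cc63f6..cde5a80 100644
--- a/policy/modules/contrib/pulseaudio.fc
+++ b/policy/modules/contrib/pulseaudio.fc
@@ -7,6 +7,7 @@ HOME_DIR/\.pulse-cookie -- gen_context(system_u:object_r:pulseaudio_home_t,s0)
 /var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0)
 
 /var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0)
+/var/run/%{USERID}/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_tmp_t,s0)
 
 
 ifdef(`distro_gentoo',`
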
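Review bot: The new entry labels the per-user runtime directory `/var/run/%{USERID}/pulse` with pulseaudio_tmp_t, the same type the daemon uses for its /tmp content, so every rule or attribute attached to pulseaudio_tmp_t now also governs files under the user runtime directory; a short comment above the line such as `# per-user runtime dir deliberately shares the tmp type; see the filetrans rules in pulseaudio.te` would record that this reuse is intentional rather than a missing dedicated runtime type. The system-wide `/var/run/pulse(/.*)?` directly above keeps its own pulseaudio_var_run_t, which makes the asymmetry worth spelling out for the next reader. Whether a separate runtime type is warranted depends on the rules granted on pulseaudio_tmp_t outside this diff, so this is a documentation point rather than a defect.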
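diff --git a/policy/modules/contrib/pulseaudio.te b/policy/modules/contrib/pulseaudio.te
index 9b8d84e..94b7ef4 100644
--- a/policy/modules/contrib/pulseaudio.te
+++ b/policy/modules/contrib/pulseaudio.te
@@ -56,6 +56,7 @@ manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
 manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
 manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t)
 files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
+userdom_user_runtime_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)
 userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "autospawn.lock")
 userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid")
 userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "dbus-socket")
@@ -203,8 +204,11 @@ optional_policy(`
 #
 
 allow pulseaudio_client self:unix_dgram_socket sendto;
+allow pulseaudio_client self:process signull;
 
-allow pulseaudio_client pulseaudio_client:process signull;
+allow pulseaudio_client pulseaudio_tmp_t:dir manage_dir_perms;
+allow pulseaudio_client pulseaudio_tmp_t:file manage_file_perms;
+allow pulseaudio_client pulseaudio_tmp_t:sock_file manage_sock_file_perms;
 
 read_files_pattern(pulseaudio_client, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t }, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t })
 delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfile)
@@ -228,6 +232,7 @@ pulseaudio_home_filetrans_pulseaudio_home(pulseaudio_client, file, ".pulse-cooki
 pulseaudio_signull(pulseaudio_client)
 
 userdom_read_user_tmpfs_files(pulseaudio_client)
+userdom_user_runtime_filetrans(pulseaudio_client, pulseaudio_tmp_t, dir, "pulse")
 # userdom_delete_user_tmpfs_files(pulseaudio_client)
 
 tunable_policy(`use_nfs_home_dirs',`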
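Review bot: The daemon-side transition added in the first hunk, `userdom_user_runtime_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir)`, carries no filename, so any directory pulseaudio_t creates directly under a user runtime directory would be labelled pulseaudio_tmp_t, while the matching fcontext in pulseaudio.fc covers only `/var/run/%{USERID}/pulse`; the client-side call in the last hunk does name `"pulse"`. Unless the daemon is known to create other directories there, `userdom_user_runtime_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir, "pulse")` would keep the transition and the file context in agreement and avoid leaving unrelated directories with a label that a relabel would then change. In the second hunk, the three raw `allow pulseaudio_client pulseaudio_tmp_t:...` rules could be written with the `manage_dirs_pattern`/`manage_files_pattern`/`manage_sock_files_pattern` macros, as the pulseaudio_t rules at the top of the first hunk already are, so the client and daemon grants read side by side in the same form. The `tunable_policy` block opened on the last context line continues past the section.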