From 18683835fd8fa847cdf601290b1721286a5c9fc8 Mon Sep 17 00:00:00 2001 From: Jeremy Solt Date: Tue, 23 Mar 2010 15:51:04 -0400 Subject: [PATCH] pulseaudio patch from Dan Walsh Fixed template where it should have been interface Replaced read_home and manage_home interfaces with read_home_files, manage_home_files and reduced access Removed admin_dir reference Replaced rtkit_daemon_system_domain with rtkit_scheduled Fixed style / spacing issues --- policy/modules/apps/pulseaudio.fc | 8 ++++ policy/modules/apps/pulseaudio.if | 74 +++++++++++++++++++++++++++---- policy/modules/apps/pulseaudio.te | 43 +++++++++++++++--- 3 files changed, 111 insertions(+), 14 deletions(-) diff --git a/policy/modules/apps/pulseaudio.fc b/policy/modules/apps/pulseaudio.fc index 5164058c..630ca730 100644 --- a/policy/modules/apps/pulseaudio.fc +++ b/policy/modules/apps/pulseaudio.fc @@ -1 +1,9 @@ +HOME_DIR/\.pulse-cookie gen_context(system_u:object_r:pulseaudio_home_t,s0) +HOME_DIR/\.pulse(/.*)? gen_context(system_u:object_r:pulseaudio_home_t,s0) + +/var/lib/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_lib_t,s0) + +/var/run/pulse(/.*)? gen_context(system_u:object_r:pulseaudio_var_run_t,s0) + /usr/bin/pulseaudio -- gen_context(system_u:object_r:pulseaudio_exec_t,s0) + diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if index 2116903f..0eacdcb2 100644 --- a/policy/modules/apps/pulseaudio.if +++ b/policy/modules/apps/pulseaudio.if @@ -18,7 +18,7 @@ interface(`pulseaudio_role',` gen_require(` type pulseaudio_t, pulseaudio_exec_t, print_spool_t; - class dbus { send_msg }; + class dbus { acquire_svc send_msg }; ') role $1 types pulseaudio_t; 
@@ -29,7 +29,7 @@ interface(`pulseaudio_role',` ps_process_pattern($2, pulseaudio_t) allow pulseaudio_t $2:process { signal signull }; - allow $2 pulseaudio_t:process { signal signull }; + allow $2 pulseaudio_t:process { signal signull sigkill }; ps_process_pattern(pulseaudio_t, $2) allow pulseaudio_t $2:unix_stream_socket connectto; @@ -40,7 +40,7 @@ interface(`pulseaudio_role',` userdom_manage_tmpfs_role($1, pulseaudio_t) allow $2 pulseaudio_t:dbus send_msg; - allow pulseaudio_t $2:dbus send_msg; + allow pulseaudio_t $2:dbus { acquire_svc send_msg }; ') ######################################## @@ -98,7 +98,7 @@ interface(`pulseaudio_run',` # interface(`pulseaudio_exec',` gen_require(` - type pulseaudio_exec_t; + type pulseaudio_exec_t; ') can_exec($1,pulseaudio_exec_t) 
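Review bot: The `acquire_svc` added in `allow pulseaudio_t $2:dbus { acquire_svc send_msg };` targets the user domain `$2`, whereas ownership of a bus name is normally checked against the bus daemon's type (or the context configured for that name), so this rule may widen the allow without granting what is intended. The .te already calls `dbus_connect_session_bus(pulseaudio_t)`, which looks like the usual way to let the daemon own a session-bus name. If that covers it, keep the line as `allow pulseaudio_t $2:dbus send_msg;` and drop `acquire_svc` from the `class dbus` require in the first pulseaudio.if hunk. If some configuration does need it, a comment such as `# session bus runs in the user domain here` should say why. The body of `pulseaudio_role` extends beyond this hunk.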
@@ -127,20 +127,78 @@ interface(`pulseaudio_dbus_chat',` ######################################## ## -## pulsaudio connection template. +## Read pulseaudio homedir files ## ## ## -## The type of the user domain. +## Domain allowed access. +## +## +# +interface(`pulseaudio_read_home_files',` + gen_require(` + type pulseaudio_home_t; + ') + + userdom_search_user_home_dirs($1) + read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) +') + +######################################## +## +## Manage pulseaudio homedir files +## +## +## +## Domain allowed access. +## +## +# +interface(`pulseaudio_manage_home_files',` + gen_require(` + type pulseaudio_home_t; + ') + + userdom_search_user_home_dirs($1) + manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) +') + +######################################## +## +## Allow domain to setattr on pulseaudio homedir +## +## +## +## Domain allowed access. +## +## +# +interface(`pulseaudio_setattr_home_dir',` + gen_require(` + type pulseaudio_home_t; + ') + + allow $1 pulseaudio_home_t:dir setattr; +') + +##################################### +## +## Connect to pulseaudio over a unix domain +## stream socket. +## +## +## +## Domain allowed access. ## ## # interface(`pulseaudio_stream_connect',` gen_require(` - type pulseaudio_t; + type pulseaudio_t, pulseaudio_var_run_t; ') + files_search_pids($1) allow $1 pulseaudio_t:process signull; allow pulseaudio_t $1:process signull; - allow $1 pulseaudio_t:unix_stream_socket connectto; + stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t) ') diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te index 1d0ddedb..48f7d918 100644 --- a/policy/modules/apps/pulseaudio.te +++ b/policy/modules/apps/pulseaudio.te 
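Review bot: `pulseaudio_read_home_files` and `pulseaudio_manage_home_files` hand out more than their summaries say. The pulseaudio.fc hunk in this patch labels `HOME_DIR/\.pulse-cookie` as `pulseaudio_home_t`, so every caller of either interface can read (or, for manage, replace) the cookie that clients use to authenticate to the daemon. The summaries should state this, e.g. `## Read pulseaudio homedir files, including the ~/.pulse-cookie authentication cookie.`, so policy authors do not grant the interface to domains that only need configuration files. A separate type for the cookie would allow the two uses to be split, though that goes beyond this patch. The `#` separator above `pulseaudio_stream_connect` is also shorter than the one used for the other interfaces.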
@@ -8,24 +8,51 @@ policy_module(pulseaudio, 1.1.1) type pulseaudio_t; type pulseaudio_exec_t; +init_daemon_domain(pulseaudio_t, pulseaudio_exec_t) application_domain(pulseaudio_t, pulseaudio_exec_t) role system_r types pulseaudio_t; +type pulseaudio_home_t; +userdom_user_home_content(pulseaudio_home_t) + +type pulseaudio_tmpfs_t; +files_tmpfs_file(pulseaudio_tmpfs_t) + +type pulseaudio_var_lib_t; +files_type(pulseaudio_var_lib_t) + +type pulseaudio_var_run_t; +files_pid_file(pulseaudio_var_run_t) + ######################################## # # pulseaudio local policy # - +allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config }; allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull }; allow pulseaudio_t self:fifo_file rw_file_perms; -allow pulseaudio_t self:unix_stream_socket create_stream_socket_perms; +allow pulseaudio_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms }; allow pulseaudio_t self:tcp_socket create_stream_socket_perms; allow pulseaudio_t self:udp_socket create_socket_perms; allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms; +userdom_search_user_home_dirs(pulseaudio_t) +manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) +manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t) + +manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) +manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t) +files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file }) + +manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) +manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) +manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t) +files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file 
}) + can_exec(pulseaudio_t, pulseaudio_exec_t) +kernel_getattr_proc(pulseaudio_t) kernel_read_system_state(pulseaudio_t) kernel_read_kernel_sysctls(pulseaudio_t) @@ -67,10 +94,7 @@ optional_policy(` ') optional_policy(` - gnome_manage_config(pulseaudio_t) -') - -optional_policy(` + dbus_system_domain(pulseaudio_t, pulseaudio_exec_t) dbus_system_bus_client(pulseaudio_t) dbus_session_bus_client(pulseaudio_t) dbus_connect_session_bus(pulseaudio_t) @@ -92,6 +116,10 @@ optional_policy(` ') ') +optional_policy(` + rtkit_scheduled(pulseaudio_t) +') + optional_policy(` policykit_domtrans_auth(pulseaudio_t) policykit_read_lib(pulseaudio_t) @@ -103,6 +131,9 @@ optional_policy(` ') optional_policy(` + xserver_stream_connect(pulseaudio_t) xserver_manage_xdm_tmp_files(pulseaudio_t) xserver_read_xdm_lib_files(pulseaudio_t) + xserver_read_xdm_pid(pulseaudio_t) + xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t) ')
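Review bot: Nothing in the first pulseaudio.te hunk makes files that pulseaudio creates in a home directory come out as `pulseaudio_home_t`. `/var/lib` and `/var/run` each get a `files_*_filetrans` line, but the home rules stop at `manage_dirs_pattern`/`manage_files_pattern`. On a fresh account `~/.pulse` and `~/.pulse-cookie` would presumably be created with the generic home type (or denied), so the cookie is not covered by the narrower label until something relabels it. Adding `userdom_user_home_dir_filetrans(pulseaudio_t, pulseaudio_home_t, { dir file })` after the two home patterns would close that, assuming the interface is available in this tree. The `self:capability` line added just above also needs a comment saying which of its eight capabilities are required only in system mode.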
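Review bot: `dbus_system_domain(pulseaudio_t, pulseaudio_exec_t)` gives the system bus a second way, next to `init_daemon_domain` in the first hunk, to start a system-wide daemon in `pulseaudio_t`, the same domain that `pulseaudio_role` assigns to per-user instances. System-mode and session instances therefore share one rule set: the system daemon inherits the home-directory and session-bus access, and the session daemon's domain carries the new capability set. A comment above the call, e.g. `# system mode: started from the system bus; shares pulseaudio_t with per-user instances`, would record that this is deliberate. A separate domain for system mode would be the least-privilege alternative. The `optional_policy` block continues past this hunk.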