From 1fd3a8070ff4b6efdb4f2841a709acc1ab1bbdad Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Tue, 22 Jun 2010 09:13:17 -0400
Subject: [PATCH] Pulseaudio patch from Dan Walsh.

Dontaudit attempts to exec pulseaudio. qemu does this and it causes other avc's even though qemu can not use pulseaudio.

Allow other domains to use pulseiaudio
---
 policy/modules/apps/pulseaudio.if | 57 +++++++++++++++++++++++++++++++
 policy/modules/apps/pulseaudio.te | 4 ++-
 2 files changed, 60 insertions(+), 1 deletion(-)

diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if
index 95448d94..bb86a623 100644
--- a/policy/modules/apps/pulseaudio.if
+++ b/policy/modules/apps/pulseaudio.if
@@ -104,6 +104,43 @@ interface(`pulseaudio_exec',`
 can_exec($1, pulseaudio_exec_t)
 ')
 
+########################################
+##
+## Do not audit to execute a pulseaudio.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`pulseaudio_dontaudit_exec',`
+ gen_require(`
+ type pulseaudio_exec_t;
+ ')
+
+ dontaudit $1 pulseaudio_exec_t:file exec_file_perms;
+')
+
+########################################
+##
+## Send signull signal to pulseaudio
+## processes.
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pulseaudio_signull',`
+ gen_require(`
+ type pulseaudio_t;
+ ')
+
+ allow $1 pulseaudio_t:process signull;
+')
+
 #####################################
 ##
 ## Connect to pulseaudio over a unix domain
@@ -184,6 +221,25 @@ interface(`pulseaudio_read_home_files',`
 read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
 ')
 
+########################################
+##
+## Read and write Pulse Audio files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`pulseaudio_rw_home_files',`
+ gen_require(`
+ type pulseaudio_home_t;
+ ')
+
+ rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ userdom_search_user_home_dirs($1)
+')
+
 ########################################
 ##
 ## Create, read, write, and delete pulseaudio
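Review bot: The summary of the new `pulseaudio_dontaudit_exec` interface, `## Do not audit to execute a pulseaudio.`, is ungrammatical and does not say that the access stays denied, which matters because a dontaudit rule only suppresses the AVC record and grants nothing. Suggest `## Do not audit attempts to execute pulseaudio.` plus one sentence in the description stating that execution remains denied and that a domain which really needs to run pulseaudio should call `pulseaudio_exec` instead. The commit message notes that the exec attempts by qemu trigger further denials, so it would also help to say in the description that this interface only silences the exec denial itself. The `pulseaudio_signull` interface added in the same hunk matches the file's existing conventions.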
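Review bot: The summary of the new `pulseaudio_rw_home_files` interface reads `## Read and write Pulse Audio files.`, but the rule it adds is on `pulseaudio_home_t`, so it should name the home files the way its siblings `pulseaudio_read_home_files` and `pulseaudio_manage_home_files` do: `## Read and write pulseaudio home files.`. The second hunk of this file adds `read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)` to `pulseaudio_manage_home_files`, which suggests the pulseaudio home directory can hold symlinks; if so, the new read/write interface would presumably hit the same denial and want the same line, though the hunks do not show what those symlinks are. For consistency with the manage interface, `userdom_search_user_home_dirs($1)` could also come before the `rw_files_pattern` call rather than after it.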
@@ -202,4 +258,5 @@ interface(`pulseaudio_manage_home_files',`
 userdom_search_user_home_dirs($1)
 manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+ read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
 ')
diff --git a/policy/modules/apps/pulseaudio.te b/policy/modules/apps/pulseaudio.te
index 964a73b6..7e3e3b26 100644
--- a/policy/modules/apps/pulseaudio.te
+++ b/policy/modules/apps/pulseaudio.te
@@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.2.0)
+policy_module(pulseaudio, 1.2.1)
 
 ########################################
 #
@@ -43,6 +43,7 @@ userdom_search_user_home_dirs(pulseaudio_t)
 
 manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
 manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
+manage_lnk_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
 files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })
 
 manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
@@ -127,6 +128,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+ udev_read_state(pulseaudio_t)
 udev_read_db(pulseaudio_t)
 ')
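Review bot: The new `manage_lnk_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)` line is not accompanied by a change to the `files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })` line right below it, so a symlink that pulseaudio_t creates directly in a `var_lib_t` directory would not be labeled `pulseaudio_var_lib_t`; if the symlinks live inside pulseaudio's own `pulseaudio_var_lib_t` directory this is fine, but the hunk does not show which case applies. Neither the commit message nor a comment says what symlinks pulseaudio manages there, so a one-line comment above the new rule, e.g. `# TODO(review): state which symlinks under pulseaudio's var_lib directory need this`, would let the next reader verify the filetrans class list.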