Pulseaudio patch from Dan Walsh.

Dontaudit attempts to exec pulseaudio. qemu does this and it causes other avc's even though qemu can not use pulseaudio. Allow other domains to use pulseiaudio
2010-06-22 09:13:17 -04:00 · 2010-06-22 09:13:17 -04:00 · 1fd3a8070f
commit 1fd3a8070f
parent 1ff703fc4a
2 changed files with 60 additions and 1 deletions
--- a/policy/modules/apps/pulseaudio.if
+++ b/policy/modules/apps/pulseaudio.if
@ -104,6 +104,43 @@ interface(`pulseaudio_exec',`
 	can_exec($1, pulseaudio_exec_t)
 ')

+########################################
+## <summary>
+##	Do not audit to execute a pulseaudio.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`pulseaudio_dontaudit_exec',`
+	gen_require(`
+		type pulseaudio_exec_t;
+	')
+
+	dontaudit $1 pulseaudio_exec_t:file exec_file_perms;
+')
+
+########################################
+## <summary>
+##	Send signull signal to pulseaudio
+##	processes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pulseaudio_signull',`
+	gen_require(`
+		type pulseaudio_t;
+	')
+
+	allow $1 pulseaudio_t:process signull;
+')
+
 #####################################
 ## <summary>
 ##	Connect to pulseaudio over a unix domain
@ -184,6 +221,25 @@ interface(`pulseaudio_read_home_files',`
 	read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
 ')

+########################################
+## <summary>
+##	Read and write Pulse Audio files.
+## </summary>
+## <param name="user_domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`pulseaudio_rw_home_files',`
+	gen_require(`
+		type pulseaudio_home_t;
+	')
+
+	rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+	userdom_search_user_home_dirs($1)
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete pulseaudio
@ -202,4 +258,5 @@ interface(`pulseaudio_manage_home_files',`

 	userdom_search_user_home_dirs($1)
 	manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
+	read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
 ')
--- a/policy/modules/apps/pulseaudio.te
+++ b/policy/modules/apps/pulseaudio.te
@ -1,4 +1,4 @@
-policy_module(pulseaudio, 1.2.0)
+policy_module(pulseaudio, 1.2.1)

 ########################################
 #
@ -43,6 +43,7 @@ userdom_search_user_home_dirs(pulseaudio_t)

 manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
 manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
+manage_lnk_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
 files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })

 manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
@ -127,6 +128,7 @@ optional_policy(`
 ')

 optional_policy(`
+	udev_read_state(pulseaudio_t)
 	udev_read_db(pulseaudio_t)
 ')