From b7ceb3499560bcdcc6d09693ddc379564b1b0798 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Fri, 3 Sep 2010 11:59:00 +0200 Subject: [PATCH 1/5] Do not try to relabel the contents of the /dev/shm directory. Signed-off-by: Dominick Grift --- policy/modules/kernel/filesystem.fc | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc index 9306de60..7d0ef43c 100644 --- a/policy/modules/kernel/filesystem.fc +++ b/policy/modules/kernel/filesystem.fc @@ -1,3 +1,4 @@ /dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) +/dev/shm/.* <> /cgroup -d gen_context(system_u:object_r:cgroup_t,s0) From 5675107ff975b871e744f9d57e9a5460be1d5cb8 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Fri, 3 Sep 2010 16:25:47 +0200 Subject: [PATCH 2/5] Libcgroup moved the cgroup directory to /sys/fs/cgroup. Signed-off-by: Dominick Grift --- policy/modules/kernel/filesystem.fc | 2 ++ policy/modules/kernel/filesystem.if | 8 ++++++++ 2 files changed, 10 insertions(+) diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc index 7d0ef43c..59bae6ad 100644 --- a/policy/modules/kernel/filesystem.fc +++ b/policy/modules/kernel/filesystem.fc @@ -2,3 +2,5 @@ /dev/shm/.* <> /cgroup -d gen_context(system_u:object_r:cgroup_t,s0) + +/sys/fs/cgroup(/.*)? <> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index e3e17bad..437a42af 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -646,6 +646,7 @@ interface(`fs_search_cgroup_dirs',` ') search_dirs_pattern($1, cgroup_t, cgroup_t) + dev_search_sysfs($1) ') ######################################## @@ -664,6 +665,7 @@ interface(`fs_list_cgroup_dirs', ` ') list_dirs_pattern($1, cgroup_t, cgroup_t) + dev_search_sysfs($1) ') ######################################## 
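Review bot: `dev_search_sysfs($1)` is added unconditionally to fs_search_cgroup_dirs and fs_list_cgroup_dirs here, and to the delete/manage dirs and read/write/rw/manage files interfaces in the six hunks that follow, so every cgroup caller now gets search on all of sysfs_t rather than only the /sys/fs subtree; that is refpolicy's usual granularity, but the interface summaries (outside the hunks) still describe only cgroup access, so add a line such as `## Search cgroup directories; also traverses sysfs, as cgroup now mounts under /sys/fs/cgroup.` to each. The new `/sys/fs/cgroup(/.*)? <<none>>` file context (the `<<none>>` token is rendered as `<>` on this page) only stops restorecon from relabelling the mount point; the cgroup_t label itself presumably still comes from the genfscon/fs_use rules in filesystem.te, which this series does not touch, so confirm those cover the new mount location. The earlier `/cgroup -d` entry is kept, so both locations remain described.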
@@ -682,6 +684,7 @@ interface(`fs_delete_cgroup_dirs', ` ') delete_dirs_pattern($1, cgroup_t, cgroup_t) + dev_search_sysfs($1) ') ######################################## @@ -701,6 +704,7 @@ interface(`fs_manage_cgroup_dirs',` ') manage_dirs_pattern($1, cgroup_t, cgroup_t) + dev_search_sysfs($1) ') ######################################## @@ -720,6 +724,7 @@ interface(`fs_read_cgroup_files',` ') read_files_pattern($1, cgroup_t, cgroup_t) + dev_search_sysfs($1) ') ######################################## @@ -738,6 +743,7 @@ interface(`fs_write_cgroup_files', ` ') write_files_pattern($1, cgroup_t, cgroup_t) + dev_search_sysfs($1) ') ######################################## @@ -757,6 +763,7 @@ interface(`fs_rw_cgroup_files',` ') rw_files_pattern($1, cgroup_t, cgroup_t) + dev_search_sysfs($1) ') ######################################## @@ -796,6 +803,7 @@ interface(`fs_manage_cgroup_files',` ') manage_files_pattern($1, cgroup_t, cgroup_t) + dev_search_sysfs($1) ') ######################################## From e411968dff4370d020e091476be1a59e064ff1f8 Mon Sep 17 00:00:00 2001 From: Dominick Grift Date: Fri, 3 Sep 2010 16:26:40 +0200 Subject: [PATCH 3/5] Implement alsa_home_t for asoundrc. Clean up Alsa module. Signed-off-by: Dominick Grift --- policy/modules/admin/alsa.fc | 4 +-- policy/modules/admin/alsa.if | 49 +++++++++++++++++++++++++++++------- policy/modules/admin/alsa.te | 6 ++++- 3 files changed, 47 insertions(+), 12 deletions(-) diff --git a/policy/modules/admin/alsa.fc b/policy/modules/admin/alsa.fc index 30a0ac74..72a04587 100644 --- a/policy/modules/admin/alsa.fc +++ b/policy/modules/admin/alsa.fc @@ -1,3 +1,5 @@ +HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0) + /bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0) /etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) 
@@ -10,9 +12,7 @@ /usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0) -ifdef(`distro_debian', ` /usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0) /usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) -') /var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0) diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if index fe09bea7..91b6eef4 100644 --- a/policy/modules/admin/alsa.if +++ b/policy/modules/admin/alsa.if @@ -1,8 +1,8 @@ -## Ainit ALSA configuration tool +## Ainit ALSA configuration tool. ######################################## ## -## Domain transition to alsa +## Execute a domain transition to run Alsa. ## ## ## @@ -15,12 +15,13 @@ interface(`alsa_domtrans',` type alsa_t, alsa_exec_t; ') + corecmd_search_bin($1) domtrans_pattern($1, alsa_exec_t, alsa_t) ') ######################################## ## -## Allow read and write access to alsa semaphores. +## Read and write Alsa semaphores. ## ## ## @@ -33,12 +34,12 @@ interface(`alsa_rw_semaphores',` type alsa_t; ') - allow $1 alsa_t:sem { unix_read unix_write associate read write }; + allow $1 alsa_t:sem rw_sem_perms; ') ######################################## ## -## Allow read and write access to alsa shared memory. +## Read and write Alsa shared memory. ## ## ## @@ -51,12 +52,12 @@ interface(`alsa_rw_shared_mem',` type alsa_t; ') - allow $1 alsa_t:shm { unix_read unix_write create_shm_perms }; + allow $1 alsa_t:shm rw_shm_perms; ') ######################################## ## -## Read alsa writable config files. +## Read writable Alsa config files. ## ## ## 
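Review bot: Replacing `{ unix_read unix_write create_shm_perms }` with `rw_shm_perms` in alsa_rw_shared_mem narrows the grant if, as in refpolicy's obj_perm_sets, rw_shm_perms lacks the create, destroy and setattr permissions that create_shm_perms carries; a caller that creates the shared segment would then be denied by a commit described only as a clean-up. If the tightening is intended, state it in the commit message and in the interface summary, e.g. `## Read and write existing Alsa shared memory (no create/destroy).`; otherwise keep `allow $1 alsa_t:shm create_shm_perms;`. The sibling change in alsa_rw_semaphores to `rw_sem_perms` goes the other way and adds getattr relative to the old explicit set, which is harmless but also worth stating.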
@@ -69,14 +70,19 @@ interface(`alsa_read_rw_config',` type alsa_etc_rw_t; ') + files_search_etc($1) allow $1 alsa_etc_rw_t:dir list_dir_perms; read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) + + ifdef(`distro_debian',` + files_search_usr($1) + ') ') ######################################## ## -## Manage alsa writable config files. +## Manage writable Alsa config files. ## ## ## @@ -89,14 +95,19 @@ interface(`alsa_manage_rw_config',` type alsa_etc_rw_t; ') + files_search_etc($1) allow $1 alsa_etc_rw_t:dir list_dir_perms; manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) + + ifdef(`distro_debian',` + files_search_usr($1) + ') ') ######################################## ## -## Read alsa lib files. +## Read Alsa lib files. ## ## ## @@ -109,5 +120,25 @@ interface(`alsa_read_lib',` type alsa_var_lib_t; ') + files_search_var_lib($1) read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t) ') + +######################################## +## +## Read Alsa home files. +## +## +## +## Domain allowed access. +## +## +# +interface(`alsa_read_home_files',` + gen_require(` + type alsa_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 alsa_home_t:file read_file_perms; +') diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te index 04f9d968..84727c02 100644 --- a/policy/modules/admin/alsa.te +++ b/policy/modules/admin/alsa.te @@ -16,6 +16,9 @@ files_type(alsa_etc_rw_t) type alsa_var_lib_t; files_type(alsa_var_lib_t) +type alsa_home_t; +userdom_user_home_content(alsa_home_t) + ######################################## # # Local policy 
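Review bot: The `ifdef(`distro_debian',` guard around `files_search_usr($1)` in alsa_read_rw_config, and the same block in alsa_manage_rw_config in the next hunk, no longer matches the alsa.fc change in this same commit, which drops the distro_debian guard so that /usr/share/alsa/alsa.conf and /usr/share/alsa/pcm are labelled alsa_etc_rw_t on every distribution; on non-Debian systems those files now carry the type but callers of these interfaces get no search on /usr to reach them. Either make the grant unconditional, `files_search_usr($1)`, or restore the guard in alsa.fc so the labelling and the interfaces stay in step.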
@@ -28,6 +31,8 @@ allow alsa_t self:shm create_shm_perms; allow alsa_t self:unix_stream_socket create_stream_socket_perms; allow alsa_t self:unix_dgram_socket create_socket_perms; +allow alsa_t alsa_home_t:file read_file_perms; + manage_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t) manage_lnk_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t) files_etc_filetrans(alsa_t, alsa_etc_rw_t, file) @@ -46,7 +51,6 @@ dev_read_sysfs(alsa_t) corecmd_exec_bin(alsa_t) -files_search_home(alsa_t) files_read_etc_files(alsa_t) files_read_usr_files(alsa_t) From eca7eb3b476f255dd1482ea2de61113df9785afd Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Fri, 3 Sep 2010 11:56:10 -0400 Subject: [PATCH 4/5] Rearrange alsa interfaces. --- policy/modules/admin/alsa.if | 38 ++++++++++++++++++------------------ 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if index 91b6eef4..69aa7428 100644 --- a/policy/modules/admin/alsa.if +++ b/policy/modules/admin/alsa.if @@ -105,25 +105,6 @@ interface(`alsa_manage_rw_config',` ') ') -######################################## -## -## Read Alsa lib files. -## -## -## -## Domain allowed access. -## -## -# -interface(`alsa_read_lib',` - gen_require(` - type alsa_var_lib_t; - ') - - files_search_var_lib($1) - read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t) -') - ######################################## ## ## Read Alsa home files. @@ -142,3 +123,22 @@ interface(`alsa_read_home_files',` userdom_search_user_home_dirs($1) allow $1 alsa_home_t:file read_file_perms; ') + +######################################## +## +## Read Alsa lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`alsa_read_lib',` + gen_require(` + type alsa_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t) +') From 28d96f0e3974f203b0bd1567a3d15c3113df2970 Mon Sep 17 00:00:00 2001 
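Review bot: alsa_t is granted `allow alsa_t alsa_home_t:file read_file_perms;` but its only home-directory search permission, `files_search_home(alsa_t)`, is removed in the second hunk and the diffstat (5 insertions, 1 deletion) shows nothing replacing it, so unless alsa.te already calls a userdom search interface outside these hunks, alsa_t cannot traverse home_root_t and user_home_dir_t to reach HOME_DIR/.asoundrc. Add `userdom_search_user_home_dirs(alsa_t)` next to the new allow rule, mirroring what alsa_read_home_files grants its callers.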
From: Chris PeBenito Date: Fri, 3 Sep 2010 13:09:40 -0400 Subject: [PATCH 5/5] Module version bumps for b7ceb34 5675107 e411968 eca7eb3. --- policy/modules/admin/alsa.te | 2 +- policy/modules/kernel/filesystem.te | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te index 84727c02..0f227f1d 100644 --- a/policy/modules/admin/alsa.te +++ b/policy/modules/admin/alsa.te @@ -1,4 +1,4 @@ -policy_module(alsa, 1.9.1) +policy_module(alsa, 1.9.2) ######################################## # diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index 56c34086..0dff98ef 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -1,4 +1,4 @@ -policy_module(filesystem, 1.13.2) +policy_module(filesystem, 1.13.3) ######################################## #