From de8af9dc65d59ab84ab44d74b9651eaaef00fda8 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Jan 12 2006 16:00:55 +0000
Subject: add alsa
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index f5cd8e6..87a20aa 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -5,6 +5,7 @@
 - Add swat to samba module.
 - Numerous miscellaneous fixes from Dan Walsh.
 - Added modules:
+ alsa
 automount
 ddcprobe
 fetchmail
diff --git a/refpolicy/policy/modules/admin/alsa.fc b/refpolicy/policy/modules/admin/alsa.fc
new file mode 100644
index 0000000..99c414d
--- /dev/null
+++ b/refpolicy/policy/modules/admin/alsa.fc
@@ -0,0 +1,4 @@
+
+/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+
+/usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/alsa.if b/refpolicy/policy/modules/admin/alsa.if
new file mode 100644
index 0000000..0150f97
--- /dev/null
+++ b/refpolicy/policy/modules/admin/alsa.if
@@ -0,0 +1,55 @@
+## Ainit ALSA configuration tool
+
+########################################
+##
+## Domain transition to alsa
+##
+##
+## Domain allowed access.
+##
+#
+interface(`alsa_domtrans',`
+ gen_require(`
+ type alsa_t;
+ type alsa_exec_t;
+ ')
+
+ domain_auto_trans($1, alsa_exec_t, alsa_t)
+
+ allow $1 alsa_t:fd use;
+ allow alsa_t $1:fd use;
+ allow alsa_t $1:fifo_file rw_file_perms;
+ allow alsa_t $1:process sigchld;
+')
+
+########################################
+##
+## Allow read and write access to alsa semaphores.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`alsa_rw_semaphores',`
+ gen_require(`
+ type alsa_t;
+ ')
+
+ allow $1 alsa_t:sem { unix_read unix_write associate read write };
+')
+
+########################################
+##
+## Allow read and write access to alsa shared memory.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`alsa_rw_shared_mem',`
+ gen_require(`
+ type alsa_t;
+ ')
+
+ allow $1 alsa_t:shm { unix_read unix_write create_shm_perms };
+')
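Review bot: In alsa.if, `alsa_rw_shared_mem` is documented as read and write access but its rule grants `create_shm_perms`, which in the reference policy's permission sets also carries create, destroy and setattr, so every caller can remove or re-own alsa_t's segments rather than only attach to them. The sibling `alsa_rw_semaphores` lists just `unix_read unix_write associate read write`, so the two interfaces disagree on what "rw" means. I would narrow the rule to `allow $1 alsa_t:shm rw_shm_perms;` (assuming the stock read/write set), or rename the interface to a "manage" name if create and destroy are really intended. The explicit `unix_read unix_write` next to the macro are redundant either way.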
diff --git a/refpolicy/policy/modules/admin/alsa.te b/refpolicy/policy/modules/admin/alsa.te
new file mode 100644
index 0000000..10de00f
--- /dev/null
+++ b/refpolicy/policy/modules/admin/alsa.te
@@ -0,0 +1,50 @@
+
+policy_module(alsa,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type alsa_t;
+type alsa_exec_t;
+domain_type(alsa_t)
+domain_entry_file(alsa_t, alsa_exec_t)
+role system_r types alsa_t;
+
+type alsa_etc_rw_t;
+files_type(alsa_etc_rw_t)
+
+########################################
+#
+# Local policy
+#
+
+allow alsa_t self:capability { setgid setuid ipc_owner };
+dontaudit alsa_t self:capability sys_admin;
+allow alsa_t self:sem create_sem_perms;
+allow alsa_t self:shm create_shm_perms;
+allow alsa_t self:unix_stream_socket create_stream_socket_perms;
+allow alsa_t self:unix_dgram_socket create_socket_perms;
+
+allow alsa_t alsa_etc_rw_t:dir rw_dir_perms;
+allow alsa_t alsa_etc_rw_t:file create_file_perms;
+allow alsa_t alsa_etc_rw_t:lnk_file create_lnk_perms;
+
+files_read_etc_files(alsa_t)
+
+term_use_generic_pty(alsa_t)
+
+libs_use_ld_so(alsa_t)
+libs_use_shared_libs(alsa_t)
+
+logging_send_syslog_msg(alsa_t)
+
+miscfiles_read_localization(alsa_t)
+
+userdom_manage_unpriv_user_semaphores(alsa_t)
+userdom_manage_unpriv_user_shared_mem(alsa_t)
+
+optional_policy(`nscd',`
+ nscd_use_socket(alsa_t)
+')
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index 108cd43..5e8392f 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
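Review bot: In alsa.te, `allow alsa_t self:capability { setgid setuid ipc_owner };` combined with `userdom_manage_unpriv_user_semaphores(alsa_t)` and `userdom_manage_unpriv_user_shared_mem(alsa_t)` lets the ainit domain bypass SysV IPC ownership checks and create, destroy or re-own the semaphores and shared memory of every unprivileged user domain, and the file carries no comment saying why. If ainit only needs to attach to the invoking user's objects, a read/write-level grant would be enough; that is an inference from the rules, not something the commit states. At minimum I would add a why-comment above the capability rule, for example `# ipc_owner: ainit accesses SysV IPC objects owned by the invoking user` (wording for the author to confirm), and one above `dontaudit alsa_t self:capability sys_admin;` naming the denial it hides. No visible hunk calls `alsa_domtrans`, so it is also worth confirming that some domain actually transitions into alsa_t.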
@@ -1650,6 +1650,39 @@ interface(`userdom_spec_domtrans_unpriv_users',`
 ########################################
 ##
+## Manage unpriviledged user SysV sempaphores.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`userdom_manage_unpriv_user_semaphores',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+ allow $1 unpriv_userdomain:sem create_sem_perms;
+')
+
+########################################
+##
+## Manage unpriviledged user SysV shared
+## memory segments.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`userdom_manage_unpriv_user_shared_mem',`
+ gen_require(`
+ attribute unpriv_userdomain;
+ ')
+
+ allow $1 unpriv_userdomain:shm create_shm_perms;
+')
+
+########################################
+##
 ## Execute a shell in the sysadm domain.
 ##
 ##
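Review bot: The summaries of the two new userdomain.if interfaces are misspelled (`unpriviledged`, `sempaphores`), which makes them harder to find when searching the interface documentation. They also understate the grant: `create_sem_perms` and `create_shm_perms` on the `unpriv_userdomain` attribute give the caller create, destroy and setattr on the IPC objects of every unprivileged user domain, not one user's. I would reword the first summary to `Create, read, write and destroy SysV semaphores of all unprivileged user domains.` and use the matching sentence for shared memory segments, so a reviewer of a calling module sees the scope without expanding the macro.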