policy_module(alsa, 1.11.4)

########################################
#
# Declarations
#

attribute_role alsa_roles;

type alsa_t;
type alsa_exec_t;
init_system_domain(alsa_t, alsa_exec_t)
role alsa_roles types alsa_t;

type alsa_etc_rw_t;
files_config_file(alsa_etc_rw_t)

type alsa_tmp_t;
files_tmp_file(alsa_tmp_t)

type alsa_var_lib_t;
files_type(alsa_var_lib_t)

type alsa_home_t;
userdom_user_home_content(alsa_home_t)

type alsa_unit_file_t;
systemd_unit_file(alsa_unit_file_t)

########################################
#
# Local policy
#

allow alsa_t self:capability { dac_read_search dac_override setgid setuid ipc_owner };
dontaudit alsa_t self:capability sys_admin;
allow alsa_t self:sem create_sem_perms;
allow alsa_t self:shm create_shm_perms;
allow alsa_t self:unix_stream_socket { accept listen };

allow alsa_t alsa_home_t:file read_file_perms;

manage_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
manage_lnk_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)

can_exec(alsa_t, alsa_exec_t)

manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })

manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)

kernel_read_system_state(alsa_t)

corecmd_exec_bin(alsa_t)

dev_read_sound(alsa_t)
dev_read_sysfs(alsa_t)
dev_write_sound(alsa_t)

files_search_var_lib(alsa_t)

term_dontaudit_use_console(alsa_t)
term_dontaudit_use_generic_ptys(alsa_t)
term_dontaudit_use_all_ptys(alsa_t)

auth_use_nsswitch(alsa_t)

init_use_fds(alsa_t)

logging_send_syslog_msg(alsa_t)

userdom_manage_unpriv_user_semaphores(alsa_t)
userdom_manage_unpriv_user_shared_mem(alsa_t)
userdom_search_user_home_dirs(alsa_t)

optional_policy(`
	hal_use_fds(alsa_t)
	hal_write_log(alsa_t)
')