## Pulseaudio network sound server. ######################################## ## ## Role access for pulseaudio. ## ## ## ## Role allowed access. ## ## ## ## ## User domain for the role. ## ## # interface(`pulseaudio_role',` gen_require(` attribute pulseaudio_tmpfsfile; type pulseaudio_t, pulseaudio_home_t, pulseaudio_tmpfs_t; type pulseaudio_tmp_t; ') pulseaudio_run($2, $1) allow $2 pulseaudio_t:process { ptrace signal_perms }; allow $2 pulseaudio_t:fd use; ps_process_pattern($2, pulseaudio_t) allow $2 pulseaudio_home_t:dir { manage_dir_perms relabel_dir_perms }; allow $2 pulseaudio_home_t:file { manage_file_perms relabel_file_perms }; allow $2 pulseaudio_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:dir { manage_dir_perms relabel_dir_perms }; allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms }; allow $2 pulseaudio_tmp_t:dir { manage_dir_perms relabel_dir_perms }; allow $2 pulseaudio_tmp_t:file { manage_file_perms relabel_file_perms }; allow $2 pulseaudio_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; allow pulseaudio_t $2:unix_stream_socket connectto; ') ######################################## ## ## Execute a domain transition to run pulseaudio. ## ## ## ## Domain allowed to transition. ## ## # interface(`pulseaudio_domtrans',` gen_require(` attribute pulseaudio_client; type pulseaudio_t, pulseaudio_exec_t; ') typeattribute $1 pulseaudio_client; corecmd_search_bin($1) domtrans_pattern($1, pulseaudio_exec_t, pulseaudio_t) ') ######################################## ## ## Execute pulseaudio in the pulseaudio ## domain, and allow the specified role ## the pulseaudio domain. ## ## ## ## Domain allowed to transition. ## ## ## ## ## Role allowed access. ## ## # interface(`pulseaudio_run',` gen_require(` attribute_role pulseaudio_roles; ') pulseaudio_domtrans($1) roleattribute $2 pulseaudio_roles; ') ######################################## ## ## Execute pulseaudio in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`pulseaudio_exec',` gen_require(` type pulseaudio_exec_t; ') corecmd_search_bin($1) can_exec($1, pulseaudio_exec_t) ') ######################################## ## ## Do not audit attempts to execute pulseaudio. ## ## ## ## Domain to not audit. ## ## # interface(`pulseaudio_dontaudit_exec',` gen_require(` type pulseaudio_exec_t; ') dontaudit $1 pulseaudio_exec_t:file exec_file_perms; ') ######################################## ## ## Send null signals to pulseaudio. ## processes. ## ## ## ## Domain allowed access. ## ## # interface(`pulseaudio_signull',` gen_require(` type pulseaudio_t; ') allow $1 pulseaudio_t:process signull; ') ######################################## ## ## Use file descriptors for ## pulseaudio. ## ## ## ## Domain allowed access. ## ## # interface(`pulseaudio_use_fds',` gen_require(` type pulseaudio_t; ') allow $1 pulseaudio_t:fd use; ') ######################################## ## ## Do not audit attempts to use the ## file descriptors for pulseaudio. ## ## ## ## Domain allowed access. ## ## # interface(`pulseaudio_dontaudit_use_fds',` gen_require(` type pulseaudio_t; ') dontaudit $1 pulseaudio_t:fd use; ') ##################################### ## ## Connect to pulseaudio with a unix ## domain stream socket. ## ## ## ## Domain allowed access. ## ## # interface(`pulseaudio_stream_connect',` gen_require(` type pulseaudio_t, pulseaudio_var_run_t, pulseaudio_tmp_t; ') files_search_pids($1) stream_connect_pattern($1, { pulseaudio_tmp_t pulseaudio_var_run_t }, { pulseaudio_tmp_t pulseaudio_var_run_t }, pulseaudio_t) ') ######################################## ## ## Send and receive messages from ## pulseaudio over dbus. ## ## ## ## Domain allowed access. ## ## # interface(`pulseaudio_dbus_chat',` gen_require(` type pulseaudio_t; class dbus send_msg; ') allow $1 pulseaudio_t:dbus send_msg; allow pulseaudio_t $1:dbus send_msg; ') ######################################## ## ## Set attributes of pulseaudio home directories. ## ## ## ## Domain allowed access. ## ## # interface(`pulseaudio_setattr_home_dir',` gen_require(` type pulseaudio_home_t; ') allow $1 pulseaudio_home_t:dir setattr_dir_perms; ') ######################################## ## ## Read pulseaudio home content. ## ## ## ## Domain allowed access. ## ## # interface(`pulseaudio_read_home_files',` refpolicywarn(`$0($*) has been deprecated, use pulseaudio_read_home() instead.') pulseaudio_read_home($1) ') ######################################## ## ## Read pulseaudio home content. ## ## ## ## Domain allowed access. ## ## # interface(`pulseaudio_read_home',` gen_require(` type pulseaudio_home_t; ') userdom_search_user_home_dirs($1) allow $1 pulseaudio_home_t:dir list_dir_perms; allow $1 pulseaudio_home_t:file read_file_perms; allow $1 pulseaudio_home_t:lnk_file read_lnk_file_perms; ') ######################################## ## ## Read and write Pulse Audio files. ## ## ## ## Domain allowed access. ## ## # interface(`pulseaudio_rw_home_files',` gen_require(` type pulseaudio_home_t; ') userdom_search_user_home_dirs($1) rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t) ') ######################################## ## ## Create, read, write, and delete ## pulseaudio home content. ## ## ## ## Domain allowed access. ## ## # interface(`pulseaudio_manage_home_files',` refpolicywarn(`$0($*) has been deprecated, use pulseaudio_manage_home() instead.') pulseaudio_manage_home($1) ') ######################################## ## ## Create, read, write, and delete ## pulseaudio home content. ## ## ## ## Domain allowed access. ## ## # interface(`pulseaudio_manage_home',` gen_require(` type pulseaudio_home_t; ') userdom_search_user_home_dirs($1) allow $1 pulseaudio_home_t:dir manage_dir_perms; allow $1 pulseaudio_home_t:file manage_file_perms; allow $1 pulseaudio_home_t:lnk_file manage_lnk_file_perms; ') ######################################## ## ## Create objects in user home ## directories with the pulseaudio ## home type. ## ## ## ## Domain allowed access. ## ## ## ## ## Class of the object being created. ## ## ## ## ## The name of the object being created. ## ## # interface(`pulseaudio_home_filetrans_pulseaudio_home',` gen_require(` type pulseaudio_home_t; ') userdom_user_home_dir_filetrans($1, pulseaudio_home_t, $2, $3) ') ######################################## ## ## Make the specified tmpfs file type ## pulseaudio tmpfs content. ## ## ## ## File type to make pulseaudio tmpfs content. ## ## # interface(`pulseaudio_tmpfs_content',` gen_require(` attribute pulseaudio_tmpfsfile; ') typeattribute $1 pulseaudio_tmpfsfile; ') # Below are Gentoo specifics but ifdef distro_gentoo cannot be used in interfaces ######################################## ## ## Mark the specified domain as a PulseAudio client domain ## and the related tmpfs file type as a (shared) PulseAudio tmpfs ## file type used for the shared memory access ## ## ## ## Domain to become a PulseAudio client domain ## ## ## ## ## Tmpfs type used for shared memory of the given domain ## ## # interface(`pulseaudio_client_domain',` pulseaudio_domtrans($1) pulseaudio_tmpfs_content($2) ') ####################################### ## ## Read pulseaudio tmpfs files. ## ## ## ## Domain allowed access. ## ## # interface(`pulseaudio_read_tmpfs_files',` gen_require(` type pulseaudio_tmpfs_t; ') fs_search_tmpfs($1) read_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) ') ####################################### ## ## Read and write pulseaudio tmpfs ## files. ## ## ## ## Domain allowed access. ## ## # interface(`pulseaudio_rw_tmpfs_files',` gen_require(` type pulseaudio_tmpfs_t; ') fs_search_tmpfs($1) rw_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t) ')