## Pulseaudio network sound server.
########################################
##
## Role access for pulseaudio.
##
##
##
## Role allowed access.
##
##
##
##
## User domain for the role.
##
##
#
interface(`pulseaudio_role',`
gen_require(`
attribute pulseaudio_tmpfsfile;
type pulseaudio_t, pulseaudio_home_t, pulseaudio_tmpfs_t;
type pulseaudio_tmp_t;
')
pulseaudio_run($2, $1)
allow $2 pulseaudio_t:process { ptrace signal_perms };
allow $2 pulseaudio_t:fd use;
ps_process_pattern($2, pulseaudio_t)
allow $2 pulseaudio_home_t:dir { manage_dir_perms relabel_dir_perms };
allow $2 pulseaudio_home_t:file { manage_file_perms relabel_file_perms };
allow $2 pulseaudio_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:dir { manage_dir_perms relabel_dir_perms };
allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms };
allow $2 pulseaudio_tmp_t:dir { manage_dir_perms relabel_dir_perms };
allow $2 pulseaudio_tmp_t:file { manage_file_perms relabel_file_perms };
allow $2 pulseaudio_tmp_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
allow pulseaudio_t $2:unix_stream_socket connectto;
')
########################################
##
## Execute a domain transition to run pulseaudio.
##
##
##
## Domain allowed to transition.
##
##
#
interface(`pulseaudio_domtrans',`
gen_require(`
attribute pulseaudio_client;
type pulseaudio_t, pulseaudio_exec_t;
')
typeattribute $1 pulseaudio_client;
corecmd_search_bin($1)
domtrans_pattern($1, pulseaudio_exec_t, pulseaudio_t)
')
########################################
##
## Execute pulseaudio in the pulseaudio
## domain, and allow the specified role
## the pulseaudio domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## Role allowed access.
##
##
#
interface(`pulseaudio_run',`
gen_require(`
attribute_role pulseaudio_roles;
')
pulseaudio_domtrans($1)
roleattribute $2 pulseaudio_roles;
')
########################################
##
## Execute pulseaudio in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
interface(`pulseaudio_exec',`
gen_require(`
type pulseaudio_exec_t;
')
corecmd_search_bin($1)
can_exec($1, pulseaudio_exec_t)
')
########################################
##
## Do not audit attempts to execute pulseaudio.
##
##
##
## Domain to not audit.
##
##
#
interface(`pulseaudio_dontaudit_exec',`
gen_require(`
type pulseaudio_exec_t;
')
dontaudit $1 pulseaudio_exec_t:file exec_file_perms;
')
########################################
##
## Send null signals to pulseaudio.
## processes.
##
##
##
## Domain allowed access.
##
##
#
interface(`pulseaudio_signull',`
gen_require(`
type pulseaudio_t;
')
allow $1 pulseaudio_t:process signull;
')
########################################
##
## Use file descriptors for
## pulseaudio.
##
##
##
## Domain allowed access.
##
##
#
interface(`pulseaudio_use_fds',`
gen_require(`
type pulseaudio_t;
')
allow $1 pulseaudio_t:fd use;
')
########################################
##
## Do not audit attempts to use the
## file descriptors for pulseaudio.
##
##
##
## Domain allowed access.
##
##
#
interface(`pulseaudio_dontaudit_use_fds',`
gen_require(`
type pulseaudio_t;
')
dontaudit $1 pulseaudio_t:fd use;
')
#####################################
##
## Connect to pulseaudio with a unix
## domain stream socket.
##
##
##
## Domain allowed access.
##
##
#
interface(`pulseaudio_stream_connect',`
gen_require(`
type pulseaudio_t, pulseaudio_var_run_t, pulseaudio_tmp_t;
')
files_search_pids($1)
stream_connect_pattern($1, { pulseaudio_tmp_t pulseaudio_var_run_t }, { pulseaudio_tmp_t pulseaudio_var_run_t }, pulseaudio_t)
')
########################################
##
## Send and receive messages from
## pulseaudio over dbus.
##
##
##
## Domain allowed access.
##
##
#
interface(`pulseaudio_dbus_chat',`
gen_require(`
type pulseaudio_t;
class dbus send_msg;
')
allow $1 pulseaudio_t:dbus send_msg;
allow pulseaudio_t $1:dbus send_msg;
')
########################################
##
## Set attributes of pulseaudio home directories.
##
##
##
## Domain allowed access.
##
##
#
interface(`pulseaudio_setattr_home_dir',`
gen_require(`
type pulseaudio_home_t;
')
allow $1 pulseaudio_home_t:dir setattr_dir_perms;
')
########################################
##
## Read pulseaudio home content.
##
##
##
## Domain allowed access.
##
##
#
interface(`pulseaudio_read_home_files',`
refpolicywarn(`$0($*) has been deprecated, use pulseaudio_read_home() instead.')
pulseaudio_read_home($1)
')
########################################
##
## Read pulseaudio home content.
##
##
##
## Domain allowed access.
##
##
#
interface(`pulseaudio_read_home',`
gen_require(`
type pulseaudio_home_t;
')
userdom_search_user_home_dirs($1)
allow $1 pulseaudio_home_t:dir list_dir_perms;
allow $1 pulseaudio_home_t:file read_file_perms;
allow $1 pulseaudio_home_t:lnk_file read_lnk_file_perms;
')
########################################
##
## Read and write Pulse Audio files.
##
##
##
## Domain allowed access.
##
##
#
interface(`pulseaudio_rw_home_files',`
gen_require(`
type pulseaudio_home_t;
')
userdom_search_user_home_dirs($1)
rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
')
########################################
##
## Create, read, write, and delete
## pulseaudio home content.
##
##
##
## Domain allowed access.
##
##
#
interface(`pulseaudio_manage_home_files',`
refpolicywarn(`$0($*) has been deprecated, use pulseaudio_manage_home() instead.')
pulseaudio_manage_home($1)
')
########################################
##
## Create, read, write, and delete
## pulseaudio home content.
##
##
##
## Domain allowed access.
##
##
#
interface(`pulseaudio_manage_home',`
gen_require(`
type pulseaudio_home_t;
')
userdom_search_user_home_dirs($1)
allow $1 pulseaudio_home_t:dir manage_dir_perms;
allow $1 pulseaudio_home_t:file manage_file_perms;
allow $1 pulseaudio_home_t:lnk_file manage_lnk_file_perms;
')
########################################
##
## Create objects in user home
## directories with the pulseaudio
## home type.
##
##
##
## Domain allowed access.
##
##
##
##
## Class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
interface(`pulseaudio_home_filetrans_pulseaudio_home',`
gen_require(`
type pulseaudio_home_t;
')
userdom_user_home_dir_filetrans($1, pulseaudio_home_t, $2, $3)
')
########################################
##
## Make the specified tmpfs file type
## pulseaudio tmpfs content.
##
##
##
## File type to make pulseaudio tmpfs content.
##
##
#
interface(`pulseaudio_tmpfs_content',`
gen_require(`
attribute pulseaudio_tmpfsfile;
')
typeattribute $1 pulseaudio_tmpfsfile;
')
# Below are Gentoo specifics but ifdef distro_gentoo cannot be used in interfaces
########################################
##
## Mark the specified domain as a PulseAudio client domain
## and the related tmpfs file type as a (shared) PulseAudio tmpfs
## file type used for the shared memory access
##
##
##
## Domain to become a PulseAudio client domain
##
##
##
##
## Tmpfs type used for shared memory of the given domain
##
##
#
interface(`pulseaudio_client_domain',`
pulseaudio_domtrans($1)
pulseaudio_tmpfs_content($2)
')
#######################################
##
## Read pulseaudio tmpfs files.
##
##
##
## Domain allowed access.
##
##
#
interface(`pulseaudio_read_tmpfs_files',`
gen_require(`
type pulseaudio_tmpfs_t;
')
fs_search_tmpfs($1)
read_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
')
#######################################
##
## Read and write pulseaudio tmpfs
## files.
##
##
##
## Domain allowed access.
##
##
#
interface(`pulseaudio_rw_tmpfs_files',`
gen_require(`
type pulseaudio_tmpfs_t;
')
fs_search_tmpfs($1)
rw_files_pattern($1, pulseaudio_tmpfs_t, pulseaudio_tmpfs_t)
')