1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
|
policy_module(alsa, 1.18.1)
########################################
#
# Declarations
#
attribute_role alsa_roles;
type alsa_t;
type alsa_exec_t;
init_system_domain(alsa_t, alsa_exec_t)
role alsa_roles types alsa_t;
type alsa_etc_t alias alsa_etc_rw_t;
files_config_file(alsa_etc_t)
type alsa_home_t;
userdom_user_home_content(alsa_home_t)
type alsa_runtime_t;
files_pid_file(alsa_runtime_t)
type alsa_tmp_t;
files_tmp_file(alsa_tmp_t)
type alsa_tmpfs_t;
files_tmpfs_file(alsa_tmpfs_t)
type alsa_unit_t;
init_unit_file(alsa_unit_t)
type alsa_var_lib_t;
files_type(alsa_var_lib_t)
type alsa_var_lock_t;
files_lock_file(alsa_var_lock_t)
########################################
#
# Local policy
#
allow alsa_t self:capability { dac_override dac_read_search ipc_owner setgid setuid };
# kill : kill pulseaudio
dontaudit alsa_t self:capability { kill sys_admin };
allow alsa_t self:sem create_sem_perms;
allow alsa_t self:shm create_shm_perms;
allow alsa_t self:unix_stream_socket { accept listen };
allow alsa_t alsa_home_t:file read_file_perms;
list_dirs_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
read_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
read_lnk_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
allow alsa_t alsa_etc_t:file map;
can_exec(alsa_t, alsa_exec_t)
allow alsa_t alsa_runtime_t:dir manage_dir_perms;
allow alsa_t alsa_runtime_t:lnk_file manage_lnk_file_perms;
files_pid_filetrans(alsa_t, alsa_runtime_t, dir)
manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
files_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
userdom_user_tmp_filetrans(alsa_t, alsa_tmp_t, { dir file })
allow alsa_t alsa_tmpfs_t:file { manage_file_perms map };
fs_tmpfs_filetrans(alsa_t, alsa_tmpfs_t, file)
manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
allow alsa_t alsa_var_lock_t:file manage_file_perms;
files_lock_filetrans(alsa_t, alsa_var_lock_t, file)
kernel_read_system_state(alsa_t)
corecmd_exec_bin(alsa_t)
dev_getattr_fs(alsa_t)
dev_read_input(alsa_t)
dev_read_sound(alsa_t)
dev_read_sysfs(alsa_t)
dev_read_urand(alsa_t)
dev_write_sound(alsa_t)
files_read_usr_files(alsa_t)
files_search_var_lib(alsa_t)
fs_getattr_tmpfs(alsa_t)
term_dontaudit_use_console(alsa_t)
term_dontaudit_use_generic_ptys(alsa_t)
term_dontaudit_use_all_ptys(alsa_t)
auth_use_nsswitch(alsa_t)
logging_send_syslog_msg(alsa_t)
miscfiles_read_localization(alsa_t)
userdom_manage_unpriv_user_semaphores(alsa_t)
userdom_manage_unpriv_user_shared_mem(alsa_t)
userdom_search_user_home_dirs(alsa_t)
optional_policy(`
hal_use_fds(alsa_t)
hal_write_log(alsa_t)
')
ifdef(`distro_gentoo',`
# alsa_domain - see http://oss.tresys.com/pipermail/refpolicy/2014-March/007029.html
# http://oss.tresys.com/pipermail/refpolicy/2014-April/007044.html
attribute alsadomain;
attribute alsatmpfsfile;
typeattribute alsa_t alsadomain;
################################
#
# alsadomain policy
#
allow alsadomain alsadomain:sem create_sem_perms;
allow alsadomain alsadomain:shm rw_shm_perms;
allow alsadomain alsatmpfsfile:file rw_file_perms;
# ALSA applications need access to /usr/share/alsa/*
files_read_usr_files(alsadomain)
alsa_read_config(alsadomain)
alsa_read_home_files(alsadomain)
')
|
GitWeb