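## <summary>Pulseaudio network sound server.</summary>

########################################
## <summary>
##	Role access for pulseaudio
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
interface(`pulseaudio_role',`
	# Require only the types the rules below reference. Requiring an
	# unused type forces every caller of this interface to depend on
	# the module that declares it.
	gen_require(`
		type pulseaudio_t, pulseaudio_exec_t;
		class dbus { acquire_svc send_msg };
	')

	# Authorise the role for the pulseaudio type. Without this the
	# transition below is refused as a role/type mismatch.
	role $1 types pulseaudio_t;

	# Transition from the user domain to the derived domain.
	domtrans_pattern($2, pulseaudio_exec_t, pulseaudio_t)

	# The user domain may inspect pulseaudio processes (ps).
	ps_process_pattern($2, pulseaudio_t)

	# Signals flow both ways, but only the user domain may sigkill.
	allow pulseaudio_t $2:process { signal signull };
	allow $2 pulseaudio_t:process { signal signull sigkill };

	# Review point: this also lets pulseaudio inspect every process
	# running in the user domain, not only its own clients.
	ps_process_pattern(pulseaudio_t, $2)

	# Either side may initiate a unix stream socket connection.
	allow pulseaudio_t $2:unix_stream_socket connectto;
	allow $2 pulseaudio_t:unix_stream_socket connectto;

	# NOTE(review): acquire_svc is granted with the user domain as the
	# target. Confirm this matches how the session bus is labelled.
	allow $2 pulseaudio_t:dbus send_msg;
	allow pulseaudio_t $2:dbus { acquire_svc send_msg };
')

########################################
## <summary>
##	Execute a domain transition to run pulseaudio.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`pulseaudio_domtrans',`
	gen_require(`
		type pulseaudio_t, pulseaudio_exec_t;
	')

	# Executing pulseaudio_exec_t from $1 enters pulseaudio_t.
	domtrans_pattern($1, pulseaudio_exec_t, pulseaudio_t)
')

########################################
## <summary>
##	Execute pulseaudio in the pulseaudio domain, and
##	allow the specified role the pulseaudio domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
interface(`pulseaudio_run',`
	gen_require(`
		type pulseaudio_t;
	')

	pulseaudio_domtrans($1)

	# The domain transition alone is not enough: the role must also
	# be authorised for pulseaudio_t.
	role $2 types pulseaudio_t;
')

########################################
## <summary>
##	Execute pulseaudio in the current domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`pulseaudio_exec',`
	gen_require(`
		type pulseaudio_exec_t;
	')

	# No transition: pulseaudio runs with the permissions of $1
	# instead of being confined to pulseaudio_t. Prefer
	# pulseaudio_domtrans or pulseaudio_run where confinement
	# is wanted.
	can_exec($1, pulseaudio_exec_t)
')

########################################
## <summary>
##	Do not audit attempts to execute pulseaudio.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`pulseaudio_dontaudit_exec',`
	gen_require(`
		type pulseaudio_exec_t;
	')

	# The access stays denied and only the AVC record is suppressed.
	# Disable dontaudit rules (semodule -DB) when investigating
	# denials that involve this type.
	dontaudit $1 pulseaudio_exec_t:file exec_file_perms;
')

########################################
## <summary>
##	Send signull signal to pulseaudio
##	processes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`pulseaudio_signull',`
	gen_require(`
		type pulseaudio_t;
	')

	# signull (signal 0) only probes whether the process exists.
	allow $1 pulseaudio_t:process signull;
')

#####################################
## <summary>
##	Connect to pulseaudio over a unix domain
##	stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`pulseaudio_stream_connect',`
	gen_require(`
		type pulseaudio_t, pulseaudio_var_run_t;
	')

	files_search_pids($1)

	# Liveness probes are allowed in both directions. The second rule
	# grants access to pulseaudio_t, not to the caller.
	allow $1 pulseaudio_t:process signull;
	allow pulseaudio_t $1:process signull;

	stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t)
')

########################################
## <summary>
##	Send and receive messages from
##	pulseaudio over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`pulseaudio_dbus_chat',`
	gen_require(`
		type pulseaudio_t;
		class dbus send_msg;
	')

	# Bidirectional: the caller also accepts messages from pulseaudio.
	allow $1 pulseaudio_t:dbus send_msg;
	allow pulseaudio_t $1:dbus send_msg;
')

########################################
## <summary>
##	Set the attributes of the pulseaudio homedir.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`pulseaudio_setattr_home_dir',`
	gen_require(`
		type pulseaudio_home_t;
	')

	allow $1 pulseaudio_home_t:dir setattr;
')

########################################
## <summary>
##	Read pulseaudio homedir files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`pulseaudio_read_home_files',`
	gen_require(`
		type pulseaudio_home_t;
	')

	userdom_search_user_home_dirs($1)
	read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
')

########################################
## <summary>
##	Read and write pulseaudio home directory files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`pulseaudio_rw_home_files',`
	gen_require(`
		type pulseaudio_home_t;
	')

	# Existing files only. Creating or deleting files needs
	# pulseaudio_manage_home_files.
	userdom_search_user_home_dirs($1)
	rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
')

########################################
## <summary>
##	Create, read, write, and delete pulseaudio
##	home directory files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`pulseaudio_manage_home_files',`
	gen_require(`
		type pulseaudio_home_t;
	')

	userdom_search_user_home_dirs($1)
	manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)

	# Symbolic links are readable only. This interface does not
	# allow creating or removing them.
	read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
')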