diff --git a/policy/modules/admin/alsa.fc b/policy/modules/admin/alsa.fc index f5fc753..bc9a97a 100644 --- a/policy/modules/admin/alsa.fc +++ b/policy/modules/admin/alsa.fc @@ -12,9 +12,7 @@ HOME_DIR/\.asoundrc -- gen_context(system_u:object_r:alsa_home_t,s0) /usr/bin/ainit -- gen_context(system_u:object_r:alsa_exec_t,s0) -ifdef(`distro_debian', ` /usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0) /usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) -') /var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0) diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if index 090b5c9..30bfb08 100644 --- a/policy/modules/admin/alsa.if +++ b/policy/modules/admin/alsa.if @@ -1,8 +1,8 @@ -## <summary>Ainit ALSA configuration tool</summary> +## <summary>Ainit ALSA configuration tool.</summary> ######################################## ## <summary> -## Domain transition to alsa +## Execute a domain transition to run Alsa. ## </summary> ## <param name="domain"> ## <summary> @@ -15,13 +15,13 @@ interface(`alsa_domtrans',` type alsa_t, alsa_exec_t; ') - domtrans_pattern($1, alsa_exec_t, alsa_t) corecmd_search_bin($1) + domtrans_pattern($1, alsa_exec_t, alsa_t) ') ######################################## ## <summary> -## Allow read and write access to alsa semaphores. +## Read and write Alsa semaphores. ## </summary> ## <param name="domain"> ## <summary> @@ -39,7 +39,7 @@ interface(`alsa_rw_semaphores',` ######################################## ## <summary> -## Allow read and write access to alsa shared memory. +## Read and write Alsa shared memory. ## </summary> ## <param name="domain"> ## <summary> @@ -57,7 +57,7 @@ interface(`alsa_rw_shared_mem',` ######################################## ## <summary> -## Read alsa writable config files. +## Read writable Alsa config files. ## </summary> ## <param name="domain"> ## <summary> @@ -70,15 +70,20 @@ interface(`alsa_read_rw_config',` type alsa_etc_rw_t; ') + files_search_etc($1) allow $1 alsa_etc_rw_t:dir list_dir_perms; read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) files_search_etc($1) + + ifdef(`distro_debian',` + files_search_usr($1) + ') ') ######################################## ## <summary> -## Manage alsa writable config files. +## Manage writable Alsa config files. ## </summary> ## <param name="domain"> ## <summary> @@ -91,15 +96,40 @@ interface(`alsa_manage_rw_config',` type alsa_etc_rw_t; ') + files_search_etc($1) allow $1 alsa_etc_rw_t:dir list_dir_perms; manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) files_search_etc($1) + + ifdef(`distro_debian',` + files_search_usr($1) + ') ') ######################################## ## <summary> -## Read alsa lib files. +## Read Alsa home files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`alsa_read_home_files',` + gen_require(` + type alsa_home_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 alsa_home_t:file read_file_perms; +>>>>>>> .merge_file_D1FKe3 +') + +######################################## +## <summary> +## Read Alsa lib files. ## </summary> ## <param name="domain"> ## <summary> @@ -112,6 +142,7 @@ interface(`alsa_read_lib',` type alsa_var_lib_t; ') + files_search_var_lib($1) read_files_pattern($1, alsa_var_lib_t, alsa_var_lib_t) files_search_var_lib($1) ') diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te index ed1c3dc..0f227f1 100644 --- a/policy/modules/admin/alsa.te +++ b/policy/modules/admin/alsa.te @@ -1,4 +1,4 @@ -policy_module(alsa, 1.9.1) +policy_module(alsa, 1.9.2) ######################################## # @@ -51,7 +51,6 @@ dev_read_sysfs(alsa_t) corecmd_exec_bin(alsa_t) -files_search_home(alsa_t) files_read_etc_files(alsa_t) files_read_usr_files(alsa_t) diff --git a/policy/modules/kernel/filesystem.fc b/policy/modules/kernel/filesystem.fc index 41dfd80..e9a09e1 100644 --- a/policy/modules/kernel/filesystem.fc +++ b/policy/modules/kernel/filesystem.fc @@ -1,4 +1,5 @@ /dev/shm -d gen_context(system_u:object_r:tmpfs_t,s0) +/dev/shm/.* <<none>> /cgroup(/.*)? gen_context(system_u:object_r:cgroup_t,s0) /sys/fs/cgroup(/.*)? <<none>> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if index 3b34959..8d6d333 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -646,6 +646,7 @@ interface(`fs_search_cgroup_dirs',` ') search_dirs_pattern($1, cgroup_t, cgroup_t) + dev_search_sysfs($1) ') ######################################## @@ -664,6 +665,7 @@ interface(`fs_list_cgroup_dirs', ` ') list_dirs_pattern($1, cgroup_t, cgroup_t) + dev_search_sysfs($1) ') ######################################## @@ -682,6 +684,7 @@ interface(`fs_delete_cgroup_dirs', ` ') delete_dirs_pattern($1, cgroup_t, cgroup_t) + dev_search_sysfs($1) ') ######################################## @@ -701,6 +704,7 @@ interface(`fs_manage_cgroup_dirs',` ') manage_dirs_pattern($1, cgroup_t, cgroup_t) + dev_search_sysfs($1) ') ######################################## @@ -720,6 +724,7 @@ interface(`fs_read_cgroup_files',` ') read_files_pattern($1, cgroup_t, cgroup_t) + dev_search_sysfs($1) ') ######################################## @@ -738,6 +743,7 @@ interface(`fs_write_cgroup_files', ` ') write_files_pattern($1, cgroup_t, cgroup_t) + dev_search_sysfs($1) ') ######################################## @@ -757,6 +763,7 @@ interface(`fs_rw_cgroup_files',` ') rw_files_pattern($1, cgroup_t, cgroup_t) + dev_search_sysfs($1) ') ######################################## @@ -796,6 +803,7 @@ interface(`fs_manage_cgroup_files',` ') manage_files_pattern($1, cgroup_t, cgroup_t) + dev_search_sysfs($1) ') ######################################## diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te index 3f4cf3d..930062c 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -1,4 +1,4 @@ -policy_module(filesystem, 1.13.2) +policy_module(filesystem, 1.13.3) ######################################## #