commit:     c62aca80448084d3dd1a37ef55866a1de76e540c
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Aug 14 18:33:24 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:46:55 2016 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c62aca80

Update the alsa module so that the alsa_etc_t file context (previously 
alsa_etc_rw_t) is widened to the whole alsa share directory, instead of just a 
couple of files.

The wrong and misleading _rw_ label has been deprecated in the alsa
interface definitions and in their instances throughout the whole
Reference Policy (static and system-wide configuration files are
not runtime-writable). A deprecation warning is printed when a
policy uses the old names of the above-mentioned alsa interfaces.

After applying this patch, the recent pulseaudio patch should also
be applied to complete the removal of the _rw_ labels on the alsa
interfaces.

This version of the patch finally removes obsolete file contexts and
grants read permissions instead of manage permissions for static
configuration files in /usr/share/alsa and system-wide configuration
files in /etc.

Thanks to Dominick Grift for pointing out redundant interface usage
in a previous version of this patch.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/contrib/alsa.fc     |  9 +++----
 policy/modules/contrib/alsa.if     | 52 ++++++++++++++++++++++++++++++--------
 policy/modules/contrib/alsa.te     | 10 ++++----
 policy/modules/contrib/asterisk.te |  2 +-
 policy/modules/contrib/entropyd.te |  2 +-
 policy/modules/contrib/hal.te      |  2 +-
 policy/modules/contrib/mpd.te      |  2 +-
 policy/modules/contrib/mplayer.te  |  2 +-
 8 files changed, 55 insertions(+), 26 deletions(-)

diff --git a/policy/modules/contrib/alsa.fc b/policy/modules/contrib/alsa.fc
index a8c8a64..112fc62 100644
--- a/policy/modules/contrib/alsa.fc
+++ b/policy/modules/contrib/alsa.fc
@@ -6,10 +6,8 @@ ifdef(`distro_debian',`
 
 /bin/alsaunmute        --      gen_context(system_u:object_r:alsa_exec_t,s0)
 
-/etc/alsa/asound\.state        --      
gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/etc/alsa/pcm(/.*)?    gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/etc/asound(/.*)?      gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/etc/asound\.state     --      gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/etc/alsa(/.*)?                gen_context(system_u:object_r:alsa_etc_t,s0)
+/etc/asound\.conf      gen_context(system_u:object_r:alsa_etc_t,s0)
 
 /sbin/alsactl  --      gen_context(system_u:object_r:alsa_exec_t,s0)
 /sbin/salsa    --      gen_context(system_u:object_r:alsa_exec_t,s0)
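Review bot: `/etc/asound\.conf` on the added line is the only single-file entry in this block written without the `--` object-class qualifier, while the neighbouring `/bin/alsaunmute --` and the removed `/etc/alsa/asound\.state --` both carry it; as written the pattern would also label a directory or symlink of that name alsa_etc_t. Suggest `/etc/asound\.conf -- gen_context(system_u:object_r:alsa_etc_t,s0)` for consistency with the rest of the file. Note also that the removed `/etc/asound\.state` entry gets no replacement, so that path now falls back to the parent directory's default label (presumably etc_t); that is fine only if no supported distribution still writes state there.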
@@ -25,8 +23,7 @@ ifdef(`distro_debian',`
 /usr/sbin/alsactl      --      gen_context(system_u:object_r:alsa_exec_t,s0)
 /usr/sbin/salsa        --      gen_context(system_u:object_r:alsa_exec_t,s0)
 
-/usr/share/alsa/alsa\.conf     gen_context(system_u:object_r:alsa_etc_rw_t,s0)
-/usr/share/alsa/pcm(/.*)?      gen_context(system_u:object_r:alsa_etc_rw_t,s0)
+/usr/share/alsa(/.*)?          gen_context(system_u:object_r:alsa_etc_t,s0)
 
 /var/lib/alsa(/.*)?    gen_context(system_u:object_r:alsa_var_lib_t,s0)
 

diff --git a/policy/modules/contrib/alsa.if b/policy/modules/contrib/alsa.if
index 38bbf80..9ffed04 100644
--- a/policy/modules/contrib/alsa.if
+++ b/policy/modules/contrib/alsa.if
@@ -102,7 +102,8 @@ interface(`alsa_rw_shared_mem',`
 
 ########################################
 ## <summary>
-##     Read writable Alsa configuration content.
+##     Read writable Alsa configuration
+##     content.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -111,14 +112,29 @@ interface(`alsa_rw_shared_mem',`
 ## </param>
 #
 interface(`alsa_read_rw_config',`
+       refpolicywarn(`$0($*) has been deprecated, use alsa_read_config() 
instead.')
+       alsa_read_config($1)
+')
+
+########################################
+## <summary>
+##     Read Alsa configuration content.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`alsa_read_config',`
        gen_require(`
-               type alsa_etc_rw_t;
+               type alsa_etc_t;
        ')
 
        files_search_etc($1)
-       allow $1 alsa_etc_rw_t:dir list_dir_perms;
-       read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
-       read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
+       allow $1 alsa_etc_t:dir list_dir_perms;
+       read_files_pattern($1, alsa_etc_t, alsa_etc_t)
+       read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t)
 
        ifdef(`distro_debian',`
                files_search_usr($1)
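Review bot: The new `alsa_read_config` grants `files_search_usr($1)` only inside the `ifdef(`distro_debian',` block at the end of the hunk, yet the alsa.fc change in this same commit labels `/usr/share/alsa(/.*)?` as alsa_etc_t with no visible distro guard, so on non-Debian builds a caller that does not already get search on usr_t from elsewhere cannot traverse to the share directory it is now meant to read. If the fc entry is indeed unconditional (it sits next to the unconditional `/usr/sbin/alsactl` entries), the call should be too: replace the ifdef block with a bare `files_search_usr($1)`. The interface body continues past the end of the hunk, so I cannot see whether anything after the ifdef already covers this.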
@@ -127,7 +143,8 @@ interface(`alsa_read_rw_config',`
 
 ########################################
 ## <summary>
-##     Manage writable Alsa config files.
+##     Manage writable Alsa config
+##     files.  (Deprecated)
 ## </summary>
 ## <param name="domain">
 ##     <summary>
@@ -136,14 +153,29 @@ interface(`alsa_read_rw_config',`
 ## </param>
 #
 interface(`alsa_manage_rw_config',`
+       refpolicywarn(`$0($*) has been deprecated, use alsa_manage_config() 
instead.')
+       alsa_manage_config($1)
+')
+
+########################################
+## <summary>
+##     Manage Alsa config files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`alsa_manage_config',`
        gen_require(`
-               type alsa_etc_rw_t;
+               type alsa_etc_t;
        ')
 
        files_search_etc($1)
-       allow $1 alsa_etc_rw_t:dir list_dir_perms;
-       manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
-       read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t)
+       allow $1 alsa_etc_t:dir list_dir_perms;
+       manage_files_pattern($1, alsa_etc_t, alsa_etc_t)
+       read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t)
 
        ifdef(`distro_debian',`
                files_search_usr($1)
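Review bot: The summary of the new `alsa_manage_config` says only `Manage Alsa config files.`, which hides that after this commit alsa_etc_t spans the whole of `/usr/share/alsa` and `/etc/alsa` — content the commit message itself calls static and not runtime-writable, and which every domain given `alsa_read_config` parses. A domain granted this interface can therefore change configuration consumed by every other audio-using domain, so the docstring should say so and steer callers, e.g. `## Manage Alsa config files.  These are static, system-wide` / `## configuration files read by every ALSA client; grant only` / `## to administrative or package-management domains.` The deprecated `alsa_manage_rw_config` wrapper inherits the same caveat. The interface body continues past the end of the hunk.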

diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te
index 17bb145..b08ab0c 100644
--- a/policy/modules/contrib/alsa.te
+++ b/policy/modules/contrib/alsa.te
@@ -12,8 +12,8 @@ type alsa_exec_t;
 init_system_domain(alsa_t, alsa_exec_t)
 role alsa_roles types alsa_t;
 
-type alsa_etc_rw_t;
-files_config_file(alsa_etc_rw_t)
+type alsa_etc_t;
+files_config_file(alsa_etc_t)
 
 type alsa_tmp_t;
 files_tmp_file(alsa_tmp_t)
@@ -46,9 +46,9 @@ allow alsa_t self:unix_stream_socket { accept listen };
 
 allow alsa_t alsa_home_t:file read_file_perms;
 
-manage_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
-manage_lnk_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t)
-files_etc_filetrans(alsa_t, alsa_etc_rw_t, file)
+list_dirs_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
+read_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
+read_lnk_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
 
 can_exec(alsa_t, alsa_exec_t)
 

diff --git a/policy/modules/contrib/asterisk.te 
b/policy/modules/contrib/asterisk.te
index fc25311..e901010 100644
--- a/policy/modules/contrib/asterisk.te
+++ b/policy/modules/contrib/asterisk.te
@@ -156,7 +156,7 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t)
 userdom_dontaudit_search_user_home_dirs(asterisk_t)
 
 optional_policy(`
-       alsa_read_rw_config(asterisk_t)
+       alsa_read_config(asterisk_t)
 ')
 
 optional_policy(`

diff --git a/policy/modules/contrib/entropyd.te 
b/policy/modules/contrib/entropyd.te
index e82f4f5..5068fab 100644
--- a/policy/modules/contrib/entropyd.te
+++ b/policy/modules/contrib/entropyd.te
@@ -68,7 +68,7 @@ tunable_policy(`entropyd_use_audio',`
 optional_policy(`
        tunable_policy(`entropyd_use_audio',`
                alsa_read_lib(entropyd_t)
-               alsa_read_rw_config(entropyd_t)
+               alsa_read_config(entropyd_t)
        ')
 ')
 

diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te
index bbccc79..2081d14 100644
--- a/policy/modules/contrib/hal.te
+++ b/policy/modules/contrib/hal.te
@@ -213,7 +213,7 @@ userdom_dontaudit_search_user_home_dirs(hald_t)
 
 optional_policy(`
        alsa_domtrans(hald_t)
-       alsa_read_rw_config(hald_t)
+       alsa_read_config(hald_t)
 ')
 
 optional_policy(`

diff --git a/policy/modules/contrib/mpd.te b/policy/modules/contrib/mpd.te
index 01ded5d..f6f9195 100644
--- a/policy/modules/contrib/mpd.te
+++ b/policy/modules/contrib/mpd.te
@@ -179,7 +179,7 @@ tunable_policy(`mpd_use_nfs',`
 ')
 
 optional_policy(`
-       alsa_read_rw_config(mpd_t)
+       alsa_read_config(mpd_t)
 ')
 
 optional_policy(`

diff --git a/policy/modules/contrib/mplayer.te 
b/policy/modules/contrib/mplayer.te
index 26ff9aa..e70ee72 100644
--- a/policy/modules/contrib/mplayer.te
+++ b/policy/modules/contrib/mplayer.te
@@ -257,7 +257,7 @@ tunable_policy(`allow_mplayer_execstack',`
 ')
 
 optional_policy(`
-       alsa_read_rw_config(mplayer_t)
+       alsa_read_config(mplayer_t)
 ')
 
 optional_policy(`
