commit: c41bce39e4cc5a7ae57a5a305ab8e7bb1618fcf7 Author: Kenton Groombridge <me <AT> concord <DOT> sh> AuthorDate: Wed Oct 13 18:42:42 2021 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Sat Nov 20 22:58:24 2021 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c41bce39
mpd, pulseaudio: split domtrans and client access Split `pulseaudio_domtrans()` into two interfaces: one that grants transition access and the other the `pulseaudio_client` attribute. This fixes a build error because calls to `pulseaudio_domtrans()` by the role would associate the client attribute with the user exec domain attribute. Signed-off-by: Kenton Groombridge <me <AT> concord.sh> Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> policy/modules/apps/pulseaudio.if | 26 ++++++++++++++++++++------ policy/modules/services/mpd.te | 1 + 2 files changed, 21 insertions(+), 6 deletions(-) diff --git a/policy/modules/apps/pulseaudio.if b/policy/modules/apps/pulseaudio.if index 5a2c2a83..1796b771 100644 --- a/policy/modules/apps/pulseaudio.if +++ b/policy/modules/apps/pulseaudio.if @@ -59,6 +59,25 @@ template(`pulseaudio_role',` ') ') +######################################## +## <summary> +## Connect to pulseaudio and manage +## pulseaudio config data. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`pulseaudio_client_domain',` + gen_require(` + attribute pulseaudio_client; + ') + + typeattribute $1 pulseaudio_client; +') + ######################################## ## <summary> ## Execute a domain transition to run pulseaudio. @@ -71,12 +90,9 @@ template(`pulseaudio_role',` # interface(`pulseaudio_domtrans',` gen_require(` - attribute pulseaudio_client; type pulseaudio_t, pulseaudio_exec_t; ') - typeattribute $1 pulseaudio_client; - corecmd_search_bin($1) domtrans_pattern($1, pulseaudio_exec_t, pulseaudio_t) ') @@ -100,12 +116,10 @@ interface(`pulseaudio_domtrans',` # interface(`pulseaudio_run',` gen_require(` - attribute pulseaudio_client; attribute_role pulseaudio_roles; ') - typeattribute $1 pulseaudio_client; - + pulseaudio_client_domain($1) pulseaudio_domtrans($1) roleattribute $2 pulseaudio_roles; ') 
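Review bot: The header of the new `pulseaudio_client_domain` describes permissions ("Connect to pulseaudio and manage pulseaudio config data") that the interface body does not itself grant. Its only statement is `typeattribute $1 pulseaudio_client;`, so the effective access is whatever rules are attached to that attribute elsewhere, which this diff does not show. I would state that in the summary, e.g. `## Associate the domain with the pulseaudio_client attribute.`, so a policy reviewer knows to audit the attribute's rules. Because the commit message traces the build error to this association being applied to an attribute, the param text could read `## Type (not an attribute) to be made a pulseaudio client.`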
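Review bot: `pulseaudio_domtrans` stops granting `pulseaudio_client` in the second hunk, and within this commit only `pulseaudio_run` and mpd.te are adjusted to add it back. Any other caller of `pulseaudio_domtrans()` would keep the transition but lose client access, most likely showing up as AVC denials at runtime rather than as a build failure. No such callers are visible here, so this needs a search across the policy tree. The narrower grant is the better least-privilege default, but it should be documented in the interface header, which begins outside this hunk, with a line such as `## This does not make the domain a pulseaudio client; use pulseaudio_client_domain() for that.`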
diff --git a/policy/modules/services/mpd.te b/policy/modules/services/mpd.te index 4a0650df..3ba4a896 100644 --- a/policy/modules/services/mpd.te +++ b/policy/modules/services/mpd.te @@ -182,6 +182,7 @@ optional_policy(` ') optional_policy(` + pulseaudio_client_domain(mpd_t) pulseaudio_domtrans(mpd_t) ')
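Review bot: `mpd_t` keeps both grants in this `optional_policy` block, which preserves the earlier behaviour but does not use the separation the commit introduces. If mpd only connects to an already running pulseaudio and never executes it (this diff does not show which), `pulseaudio_domtrans(mpd_t)` could be dropped so the daemon holds client access alone. If both are needed, a one-line comment such as `# mpd is a pulseaudio client and may also start the daemon` above the two calls would record why.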