[refpolicy] [alsa patch 1/1] Interaction with alsa home content by confined users.

All of lore.kernel.org
 help / color / mirror / Atom feed

From: domg472@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [alsa patch 1/1] Interaction with alsa home content by confined users.
Date: Wed, 8 Sep 2010 12:41:12 +0200	[thread overview]
Message-ID: <20100908104106.GA31213@localhost.localdomain> (raw)

Confined users can manage and relabel alsa home files.

Plus some cleanups inspired by example policy.

Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 69aa742... 376f4f7... M	policy/modules/admin/alsa.if
:100644 100644 0c9876c... f9c23ed... M	policy/modules/roles/staff.te
:100644 100644 2a19751... db0ebdd... M	policy/modules/roles/sysadm.te
:100644 100644 e8a507d... a7620a4... M	policy/modules/roles/unprivuser.te
 policy/modules/admin/alsa.if       |   53 +++++++++++++++++++++++++++++++-----
 policy/modules/roles/staff.te      |    5 +++
 policy/modules/roles/sysadm.te     |    5 +++
 policy/modules/roles/unprivuser.te |    5 +++
 4 files changed, 61 insertions(+), 7 deletions(-)

diff --git a/policy/modules/admin/alsa.if b/policy/modules/admin/alsa.if
index 69aa742..376f4f7 100644
--- a/policy/modules/admin/alsa.if
+++ b/policy/modules/admin/alsa.if
@@ -2,7 +2,7 @@
 
 ########################################
 ## <summary>
-##	Execute a domain transition to run Alsa.
+##	Transition to the alsa domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -16,12 +16,13 @@ interface(`alsa_domtrans',`
 	')
 
 	corecmd_search_bin($1)
+	files_search_usr($1)
 	domtrans_pattern($1, alsa_exec_t, alsa_t)
 ')
 
 ########################################
 ## <summary>
-##	Read and write Alsa semaphores.
+##	Read and write alsa semaphores.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -39,7 +40,7 @@ interface(`alsa_rw_semaphores',`
 
 ########################################
 ## <summary>
-##	Read and write Alsa shared memory.
+##	Read and write alsa shared memory.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -57,7 +58,7 @@ interface(`alsa_rw_shared_mem',`
 
 ########################################
 ## <summary>
-##	Read writable Alsa config files.
+##	Read writable alsa configuration files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -82,7 +83,7 @@ interface(`alsa_read_rw_config',`
 
 ########################################
 ## <summary>
-##	Manage writable Alsa config files.
+##	Create, read, write, and delete writable alsa configuration files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -107,7 +108,26 @@ interface(`alsa_manage_rw_config',`
 
 ########################################
 ## <summary>
-##	Read Alsa home files.
+##	Manage alsa home files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`alsa_manage_home_files', `
+	gen_require(`
+		type alsa_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 alsa_home_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Read alsa home files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -126,7 +146,26 @@ interface(`alsa_read_home_files',`
 
 ########################################
 ## <summary>
-##	Read Alsa lib files.
+##	Relabel alsa home files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`alsa_relabel_home_files', `
+	gen_require(`
+		type alsa_home_t;
+	')
+
+	userdom_search_user_home_dirs($1)
+	allow $1 alsa_home_t:file relabel_file_perms;
+')
+
+########################################
+## <summary>
+##	Read alsa lib files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 0c9876c..f9c23ed 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -53,6 +53,11 @@ optional_policy(`
 
 ifndef(`distro_redhat',`
 	optional_policy(`
+		alsa_manage_home_files(staff_t)
+		alsa_relabel_home_files(staff_t)
+	')
+
+	optional_policy(`
 		auth_role(staff_r, staff_t)
 	')
 
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 2a19751..db0ebdd 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -399,6 +399,11 @@ optional_policy(`
 
 ifndef(`distro_redhat',`
 	optional_policy(`
+		alsa_manage_home_files(sysadm_t)
+		alsa_relabel_home_files(sysadm_t)
+	')
+
+	optional_policy(`
 		auth_role(sysadm_r, sysadm_t)
 	')
 
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index e8a507d..a7620a4 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -26,6 +26,11 @@ optional_policy(`
 
 ifndef(`distro_redhat',`
 	optional_policy(`
+		alsa_manage_home_files(user_t)
+		alsa_relabel_home_files(user_t)
+	')
+
+	optional_policy(`
 		auth_role(user_r, user_t)
 	')
 
-- 
1.7.2.1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100908/34c0bd17/attachment.bin

next             reply	other threads:[~2010-09-08 10:41 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-09-08 10:41 Dominick Grift [this message]
2010-09-09 12:55 ` [refpolicy] [alsa patch 1/1] Interaction with alsa home content by confined users Christopher J. PeBenito
2010-09-09 12:57   ` Dominick Grift
2010-09-09 13:48     ` Daniel J Walsh
2010-09-09 14:59       ` Christopher J. PeBenito
2010-09-09 15:10         ` Dominick Grift
2010-09-09 18:13           ` Daniel J Walsh

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:69aa742 dfblob:376f4f7 dfblob:0c9876c dfblob:f9c23ed
dfblob:2a19751 dfblob:db0ebdd dfblob:e8a507d dfblob:a7620a4 )
 OR (
bs:"[refpolicy] [alsa patch 1/1] Interaction with alsa home content by confined users." )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20100908104106.GA31213@localhost.localdomain \
    --to=domg472@gmail.com \
    --cc=refpolicy@oss.tresys.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.