diff -Nur svn/policy/modules/services/soundserver.fc svn-soundserver/policy/modules/services/soundserver.fc
--- svn/policy/modules/services/soundserver.fc 2007-04-16 14:55:31.000000000 +0800
+++ svn-soundserver/policy/modules/services/soundserver.fc 2007-08-01 09:50:22.000000000 +0800
@@ -1,10 +1,28 @@
-/etc/nas(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0)
 /etc/yiff(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0)
-
-/usr/bin/nasd -- gen_context(system_u:object_r:soundd_exec_t,s0)
 /usr/bin/gpe-soundserver -- gen_context(system_u:object_r:soundd_exec_t,s0)
-
 /usr/sbin/yiff -- gen_context(system_u:object_r:soundd_exec_t,s0)
-
 /var/run/yiff-[0-9]+\.pid -- gen_context(system_u:object_r:soundd_var_run_t,s0)
 /var/state/yiff(/.*)? gen_context(system_u:object_r:soundd_state_t,s0)
+
+
+#
+# Following is for nas
+
+#
+# /usr/bin
+#
+
+/usr/bin/nasd -- gen_context(system_u:object_r:soundd_exec_t,s0)
+
+
+#
+# /tmp
+#
+/tmp/\.sockets -d gen_context(system_u:object_r:soundd_tmp_t,s0)
+/tmp/\.sockets/.* -s <>
+
+#
+# /etc
+#
+/etc/nas(/.*)? gen_context(system_u:object_r:soundd_etc_t,s0)
+
diff -Nur svn/policy/modules/services/soundserver.if svn-soundserver/policy/modules/services/soundserver.if
--- svn/policy/modules/services/soundserver.if 2007-04-16 14:55:35.000000000 +0800
+++ svn-soundserver/policy/modules/services/soundserver.if 2007-08-01 09:50:22.000000000 +0800
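Review bot: The context on the new `/tmp/\.sockets/.* -s <>` line is not a valid label as printed; a file_contexts entry takes either a full `gen_context(...)` security context or the keyword `<<none>>`, and if `<<none>>` was intended (this rendering strips angle-bracket tags, which would leave exactly `<>`), restorecon will never relabel sockets under /tmp/.sockets, so their type rests entirely on the `files_tmp_filetrans` rule in soundserver.te. Worth confirming the spec in the committed file and, if `<<none>>` is deliberate, preceding it with a comment such as `# sockets keep the type assigned at creation by soundd_t; not relabeled` so the next reader does not take it for a typo. The `/tmp/\.sockets -d` entry also means a relabel will hand soundd_tmp_t to a directory at a fixed, predictable path under /tmp regardless of who created it, so the daemon's handling of a pre-existing /tmp/.sockets it does not own should be checked before relying on this label. Minor: the `# Following is for nas` header lacks the closing `#` line that the `/usr/bin`, `/tmp` and `/etc` headers have.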
@@ -13,3 +13,64 @@
 interface(`soundserver_tcp_connect',`
 refpolicywarn(`$0($*) has been deprecated.')
 ')
+
+
+########################################
+##
+## Execute a domain transition to run soundserver.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`soundserver_domtrans',`
+ gen_require(`
+ type soundd_t, soundd_exec_t;
+ ')
+
+ domain_auto_trans($1,soundd_exec_t,soundd_t)
+
+ allow soundd_t $1:fd use;
+ allow soundd_t $1:fifo_file rw_file_perms;
+ allow soundd_t $1:process sigchld;
+')
+
+########################################
+##
+## Do not audit attempts to read,
+## soundserver tmp files
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`soundserver_dontaudit_read_tmp_files',`
+ gen_require(`
+ type soundd_tmp_t;
+ ')
+
+ dontaudit $1 soundd_tmp_t:file r_file_perms;
+')
+
+########################################
+##
+## Allow domain to read, soundserver tmp files
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`soundserver_read_tmp_files',`
+ gen_require(`
+ type soundd_tmp_t;
+ ')
+
+ dontaudit $1 soundd_tmp_t:file r_file_perms;
+')
+
diff -Nur svn/policy/modules/services/soundserver.te svn-soundserver/policy/modules/services/soundserver.te
--- svn/policy/modules/services/soundserver.te 2007-07-03 15:26:28.000000000 +0800
+++ svn-soundserver/policy/modules/services/soundserver.te 2007-08-01 09:51:59.000000000 +0800
@@ -1,5 +1,5 @@
-policy_module(soundserver,1.3.0)
+policy_module(soundserver,1.3.1)
 ########################################
 #
@@ -8,10 +8,13 @@
 type soundd_t;
 type soundd_exec_t;
+domain_type(soundd_t)
+domain_entry_file(soundd_t,soundd_exec_t)
 init_daemon_domain(soundd_t,soundd_exec_t)
 type soundd_etc_t alias etc_soundd_t;
-files_type(soundd_etc_t)
+#files_type(soundd_etc_t)
+files_config_file(soundd_etc_t)
 type soundd_state_t;
 files_type(soundd_state_t)
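Review bot: `soundserver_read_tmp_files` is a verbatim copy of the dontaudit interface above it: its body is `dontaudit $1 soundd_tmp_t:file r_file_perms;`, so a caller that asks for read access is granted nothing and, worse, has the resulting denials hidden from the audit log. The body should be `allow $1 soundd_tmp_t:file r_file_perms;` (or `read_files_pattern($1, soundd_tmp_t, soundd_tmp_t)` so directory search is covered too), and the copied parameter summary `Domain to not audit.` should read `Domain allowed access.`. In `soundserver_domtrans`, `domain_auto_trans` followed by the three `allow soundd_t $1:...` lines is what `domtrans_pattern($1, soundd_exec_t, soundd_t)` expands to, so the pattern macro is the conventional form here. None of the three interfaces lets a client domain reach the audio socket the .te places under soundd_tmp_t (`sock_file` write plus `soundd_t:unix_stream_socket connectto`), so nasd clients will presumably need a further interface before this module is usable from other policy.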
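Review bot: `domain_type(soundd_t)` and `domain_entry_file(soundd_t,soundd_exec_t)` duplicate what `init_daemon_domain(soundd_t,soundd_exec_t)` on the following line already declares, so both added lines can be dropped. `#files_type(soundd_etc_t)` is commented-out code sitting next to its replacement `files_config_file(soundd_etc_t)`; delete the line rather than keep it. No declaration of `soundd_tmp_t` (`type soundd_tmp_t;` with `files_tmp_file(soundd_tmp_t)`) appears in any hunk of this diff even though the .fc, the .if and the local-policy hunk all reference that type, so unless it sits on a line lost in this rendering — this hunk shows fewer lines than its `+8,13` header announces — the module will fail to build on the undeclared type.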
@@ -28,13 +31,32 @@
 ########################################
 #
-# Declarations
+# sound server local policy
 #
 dontaudit soundd_t self:capability sys_tty_config;
 allow soundd_t self:process { setpgid signal_perms };
+
 allow soundd_t self:tcp_socket create_stream_socket_perms;
 allow soundd_t self:udp_socket create_socket_perms;
+
+allow soundd_t self:unix_stream_socket { connectto create_stream_socket_perms };
+manage_sock_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
+files_tmp_filetrans(soundd_t, soundd_tmp_t, { file dir sock_file })
+
+
+# Remove /tmp/.sockets/audio$n
+delete_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
+delete_sock_files_pattern(soundd_t,soundd_tmp_t,soundd_tmp_t)
+
+allow soundd_t self:capability { dac_override };
+
+fs_getattr_all_fs(soundd_t)
+
+optional_policy(`
+ alsa_domtrans(soundd_t)
+')
+
 # for yiff
 allow soundd_t self:shm create_shm_perms;