[refpolicy] [PATCH 0/7] Small set of updates on non-contrib modules

[refpolicy] [PATCH 0/7] Small set of updates on non-contrib modules

[Sven Vermeulen]

Not sure about patch 5/7 if this is wanted/needed. It just seems like a good
idea to combine the rights as the dontaudit interface itself is meant to, well,
ignore certain behavior of applications. With the move to /sys/fs/selinux, these
applications would otherwise also need the dontaudit rules against the sysfs
parts, so I thought that making them part of the same dontaudit interface makes
sense.

Sven Vermeulen (7):
  Get grub2-install to work properly
  Support /sys/devices/system/cpu/online
  Mark f2fs as a xattr-enabled file system
  The security_t file system can be at /sys/fs/selinux
  Dontaudit access on security_t file system at /sys/fs/selinux
  Support named file transition for fixed_disk_device_t
  Alsasound init script writes asound.state file

 policy/modules/admin/bootloader.fc  |  2 ++
 policy/modules/kernel/devices.fc    |  1 +
 policy/modules/kernel/devices.if    | 61 +++++++++++++++++++++++++++++++++++++
 policy/modules/kernel/devices.te    |  7 +++++
 policy/modules/kernel/domain.te     |  2 ++
 policy/modules/kernel/filesystem.te |  1 +
 policy/modules/kernel/selinux.if    |  8 +++++
 policy/modules/kernel/storage.if    |  7 ++++-
 policy/modules/system/init.te       |  4 +++
 9 files changed, 92 insertions(+), 1 deletion(-)

-- 
1.8.1.5

[refpolicy] [PATCH 1/7] Get grub2-install to work properly

[Sven Vermeulen]

The grub2-install application runs a few grub2-* commands. Two of those,
grub2-bios-setup and grub2-probe, need read/write access to the (fixed) disks.

Mark those two applications as bootloader_exec_t (as is the case with the "grub"
legacy command in the past) allows the commands to continue.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/admin/bootloader.fc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
index 7a6f06f..2626ebf 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -7,3 +7,5 @@
 /sbin/ybin.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
 
 /usr/sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/grub2-bios-setup	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/grub2-probe	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
-- 
1.8.1.5

[refpolicy] [PATCH 1/7] Get grub2-install to work properly

[Christopher J. PeBenito]

On 08/17/2013 02:51 PM, Sven Vermeulen wrote:
> The grub2-install application runs a few grub2-* commands. Two of those,
> grub2-bios-setup and grub2-probe, need read/write access to the (fixed) disks.
> 
> Mark those two applications as bootloader_exec_t (as is the case with the "grub"
> legacy command in the past) allows the commands to continue.

Merged.

> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/admin/bootloader.fc | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
> index 7a6f06f..2626ebf 100644
> --- a/policy/modules/admin/bootloader.fc
> +++ b/policy/modules/admin/bootloader.fc
> @@ -7,3 +7,5 @@
>  /sbin/ybin.*		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
>  
>  /usr/sbin/grub		--	gen_context(system_u:object_r:bootloader_exec_t,s0)
> +/usr/sbin/grub2-bios-setup	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
> +/usr/sbin/grub2-probe	--	gen_context(system_u:object_r:bootloader_exec_t,s0)
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] [PATCH 2/7] Support /sys/devices/system/cpu/online

[Sven Vermeulen]

In glibc, the get_nprocs method reads /sys/devices/system/cpu/online, so we need
to grant most domains read access to this file. As we don't want them to have
read access on sysfs_t by default, create a new type (cpu_online_t) and assign
it to the file, and grant domains read access to the file.

This does require systems to relabel the file upon every boot, something
distributions do in their bootup scripts, as /sys devices don't keep their
context.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/kernel/devices.fc |  1 +
 policy/modules/kernel/devices.if | 25 +++++++++++++++++++++++++
 policy/modules/kernel/devices.te |  7 +++++++
 policy/modules/kernel/domain.te  |  2 ++
 4 files changed, 35 insertions(+)

diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index b31c054..d6ebfcd 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -199,6 +199,7 @@ ifdef(`distro_debian',`
 /lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
 
 /sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
+/sys/devices/system/cpu/online	--	gen_context(system_u:object_r:cpu_online_t,s0)
 
 ifdef(`distro_redhat',`
 # originally from named.fc
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 76f285e..49f0acb 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -4836,6 +4836,31 @@ interface(`dev_create_zero_dev',`
 
 ########################################
 ## <summary>
+##	Read cpu online hardware state information
+## </summary>
+## <desc>
+##	<p>
+##	Allow the specified domain to read /sys/devices/system/cpu/online
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_read_cpu_online',`
+	gen_require(`
+		type cpu_online_t;
+	')
+
+	allow $1 cpu_online_t:file read_file_perms;
+
+	dev_search_sysfs($1)
+')
+
+########################################
+## <summary>
 ##	Unconfined access to devices.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
index 0b1a871..0d7790c 100644
--- a/policy/modules/kernel/devices.te
+++ b/policy/modules/kernel/devices.te
@@ -60,6 +60,13 @@ type cpu_device_t;
 dev_node(cpu_device_t)
 
 #
+# /sys/devices/system/cpu/online device
+#
+type cpu_online_t;
+files_type(cpu_online_t)
+dev_associate_sysfs(cpu_online_t)
+
+#
 # Type for /dev/crash
 #
 type crash_device_t;
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index cf04cb5..ea5cdee 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -96,6 +96,8 @@ kernel_dontaudit_link_key(domain)
 # create child processes in the domain
 allow domain self:process { fork sigchld };
 
+# glibc get_nprocs requires read access to /sys/devices/system/cpu/online
+dev_read_cpu_online(domain)
 # Use trusted objects in /dev
 dev_rw_null(domain)
 dev_rw_zero(domain)
-- 
1.8.1.5

[refpolicy] [PATCH 2/7] Support /sys/devices/system/cpu/online

[Christopher J. PeBenito]

On 08/17/2013 02:51 PM, Sven Vermeulen wrote:
> In glibc, the get_nprocs method reads /sys/devices/system/cpu/online, so we need
> to grant most domains read access to this file. As we don't want them to have
> read access on sysfs_t by default, create a new type (cpu_online_t) and assign
> it to the file, and grant domains read access to the file.
> 
> This does require systems to relabel the file upon every boot, something
> distributions do in their bootup scripts, as /sys devices don't keep their
> context.

Adding permissions to all domains shouldn't be taken lightly, so I'll have to do some additional research.

> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/kernel/devices.fc |  1 +
>  policy/modules/kernel/devices.if | 25 +++++++++++++++++++++++++
>  policy/modules/kernel/devices.te |  7 +++++++
>  policy/modules/kernel/domain.te  |  2 ++
>  4 files changed, 35 insertions(+)
> 
> diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
> index b31c054..d6ebfcd 100644
> --- a/policy/modules/kernel/devices.fc
> +++ b/policy/modules/kernel/devices.fc
> @@ -199,6 +199,7 @@ ifdef(`distro_debian',`
>  /lib/udev/devices/zero	-c	gen_context(system_u:object_r:zero_device_t,s0)
>  
>  /sys(/.*)?			gen_context(system_u:object_r:sysfs_t,s0)
> +/sys/devices/system/cpu/online	--	gen_context(system_u:object_r:cpu_online_t,s0)
>  
>  ifdef(`distro_redhat',`
>  # originally from named.fc
> diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> index 76f285e..49f0acb 100644
> --- a/policy/modules/kernel/devices.if
> +++ b/policy/modules/kernel/devices.if
> @@ -4836,6 +4836,31 @@ interface(`dev_create_zero_dev',`
>  
>  ########################################
>  ## <summary>
> +##	Read cpu online hardware state information
> +## </summary>
> +## <desc>
> +##	<p>
> +##	Allow the specified domain to read /sys/devices/system/cpu/online
> +##	</p>
> +## </desc>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`dev_read_cpu_online',`
> +	gen_require(`
> +		type cpu_online_t;
> +	')
> +
> +	allow $1 cpu_online_t:file read_file_perms;
> +
> +	dev_search_sysfs($1)
> +')
> +
> +########################################
> +## <summary>
>  ##	Unconfined access to devices.
>  ## </summary>
>  ## <param name="domain">
> diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te
> index 0b1a871..0d7790c 100644
> --- a/policy/modules/kernel/devices.te
> +++ b/policy/modules/kernel/devices.te
> @@ -60,6 +60,13 @@ type cpu_device_t;
>  dev_node(cpu_device_t)
>  
>  #
> +# /sys/devices/system/cpu/online device
> +#
> +type cpu_online_t;
> +files_type(cpu_online_t)
> +dev_associate_sysfs(cpu_online_t)
> +
> +#
>  # Type for /dev/crash
>  #
>  type crash_device_t;
> diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
> index cf04cb5..ea5cdee 100644
> --- a/policy/modules/kernel/domain.te
> +++ b/policy/modules/kernel/domain.te
> @@ -96,6 +96,8 @@ kernel_dontaudit_link_key(domain)
>  # create child processes in the domain
>  allow domain self:process { fork sigchld };
>  
> +# glibc get_nprocs requires read access to /sys/devices/system/cpu/online
> +dev_read_cpu_online(domain)
>  # Use trusted objects in /dev
>  dev_rw_null(domain)
>  dev_rw_zero(domain)
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] [PATCH 3/7] Mark f2fs as a xattr-enabled file system

[Sven Vermeulen]

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/kernel/filesystem.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index 1c66416..9949d77 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -26,6 +26,7 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr f2fs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
 fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
-- 
1.8.1.5

[refpolicy] [PATCH 3/7] Mark f2fs as a xattr-enabled file system

[Christopher J. PeBenito]

Is this support upstreamed?  I don't see it in my 3.10 kernel tree.

On 08/17/2013 02:51 PM, Sven Vermeulen wrote:
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/kernel/filesystem.te | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
> index 1c66416..9949d77 100644
> --- a/policy/modules/kernel/filesystem.te
> +++ b/policy/modules/kernel/filesystem.te
> @@ -26,6 +26,7 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
>  fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
>  fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
>  fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
> +fs_use_xattr f2fs gen_context(system_u:object_r:fs_t,s0);
>  fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
>  fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
>  fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] [PATCH 4/7] The security_t file system can be at /sys/fs/selinux

[Sven Vermeulen]

Because it is no longer a top-level file system, we need to enhance some of the
interfaces with the appropriate rights towards sysfs_t.

First set to allow getattr rights on the file system, which now also means
getattr on the sysfs_t file system as well as search privileges in sysfs_t.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/kernel/devices.if | 18 ++++++++++++++++++
 policy/modules/kernel/selinux.if |  4 ++++
 2 files changed, 22 insertions(+)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 49f0acb..a0a2a0d 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -3855,6 +3855,24 @@ interface(`dev_getattr_sysfs_dirs',`
 
 ########################################
 ## <summary>
+##	Get the attributes of sysfs filesystem
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_getattr_sysfs_fs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	allow $1 sysfs_t:filesystem getattr;
+')
+
+########################################
+## <summary>
 ##	Search the sysfs directories.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 81440c5..9623a80 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -63,6 +63,10 @@ interface(`selinux_get_fs_mount',`
 	# (/selinux) is already a selinuxfs
 	allow $1 security_t:filesystem getattr;
 
+	# Same for /sys/fs/selinux
+	dev_getattr_sysfs_fs($1)
+	dev_search_sysfs($1)
+
 	# read /proc/filesystems to see if selinuxfs is supported
 	# then read /proc/self/mount to see where selinuxfs is mounted
 	kernel_read_system_state($1)
-- 
1.8.1.5

[refpolicy] [PATCH 5/7] Dontaudit access on security_t file system at /sys/fs/selinux

[Sven Vermeulen]

Second part of the support of security_t under /sys/fs/selinux - when asked not
to audit getting attributes on the selinux file system, have this propagate to
the sysfs parts as well.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/kernel/devices.if | 18 ++++++++++++++++++
 policy/modules/kernel/selinux.if |  4 ++++
 2 files changed, 22 insertions(+)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index a0a2a0d..2a4a3ca 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -3871,6 +3871,24 @@ interface(`dev_getattr_sysfs_fs',`
 	allow $1 sysfs_t:filesystem getattr;
 ')
 
+#######################################
+## <summary>
+##	Do not audit getting the attributes of sysfs filesystem
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to dontaudit access from
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_getattr_sysfs_fs',`
+	gen_require(`
+		type sysfs_t;
+	')
+
+	dontaudit $1 sysfs_t:filesystem getattr;
+')
+
 ########################################
 ## <summary>
 ##	Search the sysfs directories.
diff --git a/policy/modules/kernel/selinux.if b/policy/modules/kernel/selinux.if
index 9623a80..a62ac8f 100644
--- a/policy/modules/kernel/selinux.if
+++ b/policy/modules/kernel/selinux.if
@@ -93,6 +93,10 @@ interface(`selinux_dontaudit_get_fs_mount',`
 	# (/selinux) is already a selinuxfs
 	dontaudit $1 security_t:filesystem getattr;
 
+	# Same for /sys/fs/selinux
+	dev_dontaudit_getattr_sysfs_fs($1)
+	dev_dontaudit_search_sysfs($1)
+
 	# read /proc/filesystems to see if selinuxfs is supported
 	# then read /proc/self/mount to see where selinuxfs is mounted
 	kernel_dontaudit_read_system_state($1)
-- 
1.8.1.5

[refpolicy] [PATCH 6/7] Support named file transition for fixed_disk_device_t

[Sven Vermeulen]

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/kernel/storage.if | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
index 1700ef2..64c4cd0 100644
--- a/policy/modules/kernel/storage.if
+++ b/policy/modules/kernel/storage.if
@@ -260,13 +260,18 @@ interface(`storage_manage_fixed_disk',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="filename" optional="true">
+##	<summary>
+##	Optional filename of the block device to be created
+##	</summary>
+## </param>
 #
 interface(`storage_dev_filetrans_fixed_disk',`
 	gen_require(`
 		type fixed_disk_device_t;
 	')
 
-	dev_filetrans($1, fixed_disk_device_t, blk_file)
+	dev_filetrans($1, fixed_disk_device_t, blk_file, $2)
 ')
 
 ########################################
-- 
1.8.1.5

[refpolicy] [PATCH 6/7] Support named file transition for fixed_disk_device_t

[Christopher J. PeBenito]

On 08/17/2013 02:51 PM, Sven Vermeulen wrote:
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/kernel/storage.if | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
> index 1700ef2..64c4cd0 100644
> --- a/policy/modules/kernel/storage.if
> +++ b/policy/modules/kernel/storage.if
> @@ -260,13 +260,18 @@ interface(`storage_manage_fixed_disk',`
>  ##	Domain allowed access.
>  ##	</summary>
>  ## </param>
> +## <param name="filename" optional="true">
> +##	<summary>
> +##	Optional filename of the block device to be created
> +##	</summary>
> +## </param>
>  #
>  interface(`storage_dev_filetrans_fixed_disk',`
>  	gen_require(`
>  		type fixed_disk_device_t;
>  	')
>  
> -	dev_filetrans($1, fixed_disk_device_t, blk_file)
> +	dev_filetrans($1, fixed_disk_device_t, blk_file, $2)
>  ')
>  
>  ########################################
 
Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] [PATCH 7/7] Alsasound init script writes asound.state file

[Sven Vermeulen]

The alsasound init script writes updates into alsa state files, such as
/var/lib/alsa/asound.state (for storing the ALSA mixer levels at shutdown).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/system/init.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a97372a..08dd000 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -578,6 +578,10 @@ ifdef(`distro_suse',`
 ')
 
 optional_policy(`
+	alsa_write_lib(initrc_t)
+')
+
+optional_policy(`
 	amavis_search_lib(initrc_t)
 	amavis_setattr_pid_files(initrc_t)
 ')
-- 
1.8.1.5

[refpolicy] [PATCH 7/7] Alsasound init script writes asound.state file

[Christopher J. PeBenito]

On 08/17/2013 02:51 PM, Sven Vermeulen wrote:
> The alsasound init script writes updates into alsa state files, such as
> /var/lib/alsa/asound.state (for storing the ALSA mixer levels at shutdown).
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/system/init.te | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index a97372a..08dd000 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -578,6 +578,10 @@ ifdef(`distro_suse',`
>  ')
>  
>  optional_policy(`
> +	alsa_write_lib(initrc_t)
> +')
> +
> +optional_policy(`
>  	amavis_search_lib(initrc_t)
>  	amavis_setattr_pid_files(initrc_t)
>  ')
 
Shouldn't this be handled by alsa_t?

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] [PATCH 7/7] Alsasound init script writes asound.state file

[Sven Vermeulen]

On Mon, Aug 26, 2013 at 2:57 PM, Christopher J. PeBenito
<cpebenito@tresys.com> wrote:
>> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
>> index a97372a..08dd000 100644
>> --- a/policy/modules/system/init.te
>> +++ b/policy/modules/system/init.te
>> @@ -578,6 +578,10 @@ ifdef(`distro_suse',`
>>  ')
>>
>>  optional_policy(`
>> +     alsa_write_lib(initrc_t)
>> +')
>> +
>> +optional_policy(`
>>       amavis_search_lib(initrc_t)
>>       amavis_setattr_pid_files(initrc_t)
>>  ')
>
> Shouldn't this be handled by alsa_t?
>

It is the /etc/init.d/alsasound init script itself that is writing
into /var/lib/alsa, for instance:

        for ossfile in /proc/asound/card*/pcm*/oss; do
                [ -e "${ossfile}" ] || continue
                local device=${ossfile##/proc/asound/} ; device=${device%%/oss}
                device="$(echo "${device}" | sed -e 's,/,_,g')"
                mkdir -p "${alsastatedir}/oss/"
                cp "${ossfile}" "${alsastatedir}/oss/${device}"
        done

Here, ${alsastatedir} = /var/lib/alsa.

It does seem however that the asound.state itself is handled by
alsactl (and thus through alsa_t). Shall I update the description to
explain that it is for restoring OSS state information instead?

Wkr,
  Sven Vermeulen