commit:     d7af41866897c6ec751ea4b95413a850a3e04e10
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Sun Oct  6 10:01:48 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Dec 16 13:13:11 2019 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d7af4186

Allow alsa_t to create alsa_runtime_t file as well

When alsactl is started as a daemon, it creates a pidfile
(/run/alsactl.pid); creating and managing that file needs to be allowed

----
time->Sun Oct  6 10:59:09 2019
type=AVC msg=audit(1570352349.743:45): avc:  denied  { write open } for  
pid=804 comm="alsactl" path="/run/alsactl.pid" dev="tmpfs" ino=25882 
scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 
tclass=file permissive=1
type=AVC msg=audit(1570352349.743:45): avc:  denied  { create } for  pid=804 
comm="alsactl" name="alsactl.pid" scontext=system_u:system_r:alsa_t:s0 
tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Sun Oct  6 11:54:38 2019
type=AVC msg=audit(1570355678.226:657): avc:  denied  { open } for  pid=9186 
comm="alsactl" path="/run/alsactl.pid" dev="tmpfs" ino=25882 
scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 
tclass=file permissive=1
type=AVC msg=audit(1570355678.226:657): avc:  denied  { read } for  pid=9186 
comm="alsactl" name="alsactl.pid" dev="tmpfs" ino=25882 
scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 
tclass=file permissive=1
----
time->Sun Oct  6 11:54:38 2019
type=AVC msg=audit(1570355678.230:659): avc:  denied  { unlink } for  pid=804 
comm="alsactl" name="alsactl.pid" dev="tmpfs" ino=25882 
scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:object_r:var_run_t:s0 
tclass=file permissive=1

Signed-off-by: Laurent Bigonville <bigon <AT> bigon.be>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/alsa.fc | 1 +
 policy/modules/admin/alsa.te | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/policy/modules/admin/alsa.fc b/policy/modules/admin/alsa.fc
index 75ea9ebf..3f52f370 100644
--- a/policy/modules/admin/alsa.fc
+++ b/policy/modules/admin/alsa.fc
@@ -4,6 +4,7 @@ HOME_DIR/\.asoundrc                             --      
gen_context(system_u:object_r:alsa_home_t,s0)
 /etc/asound\.conf                              --      
gen_context(system_u:object_r:alsa_etc_t,s0)
 
 /run/alsa(/.*)?                                                
gen_context(system_u:object_r:alsa_runtime_t,s0)
+/run/alsactl\.pid                              --      
gen_context(system_u:object_r:alsa_runtime_t,s0)
 
 /usr/bin/ainit                                 --      
gen_context(system_u:object_r:alsa_exec_t,s0)
 /usr/bin/alsactl                               --      
gen_context(system_u:object_r:alsa_exec_t,s0)

diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
index 06c7635c..6a0e6fa0 100644
--- a/policy/modules/admin/alsa.te
+++ b/policy/modules/admin/alsa.te
@@ -58,8 +58,9 @@ allow alsa_t alsa_etc_t:file map;
 can_exec(alsa_t, alsa_exec_t)
 
 allow alsa_t alsa_runtime_t:dir manage_dir_perms;
+allow alsa_t alsa_runtime_t:file manage_file_perms;
 allow alsa_t alsa_runtime_t:lnk_file manage_lnk_file_perms;
-files_pid_filetrans(alsa_t, alsa_runtime_t, dir)
+files_pid_filetrans(alsa_t, alsa_runtime_t, { dir file })
 
 manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
 manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
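Review bot: The transition on the changed `files_pid_filetrans` line is unnamed, so every file alsa_t creates directly under /run (var_run_t) becomes alsa_runtime_t, not only the pidfile that the .fc hunk labels. The audit trail in the description shows a single file, alsactl.pid, so a name-based transition keeps the grant to that one name and stays in step with the new .fc entry: keep `files_pid_filetrans(alsa_t, alsa_runtime_t, dir)` for the directory and add `files_pid_filetrans(alsa_t, alsa_runtime_t, file, "alsactl.pid")` for the pidfile. Whether alsa_t is expected to create other files in /run that should also be alsa_runtime_t is not visible in these hunks, so the broader form may be deliberate; if so, a one-line comment above the transition saying why would help the next reader.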
