[refpolicy] [PATCH 06/19] Enhance pulseaudio domain with XDG privilege sets

Sven Vermeulen sven.vermeulen at siphos.be
Mon May 22 16:11:42 UTC 2017


The pulseaudio domain was configured to use the ~/.config/pulse/
location as pulseaudio_home_t. With the introduction of the XDG-based
types, this can now be switched to pulseaudio_xdg_config_home_t.

Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be>
---
 pulseaudio.fc |  2 +-
 pulseaudio.te | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/pulseaudio.fc b/pulseaudio.fc
index 146b5a7..fb861b7 100644
--- a/pulseaudio.fc
+++ b/pulseaudio.fc
@@ -1,7 +1,7 @@
 HOME_DIR/\.esd_auth	--	gen_context(system_u:object_r:pulseaudio_home_t,s0)
 HOME_DIR/\.pulse(/.*)?	gen_context(system_u:object_r:pulseaudio_home_t,s0)
 HOME_DIR/\.pulse-cookie	--	gen_context(system_u:object_r:pulseaudio_home_t,s0)
-HOME_DIR/\.config/pulse(/.*)?	--	gen_context(system_u:object_r:pulseaudio_home_t,s0)
+HOME_DIR/\.config/pulse(/.*)?	gen_context(system_u:object_r:pulseaudio_xdg_config_home_t,s0)
 
 /usr/bin/pulseaudio	--	gen_context(system_u:object_r:pulseaudio_exec_t,s0)
 
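Review bot: The replacement entry for `HOME_DIR/\.config/pulse(/.*)?` also drops the `--` file-type qualifier, and the commit message does not mention it; with `--` the old line only ever matched regular files, so the `pulse` directory itself was never labelled pulseaudio_home_t, whereas the new line labels the directory and everything beneath it. That is the right shape for a `(/.*)?` pattern, but it is a behaviour change separate from the type switch, so a sentence such as `Also drop the -- qualifier so the pulse directory itself is labelled` in the description would make the relabel intent explicit. The `.esd_auth`, `.pulse` and `.pulse-cookie` entries keep pulseaudio_home_t, so both types remain in use and existing home directories presumably need a relabel to pick up the new context.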
diff --git a/pulseaudio.te b/pulseaudio.te
index 0c4945b..ff43d55 100644
--- a/pulseaudio.te
+++ b/pulseaudio.te
@@ -39,6 +39,9 @@ files_type(pulseaudio_var_lib_t)
 type pulseaudio_var_run_t;
 files_pid_file(pulseaudio_var_run_t)
 
+type pulseaudio_xdg_config_home_t;
+xdg_config_home_content(pulseaudio_xdg_config_home_t)
+
 ########################################
 #
 # Local policy
@@ -85,6 +88,10 @@ manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
 manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
 files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file })
 
+manage_dirs_pattern(pulseaudio_t, pulseaudio_xdg_config_home_t, pulseaudio_xdg_config_home_t)
+manage_files_pattern(pulseaudio_t, pulseaudio_xdg_config_home_t, pulseaudio_xdg_config_home_t)
+xdg_config_home_filetrans(pulseaudio_t, pulseaudio_xdg_config_home_t, dir, "pulse")
+
 allow pulseaudio_t pulseaudio_client:process signull;
 ps_process_pattern(pulseaudio_t, pulseaudio_client)
 
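Review bot: The new pulseaudio_t rules grant only dir and file permissions on pulseaudio_xdg_config_home_t; if pulseaudio still creates its `<machine-id>-runtime` symlink under ~/.config/pulse (it did at the time, pointing at the per-user runtime directory), that write will be denied because no lnk_file rule is given here. Adding `manage_lnk_files_pattern(pulseaudio_t, pulseaudio_xdg_config_home_t, pulseaudio_xdg_config_home_t)` after the manage_files_pattern line, and the matching rule for pulseaudio_client in the later hunk, would likely mirror what the existing pulseaudio_home_t rules allow — those rules are outside this hunk, so worth checking against them. The filetrans names only the `pulse` directory, which is consistent with the .fc entry.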
@@ -240,6 +247,10 @@ allow pulseaudio_client pulseaudio_tmp_t:sock_file manage_sock_file_perms;
 rw_files_pattern(pulseaudio_client, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t }, { pulseaudio_tmpfsfile pulseaudio_tmpfs_t })
 delete_files_pattern(pulseaudio_client, pulseaudio_tmpfsfile, pulseaudio_tmpfsfile)
 
+manage_dirs_pattern(pulseaudio_client, pulseaudio_xdg_config_home_t, pulseaudio_xdg_config_home_t)
+manage_files_pattern(pulseaudio_client, pulseaudio_xdg_config_home_t, pulseaudio_xdg_config_home_t)
+xdg_config_home_filetrans(pulseaudio_client, pulseaudio_xdg_config_home_t, dir, "pulse")
+
 fs_getattr_tmpfs(pulseaudio_client)
 
 corenet_all_recvfrom_unlabeled(pulseaudio_client)
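Review bot: Every domain carrying the pulseaudio_client attribute is granted full manage rights on pulseaudio_xdg_config_home_t, which is the same location the daemon in pulseaudio_t reads its own configuration from; a confined client that only needs the cookie therefore also gets write access to the daemon's config files. If cookie access is the intent (the old pulseaudio_home_t client rules are outside this hunk, so this may simply mirror them), read_files_pattern for the config plus a narrower write rule would keep the client side least-privilege; otherwise a comment such as `# clients create the cookie and may update the per-user config` above the block would record that the broad grant is deliberate. Either way the choice deserves a sentence in the commit description.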
-- 
2.13.0


