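policy_module(pulseaudio, 1.2.3)

########################################
#
# Declarations
#

# Domain for the PulseAudio process and the label of its executable.
type pulseaudio_t;
type pulseaudio_exec_t;
# The domain is reachable two ways through the same entry point: started
# by init as a daemon, and launched as an ordinary application.
init_daemon_domain(pulseaudio_t, pulseaudio_exec_t)
application_domain(pulseaudio_t, pulseaudio_exec_t)
# Apply user-based access control (UBAC) constraints to the domain.
ubac_constrained(pulseaudio_t)
# Authorize the domain for the system role (needed for the init-started case).
role system_r types pulseaudio_t;

# PulseAudio content in user home directories. The paths that receive this
# label are assigned in the module file contexts, which are not shown here.
type pulseaudio_home_t;
userdom_user_home_content(pulseaudio_home_t)

# Files the daemon creates on tmpfs; also handed to the X client template
# in the xserver optional block of this module.
type pulseaudio_tmpfs_t;
files_tmpfs_file(pulseaudio_tmpfs_t)
ubac_constrained(pulseaudio_tmpfs_t)

# Persistent daemon state (see files_var_lib_filetrans in the local policy).
type pulseaudio_var_lib_t;
files_type(pulseaudio_var_lib_t)
ubac_constrained(pulseaudio_var_lib_t)

# Runtime files: pid files and sockets (see files_pid_filetrans in the
# local policy).
type pulseaudio_var_run_t;
files_pid_file(pulseaudio_var_run_t)
ubac_constrained(pulseaudio_var_run_t)
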
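########################################
#
# pulseaudio local policy
#

# Capabilities held by the domain:
#   setuid, setgid            - change process identity
#   chown, fowner, fsetid     - change ownership and bypass owner/mode checks
#   sys_nice, sys_resource    - raise scheduling priority, exceed resource limits
#   sys_tty_config            - configure terminals
# NOTE(review): this is a wide set for a sound server. Presumably the identity
# and ownership capabilities serve the init-started (system-wide) mode; confirm
# against AVC audit records which ones are exercised before trimming.
allow pulseaudio_t self:capability { fowner fsetid chown setgid setuid sys_nice sys_resource sys_tty_config };
# Read and change its own capability set, resource limits and scheduling
# policy, and signal processes in its own domain.
allow pulseaudio_t self:process { getcap setcap setrlimit setsched getsched signal signull };
allow pulseaudio_t self:fifo_file rw_file_perms;
# Local IPC between processes of this domain over stream and datagram sockets.
allow pulseaudio_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow pulseaudio_t self:unix_dgram_socket { sendto create_socket_perms };
# Socket creation only; the ports that may be bound are limited by the
# corenet_*_bind_* rules of this module.
allow pulseaudio_t self:tcp_socket create_stream_socket_perms;
allow pulseaudio_t self:udp_socket create_socket_perms;
# Kernel uevent netlink socket (device event notifications).
allow pulseaudio_t self:netlink_kobject_uevent_socket create_socket_perms;
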
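# Full management of its own content in user home directories; only search
# access is granted here on the home directories themselves.
manage_dirs_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
manage_files_pattern(pulseaudio_t, pulseaudio_home_t, pulseaudio_home_t)
userdom_search_user_home_dirs(pulseaudio_t)

# Persistent state: directories and files created by the domain in the
# var lib directory transition to pulseaudio_var_lib_t.
manage_dirs_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
manage_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
manage_lnk_files_pattern(pulseaudio_t, pulseaudio_var_lib_t, pulseaudio_var_lib_t)
files_var_lib_filetrans(pulseaudio_t, pulseaudio_var_lib_t, { dir file })

# Runtime state: directories and files created by the domain in the pid
# directory transition to pulseaudio_var_run_t.
# NOTE(review): sock_file is managed below but is not in the transition set,
# so a socket created directly in the pid directory would not be relabeled by
# this rule. Presumably sockets are created inside a pulseaudio_var_run_t
# subdirectory and inherit its label; confirm.
manage_dirs_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
manage_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
manage_sock_files_pattern(pulseaudio_t, pulseaudio_var_run_t, pulseaudio_var_run_t)
files_pid_filetrans(pulseaudio_t, pulseaudio_var_run_t, { dir file })

# Re-execute its own binary without leaving the domain.
can_exec(pulseaudio_t, pulseaudio_exec_t)
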
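# Read-only view of kernel and process state.
kernel_getattr_proc(pulseaudio_t)
kernel_read_system_state(pulseaudio_t)
kernel_read_kernel_sysctls(pulseaudio_t)

# Execute generic binaries in the caller domain (no transition).
corecmd_exec_bin(pulseaudio_t)

# Network: the domain may bind the pulseaudio and soundd TCP ports and the
# sap UDP port, and exchange traffic on generic interfaces and nodes.
# No TCP connect rule appears in this list. SELinux limits which ports can be
# bound, not which peers can reach them; remote exposure is decided by the
# daemon configuration and the host firewall.
corenet_all_recvfrom_unlabeled(pulseaudio_t)
corenet_all_recvfrom_netlabel(pulseaudio_t)
corenet_tcp_bind_pulseaudio_port(pulseaudio_t)
corenet_tcp_bind_soundd_port(pulseaudio_t)
corenet_tcp_sendrecv_generic_if(pulseaudio_t)
corenet_tcp_sendrecv_generic_node(pulseaudio_t)
corenet_udp_bind_sap_port(pulseaudio_t)
corenet_udp_sendrecv_generic_if(pulseaudio_t)
corenet_udp_sendrecv_generic_node(pulseaudio_t)

# Sound devices (playback and capture), sysfs, and the urandom device.
dev_read_sound(pulseaudio_t)
dev_write_sound(pulseaudio_t)
dev_read_sysfs(pulseaudio_t)
dev_read_urand(pulseaudio_t)

# Read-only access to generic configuration and shared data.
files_read_etc_files(pulseaudio_t)
files_read_usr_files(pulseaudio_t)

fs_rw_anon_inodefs_files(pulseaudio_t)
fs_getattr_tmpfs(pulseaudio_t)
fs_list_inotifyfs(pulseaudio_t)

# NOTE(review): read/write on every tty and pty type, not only the terminal
# the process was started from. Together with the sys_tty_config capability
# this is wider than a sound server obviously needs; confirm, and prefer an
# inherited-terminal interface if that is all that is required.
term_use_all_ttys(pulseaudio_t)
term_use_all_ptys(pulseaudio_t)

# Name service lookups; the permissions this expands to depend on the
# nsswitch backends the policy is built for.
auth_use_nsswitch(pulseaudio_t)

logging_send_syslog_msg(pulseaudio_t)

miscfiles_read_localization(pulseaudio_t)
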
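# cjp: this seems excessive. need to confirm
# NOTE(review): these three rules grant manage access (create, modify, delete)
# to generic user home content, user tmp and user tmpfs files, in addition to
# the dedicated pulseaudio_home_t and pulseaudio_tmpfs_t types this module
# already declares. A compromise of pulseaudio_t would therefore reach user
# files carrying the generic labels. To narrow: label the files the daemon
# needs with the private types, watch AVC denials in permissive or audit mode,
# and drop whichever of these rules is no longer exercised.
userdom_manage_user_home_content_files(pulseaudio_t)
userdom_manage_user_tmp_files(pulseaudio_t)
userdom_manage_user_tmpfs_files(pulseaudio_t)
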
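# Each optional_policy block below takes effect only when the module that
# provides the named interfaces is present in the loaded policy.

# Connect to the bluetooth daemon over its stream socket.
optional_policy(`
	bluetooth_stream_connect(pulseaudio_t)
')

# D-Bus: the domain can be started by the system bus, and is a client of
# both the system and the session bus.
optional_policy(`
	dbus_system_domain(pulseaudio_t, pulseaudio_exec_t)
	dbus_system_bus_client(pulseaudio_t)
	dbus_session_bus_client(pulseaudio_t)
	dbus_connect_session_bus(pulseaudio_t)

	# Peer domains the daemon may exchange D-Bus messages with. Each is
	# nested so that it also depends on the D-Bus module being present.
	optional_policy(`
		consolekit_dbus_chat(pulseaudio_t)
	')

	optional_policy(`
		hal_dbus_chat(pulseaudio_t)
	')

	optional_policy(`
		policykit_dbus_chat(pulseaudio_t)
	')

	# NOTE(review): a D-Bus channel to the package manager is unusual for
	# a sound server; confirm it is still required.
	optional_policy(`
		rpm_dbus_chat(pulseaudio_t)
	')
')
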
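# Each optional_policy block below takes effect only when the module that
# provides the named interfaces is present in the loaded policy.

# Let rtkit adjust the scheduling of this domain (real-time audio threads).
optional_policy(`
	rtkit_scheduled(pulseaudio_t)
')

# PolicyKit: run the authorization helper in its own domain through a
# domain transition, and read PolicyKit library and reload data.
optional_policy(`
	policykit_domtrans_auth(pulseaudio_t)
	policykit_read_lib(pulseaudio_t)
	policykit_read_reload(pulseaudio_t)
')

# Read-only access to udev state and its device database.
optional_policy(`
	udev_read_state(pulseaudio_t)
	udev_read_db(pulseaudio_t)
')

# X server: connect as a client; pulseaudio_tmpfs_t is passed to the X
# client template as the tmpfs type of this domain.
# NOTE(review): xserver_manage_xdm_tmp_files grants manage access to the
# display manager temporary files, while the other two xdm rules are read
# only. Confirm that write access is needed rather than read.
optional_policy(`
	xserver_stream_connect(pulseaudio_t)
	xserver_manage_xdm_tmp_files(pulseaudio_t)
	xserver_read_xdm_lib_files(pulseaudio_t)
	xserver_read_xdm_pid(pulseaudio_t)
	xserver_user_x_domain_template(pulseaudio, pulseaudio_t, pulseaudio_tmpfs_t)
')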