Re: [PATCH 06/10] Allow alsa_t to create alsa_runtime_t file as well

Laurent Bigonville <bigon@xxxxxxxxxx> · Tue, 15 Oct 2019 15:10:23 +0200

Le 12/10/19 à 17:52, Chris PeBenito a écrit :
On 10/11/19 8:24 AM, Laurent Bigonville wrote:
From: Laurent Bigonville <bigon@xxxxxxxx>

When alsactl is started as a daemon, it creates a pidfile
(/run/alsactl.pid), that needs to be allowed

----
time->Sun Oct  6 10:59:09 2019
type=AVC msg=audit(1570352349.743:45): avc:  denied  { write open } 
for  pid=804 comm="alsactl" path="/run/alsactl.pid" dev="tmpfs" 
ino=25882 scontext=system_u:system_r:alsa_t:s0 
tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570352349.743:45): avc:  denied  { create } for  
pid=804 comm="alsactl" name="alsactl.pid" 
scontext=system_u:system_r:alsa_t:s0 
tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Sun Oct  6 11:54:38 2019
type=AVC msg=audit(1570355678.226:657): avc:  denied  { open } for  
pid=9186 comm="alsactl" path="/run/alsactl.pid" dev="tmpfs" ino=25882 
scontext=system_u:system_r:alsa_t:s0 
tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1570355678.226:657): avc:  denied  { read } for  
pid=9186 comm="alsactl" name="alsactl.pid" dev="tmpfs" ino=25882 
scontext=system_u:system_r:alsa_t:s0 
tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
----
time->Sun Oct  6 11:54:38 2019
type=AVC msg=audit(1570355678.230:659): avc:  denied  { unlink } for  
pid=804 comm="alsactl" name="alsactl.pid" dev="tmpfs" ino=25882 
scontext=system_u:system_r:alsa_t:s0 
tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1

Signed-off-by: Laurent Bigonville <bigon@xxxxxxxx>
---
  policy/modules/admin/alsa.fc | 1 +
  policy/modules/admin/alsa.te | 3 ++-
  2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/policy/modules/admin/alsa.fc b/policy/modules/admin/alsa.fc
index 75ea9ebf..16ccb7ca 100644
--- a/policy/modules/admin/alsa.fc
+++ b/policy/modules/admin/alsa.fc
@@ -4,6 +4,7 @@ HOME_DIR/\.asoundrc                -- 
gen_context(system_u:object_r:alsa_home_t,s0)
  /etc/asound\.conf                -- 
gen_context(system_u:object_r:alsa_etc_t,s0)
    /run/alsa(/.*)? gen_context(system_u:object_r:alsa_runtime_t,s0)
+/run/alsactl.pid                -- 
gen_context(system_u:object_r:alsa_runtime_t,s0)

Needs escaping ( \.pid )

It's fixed in the github merge request

Do you think that you could already merge all the patches of the series 
except the colord one?



    /usr/bin/ainit --    gen_context(system_u:object_r:alsa_exec_t,s0)
  /usr/bin/alsactl                -- 
gen_context(system_u:object_r:alsa_exec_t,s0)
diff --git a/policy/modules/admin/alsa.te b/policy/modules/admin/alsa.te
index e567dd32..9d053c4d 100644
--- a/policy/modules/admin/alsa.te
+++ b/policy/modules/admin/alsa.te
@@ -58,8 +58,9 @@ allow alsa_t alsa_etc_t:file map;
  can_exec(alsa_t, alsa_exec_t)
    allow alsa_t alsa_runtime_t:dir manage_dir_perms;
+allow alsa_t alsa_runtime_t:file manage_file_perms;
  allow alsa_t alsa_runtime_t:lnk_file manage_lnk_file_perms;
-files_pid_filetrans(alsa_t, alsa_runtime_t, dir)
+files_pid_filetrans(alsa_t, alsa_runtime_t, { dir file })
    manage_dirs_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)
  manage_files_pattern(alsa_t, alsa_tmp_t, alsa_tmp_t)









