## <summary>Pulseaudio network sound server.</summary>

########################################
## <summary>
##	Role access for pulseaudio
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role
##	</summary>
## </param>
#
interface(`pulseaudio_role',`
	gen_require(`
		attribute pulseaudio_tmpfsfile;
		type pulseaudio_t, pulseaudio_exec_t, pulseaudio_tmpfs_t;
		class dbus { acquire_svc send_msg };
	')

	role $1 types pulseaudio_t;

	# Transition from the user domain to the derived domain.
	# This uses domtrans_pattern directly instead of pulseaudio_domtrans,
	# so the user domain is NOT tagged with the pulseaudio_client
	# attribute and does not get corecmd_search_bin from here; the socket
	# and dbus access it needs is granted explicitly below instead.
	domtrans_pattern($2, pulseaudio_exec_t, pulseaudio_t)

	# Process visibility and signalling, both directions. The user
	# domain may kill its own server (sigkill); the server may only
	# signal or probe (signull) the user domain, never kill it.
	ps_process_pattern($2, pulseaudio_t)
	allow pulseaudio_t $2:process { signal signull };
	allow $2 pulseaudio_t:process { signal signull sigkill };
	# Permit the domain transition even when the user domain runs with
	# no_new_privs set (nnp_transition is the NNP exception permission).
	allow $2 pulseaudio_t:process2 nnp_transition;

	ps_process_pattern(pulseaudio_t, $2)
	allow pulseaudio_t $2:unix_stream_socket connectto;
	allow $2 pulseaudio_t:unix_stream_socket connectto;

	# The user domain gets full manage plus relabel on pulseaudio tmpfs
	# content: the module type itself and any type attributed through
	# pulseaudio_tmpfs_content. Relabel rights are wider than manage;
	# presumably needed for the per-user tmpfs content - confirm.
	allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:dir { manage_dir_perms relabel_dir_perms };
	allow $2 { pulseaudio_tmpfs_t pulseaudio_tmpfsfile }:file { manage_file_perms relabel_file_perms };

	userdom_manage_tmp_role($1, pulseaudio_t)

	# dbus: the user domain may message the server; the server may
	# message the user domain and acquire a service name on its bus.
	allow $2 pulseaudio_t:dbus send_msg;
	allow pulseaudio_t $2:dbus { acquire_svc send_msg };
')

########################################
## <summary>
##	Execute a domain transition to run pulseaudio.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`pulseaudio_domtrans',`
	gen_require(`
		attribute pulseaudio_client;
		type pulseaudio_t, pulseaudio_exec_t;
	')

	# Mark the caller as a pulseaudio client so it picks up whatever
	# client rules the module attaches to the attribute (defined in
	# the .te, not visible here).
	typeattribute $1 pulseaudio_client;
	# Search on bin directories is required to reach the binary.
	corecmd_search_bin($1)
	domtrans_pattern($1, pulseaudio_exec_t, pulseaudio_t)
')

########################################
## <summary>
##	Execute pulseaudio in the pulseaudio domain, and
##	allow the specified role the pulseaudio domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
interface(`pulseaudio_run',`
	gen_require(`
		type pulseaudio_t;
	')

	# Same as pulseaudio_domtrans, plus authorising the role for the
	# target domain so the transition is actually reachable.
	pulseaudio_domtrans($1)
	role $2 types pulseaudio_t;
')

########################################
## <summary>
##	Execute a pulseaudio in the current domain.
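## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`pulseaudio_exec',`
	gen_require(`
		type pulseaudio_exec_t;
	')

	# Search on bin directories is needed to reach the pulseaudio
	# binary at all. pulseaudio_domtrans grants it for the same
	# path, so grant it here too for consistency instead of relying
	# on the caller to already have it.
	corecmd_search_bin($1)
	# No transition: the binary runs in the caller domain.
	can_exec($1, pulseaudio_exec_t)
')

########################################
## <summary>
##	Do not audit attempts to execute pulseaudio.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`pulseaudio_dontaudit_exec',`
	gen_require(`
		type pulseaudio_exec_t;
	')

	# Silences the denial only; no access is granted.
	dontaudit $1 pulseaudio_exec_t:file exec_file_perms;
')

########################################
## <summary>
##	Send signull signal to pulseaudio
##	processes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`pulseaudio_signull',`
	gen_require(`
		type pulseaudio_t;
	')

	# signull is the existence probe (kill -0); it delivers no signal.
	allow $1 pulseaudio_t:process signull;
')

#####################################
## <summary>
##	Connect to pulseaudio over a unix domain
##	stream socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`pulseaudio_stream_connect',`
	gen_require(`
		type pulseaudio_t, pulseaudio_var_run_t;
		type pulseaudio_home_t;
	')

	# Reach the socket under the pid directory.
	files_search_pids($1)
	# Existence probes in both directions.
	allow $1 pulseaudio_t:process signull;
	allow pulseaudio_t $1:process signull;
	# NOTE(review): create_stream_socket_perms on a socket labelled
	# with the server type is wider than a plain connect (the perm set
	# presumably includes create/bind/listen/accept - check the
	# permission set definition). Confirm clients really need more
	# than the connectto that stream_connect_pattern grants below.
	allow $1 pulseaudio_t:unix_stream_socket create_stream_socket_perms;
	# The socket may live under the pid dir or under the user home
	# directory (pulseaudio_home_t). The home variant assumes the
	# caller can already search the user home directory; this
	# interface does not grant that, unlike the *_home_* interfaces.
	stream_connect_pattern($1, pulseaudio_var_run_t, pulseaudio_var_run_t, pulseaudio_t)
	stream_connect_pattern($1, pulseaudio_home_t, pulseaudio_home_t, pulseaudio_t)
')

########################################
## <summary>
##	Send and receive messages from
##	pulseaudio over dbus.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`pulseaudio_dbus_chat',`
	gen_require(`
		type pulseaudio_t;
		class dbus send_msg;
	')

	# Bidirectional messaging only; no acquire_svc is granted here.
	allow $1 pulseaudio_t:dbus send_msg;
	allow pulseaudio_t $1:dbus send_msg;
')

########################################
## <summary>
##	Set the attributes of the pulseaudio homedir.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`pulseaudio_setattr_home_dir',`
	gen_require(`
		type pulseaudio_home_t;
	')

	# setattr only (mode, ownership, timestamps); does not grant
	# search on the enclosing user home directory.
	allow $1 pulseaudio_home_t:dir setattr;
')

########################################
## <summary>
##	Read pulseaudio homedir files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.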
##	</summary>
## </param>
#
interface(`pulseaudio_read_home_files',`
	gen_require(`
		type pulseaudio_home_t;
	')

	# Search on the user home directory is needed to reach the
	# pulseaudio content inside it.
	userdom_search_user_home_dirs($1)
	read_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
	read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
')

########################################
## <summary>
##	Read and write pulseaudio home directory files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`pulseaudio_rw_home_files',`
	gen_require(`
		type pulseaudio_home_t;
	')

	# Read/write on existing files only: no create or unlink (see
	# pulseaudio_manage_home_files for that).
	rw_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
	read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
	userdom_search_user_home_dirs($1)
')

########################################
## <summary>
##	Create, read, write, and delete pulseaudio
##	home directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`pulseaudio_manage_home_dirs',`
	gen_require(`
		type pulseaudio_home_t;
	')

	userdom_search_user_home_dirs($1)
	# Directories only; files and symlinks have their own interfaces.
	manage_dirs_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
')

########################################
## <summary>
##	Create, read, write, and delete pulseaudio
##	home directory files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`pulseaudio_manage_home_files',`
	gen_require(`
		type pulseaudio_home_t;
	')

	userdom_search_user_home_dirs($1)
	manage_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
	read_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
	# Creating files in the home directory must also produce the
	# right label, otherwise new cookie files would land as generic
	# home content and escape this type.
	pulseaudio_filetrans_home_content($1)
')

########################################
## <summary>
##	Create, read, write, and delete pulseaudio
##	home directory symlinks.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`pulseaudio_manage_home_symlinks',`
	gen_require(`
		type pulseaudio_home_t;
	')

	userdom_search_user_home_dirs($1)
	manage_lnk_files_pattern($1, pulseaudio_home_t, pulseaudio_home_t)
')

########################################
## <summary>
##	Create pulseaudio content in the user home directory
##	with the correct label.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`pulseaudio_filetrans_home_content',`
	gen_require(`
		type pulseaudio_home_t;
	')

	# Name-based transitions so that the pulseaudio state directory and
	# the per-user auth cookies (.pulse-cookie, and the esound
	# .esd_auth) are created as pulseaudio_home_t rather than generic
	# user home content. Keeping the cookies under this type is what
	# lets read access be limited to the pulseaudio_*_home_files
	# interfaces.
	userdom_user_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse")
	userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
	userdom_user_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth")

	# The XDG location (~/.config/pulse) only if the gnome module is
	# present in the build.
	optional_policy(`
		gnome_config_filetrans($1, pulseaudio_home_t, dir, "pulse")
	')
')

########################################
## <summary>
##	Create pulseaudio content in the admin home directory
##	with the correct label.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`pulseaudio_filetrans_admin_home_content',`
	gen_require(`
		type pulseaudio_home_t;
	')

	# Admin-home counterpart of pulseaudio_filetrans_home_content.
	# NOTE(review): there is no transition for the XDG config
	# directory here, unlike the user variant; confirm whether an
	# admin ~/.config/pulse is expected and needs one.
	userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, dir, ".pulse")
	userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".pulse-cookie")
	userdom_admin_home_dir_filetrans($1, pulseaudio_home_t, file, ".esd_auth")
')

########################################
## <summary>
##	Make the specified tmpfs file type
##	pulseaudio tmpfs content.
## </summary>
## <param name="type">
##	<summary>
##	File type to make pulseaudio tmpfs content.
##	</summary>
## </param>
#
interface(`pulseaudio_tmpfs_content',`
	gen_require(`
		attribute pulseaudio_tmpfsfile;
	')

	# Types carrying this attribute become manageable and relabelable
	# by the user domains authorised through pulseaudio_role, so only
	# apply it to tmpfs types that really belong to pulseaudio clients.
	typeattribute $1 pulseaudio_tmpfsfile;
')

########################################
## <summary>
##	Allow the domain to read pulseaudio state files in /proc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`pulseaudio_read_state',`
	gen_require(`
		type pulseaudio_t;
	')

	# Search /proc, then the usual read-only process inspection
	# pattern on the server domain.
	kernel_search_proc($1)
	ps_process_pattern($1, pulseaudio_t)
')