[refpolicy] [PATCH 1/2] games: general update and improved pulseaudio integration

From: guido@trentalancia.net (Guido Trentalancia)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 1/2] games: general update and improved pulseaudio integration
Date: Sat, 17 Dec 2016 19:18:16 +0100	[thread overview]
Message-ID: <1481998696.13429.7.camel@trentalancia.net> (raw)

Update for the games module and integration with pulseaudio.

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
---
 policy/modules/contrib/games.if |   41 +++++++++++++++++++++++++++++++++++++++-
 policy/modules/contrib/games.te |   17 ++++++++++++++++
 2 files changed, 57 insertions(+), 1 deletion(-)

diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/games.if refpolicy-git-07122016/policy/modules/contrib/games.if

--- refpolicy-git-07122016-orig/policy/modules/contrib/games.if	2016-12-08 18:23:14.044084368 +0100
+++ refpolicy-git-07122016/policy/modules/contrib/games.if	2016-12-09 22:13:38.424448790 +0100
@@ -42,7 +42,6 @@ interface(`games_role',`
 ########################################
 ## <summary>
 ##	Read and write games data files.
-##	games data.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -58,3 +57,43 @@ interface(`games_rw_data',`
 	files_search_var_lib($1)
 	rw_files_pattern($1, games_data_t, games_data_t)
 ')
+
+########################################
+## <summary>
+##	Run a game in the game domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`games_domtrans',`
+	gen_require(`
+		type games_t, games_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, games_exec_t, games_t)
+')
+
+########################################
+## <summary>
+##	Send and receive messages from
+##	games over dbus.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`games_dbus_chat',`
+	gen_require(`
+		type games_t;
+		class dbus send_msg;
+	')
+
+	allow $1 games_t:dbus send_msg;
+	allow games_t $1:dbus send_msg;
+')
diff -pruN refpolicy-git-07122016-orig/policy/modules/contrib/games.te refpolicy-git-07122016/policy/modules/contrib/games.te
--- refpolicy-git-07122016-orig/policy/modules/contrib/games.te	2016-12-08 18:23:14.044084368 +0100
+++ refpolicy-git-07122016/policy/modules/contrib/games.te	2016-12-09 22:18:09.451695873 +0100
@@ -42,6 +42,10 @@ typealias games_tmpfs_t alias { user_gam
 typealias games_tmpfs_t alias { auditadm_games_tmpfs_t secadm_games_tmpfs_t };
 userdom_user_tmpfs_file(games_tmpfs_t)
 
+optional_policy(`
+	pulseaudio_tmpfs_content(games_tmpfs_t)
+')
+
 ########################################
 #
 # Server local policy
@@ -95,6 +99,7 @@ optional_policy(`
 # Client local policy
 #
 
+allow games_t self:fifo_file rw_file_perms;
 allow games_t self:sem create_sem_perms;
 allow games_t self:tcp_socket { accept listen };
 
@@ -137,6 +142,7 @@ dev_read_sound(games_t)
 dev_read_input(games_t)
 dev_read_mouse(games_t)
 dev_read_urand(games_t)
+dev_rw_dri(games_t)
 dev_write_sound(games_t)
 
 files_list_var(games_t)
@@ -146,6 +152,8 @@ files_read_etc_files(games_t)
 files_read_usr_files(games_t)
 files_read_var_files(games_t)
 
+fs_dontaudit_getattr_xattr_fs(games_t)
+
 init_dontaudit_rw_utmp(games_t)
 
 logging_dontaudit_search_logs(games_t)
@@ -166,10 +174,19 @@ tunable_policy(`allow_execmem',`
 ')
 
 optional_policy(`
+	dbus_all_session_bus_client(games_t)
+	dbus_connect_all_session_bus(games_t)
+')
+
+optional_policy(`
 	nscd_use(games_t)
 ')
 
 optional_policy(`
+	pulseaudio_run(games_t, games_roles)
+')
+
+optional_policy(`
 	xserver_user_x_domain_template(games, games_t, games_tmpfs_t)
 	xserver_create_xdm_tmp_sockets(games_t)
 	xserver_read_xdm_lib_files(games_t)
