* [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock @ 2015-04-13 15:36 Jason Zaman 2015-04-13 15:36 ` [refpolicy] [PATCH 2/3] snmp: missing fcontext for snmpd Jason Zaman ` (3 more replies) 0 siblings, 4 replies; 11+ messages in thread From: Jason Zaman @ 2015-04-13 15:36 UTC (permalink / raw) To: refpolicy Pulseaudio tries to acquire /tmp/pulse-*/autospawn.lock, this adds the filetrans rule. $ start-pulseaudio-x11 W: [autospawn] core-util.c: Failed to create lock file '/tmp/pulse-PKdhtXMmr18n/autospawn.lock': Permission denied E: [pulseaudio] main.c: Failed to acquire autospawn lock --- pulseaudio.te | 1 + 1 file changed, 1 insertion(+) diff --git a/pulseaudio.te b/pulseaudio.te index 4665af2..648de3a 100644 --- a/pulseaudio.te +++ b/pulseaudio.te @@ -56,6 +56,7 @@ manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t) manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t) manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t) files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir) +userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "autospawn.lock") userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid") userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "dbus-socket") userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "native") -- 2.0.5 ^ permalink raw reply related [flat|nested] 11+ messages in thread
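Review bot: the commit message for the added userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "autospawn.lock") line does not say what label the /tmp/pulse-* directory carries, and the rule depends on it. The files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir) line just above it in the hunk reads as if it already covers that directory, which is the question raised in the replies. Suggest adding the ls -Z output of the directory to the message and stating that the directory is user_tmp_t in the failing case, so the reason this named transition is needed is recorded with the change.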
* [refpolicy] [PATCH 2/3] snmp: missing fcontext for snmpd 2015-04-13 15:36 [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock Jason Zaman @ 2015-04-13 15:36 ` Jason Zaman 2015-04-13 19:32 ` Dominick Grift 2015-04-13 15:36 ` [refpolicy] [PATCH 3/3] dnsmasq: allow exec shell for scripts Jason Zaman ` (2 subsequent siblings) 3 siblings, 1 reply; 11+ messages in thread From: Jason Zaman @ 2015-04-13 15:36 UTC (permalink / raw) To: refpolicy --- snmp.fc | 1 + 1 file changed, 1 insertion(+) diff --git a/snmp.fc b/snmp.fc index 2f0a2f2..d3db67a 100644 --- a/snmp.fc +++ b/snmp.fc @@ -1,5 +1,6 @@ /etc/rc\.d/init\.d/(snmpd|snmptrapd) -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0) +/usr/sbin/snmpd -- gen_context(system_u:object_r:snmpd_exec_t,s0) /usr/sbin/snmptrap -- gen_context(system_u:object_r:snmpd_exec_t,s0) /usr/sbin/snmptrapd -- gen_context(system_u:object_r:snmpd_exec_t,s0) -- 2.0.5 ^ permalink raw reply related [flat|nested] 11+ messages in thread
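Review bot: the commit message is only a subject line, so nothing records why the new /usr/sbin/snmpd entry in snmp.fc is needed. Suggest one or two sentences saying which label the binary received without the entry and what went wrong as a result. As a style point, the three /usr/sbin entries now share snmpd_exec_t and could be written as a single pattern in the manner of the init script line at the top of the hunk, if the maintainers prefer that.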
* [refpolicy] [PATCH 2/3] snmp: missing fcontext for snmpd 2015-04-13 15:36 ` [refpolicy] [PATCH 2/3] snmp: missing fcontext for snmpd Jason Zaman @ 2015-04-13 19:32 ` Dominick Grift 0 siblings, 0 replies; 11+ messages in thread From: Dominick Grift @ 2015-04-13 19:32 UTC (permalink / raw) To: refpolicy On Mon, Apr 13, 2015 at 07:36:12PM +0400, Jason Zaman wrote: Thanks. Merged > --- > snmp.fc | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/snmp.fc b/snmp.fc > index 2f0a2f2..d3db67a 100644 > --- a/snmp.fc > +++ b/snmp.fc > @@ -1,5 +1,6 @@ > /etc/rc\.d/init\.d/(snmpd|snmptrapd) -- gen_context(system_u:object_r:snmpd_initrc_exec_t,s0) > > +/usr/sbin/snmpd -- gen_context(system_u:object_r:snmpd_exec_t,s0) > /usr/sbin/snmptrap -- gen_context(system_u:object_r:snmpd_exec_t,s0) > /usr/sbin/snmptrapd -- gen_context(system_u:object_r:snmpd_exec_t,s0) > > -- > 2.0.5 > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- 02DFF788 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788 http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 648 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20150413/01b8f83e/attachment.bin ^ permalink raw reply [flat|nested] 11+ messages in thread
* [refpolicy] [PATCH 3/3] dnsmasq: allow exec shell for scripts 2015-04-13 15:36 [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock Jason Zaman 2015-04-13 15:36 ` [refpolicy] [PATCH 2/3] snmp: missing fcontext for snmpd Jason Zaman @ 2015-04-13 15:36 ` Jason Zaman 2015-04-13 19:33 ` Dominick Grift 2015-04-13 17:31 ` [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock Sven Vermeulen 2015-04-13 19:32 ` Dominick Grift 3 siblings, 1 reply; 11+ messages in thread From: Jason Zaman @ 2015-04-13 15:36 UTC (permalink / raw) To: refpolicy dnsmasq has the --dhcp-script= option to execute scripts when leases are given. dnsmasq needs to have shell access to run these. --- dnsmasq.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/dnsmasq.te b/dnsmasq.te index e2f8300..b3caf80 100644 --- a/dnsmasq.te +++ b/dnsmasq.te @@ -57,6 +57,8 @@ kernel_read_network_state(dnsmasq_t) kernel_read_system_state(dnsmasq_t) kernel_request_load_module(dnsmasq_t) +corecmd_exec_shell(dnsmasq_t) + corenet_all_recvfrom_unlabeled(dnsmasq_t) corenet_all_recvfrom_netlabel(dnsmasq_t) corenet_tcp_sendrecv_generic_if(dnsmasq_t) -- 2.0.5 ^ permalink raw reply related [flat|nested] 11+ messages in thread
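Review bot: corecmd_exec_shell(dnsmasq_t) is granted unconditionally, although the commit message ties the need to the optional --dhcp-script= setting. With this call the shell and whatever the lease script does run in dnsmasq_t, alongside the kernel_ and corenet_ access visible around it in the hunk. Suggest considering a tunable for it, or at least a comment above the line naming --dhcp-script as the reason, so the grant is not mistaken for something every dnsmasq setup requires.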
* [refpolicy] [PATCH 3/3] dnsmasq: allow exec shell for scripts 2015-04-13 15:36 ` [refpolicy] [PATCH 3/3] dnsmasq: allow exec shell for scripts Jason Zaman @ 2015-04-13 19:33 ` Dominick Grift 0 siblings, 0 replies; 11+ messages in thread From: Dominick Grift @ 2015-04-13 19:33 UTC (permalink / raw) To: refpolicy On Mon, Apr 13, 2015 at 07:36:13PM +0400, Jason Zaman wrote: > dnsmasq has the --dhcp-script= option to execute scripts when leases are > given. dnsmasq needs to have shell access to run these. Thanks. Merged > --- > dnsmasq.te | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/dnsmasq.te b/dnsmasq.te > index e2f8300..b3caf80 100644 > --- a/dnsmasq.te > +++ b/dnsmasq.te > @@ -57,6 +57,8 @@ kernel_read_network_state(dnsmasq_t) > kernel_read_system_state(dnsmasq_t) > kernel_request_load_module(dnsmasq_t) > > +corecmd_exec_shell(dnsmasq_t) > + > corenet_all_recvfrom_unlabeled(dnsmasq_t) > corenet_all_recvfrom_netlabel(dnsmasq_t) > corenet_tcp_sendrecv_generic_if(dnsmasq_t) > -- > 2.0.5 > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- 02DFF788 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788 http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 648 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20150413/99c9cd42/attachment.bin ^ permalink raw reply [flat|nested] 11+ messages in thread
* [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock 2015-04-13 15:36 [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock Jason Zaman 2015-04-13 15:36 ` [refpolicy] [PATCH 2/3] snmp: missing fcontext for snmpd Jason Zaman 2015-04-13 15:36 ` [refpolicy] [PATCH 3/3] dnsmasq: allow exec shell for scripts Jason Zaman @ 2015-04-13 17:31 ` Sven Vermeulen 2015-04-13 17:34 ` Dominick Grift 2015-04-13 17:49 ` Sven Vermeulen 2015-04-13 19:32 ` Dominick Grift 3 siblings, 2 replies; 11+ messages in thread From: Sven Vermeulen @ 2015-04-13 17:31 UTC (permalink / raw) To: refpolicy Doesn't the files_tmp_filetrans for the directory class already ensure that the /tmp/pulse-* directory is of the right type? On Apr 13, 2015 6:01 PM, "Jason Zaman" <jason@perfinion.com> wrote: > Pulseaudio tries to acquire /tmp/pulse-*/autospawn.lock, this adds the > filetrans rule. > > $ start-pulseaudio-x11 > W: [autospawn] core-util.c: Failed to create lock file > '/tmp/pulse-PKdhtXMmr18n/autospawn.lock': Permission denied > E: [pulseaudio] main.c: Failed to acquire autospawn lock > --- > pulseaudio.te | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/pulseaudio.te b/pulseaudio.te > index 4665af2..648de3a 100644 > --- a/pulseaudio.te > +++ b/pulseaudio.te 
> @@ -56,6 +56,7 @@ manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t, > pulseaudio_tmp_t) > manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t) > manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, > pulseaudio_tmp_t) > files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir) > +userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, > "autospawn.lock") > userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid") > userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, > "dbus-socket") > userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, > "native") > -- > 2.0.5 > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20150413/46dd2c11/attachment-0001.html ^ permalink raw reply [flat|nested] 11+ messages in thread
* [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock 2015-04-13 17:31 ` [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock Sven Vermeulen @ 2015-04-13 17:34 ` Dominick Grift 2015-04-13 17:49 ` Sven Vermeulen 1 sibling, 0 replies; 11+ messages in thread From: Dominick Grift @ 2015-04-13 17:34 UTC (permalink / raw) To: refpolicy On Mon, Apr 13, 2015 at 07:31:55PM +0200, Sven Vermeulen wrote: > Doesn't the files_tmp_filetrans for the directory class already ensure that > the /tmp/pulse-* directory is of the right type? Good point. Not everything ends up in that directory though, but i would like to know where does that file exactly end up? > On Apr 13, 2015 6:01 PM, "Jason Zaman" <jason@perfinion.com> wrote: > > > Pulseaudio tries to acquire /tmp/pulse-*/autospawn.lock, this adds the > > filetrans rule. > > > > $ start-pulseaudio-x11 > > W: [autospawn] core-util.c: Failed to create lock file > > '/tmp/pulse-PKdhtXMmr18n/autospawn.lock': Permission denied > > E: [pulseaudio] main.c: Failed to acquire autospawn lock > > --- > > pulseaudio.te | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/pulseaudio.te b/pulseaudio.te > > index 4665af2..648de3a 100644 > > --- a/pulseaudio.te > > +++ b/pulseaudio.te 
> > @@ -56,6 +56,7 @@ manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t, > > pulseaudio_tmp_t) > > manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t) > > manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, > > pulseaudio_tmp_t) > > files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir) > > +userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, > > "autospawn.lock") > > userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid") > > userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, > > "dbus-socket") > > userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, > > "native") > > -- > > 2.0.5 > > > > _______________________________________________ > > refpolicy mailing list > > refpolicy at oss.tresys.com > > http://oss.tresys.com/mailman/listinfo/refpolicy > > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- 02DFF788 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788 http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 648 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20150413/4cf41bff/attachment.bin ^ permalink raw reply [flat|nested] 11+ messages in thread
* [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock 2015-04-13 17:31 ` [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock Sven Vermeulen 2015-04-13 17:34 ` Dominick Grift @ 2015-04-13 17:49 ` Sven Vermeulen 2015-04-13 18:02 ` Jason Zaman 1 sibling, 1 reply; 11+ messages in thread From: Sven Vermeulen @ 2015-04-13 17:49 UTC (permalink / raw) To: refpolicy Meh my mistake. The directory is written by pulseaudio client applications and get the user_tmp_t type. Sorry for the noise. Wkr, Sven Vermeulen On Apr 13, 2015 7:31 PM, "Sven Vermeulen" <sven.vermeulen@siphos.be> wrote: > Doesn't the files_tmp_filetrans for the directory class already ensure > that the /tmp/pulse-* directory is of the right type? > On Apr 13, 2015 6:01 PM, "Jason Zaman" <jason@perfinion.com> wrote: > >> Pulseaudio tries to acquire /tmp/pulse-*/autospawn.lock, this adds the >> filetrans rule. >> >> $ start-pulseaudio-x11 >> W: [autospawn] core-util.c: Failed to create lock file >> '/tmp/pulse-PKdhtXMmr18n/autospawn.lock': Permission denied >> E: [pulseaudio] main.c: Failed to acquire autospawn lock >> --- >> pulseaudio.te | 1 + >> 1 file changed, 1 insertion(+) >> >> diff --git a/pulseaudio.te b/pulseaudio.te >> index 4665af2..648de3a 100644 >> --- a/pulseaudio.te >> +++ b/pulseaudio.te 
>> @@ -56,6 +56,7 @@ manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t, >> pulseaudio_tmp_t) >> manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t) >> manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, >> pulseaudio_tmp_t) >> files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir) >> +userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, >> "autospawn.lock") >> userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid") >> userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, >> "dbus-socket") >> userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, >> "native") >> -- >> 2.0.5 >> >> _______________________________________________ >> refpolicy mailing list >> refpolicy at oss.tresys.com >> http://oss.tresys.com/mailman/listinfo/refpolicy >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20150413/050f7d7b/attachment.html ^ permalink raw reply [flat|nested] 11+ messages in thread
* [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock 2015-04-13 17:49 ` Sven Vermeulen @ 2015-04-13 18:02 ` Jason Zaman 2015-04-13 18:05 ` Dominick Grift 0 siblings, 1 reply; 11+ messages in thread From: Jason Zaman @ 2015-04-13 18:02 UTC (permalink / raw) To: refpolicy

On Mon, Apr 13, 2015 at 07:49:37PM +0200, Sven Vermeulen wrote:
> Meh my mistake. The directory is written by pulseaudio client
> applications and get the user_tmp_t type. Sorry for the noise.

for the record:
$ ls -alZ /tmp/pulse-PKdhtXMmr18n/
total 4
drwx------. 2 jason users staff_u:object_r:user_tmp_t 80 Apr 13 21:51 ./
drwxrwxrwt. 14 root root system_u:object_r:tmp_t 440 Apr 13 21:53 ../
srwxrwxrwx. 1 jason users staff_u:object_r:pulseaudio_tmp_t 0 Apr 13 21:51 native=
-rw-------. 1 jason users staff_u:object_r:pulseaudio_tmp_t 6 Apr 13 21:51 pid

autolock.spawn goes away right after the server is spawned, it's only there for a short time. Also, the dir does not *have* to be user_tmp_t. The first program that wants sound will start up pulse (usually it's gsettings or equivalent tho). e.g. if you don't have pulse running and start youtube you might get /tmp/pulse-* being mozilla_tmp_t.

-- Jason

> Wkr, > Sven Vermeulen > > On Apr 13, 2015 7:31 PM, "Sven Vermeulen" <[1]sven.vermeulen@siphos.be> > wrote: > > Doesn't the files_tmp_filetrans for the directory class already > ensure that the /tmp/pulse-* directory is of the right type? > > On Apr 13, 2015 6:01 PM, "Jason Zaman" <[2]jason@perfinion.com> wrote: > > Pulseaudio tries to acquire /tmp/pulse-*/autospawn.lock, this adds > the > filetrans rule. > $ start-pulseaudio-x11 > W: [autospawn] core-util.c: Failed to create lock file > '/tmp/pulse-PKdhtXMmr18n/autospawn.lock': Permission denied > E: [pulseaudio] main.c: Failed to acquire autospawn lock > --- > ? pulseaudio.te | 1 + > ? 1 file changed, 1 insertion(+) > diff --git a/pulseaudio.te b/pulseaudio.te > index 4665af2..648de3a 100644 > --- a/pulseaudio.te > +++ b/pulseaudio.te 
> @@ -56,6 +56,7 @@ manage_dirs_pattern(pulseaudio_t, > pulseaudio_tmp_t, pulseaudio_tmp_t) > ? manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, > pulseaudio_tmp_t) > ? manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, > pulseaudio_tmp_t) > ? files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir) > +userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, > "autospawn.lock") > ? userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, > "pid") > ? userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, > sock_file, "dbus-socket") > ? userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, > sock_file, "native") > -- > 2.0.5 > _______________________________________________ > refpolicy mailing list > [3]refpolicy at oss.tresys.com > [4]http://oss.tresys.com/mailman/listinfo/refpolicy > > References > > 1. mailto:sven.vermeulen at siphos.be > 2. mailto:jason at perfinion.com > 3. mailto:refpolicy at oss.tresys.com > 4. http://oss.tresys.com/mailman/listinfo/refpolicy ^ permalink raw reply [flat|nested] 11+ messages in thread
* [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock 2015-04-13 18:02 ` Jason Zaman @ 2015-04-13 18:05 ` Dominick Grift 0 siblings, 0 replies; 11+ messages in thread 
From: Dominick Grift @ 2015-04-13 18:05 UTC (permalink / raw) To: refpolicy

On Mon, Apr 13, 2015 at 10:02:30PM +0400, Jason Zaman wrote:
> On Mon, Apr 13, 2015 at 07:49:37PM +0200, Sven Vermeulen wrote:
> > Meh my mistake. The directory is written by pulseaudio client
> > applications and get the user_tmp_t type. Sorry for the noise.
>
> for the record:
> $ ls -alZ /tmp/pulse-PKdhtXMmr18n/
> total 4
> drwx------. 2 jason users staff_u:object_r:user_tmp_t 80 Apr 13 21:51 ./
> drwxrwxrwt. 14 root root system_u:object_r:tmp_t 440 Apr 13 21:53 ../
> srwxrwxrwx. 1 jason users staff_u:object_r:pulseaudio_tmp_t 0 Apr 13 21:51 native=
> -rw-------. 1 jason users staff_u:object_r:pulseaudio_tmp_t 6 Apr 13 21:51 pid
>
> autolock.spawn goes away right after the server is spawned, it's only
> there for a short time. Also, the dir does not *have* to be user_tmp_t.
> The first program that wants sound will start up pulse (usually it's
> gsettings or equivalent tho). e.g. if you don't have pulse running and
> start youtube you might get /tmp/pulse-* being mozilla_tmp_t.
>

Yes it's fragile, no doubt. Move it to XDG_RUNTIME_DIR, which allows you to get rid of the random suffix, then implement a name-based tt for "pulse" dir there

> -- Jason > > > Wkr, > > Sven Vermeulen > > > > On Apr 13, 2015 7:31 PM, "Sven Vermeulen" <[1]sven.vermeulen@siphos.be> > > wrote: > > > > Doesn't the files_tmp_filetrans for the directory class already > > ensure that the /tmp/pulse-* directory is of the right type? > > > > On Apr 13, 2015 6:01 PM, "Jason Zaman" <[2]jason@perfinion.com> wrote: > > > > Pulseaudio tries to acquire /tmp/pulse-*/autospawn.lock, this adds > > the > > filetrans rule. > > $ start-pulseaudio-x11 > > W: [autospawn] core-util.c: Failed to create lock file > > '/tmp/pulse-PKdhtXMmr18n/autospawn.lock': Permission denied > > E: [pulseaudio] main.c: Failed to acquire autospawn lock > > --- > > ? pulseaudio.te | 1 + > > ? 1 file changed, 1 insertion(+) 
> > diff --git a/pulseaudio.te b/pulseaudio.te > > index 4665af2..648de3a 100644 > > --- a/pulseaudio.te > > +++ b/pulseaudio.te > > @@ -56,6 +56,7 @@ manage_dirs_pattern(pulseaudio_t, > > pulseaudio_tmp_t, pulseaudio_tmp_t) > > ? manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, > > pulseaudio_tmp_t) > > ? manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, > > pulseaudio_tmp_t) > > ? files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir) > > +userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, > > "autospawn.lock") > > ? userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, > > "pid") > > ? userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, > > sock_file, "dbus-socket") > > ? userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, > > sock_file, "native") > > -- > > 2.0.5 > > _______________________________________________ > > refpolicy mailing list > > [3]refpolicy at oss.tresys.com > > [4]http://oss.tresys.com/mailman/listinfo/refpolicy > > > > References > > > > 1. mailto:sven.vermeulen at siphos.be > > 2. mailto:jason at perfinion.com > > 3. mailto:refpolicy at oss.tresys.com > > 4. http://oss.tresys.com/mailman/listinfo/refpolicy > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- 02DFF788 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788 http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 648 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20150413/bdb763e9/attachment.bin ^ permalink raw reply [flat|nested] 11+ messages in thread
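The label outcomes discussed in this sub-thread, as a toy model of file type-transition lookup; this is an example added here, not code from refpolicy or from any poster. It shows why the lock file lands in user_tmp_t before the patch, and why the rule stops applying when the directory is created by a different client. Assumptions: files_tmp_filetrans keys on a tmp_t parent and userdom_user_tmp_filetrans on a user_tmp_t parent, and the client domains staff_t and mozilla_t with their /tmp directory rules are constructed for the illustration.

```python
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    source: str                  # domain creating the object
    parent: str                  # type of the containing directory
    tclass: str                  # file, dir or sock_file
    new_type: str                # type assigned to the new object
    name: Optional[str] = None   # exact object name; None matches any name


def new_label(rules, source, parent, tclass, name):
    """A named rule wins, then an unnamed one, else the parent's type is inherited."""
    key = (source, parent, tclass)
    for wanted in (name, None):
        for r in rules:
            if (r.source, r.parent, r.tclass) == key and r.name == wanted:
                return r.new_type
    return parent


# Transitions visible in the pulseaudio.te hunk (parent types are assumptions, see lead-in).
PULSE_RULES = [
    Rule("pulseaudio_t", "tmp_t", "dir", "pulseaudio_tmp_t"),
    Rule("pulseaudio_t", "user_tmp_t", "file", "pulseaudio_tmp_t", "pid"),
    Rule("pulseaudio_t", "user_tmp_t", "sock_file", "pulseaudio_tmp_t", "dbus-socket"),
    Rule("pulseaudio_t", "user_tmp_t", "sock_file", "pulseaudio_tmp_t", "native"),
]
# The line added by PATCH 1/3.
PATCH_RULE = Rule("pulseaudio_t", "user_tmp_t", "file", "pulseaudio_tmp_t", "autospawn.lock")

# Constructed client-side rules (not on the page): the type each client domain
# gives a directory it creates directly under /tmp.
CLIENT_RULES = [
    Rule("staff_t", "tmp_t", "dir", "user_tmp_t"),
    Rule("mozilla_t", "tmp_t", "dir", "mozilla_tmp_t"),
]


def simulate(dir_creator, patched):
    """Label /tmp/pulse-* as created by dir_creator, then the daemon's files inside it."""
    rules = PULSE_RULES + CLIENT_RULES + ([PATCH_RULE] if patched else [])
    pulse_dir = new_label(rules, dir_creator, "tmp_t", "dir", "pulse-PKdhtXMmr18n")
    objects = [("file", "autospawn.lock"), ("file", "pid"), ("sock_file", "native")]
    labels = {n: new_label(rules, "pulseaudio_t", pulse_dir, c, n) for c, n in objects}
    labels["."] = pulse_dir
    return labels


if __name__ == "__main__":
    cases = [("staff_t", False), ("staff_t", True),
             ("mozilla_t", True), ("pulseaudio_t", False)]
    for creator, patched in cases:
        print(f"dir by {creator:13} patched={patched!s:5}", simulate(creator, patched))
```

The pulseaudio_t case is the one the files_tmp_filetrans question assumed: if the daemon itself created the directory, everything inside would inherit pulseaudio_tmp_t and no named rules would be needed.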
* [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock 2015-04-13 15:36 [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock Jason Zaman ` (2 preceding siblings ...) 2015-04-13 17:31 ` [refpolicy] [PATCH 1/3] pulseaudio: filetrans for autospawn.lock Sven Vermeulen @ 2015-04-13 19:32 ` Dominick Grift 3 siblings, 0 replies; 11+ messages in thread From: Dominick Grift @ 2015-04-13 19:32 UTC (permalink / raw) To: refpolicy On Mon, Apr 13, 2015 at 07:36:11PM +0400, Jason Zaman wrote: > Pulseaudio tries to acquire /tmp/pulse-*/autospawn.lock, this adds the > filetrans rule. > > $ start-pulseaudio-x11 > W: [autospawn] core-util.c: Failed to create lock file '/tmp/pulse-PKdhtXMmr18n/autospawn.lock': Permission denied > E: [pulseaudio] main.c: Failed to acquire autospawn lock The pulseaudio policy is fragile, granted, but this rule makes sense to me. Merged, thanks > --- > pulseaudio.te | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/pulseaudio.te b/pulseaudio.te > index 4665af2..648de3a 100644 > --- a/pulseaudio.te > +++ b/pulseaudio.te 
> @@ -56,6 +56,7 @@ manage_dirs_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t) > manage_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t) > manage_sock_files_pattern(pulseaudio_t, pulseaudio_tmp_t, pulseaudio_tmp_t) > files_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, dir) > +userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "autospawn.lock") > userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, file, "pid") > userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "dbus-socket") > userdom_user_tmp_filetrans(pulseaudio_t, pulseaudio_tmp_t, sock_file, "native") > -- > 2.0.5 > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- 02DFF788 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788 http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 648 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20150413/5c36d04b/attachment.bin ^ permalink raw reply [flat|nested] 11+ messages in thread