From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 4EB5F1381F1 for ; Wed, 17 Aug 2016 16:59:20 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 7A3A621C132; Wed, 17 Aug 2016 16:59:11 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 9DCFC21C10A for ; Wed, 17 Aug 2016 16:59:09 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 7E669340F13 for ; Wed, 17 Aug 2016 16:59:08 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id BDE342464 for ; Wed, 17 Aug 2016 16:59:04 +0000 (UTC) 
From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1471452415.c62aca80448084d3dd1a37ef55866a1de76e540c.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/alsa.fc policy/modules/contrib/alsa.if policy/modules/contrib/alsa.te policy/modules/contrib/asterisk.te policy/modules/contrib/entropyd.te policy/modules/contrib/hal.te policy/modules/contrib/mpd.te policy/modules/contrib/mplayer.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: c62aca80448084d3dd1a37ef55866a1de76e540c X-VCS-Branch: master Date: Wed, 17 Aug 2016 16:59:04 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: c67885c0-a40f-4bc1-8b61-dab6449670b4 X-Archives-Hash: ff8c1b84701c6ac01ddab52bea9738c9 commit: c62aca80448084d3dd1a37ef55866a1de76e540c Author: Chris PeBenito ieee org> AuthorDate: Sun Aug 14 18:33:24 2016 +0000 Commit: Jason Zaman gentoo org> CommitDate: Wed Aug 17 16:46:55 2016 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c62aca80 Update the alsa module so that the alsa_etc_t file context (previously alsa_etc_rw_t) is widened to the whole alsa share directory, instead of just a couple of files. The wrong and misleading _rw_ label has been deprecated in the alsa interface definitions and in their instances throughout the whole Reference Policy (static and system-wide configuration files are not runtime-writable). Warning messages are printed when the user attempts to use the old namings for the above mentioned alsa interface definitions. 
After applying this patch, the recent pulseaudio patch should also be applied to complete the removal of the _rw_ labels on the alsa interfaces. This version of the patch finally removes obsolete file contexts and grants read permissions instead of manage permissions for static configuration files in /usr/share/alsa and system-wide configuration files in /etc. Thanks to Dominick Grift for pointing out redundant interface usage in a previous version of this patch. Signed-off-by: Guido Trentalancia trentalancia.net> policy/modules/contrib/alsa.fc | 9 +++---- policy/modules/contrib/alsa.if | 52 ++++++++++++++++++++++++++++++-------- policy/modules/contrib/alsa.te | 10 ++++---- policy/modules/contrib/asterisk.te | 2 +- policy/modules/contrib/entropyd.te | 2 +- policy/modules/contrib/hal.te | 2 +- policy/modules/contrib/mpd.te | 2 +- policy/modules/contrib/mplayer.te | 2 +- 8 files changed, 55 insertions(+), 26 deletions(-) diff --git a/policy/modules/contrib/alsa.fc b/policy/modules/contrib/alsa.fc index a8c8a64..112fc62 100644 --- a/policy/modules/contrib/alsa.fc +++ b/policy/modules/contrib/alsa.fc @@ -6,10 +6,8 @@ ifdef(`distro_debian',` /bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0) -/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) -/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) -/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) -/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) +/etc/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0) +/etc/asound\.conf gen_context(system_u:object_r:alsa_etc_t,s0) /sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0) /sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0) 
@@ -25,8 +23,7 @@ ifdef(`distro_debian',` /usr/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0) /usr/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0) -/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0) -/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) +/usr/share/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0) /var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0) diff --git a/policy/modules/contrib/alsa.if b/policy/modules/contrib/alsa.if index 38bbf80..9ffed04 100644 --- a/policy/modules/contrib/alsa.if +++ b/policy/modules/contrib/alsa.if @@ -102,7 +102,8 @@ interface(`alsa_rw_shared_mem',` ######################################## ## -## Read writable Alsa configuration content. +## Read writable Alsa configuration +## content. (Deprecated) ## ## ## @@ -111,14 +112,29 @@ interface(`alsa_rw_shared_mem',` ## # interface(`alsa_read_rw_config',` + refpolicywarn(`$0($*) has been deprecated, use alsa_read_config() instead.') + alsa_read_config($1) +') + +######################################## +## +## Read Alsa configuration content. +## +## +## +## Domain allowed access. +## +## +# +interface(`alsa_read_config',` gen_require(` - type alsa_etc_rw_t; + type alsa_etc_t; ') files_search_etc($1) - allow $1 alsa_etc_rw_t:dir list_dir_perms; - read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) - read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) + allow $1 alsa_etc_t:dir list_dir_perms; + read_files_pattern($1, alsa_etc_t, alsa_etc_t) + read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t) ifdef(`distro_debian',` files_search_usr($1) @@ -127,7 +143,8 @@ interface(`alsa_read_rw_config',` ######################################## ## -## Manage writable Alsa config files. +## Manage writable Alsa config +## files. (Deprecated) ## ## ## 
@@ -136,14 +153,29 @@ interface(`alsa_read_rw_config',` ## # interface(`alsa_manage_rw_config',` + refpolicywarn(`$0($*) has been deprecated, use alsa_manage_config() instead.') + alsa_manage_config($1) +') + +######################################## +## +## Manage Alsa config files. +## +## +## +## Domain allowed access. +## +## +# +interface(`alsa_manage_config',` gen_require(` - type alsa_etc_rw_t; + type alsa_etc_t; ') files_search_etc($1) - allow $1 alsa_etc_rw_t:dir list_dir_perms; - manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) - read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) + allow $1 alsa_etc_t:dir list_dir_perms; + manage_files_pattern($1, alsa_etc_t, alsa_etc_t) + read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t) ifdef(`distro_debian',` files_search_usr($1) diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te index 17bb145..b08ab0c 100644 --- a/policy/modules/contrib/alsa.te +++ b/policy/modules/contrib/alsa.te @@ -12,8 +12,8 @@ type alsa_exec_t; init_system_domain(alsa_t, alsa_exec_t) role alsa_roles types alsa_t; -type alsa_etc_rw_t; -files_config_file(alsa_etc_rw_t) +type alsa_etc_t; +files_config_file(alsa_etc_t) type alsa_tmp_t; files_tmp_file(alsa_tmp_t) @@ -46,9 +46,9 @@ allow alsa_t self:unix_stream_socket { accept listen }; allow alsa_t alsa_home_t:file read_file_perms; -manage_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t) -manage_lnk_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t) -files_etc_filetrans(alsa_t, alsa_etc_rw_t, file) +list_dirs_pattern(alsa_t, alsa_etc_t, alsa_etc_t) +read_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t) +read_lnk_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t) can_exec(alsa_t, alsa_exec_t) diff --git a/policy/modules/contrib/asterisk.te b/policy/modules/contrib/asterisk.te index fc25311..e901010 100644 --- a/policy/modules/contrib/asterisk.te +++ b/policy/modules/contrib/asterisk.te 
@@ -156,7 +156,7 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t) userdom_dontaudit_search_user_home_dirs(asterisk_t) optional_policy(` - alsa_read_rw_config(asterisk_t) + alsa_read_config(asterisk_t) ') optional_policy(` diff --git a/policy/modules/contrib/entropyd.te b/policy/modules/contrib/entropyd.te index e82f4f5..5068fab 100644 --- a/policy/modules/contrib/entropyd.te +++ b/policy/modules/contrib/entropyd.te @@ -68,7 +68,7 @@ tunable_policy(`entropyd_use_audio',` optional_policy(` tunable_policy(`entropyd_use_audio',` alsa_read_lib(entropyd_t) - alsa_read_rw_config(entropyd_t) + alsa_read_config(entropyd_t) ') ') diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te index bbccc79..2081d14 100644 --- a/policy/modules/contrib/hal.te +++ b/policy/modules/contrib/hal.te @@ -213,7 +213,7 @@ userdom_dontaudit_search_user_home_dirs(hald_t) optional_policy(` alsa_domtrans(hald_t) - alsa_read_rw_config(hald_t) + alsa_read_config(hald_t) ') optional_policy(` diff --git a/policy/modules/contrib/mpd.te b/policy/modules/contrib/mpd.te index 01ded5d..f6f9195 100644 --- a/policy/modules/contrib/mpd.te +++ b/policy/modules/contrib/mpd.te @@ -179,7 +179,7 @@ tunable_policy(`mpd_use_nfs',` ') optional_policy(` - alsa_read_rw_config(mpd_t) + alsa_read_config(mpd_t) ') optional_policy(` diff --git a/policy/modules/contrib/mplayer.te b/policy/modules/contrib/mplayer.te index 26ff9aa..e70ee72 100644 --- a/policy/modules/contrib/mplayer.te +++ b/policy/modules/contrib/mplayer.te 
@@ -257,7 +257,7 @@ tunable_policy(`allow_mplayer_execstack',` ') optional_policy(` - alsa_read_rw_config(mplayer_t) + alsa_read_config(mplayer_t) ') optional_policy(` From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id EC73213832E for ; Wed, 17 Aug 2016 17:00:26 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id BE2BE21C1C8; Wed, 17 Aug 2016 17:00:13 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id A557521C1B3 for ; Wed, 17 Aug 2016 17:00:10 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id CF5FC340C97 for ; Wed, 17 Aug 2016 17:00:01 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 3E0E32464 for ; Wed, 17 Aug 2016 16:59:59 +0000 (UTC) 
From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1471452415.c62aca80448084d3dd1a37ef55866a1de76e540c.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/alsa.fc policy/modules/contrib/alsa.if policy/modules/contrib/alsa.te policy/modules/contrib/asterisk.te policy/modules/contrib/entropyd.te policy/modules/contrib/hal.te policy/modules/contrib/mpd.te policy/modules/contrib/mplayer.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: c62aca80448084d3dd1a37ef55866a1de76e540c X-VCS-Branch: next Date: Wed, 17 Aug 2016 16:59:59 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 2d0240c4-4893-4f6a-8f48-cfb95d7cedc0 X-Archives-Hash: 1ef6244fc9f864b68a8c8b69ac02a13f Message-ID: <20160817165959.7lH8W7Kv4hYT11Yg76Hu1zX_ipKqVMz6ppcRBpjG-_k@z> commit: c62aca80448084d3dd1a37ef55866a1de76e540c Author: Chris PeBenito ieee org> AuthorDate: Sun Aug 14 18:33:24 2016 +0000 Commit: Jason Zaman gentoo org> CommitDate: Wed Aug 17 16:46:55 2016 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c62aca80 Update the alsa module so that the alsa_etc_t file context (previously alsa_etc_rw_t) is widened to the whole alsa share directory, instead of just a couple of files. The wrong and misleading _rw_ label has been deprecated in the alsa interface definitions and in their instances throughout the whole Reference Policy (static and system-wide configuration files are not runtime-writable). 
Warning messages are printed when the user attempts to use the old namings for the above mentioned alsa interface definitions. After applying this patch, the recent pulseaudio patch should also be applied to complete the removal of the _rw_ labels on the alsa interfaces. This version of the patch finally removes obsolete file contexts and grants read permissions instead of manage permissions for static configuration files in /usr/share/alsa and system-wide configuration files in /etc. Thanks to Dominick Grift for pointing out redundant interface usage in a previous version of this patch. Signed-off-by: Guido Trentalancia trentalancia.net> policy/modules/contrib/alsa.fc | 9 +++---- policy/modules/contrib/alsa.if | 52 ++++++++++++++++++++++++++++++-------- policy/modules/contrib/alsa.te | 10 ++++---- policy/modules/contrib/asterisk.te | 2 +- policy/modules/contrib/entropyd.te | 2 +- policy/modules/contrib/hal.te | 2 +- policy/modules/contrib/mpd.te | 2 +- policy/modules/contrib/mplayer.te | 2 +- 8 files changed, 55 insertions(+), 26 deletions(-) diff --git a/policy/modules/contrib/alsa.fc b/policy/modules/contrib/alsa.fc index a8c8a64..112fc62 100644 --- a/policy/modules/contrib/alsa.fc +++ b/policy/modules/contrib/alsa.fc @@ -6,10 +6,8 @@ ifdef(`distro_debian',` /bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0) -/etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) -/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) -/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) -/etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0) +/etc/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0) +/etc/asound\.conf gen_context(system_u:object_r:alsa_etc_t,s0) /sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0) /sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0) 
@@ -25,8 +23,7 @@ ifdef(`distro_debian',` /usr/sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0) /usr/sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0) -/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0) -/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0) +/usr/share/alsa(/.*)? gen_context(system_u:object_r:alsa_etc_t,s0) /var/lib/alsa(/.*)? gen_context(system_u:object_r:alsa_var_lib_t,s0) diff --git a/policy/modules/contrib/alsa.if b/policy/modules/contrib/alsa.if index 38bbf80..9ffed04 100644 --- a/policy/modules/contrib/alsa.if +++ b/policy/modules/contrib/alsa.if @@ -102,7 +102,8 @@ interface(`alsa_rw_shared_mem',` ######################################## ## -## Read writable Alsa configuration content. +## Read writable Alsa configuration +## content. (Deprecated) ## ## ## @@ -111,14 +112,29 @@ interface(`alsa_rw_shared_mem',` ## # interface(`alsa_read_rw_config',` + refpolicywarn(`$0($*) has been deprecated, use alsa_read_config() instead.') + alsa_read_config($1) +') + +######################################## +## +## Read Alsa configuration content. +## +## +## +## Domain allowed access. +## +## +# +interface(`alsa_read_config',` gen_require(` - type alsa_etc_rw_t; + type alsa_etc_t; ') files_search_etc($1) - allow $1 alsa_etc_rw_t:dir list_dir_perms; - read_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) - read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) + allow $1 alsa_etc_t:dir list_dir_perms; + read_files_pattern($1, alsa_etc_t, alsa_etc_t) + read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t) ifdef(`distro_debian',` files_search_usr($1) @@ -127,7 +143,8 @@ interface(`alsa_read_rw_config',` ######################################## ## -## Manage writable Alsa config files. +## Manage writable Alsa config +## files. (Deprecated) ## ## ## 
@@ -136,14 +153,29 @@ interface(`alsa_read_rw_config',` ## # interface(`alsa_manage_rw_config',` + refpolicywarn(`$0($*) has been deprecated, use alsa_manage_config() instead.') + alsa_manage_config($1) +') + +######################################## +## +## Manage Alsa config files. +## +## +## +## Domain allowed access. +## +## +# +interface(`alsa_manage_config',` gen_require(` - type alsa_etc_rw_t; + type alsa_etc_t; ') files_search_etc($1) - allow $1 alsa_etc_rw_t:dir list_dir_perms; - manage_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) - read_lnk_files_pattern($1, alsa_etc_rw_t, alsa_etc_rw_t) + allow $1 alsa_etc_t:dir list_dir_perms; + manage_files_pattern($1, alsa_etc_t, alsa_etc_t) + read_lnk_files_pattern($1, alsa_etc_t, alsa_etc_t) ifdef(`distro_debian',` files_search_usr($1) diff --git a/policy/modules/contrib/alsa.te b/policy/modules/contrib/alsa.te index 17bb145..b08ab0c 100644 --- a/policy/modules/contrib/alsa.te +++ b/policy/modules/contrib/alsa.te @@ -12,8 +12,8 @@ type alsa_exec_t; init_system_domain(alsa_t, alsa_exec_t) role alsa_roles types alsa_t; -type alsa_etc_rw_t; -files_config_file(alsa_etc_rw_t) +type alsa_etc_t; +files_config_file(alsa_etc_t) type alsa_tmp_t; files_tmp_file(alsa_tmp_t) @@ -46,9 +46,9 @@ allow alsa_t self:unix_stream_socket { accept listen }; allow alsa_t alsa_home_t:file read_file_perms; -manage_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t) -manage_lnk_files_pattern(alsa_t, alsa_etc_rw_t, alsa_etc_rw_t) -files_etc_filetrans(alsa_t, alsa_etc_rw_t, file) +list_dirs_pattern(alsa_t, alsa_etc_t, alsa_etc_t) +read_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t) +read_lnk_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t) can_exec(alsa_t, alsa_exec_t) diff --git a/policy/modules/contrib/asterisk.te b/policy/modules/contrib/asterisk.te index fc25311..e901010 100644 --- a/policy/modules/contrib/asterisk.te +++ b/policy/modules/contrib/asterisk.te 
@@ -156,7 +156,7 @@ userdom_dontaudit_use_unpriv_user_fds(asterisk_t) userdom_dontaudit_search_user_home_dirs(asterisk_t) optional_policy(` - alsa_read_rw_config(asterisk_t) + alsa_read_config(asterisk_t) ') optional_policy(` diff --git a/policy/modules/contrib/entropyd.te b/policy/modules/contrib/entropyd.te index e82f4f5..5068fab 100644 --- a/policy/modules/contrib/entropyd.te +++ b/policy/modules/contrib/entropyd.te @@ -68,7 +68,7 @@ tunable_policy(`entropyd_use_audio',` optional_policy(` tunable_policy(`entropyd_use_audio',` alsa_read_lib(entropyd_t) - alsa_read_rw_config(entropyd_t) + alsa_read_config(entropyd_t) ') ') diff --git a/policy/modules/contrib/hal.te b/policy/modules/contrib/hal.te index bbccc79..2081d14 100644 --- a/policy/modules/contrib/hal.te +++ b/policy/modules/contrib/hal.te @@ -213,7 +213,7 @@ userdom_dontaudit_search_user_home_dirs(hald_t) optional_policy(` alsa_domtrans(hald_t) - alsa_read_rw_config(hald_t) + alsa_read_config(hald_t) ') optional_policy(` diff --git a/policy/modules/contrib/mpd.te b/policy/modules/contrib/mpd.te index 01ded5d..f6f9195 100644 --- a/policy/modules/contrib/mpd.te +++ b/policy/modules/contrib/mpd.te @@ -179,7 +179,7 @@ tunable_policy(`mpd_use_nfs',` ') optional_policy(` - alsa_read_rw_config(mpd_t) + alsa_read_config(mpd_t) ') optional_policy(` diff --git a/policy/modules/contrib/mplayer.te b/policy/modules/contrib/mplayer.te index 26ff9aa..e70ee72 100644 --- a/policy/modules/contrib/mplayer.te +++ b/policy/modules/contrib/mplayer.te @@ -257,7 +257,7 @@ tunable_policy(`allow_mplayer_execstack',` ') optional_policy(` - alsa_read_rw_config(mplayer_t) + alsa_read_config(mplayer_t) ') optional_policy(`
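Review bot: In the alsa.fc hunk at @@ -6,10 +6,8 @@, the removed entries /etc/asound(/.*)? and /etc/asound\.state get no successor, so those paths no longer receive any alsa type and fall through to whatever generic /etc entry matches. If they are obsolete on every supported layout, say so in the commit message; if not, add entries for them. The new /etc/asound\.conf line also omits the "--" file-type field that the removed single-file entries carried; adding it would keep the match limited to regular files.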
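Review bot: In alsa_read_config() (alsa.if, @@ -111,14 +112,29 @@), files_search_usr($1) is still wrapped in the distro_debian ifdef, while alsa.fc now labels the whole /usr/share/alsa(/.*)? tree as alsa_etc_t. Unless that file context is Debian-only, callers on other distributions are granted read on the type but not the search permission on /usr needed to reach it through this interface. Consider making the files_search_usr() call unconditional here and in alsa_manage_config(), which has the same structure.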
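Review bot: alsa_manage_config() (alsa.if, @@ -136,14 +153,29 @@) keeps manage_files_pattern($1, alsa_etc_t, alsa_etc_t), and with the widened file contexts that now covers everything under /etc/alsa and /usr/share/alsa, which the commit message describes as not runtime-writable. Every caller converted in this diff uses the read variant, so it is worth checking whether anything still needs manage access at all. If nothing does, leave only the deprecated alsa_manage_rw_config() wrapper pointing at alsa_read_config(); if something does, document in the interface summary which domain and why.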
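Review bot: The type declaration change in alsa.te (@@ -12,8 +12,8 @@) removes alsa_etc_rw_t outright with no alias. Files already labelled alsa_etc_rw_t on disk and any out-of-tree module that requires the old type will break on upgrade until relabelled or rebuilt. Adding "typealias alsa_etc_t alias alsa_etc_rw_t;" after the declaration would keep both working, in the same spirit as the deprecated interface wrappers in alsa.if.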
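Review bot: In alsa.te at @@ -46,9 +46,9 @@, dropping files_etc_filetrans(alsa_t, alsa_etc_rw_t, file) together with both manage_*_pattern lines leaves alsa_t read-only on alsa_etc_t, and /etc/alsa/asound.state is now labelled alsa_etc_t by the new /etc/alsa(/.*)? context. That is only safe if alsactl stores mixer state exclusively under /var/lib/alsa (alsa_var_lib_t in alsa.fc). Please confirm with an "alsactl store" run on each supported distribution and check the audit log for write or create denials on alsa_etc_t before merging.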