subsonic: Allow read access to sysfs
[selinux.git] / subsonic / subsonic.te
# Policy module for the subsonic service; everything below confines the
# subsonic_t domain.
1 policy_module(subsonic, 0.1.65)
2
# Types declared by other modules that this file names directly in its rules.
# init_t is the subject of the one explicit allow rule in this file; bin_t,
# shell_exec_t and the public_content types are only passed as arguments to
# *_pattern macros.
3 require {
4     type init_t;
5     type public_content_t;
6     type public_content_rw_t;
7     type bin_t;
8     type shell_exec_t;
9 }
10
11
12 # Domain type for the running service and entry-point type for its executable
# (these are type declarations; no file contexts are assigned in this file)
13 type subsonic_t;
14 type subsonic_exec_t;
15
# Label for files the service may create, modify and delete
# (see the manage_*_pattern rules later in this file).
16 type subsonic_rw_t;
17 files_type(subsonic_rw_t)
18
# Label for files the service may only read
# (see the read_*_pattern rules later in this file).
19 type subsonic_ro_t;
20 files_type(subsonic_ro_t)
21
# _sky_files_use_tmp is a project-local macro that is not defined in this file.
# NOTE(review): subsonic_tmp_t is not declared anywhere in this file, so the
# macro presumably declares it and sets up temp-file access - confirm against
# the macro definition.
22 _sky_files_use_tmp(subsonic_t, subsonic_tmp_t)
23
# Makes subsonic_t a daemon domain that init enters by executing a file
# labelled subsonic_exec_t.
24 init_daemon_domain(subsonic_t, subsonic_exec_t)
25
# Network access for subsonic_t.
# The three UDP rules are commented out, so these lines grant TCP only.
26 # corenet_udp_sendrecv_generic_port(subsonic_t)
27 # corenet_udp_bind_generic_port(subsonic_t)
28 # corenet_udp_bind_generic_node(subsonic_t)
# Listening side: the rules name the generic port and node types rather than a
# dedicated port type, so the service is not pinned to one listening port.
# NOTE(review): if the service always listens on a fixed port, labelling that
# port with its own type and binding only to it would confine a compromised
# process more tightly - confirm whether the generic bind is required.
29 corenet_tcp_sendrecv_generic_port(subsonic_t)
30 corenet_tcp_bind_generic_port(subsonic_t)
31 corenet_tcp_bind_generic_node(subsonic_t)
32
# Outbound side: connections to any unreserved port and to the HTTP ports.
# NOTE(review): the unreserved-port rule is broad; it permits outbound
# connections to most non-privileged services, which matters if the process is
# ever made to issue requests on an attacker's behalf. Narrow it if the set of
# upstream services is known.
33 corenet_tcp_connect_unreserved_ports(subsonic_t)
34 corenet_tcp_connect_http_port(subsonic_t)
35
# The domain may create and use its own TCP stream sockets.
36 allow subsonic_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
37
# Grants init (init_t) - not the service - read access to symbolic links
# labelled subsonic_ro_t.
# NOTE(review): presumably init has to follow a subsonic_ro_t symlink while
# starting the service; the reason is not stated here - confirm and record it.
38 allow init_t subsonic_ro_t:lnk_file read;
39
40 # Needed to start /bin/bash
# exec_files_pattern grants execution without a domain transition, so the
# shell runs in subsonic_t with every permission granted in this file.
41 exec_files_pattern(subsonic_t, bin_t, shell_exec_t)
42
43 # Needed to start java
# This covers every file labelled bin_t, not only the java launcher, and those
# programs also stay in subsonic_t.
# NOTE(review): a network-facing service that can run a shell and arbitrary
# bin_t programs in its own domain relies entirely on the remaining rules for
# containment; keep the file and network grants in this module as narrow as
# the service allows.
44 exec_files_pattern(subsonic_t, bin_t, bin_t)
# _sky_java_process is a project-local macro that is not defined in this file;
# whatever it grants to subsonic_t has to be reviewed together with this module.
45 _sky_java_process(subsonic_t)
46
# Read-only access: files and symbolic links labelled subsonic_ro_t, and the
# shared public_content_t content.
47 read_files_pattern(subsonic_t, subsonic_ro_t, subsonic_ro_t)
48 read_lnk_files_pattern(subsonic_t, subsonic_ro_t, subsonic_ro_t)
49 read_files_pattern(subsonic_t, public_content_t, public_content_t)
50 read_lnk_files_pattern(subsonic_t, public_content_t, public_content_t)
51
# Read-write access: create, modify and delete files and symbolic links
# labelled subsonic_rw_t, and files labelled public_content_rw_t.
# NOTE(review): no manage_dirs_pattern appears among these rules, so they do
# not let the service create or remove directories of these types - confirm
# that is intended.
# NOTE(review): public_content_rw_t is a label other services may share, and
# the write access is granted unconditionally here rather than behind a
# boolean; anything the service writes there may be picked up by those other
# domains.
52 manage_files_pattern(subsonic_t, subsonic_rw_t, subsonic_rw_t)
53 manage_lnk_files_pattern(subsonic_t, subsonic_rw_t, subsonic_rw_t)
54 manage_files_pattern(subsonic_t, public_content_rw_t, public_content_rw_t)
55
# Allow DNS name resolution.
56 sysnet_dns_name_resolve(subsonic_t)
57
# Allow reading the public files published by SSSD.
# NOTE(review): presumably needed for user/group lookups made through SSSD - confirm.
58 sssd_read_public_files(subsonic_t)
59
# Allow reading the random number device.
60 dev_read_rand(subsonic_t)
# Allow read access to sysfs. The grant is read-only but covers the sysfs type
# as a whole, not a specific subtree.
# NOTE(review): the reason for the access is not recorded here; noting which
# sysfs entries the service reads would show whether a narrower rule is possible.
61 dev_read_sysfs(subsonic_t)
62