# SELinux type-enforcement module confining the Subsonic media server
# (a Java daemon started by init) to its own domain, subsonic_t.
policy_module(subsonic, 0.1.73)

# Types owned by other modules that the raw rules below reference directly:
# init_t (init), public_content_t / public_content_rw_t (shared read-only and
# writable public content), bin_t / shell_exec_t (system binaries and shells).
# bin_t and shell_exec_t are only needed because the exec rules further down
# use raw patterns instead of the corecmd_exec_* interfaces.
require {
    type init_t;
    type public_content_t;
    type public_content_rw_t;
    type bin_t;
    type shell_exec_t;
}

# Process domain and the entrypoint type of the Subsonic launcher binary.
type subsonic_t;
type subsonic_exec_t;

# Files the daemon may modify (database, logs, transcode cache, ...).
type subsonic_rw_t;
files_type(subsonic_rw_t)

# Files the daemon may only read (installed application tree).
type subsonic_ro_t;
files_type(subsonic_ro_t)

# Temporary-file handling via a site-local macro.
# NOTE(review): subsonic_tmp_t is never declared in this file. Unless
# _sky_files_use_tmp declares it itself, this needs
# `type subsonic_tmp_t; files_tmp_file(subsonic_tmp_t)` before this line --
# confirm against the macro definition.
_sky_files_use_tmp(subsonic_t, subsonic_tmp_t)

# Make subsonic_t an init-started daemon domain: init_t transitions to
# subsonic_t when it executes a subsonic_exec_t file.
init_daemon_domain(subsonic_t, subsonic_exec_t)

# UDP access is intentionally left disabled. If the daemon is later found to
# need UDP (e.g. for service discovery), prefer re-enabling these targeted
# rules over granting a broader one.
# corenet_udp_sendrecv_generic_port(subsonic_t)
# corenet_udp_bind_generic_port(subsonic_t)
# corenet_udp_bind_generic_node(subsonic_t)

# TCP: talk on, and listen on, generic (unlabeled / unreserved) ports and
# any local address.
# NOTE(review): bind_generic_port lets the daemon listen on ANY unlabeled
# port, not just its configured one. A tighter alternative is a dedicated
# port type (declared with corenet_port() and mapped with `semanage port`)
# plus an explicit tcp_socket name_bind rule on that type only.
corenet_tcp_sendrecv_generic_port(subsonic_t)
corenet_tcp_bind_generic_port(subsonic_t)
corenet_tcp_bind_generic_node(subsonic_t)

# Outbound connections: any unreserved port plus the labeled HTTP ports.
# NOTE(review): connect_unreserved_ports is broad egress; if the daemon only
# needs to reach HTTP(S) endpoints, the http_port rule alone may suffice --
# verify with audit denials before narrowing.
corenet_tcp_connect_unreserved_ports(subsonic_t)
corenet_tcp_connect_http_port(subsonic_t)

# Create and use its own TCP sockets (listen/accept and connect).
allow subsonic_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };

# Raw grant to a foreign domain: init may follow symlinks labeled
# subsonic_ro_t. Presumably a symlink in the installed tree that the init
# script path traverses -- TODO document which one, and prefer an init_*
# interface if one exists for this.
allow init_t subsonic_ro_t:lnk_file read;

# Needed to start /bin/bash: search bin_t dirs and execute shell_exec_t
# files in the caller's domain (no transition). The refpolicy interface
# corecmd_exec_shell() expresses the same intent and also covers symlinks;
# if /bin/sh is a symlink here, a read on bin_t:lnk_file will be needed too.
exec_files_pattern(subsonic_t, bin_t, shell_exec_t)

# Needed to start java: execute generic bin_t files without transition
# (refpolicy equivalent: corecmd_exec_bin()).
exec_files_pattern(subsonic_t, bin_t, bin_t)

# Site-local macro; presumably grants what a JVM process needs (e.g. execmem
# for the JIT) -- confirm against the macro definition.
_sky_java_process(subsonic_t)

# Read-only access to the installed application tree.
read_files_pattern(subsonic_t, subsonic_ro_t, subsonic_ro_t)
read_lnk_files_pattern(subsonic_t, subsonic_ro_t, subsonic_ro_t)
mmap_files_pattern(subsonic_t, subsonic_ro_t, subsonic_ro_t)

# Read-only access to shared public content (the media library).
read_files_pattern(subsonic_t, public_content_t, public_content_t)
read_lnk_files_pattern(subsonic_t, public_content_t, public_content_t)
mmap_files_pattern(subsonic_t, public_content_t, public_content_t)

# Full create/read/write/delete on the daemon's own writable data.
manage_files_pattern(subsonic_t, subsonic_rw_t, subsonic_rw_t)
manage_dirs_pattern(subsonic_t, subsonic_rw_t, subsonic_rw_t)
manage_lnk_files_pattern(subsonic_t, subsonic_rw_t, subsonic_rw_t)
mmap_files_pattern(subsonic_t, subsonic_rw_t, subsonic_rw_t)

# Write access to shared writable public content: files only, no directory
# management (unlike subsonic_rw_t above). If the daemon has to create
# subdirectories in these trees, manage_dirs_pattern will be required.
# NOTE(review): public_content_rw_t is shared with every other service that
# may write public content, so a compromised subsonic_t can tamper with all
# of it -- keep this scoped to directories Subsonic genuinely must write.
manage_files_pattern(subsonic_t, public_content_rw_t, public_content_rw_t)
mmap_files_pattern(subsonic_t, public_content_rw_t, public_content_rw_t)

# Name resolution (resolv.conf, DNS ports).
sysnet_dns_name_resolve(subsonic_t)

# User/group lookups through sssd's public files.
sssd_read_public_files(subsonic_t)

# Read /dev/random (random_device_t). In refpolicy /dev/urandom is a separate
# type (urandom_device_t); if the JVM reads it, dev_read_urand() will be needed.
dev_read_rand(subsonic_t)

# Read /sys (JVM inspects CPU/memory information there).
dev_read_sysfs(subsonic_t)