Add policy for subsonic
diff --git a/subsonic/subsonic.te b/subsonic/subsonic.te
new file mode 100644 (file)
index 0000000..63ad0c2
--- /dev/null
@@ -0,0 +1,61 @@
+policy_module(subsonic, 0.1.64)
+
+require {
+    type init_t;
+    type public_content_t;
+    type public_content_rw_t;
+    type bin_t;
+    type shell_exec_t;
+}
+
+
+# File context for the executable process
+type subsonic_t;
+type subsonic_exec_t;
+
+type subsonic_rw_t;
+files_type(subsonic_rw_t)
+
+type subsonic_ro_t;
+files_type(subsonic_ro_t)
+
+_sky_files_use_tmp(subsonic_t, subsonic_tmp_t)
+
+init_daemon_domain(subsonic_t, subsonic_exec_t)
+
+# corenet_udp_sendrecv_generic_port(subsonic_t)
+# corenet_udp_bind_generic_port(subsonic_t)
+# corenet_udp_bind_generic_node(subsonic_t)
+corenet_tcp_sendrecv_generic_port(subsonic_t)
+corenet_tcp_bind_generic_port(subsonic_t)
+corenet_tcp_bind_generic_node(subsonic_t)
+
+corenet_tcp_connect_unreserved_ports(subsonic_t)
+corenet_tcp_connect_http_port(subsonic_t)
+
+allow subsonic_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
+
+allow init_t subsonic_ro_t:lnk_file read;
+
+# Needed to start /bin/bash
+exec_files_pattern(subsonic_t, bin_t, shell_exec_t)
+
+# Needed to start java
+exec_files_pattern(subsonic_t, bin_t, bin_t)
+_sky_java_process(subsonic_t)
+
+read_files_pattern(subsonic_t, subsonic_ro_t, subsonic_ro_t)
+read_lnk_files_pattern(subsonic_t, subsonic_ro_t, subsonic_ro_t)
+read_files_pattern(subsonic_t, public_content_t, public_content_t)
+read_lnk_files_pattern(subsonic_t, public_content_t, public_content_t)
+
+manage_files_pattern(subsonic_t, subsonic_rw_t, subsonic_rw_t)
+manage_lnk_files_pattern(subsonic_t, subsonic_rw_t, subsonic_rw_t)
+manage_files_pattern(subsonic_t, public_content_rw_t, public_content_rw_t)
+
+sysnet_dns_name_resolve(subsonic_t)
+
+sssd_read_public_files(subsonic_t)
+
+dev_read_rand(subsonic_t)
+
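Review bot: The network scope granted by `corenet_tcp_bind_generic_port`, `corenet_tcp_bind_generic_node` and `corenet_tcp_connect_unreserved_ports` is wide for one daemon: subsonic_t may bind any port labeled port_t and connect out to any unreserved port, so a compromised Java process can listen or reach out far beyond the service's own port. A least-privilege form is a dedicated port type, `type subsonic_port_t;` / `corenet_port(subsonic_port_t)` / `allow subsonic_t subsonic_port_t:tcp_socket name_bind;`, with the listening port labeled accordingly, and outbound kept to `corenet_tcp_connect_http_port` only if the daemon really needs it. Separately, `read_files_pattern` on subsonic_ro_t and public_content_t grants only search on the directories, so if the daemon enumerates media directories it will also need `list_dirs_pattern(subsonic_t, public_content_t, public_content_t)` (and the same for subsonic_ro_t); likewise `manage_dirs_pattern(subsonic_t, subsonic_rw_t, subsonic_rw_t)` if it creates subdirectories under its writable area. The commented-out UDP rules should be dropped rather than left as dead policy, the comment `# File context for the executable process` sits over plain type declarations and should read `# Domain and entrypoint types for the subsonic daemon`, and `subsonic_tmp_t` is used without a visible declaration — presumably `_sky_files_use_tmp` declares it, which is worth confirming.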