Add policy for subsonic

author Ralf Ertzinger <ralf@skytale.net>

Sun, 4 Dec 2016 18:47:44 +0000 (18:47 +0000)

committer Ralf Ertzinger <ralf@skytale.net>

Sun, 4 Dec 2016 18:47:44 +0000 (18:47 +0000)
author Ralf Ertzinger <ralf@skytale.net>
Sun, 4 Dec 2016 18:47:44 +0000 (18:47 +0000)
committer Ralf Ertzinger <ralf@skytale.net>
Sun, 4 Dec 2016 18:47:44 +0000 (18:47 +0000)
diff --git a/subsonic/subsonic.fc b/subsonic/subsonic.fc

new file mode 100644 (file)

index 0000000..cdccdf1
--- /dev/null
+++ b/subsonic/subsonic.fc
@@ -0,0 +1,3 @@
+/opt/subsonic/bin/[^/]+/subsonic.sh          -- gen_context(system_u:object_r:subsonic_exec_t,s0)
+/opt/subsonic/var(/.*)?                         gen_context(system_u:object_r:subsonic_rw_t,s0)
+/opt/subsonic(/.*)?                             gen_context(system_u:object_r:subsonic_ro_t,s0)
diff --git a/subsonic/subsonic.if b/subsonic/subsonic.if

new file mode 120000 (symlink)

index 0000000..196caaa
--- /dev/null
+++ b/subsonic/subsonic.if
@@ -0,0 +1 @@
+../include/_sky_.if
+\ No newline at end of file
diff --git a/subsonic/subsonic.te b/subsonic/subsonic.te

new file mode 100644 (file)

index 0000000..63ad0c2
--- /dev/null
+++ b/subsonic/subsonic.te
@@ -0,0 +1,61 @@
+policy_module(subsonic, 0.1.64)
+
+require {
+    type init_t;
+    type public_content_t;
+    type public_content_rw_t;
+    type bin_t;
+    type shell_exec_t;
+}
+
+
+# File context for the executable process
+type subsonic_t;
+type subsonic_exec_t;
+
+type subsonic_rw_t;
+files_type(subsonic_rw_t)
+
+type subsonic_ro_t;
+files_type(subsonic_ro_t)
+
+_sky_files_use_tmp(subsonic_t, subsonic_tmp_t)
+
+init_daemon_domain(subsonic_t, subsonic_exec_t)
+
+# corenet_udp_sendrecv_generic_port(subsonic_t)
+# corenet_udp_bind_generic_port(subsonic_t)
+# corenet_udp_bind_generic_node(subsonic_t)
+corenet_tcp_sendrecv_generic_port(subsonic_t)
+corenet_tcp_bind_generic_port(subsonic_t)
+corenet_tcp_bind_generic_node(subsonic_t)
+
+corenet_tcp_connect_unreserved_ports(subsonic_t)
+corenet_tcp_connect_http_port(subsonic_t)
+
+allow subsonic_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
+
+allow init_t subsonic_ro_t:lnk_file read;
+
+# Needed to start /bin/bash
+exec_files_pattern(subsonic_t, bin_t, shell_exec_t)
+
+# Needed to start java
+exec_files_pattern(subsonic_t, bin_t, bin_t)
+_sky_java_process(subsonic_t)
+
+read_files_pattern(subsonic_t, subsonic_ro_t, subsonic_ro_t)
+read_lnk_files_pattern(subsonic_t, subsonic_ro_t, subsonic_ro_t)
+read_files_pattern(subsonic_t, public_content_t, public_content_t)
+read_lnk_files_pattern(subsonic_t, public_content_t, public_content_t)
+
+manage_files_pattern(subsonic_t, subsonic_rw_t, subsonic_rw_t)
+manage_lnk_files_pattern(subsonic_t, subsonic_rw_t, subsonic_rw_t)
+manage_files_pattern(subsonic_t, public_content_rw_t, public_content_rw_t)
+
+sysnet_dns_name_resolve(subsonic_t)
+
+sssd_read_public_files(subsonic_t)
+
+dev_read_rand(subsonic_t)
+
author	Ralf Ertzinger <ralf@skytale.net>
	Sun, 4 Dec 2016 18:47:44 +0000 (18:47 +0000)
committer	Ralf Ertzinger <ralf@skytale.net>
	Sun, 4 Dec 2016 18:47:44 +0000 (18:47 +0000)
subsonic/subsonic.fc	[new file with mode: 0644]	patch \| blob
subsonic/subsonic.if	[new symlink]	patch \| blob
subsonic/subsonic.te	[new file with mode: 0644]	patch \| blob