From 9d45342268e210841452b11264770b7aba19d9be Mon Sep 17 00:00:00 2001
From: Ralf Ertzinger
Date: Sun, 4 Dec 2016 18:47:44 +0000
Subject: [PATCH] Add policy for subsonic
---
 subsonic/subsonic.fc | 3 +++
 subsonic/subsonic.if | 1 +
 subsonic/subsonic.te | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 65 insertions(+)
 create mode 100644 subsonic/subsonic.fc
 create mode 120000 subsonic/subsonic.if
 create mode 100644 subsonic/subsonic.te
diff --git a/subsonic/subsonic.fc b/subsonic/subsonic.fc
new file mode 100644
index 0000000..cdccdf1
--- /dev/null
+++ b/subsonic/subsonic.fc
@@ -0,0 +1,3 @@
+/opt/subsonic/bin/[^/]+/subsonic.sh -- gen_context(system_u:object_r:subsonic_exec_t,s0)
+/opt/subsonic/var(/.*)? gen_context(system_u:object_r:subsonic_rw_t,s0)
+/opt/subsonic(/.*)? gen_context(system_u:object_r:subsonic_ro_t,s0)
diff --git a/subsonic/subsonic.if b/subsonic/subsonic.if
new file mode 120000
index 0000000..196caaa
--- /dev/null
+++ b/subsonic/subsonic.if
@@ -0,0 +1 @@
+../include/_sky_.if
\ No newline at end of file
diff --git a/subsonic/subsonic.te b/subsonic/subsonic.te
new file mode 100644
index 0000000..63ad0c2
--- /dev/null
+++ b/subsonic/subsonic.te
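Review bot: The unescaped `.` in `subsonic.sh` on the first entry is a regex wildcard, so the executable pattern matches more than the literal script name; `/opt/subsonic/bin/[^/]+/subsonic\.sh -- gen_context(system_u:object_r:subsonic_exec_t,s0)` pins it to the script. The other two entries depend on longest-match ordering for `/opt/subsonic/var` to end up as `subsonic_rw_t` rather than the catch-all `subsonic_ro_t`; a one-line comment such as `# longest match wins: var/ is rw, everything else under /opt/subsonic is ro` would keep a later edit from reordering them. Because the catch-all also covers `/opt/subsonic/bin`, anything else executed from that tree (a bundled JRE, for instance) would carry `subsonic_ro_t`, which the .te in this commit only grants for reading, not executing; worth confirming that java is resolved from `bin_t` paths.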
@@ -0,0 +1,61 @@
+policy_module(subsonic, 0.1.64)
+
+require {
+ type init_t;
+ type public_content_t;
+ type public_content_rw_t;
+ type bin_t;
+ type shell_exec_t;
+}
+
+
+# File context for the executable process
+type subsonic_t;
+type subsonic_exec_t;
+
+type subsonic_rw_t;
+files_type(subsonic_rw_t)
+
+type subsonic_ro_t;
+files_type(subsonic_ro_t)
+
+_sky_files_use_tmp(subsonic_t, subsonic_tmp_t)
+
+init_daemon_domain(subsonic_t, subsonic_exec_t)
+
+# corenet_udp_sendrecv_generic_port(subsonic_t)
+# corenet_udp_bind_generic_port(subsonic_t)
+# corenet_udp_bind_generic_node(subsonic_t)
+corenet_tcp_sendrecv_generic_port(subsonic_t)
+corenet_tcp_bind_generic_port(subsonic_t)
+corenet_tcp_bind_generic_node(subsonic_t)
+
+corenet_tcp_connect_unreserved_ports(subsonic_t)
+corenet_tcp_connect_http_port(subsonic_t)
+
+allow subsonic_t self:tcp_socket { create_stream_socket_perms connected_stream_socket_perms };
+
+allow init_t subsonic_ro_t:lnk_file read;
+
+# Needed to start /bin/bash
+exec_files_pattern(subsonic_t, bin_t, shell_exec_t)
+
+# Needed to start java
+exec_files_pattern(subsonic_t, bin_t, bin_t)
+_sky_java_process(subsonic_t)
+
+read_files_pattern(subsonic_t, subsonic_ro_t, subsonic_ro_t)
+read_lnk_files_pattern(subsonic_t, subsonic_ro_t, subsonic_ro_t)
+read_files_pattern(subsonic_t, public_content_t, public_content_t)
+read_lnk_files_pattern(subsonic_t, public_content_t, public_content_t)
+
+manage_files_pattern(subsonic_t, subsonic_rw_t, subsonic_rw_t)
+manage_lnk_files_pattern(subsonic_t, subsonic_rw_t, subsonic_rw_t)
+manage_files_pattern(subsonic_t, public_content_rw_t, public_content_rw_t)
+
+sysnet_dns_name_resolve(subsonic_t)
+
+sssd_read_public_files(subsonic_t)
+
+dev_read_rand(subsonic_t)
+
-- 
1.8.3.1
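Review bot: The `require` block pulls `bin_t`, `shell_exec_t`, `public_content_t` and `public_content_rw_t` in as raw types and the `exec_files_pattern`/`read_files_pattern`/`manage_files_pattern` lines grant on them directly, where the refpolicy `corecmd_*` and `miscfiles_*` interfaces exist for exactly these grants; with those, only `init_t` still has to be required, for the `allow init_t subsonic_ro_t:lnk_file read;` rule, which itself deserves a comment naming the symlink under /opt/subsonic that init has to follow (note that `miscfiles_manage_public_files` also covers dirs and symlinks, slightly more than the single `manage_files_pattern` line grants today). `corenet_tcp_bind_generic_port` together with `corenet_tcp_connect_unreserved_ports` lets the daemon listen on any generic port and connect out to any unreserved port; if the policy base provides `corenet_port()`, a dedicated `subsonic_port_t` bound with `allow subsonic_t subsonic_port_t:tcp_socket name_bind;` would confine listening to the configured port, and a comment should state which outbound connections the unreserved-port grant serves. `manage_files_pattern` on `subsonic_rw_t` carries no `manage_dirs_pattern`, so the daemon presumably cannot create subdirectories under /opt/subsonic/var; confirm that against what it writes there. `subsonic_tmp_t` is passed to `_sky_files_use_tmp` without being declared in this file, so it is presumably declared by that interface in the shared `_sky_.if`, which is worth a comment on that line.
```selinux
require {
	type init_t;
}

# … unchanged: type declarations, files_type, _sky_files_use_tmp, init_daemon_domain, corenet rules …

# init follows the versioned symlink under /opt/subsonic when launching subsonic.sh
allow init_t subsonic_ro_t:lnk_file read;

# Needed to start /bin/bash and java; both live under bin_t
corecmd_exec_shell(subsonic_t)
corecmd_exec_bin(subsonic_t)
_sky_java_process(subsonic_t)

# … unchanged: subsonic_ro_t / subsonic_rw_t read and manage rules …

# Media library: read the public tree, read/write the public rw tree
miscfiles_read_public_files(subsonic_t)
miscfiles_manage_public_files(subsonic_t)

# … unchanged: sysnet_dns_name_resolve, sssd_read_public_files, dev_read_rand …
```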