commit:     70f80e75e0d49c1c26d4887b8613c60dd5311866
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sat Jul 11 14:56:08 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Jul 11 14:56:08 2015 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=70f80e75

Introduce policy for subsonic music server

 policy/modules/contrib/subsonic.fc |  6 +++++
 policy/modules/contrib/subsonic.if |  1 +
 policy/modules/contrib/subsonic.te | 48 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 55 insertions(+)

diff --git a/policy/modules/contrib/subsonic.fc 
b/policy/modules/contrib/subsonic.fc
new file mode 100644
index 0000000..b1d2550
--- /dev/null
+++ b/policy/modules/contrib/subsonic.fc
@@ -0,0 +1,6 @@
+
+/usr/bin/subsonic                      --      
gen_context(system_u:object_r:subsonic_exec_t,s0)
+
+/var/lib/subsonic(/.*)?                                
gen_context(system_u:object_r:subsonic_var_lib_t,s0)
+
+/var/run/subsonic(/.*)?                                
gen_context(system_u:object_r:subsonic_run_t,s0)

diff --git a/policy/modules/contrib/subsonic.if 
b/policy/modules/contrib/subsonic.if
new file mode 100644
index 0000000..97e7342
--- /dev/null
+++ b/policy/modules/contrib/subsonic.if
@@ -0,0 +1 @@
+## <summary>Subsonic Music Streaming Server</summary>

diff --git a/policy/modules/contrib/subsonic.te 
b/policy/modules/contrib/subsonic.te
new file mode 100644
index 0000000..cb0c5ac
--- /dev/null
+++ b/policy/modules/contrib/subsonic.te
@@ -0,0 +1,48 @@
+policy_module(subsonic, 0.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type subsonic_t;
+type subsonic_exec_t;
+init_daemon_domain(subsonic_t, subsonic_exec_t)
+
+type subsonic_var_lib_t;
+files_type(subsonic_var_lib_t)
+
+type subsonic_run_t;
+files_pid_file(subsonic_run_t)
+
+##############################
+#
+# Subsonic local policy
+#
+
+allow subsonic_t self:tcp_socket listen;
+
+java_domain_type(subsonic_t)
+
+kernel_dontaudit_list_all_proc(subsonic_t)
+
+manage_dirs_pattern(subsonic_t, subsonic_run_t, subsonic_run_t)
+manage_files_pattern(subsonic_t, subsonic_run_t, subsonic_run_t)
+files_pid_filetrans(subsonic_t, subsonic_run_t, dir)
+
+manage_dirs_pattern(subsonic_t, subsonic_var_lib_t, subsonic_var_lib_t)
+manage_files_pattern(subsonic_t, subsonic_var_lib_t, subsonic_var_lib_t)
+files_var_lib_filetrans(subsonic_t, subsonic_var_lib_t, dir)
+
+corecmd_exec_bin(subsonic_t)
+corecmd_exec_shell(subsonic_t)
+
+corenet_tcp_bind_all_unreserved_ports(subsonic_t)
+corenet_tcp_bind_generic_node(subsonic_t)
+corenet_tcp_connect_http_port(subsonic_t)
+
+domain_use_interactive_fds(subsonic_t)
+
+optional_policy(`
+       miscfiles_read_public_files(subsonic_t)
+')
