commit: c4b26faf064b20ca42e230b0192fcf08430a5fe5 Author: Jason Zaman <jason <AT> perfinion <DOT> com> AuthorDate: Sat Jul 11 14:56:08 2015 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Mon Jul 13 21:43:34 2015 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c4b26faf
Introduce policy for subsonic music server policy/modules/contrib/subsonic.fc | 6 +++++ policy/modules/contrib/subsonic.if | 1 + policy/modules/contrib/subsonic.te | 48 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 55 insertions(+)
diff --git a/policy/modules/contrib/subsonic.fc b/policy/modules/contrib/subsonic.fc
new file mode 100644
index 0000000..b1d2550
--- /dev/null
+++ b/policy/modules/contrib/subsonic.fc
@@ -0,0 +1,6 @@
+
+/usr/bin/subsonic -- gen_context(system_u:object_r:subsonic_exec_t,s0)
+
+/var/lib/subsonic(/.*)? gen_context(system_u:object_r:subsonic_var_lib_t,s0)
+
+/var/run/subsonic(/.*)? gen_context(system_u:object_r:subsonic_run_t,s0)
diff --git a/policy/modules/contrib/subsonic.if b/policy/modules/contrib/subsonic.if
new file mode 100644
index 0000000..97e7342
--- /dev/null
+++ b/policy/modules/contrib/subsonic.if
@@ -0,0 +1 @@
+## <summary>Subsonic Music Streaming Server</summary>
diff --git a/policy/modules/contrib/subsonic.te b/policy/modules/contrib/subsonic.te
new file mode 100644
index 0000000..cb0c5ac
--- /dev/null
+++ b/policy/modules/contrib/subsonic.te
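Review bot: The new subsonic.if holds only the `## <summary>` line, so no other domain can be granted access to subsonic_var_lib_t or subsonic_run_t and there is no admin interface through which a sysadm role could be given a scoped right to manage the service. Many refpolicy contrib modules ship a `subsonic_admin(domain, role)` interface (signal/ps on subsonic_t plus managing the module's own types under files_search_var_lib/files_search_pids) for exactly that purpose. If leaving the interface file empty is deliberate for a first version, a one-line comment under the summary saying so would help the next contributor; otherwise the admin interface belongs in this commit.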
@@ -0,0 +1,48 @@
+policy_module(subsonic, 0.1.0)
+
+########################################
+#
+# Declarations
+#
+
+type subsonic_t;
+type subsonic_exec_t;
+init_daemon_domain(subsonic_t, subsonic_exec_t)
+
+type subsonic_var_lib_t;
+files_type(subsonic_var_lib_t)
+
+type subsonic_run_t;
+files_pid_file(subsonic_run_t)
+
+##############################
+#
+# Subsonic local policy
+#
+
+allow subsonic_t self:tcp_socket listen;
+
+java_domain_type(subsonic_t)
+
+kernel_dontaudit_list_all_proc(subsonic_t)
+
+manage_dirs_pattern(subsonic_t, subsonic_run_t, subsonic_run_t)
+manage_files_pattern(subsonic_t, subsonic_run_t, subsonic_run_t)
+files_pid_filetrans(subsonic_t, subsonic_run_t, dir)
+
+manage_dirs_pattern(subsonic_t, subsonic_var_lib_t, subsonic_var_lib_t)
+manage_files_pattern(subsonic_t, subsonic_var_lib_t, subsonic_var_lib_t)
+files_var_lib_filetrans(subsonic_t, subsonic_var_lib_t, dir)
+
+corecmd_exec_bin(subsonic_t)
+corecmd_exec_shell(subsonic_t)
+
+corenet_tcp_bind_all_unreserved_ports(subsonic_t)
+corenet_tcp_bind_generic_node(subsonic_t)
+corenet_tcp_connect_http_port(subsonic_t)
+
+domain_use_interactive_fds(subsonic_t)
+
+optional_policy(`
+	miscfiles_read_public_files(subsonic_t)
+')
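Review bot: `corenet_tcp_bind_all_unreserved_ports(subsonic_t)` lets the daemon bind any unreserved TCP port, which is far wider than a single-port streaming server needs and leaves no named port type that a client domain or admin interface could later be granted connect access to. The refpolicy convention is a dedicated port type declared in corenetwork (`network_port(subsonic, tcp,<listen port>,s0)`) with `corenet_tcp_bind_subsonic_port(subsonic_t)` here, using the port the server actually listens on by default rather than a guess. `corecmd_exec_shell(subsonic_t)` and `corenet_tcp_connect_http_port(subsonic_t)` are notable grants for a network-facing daemon and each deserves a why-comment, e.g. `# shell needed to launch external transcoders -- TODO confirm` and `# outbound http: presumably update/podcast/cover fetches -- verify`. Also `allow subsonic_t self:tcp_socket listen;` on its own does not cover create/bind/accept; unless java_domain_type() already supplies those, this should be `allow subsonic_t self:tcp_socket create_stream_socket_perms;`.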
