From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1436644594.d86d22c76f9b27c117a3a2d14539ca2ac23fb8a4.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/subsonic.fc policy/modules/contrib/subsonic.if policy/modules/contrib/subsonic.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: d86d22c76f9b27c117a3a2d14539ca2ac23fb8a4 X-VCS-Branch: next Date: Sat, 11 Jul 2015 19:57:18 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: e79ef5ba-b5ca-4e38-a8c3-a3013c60c21f X-Archives-Hash: bc7d7a9a1e3496e22145f25f37ef3b0c commit: d86d22c76f9b27c117a3a2d14539ca2ac23fb8a4 Author: Jason Zaman perfinion com> AuthorDate: Sat Jul 11 14:56:08 2015 +0000 Commit: Jason Zaman gentoo org> CommitDate: Sat Jul 11 19:56:34 2015 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d86d22c7 Introduce policy for subsonic music server policy/modules/contrib/subsonic.fc | 6 +++++ policy/modules/contrib/subsonic.if | 1 + policy/modules/contrib/subsonic.te | 48 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 55 insertions(+) diff --git a/policy/modules/contrib/subsonic.fc b/policy/modules/contrib/subsonic.fc new file mode 100644 index 0000000..b1d2550 --- /dev/null +++ b/policy/modules/contrib/subsonic.fc @@ -0,0 +1,6 @@ + +/usr/bin/subsonic -- gen_context(system_u:object_r:subsonic_exec_t,s0) + +/var/lib/subsonic(/.*)? gen_context(system_u:object_r:subsonic_var_lib_t,s0) + +/var/run/subsonic(/.*)? gen_context(system_u:object_r:subsonic_run_t,s0) 
diff --git a/policy/modules/contrib/subsonic.if b/policy/modules/contrib/subsonic.if new file mode 100644 index 0000000..97e7342 --- /dev/null +++ b/policy/modules/contrib/subsonic.if @@ -0,0 +1 @@ +## Subsonic Music Streaming Server diff --git a/policy/modules/contrib/subsonic.te b/policy/modules/contrib/subsonic.te new file mode 100644 index 0000000..cb0c5ac --- /dev/null +++ b/policy/modules/contrib/subsonic.te @@ -0,0 +1,48 @@ +policy_module(subsonic, 0.1.0) + +######################################## +# +# Declarations +# + +type subsonic_t; +type subsonic_exec_t; +init_daemon_domain(subsonic_t, subsonic_exec_t) + +type subsonic_var_lib_t; +files_type(subsonic_var_lib_t) + +type subsonic_run_t; +files_pid_file(subsonic_run_t) + +############################## +# +# Subsonic local policy +# + +allow subsonic_t self:tcp_socket listen; + +java_domain_type(subsonic_t) + +kernel_dontaudit_list_all_proc(subsonic_t) + +manage_dirs_pattern(subsonic_t, subsonic_run_t, subsonic_run_t) +manage_files_pattern(subsonic_t, subsonic_run_t, subsonic_run_t) +files_pid_filetrans(subsonic_t, subsonic_run_t, dir) + +manage_dirs_pattern(subsonic_t, subsonic_var_lib_t, subsonic_var_lib_t) +manage_files_pattern(subsonic_t, subsonic_var_lib_t, subsonic_var_lib_t) +files_var_lib_filetrans(subsonic_t, subsonic_var_lib_t, dir) + +corecmd_exec_bin(subsonic_t) +corecmd_exec_shell(subsonic_t) + +corenet_tcp_bind_all_unreserved_ports(subsonic_t) +corenet_tcp_bind_generic_node(subsonic_t) +corenet_tcp_connect_http_port(subsonic_t) + +domain_use_interactive_fds(subsonic_t) + +optional_policy(` + miscfiles_read_public_files(subsonic_t) +')
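Review bot: the subsonic.fc hunk labels only the executable, /var/lib/subsonic and /var/run/subsonic, so any log directory or configuration file the daemon writes elsewhere (for example under /var/log) lands in the default file type, and the write is denied because the .te rules only grant manage on subsonic_var_lib_t and subsonic_run_t. If the daemon keeps logs or settings outside /var/lib/subsonic, add an entry for that path with its own type (a subsonic_log_t declared with logging_log_file() and the matching manage rules); if everything is kept under /var/lib/subsonic, a comment saying so in the .fc would save the next reviewer the question.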
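Review bot: the subsonic.if hunk is the single summary line `## Subsonic Music Streaming Server` and declares no interfaces, so no other domain can transition into subsonic_t, relabel its files or be given administrative control over the daemon. refpolicy contrib modules conventionally ship at least a subsonic_admin() interface (and the summary text is expected inside `<summary>` markup, unless the tags were dropped by the mail archive); adding the admin interface in this same commit would make the module manageable from the sysadm role.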
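Review bot: in the subsonic.te hunk, `allow subsonic_t self:tcp_socket listen;` grants only listen, but a server that listens must also accept the incoming connections, so unless java_domain_type() already supplies create_stream_socket_perms to the domain this should read `allow subsonic_t self:tcp_socket create_stream_socket_perms;` (or at minimum add accept). Three smaller points in the same hunk: corenet_tcp_bind_all_unreserved_ports(subsonic_t) lets the domain bind any unreserved port, which is wider than a daemon with a fixed listening port needs, so if Subsonic's port is known, declare a port type in corenetwork and bind only that; the dependency wrapping is inverted, since java_domain_type() comes from the contrib java module and is called unconditionally (the module will not build without java) while miscfiles_read_public_files(), a base-policy interface, is the one inside optional_policy(` ') and needs no wrapper; and nothing in the hunk grants read access to a music collection outside /var/lib/subsonic, so libraries on other paths need a type and a read rule. Style nit: the two section separators use different lengths of `#`.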