diff options
Diffstat (limited to 'policy/modules/services/mpd.if')
-rw-r--r-- | policy/modules/services/mpd.if | 347 |
1 files changed, 347 insertions, 0 deletions
diff --git a/policy/modules/services/mpd.if b/policy/modules/services/mpd.if new file mode 100644 index 00000000..02faa37e --- /dev/null +++ b/policy/modules/services/mpd.if @@ -0,0 +1,347 @@ +## <summary>Music Player Daemon.</summary> + +######################################## +## <summary> +## Execute a domain transition to run mpd. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`mpd_domtrans',` + gen_require(` + type mpd_t, mpd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, mpd_exec_t, mpd_t) +') + +######################################## +## <summary> +## Execute mpd server in the mpd domain. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed to transition. +## </summary> +## </param> +# +interface(`mpd_initrc_domtrans',` + gen_require(` + type mpd_initrc_exec_t; + ') + + init_labeled_script_domtrans($1, mpd_initrc_exec_t) +') + +####################################### +## <summary> +## Read mpd data files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mpd_read_data_files',` + gen_require(` + type mpd_data_t; + ') + + mpd_search_lib($1) + read_files_pattern($1, mpd_data_t, mpd_data_t) +') + +###################################### +## <summary> +## Create, read, write, and delete +## mpd data files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mpd_manage_data_files',` + gen_require(` + type mpd_data_t; + ') + + mpd_search_lib($1) + manage_files_pattern($1, mpd_data_t, mpd_data_t) +') + +######################################## +## <summary> +## Create, read, write, and delete +## mpd user data content. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mpd_manage_user_data_content',` + gen_require(` + type mpd_user_data_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 mpd_user_data_t:dir manage_dir_perms; + allow $1 mpd_user_data_t:file manage_file_perms; + allow $1 mpd_user_data_t:lnk_file manage_lnk_file_perms; +') + +######################################## +## <summary> +## Relabel mpd user data content. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mpd_relabel_user_data_content',` + gen_require(` + type mpd_user_data_t; + ') + + userdom_search_user_home_dirs($1) + allow $1 mpd_user_data_t:dir relabel_dir_perms; + allow $1 mpd_user_data_t:file relabel_file_perms; + allow $1 mpd_user_data_t:lnk_file relabel_lnk_file_perms; +') + +######################################## +## <summary> +## Create objects in user home +## directories with the mpd user data type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="object_class"> +## <summary> +## Class of the object being created. +## </summary> +## </param> +## <param name="name" optional="true"> +## <summary> +## The name of the object being created. +## </summary> +## </param> +# +interface(`mpd_home_filetrans_user_data',` + gen_require(` + type mpd_user_data_t; + ') + + userdom_user_home_dir_filetrans($1, mpd_user_data_t, $2, $3) +') + +####################################### +## <summary> +## Read mpd tmpfs files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mpd_read_tmpfs_files',` + gen_require(` + type mpd_tmpfs_t; + ') + + fs_search_tmpfs($1) + read_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) +') + +################################### +## <summary> +## Create, read, write, and delete +## mpd tmpfs files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mpd_manage_tmpfs_files',` + gen_require(` + type mpd_tmpfs_t; + ') + + fs_search_tmpfs($1) + manage_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) + manage_lnk_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t) +') + +######################################## +## <summary> +## Search mpd lib directories. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mpd_search_lib',` + gen_require(` + type mpd_var_lib_t; + ') + + files_search_var_lib($1) + allow $1 mpd_var_lib_t:dir search_dir_perms; +') + +######################################## +## <summary> +## Read mpd lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mpd_read_lib_files',` + gen_require(` + type mpd_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t) +') + +######################################## +## <summary> +## Create, read, write, and delete +## mpd lib files. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mpd_manage_lib_files',` + gen_require(` + type mpd_var_lib_t; + ') + + files_search_var_lib($1) + manage_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t) +') + +####################################### +## <summary> +## Create specified objects in mpd +## lib directories with a private type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="private type"> +## <summary> +## The type of the object to be created. +## </summary> +## </param> +## <param name="object"> +## <summary> +## The object class of the object being created. +## </summary> +## </param> +## <param name="name" optional="true"> +## <summary> +## The name of the object being created. +## </summary> +## </param> +# +interface(`mpd_var_lib_filetrans',` + gen_require(` + type mpd_var_lib_t; + ') + + files_search_var_lib($1) + filetrans_pattern($1, mpd_var_lib_t, $2, $3, $4) +') + +######################################## +## <summary> +## Create, read, write, and delete +## mpd lib dirs. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`mpd_manage_lib_dirs',` + gen_require(` + type mpd_var_lib_t; + ') + + files_search_var_lib($1) + manage_dirs_pattern($1, mpd_var_lib_t, mpd_var_lib_t) +') + +######################################## +## <summary> +## All of the rules required to +## administrate an mpd environment. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## Role allowed access. +## </summary> +## </param> +## <rolecap/> +# +interface(`mpd_admin',` + gen_require(` + type mpd_t, mpd_initrc_exec_t, mpd_etc_t; + type mpd_data_t, mpd_log_t, mpd_var_lib_t; + type mpd_tmpfs_t, mpd_tmp_t, mpd_user_data_t; + ') + + allow $1 mpd_t:process { ptrace signal_perms }; + ps_process_pattern($1, mpd_t) + + init_startstop_service($1, $2, mpd_t, mpd_initrc_exec_t) + + files_search_etc($1) + admin_pattern($1, mpd_etc_t) + + files_search_var_lib($1) + admin_pattern($1, { mpd_data_t mpd_user_data_t mpd_var_lib_t }) + + logging_search_logs($1) + admin_pattern($1, mpd_log_t) + + files_search_tmp($1) + admin_pattern($1, mpd_tmp_t) + + fs_search_tmpfs($1) + admin_pattern($1, mpd_tmpfs_t) +') |