Commit | Line | Data |
---|---|---|
f11f0c10 | 1 | |
5ea24be9 | 2 | policy_module(timidity,1.1.0) |
f11f0c10 CP |
3 | |
4 | # Note: You only need this policy if you want to run timidity as a server | |
5 | ||
6 | ######################################## | |
7 | # | |
8 | # Declarations | |
9 | # | |
10 | # timidity_t is the daemon domain and timidity_exec_t the type of its executable; init_daemon_domain ties the two together for a daemon started by init | |
11 | type timidity_t; | |
12 | type timidity_exec_t; | |
13 | init_daemon_domain(timidity_t,timidity_exec_t) | |
14 | # private type for the objects the daemon creates on tmpfs | |
15 | type timidity_tmpfs_t; | |
16 | files_tmpfs_file(timidity_tmpfs_t) | |
17 | ||
18 | ######################################## | |
19 | # | |
20 | # Local policy | |
21 | # | |
22 | # NOTE(review): dac_override and dac_read_search let this domain bypass discretionary (owner/mode) file permission checks; the page gives no reason for them, so confirm both are still needed | |
23 | allow timidity_t self:capability { dac_override dac_read_search }; | |
24 | dontaudit timidity_t self:capability sys_tty_config; | |
25 | allow timidity_t self:process { signal_perms getsched }; | |
26 | allow timidity_t self:shm create_shm_perms; | |
27 | allow timidity_t self:unix_stream_socket create_stream_socket_perms; | |
28 | allow timidity_t self:tcp_socket create_stream_socket_perms; | |
29 | allow timidity_t self:udp_socket create_socket_perms; | |
30 | # create and manage objects of the private tmpfs type; fs_tmpfs_filetrans gives new tmpfs dirs, files, symlinks, sockets and fifos that label | |
31 | allow timidity_t timidity_tmpfs_t:dir create_dir_perms; | |
32 | allow timidity_t timidity_tmpfs_t:file create_file_perms; | |
33 | allow timidity_t timidity_tmpfs_t:lnk_file create_lnk_perms; | |
34 | allow timidity_t timidity_tmpfs_t:sock_file create_file_perms; | |
35 | allow timidity_t timidity_tmpfs_t:fifo_file create_file_perms; | |
103fe280 | 36 | fs_tmpfs_filetrans(timidity_t,timidity_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) |
f11f0c10 | 37 | # read-only view of kernel sysctls and of system state under /proc |
445522dc | 38 | kernel_read_kernel_sysctls(timidity_t) |
f11f0c10 CP |
39 | # read /proc/cpuinfo |
40 | kernel_read_system_state(timidity_t) | |
41 | # NOTE(review): broad network grant: send and receive on every interface, node and port (raw packets on interfaces and nodes too), plus TCP and UDP bind on any local address; narrow to the ports the server really uses if they can be labelled | |
42 | corenet_tcp_sendrecv_generic_if(timidity_t) | |
43 | corenet_udp_sendrecv_generic_if(timidity_t) | |
44 | corenet_raw_sendrecv_generic_if(timidity_t) | |
45 | corenet_tcp_sendrecv_all_nodes(timidity_t) | |
46 | corenet_udp_sendrecv_all_nodes(timidity_t) | |
47 | corenet_raw_sendrecv_all_nodes(timidity_t) | |
48 | corenet_tcp_sendrecv_all_ports(timidity_t) | |
49 | corenet_udp_sendrecv_all_ports(timidity_t) | |
bd70373d | 50 | corenet_non_ipsec_sendrecv(timidity_t) |
f11f0c10 CP |
51 | corenet_tcp_bind_all_nodes(timidity_t) |
52 | corenet_udp_bind_all_nodes(timidity_t) | |
53 | # device access: sysfs is read-only, sound devices are read and write | |
54 | dev_read_sysfs(timidity_t) | |
207c4763 CP |
55 | dev_read_sound(timidity_t) |
56 | dev_write_sound(timidity_t) | |
f11f0c10 CP |
57 | |
58 | fs_search_auto_mountpoints(timidity_t) | |
59 | ||
60 | term_dontaudit_use_console(timidity_t) | |
61 | # use file descriptors inherited from an interactive caller | |
15722ec9 | 62 | domain_use_interactive_fds(timidity_t) |
f11f0c10 CP |
63 | |
64 | files_search_tmp(timidity_t) | |
65 | # read /usr/share/alsa/alsa.conf | |
66 | files_read_usr_files(timidity_t) | |
67 | # read /etc/esd.conf | |
68 | files_read_etc_files(timidity_t) | |
69 | # use the file descriptors and ptys handed down by init and its scripts | |
1c1ac67f | 70 | init_use_fds(timidity_t) |
1815bad1 | 71 | init_use_script_ptys(timidity_t) |
f11f0c10 CP |
72 | |
73 | libs_use_ld_so(timidity_t) | |
74 | libs_use_shared_libs(timidity_t) | |
75 | # read libartscbackend.la | |
1815bad1 | 76 | libs_read_lib_files(timidity_t) |
f11f0c10 CP |
77 | |
78 | logging_send_syslog_msg(timidity_t) | |
79 | ||
80 | sysnet_read_config(timidity_t) | |
81 | ||
15722ec9 | 82 | userdom_dontaudit_use_unpriv_user_fds(timidity_t) |
f11f0c10 CP |
83 | # stupid timidity won't start if it can't search its current directory. |
84 | # allow this so /etc/init.d/alsasound start works from /root | |
85 | # cjp: this should be fixed if possible so this rule can be removed. NOTE(review): the grant is search-only on sysadm home dirs; presumably starting the daemon with / as its working directory would make it unnecessary - confirm. | |
103fe280 | 86 | userdom_search_sysadm_home_dirs(timidity_t) |
f11f0c10 CP |
87 | # targeted policy only: these dontaudit rules suppress audit records for tty, pty and root-directory file access and grant nothing |
88 | ifdef(`targeted_policy',` | |
1815bad1 CP |
89 | term_dontaudit_use_unallocated_ttys(timidity_t) |
90 | term_dontaudit_use_generic_ptys(timidity_t) | |
9e04f5c5 | 91 | files_dontaudit_read_root_files(timidity_t) |
f11f0c10 CP |
92 | ') |
93 | # optional_policy blocks: kept only when the seutil and udev interfaces they call are available in the policy build | |
bb7170f6 | 94 | optional_policy(` |
f11f0c10 CP |
95 | seutil_sigchld_newrole(timidity_t) |
96 | ') | |
97 | ||
bb7170f6 | 98 | optional_policy(` |
f11f0c10 CP |
99 | udev_read_db(timidity_t) |
100 | ') |