1 ## <summary> ShoutCast compatible streaming media server</summary>
2
########################################
## <summary>
##	Execute a domain transition to run icecast.
## </summary>
## <desc>
##	<p>
##	Lets the caller execute files labeled icecast_exec_t and
##	have the resulting process run in icecast_t.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`icecast_domtrans',`
	gen_require(`
		type icecast_t, icecast_exec_t;
	')

	# Arguments are: source domain, entrypoint file type, target domain.
	# This interface grants the transition into icecast_t only through
	# files labeled icecast_exec_t.
	domtrans_pattern($1, icecast_exec_t, icecast_t)
')
20
########################################
## <summary>
##	Allow the specified domain to send generic signals to icecast.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`icecast_signal',`
	gen_require(`
		type icecast_t;
	')

	# Only the generic signal permission is granted. sigkill, sigstop,
	# signull and sigchld are separate permissions of the process class
	# and are not part of this rule.
	allow $1 icecast_t:process signal;
')
38
########################################
## <summary>
##	Execute the icecast init script with a domain transition.
## </summary>
## <desc>
##	<p>
##	The transition is keyed on files labeled
##	icecast_initrc_exec_t, not on the icecast server binary.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`icecast_initrc_domtrans',`
	gen_require(`
		type icecast_initrc_exec_t;
	')

	# NOTE(review): the target domain is chosen by
	# init_labeled_script_domtrans, which is defined outside this file
	# (presumably the init script domain); confirm against the init module.
	init_labeled_script_domtrans($1, icecast_initrc_exec_t)
')
56
########################################
## <summary>
##	Read icecast PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`icecast_read_pid_files',`
	gen_require(`
		type icecast_var_run_t;
	')

	# Search access to the PID directory is needed to reach the files.
	files_search_pids($1)
	# Read-only, and limited to the file class: no directories, sockets
	# or other object classes labeled icecast_var_run_t are covered.
	allow $1 icecast_var_run_t:file read_file_perms;
')
75
########################################
## <summary>
##	Create, read, write, and delete icecast PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`icecast_manage_pid_files',`
	gen_require(`
		type icecast_var_run_t;
	')

	files_search_pids($1)
	# Full management of files labeled icecast_var_run_t inside
	# directories of the same type. The caller can replace PID file
	# contents, so grant this only to domains trusted to do that.
	manage_files_pattern($1, icecast_var_run_t, icecast_var_run_t)
')
94
########################################
## <summary>
##	Allow the specified domain to read icecast log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`icecast_read_log',`
	gen_require(`
		type icecast_log_t;
	')

	# Search access to the log directory is needed to reach the files.
	logging_search_logs($1)
	# Read-only access to files labeled icecast_log_t inside directories
	# of the same type. Nothing here lets the caller alter the logs.
	read_files_pattern($1, icecast_log_t, icecast_log_t)
')
114
########################################
## <summary>
##	Allow the specified domain to append to
##	icecast log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`icecast_append_log',`
	gen_require(`
		type icecast_log_t;
	')

	logging_search_logs($1)
	# Append-only: the caller can add entries but this rule does not let
	# it read, overwrite or delete existing ones. Prefer this interface
	# over icecast_manage_log for domains that only need to write logs.
	append_files_pattern($1, icecast_log_t, icecast_log_t)
')
134
########################################
## <summary>
##	Allow the specified domain to create, read, write,
##	and delete icecast log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`icecast_manage_log',`
	gen_require(`
		type icecast_log_t;
	')

	logging_search_logs($1)
	# Full management includes overwriting and deleting log files, so a
	# caller of this interface can remove the log record. Use
	# icecast_read_log or icecast_append_log where that is sufficient.
	manage_files_pattern($1, icecast_log_t, icecast_log_t)
')
153
########################################
## <summary>
##	All of the rules required to administrate
##	an icecast environment.
## </summary>
## <desc>
##	<p>
##	Grants all signal permissions on icecast processes, process
##	inspection, ptrace unless the deny_ptrace boolean is enabled,
##	execution of the icecast init script, and management of
##	icecast PID and log files.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`icecast_admin',`
	gen_require(`
		type icecast_t, icecast_initrc_exec_t;
	')

	# signal_perms covers every signal permission, including sigkill
	# and sigstop, unlike the narrower icecast_signal interface.
	allow $1 icecast_t:process signal_perms;
	ps_process_pattern($1, icecast_t)
	# The true branch is empty and the rule sits in the false branch:
	# ptrace of icecast_t is allowed only while deny_ptrace is off.
	# ptrace gives the caller control over icecast process memory.
	tunable_policy(`deny_ptrace',`',`
		allow $1 icecast_t:process ptrace;
	')

	# Allow the admin domain to run the icecast init script, for
	# example to restart the icecast service.
	icecast_initrc_domtrans($1)
	# NOTE(review): presumably exempts the caller from the constraint on
	# changing to the system user and role; defined in the domain module.
	domain_system_change_exemption($1)
	# Executing the init script moves the role given as the second
	# argument into system_r, and that role is authorized for system_r.
	role_transition $2 icecast_initrc_exec_t system_r;
	allow $2 system_r;

	# Both interfaces grant full management, including deletion, of
	# the PID files and of the log files.
	icecast_manage_pid_files($1)
	icecast_manage_log($1)
')