## <summary>Policy for the music-playing daemon (mpd).</summary>
########################################
## <summary>
##	Run the mpd executable with a transition
##	into the mpd domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`mpd_domtrans',`
	gen_require(`
		type mpd_t;
		type mpd_exec_t;
	')

	# Entry point mpd_exec_t, resulting process domain mpd_t.
	domtrans_pattern($1, mpd_exec_t, mpd_t)
')
########################################
## <summary>
##	Run the mpd init script with a
##	domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`mpd_initrc_domtrans',`
	gen_require(`
		type mpd_initrc_exec_t;
	')

	# The target domain is selected inside init_labeled_script_domtrans
	# and is not visible in this file.
	init_labeled_script_domtrans($1, mpd_initrc_exec_t)
')
#######################################
## <summary>
##	Read files labeled with the mpd data type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mpd_read_data_files',`
	gen_require(`
		type mpd_data_t;
	')

	read_files_pattern($1, mpd_data_t, mpd_data_t)

	# Presumably the data directory sits below the mpd lib directory,
	# so search access to it is granted as well. Confirm against the
	# file contexts of this module.
	mpd_search_lib($1)
')
#######################################
## <summary>
##	Read files labeled with the mpd tmpfs type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mpd_read_tmpfs_files',`
	gen_require(`
		type mpd_tmpfs_t;
	')

	read_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)

	# Search access on tmpfs is needed to reach the mpd_tmpfs_t objects.
	fs_search_tmpfs($1)
')
###################################
## <summary>
##	Manage mpd tmpfs files and
##	symbolic links.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mpd_manage_tmpfs_files',`
	gen_require(`
		type mpd_tmpfs_t;
	')

	# Regular files and symbolic links are both covered.
	manage_lnk_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)
	manage_files_pattern($1, mpd_tmpfs_t, mpd_tmpfs_t)

	fs_search_tmpfs($1)
')
######################################
## <summary>
##	Manage files labeled with the mpd data type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mpd_manage_data_files',`
	gen_require(`
		type mpd_data_t;
	')

	# Only the files class is covered by manage_files_pattern here.
	manage_files_pattern($1, mpd_data_t, mpd_data_t)

	# Presumably the data directory sits below the mpd lib directory.
	# Confirm against the file contexts of this module.
	mpd_search_lib($1)
')
########################################
## <summary>
##	Search the mpd lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mpd_search_lib',`
	gen_require(`
		type mpd_var_lib_t;
	')

	# Search the parent var lib directory, then the mpd directory itself.
	files_search_var_lib($1)
	allow $1 mpd_var_lib_t:dir search_dir_perms;
')
########################################
## <summary>
##	Read files labeled with the mpd lib type.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mpd_read_lib_files',`
	gen_require(`
		type mpd_var_lib_t;
	')

	read_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t)

	# Search access on the parent var lib directory.
	files_search_var_lib($1)
')
########################################
## <summary>
##	Create, read, write, and delete
##	mpd lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mpd_manage_lib_files',`
	gen_require(`
		type mpd_var_lib_t;
	')

	# Only the files class is covered. Directories are handled by
	# a separate interface, mpd_manage_lib_dirs.
	manage_files_pattern($1, mpd_var_lib_t, mpd_var_lib_t)

	# Search access on the parent var lib directory.
	files_search_var_lib($1)
')
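#######################################
## <summary>
##	Create an object in the mpd lib directory, with a private
##	type using a type transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="private type">
##	<summary>
##	The type of the object to be created.
##	</summary>
## </param>
## <param name="object">
##	<summary>
##	The object class of the object being created.
##	</summary>
## </param>
#
interface(`mpd_var_lib_filetrans',`
	gen_require(`
		type mpd_var_lib_t;
	')

	# The parent directory type is mpd_var_lib_t, not the root directory.
	# $2 is the new object type and $3 its object class.
	# NOTE(review): the caller picks both the resulting type and the
	# class, so each call site should pass the narrowest class it needs.
	filetrans_pattern($1, mpd_var_lib_t, $2, $3)
')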
########################################
## <summary>
##	Manage mpd lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`mpd_manage_lib_dirs',`
	gen_require(`
		type mpd_var_lib_t;
	')

	# Only the dir class is covered. Files are handled by
	# a separate interface, mpd_manage_lib_files.
	manage_dirs_pattern($1, mpd_var_lib_t, mpd_var_lib_t)

	# Search access on the parent var lib directory.
	files_search_var_lib($1)
')
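########################################
## <summary>
##	All of the rules required to administrate
##	an mpd environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`mpd_admin',`
	gen_require(`
		type mpd_t;
		type mpd_initrc_exec_t;
		type mpd_etc_t;
		type mpd_data_t;
		type mpd_log_t;
		type mpd_var_lib_t;
		type mpd_tmpfs_t;
	')

	# Process control over the daemon: signals plus ptrace.
	# NOTE(review): ptrace lets the admin domain inspect and alter the
	# memory of mpd_t processes. Confirm this is intended. Where the
	# policy tree offers a tunable for ptrace, gate this permission
	# behind it, and otherwise consider granting signal_perms only.
	allow $1 mpd_t:process { ptrace signal_perms };
	ps_process_pattern($1, mpd_t)

	# Let the admin run the mpd init script, with role $2 permitted to
	# change to system_r when it does so.
	# NOTE(review): domain_system_change_exemption presumably exempts $1
	# from the constraint on changing to the system identity. Verify
	# against the domain module.
	mpd_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 mpd_initrc_exec_t system_r;
	allow $2 system_r;

	# Each admin_pattern below is paired with search access on the
	# directory that holds the labeled content.
	files_search_etc($1)
	admin_pattern($1, mpd_etc_t)

	files_search_var_lib($1)
	admin_pattern($1, mpd_var_lib_t)

	mpd_search_lib($1)
	admin_pattern($1, mpd_data_t)

	# The log type previously had no matching search interface, unlike
	# every other type administered here.
	logging_search_logs($1)
	admin_pattern($1, mpd_log_t)

	fs_search_tmpfs($1)
	admin_pattern($1, mpd_tmpfs_t)
')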