policy_module(icecast, 1.1.0)

########################################
#
# Declarations
#

## <desc>
##	<p>
##	Allow icecast to connect to all ports, not just
##	sound ports.
##	</p>
## </desc>
gen_tunable(icecast_connect_any, false)

type icecast_t;
type icecast_exec_t;
init_daemon_domain(icecast_t, icecast_exec_t)

type icecast_initrc_exec_t;
init_script_file(icecast_initrc_exec_t)

type icecast_var_run_t;
files_pid_file(icecast_var_run_t)

type icecast_log_t;
logging_log_file(icecast_log_t)

########################################
#
# icecast local policy
#

allow icecast_t self:capability { dac_override setgid setuid sys_nice };
allow icecast_t self:process { getsched fork setsched signal };
allow icecast_t self:fifo_file rw_fifo_file_perms;
allow icecast_t self:unix_stream_socket create_stream_socket_perms;
allow icecast_t self:tcp_socket create_stream_socket_perms;

manage_dirs_pattern(icecast_t, icecast_log_t, icecast_log_t)
manage_files_pattern(icecast_t, icecast_log_t, icecast_log_t)
logging_log_filetrans(icecast_t, icecast_log_t, { file dir })

manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir })

kernel_read_system_state(icecast_t)

dev_read_sysfs(icecast_t)
dev_read_urand(icecast_t)
dev_read_rand(icecast_t)

corenet_tcp_bind_soundd_port(icecast_t)
corenet_tcp_connect_soundd_port(icecast_t)

tunable_policy(`icecast_connect_any',`
	corenet_tcp_connect_all_ports(icecast_t)
	corenet_tcp_bind_all_ports(icecast_t)
	corenet_sendrecv_all_client_packets(icecast_t)
')

# Init script handling
domain_use_interactive_fds(icecast_t)

files_read_etc_files(icecast_t)

auth_use_nsswitch(icecast_t)

miscfiles_read_localization(icecast_t)

sysnet_dns_name_resolve(icecast_t)

optional_policy(`
	apache_read_sys_content(icecast_t)
')

optional_policy(`
	rtkit_scheduled(icecast_t)
')