From: domg472@gmail.com (Dominick Grift)
Date: Mon, 22 Mar 2010 11:48:18 +0100
Subject: [refpolicy] [ git icecast 1/1] Implement Icecast policy.
Message-ID: <20100322104816.GA8177@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Whilst merging Fedoras'Icecast policy into my custom policy based off of refpolicy i made some changes to the policy. Most changes are style related and all changes are purely theory. I have not tested it but it does build. I decided to submit my version in hopes that it increases chances of swift inclusion.

Signed-off-by: Dominick Grift
---
:100644 100644 2648a1f... ba87caa... M policy/modules/admin/logrotate.te
:100644 100644 afcb9bd... ff58b42... M policy/modules/services/apache.fc
:000000 100644 0000000... 9832cf3... A policy/modules/services/icecast.fc
:000000 100644 0000000... d8befa6... A policy/modules/services/icecast.if
:000000 100644 0000000... 87ef543... A policy/modules/services/icecast.te
:100644 100644 d536c01... 96f8504... M policy/modules/services/rtkit.if
 policy/modules/admin/logrotate.te | 4 +
 policy/modules/services/apache.fc | 1 +
 policy/modules/services/icecast.fc | 7 ++
 policy/modules/services/icecast.if | 206 ++++++++++++++++++++++++++++++++++++
 policy/modules/services/icecast.te | 61 +++++++++++
 policy/modules/services/rtkit.if | 21 ++++
 6 files changed, 300 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index 2648a1f..ba87caa 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -161,6 +161,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+ icecast_signal(logrotate_t)
+')
+
+optional_policy(`
  samba_exec_log(logrotate_t)
 ')
diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
index afcb9bd..ff58b42 100644
--- a/policy/modules/services/apache.fc
+++ b/policy/modules/services/apache.fc
@@ -33,6 +33,7 @@ ifdef(`distro_suse', `
 ')
 /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
+/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
diff --git a/policy/modules/services/icecast.fc b/policy/modules/services/icecast.fc
new file mode 100644
index 0000000..9832cf3
--- /dev/null
+++ b/policy/modules/services/icecast.fc
@@ -0,0 +1,7 @@
+/etc/rc\.d/init\.d/icecast -- gen_context(system_u:object_r:icecast_initrc_exec_t,s0)
+
+/usr/bin/icecast -- gen_context(system_u:object_r:icecast_exec_t,s0)
+
+/var/log/icecast(/.*)? gen_context(system_u:object_r:icecast_var_log_t,s0)
+
+/var/run/icecast(/.*)? gen_context(system_u:object_r:icecast_var_run_t,s0)
diff --git a/policy/modules/services/icecast.if b/policy/modules/services/icecast.if
new file mode 100644
index 0000000..d8befa6
--- /dev/null
+++ b/policy/modules/services/icecast.if
@@ -0,0 +1,206 @@
+## ShoutCast compatible streaming media server.
+##
+##
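Review bot: icecast.fc gives no context to icecast's configuration file (/etc/icecast.xml), so it stays generic etc_t and is readable by every domain that has files_read_etc_files, which icecast.te itself relies on; that file typically carries the source, relay and admin passwords, so it deserves tighter treatment than generic /etc content. Consider adding `/etc/icecast\.xml -- gen_context(system_u:object_r:icecast_etc_t,s0)` here, declaring `icecast_etc_t` with `files_config_file()` in icecast.te, and granting read access only to icecast_t and the admin interface. If leaving it as etc_t is deliberate (to match Fedora), a one-line comment above the entries saying so would save the next reader the question.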

+## Icecast is a streaming media server which currently
+## supports Ogg Vorbis and MP3 audio streams. It can be
+## used to create an Internet radio station or a privately
+## running jukebox and many things in between. It is very
+## versatile in that new formats can be added relatively
+## easily and supports open standards for commuincation
+## and interaction.
+##

+##
+
+########################################
+##
+## Execute a domain transition to run
+## icecast.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`icecast_domtrans',`
+ gen_require(`
+ type icecast_t, icecast_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, icecast_exec_t, icecast_t)
+')
+
+########################################
+##
+## Execute icecast server in the
+## icecast domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`icecast_initrc_domtrans',`
+ gen_require(`
+ type icecast_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, icecast_initrc_exec_t)
+')
+
+########################################
+##
+## Read icecast PID files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`icecast_read_pid_files',`
+ gen_require(`
+ type icecast_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, icecast_var_run_t, icecast_var_run_t)
+')
+
+########################################
+##
+## Manage icecast var_run files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`icecast_manage_var_run',`
+ gen_require(`
+ type icecast_var_run_t;
+ ')
+
+ files_search_pids($1)
+ manage_dirs_pattern($1, icecast_var_run_t, icecast_var_run_t)
+ manage_files_pattern($1, icecast_var_run_t, icecast_var_run_t)
+ manage_lnk_files_pattern($1, icecast_var_run_t, icecast_var_run_t)
+')
+
+
+########################################
+##
+## Read icecast's log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`icecast_read_log',`
+ gen_require(`
+ type icecast_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, icecast_log_t, icecast_log_t)
+')
+
+########################################
+##
+## Append icecast log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`icecast_append_log',`
+ gen_require(`
+ type icecast_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, icecast_var_log_t, icecast_var_log_t)
+')
+
+########################################
+##
+## Manage icecast log files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`icecast_manage_log',`
+ gen_require(`
+ type icecast_var_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, icecast_var_log_t, icecast_var_log_t)
+ manage_files_pattern($1, icecast_var_log_t, icecast_var_log_t)
+ manage_lnk_files_pattern($1, icecast_var_log_t, icecast_var_log_t)
+')
+
+########################################
+##
+## Signal Icecast.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`icecast_signal',`
+ gen_require(`
+ type icecast_t;
+ ')
+
+ allow $1 icecast_t:process signal;
+')
+
+########################################
+##
+## All of the rules required to
+## administrate an icecast environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+#
+interface(`icecast_admin',`
+ gen_require(`
+ type icecast_t, icecast_initrc_exec_t;
+ type icecast_var_run_t, icecast_var_log_t;
+ ')
+
+ allow $1 icecast_t:process { ptrace signal_perms getattr };
+ read_files_pattern($1, icecast_t, icecast_t)
+
+ icecast_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 icecast_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_pids($1)
+ admin_pattern($1, icecast_var_run_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, icecast_var_log_t)
+')
diff --git a/policy/modules/services/icecast.te b/policy/modules/services/icecast.te
new file mode 100644
index 0000000..87ef543
--- /dev/null
+++ b/policy/modules/services/icecast.te
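Review bot: `icecast_read_log` requires and uses a type `icecast_log_t` that is never declared; icecast.te, icecast.fc and the neighbouring `icecast_append_log`/`icecast_manage_log` interfaces all use `icecast_var_log_t`, so the first module to call this interface will fail to build with an undeclared-type error (the patch builds only because nothing calls it yet). Change the require to `type icecast_var_log_t;` and the rule to `read_files_pattern($1, icecast_var_log_t, icecast_var_log_t)`. Separately, `icecast_admin` grants `ptrace` on icecast_t; if that is only there to mirror other `*_admin` interfaces it is fine, but it is the one permission in the block that lets the admin role read the running daemon's memory, so it is worth a short comment confirming it is intended.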
@@ -0,0 +1,61 @@
+
+policy_module(icecast, 1.0.0)
+
+########################################
+#
+# Icecast personal declarations.
+#
+
+type icecast_t;
+type icecast_exec_t;
+init_daemon_domain(icecast_t, icecast_exec_t)
+
+type icecast_initrc_exec_t;
+init_script_file(icecast_initrc_exec_t)
+
+type icecast_var_log_t;
+logging_log_file(icecast_var_log_t)
+
+type icecast_var_run_t;
+files_pid_file(icecast_var_run_t)
+
+########################################
+#
+# Icecast personal policy.
+#
+
+allow icecast_t self:capability { dac_override setgid setuid sys_nice };
+allow icecast_t self:process { getsched fork setsched signal };
+allow icecast_t self:fifo_file rw_fifo_file_perms;
+allow icecast_t self:unix_stream_socket create_stream_socket_perms;
+allow icecast_t self:tcp_socket create_stream_socket_perms;
+
+manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
+
+append_files_pattern(icecast_t, icecast_var_log_t, icecast_var_log_t)
+create_files_pattern(icecast_t, icecast_var_log_t, icecast_var_log_t)
+read_files_pattern(icecast_t, icecast_var_log_t, icecast_var_log_t)
+setattr_files_pattern(icecast_t, icecast_var_log_t, icecast_var_log_t)
+
+corenet_all_recvfrom_netlabel(icecast_t)
+corenet_all_recvfrom_unlabeled(icecast_t)
+corenet_sendrecv_soundd_server_packets(icecast_t)
+corenet_tcp_bind_generic_node(icecast_t)
+corenet_tcp_bind_soundd_port(icecast_t)
+corenet_tcp_sendrecv_generic_if(icecast_t)
+corenet_tcp_sendrecv_generic_node(icecast_t)
+corenet_tcp_sendrecv_generic_port(icecast_t)
+
+domain_use_interactive_fds(icecast_t)
+
+files_read_etc_files(icecast_t)
+
+miscfiles_read_localization(icecast_t)
+
+auth_use_nsswitch(icecast_t)
+
+sysnet_dns_name_resolve(icecast_t)
+
+optional_policy(`
+ rtkit_daemon_system_domain(icecast_t)
+')
diff --git a/policy/modules/services/rtkit.if b/policy/modules/services/rtkit.if
index d536c01..96f8504 100644
--- a/policy/modules/services/rtkit.if
+++ b/policy/modules/services/rtkit.if
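Review bot: icecast_t is given no way to read the content this same patch labels httpd_sys_content_t under /usr/share/icecast (apache.fc hunk), and there is no files_read_usr_files either, so the daemon will presumably be denied when it serves its status/admin pages and XSLT templates from that tree; the apache.fc change only makes sense together with an `optional_policy(` block containing `apache_read_sys_content(icecast_t)` here. The capability line also hands out `dac_override`, which bypasses all DAC file permission checks; if it is only needed because the daemon opens its log and pid files as root before switching to the `<changeowner>` user, a comment naming that reason would help, and otherwise it should be dropped and re-added from an observed denial. Finally, `manage_files_pattern` on icecast_var_run_t with no `files_pid_filetrans(icecast_t, icecast_var_run_t, file)` means the pid file is labeled correctly only if /var/run/icecast already exists with the .fc context; if the init script creates it at boot, the file will land as plain var_run_t.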
@@ -38,3 +38,24 @@ interface(`rtkit_daemon_dbus_chat',`
 allow $1 rtkit_daemon_t:dbus send_msg;
 allow rtkit_daemon_t $1:dbus send_msg;
 ')
+
+########################################
+##
+## Allow rtkit to control scheduling
+## for your process.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rtkit_daemon_system_domain',`
+ gen_require(`
+ type rtkit_daemon_t;
+ ')
+
+ ps_process_pattern(rtkit_daemon_t, $1)
+ allow rtkit_daemon_t $1:process { getsched setsched };
+ rtkit_daemon_dbus_chat($1)
+')
-- 
1.7.0.1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100322/2d621b72/attachment.bin
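Review bot: The name `rtkit_daemon_system_domain` reads as if it declares $1 as a system domain (the way init_system_domain does), but the body only lets rtkit_daemon_t inspect and re-schedule $1 and exchange dbus messages with it; a name that describes the grant, such as `rtkit_scheduled`, with a summary like `Allow rtkit to inspect and change the scheduling of the given domain.` would avoid that confusion. The interface also gives rtkit_daemon_t `ps_process_pattern` read access to $1's /proc entries, which is more than the two process permissions strictly need; if rtkit genuinely reads /proc/<pid> to validate the requesting process, a short comment on that line saying so would justify it. The `rtkit_daemon_dbus_chat` interface shown as context starts outside the hunk.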