From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Mon, 22 Mar 2010 09:55:08 -0400 Subject: [refpolicy] [ git icecast RETRY 1/1] Implement Icecast policy. In-Reply-To: <20100322105251.GA8260@localhost.localdomain> References: <20100322105251.GA8260@localhost.localdomain> Message-ID: <1269266108.565.11.camel@gorn.columbia.tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Mon, 2010-03-22 at 11:52 +0100, Dominick Grift wrote: > I submitted my initial try a bit to fast as i found a minor bug which is fixed in enclosed patch. Unfortunate timing; you'll have to rebase. Icecast got merged last week, but I didn't get it pushed until this morning.
> Signed-off-by: Dominick Grift
> ---
> :100644 100644 2648a1f... ba87caa... M policy/modules/admin/logrotate.te
> :100644 100644 afcb9bd... ff58b42... M policy/modules/services/apache.fc
> :000000 100644 0000000... 9832cf3... A policy/modules/services/icecast.fc
> :000000 100644 0000000... 0038e7b... A policy/modules/services/icecast.if
> :000000 100644 0000000... 87ef543... A policy/modules/services/icecast.te
> :100644 100644 d536c01... 96f8504... M policy/modules/services/rtkit.if
> policy/modules/admin/logrotate.te | 4 +
> policy/modules/services/apache.fc | 1 +
> policy/modules/services/icecast.fc | 7 ++
> policy/modules/services/icecast.if | 206 ++++++++++++++++++++++++++++++++++++
> policy/modules/services/icecast.te | 61 +++++++++++
> policy/modules/services/rtkit.if | 21 ++++
> 6 files changed, 300 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
> index 2648a1f..ba87caa 100644
> --- a/policy/modules/admin/logrotate.te
> +++ b/policy/modules/admin/logrotate.te
> @@ -161,6 +161,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + icecast_signal(logrotate_t)
> +')
> +
> +optional_policy(`
> samba_exec_log(logrotate_t)
> ')
>
> diff --git a/policy/modules/services/apache.fc b/policy/modules/services/apache.fc
> index afcb9bd..ff58b42 100644
> --- a/policy/modules/services/apache.fc
> +++ b/policy/modules/services/apache.fc
> @@ -33,6 +33,7 @@ ifdef(`distro_suse', `
> ')
>
> /usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> /usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
>
> diff --git a/policy/modules/services/icecast.fc b/policy/modules/services/icecast.fc
> new file mode 100644
> index 0000000..9832cf3
> --- /dev/null
> +++ b/policy/modules/services/icecast.fc
> @@ -0,0 +1,7 @@
> +/etc/rc\.d/init\.d/icecast -- gen_context(system_u:object_r:icecast_initrc_exec_t,s0)
> +
> +/usr/bin/icecast -- gen_context(system_u:object_r:icecast_exec_t,s0)
> +
> +/var/log/icecast(/.*)? gen_context(system_u:object_r:icecast_var_log_t,s0)
> +
> +/var/run/icecast(/.*)? gen_context(system_u:object_r:icecast_var_run_t,s0)
> diff --git a/policy/modules/services/icecast.if b/policy/modules/services/icecast.if
> new file mode 100644
> index 0000000..0038e7b
> --- /dev/null
> +++ b/policy/modules/services/icecast.if
> @@ -0,0 +1,206 @@
> +## ShoutCast compatible streaming media server.
> +##
> +##
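Review bot: Labelling `/usr/share/icecast(/.*)?` as `httpd_sys_content_t` in apache.fc has no counterpart in the new icecast.te, which gives `icecast_t` no access to any httpd content type; if icecast reads its own web and admin page templates from that tree (the label choice suggests so, but the hunk does not show it) the daemon itself will be denied. The natural complement is an `optional_policy` block in icecast.te calling `apache_read_sys_content(icecast_t)`, kept optional since apache is a separate module. Using a shared apache type also means every domain that may read apache system content can read icecast's templates, which is probably fine for static files but is worth one line in the icecast module description.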

> +## Icecast is a streaming media server which currently
> +## supports Ogg Vorbis and MP3 audio streams. It can be
> +## used to create an Internet radio station or a privately
> +## running jukebox and many things in between. It is very
> +## versatile in that new formats can be added relatively
> +## easily and supports open standards for commuincation
> +## and interaction.
> +##

> +##
> + > +######################################## > +## > +## Execute a domain transition to run > +## icecast. > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +# > +interface(`icecast_domtrans',` > + gen_require(` > + type icecast_t, icecast_exec_t; > + ') > + > + corecmd_search_bin($1) > + domtrans_pattern($1, icecast_exec_t, icecast_t) > +') > + > +######################################## > +## > +## Execute icecast server in the > +## icecast domain. > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +# > +interface(`icecast_initrc_domtrans',` > + gen_require(` > + type icecast_initrc_exec_t; > + ') > + > + init_labeled_script_domtrans($1, icecast_initrc_exec_t) > +') > + > +######################################## > +## > +## Read icecast PID files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`icecast_read_pid_files',` > + gen_require(` > + type icecast_var_run_t; > + ') > + > + files_search_pids($1) > + read_files_pattern($1, icecast_var_run_t, icecast_var_run_t) > +') > + > +######################################## > +## > +## Manage icecast var_run files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`icecast_manage_var_run',` > + gen_require(` > + type icecast_var_run_t; > + ') > + > + files_search_pids($1) > + manage_dirs_pattern($1, icecast_var_run_t, icecast_var_run_t) > + manage_files_pattern($1, icecast_var_run_t, icecast_var_run_t) > + manage_lnk_files_pattern($1, icecast_var_run_t, icecast_var_run_t) > +') > + > + > +######################################## > +## > +## Read icecast's log files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`icecast_read_log',` > + gen_require(` > + type icecast_var_log_t; > + ') > + > + logging_search_logs($1) > + read_files_pattern($1, icecast_var_log_t, icecast_var_log_t) > +') > + > +######################################## > +## > +## Append icecast log files. 
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`icecast_append_log',`
> + gen_require(`
> + type icecast_var_log_t;
> + ')
> +
> + logging_search_logs($1)
> + append_files_pattern($1, icecast_var_log_t, icecast_var_log_t)
> +')
> +
> +########################################
> +##
> +## Manage icecast log files
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`icecast_manage_log',`
> + gen_require(`
> + type icecast_var_log_t;
> + ')
> +
> + logging_search_logs($1)
> + manage_dirs_pattern($1, icecast_var_log_t, icecast_var_log_t)
> + manage_files_pattern($1, icecast_var_log_t, icecast_var_log_t)
> + manage_lnk_files_pattern($1, icecast_var_log_t, icecast_var_log_t)
> +')
> +
> +########################################
> +##
> +## Signal Icecast.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`icecast_signal',`
> + gen_require(`
> + type icecast_t;
> + ')
> +
> + allow $1 icecast_t:process signal;
> +')
> +
> +########################################
> +##
> +## All of the rules required to
> +## administrate an icecast environment.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +##
> +## Role allowed access.
> +##
> +##
> +#
> +interface(`icecast_admin',`
> + gen_require(`
> + type icecast_t, icecast_initrc_exec_t;
> + type icecast_var_run_t, icecast_var_log_t;
> + ')
> +
> + allow $1 icecast_t:process { ptrace signal_perms getattr };
> + read_files_pattern($1, icecast_t, icecast_t)
> +
> + icecast_initrc_domtrans($1)
> + domain_system_change_exemption($1)
> + role_transition $2 icecast_initrc_exec_t system_r;
> + allow $2 system_r;
> +
> + files_search_pids($1)
> + admin_pattern($1, icecast_var_run_t)
> +
> + logging_search_logs($1)
> + admin_pattern($1, icecast_var_log_t)
> +')
> diff --git a/policy/modules/services/icecast.te b/policy/modules/services/icecast.te
> new file mode 100644
> index 0000000..87ef543
> --- /dev/null
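Review bot: The summary on `icecast_initrc_domtrans` ("Execute icecast server in the icecast domain.") does not describe what the interface does: it calls `init_labeled_script_domtrans`, which transitions the caller into the init script domain to run the labelled init script, not into `icecast_t`. Suggest `## Execute icecast init scripts in the init script domain.` in its place. Naming in the file is also inconsistent: the read interface is `icecast_read_pid_files` while its manage counterpart is `icecast_manage_var_run`; `icecast_manage_pid_files` would match both the sibling and the usual refpolicy naming, and the summary could then say "Create, read, write, and delete icecast PID files" rather than "Manage icecast var_run files".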
> +++ b/policy/modules/services/icecast.te
> @@ -0,0 +1,61 @@
> +
> +policy_module(icecast, 1.0.0)
> +
> +########################################
> +#
> +# Icecast personal declarations.
> +#
> +
> +type icecast_t;
> +type icecast_exec_t;
> +init_daemon_domain(icecast_t, icecast_exec_t)
> +
> +type icecast_initrc_exec_t;
> +init_script_file(icecast_initrc_exec_t)
> +
> +type icecast_var_log_t;
> +logging_log_file(icecast_var_log_t)
> +
> +type icecast_var_run_t;
> +files_pid_file(icecast_var_run_t)
> +
> +########################################
> +#
> +# Icecast personal policy.
> +#
> +
> +allow icecast_t self:capability { dac_override setgid setuid sys_nice };
> +allow icecast_t self:process { getsched fork setsched signal };
> +allow icecast_t self:fifo_file rw_fifo_file_perms;
> +allow icecast_t self:unix_stream_socket create_stream_socket_perms;
> +allow icecast_t self:tcp_socket create_stream_socket_perms;
> +
> +manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
> +
> +append_files_pattern(icecast_t, icecast_var_log_t, icecast_var_log_t)
> +create_files_pattern(icecast_t, icecast_var_log_t, icecast_var_log_t)
> +read_files_pattern(icecast_t, icecast_var_log_t, icecast_var_log_t)
> +setattr_files_pattern(icecast_t, icecast_var_log_t, icecast_var_log_t)
> +
> +corenet_all_recvfrom_netlabel(icecast_t)
> +corenet_all_recvfrom_unlabeled(icecast_t)
> +corenet_sendrecv_soundd_server_packets(icecast_t)
> +corenet_tcp_bind_generic_node(icecast_t)
> +corenet_tcp_bind_soundd_port(icecast_t)
> +corenet_tcp_sendrecv_generic_if(icecast_t)
> +corenet_tcp_sendrecv_generic_node(icecast_t)
> +corenet_tcp_sendrecv_generic_port(icecast_t)
> +
> +domain_use_interactive_fds(icecast_t)
> +
> +files_read_etc_files(icecast_t)
> +
> +miscfiles_read_localization(icecast_t)
> +
> +auth_use_nsswitch(icecast_t)
> +
> +sysnet_dns_name_resolve(icecast_t)
> +
> +optional_policy(`
> + rtkit_daemon_system_domain(icecast_t)
> +')
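Review bot: `allow icecast_t self:capability { dac_override setgid setuid sys_nice };` gives the daemon a blanket DAC bypass, which in a confined daemon is usually a symptom of a log or pid directory owned by root while the process has already dropped to its service user; it is worth checking the audit log for the access that actually triggered it and dropping `dac_override` once ownership is fixed, or narrowing it to `dac_read_search` if only reads are involved. Separately, the `*_files_pattern` calls on `icecast_var_run_t` and `icecast_var_log_t` grant search only on those directories themselves, and I see no `files_search_pids(icecast_t)` or `logging_search_logs(icecast_t)` to reach them through /var/run and /var/log, so unless `init_daemon_domain` supplies that (not visible here) the daemon will be denied at the parent directory. If icecast writes its pid file directly under /var/run rather than into the pre-labelled subdirectory from the fc entry, a `files_pid_filetrans(icecast_t, icecast_var_run_t, file)` is needed as well; that depends on how the package configures it, which the patch does not show.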
> diff --git a/policy/modules/services/rtkit.if b/policy/modules/services/rtkit.if
> index d536c01..96f8504 100644
> --- a/policy/modules/services/rtkit.if
> +++ b/policy/modules/services/rtkit.if
> @@ -38,3 +38,24 @@ interface(`rtkit_daemon_dbus_chat',`
> allow $1 rtkit_daemon_t:dbus send_msg;
> allow rtkit_daemon_t $1:dbus send_msg;
> ')
> +
> +########################################
> +##
> +## Allow rtkit to control scheduling
> +## for your process.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`rtkit_daemon_system_domain',`
> + gen_require(`
> + type rtkit_daemon_t;
> + ')
> +
> + ps_process_pattern(rtkit_daemon_t, $1)
> + allow rtkit_daemon_t $1:process { getsched setsched };
> + rtkit_daemon_dbus_chat($1)
> +')
> _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150
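Review bot: The documentation on `rtkit_daemon_system_domain` reads as if `$1` were the subject ("Domain allowed access."), but every rule in the body runs the other way: `rtkit_daemon_t` is granted `getsched setsched` on `$1` and, through `ps_process_pattern`, read access to `$1`'s process state, with `rtkit_daemon_dbus_chat` opening dbus in both directions. A caller should be told it is handing rtkit that access over its own domain. Suggest `## Allow the rtkit daemon to read the process state of and set the scheduling of the specified domain.` for the summary and `## Domain whose scheduling rtkit may adjust.` for the parameter; "for your process" is also out of register with the rest of refpolicy's interface docs.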