From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Tue, 7 May 2013 20:24:42 +0200
Subject: [refpolicy] [PATCH v2 2/2] Add minidlna policy
In-Reply-To: <20130507182256.GA21025@siphos.be>
References: <20130507182256.GA21025@siphos.be>
Message-ID: <20130507182441.GC21025@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
The minidlna policy allows the minidla server to listen on the ssdp and trivnet1 ports (ssdp is for the discovery, trivnet1 for serving the files) and serve files marked as public_t. If minidlna_read_generic_user_content is set, the server can also be used to serve user content.
Changes since v1
- Use minidlna_conf_t instead of minidlna_etc_t
- Add in directories used in fedora
- More descriptive booleans and general module summary
- Remove explicit node_bind permission as it is provided through other interface calls
- Allow creating minidlna_log_t entries
- Drop filetransitions for log file and /var/lib
- Use permission sets when combined pattern interfaces are not needed
- Introduce auth_use_nsswitch as minidlna interprets nsswitch.conf
- Drop *_client_packets interfaces (secmark), the domain does not act as a client
---
 minidlna.fc | 14 +++++++++
 minidlna.if | 64 ++++++++++++++++++++++++++++++++++++++
 minidlna.te | 102 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 180 insertions(+)
 create mode 100644 minidlna.fc
 create mode 100644 minidlna.if
 create mode 100644 minidlna.te
diff --git a/minidlna.fc b/minidlna.fc
new file mode 100644
index 0000000..9d4cd52
--- /dev/null
+++ b/minidlna.fc
@@ -0,0 +1,14 @@
+/etc/rc\.d/init\.d/minidlna -- gen_context(system_u:object_r:minidlna_initrc_exec_t,s0)
+
+/etc/minidlna\.conf -- gen_context(system_u:object_r:minidlna_conf_t,s0)
+
+/usr/sbin/minidlna -- gen_context(system_u:object_r:minidlna_exec_t,s0)
+
+/var/cache/minidlna(/.*)? gen_context(system_u:object_r:minidlna_db_t,s0)
+
+/var/lib/minidlna(/.*)? gen_context(system_u:object_r:minidlna_db_t,s0)
+
+/var/log/minidlna(/.*)? gen_context(system_u:object_r:minidlna_log_t,s0)
+/var/log/minidlna\.log.* -- gen_context(system_u:object_r:minidlna_log_t,s0)
+
+/var/run/minidlna(/.*)? gen_context(system_u:object_r:minidlna_var_run_t,s0)
diff --git a/minidlna.if b/minidlna.if
new file mode 100644
index 0000000..358917a
--- /dev/null
+++ b/minidlna.if
@@ -0,0 +1,64 @@
+## MiniDLNA lightweight DLNA/UPnP media server
+
+########################################
+##
+## All of the rules required to
+## administrate an minidlna environment.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+#
+interface(`minidlna_admin',`
+ gen_require(`
+ type minidlna_t, minidlna_var_run_t, minidlna_initrc_exec_t;
+ type minidlna_conf_t, minidlna_log_t, minidlna_db_t;
+ ')
+
+ allow $1 minidlna_t:process { ptrace signal_perms };
+ ps_process_pattern($1, minidlna_t)
+
+ minidlna_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 minidlna_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_search_etc($1)
+ admin_pattern($1, minidlna_conf_t)
+
+ logging_search_logs($1)
+ admin_pattern($1, minidlna_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, minidlna_db_t)
+
+ files_search_pids($1)
+ admin_pattern($1, minidlna_var_run_t)
+')
+
+########################################
+##
+## Execute minidlna init scripts in
+## the initrc domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`minidlna_initrc_domtrans',`
+ gen_require(`
+ type minidlna_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, minidlna_initrc_exec_t)
+')
diff --git a/minidlna.te b/minidlna.te
new file mode 100644
index 0000000..7273853
--- /dev/null
+++ b/minidlna.te
@@ -0,0 +1,102 @@
+policy_module(minidlna, 0.1)
+
+#############################################
+#
+# Declarations
+#
+
+##
+##

+## Determine whether minidlna can read generic user content.
+##

+##
+gen_tunable(minidlna_read_generic_user_content, false)
+
+type minidlna_t;
+type minidlna_exec_t;
+init_daemon_domain(minidlna_t, minidlna_exec_t)
+
+type minidlna_initrc_exec_t;
+init_script_file(minidlna_initrc_exec_t)
+
+type minidlna_conf_t;
+files_config_file(minidlna_conf_t)
+
+type minidlna_log_t;
+logging_log_file(minidlna_log_t)
+
+type minidlna_db_t;
+files_type(minidlna_db_t)
+
+type minidlna_var_run_t;
+files_pid_file(minidlna_var_run_t)
+
+###############################################
+#
+# Local policy
+#
+
+allow minidlna_t self:process setsched;
+allow minidlna_t self:tcp_socket create_stream_socket_perms;
+allow minidlna_t self:udp_socket create_socket_perms;
+allow minidlna_t self:netlink_route_socket r_netlink_socket_perms;
+allow minidlna_t minidlna_conf_t:file read_file_perms;
+
+allow minidlna_t minidlna_db_t:dir { create_dir_perms rw_dir_perms };
+allow minidlna_t minidlna_db_t:file manage_file_perms;
+
+allow minidlna_t minidlna_log_t:file append_file_perms;
+create_files_pattern(minidlna_t, minidlna_log_t, minidlna_log_t)
+
+allow minidlna_t minidlna_var_run_t:file manage_file_perms;
+allow minidlna_t minidlna_var_run_t:dir rw_dir_perms;
+files_pid_filetrans(minidlna_t, minidlna_var_run_t, file)
+
+kernel_read_fs_sysctls(minidlna_t)
+kernel_read_system_state(minidlna_t)
+
+corecmd_exec_bin(minidlna_t)
+corecmd_exec_shell(minidlna_t)
+
+corenet_all_recvfrom_netlabel(minidlna_t)
+corenet_all_recvfrom_unlabeled(minidlna_t)
+
+corenet_sendrecv_ssdp_server_packets(minidlna_t)
+corenet_sendrecv_trivnet1_server_packets(minidlna_t)
+
+corenet_tcp_bind_generic_node(minidlna_t)
+corenet_tcp_bind_trivnet1_port(minidlna_t)
+corenet_tcp_sendrecv_generic_if(minidlna_t)
+corenet_tcp_sendrecv_generic_node(minidlna_t)
+corenet_tcp_sendrecv_trivnet1_port(minidlna_t)
+
+corenet_udp_bind_generic_node(minidlna_t)
+corenet_udp_bind_ssdp_port(minidlna_t)
+corenet_udp_sendrecv_generic_if(minidlna_t)
+corenet_udp_sendrecv_generic_node(minidlna_t)
+corenet_udp_sendrecv_ssdp_port(minidlna_t)
+
+files_search_var_lib(minidlna_t)
+
+auth_use_nsswitch(minidlna_t)
+
+logging_search_logs(minidlna_t)
+
+miscfiles_read_localization(minidlna_t)
+miscfiles_read_public_files(minidlna_t)
+
+tunable_policy(`minidlna_read_generic_user_content',`
+ userdom_list_user_tmp(minidlna_t)
+ userdom_read_user_home_content_files(minidlna_t)
+ userdom_read_user_home_content_symlinks(minidlna_t)
+ userdom_read_user_tmp_files(minidlna_t)
+ userdom_read_user_tmp_symlinks(minidlna_t)
+',`
+ files_dontaudit_list_home(minidlna_t)
+ files_dontaudit_list_tmp(minidlna_t)
+
+ userdom_dontaudit_list_user_home_dirs(minidlna_t)
+ userdom_dontaudit_list_user_tmp(minidlna_t)
+ userdom_dontaudit_read_user_home_content_files(minidlna_t)
+ userdom_dontaudit_read_user_tmp_files(minidlna_t)
+')
--
1.8.1.5
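Review bot: `corecmd_exec_shell(minidlna_t)`, next to `corecmd_exec_bin` in the middle of the minidlna.te hunk, lets a network-facing daemon execute a shell, which widens what a compromised minidlna_t process can do; if minidlna is not known to spawn a shell, drop that line, otherwise keep it with a comment naming the reason, e.g. `# minidlna runs <TODO: program> through sh`. Related: minidlna.fc labels `/var/log/minidlna\.log.*` as minidlna_log_t, yet with the file transition dropped and only `append_file_perms` plus `create_files_pattern` on minidlna_log_t in this hunk, a log file the daemon creates directly under /var/log would be denied (nothing here grants add_name on var_log_t) and would not receive minidlna_log_t — if that file is only ever created by the init script, a one-line comment beside the log rules saying so would spare the next reader the same check. The `{ create_dir_perms rw_dir_perms }` on minidlna_db_t directories likewise reads as deliberate (no rmdir or unlink of subdirectories by the scanner), so a short comment stating that intent would make the least-privilege choice explicit rather than look like a missing manage_dirs_pattern.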