From: sven.vermeulen@siphos.be (Sven Vermeulen)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH/RFC 2/2] Add minidlna policy
Date: Wed, 1 May 2013 20:38:45 +0200	[thread overview]
Message-ID: <20130501183845.GC25116@siphos.be> (raw)
In-Reply-To: <20130501183657.GA25116@siphos.be>

The minidlna policy allows the minidlna server to listen on the ssdp and trivnet1
ports (ssdp is for discovery, trivnet1 for serving the files) and to serve
files marked as public_t.

If minidlna_read_generic_user_content is set, the server can also be used to
serve user content.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 minidlna.fc | 11 +++++++
 minidlna.if | 64 +++++++++++++++++++++++++++++++++++++++
 minidlna.te | 99 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 174 insertions(+)
 create mode 100644 minidlna.fc
 create mode 100644 minidlna.if
 create mode 100644 minidlna.te

diff --git a/minidlna.fc b/minidlna.fc
new file mode 100644
index 0000000..05ad732
--- /dev/null
+++ b/minidlna.fc
@@ -0,0 +1,11 @@
+/etc/rc\.d/init\.d/minidlna	--	gen_context(system_u:object_r:minidlna_initrc_exec_t,s0)
+
+/etc/minidlna\.conf	--	gen_context(system_u:object_r:minidlna_etc_t,s0)
+
+/usr/sbin/minidlna	--	gen_context(system_u:object_r:minidlna_exec_t,s0)
+
+/var/lib/minidlna(/.*)?		gen_context(system_u:object_r:minidlna_db_t,s0)
+
+/var/log/minidlna\.log	--	gen_context(system_u:object_r:minidlna_log_t,s0)
+
+/var/run/minidlna(/.*)?		gen_context(system_u:object_r:minidlna_var_run_t,s0)
diff --git a/minidlna.if b/minidlna.if
new file mode 100644
index 0000000..d27f634
--- /dev/null
+++ b/minidlna.if
@@ -0,0 +1,64 @@
+## <summary>MiniDLNA server</summary>
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an minidlna environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`minidlna_admin',`
+	gen_require(`
+		type minidlna_t, minidlna_var_run_t, minidlna_initrc_exec_t;
+		type minidlna_etc_t, minidlna_log_t, minidlna_db_t;
+	')
+
+	allow $1 minidlna_t:process { ptrace signal_perms };
+	ps_process_pattern($1, minidlna_t)
+
+	minidlna_initrc_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 minidlna_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_search_etc($1)
+	admin_pattern($1, minidlna_etc_t)
+
+	logging_search_logs($1)
+	admin_pattern($1, minidlna_log_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, minidlna_db_t)
+
+	files_search_pids($1)
+	admin_pattern($1, minidlna_var_run_t)
+')
+
+########################################
+## <summary>
+##	Execute minidlna init scripts in
+##	the initrc domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`minidlna_initrc_domtrans',`
+	gen_require(`
+		type minidlna_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, minidlna_initrc_exec_t)
+')
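Review bot: The summary of minidlna_admin reads "administrate an minidlna environment"; it should be `##	administrate a minidlna environment.`, matching the wording used by the other admin interfaces in refpolicy. The body of the interface itself follows the usual admin template (process signals and ptrace, initrc domtrans with the role transition, admin_pattern on each of the module's file types), so nothing else stands out in this hunk.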
diff --git a/minidlna.te b/minidlna.te
new file mode 100644
index 0000000..06ab1c9
--- /dev/null
+++ b/minidlna.te
@@ -0,0 +1,99 @@
+policy_module(minidlna, 0.1)
+
+#############################################
+#
+# Declarations
+#
+
+## <desc>
+##	<p>
+##	Allow minidlna to read generic user content
+##	</p>
+## </desc>
+gen_tunable(minidlna_read_generic_user_content, false)
+
+type minidlna_t;
+type minidlna_exec_t;
+init_daemon_domain(minidlna_t, minidlna_exec_t)
+
+type minidlna_initrc_exec_t;
+init_script_file(minidlna_initrc_exec_t)
+
+type minidlna_etc_t;
+files_config_file(minidlna_etc_t)
+
+type minidlna_log_t;
+logging_log_file(minidlna_log_t)
+
+type minidlna_db_t;
+files_type(minidlna_db_t)
+
+type minidlna_var_run_t;
+files_pid_file(minidlna_var_run_t)
+
+###############################################
+#
+# Local policy
+#
+
+allow minidlna_t self:process { setsched };
+allow minidlna_t self:tcp_socket create_stream_socket_perms;
+allow minidlna_t self:udp_socket { create_socket_perms node_bind };
+allow minidlna_t self:netlink_route_socket rw_netlink_socket_perms;
+allow minidlna_t minidlna_log_t:file { create_file_perms append_file_perms };
+allow minidlna_t minidlna_etc_t:file read_file_perms;
+
+manage_files_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
+create_dirs_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
+rw_dirs_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
+files_var_lib_filetrans(minidlna_t, minidlna_db_t, dir)
+
+manage_files_pattern(minidlna_t, minidlna_var_run_t, minidlna_var_run_t)
+rw_dirs_pattern(minidlna_t, minidlna_var_run_t, minidlna_var_run_t)
+files_pid_filetrans(minidlna_t, minidlna_var_run_t, file)
+
+kernel_read_fs_sysctls(minidlna_t)
+kernel_read_system_state(minidlna_t)
+
+logging_log_filetrans(minidlna_t, minidlna_log_t, file)
+
+corecmd_exec_bin(minidlna_t)
+corecmd_exec_shell(minidlna_t)
+
+corenet_all_recvfrom_netlabel(minidlna_t)
+corenet_all_recvfrom_unlabeled(minidlna_t)
+
+corenet_sendrecv_ssdp_client_packets(minidlna_t)
+corenet_sendrecv_ssdp_server_packets(minidlna_t)
+
+corenet_tcp_bind_generic_node(minidlna_t)
+corenet_tcp_sendrecv_generic_if(minidlna_t)
+corenet_tcp_sendrecv_generic_node(minidlna_t)
+
+corenet_udp_bind_generic_node(minidlna_t)
+corenet_udp_bind_ssdp_port(minidlna_t)
+
+corenet_sendrecv_trivnet1_client_packets(minidlna_t)
+corenet_sendrecv_trivnet1_server_packets(minidlna_t)
+corenet_tcp_bind_trivnet1_port(minidlna_t)
+
+files_read_etc_files(minidlna_t)
+
+miscfiles_read_localization(minidlna_t)
+miscfiles_read_public_files(minidlna_t)
+
+tunable_policy(`minidlna_read_generic_user_content',`
+	userdom_list_user_tmp(minidlna_t)
+	userdom_read_user_home_content_files(minidlna_t)
+	userdom_read_user_home_content_symlinks(minidlna_t)
+	userdom_read_user_tmp_files(minidlna_t)
+	userdom_read_user_tmp_symlinks(minidlna_t)
+',`
+	files_dontaudit_list_home(minidlna_t)
+	files_dontaudit_list_tmp(minidlna_t)
+
+	userdom_dontaudit_list_user_home_dirs(minidlna_t)
+	userdom_dontaudit_list_user_tmp(minidlna_t)
+	userdom_dontaudit_read_user_home_content_files(minidlna_t)
+	userdom_dontaudit_read_user_tmp_files(minidlna_t)
+')
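Review bot: corecmd_exec_bin and corecmd_exec_shell on minidlna_t (the two lines after the logging_log_filetrans call) are not explained anywhere in the module or the commit message, and letting a media server domain run shells and arbitrary binaries noticeably widens what an attacker reaching that domain can do; a short comment naming the feature that needs them, or dropping them if they only came from denial logs, would help the next reviewer. The raw `allow minidlna_t minidlna_log_t:file { create_file_perms append_file_perms };` and `allow minidlna_t minidlna_etc_t:file read_file_perms;` would more idiomatically be `create_files_pattern(minidlna_t, minidlna_log_t, minidlna_log_t)`, `append_files_pattern(minidlna_t, minidlna_log_t, minidlna_log_t)` and `read_files_pattern(minidlna_t, minidlna_etc_t, minidlna_etc_t)`, which is the style the rest of the module already uses for minidlna_db_t and minidlna_var_run_t. The commit message says the server serves files labeled "public_t", while the grant here is miscfiles_read_public_files, which as far as I know covers public_content_t and public_content_rw_t; the message should presumably name that type instead. I believe new refpolicy modules are expected to start at `policy_module(minidlna, 1.0.0)` rather than 0.1, worth confirming against the other modules in the tree.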
-- 
1.8.1.5
