[selinux-policy/master_contrib: 34/47] mythtv policy

Miroslav Grepl mgrepl at fedoraproject.org
Wed Jan 16 13:33:22 UTC 2013


commit 4d4ae9fdd940e84d71ab210e6c953259bd91180f
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Tue Jan 15 11:50:59 2013 -0500

    mythtv policy

 apache.fc |    4 --
 mythtv.fc |    9 ++++
 mythtv.if |  157 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 mythtv.te |   43 +++++++++++++++++
 4 files changed, 209 insertions(+), 4 deletions(-)
---
diff --git a/apache.fc b/apache.fc
index dcb9d6e..d2af19f 100644
--- a/apache.fc
+++ b/apache.fc
@@ -70,10 +70,6 @@ ifdef(`distro_suse', `
 
 /usr/share/htdig(/.*)?			gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /usr/share/icecast(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/mythweb(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/mythweb/mythweb\.pl		gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/mythtv/data(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /usr/share/ntop/html(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /usr/share/openca/htdocs(/.*)?		gen_context(system_u:object_r:httpd_sys_content_t,s0)
 /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
diff --git a/mythtv.fc b/mythtv.fc
new file mode 100644
index 0000000..3a1c423
--- /dev/null
+++ b/mythtv.fc
@@ -0,0 +1,9 @@
+/usr/share/mythweb/mythweb\.pl	--	gen_context(system_u:object_r:httpd_mythtv_script_exec_t,s0)
+
+/var/lib/mythtv(/.*)?	gen_context(system_u:object_r:mythtv_var_lib_t,s0)
+
+/var/log/mythtv(/.*)?	gen_context(system_u:object_r:mythtv_var_log_t,s0)
+
+/usr/share/mythtv(/.*)?		gen_context(system_u:object_r:httpd_mythtv_content_t,s0)
+/usr/share/mythweb(/.*)?	gen_context(system_u:object_r:httpd_mythtv_content_t,s0)
+/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_mythtv_script_exec_t,s0)
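Review bot: Labeling all of `/usr/share/mythtv(/.*)?` as httpd_mythtv_content_t (the new file's line 7) is much wider than the `/usr/share/mythtv/data` and mythweather entries the apache.fc hunk removes, so anything other than the web scripts that previously read those files as usr_t now needs explicit access to the new content type; worth confirming that no confined domain reads themes or scripts under that tree. The entries are also unsorted and use mixed tab widths; the usual convention lists contexts sorted by path, which would put the two /usr/share/mythtv lines first, then /usr/share/mythweb with its `mythweb\.pl` line next to the directory entry, then /var/lib and /var/log. Matching here is decided by regex specificity rather than file order, so the ordering is presentation only.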
diff --git a/mythtv.if b/mythtv.if
new file mode 100644
index 0000000..6ad142d
--- /dev/null
+++ b/mythtv.if
@@ -0,0 +1,157 @@
+
+## <summary>policy for httpd_mythtv_script</summary>
+
+########################################
+## <summary>
+##	Execute TEMPLATE in the httpd_mythtv_script domin.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`httpd_mythtv_script_domtrans',`
+	gen_require(`
+		type httpd_mythtv_script_t, httpd_mythtv_script_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, httpd_mythtv_script_exec_t, httpd_mythtv_script_t)
+')
+
+#######################################
+## <summary>
+##	read mythtv libs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mythtv_read_lib',`
+	gen_require(`
+		type mythtv_var_lib_t;
+	')
+
+	read_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t)
+	files_list_var_lib($1)
+')
+
+#######################################
+## <summary>
+##	Create, read, write, and delete
+##	mythtv lib content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mythtv_manage_lib',`
+	gen_require(`
+		type mythtv_var_lib_t;
+	')
+
+	manage_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t)
+	manage_lnk_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t)
+	files_list_var_lib($1)
+')
+
+#######################################
+## <summary>
+##	read mythtv logs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mythtv_read_log',`
+	gen_require(`
+		type mythtv_var_log_t;
+	')
+
+	read_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
+	logging_search_logs($1)
+')
+
+#######################################
+## <summary>
+##	Append mythtv log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mythtv_append_log',`
+	gen_require(`
+		type mythtv_var_log_t;
+	')
+
+	append_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
+	logging_search_logs($1)
+')
+
+#######################################
+## <summary>
+##	Create, read, write, and delete
+##	mythtv log content.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mythtv_manage_log',`
+	gen_require(`
+		type mythtv_var_log_t;
+	')
+
+	manage_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
+	manage_lnk_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
+	logging_search_logs($1)
+')
+
+########################################
+## <summary>
+##	All of the rules required to
+##	administrate an mythtv environment.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+## 	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mythtv_admin',`
+	gen_require(`
+		type httpd_mythtv_script_t, mythtv_var_lib_t;
+		type mythtv_var_log_t;
+	')
+
+	allow $1 httpd_mythtv_script_t:process signal_perms;
+	ps_process_pattern($1, httpd_mythtv_script_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 httpd_mythtv_script_t:process ptrace;
+	')
+
+	logging_list_logs($1)
+	admin_pattern($1, mythtv_var_log_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, mythtv_var_lib_t)
+')
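Review bot: The summary of httpd_mythtv_script_domtrans still carries the template placeholder and a typo: `##	Execute TEMPLATE in the httpd_mythtv_script domin.` should read `##	Execute mythweb scripts in the httpd_mythtv_script domain.`. In mythtv_admin the documented `role` parameter is never used — `$2` does not appear anywhere in the body — so either the `<param name="role">` block should be dropped or the interface should actually grant the role something; admin interfaces usually pair it with a role_transition on an init script, which this module does not declare. Minor style: the summaries of mythtv_read_lib and mythtv_read_log start lowercase ("read mythtv libs.") while the rest of the file capitalizes.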
diff --git a/mythtv.te b/mythtv.te
new file mode 100644
index 0000000..2ec33e7
--- /dev/null
+++ b/mythtv.te
@@ -0,0 +1,43 @@
+policy_module(mythtv, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+apache_content_template(mythtv)
+
+permissive httpd_mythtv_script_t;
+
+type mythtv_var_lib_t;
+files_type(mythtv_var_lib_t)
+
+type mythtv_var_log_t;
+logging_log_file(mythtv_var_log_t)
+
+########################################
+#
+# httpd_mythtv_script local policy
+#
+
+manage_files_pattern(httpd_mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t)
+manage_dirs_pattern(httpd_mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t)
+files_var_lib_filetrans(httpd_mythtv_script_t, mythtv_var_lib_t, { dir file })
+
+manage_files_pattern(httpd_mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t)
+manage_dirs_pattern(httpd_mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t)
+logging_log_filetrans(httpd_mythtv_script_t, mythtv_var_log_t, file )
+
+domain_use_interactive_fds(httpd_mythtv_script_t)
+
+files_read_etc_files(httpd_mythtv_script_t)
+
+fs_read_nfs_files(httpd_mythtv_script_t)
+
+miscfiles_read_localization(httpd_mythtv_script_t)
+
+optional_policy(`
+	mysql_read_config(httpd_mythtv_script_t)
+	mysql_stream_connect(httpd_mythtv_script_t)
+	mysql_tcp_connect(httpd_mythtv_script_t)
+')
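Review bot: `permissive httpd_mythtv_script_t;` makes every rule that follows audit-only for this domain, so none of the access described in this file is enforced yet; that is a reasonable first cut for a new module, but it should carry a comment such as `# TODO: drop permissive once mythweb denials are resolved` so it is not shipped indefinitely. Separately, `fs_read_nfs_files(httpd_mythtv_script_t)` is unconditional, whereas NFS access for other httpd script domains is gated on the `httpd_use_nfs` boolean; if apache_content_template already grants this under that tunable the line is redundant, otherwise it should be wrapped in a tunable_policy block on the same boolean so an administrator can switch it off. The stray space in `logging_log_filetrans(httpd_mythtv_script_t, mythtv_var_log_t, file )` is a style nit, and the log rules grant manage_dirs_pattern without a matching dir filetrans, unlike the var_lib rules above them.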

