[selinux-policy/master_contrib: 34/47] mythtv policy
Miroslav Grepl
mgrepl at fedoraproject.org
Wed Jan 16 13:33:22 UTC 2013
commit 4d4ae9fdd940e84d71ab210e6c953259bd91180f
Author: Dan Walsh <dwalsh at redhat.com>
Date: Tue Jan 15 11:50:59 2013 -0500
mythtv policy
apache.fc | 4 --
mythtv.fc | 9 ++++
mythtv.if | 157 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
mythtv.te | 43 +++++++++++++++++
4 files changed, 209 insertions(+), 4 deletions(-)
---
diff --git a/apache.fc b/apache.fc
index dcb9d6e..d2af19f 100644
--- a/apache.fc
+++ b/apache.fc
@@ -70,10 +70,6 @@ ifdef(`distro_suse', `
/usr/share/htdig(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/icecast(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
-/usr/share/mythweb/mythweb\.pl gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
-/usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
/usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
diff --git a/mythtv.fc b/mythtv.fc
new file mode 100644
index 0000000..3a1c423
--- /dev/null
+++ b/mythtv.fc
@@ -0,0 +1,9 @@
+/usr/share/mythweb/mythweb\.pl -- gen_context(system_u:object_r:httpd_mythtv_script_exec_t,s0)
+
+/var/lib/mythtv(/.*)? gen_context(system_u:object_r:mythtv_var_lib_t,s0)
+
+/var/log/mythtv(/.*)? gen_context(system_u:object_r:mythtv_var_log_t,s0)
+
+/usr/share/mythtv(/.*)? gen_context(system_u:object_r:httpd_mythtv_content_t,s0)
+/usr/share/mythweb(/.*)? gen_context(system_u:object_r:httpd_mythtv_content_t,s0)
+/usr/share/mythtv/mythweather/scripts(/.*)? gen_context(system_u:object_r:httpd_mythtv_script_exec_t,s0)
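Review bot: The `/usr/share/mythtv(/.*)?` entry at the hunk's line 7 labels the entire MythTV share tree as httpd_mythtv_content_t, whereas the entries being removed from apache.fc only ever treated `/usr/share/mythtv/data(/.*)?` as web content; since apache_content_template makes that type readable by the web server domain, this widens what httpd can read to every MythTV data file installed there. If only the data and mythweather directories are actually served, narrowing the pattern back to `/usr/share/mythtv/data(/.*)?` keeps the rest of the tree out of the web-readable set. The more specific `mythweb\.pl` and `mythweather/scripts` lines still win over the directory-wide entries by stem length, so their placement is fine, but grouping the mythweb.pl line with the other /usr/share entries would make the precedence easier to read.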
diff --git a/mythtv.if b/mythtv.if
new file mode 100644
index 0000000..6ad142d
--- /dev/null
+++ b/mythtv.if
@@ -0,0 +1,157 @@
+
+## <summary>policy for httpd_mythtv_script</summary>
+
+########################################
+## <summary>
+## Execute TEMPLATE in the httpd_mythtv_script domin.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`httpd_mythtv_script_domtrans',`
+ gen_require(`
+ type httpd_mythtv_script_t, httpd_mythtv_script_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, httpd_mythtv_script_exec_t, httpd_mythtv_script_t)
+')
+
+#######################################
+## <summary>
+## read mythtv libs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mythtv_read_lib',`
+ gen_require(`
+ type mythtv_var_lib_t;
+ ')
+
+ read_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t)
+ files_list_var_lib($1)
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete
+## mythtv lib content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mythtv_manage_lib',`
+ gen_require(`
+ type mythtv_var_lib_t;
+ ')
+
+ manage_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t)
+ manage_lnk_files_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t)
+ files_list_var_lib($1)
+')
+
+#######################################
+## <summary>
+## read mythtv logs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mythtv_read_log',`
+ gen_require(`
+ type mythtv_var_log_t;
+ ')
+
+ read_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
+ logging_search_logs($1)
+')
+
+#######################################
+## <summary>
+## Append mythtv log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mythtv_append_log',`
+ gen_require(`
+ type mythtv_var_log_t;
+ ')
+
+ append_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
+ logging_search_logs($1)
+')
+
+#######################################
+## <summary>
+## Create, read, write, and delete
+## mythtv log content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mythtv_manage_log',`
+ gen_require(`
+ type mythtv_var_log_t;
+ ')
+
+ manage_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
+ manage_lnk_files_pattern($1, mythtv_var_log_t, mythtv_var_log_t)
+ logging_search_logs($1)
+')
+
+########################################
+## <summary>
+## All of the rules required to
+## administrate an mythtv environment.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`mythtv_admin',`
+ gen_require(`
+ type httpd_mythtv_script_t, mythtv_var_lib_t;
+ type mythtv_var_log_t;
+ ')
+
+ allow $1 httpd_mythtv_script_t:process signal_perms;
+ ps_process_pattern($1, httpd_mythtv_script_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 httpd_mythtv_script_t:process ptrace;
+ ')
+
+ logging_list_logs($1)
+ admin_pattern($1, mythtv_var_log_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, mythtv_var_lib_t)
+')
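Review bot: The summary for httpd_mythtv_script_domtrans at the hunk's line 6 still carries template text, "Execute TEMPLATE in the httpd_mythtv_script domin."; it should read `## Execute a file in the httpd_mythtv_script domain.`, and "administrate an mythtv environment" in mythtv_admin's summary should be "a mythtv environment". mythtv_admin documents a `role` parameter but the body never references `$2`, so either the parameter and its doc block should go or the interface should use it. mythtv_read_lib and mythtv_read_log grant read on files of the type plus search on its directories, but no listing; if callers are expected to enumerate /var/lib/mythtv or /var/log/mythtv, add `list_dirs_pattern($1, mythtv_var_lib_t, mythtv_var_lib_t)` (and the log equivalent) next to the read_files_pattern calls.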
diff --git a/mythtv.te b/mythtv.te
new file mode 100644
index 0000000..2ec33e7
--- /dev/null
+++ b/mythtv.te
@@ -0,0 +1,43 @@
+policy_module(mythtv, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+apache_content_template(mythtv)
+
+permissive httpd_mythtv_script_t;
+
+type mythtv_var_lib_t;
+files_type(mythtv_var_lib_t)
+
+type mythtv_var_log_t;
+logging_log_file(mythtv_var_log_t)
+
+########################################
+#
+# httpd_mythtv_script local policy
+#
+
+manage_files_pattern(httpd_mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t)
+manage_dirs_pattern(httpd_mythtv_script_t, mythtv_var_lib_t, mythtv_var_lib_t)
+files_var_lib_filetrans(httpd_mythtv_script_t, mythtv_var_lib_t, { dir file })
+
+manage_files_pattern(httpd_mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t)
+manage_dirs_pattern(httpd_mythtv_script_t, mythtv_var_log_t, mythtv_var_log_t)
+logging_log_filetrans(httpd_mythtv_script_t, mythtv_var_log_t, file )
+
+domain_use_interactive_fds(httpd_mythtv_script_t)
+
+files_read_etc_files(httpd_mythtv_script_t)
+
+fs_read_nfs_files(httpd_mythtv_script_t)
+
+miscfiles_read_localization(httpd_mythtv_script_t)
+
+optional_policy(`
+ mysql_read_config(httpd_mythtv_script_t)
+ mysql_stream_connect(httpd_mythtv_script_t)
+ mysql_tcp_connect(httpd_mythtv_script_t)
+')
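Review bot: `permissive httpd_mythtv_script_t;` at the hunk's line 10 puts the whole new domain in permissive mode, so every rule below is audit-only and nothing in this module actually confines the MythWeb scripts until that line is removed; if this is the usual bootstrap for a new Fedora domain it should be called out in the commit message and tracked for removal, otherwise the line should go before shipping. `fs_read_nfs_files(httpd_mythtv_script_t)` is granted unconditionally, while the rest of the apache policy gates NFS access behind a boolean; wrapping it as `tunable_policy(`httpd_use_nfs`,` / `fs_read_nfs_files(httpd_mythtv_script_t)` / `')` keeps that decision with the administrator. The script domain also gets full manage rights on both mythtv_var_lib_t and mythtv_var_log_t (files and directories); if the CGI only needs to append to its log, append_files_pattern plus the filetrans would be the tighter grant.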