diff --git a/policy/modules/services/icecast.fc b/policy/modules/services/icecast.fc
index 3f1a6c2ce..a81e09008 100644
--- a/policy/modules/services/icecast.fc
+++ b/policy/modules/services/icecast.fc
@@ -1,4 +1,3 @@
-
/etc/rc\.d/init\.d/icecast -- gen_context(system_u:object_r:icecast_initrc_exec_t,s0)
/usr/bin/icecast -- gen_context(system_u:object_r:icecast_exec_t,s0)
diff --git a/policy/modules/services/icecast.if b/policy/modules/services/icecast.if
index 8e6759df1..96ab89275 100644
--- a/policy/modules/services/icecast.if
+++ b/policy/modules/services/icecast.if
@@ -1,4 +1,3 @@
-
## ShoutCast compatible streaming media server
########################################
@@ -19,6 +18,24 @@ interface(`icecast_domtrans',`
domtrans_pattern($1, icecast_exec_t, icecast_t)
')
+########################################
+##
+## Allow domain signal icecast
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`icecast_signal',`
+ gen_require(`
+ type icecast_t;
+ ')
+
+ allow $1 icecast_t:process signal;
+')
+
########################################
##
## Execute icecast server in the icecast domain.
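Review bot: The summary on the relocated icecast_signal interface, `## Allow domain signal icecast`, does not say which signals are covered. The rule `allow $1 icecast_t:process signal;` grants only the generic `signal` permission, so a caller that needs sigkill, sigstop or signull gets nothing for those from this interface. I would reword the summary to `## Send generic signals to icecast.` so policy writers do not assume broader access.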
@@ -131,32 +148,12 @@ interface(`icecast_manage_log',`
')
logging_search_logs($1)
- manage_dirs_pattern($1, icecast_log_t, icecast_log_t)
manage_files_pattern($1, icecast_log_t, icecast_log_t)
- manage_lnk_files_pattern($1, icecast_log_t, icecast_log_t)
')
########################################
##
-## Allow domain signal icecast
-##
-##
-##
-## Domain allowed access.
-##
-##
-#
-interface(`icecast_signal',`
- gen_require(`
- type icecast_t;
- ')
-
- allow $1 icecast_t:process signal;
-')
-
-########################################
-##
-## All of the rules required to administrate
+## All of the rules required to administrate
## an icecast environment
##
##
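Review bot: icecast_manage_log now grants only `manage_files_pattern($1, icecast_log_t, icecast_log_t)`, but icecast.te in this same commit keeps `manage_dirs_pattern(icecast_t, icecast_log_t, icecast_log_t)` and `logging_log_filetrans(icecast_t, icecast_log_t, { file dir } )`. The daemon can therefore still create log directories labelled icecast_log_t, while callers of this interface can edit files inside them but presumably cannot create or remove the directories themselves. If the narrowing is intentional, the interface summary (it starts above this hunk) should say it covers log files only, e.g. `## Manage icecast log files (not directories).`; otherwise keep the `manage_dirs_pattern` line. Dropping `manage_lnk_files_pattern` looks fine, since nothing visible here lets icecast_t create symlinks of that type.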
@@ -176,9 +173,8 @@ interface(`icecast_admin',`
type icecast_t, icecast_initrc_exec_t;
')
- allow $1 icecast_t:process { ptrace signal_perms getattr };
- read_files_pattern($1, icecast_t, icecast_t)
-
+ ps_process_pattern($1, icecast_t)
+
# Allow icecast_t to restart the apache service
icecast_initrc_domtrans($1)
domain_system_change_exemption($1)
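Review bot: Replacing the explicit allow rule with `ps_process_pattern($1, icecast_t)` in icecast_admin drops `signal_perms` along with `ptrace`; as far as I know that pattern grants only `getattr` on the process plus read access to its /proc entries, so the admin domain can no longer signal the daemon directly. Removing ptrace is a sound least-privilege tightening, but if signalling is still expected, add `allow $1 icecast_t:process signal_perms;` next to the pattern. The context comment `# Allow icecast_t to restart the apache service` is also misleading, because the call below it gives `$1` the icecast init-script transition; it should read `# Allow $1 to restart the icecast service`. The interface body starts above this hunk and may continue below it.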
diff --git a/policy/modules/services/icecast.te b/policy/modules/services/icecast.te
index 87159be81..71984e4e1 100644
--- a/policy/modules/services/icecast.te
+++ b/policy/modules/services/icecast.te
@@ -1,4 +1,5 @@
-policy_module(icecast,1.0.0)
+
+policy_module(icecast, 1.0.0)
########################################
#
@@ -25,18 +26,16 @@ logging_log_file(icecast_log_t)
allow icecast_t self:capability { dac_override setgid setuid sys_nice };
allow icecast_t self:process { getsched fork setsched signal };
-
-# internal communication is often done using fifo and unix sockets.
allow icecast_t self:fifo_file rw_fifo_file_perms;
allow icecast_t self:unix_stream_socket create_stream_socket_perms;
allow icecast_t self:tcp_socket create_stream_socket_perms;
-manage_dirs_pattern(icecast_t, icecast_log_t, icecast_log_t)
-manage_files_pattern(icecast_t, icecast_log_t, icecast_log_t)
+manage_dirs_pattern(icecast_t, icecast_log_t, icecast_log_t)
+manage_files_pattern(icecast_t, icecast_log_t, icecast_log_t)
logging_log_filetrans(icecast_t, icecast_log_t, { file dir } )
-manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
-manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
+manage_dirs_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
+manage_files_pattern(icecast_t, icecast_var_run_t, icecast_var_run_t)
files_pid_filetrans(icecast_t, icecast_var_run_t, { file dir })
corenet_tcp_bind_soundd_port(icecast_t)
@@ -53,5 +52,5 @@ miscfiles_read_localization(icecast_t)
sysnet_dns_name_resolve(icecast_t)
optional_policy(`
- rtkit_schedule(icecast_t)
+ rtkit_schedule(icecast_t)
')