## Mplayer media player and encoder. ######################################## ## ## Role access for mplayer ## ## ## ## The prefix of the user role (e.g., user ## is the prefix for user_r). ## ## ## ## ## User domain for the role. ## ## ## ## ## User exec domain for execute and transition access. ## ## ## ## ## Role allowed access ## ## # template(`mplayer_role',` gen_require(` attribute_role mencoder_roles, mplayer_roles; type mencoder_t, mencoder_exec_t, mplayer_home_t; type mplayer_t, mplayer_exec_t, mplayer_tmpfs_t; ') ######################################## # # Declarations # roleattribute $4 mencoder_roles; roleattribute $4 mplayer_roles; ######################################## # # Policy # domtrans_pattern($3, mencoder_exec_t, mencoder_t) domtrans_pattern($3, mplayer_exec_t, mplayer_t) allow $3 { mplayer_t mencoder_t }:process { getsched ptrace signal_perms }; ps_process_pattern($3, { mplayer_t mencoder_t }) allow $2 mplayer_home_t:dir { manage_dir_perms relabel_dir_perms }; allow $2 mplayer_home_t:file { manage_file_perms relabel_file_perms }; allow $2 mplayer_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; userdom_user_home_dir_filetrans($2, mplayer_home_t, dir, ".mplayer") allow $2 mplayer_tmpfs_t:file { manage_file_perms relabel_file_perms }; allow $2 mplayer_tmpfs_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; allow $2 mplayer_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; allow $2 mplayer_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; optional_policy(` systemd_user_app_status($1, mencoder_t) systemd_user_app_status($1, mplayer_t) ') ') ######################################## ## ## Run mplayer in mplayer domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`mplayer_domtrans',` gen_require(` type mplayer_t, mplayer_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, mplayer_exec_t, mplayer_t) ') ######################################## ## ## Execute mplayer in the caller domain. ## ## ## ## Domain allowed access. ## ## # # interface(`mplayer_exec',` gen_require(` type mplayer_exec_t; ') corecmd_search_bin($1) can_exec($1, mplayer_exec_t) ') ######################################## ## ## Read mplayer user home content files. ## ## ## ## Domain allowed access. ## ## # interface(`mplayer_read_user_home_files',` gen_require(` type mplayer_home_t; ') userdom_search_user_home_dirs($1) read_files_pattern($1, mplayer_home_t, mplayer_home_t) ') ######################################## ## ## Create, read, write, and delete ## generic mplayer home content. ## ## ## ## Domain allowed access. ## ## # interface(`mplayer_manage_generic_home_content',` gen_require(` type mplayer_home_t; ') userdom_search_user_home_dirs($1) allow $1 mplayer_home_t:dir manage_dir_perms; allow $1 mplayer_home_t:file manage_file_perms; allow $1 mplayer_home_t:lnk_file manage_lnk_file_perms; ') ######################################## ## ## Create specified objects in user home ## directories with the generic mplayer ## home type. ## ## ## ## Domain allowed access. ## ## ## ## ## Class of the object being created. ## ## ## ## ## The name of the object being created. ## ## # interface(`mplayer_home_filetrans_mplayer_home',` gen_require(` type mplayer_home_t; ') userdom_user_home_dir_filetrans($1, mplayer_home_t, $2, $3) ')