## Mplayer media player and encoder.
########################################
##
## Role access for mplayer
##
##
##
## The prefix of the user role (e.g., user
## is the prefix for user_r).
##
##
##
##
## User domain for the role.
##
##
##
##
## User exec domain for execute and transition access.
##
##
##
##
## Role allowed access
##
##
#
template(`mplayer_role',`
gen_require(`
attribute_role mencoder_roles, mplayer_roles;
type mencoder_t, mencoder_exec_t, mplayer_home_t;
type mplayer_t, mplayer_exec_t, mplayer_tmpfs_t;
')
########################################
#
# Declarations
#
roleattribute $4 mencoder_roles;
roleattribute $4 mplayer_roles;
########################################
#
# Policy
#
domtrans_pattern($3, mencoder_exec_t, mencoder_t)
domtrans_pattern($3, mplayer_exec_t, mplayer_t)
allow $3 { mplayer_t mencoder_t }:process { getsched ptrace signal_perms };
ps_process_pattern($3, { mplayer_t mencoder_t })
allow $2 mplayer_home_t:dir { manage_dir_perms relabel_dir_perms };
allow $2 mplayer_home_t:file { manage_file_perms relabel_file_perms };
allow $2 mplayer_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
userdom_user_home_dir_filetrans($2, mplayer_home_t, dir, ".mplayer")
allow $2 mplayer_tmpfs_t:file { manage_file_perms relabel_file_perms };
allow $2 mplayer_tmpfs_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
allow $2 mplayer_tmpfs_t:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms };
allow $2 mplayer_tmpfs_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };
optional_policy(`
systemd_user_app_status($1, mencoder_t)
systemd_user_app_status($1, mplayer_t)
')
')
########################################
##
## Run mplayer in mplayer domain.
##
##
##
## Domain allowed to transition.
##
##
#
interface(`mplayer_domtrans',`
gen_require(`
type mplayer_t, mplayer_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, mplayer_exec_t, mplayer_t)
')
########################################
##
## Execute mplayer in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
#
interface(`mplayer_exec',`
gen_require(`
type mplayer_exec_t;
')
corecmd_search_bin($1)
can_exec($1, mplayer_exec_t)
')
########################################
##
## Read mplayer user home content files.
##
##
##
## Domain allowed access.
##
##
#
interface(`mplayer_read_user_home_files',`
gen_require(`
type mplayer_home_t;
')
userdom_search_user_home_dirs($1)
read_files_pattern($1, mplayer_home_t, mplayer_home_t)
')
########################################
##
## Create, read, write, and delete
## generic mplayer home content.
##
##
##
## Domain allowed access.
##
##
#
interface(`mplayer_manage_generic_home_content',`
gen_require(`
type mplayer_home_t;
')
userdom_search_user_home_dirs($1)
allow $1 mplayer_home_t:dir manage_dir_perms;
allow $1 mplayer_home_t:file manage_file_perms;
allow $1 mplayer_home_t:lnk_file manage_lnk_file_perms;
')
########################################
##
## Create specified objects in user home
## directories with the generic mplayer
## home type.
##
##
##
## Domain allowed access.
##
##
##
##
## Class of the object being created.
##
##
##
##
## The name of the object being created.
##
##
#
interface(`mplayer_home_filetrans_mplayer_home',`
gen_require(`
type mplayer_home_t;
')
userdom_user_home_dir_filetrans($1, mplayer_home_t, $2, $3)
')