authorSven Vermeulen <sven.vermeulen@siphos.be>2013-05-01 22:10:25 +0200
committerSven Vermeulen <sven.vermeulen@siphos.be>2013-05-01 22:10:25 +0200
commitfd7ac272a9fa36d2c0f7b690d022d119488430e8 (patch)
treee1e5a5534d5766e6ff05bd4c2ff1f50eac4c1974
parentMeh, cannot append at end, order is important (diff)
Update policy with suggestions by dgrift
-rw-r--r--policy/modules/contrib/minidlna.fc7
-rw-r--r--policy/modules/contrib/minidlna.if6
-rw-r--r--policy/modules/contrib/minidlna.te47
3 files changed, 35 insertions, 25 deletions
diff --git a/policy/modules/contrib/minidlna.fc b/policy/modules/contrib/minidlna.fc
index 05ad732b1..9d4cd52a2 100644
--- a/policy/modules/contrib/minidlna.fc
+++ b/policy/modules/contrib/minidlna.fc
@@ -1,11 +1,14 @@
/etc/rc\.d/init\.d/minidlna -- gen_context(system_u:object_r:minidlna_initrc_exec_t,s0)
-/etc/minidlna\.conf -- gen_context(system_u:object_r:minidlna_etc_t,s0)
+/etc/minidlna\.conf -- gen_context(system_u:object_r:minidlna_conf_t,s0)
/usr/sbin/minidlna -- gen_context(system_u:object_r:minidlna_exec_t,s0)
+/var/cache/minidlna(/.*)? gen_context(system_u:object_r:minidlna_db_t,s0)
+
/var/lib/minidlna(/.*)? gen_context(system_u:object_r:minidlna_db_t,s0)
-/var/log/minidlna\.log -- gen_context(system_u:object_r:minidlna_log_t,s0)
+/var/log/minidlna(/.*)? gen_context(system_u:object_r:minidlna_log_t,s0)
+/var/log/minidlna\.log.* -- gen_context(system_u:object_r:minidlna_log_t,s0)
/var/run/minidlna(/.*)? gen_context(system_u:object_r:minidlna_var_run_t,s0)
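Review bot: The blank line added after the new `/var/cache/minidlna(/.*)?` entry is the only blank line inside this run of file contexts; the surrounding entries are listed contiguously, so drop it to keep the file's layout consistent. Labelling `/var/cache/minidlna` as `minidlna_db_t` works as a relabel target, but nothing in the .te change of this commit adds a file transition for a cache directory, so a cache directory created by the daemon at runtime would presumably carry its parent's label until a relabel runs; either rely on the package creating it or add a transition on the domain side.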
diff --git a/policy/modules/contrib/minidlna.if b/policy/modules/contrib/minidlna.if
index d27f6340f..358917aa0 100644
--- a/policy/modules/contrib/minidlna.if
+++ b/policy/modules/contrib/minidlna.if
@@ -1,4 +1,4 @@
-## <summary>MiniDLNA server</summary>
+## <summary>MiniDLNA lightweight DLNA/UPnP media server</summary>
########################################
## <summary>
@@ -20,7 +20,7 @@
interface(`minidlna_admin',`
gen_require(`
type minidlna_t, minidlna_var_run_t, minidlna_initrc_exec_t;
- type minidlna_etc_t, minidlna_log_t, minidlna_db_t;
+ type minidlna_conf_t, minidlna_log_t, minidlna_db_t;
')
allow $1 minidlna_t:process { ptrace signal_perms };
@@ -32,7 +32,7 @@ interface(`minidlna_admin',`
allow $2 system_r;
files_search_etc($1)
- admin_pattern($1, minidlna_etc_t)
+ admin_pattern($1, minidlna_conf_t)
logging_search_logs($1)
admin_pattern($1, minidlna_log_t)
diff --git a/policy/modules/contrib/minidlna.te b/policy/modules/contrib/minidlna.te
index 3becc3fcb..d3a5978c5 100644
--- a/policy/modules/contrib/minidlna.te
+++ b/policy/modules/contrib/minidlna.te
@@ -7,21 +7,21 @@ policy_module(minidlna, 0.1)
## <desc>
## <p>
-## Allow minidlna to read generic user content
+## Determine whether minidlna can read generic user content.
## </p>
## </desc>
gen_tunable(minidlna_read_generic_user_content, false)
## <desc>
## <p>
-## Allow minidlna to read all user content
+## Determine whether minidlna can read all user content.
## </p>
## </desc>
gen_tunable(minidlna_read_all_user_content, false)
## <desc>
## <p>
-## Allow minidlna to read xdg videos, pictures and music labeled files
+## Determine whether minidlna can read users xdg videos, pictures and music labeled files
## </p>
## </desc>
gen_tunable(minidlna_read_xdg_media_content, false)
@@ -33,8 +33,8 @@ init_daemon_domain(minidlna_t, minidlna_exec_t)
type minidlna_initrc_exec_t;
init_script_file(minidlna_initrc_exec_t)
-type minidlna_etc_t;
-files_config_file(minidlna_etc_t)
+type minidlna_conf_t;
+files_config_file(minidlna_conf_t)
type minidlna_log_t;
logging_log_file(minidlna_log_t)
@@ -50,27 +50,33 @@ files_pid_file(minidlna_var_run_t)
# Local policy
#
-allow minidlna_t self:process { setsched };
+allow minidlna_t self:process setsched;
allow minidlna_t self:tcp_socket create_stream_socket_perms;
-allow minidlna_t self:udp_socket { create_socket_perms node_bind };
-allow minidlna_t self:netlink_route_socket rw_netlink_socket_perms;
-allow minidlna_t minidlna_log_t:file { create_file_perms append_file_perms };
-allow minidlna_t minidlna_etc_t:file read_file_perms;
-
-manage_files_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
-create_dirs_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
-rw_dirs_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
-files_var_lib_filetrans(minidlna_t, minidlna_db_t, dir)
-
-manage_files_pattern(minidlna_t, minidlna_var_run_t, minidlna_var_run_t)
-rw_dirs_pattern(minidlna_t, minidlna_var_run_t, minidlna_var_run_t)
+allow minidlna_t self:udp_socket create_socket_perms;
+allow minidlna_t self:netlink_route_socket r_netlink_socket_perms;
+allow minidlna_t minidlna_conf_t:file read_file_perms;
+
+allow minidlna_t minidlna_db_t:dir { create_dir_perms rw_dir_perms };
+allow minidlna_t minidlna_db_t:file manage_file_perms;
+#manage_files_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
+#create_dirs_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
+#rw_dirs_pattern(minidlna_t, minidlna_db_t, minidlna_db_t)
+#files_var_lib_filetrans(minidlna_t, minidlna_db_t, dir)
+
+allow minidlna_t minidlna_log_t:file append_file_perms;
+create_files_pattern(minidlna_t, minidlna_log_t, minidlna_log_t)
+#append_files_pattern(minidlna_t, minidlna_log_t, minidlna_log_t)
+logging_log_filetrans(minidlna_t, minidlna_log_t, file)
+
+allow minidlna_t minidlna_var_run_t:file manage_file_perms;
+allow minidlna_t minidlna_var_run_t:dir rw_dir_perms;
+#manage_files_pattern(minidlna_t, minidlna_var_run_t, minidlna_var_run_t)
+#rw_dirs_pattern(minidlna_t, minidlna_var_run_t, minidlna_var_run_t)
files_pid_filetrans(minidlna_t, minidlna_var_run_t, file)
kernel_read_fs_sysctls(minidlna_t)
kernel_read_system_state(minidlna_t)
-logging_log_filetrans(minidlna_t, minidlna_log_t, file)
-
corecmd_exec_bin(minidlna_t)
corecmd_exec_shell(minidlna_t)
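Review bot: The commented-out `manage_files_pattern`, `create_dirs_pattern`, `rw_dirs_pattern`, `files_var_lib_filetrans`, `append_files_pattern` and second `manage_files_pattern`/`rw_dirs_pattern` lines kept beneath the new `allow` rules for minidlna_db_t, minidlna_log_t and minidlna_var_run_t are dead code; delete them rather than leave both forms side by side. Of those, `files_var_lib_filetrans(minidlna_t, minidlna_db_t, dir)` is the one whose removal changes behaviour: the new `allow minidlna_t minidlna_db_t:dir { create_dir_perms rw_dir_perms };` still lets the daemon create directories, but with the transition gone a `/var/lib/minidlna` created at runtime would presumably take its parent's label instead of minidlna_db_t, so restore that line unless the directory is guaranteed to be created and labelled by the package. Likewise `logging_log_filetrans(minidlna_t, minidlna_log_t, file)` covers only files, while the .fc in this same commit now labels the `/var/log/minidlna(/.*)?` directory as minidlna_log_t; if the daemon creates that directory itself, the transition needs the `dir` class as well.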
@@ -92,6 +98,7 @@ corenet_sendrecv_trivnet1_server_packets(minidlna_t)
corenet_tcp_bind_trivnet1_port(minidlna_t)
files_read_etc_files(minidlna_t)
+files_search_var_lib(minidlna_t)
miscfiles_read_localization(minidlna_t)
miscfiles_read_public_files(minidlna_t)