usr.local.jellyfin.jellyfin
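#include <tunables/global>

# AppArmor profile for the Jellyfin server installed under /usr/local/jellyfin.
# File rules are cumulative: the effective permission on a path is the union
# of every rule below that matches it.
profile jellyfin /usr/local/jellyfin/jellyfin {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/ssl_certs>

  # Jellyfin binary and libraries
  # NOTE(review): combined with the `rwk` rule under "Jellyfin directories",
  # these rules leave the executable and every library it maps writable by the
  # confined process, so a compromised server could change the code that runs
  # on its next start. If the service never writes to its install tree (check
  # in complain mode first), drop `w` from the install-tree rules.
  /usr/local/jellyfin/jellyfin rw,
  /usr/local/jellyfin/** rm,
  /usr/local/jellyfin/jellyfin rix,
  /usr/local/jellyfin/*.so* m,
  /usr/local/jellyfin/**/*.so* m,
  /usr/share/zoneinfo/** r,

  # Resolver, DHCP lease and Samba configuration (read-only)
  /etc/resolv.conf r,
  /var/lib/dhcp/** r,
  /etc/samba/smb.conf r,

  # Media tools. `ix` runs them under this same profile, so they inherit every
  # grant in it, including the capabilities at the bottom.
  # NOTE(review): these tools parse media files; a dedicated child profile
  # would confine them more tightly than inheritance does.
  /usr/bin/ffmpeg ix,
  /usr/bin/ffprobe ix,

  # Jellyfin directories
  /var/cache/jellyfin/ r,
  /var/cache/jellyfin/** rwk,

  /var/lib/jellyfin/** rwk,

  /var/log/jellyfin/ r,
  /var/log/jellyfin/** rwk,

  /etc/jellyfin/ r,
  /etc/jellyfin/** rwk,

  # Install tree again, this time with write and lock (see the note at the top).
  /usr/local/jellyfin/ r,
  /usr/local/jellyfin/** rwk,

  # Transcoding temp files
  # NOTE(review): this covers every file in the shared temp directories. When
  # the process holds `dac_override` (granted below), ownership and mode checks
  # no longer apply, so these path rules are the only limit. Narrow them to the
  # transcode directory the service actually uses, if it has one.
  /tmp/** rw,
  /var/tmp/** rw,

  # Hardware acceleration (if using)
  # NOTE(review): /sys/devices/** is far wider than the DRM nodes; narrow or
  # remove these rules when hardware acceleration is not used.
  /dev/dri/** rw,
  /sys/devices/** r,
  /sys/class/drm/** r,

  # Network: TCP and UDP over IPv4 and IPv6
  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,

  # Proc/sys access
  /proc/sys/kernel/random/uuid r,
  /proc/sys/net/ipv4/ip_forward r,
  /proc/sys/net/ipv4/conf/lo/forwarding r,
  # NOTE(review): @{pid} as defined in the stock tunables matches any PID, not
  # only the confined process. This rule therefore grants read on every
  # process's /proc entries and makes the per-file /proc/*/ read rules below
  # redundant. Confirm that this breadth is intended.
  /proc/@{pid}/** r,

  /proc/*/net/ipv6_route r,
  /proc/*/mountinfo r,
  # Proc access
  /proc/*/stat r,
  /proc/*/cgroup r,
  /proc/*/status r,
  /proc/meminfo r,
  /proc/cpuinfo r,
  # NOTE(review): the two unqualified `comm` rules make the `owner` rules that
  # follow them redundant. If only the service's own threads need to set their
  # names, keep just the `owner` forms.
  /proc/*/comm rw,
  /proc/*/task/*/comm rw,
  owner /proc/*/comm rw,
  owner /proc/*/task/*/comm rw,

  # Resource limits of the service's cgroup and its parent slice
  /sys/fs/cgroup/system.slice/jellyfin.service/cpu.max r,
  /sys/fs/cgroup/system.slice/jellyfin.service/memory.max r,
  /sys/fs/cgroup/system.slice/memory.max r,

  /dev/null rw,
  /dev/zero r,
  /dev/urandom r,

  # Capabilities granted. These are allow rules, not restrictions: any
  # capability that neither this profile nor its includes grant is denied.
  # NOTE(review): dac_override bypasses file ownership and mode checks, and
  # setuid/setgid/chown are normally needed only by a service that starts as
  # root and then drops privileges. Confirm each one is required; remove any
  # that never shows up in the audit log under complain mode.
  capability setuid,
  capability setgid,
  capability chown,
  capability dac_override,

  # Site-local additions, loaded only when the file exists.
  #include if exists <local/usr.local.jellyfin.jellyfin>
}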