* Add support for apt-cacher-ng
@ 2019-12-13 13:20 Laurent Bigonville
2019-12-13 13:20 ` [RFC 1/3] Add an interface to allow the specified domain to mmap the general network configuration files Laurent Bigonville
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Laurent Bigonville @ 2019-12-13 13:20 UTC (permalink / raw)
To: selinux-refpolicy
Hello,
Please find here my patches to add support for apt-cacher-ng.
I've labeled acngtool differently as it might be used by users as well
(apt-cacher-ng is calling it internally)
This is based on Russel's work.
^ permalink raw reply [flat|nested] 4+ messages in thread
* [RFC 1/3] Add an interface to allow the specified domain to mmap the general network configuration files
2019-12-13 13:20 Add support for apt-cacher-ng Laurent Bigonville
@ 2019-12-13 13:20 ` Laurent Bigonville
2019-12-13 13:20 ` [RFC 2/3] Add policy for apt-cacher-ng Laurent Bigonville
2019-12-13 13:20 ` [RFC 3/3] Add policy for acngtool Laurent Bigonville
2 siblings, 0 replies; 4+ messages in thread
From: Laurent Bigonville @ 2019-12-13 13:20 UTC (permalink / raw)
To: selinux-refpolicy
From: Laurent Bigonville <bigon@bigon.be>
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
---
policy/modules/system/sysnetwork.if | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 77eab21e..1f785c7c 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -364,6 +364,31 @@ interface(`sysnet_read_config',`
')
')
+#######################################
+## <summary>
+## Map network config files.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to mmap the
+## general network configuration files.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_map_config',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 net_conf_t:file map;
+')
+
#######################################
## <summary>
## Do not audit attempts to read network config files.
--
2.24.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [RFC 2/3] Add policy for apt-cacher-ng
2019-12-13 13:20 Add support for apt-cacher-ng Laurent Bigonville
2019-12-13 13:20 ` [RFC 1/3] Add an interface to allow the specified domain to mmap the general network configuration files Laurent Bigonville
@ 2019-12-13 13:20 ` Laurent Bigonville
2019-12-13 13:20 ` [RFC 3/3] Add policy for acngtool Laurent Bigonville
2 siblings, 0 replies; 4+ messages in thread
From: Laurent Bigonville @ 2019-12-13 13:20 UTC (permalink / raw)
To: selinux-refpolicy
From: Laurent Bigonville <bigon@bigon.be>
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
---
policy/modules/kernel/corenetwork.te.in | 1 +
policy/modules/services/aptcacher.fc | 11 ++++
policy/modules/services/aptcacher.if | 21 +++++++
policy/modules/services/aptcacher.te | 81 +++++++++++++++++++++++++
4 files changed, 114 insertions(+)
create mode 100644 policy/modules/services/aptcacher.fc
create mode 100644 policy/modules/services/aptcacher.if
create mode 100644 policy/modules/services/aptcacher.te
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 97870f84..abf0e8d7 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -89,6 +89,7 @@ network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
network_port(apertus_ldp, tcp,539,s0, udp,539,s0)
+network_port(aptcacher, tcp,3142,s0)
network_port(armtechdaemon, tcp,9292,s0, udp,9292,s0)
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
network_port(audit, tcp,60,s0)
diff --git a/policy/modules/services/aptcacher.fc b/policy/modules/services/aptcacher.fc
new file mode 100644
index 00000000..6835bab0
--- /dev/null
+++ b/policy/modules/services/aptcacher.fc
@@ -0,0 +1,11 @@
+/etc/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_etc_t,s0)
+
+/usr/sbin/apt-cacher-ng -- gen_context(system_u:object_r:aptcacher_exec_t,s0)
+
+/run/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_runtime_t,s0)
+
+/var/cache/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_var_cache_t,s0)
+
+/var/lib/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_var_lib_t,s0)
+
+/var/log/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_var_log_t,s0)
diff --git a/policy/modules/services/aptcacher.if b/policy/modules/services/aptcacher.if
new file mode 100644
index 00000000..82538dd5
--- /dev/null
+++ b/policy/modules/services/aptcacher.if
@@ -0,0 +1,21 @@
+## <summary>apt-cacher, cache for Debian APT repositories.</summary>
+
+######################################
+## <summary>
+## read aptcacher config
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to read it.
+## </summary>
+## </param>
+#
+interface(`aptcacher_read_config',`
+ gen_require(`
+ type aptcacher_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 aptcacher_etc_t:dir list_dir_perms;
+ allow $1 aptcacher_etc_t:file mmap_read_file_perms;
+')
diff --git a/policy/modules/services/aptcacher.te b/policy/modules/services/aptcacher.te
new file mode 100644
index 00000000..502ce6e6
--- /dev/null
+++ b/policy/modules/services/aptcacher.te
@@ -0,0 +1,81 @@
+policy_module(aptcacher, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type aptcacher_t;
+type aptcacher_exec_t;
+init_daemon_domain(aptcacher_t, aptcacher_exec_t)
+
+type aptcacher_etc_t;
+files_config_file(aptcacher_etc_t)
+
+type aptcacher_var_cache_t;
+files_type(aptcacher_var_cache_t)
+
+type aptcacher_var_lib_t;
+files_type(aptcacher_var_lib_t)
+
+type aptcacher_var_log_t;
+logging_log_file(aptcacher_var_log_t)
+
+type aptcacher_runtime_t;
+files_pid_file(aptcacher_runtime_t)
+
+########################################
+#
+# Local policy
+#
+
+allow aptcacher_t self:process signal;
+
+allow aptcacher_t self:fifo_file { read write };
+allow aptcacher_t self:netlink_route_socket r_netlink_socket_perms;
+allow aptcacher_t self:tcp_socket create_stream_socket_perms;
+allow aptcacher_t self:unix_dgram_socket create_socket_perms;
+allow aptcacher_t self:unix_stream_socket create_stream_socket_perms;
+
+allow aptcacher_t aptcacher_etc_t:file map;
+list_dirs_pattern(aptcacher_t, aptcacher_etc_t, aptcacher_etc_t)
+read_files_pattern(aptcacher_t, aptcacher_etc_t, aptcacher_etc_t)
+# /etc/apt-cacher-ng/ contains symlinks that point to /var/lib/apt-cacher-ng/
+read_lnk_files_pattern(aptcacher_t, aptcacher_etc_t, aptcacher_etc_t)
+
+allow aptcacher_t aptcacher_var_cache_t:file map;
+manage_dirs_pattern(aptcacher_t, aptcacher_var_cache_t, aptcacher_var_cache_t)
+manage_files_pattern(aptcacher_t, aptcacher_var_cache_t, aptcacher_var_cache_t)
+manage_lnk_files_pattern(aptcacher_t, aptcacher_var_cache_t, aptcacher_var_cache_t)
+
+allow aptcacher_t aptcacher_var_lib_t:file map;
+files_search_var_lib(aptcacher_t)
+read_files_pattern(aptcacher_t, aptcacher_var_lib_t, aptcacher_var_lib_t)
+
+allow aptcacher_t aptcacher_var_log_t:file map;
+logging_search_logs(aptcacher_t)
+manage_files_pattern(aptcacher_t, aptcacher_var_log_t, aptcacher_var_log_t)
+
+manage_sock_files_pattern(aptcacher_t, aptcacher_runtime_t, aptcacher_runtime_t)
+
+kernel_read_vm_overcommit_sysctl(aptcacher_t)
+
+##corecmd_exec_shell(aptcacher_t)
+
+corenet_tcp_bind_aptcacher_port(aptcacher_t)
+corenet_tcp_bind_generic_node(aptcacher_t)
+corenet_tcp_connect_http_port(aptcacher_t)
+
+auth_use_nsswitch(aptcacher_t)
+
+# Uses sd_notify() to inform systemd it has properly started
+init_search_pids(aptcacher_t)
+init_write_runtime_socket(aptcacher_t)
+
+miscfiles_read_generic_certs(aptcacher_t)
+
+# Reads /usr/share/zoneinfo/
+miscfiles_read_localization(aptcacher_t)
+
+# For some reasons it's trying to mmap /etc/hosts.deny
+sysnet_map_config(aptcacher_t)
--
2.24.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [RFC 3/3] Add policy for acngtool
2019-12-13 13:20 Add support for apt-cacher-ng Laurent Bigonville
2019-12-13 13:20 ` [RFC 1/3] Add an interface to allow the specified domain to mmap the general network configuration files Laurent Bigonville
2019-12-13 13:20 ` [RFC 2/3] Add policy for apt-cacher-ng Laurent Bigonville
@ 2019-12-13 13:20 ` Laurent Bigonville
2 siblings, 0 replies; 4+ messages in thread
From: Laurent Bigonville @ 2019-12-13 13:20 UTC (permalink / raw)
To: selinux-refpolicy
From: Laurent Bigonville <bigon@bigon.be>
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
---
policy/modules/services/aptcacher.fc | 2 ++
policy/modules/services/aptcacher.te | 33 +++++++++++++++++++++++++++-
2 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/policy/modules/services/aptcacher.fc b/policy/modules/services/aptcacher.fc
index 6835bab0..b0b5a800 100644
--- a/policy/modules/services/aptcacher.fc
+++ b/policy/modules/services/aptcacher.fc
@@ -1,5 +1,7 @@
/etc/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_etc_t,s0)
+/usr/lib/apt-cacher-ng/acngtool -- gen_context(system_u:object_r:acngtool_exec_t,s0)
+
/usr/sbin/apt-cacher-ng -- gen_context(system_u:object_r:aptcacher_exec_t,s0)
/run/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_runtime_t,s0)
diff --git a/policy/modules/services/aptcacher.te b/policy/modules/services/aptcacher.te
index 502ce6e6..6780891f 100644
--- a/policy/modules/services/aptcacher.te
+++ b/policy/modules/services/aptcacher.te
@@ -5,6 +5,10 @@ policy_module(aptcacher, 1.0.0)
# Declarations
#
+type acngtool_t;
+type acngtool_exec_t;
+application_domain(acngtool_t, acngtool_exec_t)
+
type aptcacher_t;
type aptcacher_exec_t;
init_daemon_domain(aptcacher_t, aptcacher_exec_t)
@@ -37,6 +41,8 @@ allow aptcacher_t self:tcp_socket create_stream_socket_perms;
allow aptcacher_t self:unix_dgram_socket create_socket_perms;
allow aptcacher_t self:unix_stream_socket create_stream_socket_perms;
+can_exec(aptcacher_t, acngtool_exec_t)
+
allow aptcacher_t aptcacher_etc_t:file map;
list_dirs_pattern(aptcacher_t, aptcacher_etc_t, aptcacher_etc_t)
read_files_pattern(aptcacher_t, aptcacher_etc_t, aptcacher_etc_t)
@@ -60,7 +66,8 @@ manage_sock_files_pattern(aptcacher_t, aptcacher_runtime_t, aptcacher_runtime_t)
kernel_read_vm_overcommit_sysctl(aptcacher_t)
-##corecmd_exec_shell(aptcacher_t)
+# Calls system()
+corecmd_exec_shell(aptcacher_t)
corenet_tcp_bind_aptcacher_port(aptcacher_t)
corenet_tcp_bind_generic_node(aptcacher_t)
@@ -79,3 +86,27 @@ miscfiles_read_localization(aptcacher_t)
# For some reasons it's trying to mmap /etc/hosts.deny
sysnet_map_config(aptcacher_t)
+
+#######################################
+#
+# acngtool local policy
+#
+
+allow acngtool_t self:netlink_route_socket r_netlink_socket_perms;
+allow acngtool_t self:tcp_socket create_stream_socket_perms;
+allow acngtool_t self:unix_stream_socket create_stream_socket_perms;
+
+allow acngtool_t aptcacher_etc_t:file map;
+list_dirs_pattern(acngtool_t, aptcacher_etc_t, aptcacher_etc_t)
+read_files_pattern(acngtool_t, aptcacher_etc_t, aptcacher_etc_t)
+
+corenet_tcp_connect_aptcacher_port(acngtool_t)
+
+auth_use_nsswitch(acngtool_t)
+
+# For some reasons it's trying to mmap /etc/hosts.deny
+sysnet_map_config(acngtool_t)
+
+optional_policy(`
+ cron_system_entry(acngtool_t, acngtool_exec_t)
+')
--
2.24.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-12-13 20:37 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-12-13 13:20 Add support for apt-cacher-ng Laurent Bigonville
2019-12-13 13:20 ` [RFC 1/3] Add an interface to allow the specified domain to mmap the general network configuration files Laurent Bigonville
2019-12-13 13:20 ` [RFC 2/3] Add policy for apt-cacher-ng Laurent Bigonville
2019-12-13 13:20 ` [RFC 3/3] Add policy for acngtool Laurent Bigonville
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).