SELinux-Refpolicy Archive on lore.kernel.org
* Add support for apt-cacher-ng
@ 2019-12-13 13:20 Laurent Bigonville
  2019-12-13 13:20 ` [RFC 1/3] Add an interface to allow the specified domain to mmap the general network configuration files Laurent Bigonville
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Laurent Bigonville @ 2019-12-13 13:20 UTC (permalink / raw)
  To: selinux-refpolicy

Hello,

Please find here my patches to add support for apt-cacher-ng.

I've labeled acngtool differently as it might be used by users as well
(apt-cacher-ng is calling it internally).

This is based on Russel's work.

* [RFC 1/3] Add an interface to allow the specified domain to mmap the general network configuration files
  2019-12-13 13:20 Add support for apt-cacher-ng Laurent Bigonville
@ 2019-12-13 13:20 ` Laurent Bigonville
  2019-12-13 13:20 ` [RFC 2/3] Add policy for apt-cacher-ng Laurent Bigonville
  2019-12-13 13:20 ` [RFC 3/3] Add policy for acngtool Laurent Bigonville
  2 siblings, 0 replies; 4+ messages in thread
From: Laurent Bigonville @ 2019-12-13 13:20 UTC (permalink / raw)
  To: selinux-refpolicy

From: Laurent Bigonville <bigon@bigon.be>

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
---
 policy/modules/system/sysnetwork.if | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 77eab21e..1f785c7c 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -364,6 +364,31 @@ interface(`sysnet_read_config',`
 	')
 ')
 
+#######################################
+## <summary>
+##     Map network config files.
+## </summary>
+## <desc>
+##     <p>
+##     Allow the specified domain to mmap the
+##     general network configuration files.
+##     </p>
+## </desc>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`sysnet_map_config',`
+	gen_require(`
+		type net_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 net_conf_t:file map;
+')
+
 #######################################
 ## <summary>
 ##	Do not audit attempts to read network config files.
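Review bot: `sysnet_map_config` grants only `map` on net_conf_t, and the kernel checks `map` in addition to `read` on a read-only mmap(), so a caller that has not also called `sysnet_read_config` still gets a denial. Either state in the `<desc>` that this interface supplements `sysnet_read_config`, or make it self-contained with `allow $1 net_conf_t:file mmap_read_file_perms;` (the permission set the series itself uses in aptcacher.if). Also, the new doc comments are indented with spaces (`##     Map network config files.`) while the surrounding interfaces use a tab (`##	Do not audit attempts ...`); match the existing style.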
-- 
2.24.0

* [RFC 2/3] Add policy for apt-cacher-ng
  2019-12-13 13:20 Add support for apt-cacher-ng Laurent Bigonville
  2019-12-13 13:20 ` [RFC 1/3] Add an interface to allow the specified domain to mmap the general network configuration files Laurent Bigonville
@ 2019-12-13 13:20 ` Laurent Bigonville
  2019-12-13 13:20 ` [RFC 3/3] Add policy for acngtool Laurent Bigonville
  2 siblings, 0 replies; 4+ messages in thread
From: Laurent Bigonville @ 2019-12-13 13:20 UTC (permalink / raw)
  To: selinux-refpolicy

From: Laurent Bigonville <bigon@bigon.be>

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
---
 policy/modules/kernel/corenetwork.te.in |  1 +
 policy/modules/services/aptcacher.fc    | 11 ++++
 policy/modules/services/aptcacher.if    | 21 +++++++
 policy/modules/services/aptcacher.te    | 81 +++++++++++++++++++++++++
 4 files changed, 114 insertions(+)
 create mode 100644 policy/modules/services/aptcacher.fc
 create mode 100644 policy/modules/services/aptcacher.if
 create mode 100644 policy/modules/services/aptcacher.te

diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 97870f84..abf0e8d7 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -89,6 +89,7 @@ network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
 network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
 network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
 network_port(apertus_ldp, tcp,539,s0, udp,539,s0)
+network_port(aptcacher, tcp,3142,s0)
 network_port(armtechdaemon, tcp,9292,s0, udp,9292,s0)
 network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
 network_port(audit, tcp,60,s0)
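Review bot: the commit message is empty, so nothing records that tcp/3142 is apt-cacher-ng's default `Port:` setting, nor that an administrator who changes it must relabel the new port with `semanage port`; a one-line description would help. Placement and format are consistent with the neighbouring `network_port()` entries.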
diff --git a/policy/modules/services/aptcacher.fc b/policy/modules/services/aptcacher.fc
new file mode 100644
index 00000000..6835bab0
--- /dev/null
+++ b/policy/modules/services/aptcacher.fc
@@ -0,0 +1,11 @@
+/etc/apt-cacher-ng(/.*)?  gen_context(system_u:object_r:aptcacher_etc_t,s0)
+
+/usr/sbin/apt-cacher-ng -- gen_context(system_u:object_r:aptcacher_exec_t,s0)
+
+/run/apt-cacher-ng(/.*)?  gen_context(system_u:object_r:aptcacher_runtime_t,s0)
+
+/var/cache/apt-cacher-ng(/.*)?	gen_context(system_u:object_r:aptcacher_var_cache_t,s0)
+
+/var/lib/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_var_lib_t,s0)
+
+/var/log/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_var_log_t,s0)
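Review bot: the separator between the path and `gen_context()` differs from line to line (two spaces, one space, and a tab on the `/var/cache/apt-cacher-ng` entry); refpolicy .fc files use a single tab throughout, so align all six entries.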
diff --git a/policy/modules/services/aptcacher.if b/policy/modules/services/aptcacher.if
new file mode 100644
index 00000000..82538dd5
--- /dev/null
+++ b/policy/modules/services/aptcacher.if
@@ -0,0 +1,21 @@
+## <summary>apt-cacher, cache for Debian APT repositories.</summary>
+
+######################################
+## <summary>
+##	read aptcacher config
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to read it.
+##	</summary>
+## </param>
+#
+interface(`aptcacher_read_config',`
+	gen_require(`
+		type aptcacher_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 aptcacher_etc_t:dir list_dir_perms;
+	allow $1 aptcacher_etc_t:file mmap_read_file_perms;
+')
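Review bot: the module summary reads `apt-cacher, cache for Debian APT repositories.` but this module covers apt-cacher-ng; apt-cacher is a different, unrelated Perl project, so name the right one or the generated documentation will mislead. The interface summary `read aptcacher config` should follow the refpolicy convention of a capitalised sentence (e.g. `Read aptcacher configuration files.`). The body is fine as is: `mmap_read_file_perms` already includes `map`, so callers need no separate map rule.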
diff --git a/policy/modules/services/aptcacher.te b/policy/modules/services/aptcacher.te
new file mode 100644
index 00000000..502ce6e6
--- /dev/null
+++ b/policy/modules/services/aptcacher.te
@@ -0,0 +1,81 @@
+policy_module(aptcacher, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type aptcacher_t;
+type aptcacher_exec_t;
+init_daemon_domain(aptcacher_t, aptcacher_exec_t)
+
+type aptcacher_etc_t;
+files_config_file(aptcacher_etc_t)
+
+type aptcacher_var_cache_t;
+files_type(aptcacher_var_cache_t)
+
+type aptcacher_var_lib_t;
+files_type(aptcacher_var_lib_t)
+
+type aptcacher_var_log_t;
+logging_log_file(aptcacher_var_log_t)
+
+type aptcacher_runtime_t;
+files_pid_file(aptcacher_runtime_t)
+
+########################################
+#
+# Local policy
+#
+
+allow aptcacher_t self:process signal;
+
+allow aptcacher_t self:fifo_file { read write };
+allow aptcacher_t self:netlink_route_socket r_netlink_socket_perms;
+allow aptcacher_t self:tcp_socket create_stream_socket_perms;
+allow aptcacher_t self:unix_dgram_socket create_socket_perms;
+allow aptcacher_t self:unix_stream_socket create_stream_socket_perms;
+
+allow aptcacher_t aptcacher_etc_t:file map;
+list_dirs_pattern(aptcacher_t, aptcacher_etc_t, aptcacher_etc_t)
+read_files_pattern(aptcacher_t, aptcacher_etc_t, aptcacher_etc_t)
+# /etc/apt-cacher-ng/ contains symlinks that point to /var/lib/apt-cacher-ng/
+read_lnk_files_pattern(aptcacher_t, aptcacher_etc_t, aptcacher_etc_t)
+
+allow aptcacher_t aptcacher_var_cache_t:file map;
+manage_dirs_pattern(aptcacher_t, aptcacher_var_cache_t, aptcacher_var_cache_t)
+manage_files_pattern(aptcacher_t, aptcacher_var_cache_t, aptcacher_var_cache_t)
+manage_lnk_files_pattern(aptcacher_t, aptcacher_var_cache_t, aptcacher_var_cache_t)
+
+allow aptcacher_t aptcacher_var_lib_t:file map;
+files_search_var_lib(aptcacher_t)
+read_files_pattern(aptcacher_t, aptcacher_var_lib_t, aptcacher_var_lib_t)
+
+allow aptcacher_t aptcacher_var_log_t:file map;
+logging_search_logs(aptcacher_t)
+manage_files_pattern(aptcacher_t, aptcacher_var_log_t, aptcacher_var_log_t)
+
+manage_sock_files_pattern(aptcacher_t, aptcacher_runtime_t, aptcacher_runtime_t)
+
+kernel_read_vm_overcommit_sysctl(aptcacher_t)
+
+##corecmd_exec_shell(aptcacher_t)
+
+corenet_tcp_bind_aptcacher_port(aptcacher_t)
+corenet_tcp_bind_generic_node(aptcacher_t)
+corenet_tcp_connect_http_port(aptcacher_t)
+
+auth_use_nsswitch(aptcacher_t)
+
+# Uses sd_notify() to inform systemd it has properly started
+init_search_pids(aptcacher_t)
+init_write_runtime_socket(aptcacher_t)
+
+miscfiles_read_generic_certs(aptcacher_t)
+
+# Reads /usr/share/zoneinfo/
+miscfiles_read_localization(aptcacher_t)
+
+# For some reasons it's trying to mmap /etc/hosts.deny
+sysnet_map_config(aptcacher_t)
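Review bot: the runtime socket handling is incomplete. `manage_sock_files_pattern` on aptcacher_runtime_t only works once a correctly labelled `/run/apt-cacher-ng/` exists, and there is no `files_pid_filetrans(aptcacher_t, aptcacher_runtime_t, { dir sock_file })`, so if the daemon creates the directory or socket itself under /run the object gets the generic runtime label and this rule never applies; add the filetrans, or document that the directory is pre-created with the .fc label by the unit. Other points: `##corecmd_exec_shell(aptcacher_t)` is a commented-out leftover that 3/3 re-enables, so either drop it or carry the final form here; the `allow ... :file map;` plus `read_files_pattern` pairs on aptcacher_etc_t and aptcacher_var_lib_t collapse into `mmap_read_files_pattern`; and the comment `For some reasons it's trying to mmap /etc/hosts.deny` records a symptom rather than a cause, so find out which code path performs that mmap and whether it is needed before adding a new sysnet interface for it. Note also that `sysnet_map_config` gives only `map`; the matching `read` on net_conf_t arrives indirectly through `auth_use_nsswitch`, which is worth a comment.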
-- 
2.24.0

* [RFC 3/3] Add policy for acngtool
  2019-12-13 13:20 Add support for apt-cacher-ng Laurent Bigonville
  2019-12-13 13:20 ` [RFC 1/3] Add an interface to allow the specified domain to mmap the general network configuration files Laurent Bigonville
  2019-12-13 13:20 ` [RFC 2/3] Add policy for apt-cacher-ng Laurent Bigonville
@ 2019-12-13 13:20 ` Laurent Bigonville
  2 siblings, 0 replies; 4+ messages in thread
From: Laurent Bigonville @ 2019-12-13 13:20 UTC (permalink / raw)
  To: selinux-refpolicy

From: Laurent Bigonville <bigon@bigon.be>

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
---
 policy/modules/services/aptcacher.fc |  2 ++
 policy/modules/services/aptcacher.te | 33 +++++++++++++++++++++++++++-
 2 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/aptcacher.fc b/policy/modules/services/aptcacher.fc
index 6835bab0..b0b5a800 100644
--- a/policy/modules/services/aptcacher.fc
+++ b/policy/modules/services/aptcacher.fc
@@ -1,5 +1,7 @@
 /etc/apt-cacher-ng(/.*)?  gen_context(system_u:object_r:aptcacher_etc_t,s0)
 
+/usr/lib/apt-cacher-ng/acngtool -- gen_context(system_u:object_r:acngtool_exec_t,s0)
+
 /usr/sbin/apt-cacher-ng -- gen_context(system_u:object_r:aptcacher_exec_t,s0)
 
 /run/apt-cacher-ng(/.*)?  gen_context(system_u:object_r:aptcacher_runtime_t,s0)
diff --git a/policy/modules/services/aptcacher.te b/policy/modules/services/aptcacher.te
index 502ce6e6..6780891f 100644
--- a/policy/modules/services/aptcacher.te
+++ b/policy/modules/services/aptcacher.te
@@ -5,6 +5,10 @@ policy_module(aptcacher, 1.0.0)
 # Declarations
 #
 
+type acngtool_t;
+type acngtool_exec_t;
+application_domain(acngtool_t, acngtool_exec_t)
+
 type aptcacher_t;
 type aptcacher_exec_t;
 init_daemon_domain(aptcacher_t, aptcacher_exec_t)
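Review bot: `acngtool_t` is declared with `application_domain()` but no entry interface is added to aptcacher.if (e.g. an `aptcacher_domtrans_acngtool()` / `aptcacher_run_acngtool()` pair built on `domtrans_pattern` with a role assignment), so the "might be used by users as well" case from the cover letter cannot transition into this domain; a confined user would run acngtool in their own domain, where none of the acngtool_t rules apply.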
@@ -37,6 +41,8 @@ allow aptcacher_t self:tcp_socket create_stream_socket_perms;
 allow aptcacher_t self:unix_dgram_socket create_socket_perms;
 allow aptcacher_t self:unix_stream_socket create_stream_socket_perms;
 
+can_exec(aptcacher_t, acngtool_exec_t)
+
 allow aptcacher_t aptcacher_etc_t:file map;
 list_dirs_pattern(aptcacher_t, aptcacher_etc_t, aptcacher_etc_t)
 read_files_pattern(aptcacher_t, aptcacher_etc_t, aptcacher_etc_t)
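Review bot: `can_exec(aptcacher_t, acngtool_exec_t)` lets the daemon execute acngtool without a domain transition, so when apt-cacher-ng calls it internally the tool runs as aptcacher_t and the new acngtool_t domain is never entered. If the separation is intended, use `domtrans_pattern(aptcacher_t, acngtool_exec_t, acngtool_t)` instead; if it is not, say so in a comment so the reader knows acngtool_t is reached only via cron.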
@@ -60,7 +66,8 @@ manage_sock_files_pattern(aptcacher_t, aptcacher_runtime_t, aptcacher_runtime_t)
 
 kernel_read_vm_overcommit_sysctl(aptcacher_t)
 
-##corecmd_exec_shell(aptcacher_t)
+# Calls system()
+corecmd_exec_shell(aptcacher_t)
 
 corenet_tcp_bind_aptcacher_port(aptcacher_t)
 corenet_tcp_bind_generic_node(aptcacher_t)
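Review bot: this hunk turns the `##corecmd_exec_shell(aptcacher_t)` placeholder from 2/3 into a live rule with a `# Calls system()` comment; that is a fix-up of the previous patch, so squash it into 2/3 rather than introducing and then correcting a commented-out line within the same series. The comment should also say which code path calls system(), since `corecmd_exec_shell` is a broad grant for a network-facing daemon.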
@@ -79,3 +86,27 @@ miscfiles_read_localization(aptcacher_t)
 
 # For some reasons it's trying to mmap /etc/hosts.deny
 sysnet_map_config(aptcacher_t)
+
+#######################################
+#
+# acngtool local policy
+#
+
+allow acngtool_t self:netlink_route_socket r_netlink_socket_perms;
+allow acngtool_t self:tcp_socket create_stream_socket_perms;
+allow acngtool_t self:unix_stream_socket create_stream_socket_perms;
+
+allow acngtool_t aptcacher_etc_t:file map;
+list_dirs_pattern(acngtool_t, aptcacher_etc_t, aptcacher_etc_t)
+read_files_pattern(acngtool_t, aptcacher_etc_t, aptcacher_etc_t)
+
+corenet_tcp_connect_aptcacher_port(acngtool_t)
+
+auth_use_nsswitch(acngtool_t)
+
+# For some reasons it's trying to mmap /etc/hosts.deny
+sysnet_map_config(acngtool_t)
+
+optional_policy(`
+	cron_system_entry(acngtool_t, acngtool_exec_t)
+')
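Review bot: the `allow acngtool_t aptcacher_etc_t:file map;` plus `read_files_pattern` pair can be written as `mmap_read_files_pattern(acngtool_t, aptcacher_etc_t, aptcacher_etc_t)`, matching the `mmap_read_file_perms` used in the interface from 2/3, and `files_search_etc(acngtool_t)` is missing, currently satisfied only indirectly through `auth_use_nsswitch`. The `# For some reasons it's trying to mmap /etc/hosts.deny` comment is copied from the daemon policy; since both binaries show the same access, a shared library is the likely origin, and establishing that would turn two guesses into one explained rule.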
-- 
2.24.0
