From: Laurent Bigonville <bigon@debian.org>
To: selinux-refpolicy@vger.kernel.org
Subject: [RFC 3/3] Add policy for acngtool
Date: Fri, 13 Dec 2019 14:20:16 +0100 [thread overview]
Message-ID: <20191213132016.308556-4-bigon@debian.org> (raw)
In-Reply-To: <20191213132016.308556-1-bigon@debian.org>
From: Laurent Bigonville <bigon@bigon.be>
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
---
policy/modules/services/aptcacher.fc | 2 ++
policy/modules/services/aptcacher.te | 33 +++++++++++++++++++++++++++-
2 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/policy/modules/services/aptcacher.fc b/policy/modules/services/aptcacher.fc
index 6835bab0..b0b5a800 100644
--- a/policy/modules/services/aptcacher.fc
+++ b/policy/modules/services/aptcacher.fc
@@ -1,5 +1,7 @@
/etc/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_etc_t,s0)
+/usr/lib/apt-cacher-ng/acngtool -- gen_context(system_u:object_r:acngtool_exec_t,s0)
+
/usr/sbin/apt-cacher-ng -- gen_context(system_u:object_r:aptcacher_exec_t,s0)
/run/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_runtime_t,s0)
diff --git a/policy/modules/services/aptcacher.te b/policy/modules/services/aptcacher.te
index 502ce6e6..6780891f 100644
--- a/policy/modules/services/aptcacher.te
+++ b/policy/modules/services/aptcacher.te
@@ -5,6 +5,10 @@ policy_module(aptcacher, 1.0.0)
# Declarations
#
+type acngtool_t;
+type acngtool_exec_t;
+application_domain(acngtool_t, acngtool_exec_t)
+
type aptcacher_t;
type aptcacher_exec_t;
init_daemon_domain(aptcacher_t, aptcacher_exec_t)
@@ -37,6 +41,8 @@ allow aptcacher_t self:tcp_socket create_stream_socket_perms;
allow aptcacher_t self:unix_dgram_socket create_socket_perms;
allow aptcacher_t self:unix_stream_socket create_stream_socket_perms;
+can_exec(aptcacher_t, acngtool_exec_t)
+
allow aptcacher_t aptcacher_etc_t:file map;
list_dirs_pattern(aptcacher_t, aptcacher_etc_t, aptcacher_etc_t)
read_files_pattern(aptcacher_t, aptcacher_etc_t, aptcacher_etc_t)
@@ -60,7 +66,8 @@ manage_sock_files_pattern(aptcacher_t, aptcacher_runtime_t, aptcacher_runtime_t)
kernel_read_vm_overcommit_sysctl(aptcacher_t)
-##corecmd_exec_shell(aptcacher_t)
+# Calls system()
+corecmd_exec_shell(aptcacher_t)
corenet_tcp_bind_aptcacher_port(aptcacher_t)
corenet_tcp_bind_generic_node(aptcacher_t)
@@ -79,3 +86,27 @@ miscfiles_read_localization(aptcacher_t)
# For some reasons it's trying to mmap /etc/hosts.deny
sysnet_map_config(aptcacher_t)
+
+#######################################
+#
+# acngtool local policy
+#
+
+allow acngtool_t self:netlink_route_socket r_netlink_socket_perms;
+allow acngtool_t self:tcp_socket create_stream_socket_perms;
+allow acngtool_t self:unix_stream_socket create_stream_socket_perms;
+
+allow acngtool_t aptcacher_etc_t:file map;
+list_dirs_pattern(acngtool_t, aptcacher_etc_t, aptcacher_etc_t)
+read_files_pattern(acngtool_t, aptcacher_etc_t, aptcacher_etc_t)
+
+corenet_tcp_connect_aptcacher_port(acngtool_t)
+
+auth_use_nsswitch(acngtool_t)
+
+# For some reasons it's trying to mmap /etc/hosts.deny
+sysnet_map_config(acngtool_t)
+
+optional_policy(`
+ cron_system_entry(acngtool_t, acngtool_exec_t)
+')
--
2.24.0
prev parent reply other threads:[~2019-12-13 20:37 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-13 13:20 Add support for apt-cacher-ng Laurent Bigonville
2019-12-13 13:20 ` [RFC 1/3] Add an interface to allow the specified domain to mmap the general network configuration files Laurent Bigonville
2019-12-13 13:20 ` [RFC 2/3] Add policy for apt-cacher-ng Laurent Bigonville
2019-12-13 13:20 ` Laurent Bigonville [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191213132016.308556-4-bigon@debian.org \
--to=bigon@debian.org \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).