selinux-refpolicy.vger.kernel.org archive mirror
From: Laurent Bigonville <bigon@debian.org>
To: selinux-refpolicy@vger.kernel.org
Subject: [RFC 3/3] Add policy for acngtool
Date: Fri, 13 Dec 2019 14:20:16 +0100
Message-ID: <20191213132016.308556-4-bigon@debian.org>
In-Reply-To: <20191213132016.308556-1-bigon@debian.org>

From: Laurent Bigonville <bigon@bigon.be>

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
---
 policy/modules/services/aptcacher.fc |  2 ++
 policy/modules/services/aptcacher.te | 33 +++++++++++++++++++++++++++-
 2 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/aptcacher.fc b/policy/modules/services/aptcacher.fc
index 6835bab0..b0b5a800 100644
--- a/policy/modules/services/aptcacher.fc
+++ b/policy/modules/services/aptcacher.fc
@@ -1,5 +1,7 @@
 /etc/apt-cacher-ng(/.*)?  gen_context(system_u:object_r:aptcacher_etc_t,s0)
 
+/usr/lib/apt-cacher-ng/acngtool -- gen_context(system_u:object_r:acngtool_exec_t,s0)
+
 /usr/sbin/apt-cacher-ng -- gen_context(system_u:object_r:aptcacher_exec_t,s0)
 
 /run/apt-cacher-ng(/.*)?  gen_context(system_u:object_r:aptcacher_runtime_t,s0)
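Review bot: the only file context added for the helper is /usr/lib/apt-cacher-ng/acngtool; refpolicy is meant to be distribution-neutral, so wherever the binary is packaged under a different directory it will keep the generic library label instead of acngtool_exec_t, and both the can_exec() rule and the cron_system_entry() call in aptcacher.te then never apply. Either add the alternative locations or state in the commit message that the path is Debian-specific.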
diff --git a/policy/modules/services/aptcacher.te b/policy/modules/services/aptcacher.te
index 502ce6e6..6780891f 100644
--- a/policy/modules/services/aptcacher.te
+++ b/policy/modules/services/aptcacher.te
@@ -5,6 +5,10 @@ policy_module(aptcacher, 1.0.0)
 # Declarations
 #
 
+type acngtool_t;
+type acngtool_exec_t;
+application_domain(acngtool_t, acngtool_exec_t)
+
 type aptcacher_t;
 type aptcacher_exec_t;
 init_daemon_domain(aptcacher_t, aptcacher_exec_t)
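Review bot: the patch carries no description, so a reader of these declarations cannot tell what acngtool is or why it needs a domain separate from aptcacher_t; add a commit message, and a short comment above `type acngtool_t;`, saying what the helper does and who launches it, as the later hunks (the daemon via can_exec(), cron via cron_system_entry()) only imply.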
@@ -37,6 +41,8 @@ allow aptcacher_t self:tcp_socket create_stream_socket_perms;
 allow aptcacher_t self:unix_dgram_socket create_socket_perms;
 allow aptcacher_t self:unix_stream_socket create_stream_socket_perms;
 
+can_exec(aptcacher_t, acngtool_exec_t)
+
 allow aptcacher_t aptcacher_etc_t:file map;
 list_dirs_pattern(aptcacher_t, aptcacher_etc_t, aptcacher_etc_t)
 read_files_pattern(aptcacher_t, aptcacher_etc_t, aptcacher_etc_t)
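Review bot: can_exec(aptcacher_t, acngtool_exec_t) runs acngtool inside the daemon's own domain with no transition, so when launched this way the helper is limited to aptcacher_t's rules and the separate permissions this patch grants to acngtool_t (netlink_route_socket, the aptcacher port connect, nsswitch) do not come into play. If the daemon really needs to spawn the helper, either make sure aptcacher_t already covers what acngtool does at that point or transition to acngtool_t instead, and add a comment here saying why the daemon executes it.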
@@ -60,7 +66,8 @@ manage_sock_files_pattern(aptcacher_t, aptcacher_runtime_t, aptcacher_runtime_t)
 
 kernel_read_vm_overcommit_sysctl(aptcacher_t)
 
-##corecmd_exec_shell(aptcacher_t)
+# Calls system()
+corecmd_exec_shell(aptcacher_t)
 
 corenet_tcp_bind_aptcacher_port(aptcacher_t)
 corenet_tcp_bind_generic_node(aptcacher_t)
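Review bot: `# Calls system()` says only that a shell is spawned, not for what; given the can_exec() rule added above it is presumably to run acngtool, so say so, and note that because system() goes through /bin/sh any command it builds also runs in aptcacher_t. Re-enabling a rule that was previously commented out with `##` also deserves a sentence in the commit message explaining why it was disabled before.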
@@ -79,3 +86,27 @@ miscfiles_read_localization(aptcacher_t)
 
 # For some reasons it's trying to mmap /etc/hosts.deny
 sysnet_map_config(aptcacher_t)
+
+#######################################
+#
+# acngtool local policy
+#
+
+allow acngtool_t self:netlink_route_socket r_netlink_socket_perms;
+allow acngtool_t self:tcp_socket create_stream_socket_perms;
+allow acngtool_t self:unix_stream_socket create_stream_socket_perms;
+
+allow acngtool_t aptcacher_etc_t:file map;
+list_dirs_pattern(acngtool_t, aptcacher_etc_t, aptcacher_etc_t)
+read_files_pattern(acngtool_t, aptcacher_etc_t, aptcacher_etc_t)
+
+corenet_tcp_connect_aptcacher_port(acngtool_t)
+
+auth_use_nsswitch(acngtool_t)
+
+# For some reasons it's trying to mmap /etc/hosts.deny
+sysnet_map_config(acngtool_t)
+
+optional_policy(`
+	cron_system_entry(acngtool_t, acngtool_exec_t)
+')
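Review bot: acngtool_t is entered only through cron_system_entry(), and that call sits inside optional_policy(), so when the cron module is not present nothing transitions into the domain and the rules above are dead; application_domain() adds no transition by itself, and no .if interface (an acngtool_domtrans/acngtool_run pair) is added for an administrator to run the tool in its domain, so a manual invocation stays in the caller's domain. Either add the interfaces or state in the commit message that cron is the only intended entry point. Separately, `# For some reasons it's trying to mmap /etc/hosts.deny` is copied verbatim from the aptcacher_t block; track down the cause (if it is a library both binaries use, name it) rather than carrying the guess into a second domain.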
-- 
2.24.0


Thread overview: 4+ messages
2019-12-13 13:20 Add support for apt-cacher-ng Laurent Bigonville
2019-12-13 13:20 ` [RFC 1/3] Add an interface to allow the specified domain to mmap the general network configuration files Laurent Bigonville
2019-12-13 13:20 ` [RFC 2/3] Add policy for apt-cacher-ng Laurent Bigonville
2019-12-13 13:20 ` Laurent Bigonville [this message]
