[RFC 2/3] Add policy for apt-cacher-ng

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Laurent Bigonville <bigon@debian.org>
To: selinux-refpolicy@vger.kernel.org
Subject: [RFC 2/3] Add policy for apt-cacher-ng
Date: Fri, 13 Dec 2019 14:20:15 +0100	[thread overview]
Message-ID: <20191213132016.308556-3-bigon@debian.org> (raw)
In-Reply-To: <20191213132016.308556-1-bigon@debian.org>

From: Laurent Bigonville <bigon@bigon.be>

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
---
 policy/modules/kernel/corenetwork.te.in |  1 +
 policy/modules/services/aptcacher.fc    | 11 ++++
 policy/modules/services/aptcacher.if    | 21 +++++++
 policy/modules/services/aptcacher.te    | 81 +++++++++++++++++++++++++
 4 files changed, 114 insertions(+)
 create mode 100644 policy/modules/services/aptcacher.fc
 create mode 100644 policy/modules/services/aptcacher.if
 create mode 100644 policy/modules/services/aptcacher.te

diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 97870f84..abf0e8d7 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -89,6 +89,7 @@ network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
 network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
 network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
 network_port(apertus_ldp, tcp,539,s0, udp,539,s0)
+network_port(aptcacher, tcp,3142,s0)
 network_port(armtechdaemon, tcp,9292,s0, udp,9292,s0)
 network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
 network_port(audit, tcp,60,s0)
diff --git a/policy/modules/services/aptcacher.fc b/policy/modules/services/aptcacher.fc
new file mode 100644
index 00000000..6835bab0
--- /dev/null
+++ b/policy/modules/services/aptcacher.fc
@@ -0,0 +1,11 @@
+/etc/apt-cacher-ng(/.*)?  gen_context(system_u:object_r:aptcacher_etc_t,s0)
+
+/usr/sbin/apt-cacher-ng -- gen_context(system_u:object_r:aptcacher_exec_t,s0)
+
+/run/apt-cacher-ng(/.*)?  gen_context(system_u:object_r:aptcacher_runtime_t,s0)
+
+/var/cache/apt-cacher-ng(/.*)?	gen_context(system_u:object_r:aptcacher_var_cache_t,s0)
+
+/var/lib/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_var_lib_t,s0)
+
+/var/log/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_var_log_t,s0)
diff --git a/policy/modules/services/aptcacher.if b/policy/modules/services/aptcacher.if
new file mode 100644
index 00000000..82538dd5
--- /dev/null
+++ b/policy/modules/services/aptcacher.if
@@ -0,0 +1,21 @@
+## <summary>apt-cacher, cache for Debian APT repositories.</summary>
+
+######################################
+## <summary>
+##	read aptcacher config
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to read it.
+##	</summary>
+## </param>
+#
+interface(`aptcacher_read_config',`
+	gen_require(`
+		type aptcacher_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 aptcacher_etc_t:dir list_dir_perms;
+	allow $1 aptcacher_etc_t:file mmap_read_file_perms;
+')
diff --git a/policy/modules/services/aptcacher.te b/policy/modules/services/aptcacher.te
new file mode 100644
index 00000000..502ce6e6
--- /dev/null
+++ b/policy/modules/services/aptcacher.te
@@ -0,0 +1,81 @@
+policy_module(aptcacher, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type aptcacher_t;
+type aptcacher_exec_t;
+init_daemon_domain(aptcacher_t, aptcacher_exec_t)
+
+type aptcacher_etc_t;
+files_config_file(aptcacher_etc_t)
+
+type aptcacher_var_cache_t;
+files_type(aptcacher_var_cache_t)
+
+type aptcacher_var_lib_t;
+files_type(aptcacher_var_lib_t)
+
+type aptcacher_var_log_t;
+logging_log_file(aptcacher_var_log_t)
+
+type aptcacher_runtime_t;
+files_pid_file(aptcacher_runtime_t)
+
+########################################
+#
+# Local policy
+#
+
+allow aptcacher_t self:process signal;
+
+allow aptcacher_t self:fifo_file { read write };
+allow aptcacher_t self:netlink_route_socket r_netlink_socket_perms;
+allow aptcacher_t self:tcp_socket create_stream_socket_perms;
+allow aptcacher_t self:unix_dgram_socket create_socket_perms;
+allow aptcacher_t self:unix_stream_socket create_stream_socket_perms;
+
+allow aptcacher_t aptcacher_etc_t:file map;
+list_dirs_pattern(aptcacher_t, aptcacher_etc_t, aptcacher_etc_t)
+read_files_pattern(aptcacher_t, aptcacher_etc_t, aptcacher_etc_t)
+# /etc/apt-cacher-ng/ contains symlinks that point to /var/lib/apt-cacher-ng/
+read_lnk_files_pattern(aptcacher_t, aptcacher_etc_t, aptcacher_etc_t)
+
+allow aptcacher_t aptcacher_var_cache_t:file map;
+manage_dirs_pattern(aptcacher_t, aptcacher_var_cache_t, aptcacher_var_cache_t)
+manage_files_pattern(aptcacher_t, aptcacher_var_cache_t, aptcacher_var_cache_t)
+manage_lnk_files_pattern(aptcacher_t, aptcacher_var_cache_t, aptcacher_var_cache_t)
+
+allow aptcacher_t aptcacher_var_lib_t:file map;
+files_search_var_lib(aptcacher_t)
+read_files_pattern(aptcacher_t, aptcacher_var_lib_t, aptcacher_var_lib_t)
+
+allow aptcacher_t aptcacher_var_log_t:file map;
+logging_search_logs(aptcacher_t)
+manage_files_pattern(aptcacher_t, aptcacher_var_log_t, aptcacher_var_log_t)
+
+manage_sock_files_pattern(aptcacher_t, aptcacher_runtime_t, aptcacher_runtime_t)
+
+kernel_read_vm_overcommit_sysctl(aptcacher_t)
+
+##corecmd_exec_shell(aptcacher_t)
+
+corenet_tcp_bind_aptcacher_port(aptcacher_t)
+corenet_tcp_bind_generic_node(aptcacher_t)
+corenet_tcp_connect_http_port(aptcacher_t)
+
+auth_use_nsswitch(aptcacher_t)
+
+# Uses sd_notify() to inform systemd it has properly started
+init_search_pids(aptcacher_t)
+init_write_runtime_socket(aptcacher_t)
+
+miscfiles_read_generic_certs(aptcacher_t)
+
+# Reads /usr/share/zoneinfo/
+miscfiles_read_localization(aptcacher_t)
+
+# For some reasons it's trying to mmap /etc/hosts.deny
+sysnet_map_config(aptcacher_t)
-- 
2.24.0

next prev parent reply	other threads:[~2019-12-13 20:37 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-12-13 13:20 Add support for apt-cacher-ng Laurent Bigonville
2019-12-13 13:20 ` [RFC 1/3] Add an interface to allow the specified domain to mmap the general network configuration files Laurent Bigonville
2019-12-13 13:20 ` Laurent Bigonville [this message]
2019-12-13 13:20 ` [RFC 3/3] Add policy for acngtool Laurent Bigonville

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:97870f8 dfblob:abf0e8d dfblob:6835bab dfblob:82538dd
dfblob:502ce6e )
 OR (
bs:"[RFC 2/3] Add policy for apt-cacher-ng" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20191213132016.308556-3-bigon@debian.org \
    --to=bigon@debian.org \
    --cc=selinux-refpolicy@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.