* Add support for apt-cacher-ng
@ 2019-12-13 13:20 Laurent Bigonville
From: Laurent Bigonville @ 2019-12-13 13:20 UTC (permalink / raw)
To: selinux-refpolicy
Hello,
Please find here my patches to add support for apt-cacher-ng.
I've labeled acngtool separately, as it might also be run by users directly
(apt-cacher-ng calls it internally as well).
This is based on Russel's work.
* [RFC 1/3] Add an interface to allow the specified domain to mmap the general network configuration files
From: Laurent Bigonville @ 2019-12-13 13:20 UTC (permalink / raw)
To: selinux-refpolicy
From: Laurent Bigonville <bigon@bigon.be>
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
---
policy/modules/system/sysnetwork.if | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 77eab21e..1f785c7c 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -364,6 +364,31 @@ interface(`sysnet_read_config',`
')
')
+#######################################
+## <summary>
+## Map network config files.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to mmap the
+## general network configuration files.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_map_config',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 net_conf_t:file map;
+')
+
#######################################
## <summary>
## Do not audit attempts to read network config files.
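Review bot: The new sysnet_map_config interface grants only the `map` permission on net_conf_t:file, but mapping a file for reading is also subject to the `read` check, so a domain that calls this interface alone will still be denied unless it also gets sysnet_read_config (directly, or indirectly through auth_use_nsswitch as the aptcacher domains appear to). Either state this in the <desc> block, e.g. `## This grants only the map permission; callers also need sysnet_read_config().`, or have the interface grant read as well and name it accordingly. The summary and description also use "mmap" and "map" interchangeably; pick one wording.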
--
2.24.0
* [RFC 2/3] Add policy for apt-cacher-ng
From: Laurent Bigonville @ 2019-12-13 13:20 UTC (permalink / raw)
To: selinux-refpolicy
From: Laurent Bigonville <bigon@bigon.be>
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
---
policy/modules/kernel/corenetwork.te.in | 1 +
policy/modules/services/aptcacher.fc | 11 ++++
policy/modules/services/aptcacher.if | 21 +++++++
policy/modules/services/aptcacher.te | 81 +++++++++++++++++++++++++
4 files changed, 114 insertions(+)
create mode 100644 policy/modules/services/aptcacher.fc
create mode 100644 policy/modules/services/aptcacher.if
create mode 100644 policy/modules/services/aptcacher.te
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 97870f84..abf0e8d7 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -89,6 +89,7 @@ network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
network_port(apertus_ldp, tcp,539,s0, udp,539,s0)
+network_port(aptcacher, tcp,3142,s0)
network_port(armtechdaemon, tcp,9292,s0, udp,9292,s0)
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
network_port(audit, tcp,60,s0)
diff --git a/policy/modules/services/aptcacher.fc b/policy/modules/services/aptcacher.fc
new file mode 100644
index 00000000..6835bab0
--- /dev/null
+++ b/policy/modules/services/aptcacher.fc
@@ -0,0 +1,11 @@
+/etc/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_etc_t,s0)
+
+/usr/sbin/apt-cacher-ng -- gen_context(system_u:object_r:aptcacher_exec_t,s0)
+
+/run/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_runtime_t,s0)
+
+/var/cache/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_var_cache_t,s0)
+
+/var/lib/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_var_lib_t,s0)
+
+/var/log/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_var_log_t,s0)
diff --git a/policy/modules/services/aptcacher.if b/policy/modules/services/aptcacher.if
new file mode 100644
index 00000000..82538dd5
--- /dev/null
+++ b/policy/modules/services/aptcacher.if
@@ -0,0 +1,21 @@
+## <summary>apt-cacher, cache for Debian APT repositories.</summary>
+
+######################################
+## <summary>
+## read aptcacher config
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to read it.
+## </summary>
+## </param>
+#
+interface(`aptcacher_read_config',`
+ gen_require(`
+ type aptcacher_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 aptcacher_etc_t:dir list_dir_perms;
+ allow $1 aptcacher_etc_t:file mmap_read_file_perms;
+')
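Review bot: aptcacher_read_config grants directory listing and mmap_read_file_perms on aptcacher_etc_t, but the same patch's aptcacher.te notes that /etc/apt-cacher-ng contains symlinks pointing into /var/lib/apt-cacher-ng, so an external caller following those links would still be denied; add `read_lnk_files_pattern($1, aptcacher_etc_t, aptcacher_etc_t)` and consider whether the link targets (aptcacher_var_lib_t) should be readable through this interface too, or document that they are not. The summary `read aptcacher config` should read `Read apt-cacher-ng configuration files.` to match the style of the surrounding refpolicy interfaces. The module summary on the first line says "apt-cacher" while the daemon is apt-cacher-ng; naming it precisely avoids confusion with the unrelated apt-cacher package.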
diff --git a/policy/modules/services/aptcacher.te b/policy/modules/services/aptcacher.te
new file mode 100644
index 00000000..502ce6e6
--- /dev/null
+++ b/policy/modules/services/aptcacher.te
@@ -0,0 +1,81 @@
+policy_module(aptcacher, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type aptcacher_t;
+type aptcacher_exec_t;
+init_daemon_domain(aptcacher_t, aptcacher_exec_t)
+
+type aptcacher_etc_t;
+files_config_file(aptcacher_etc_t)
+
+type aptcacher_var_cache_t;
+files_type(aptcacher_var_cache_t)
+
+type aptcacher_var_lib_t;
+files_type(aptcacher_var_lib_t)
+
+type aptcacher_var_log_t;
+logging_log_file(aptcacher_var_log_t)
+
+type aptcacher_runtime_t;
+files_pid_file(aptcacher_runtime_t)
+
+########################################
+#
+# Local policy
+#
+
+allow aptcacher_t self:process signal;
+
+allow aptcacher_t self:fifo_file { read write };
+allow aptcacher_t self:netlink_route_socket r_netlink_socket_perms;
+allow aptcacher_t self:tcp_socket create_stream_socket_perms;
+allow aptcacher_t self:unix_dgram_socket create_socket_perms;
+allow aptcacher_t self:unix_stream_socket create_stream_socket_perms;
+
+allow aptcacher_t aptcacher_etc_t:file map;
+list_dirs_pattern(aptcacher_t, aptcacher_etc_t, aptcacher_etc_t)
+read_files_pattern(aptcacher_t, aptcacher_etc_t, aptcacher_etc_t)
+# /etc/apt-cacher-ng/ contains symlinks that point to /var/lib/apt-cacher-ng/
+read_lnk_files_pattern(aptcacher_t, aptcacher_etc_t, aptcacher_etc_t)
+
+allow aptcacher_t aptcacher_var_cache_t:file map;
+manage_dirs_pattern(aptcacher_t, aptcacher_var_cache_t, aptcacher_var_cache_t)
+manage_files_pattern(aptcacher_t, aptcacher_var_cache_t, aptcacher_var_cache_t)
+manage_lnk_files_pattern(aptcacher_t, aptcacher_var_cache_t, aptcacher_var_cache_t)
+
+allow aptcacher_t aptcacher_var_lib_t:file map;
+files_search_var_lib(aptcacher_t)
+read_files_pattern(aptcacher_t, aptcacher_var_lib_t, aptcacher_var_lib_t)
+
+allow aptcacher_t aptcacher_var_log_t:file map;
+logging_search_logs(aptcacher_t)
+manage_files_pattern(aptcacher_t, aptcacher_var_log_t, aptcacher_var_log_t)
+
+manage_sock_files_pattern(aptcacher_t, aptcacher_runtime_t, aptcacher_runtime_t)
+
+kernel_read_vm_overcommit_sysctl(aptcacher_t)
+
+##corecmd_exec_shell(aptcacher_t)
+
+corenet_tcp_bind_aptcacher_port(aptcacher_t)
+corenet_tcp_bind_generic_node(aptcacher_t)
+corenet_tcp_connect_http_port(aptcacher_t)
+
+auth_use_nsswitch(aptcacher_t)
+
+# Uses sd_notify() to inform systemd it has properly started
+init_search_pids(aptcacher_t)
+init_write_runtime_socket(aptcacher_t)
+
+miscfiles_read_generic_certs(aptcacher_t)
+
+# Reads /usr/share/zoneinfo/
+miscfiles_read_localization(aptcacher_t)
+
+# For some reasons it's trying to mmap /etc/hosts.deny
+sysnet_map_config(aptcacher_t)
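Review bot: The runtime policy grants only `manage_sock_files_pattern` on aptcacher_runtime_t, so the daemon can create sockets in /run/apt-cacher-ng but cannot create the directory itself; if the directory is created by the unit (RuntimeDirectory=) it will be labelled from the file contexts, but if apt-cacher-ng mkdir()s it, it will end up as the generic runtime type and the socket rule will never match. If the latter applies, add `manage_dirs_pattern(aptcacher_t, aptcacher_runtime_t, aptcacher_runtime_t)` and `files_pid_filetrans(aptcacher_t, aptcacher_runtime_t, dir, "apt-cacher-ng")`; either way a comment stating who creates the directory would help the next maintainer. The `map` rules on aptcacher_var_log_t and aptcacher_var_lib_t are unusual for a log/state directory and deserve a one-line comment explaining which files are mmap'ed, as was done for /etc/hosts.deny.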
--
2.24.0
* [RFC 3/3] Add policy for acngtool
From: Laurent Bigonville @ 2019-12-13 13:20 UTC (permalink / raw)
To: selinux-refpolicy
From: Laurent Bigonville <bigon@bigon.be>
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
---
policy/modules/services/aptcacher.fc | 2 ++
policy/modules/services/aptcacher.te | 33 +++++++++++++++++++++++++++-
2 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/policy/modules/services/aptcacher.fc b/policy/modules/services/aptcacher.fc
index 6835bab0..b0b5a800 100644
--- a/policy/modules/services/aptcacher.fc
+++ b/policy/modules/services/aptcacher.fc
@@ -1,5 +1,7 @@
/etc/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_etc_t,s0)
+/usr/lib/apt-cacher-ng/acngtool -- gen_context(system_u:object_r:acngtool_exec_t,s0)
+
/usr/sbin/apt-cacher-ng -- gen_context(system_u:object_r:aptcacher_exec_t,s0)
/run/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_runtime_t,s0)
diff --git a/policy/modules/services/aptcacher.te b/policy/modules/services/aptcacher.te
index 502ce6e6..6780891f 100644
--- a/policy/modules/services/aptcacher.te
+++ b/policy/modules/services/aptcacher.te
@@ -5,6 +5,10 @@ policy_module(aptcacher, 1.0.0)
# Declarations
#
+type acngtool_t;
+type acngtool_exec_t;
+application_domain(acngtool_t, acngtool_exec_t)
+
type aptcacher_t;
type aptcacher_exec_t;
init_daemon_domain(aptcacher_t, aptcacher_exec_t)
@@ -37,6 +41,8 @@ allow aptcacher_t self:tcp_socket create_stream_socket_perms;
allow aptcacher_t self:unix_dgram_socket create_socket_perms;
allow aptcacher_t self:unix_stream_socket create_stream_socket_perms;
+can_exec(aptcacher_t, acngtool_exec_t)
+
allow aptcacher_t aptcacher_etc_t:file map;
list_dirs_pattern(aptcacher_t, aptcacher_etc_t, aptcacher_etc_t)
read_files_pattern(aptcacher_t, aptcacher_etc_t, aptcacher_etc_t)
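Review bot: `can_exec(aptcacher_t, acngtool_exec_t)` runs acngtool inside the daemon domain when the daemon spawns it via system(), which is also why the following hunk re-enables corecmd_exec_shell for aptcacher_t; the narrower acngtool_t policy therefore only applies to stand-alone and cron invocations, and nothing in the file says so. Add a comment such as `# acngtool is run via system() and stays in the daemon domain; acngtool_t covers stand-alone/cron use`, and in the next hunk make `# Calls system()` say what is called, e.g. `# Calls system() to run acngtool`. If the helper only needs what acngtool_t already allows, `domtrans_pattern(aptcacher_t, acngtool_exec_t, acngtool_t)` would confine it instead of widening the network-facing daemon with shell execution.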
@@ -60,7 +66,8 @@ manage_sock_files_pattern(aptcacher_t, aptcacher_runtime_t, aptcacher_runtime_t)
kernel_read_vm_overcommit_sysctl(aptcacher_t)
-##corecmd_exec_shell(aptcacher_t)
+# Calls system()
+corecmd_exec_shell(aptcacher_t)
corenet_tcp_bind_aptcacher_port(aptcacher_t)
corenet_tcp_bind_generic_node(aptcacher_t)
@@ -79,3 +86,27 @@ miscfiles_read_localization(aptcacher_t)
# For some reasons it's trying to mmap /etc/hosts.deny
sysnet_map_config(aptcacher_t)
+
+#######################################
+#
+# acngtool local policy
+#
+
+allow acngtool_t self:netlink_route_socket r_netlink_socket_perms;
+allow acngtool_t self:tcp_socket create_stream_socket_perms;
+allow acngtool_t self:unix_stream_socket create_stream_socket_perms;
+
+allow acngtool_t aptcacher_etc_t:file map;
+list_dirs_pattern(acngtool_t, aptcacher_etc_t, aptcacher_etc_t)
+read_files_pattern(acngtool_t, aptcacher_etc_t, aptcacher_etc_t)
+
+corenet_tcp_connect_aptcacher_port(acngtool_t)
+
+auth_use_nsswitch(acngtool_t)
+
+# For some reasons it's trying to mmap /etc/hosts.deny
+sysnet_map_config(acngtool_t)
+
+optional_policy(`
+ cron_system_entry(acngtool_t, acngtool_exec_t)
+')
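Review bot: acngtool_t is declared with application_domain and given a cron entry, but the patch adds no interface in aptcacher.if (the diffstat lists only the .fc and .te files), so there is no way for a user domain to transition into it; a user running /usr/lib/apt-cacher-ng/acngtool stays in their own domain, which contradicts the stated reason for labelling the tool separately. Add an `aptcacher_domtrans_acngtool` interface built on `domtrans_pattern($1, acngtool_exec_t, acngtool_t)` together with a role-granting interface that does `role $2 types acngtool_t`, and call the latter from the relevant user policy. The acngtool block also reads aptcacher_etc_t without `read_lnk_files_pattern`, although the comment above the daemon rules says that directory holds symlinks; the same pattern used for aptcacher_t is probably needed here too.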
--
2.24.0