Merge pull request #137 from bigon/aptcacher
aafca49ae8
|
@ -89,6 +89,7 @@ network_port(amqp, udp,5671-5672,s0, tcp,5671-5672,s0)
|
|||
network_port(aol, udp,5190-5193,s0, tcp,5190-5193,s0)
|
||||
network_port(apcupsd, tcp,3551,s0, udp,3551,s0)
|
||||
network_port(apertus_ldp, tcp,539,s0, udp,539,s0)
|
||||
network_port(aptcacher, tcp,3142,s0)
|
||||
network_port(armtechdaemon, tcp,9292,s0, udp,9292,s0)
|
||||
network_port(asterisk, tcp,1720,s0, udp,2427,s0, udp,2727,s0, udp,4569,s0)
|
||||
network_port(audit, tcp,60,s0)
|
||||
|
|
|
@ -150,6 +150,10 @@ optional_policy(`
|
|||
apt_run(sysadm_t, sysadm_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
aptcacher_run_acngtool(sysadm_t, sysadm_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
arpwatch_admin(sysadm_t, sysadm_r)
|
||||
')
|
||||
|
|
|
@ -0,0 +1,13 @@
|
|||
/etc/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_conf_t,s0)
|
||||
|
||||
/usr/lib/apt-cacher-ng/acngtool -- gen_context(system_u:object_r:acngtool_exec_t,s0)
|
||||
|
||||
/usr/sbin/apt-cacher-ng -- gen_context(system_u:object_r:aptcacher_exec_t,s0)
|
||||
|
||||
/run/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_runtime_t,s0)
|
||||
|
||||
/var/cache/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_cache_t,s0)
|
||||
|
||||
/var/lib/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_lib_t,s0)
|
||||
|
||||
/var/log/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_log_t,s0)
|
|
@ -0,0 +1,65 @@
|
|||
## <summary>apt-cacher, cache for Debian APT repositories.</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute acngtool in the acngtool domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`aptcacher_domtrans_acngtool',`
|
||||
gen_require(`
|
||||
type acngtool_t, acngtool_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1, acngtool_exec_t, acngtool_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute acngtool in the acngtool domain, and
|
||||
## allow the specified role the acngtool domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed to transition.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`aptcacher_run_acngtool',`
|
||||
gen_require(`
|
||||
attribute_role acngtool_roles;
|
||||
')
|
||||
|
||||
aptcacher_domtrans_acngtool($1)
|
||||
roleattribute $2 acngtool_roles;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Connect to aptcacher using a unix
|
||||
## stream socket.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`aptcacher_stream_connect',`
|
||||
gen_require(`
|
||||
type aptcacher_t, aptcacher_runtime_t;
|
||||
')
|
||||
|
||||
files_search_pids($1)
|
||||
stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t, aptcacher_t)
|
||||
')
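Review bot: The module summary at `## <summary>apt-cacher, cache for Debian APT repositories.</summary>` names a different project than the one this policy covers; every file context and binary on the page is apt-cacher-ng, so the summary should read `## <summary>apt-cacher-ng, caching proxy for Debian APT repositories.</summary>` to avoid confusing readers of the generated interface documentation. The `aptcacher_stream_connect` description should also say which socket it covers, e.g. `## Connect to apt-cacher-ng using the unix stream socket it creates under /run/apt-cacher-ng.`, since that is what `stream_connect_pattern` on aptcacher_runtime_t grants. No admin interface is declared for the new daemon types; if this repository follows the usual convention of providing one per daemon module, a later commit will need it.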
|
|
@ -0,0 +1,111 @@
|
|||
policy_module(aptcacher, 1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
attribute_role acngtool_roles;
|
||||
|
||||
type acngtool_t;
|
||||
type acngtool_exec_t;
|
||||
application_domain(acngtool_t, acngtool_exec_t)
|
||||
role acngtool_roles types acngtool_t;
|
||||
|
||||
type aptcacher_t;
|
||||
type aptcacher_exec_t;
|
||||
init_daemon_domain(aptcacher_t, aptcacher_exec_t)
|
||||
|
||||
type aptcacher_conf_t;
|
||||
files_config_file(aptcacher_conf_t)
|
||||
|
||||
type aptcacher_cache_t;
|
||||
files_type(aptcacher_cache_t)
|
||||
|
||||
type aptcacher_lib_t;
|
||||
files_type(aptcacher_lib_t)
|
||||
|
||||
type aptcacher_log_t;
|
||||
logging_log_file(aptcacher_log_t)
|
||||
|
||||
type aptcacher_runtime_t;
|
||||
files_pid_file(aptcacher_runtime_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Local policy
|
||||
#
|
||||
|
||||
allow aptcacher_t self:process signal;
|
||||
|
||||
allow aptcacher_t self:fifo_file rw_inherited_fifo_file_perms;
|
||||
allow aptcacher_t self:tcp_socket create_stream_socket_perms;
|
||||
allow aptcacher_t self:unix_dgram_socket create_socket_perms;
|
||||
allow aptcacher_t self:unix_stream_socket create_stream_socket_perms;
|
||||
|
||||
can_exec(aptcacher_t, acngtool_exec_t)
|
||||
|
||||
allow aptcacher_t aptcacher_conf_t:dir list_dir_perms;
|
||||
allow aptcacher_t aptcacher_conf_t:file mmap_read_file_perms;
|
||||
# /etc/apt-cacher-ng/ contains symlinks that point to /var/lib/apt-cacher-ng/
|
||||
allow aptcacher_t aptcacher_conf_t:lnk_file read_lnk_file_perms;
|
||||
|
||||
allow aptcacher_t aptcacher_cache_t:dir manage_dir_perms;
|
||||
allow aptcacher_t aptcacher_cache_t:file { manage_file_perms map };
|
||||
allow aptcacher_t aptcacher_cache_t:lnk_file manage_lnk_file_perms;
|
||||
|
||||
allow aptcacher_t aptcacher_lib_t:file map;
|
||||
files_search_var_lib(aptcacher_t)
|
||||
read_files_pattern(aptcacher_t, aptcacher_lib_t, aptcacher_lib_t)
|
||||
|
||||
allow aptcacher_t aptcacher_log_t:file map;
|
||||
logging_search_logs(aptcacher_t)
|
||||
manage_files_pattern(aptcacher_t, aptcacher_log_t, aptcacher_log_t)
|
||||
|
||||
manage_sock_files_pattern(aptcacher_t, aptcacher_runtime_t, aptcacher_runtime_t)
|
||||
|
||||
kernel_read_vm_overcommit_sysctl(aptcacher_t)
|
||||
|
||||
# Calls system()
|
||||
corecmd_exec_shell(aptcacher_t)
|
||||
|
||||
corenet_tcp_bind_aptcacher_port(aptcacher_t)
|
||||
corenet_tcp_bind_generic_node(aptcacher_t)
|
||||
corenet_tcp_connect_http_port(aptcacher_t)
|
||||
|
||||
auth_use_nsswitch(aptcacher_t)
|
||||
|
||||
# Uses sd_notify() to inform systemd it has properly started
|
||||
init_dgram_send(aptcacher_t)
|
||||
|
||||
miscfiles_read_generic_certs(aptcacher_t)
|
||||
|
||||
# Reads /usr/share/zoneinfo/
|
||||
miscfiles_read_localization(aptcacher_t)
|
||||
|
||||
# For some reasons it's trying to mmap /etc/hosts.deny
|
||||
sysnet_mmap_config_files(aptcacher_t)
|
||||
|
||||
#######################################
|
||||
#
|
||||
# acngtool local policy
|
||||
#
|
||||
|
||||
allow acngtool_t self:tcp_socket create_stream_socket_perms;
|
||||
allow acngtool_t self:unix_stream_socket create_socket_perms;
|
||||
|
||||
allow acngtool_t aptcacher_conf_t:dir list_dir_perms;
|
||||
allow acngtool_t aptcacher_conf_t:file mmap_read_file_perms;
|
||||
|
||||
aptcacher_stream_connect(acngtool_t)
|
||||
|
||||
corenet_tcp_connect_aptcacher_port(acngtool_t)
|
||||
|
||||
auth_use_nsswitch(acngtool_t)
|
||||
|
||||
# For some reasons it's trying to mmap /etc/hosts.deny
|
||||
sysnet_mmap_config_files(acngtool_t)
|
||||
|
||||
optional_policy(`
|
||||
cron_system_entry(acngtool_t, acngtool_exec_t)
|
||||
')
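Review bot: `corecmd_exec_shell(aptcacher_t)` under the `# Calls system()` comment lets a network-facing daemon run a shell in its own domain, so anything that shell spawns keeps aptcacher_t's port bind, outbound http connect and cache-management access; the comment should name the code path or configuration feature that needs system() so a later reviewer can judge whether a separate domain (or a domain transition to acngtool_t instead of `can_exec`) is warranted, e.g. `# Calls system() for <feature — TODO confirm>; the shell stays in aptcacher_t, no transition`. Separately, `allow aptcacher_t aptcacher_cache_t:file { manage_file_perms map };` could use the `mmap_manage_file_perms` set if this policy's obj_perm_sets defines it, matching the `mmap_read_file_perms` used a few lines above. Nothing in the hunk grants search on the parent of /var/cache or a file transition for creating /run/apt-cacher-ng with aptcacher_runtime_t; confirm those come from the called interfaces (`files_search_var`, `files_pid_filetrans`) or that init creates the runtime directory, otherwise the first start will be denied.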
|
|
@ -364,6 +364,31 @@ interface(`sysnet_read_config',`
|
|||
')
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Map network config files.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow the specified domain to mmap the
|
||||
## general network configuration files.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`sysnet_mmap_config_files',`
|
||||
gen_require(`
|
||||
type net_conf_t;
|
||||
')
|
||||
|
||||
files_search_etc($1)
|
||||
allow $1 net_conf_t:file map;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Do not audit attempts to read network config files.
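Review bot: The new `sysnet_mmap_config_files` grants only `map` on net_conf_t, which is not usable on its own because mapping a file also requires read and open, so the interface description should state that callers must also hold read access (e.g. via `sysnet_read_config`); suggest adding to the <desc>: `## This only adds the map permission; the caller also needs sysnet_read_config() for read/open.` The separator line above the summary appears to be one `#` shorter than the 40-character separators used elsewhere on the page (the acngtool section of aptcacher.te has the same). The interface beginning at `## Do not audit attempts to read network config files.` continues past the end of the hunk.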
|
||||
|
|