Add policy for acngtool

Signed-off-by: Laurent Bigonville <bigon@bigon.be>

policy/modules/roles/sysadm.te

@@ -142,6 +142,10 @@ optional_policy(`
 	apt_run(sysadm_t, sysadm_r)
 ')
 
+optional_policy(`
+	aptcacher_run_acngtool(sysadm_t, sysadm_r)
+')
+
 optional_policy(`
 	arpwatch_admin(sysadm_t, sysadm_r)
 ')

policy/modules/services/aptcacher.fc

@@ -1,5 +1,7 @@
 /etc/apt-cacher-ng(/.*)?  gen_context(system_u:object_r:aptcacher_conf_t,s0)
 
+/usr/lib/apt-cacher-ng/acngtool -- gen_context(system_u:object_r:acngtool_exec_t,s0)
+
 /usr/sbin/apt-cacher-ng -- gen_context(system_u:object_r:aptcacher_exec_t,s0)
 
 /run/apt-cacher-ng(/.*)?  gen_context(system_u:object_r:aptcacher_runtime_t,s0)

policy/modules/services/aptcacher.if

@@ -1,5 +1,49 @@
 ## <summary>apt-cacher, cache for Debian APT repositories.</summary>
 
+########################################
+## <summary>
+##	Execute acngtool in the acngtool domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`aptcacher_domtrans_acngtool',`
+	gen_require(`
+		type acngtool_t, acngtool_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, acngtool_exec_t, acngtool_t)
+')
+
+########################################
+## <summary>
+##	Execute acngtool in the acngtool domain, and
+##	allow the specified role the acngtool domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`aptcacher_run_acngtool',`
+	gen_require(`
+		attribute_role acngtool_roles;
+	')
+
+	aptcacher_domtrans_acngtool($1)
+	roleattribute $2 acngtool_roles;
+')
+
 ########################################
 ## <summary>
 ##	Connect to aptcacher using a unix

policy/modules/services/aptcacher.te

@@ -5,6 +5,13 @@ policy_module(aptcacher, 1.0.0)
 # Declarations
 #
 
+attribute_role acngtool_roles;
+
+type acngtool_t;
+type acngtool_exec_t;
+application_domain(acngtool_t, acngtool_exec_t)
+role acngtool_roles types acngtool_t;
+
 type aptcacher_t;
 type aptcacher_exec_t;
 init_daemon_domain(aptcacher_t, aptcacher_exec_t)
@@ -36,6 +43,8 @@ allow aptcacher_t self:tcp_socket create_stream_socket_perms;
 allow aptcacher_t self:unix_dgram_socket create_socket_perms;
 allow aptcacher_t self:unix_stream_socket create_stream_socket_perms;
 
+can_exec(aptcacher_t, acngtool_exec_t)
+
 allow aptcacher_t aptcacher_conf_t:dir list_dir_perms;
 allow aptcacher_t aptcacher_conf_t:file mmap_read_file_perms;
 # /etc/apt-cacher-ng/ contains symlinks that point to /var/lib/apt-cacher-ng/
@@ -57,6 +66,9 @@ manage_sock_files_pattern(aptcacher_t, aptcacher_runtime_t, aptcacher_runtime_t)
 
 kernel_read_vm_overcommit_sysctl(aptcacher_t)
 
+# Calls system()
+corecmd_exec_shell(aptcacher_t)
+
 corenet_tcp_bind_aptcacher_port(aptcacher_t)
 corenet_tcp_bind_generic_node(aptcacher_t)
 corenet_tcp_connect_http_port(aptcacher_t)
@@ -73,3 +85,27 @@ miscfiles_read_localization(aptcacher_t)
 
 # For some reasons it's trying to mmap /etc/hosts.deny
 sysnet_mmap_config_files(aptcacher_t)
+
+#######################################
+#
+# acngtool local policy
+#
+
+allow acngtool_t self:tcp_socket create_stream_socket_perms;
+allow acngtool_t self:unix_stream_socket create_socket_perms;
+
+allow acngtool_t aptcacher_conf_t:dir list_dir_perms;
+allow acngtool_t aptcacher_conf_t:file mmap_read_file_perms;
+
+aptcacher_stream_connect(acngtool_t)
+
+corenet_tcp_connect_aptcacher_port(acngtool_t)
+
+auth_use_nsswitch(acngtool_t)
+
+# For some reasons it's trying to mmap /etc/hosts.deny
+sysnet_mmap_config_files(acngtool_t)
+
+optional_policy(`
+	cron_system_entry(acngtool_t, acngtool_exec_t)
+')