From: Laurent Bigonville <bigon@xxxxxxxx>
Signed-off-by: Laurent Bigonville <bigon@xxxxxxxx>
---
 policy/modules/services/aptcacher.fc | 2 ++
 policy/modules/services/aptcacher.te | 33 +++++++++++++++++++++++++++-
 2 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/aptcacher.fc b/policy/modules/services/aptcacher.fc
index 6835bab0..b0b5a800 100644
--- a/policy/modules/services/aptcacher.fc
+++ b/policy/modules/services/aptcacher.fc
@@ -1,5 +1,7 @@
 /etc/apt-cacher-ng(/.*)?	gen_context(system_u:object_r:aptcacher_etc_t,s0)
 
+/usr/lib/apt-cacher-ng/acngtool	--	gen_context(system_u:object_r:acngtool_exec_t,s0)
+
 /usr/sbin/apt-cacher-ng	--	gen_context(system_u:object_r:aptcacher_exec_t,s0)
 
 /run/apt-cacher-ng(/.*)?	gen_context(system_u:object_r:aptcacher_runtime_t,s0)
diff --git a/policy/modules/services/aptcacher.te b/policy/modules/services/aptcacher.te
index 502ce6e6..6780891f 100644
--- a/policy/modules/services/aptcacher.te
+++ b/policy/modules/services/aptcacher.te
@@ -5,6 +5,10 @@ policy_module(aptcacher, 1.0.0)
 # Declarations
 #
 
+type acngtool_t;
+type acngtool_exec_t;
+application_domain(acngtool_t, acngtool_exec_t)
+
 type aptcacher_t;
 type aptcacher_exec_t;
 init_daemon_domain(aptcacher_t, aptcacher_exec_t)
@@ -37,6 +41,8 @@ allow aptcacher_t self:tcp_socket create_stream_socket_perms;
 allow aptcacher_t self:unix_dgram_socket create_socket_perms;
 allow aptcacher_t self:unix_stream_socket create_stream_socket_perms;
 
+can_exec(aptcacher_t, acngtool_exec_t)
+
 allow aptcacher_t aptcacher_etc_t:file map;
 list_dirs_pattern(aptcacher_t, aptcacher_etc_t, aptcacher_etc_t)
 read_files_pattern(aptcacher_t, aptcacher_etc_t, aptcacher_etc_t)
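Review bot: `acngtool_t` is declared as an application domain, but the diffstat lists only aptcacher.fc and aptcacher.te, so no `acngtool_domtrans`/`acngtool_run` interface is added and the only entry into the domain is the `cron_system_entry` at the end of the .te; an administrator invoking acngtool by hand stays in the caller's domain. If that is the intent, record it next to the declaration, e.g. `# Entered only from system cron jobs; interactive runs stay in the caller's domain`. If not, an interface plus a role entry are still needed (possibly planned for a follow-up patch, which is not visible here).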
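Review bot: `can_exec(aptcacher_t, acngtool_exec_t)` runs acngtool inside aptcacher_t with no domain transition, so the separate acngtool_t policy defined later in this patch does not apply when the daemon itself spawns the tool; in that case it runs with the daemon's full permissions, including the shell execution this patch enables. That is a defensible choice, but it should be stated so nobody later assumes a confinement boundary exists here: `# acngtool is executed in-domain; acngtool_t only covers the cron invocation`. The aptcacher_t rule block this line sits in continues outside the hunk.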
@@ -60,7 +66,8 @@ manage_sock_files_pattern(aptcacher_t, aptcacher_runtime_t, aptcacher_runtime_t)
 
 kernel_read_vm_overcommit_sysctl(aptcacher_t)
 
-##corecmd_exec_shell(aptcacher_t)
+# Calls system()
+corecmd_exec_shell(aptcacher_t)
 
 corenet_tcp_bind_aptcacher_port(aptcacher_t)
 corenet_tcp_bind_generic_node(aptcacher_t)
@@ -79,3 +86,27 @@ miscfiles_read_localization(aptcacher_t)
 
 # For some reasons it's trying to mmap /etc/hosts.deny
 sysnet_map_config(aptcacher_t)
+
+#######################################
+#
+# acngtool local policy
+#
+
+allow acngtool_t self:netlink_route_socket r_netlink_socket_perms;
+allow acngtool_t self:tcp_socket create_stream_socket_perms;
+allow acngtool_t self:unix_stream_socket create_stream_socket_perms;
+
+allow acngtool_t aptcacher_etc_t:file map;
+list_dirs_pattern(acngtool_t, aptcacher_etc_t, aptcacher_etc_t)
+read_files_pattern(acngtool_t, aptcacher_etc_t, aptcacher_etc_t)
+
+corenet_tcp_connect_aptcacher_port(acngtool_t)
+
+auth_use_nsswitch(acngtool_t)
+
+# For some reasons it's trying to mmap /etc/hosts.deny
+sysnet_map_config(acngtool_t)
+
+optional_policy(`
+	cron_system_entry(acngtool_t, acngtool_exec_t)
+')
-- 
2.24.0
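Review bot: The new comment `# Calls system()` records only that a shell is spawned, not what the network-facing daemon runs through it, which is exactly what the next reviewer needs in order to judge whether granting shell execution to aptcacher_t is acceptable. Because no transition rule is defined, `/bin/sh` and whatever it launches remain in aptcacher_t, so the command line itself also needs coverage (for instance `corecmd_exec_bin` if it runs other binaries — not visible here, so check the AVC log rather than assume). Suggest `# apt-cacher-ng calls system(3); sh and its children stay in aptcacher_t, so the invoked command must be allowed below` and naming the feature that triggers the call.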
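Review bot: acngtool_t is not granted `miscfiles_read_localization`, while the daemon gets it in the line shown in this hunk's header context; a tool shipped from the same package is likely to hit the same locale-file denial, so `miscfiles_read_localization(acngtool_t)` probably belongs after `auth_use_nsswitch(acngtool_t)` — confirm with a permissive-mode run before adding it. The copied comment `# For some reasons it's trying to mmap /etc/hosts.deny` is awkward and should say what is known and what is not, e.g. `# mmaps /etc/hosts.deny (cause not understood; allowing the observed access)`. The same wording fix applies to the pre-existing aptcacher_t copy shown as context, which this patch leaves unchanged.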