]>
Commit | Line | Data |
---|---|---|
f30e6ea8 | 1 | |
0bfccda4 | 2 | policy_module(yam, 1.2.0) |
f30e6ea8 CP |
3 | |
4 | ######################################## | |
5 | # | |
6 | # Declarations | |
7 | # | |
8 | ||
9 | type yam_t alias yam_crond_t; | |
10 | type yam_exec_t; | |
0bfccda4 | 11 | application_domain(yam_t, yam_exec_t) |
f30e6ea8 CP |
12 | |
13 | type yam_content_t; | |
14 | files_mountpoint(yam_content_t) | |
15 | ||
16 | type yam_etc_t; | |
17 | files_config_file(yam_etc_t) | |
18 | ||
19 | type yam_tmp_t; | |
20 | files_tmp_file(yam_tmp_t) | |
21 | ||
22 | ######################################## | |
23 | # | |
24 | # Local policy | |
25 | # | |
26 | ||
27 | allow yam_t self:capability { chown fowner fsetid dac_override }; | |
28 | allow yam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; | |
29 | allow yam_t self:process execmem; | |
30 | allow yam_t self:fd use; | |
c0868a7a | 31 | allow yam_t self:fifo_file rw_fifo_file_perms; |
f30e6ea8 CP |
32 | allow yam_t self:unix_stream_socket { create_stream_socket_perms connectto }; |
33 | allow yam_t self:unix_dgram_socket { create_socket_perms sendto }; | |
34 | allow yam_t self:shm create_shm_perms; | |
35 | allow yam_t self:sem create_sem_perms; | |
36 | allow yam_t self:msgq create_msgq_perms; | |
37 | allow yam_t self:msg { send receive }; | |
38 | allow yam_t self:tcp_socket create_socket_perms; | |
f30e6ea8 CP |
39 | |
40 | # Update the content being managed by yam. | |
0bfccda4 CP |
41 | manage_dirs_pattern(yam_t, yam_content_t, yam_content_t) |
42 | manage_files_pattern(yam_t, yam_content_t, yam_content_t) | |
43 | manage_lnk_files_pattern(yam_t, yam_content_t, yam_content_t) | |
f30e6ea8 | 44 | |
0b36a214 | 45 | allow yam_t yam_etc_t:file read_file_perms; |
f30e6ea8 CP |
46 | files_search_etc(yam_t) |
47 | ||
0bfccda4 CP |
48 | manage_files_pattern(yam_t, yam_tmp_t, yam_tmp_t) |
49 | manage_dirs_pattern(yam_t, yam_tmp_t, yam_tmp_t) | |
f30e6ea8 CP |
50 | files_tmp_filetrans(yam_t, yam_tmp_t, { file dir }) |
51 | ||
52 | kernel_read_kernel_sysctls(yam_t) | |
53 | kernel_read_proc_symlinks(yam_t) | |
54 | # Python works fine without reading /proc/meminfo | |
55 | kernel_dontaudit_read_system_state(yam_t) | |
56 | ||
57 | corecmd_exec_shell(yam_t) | |
58 | corecmd_exec_bin(yam_t) | |
59 | ||
60 | # Rsync and lftp need to network. They also set files attributes to | |
61 | # match whats on the remote server. | |
19006686 CP |
62 | corenet_all_recvfrom_unlabeled(yam_t) |
63 | corenet_all_recvfrom_netlabel(yam_t) | |
f30e6ea8 | 64 | corenet_tcp_sendrecv_generic_if(yam_t) |
f30e6ea8 | 65 | corenet_tcp_sendrecv_all_nodes(yam_t) |
f30e6ea8 | 66 | corenet_tcp_sendrecv_all_ports(yam_t) |
f30e6ea8 CP |
67 | corenet_tcp_connect_http_port(yam_t) |
68 | corenet_tcp_connect_rsync_port(yam_t) | |
c0d8c41e CP |
69 | corenet_sendrecv_http_client_packets(yam_t) |
70 | corenet_sendrecv_rsync_client_packets(yam_t) | |
f30e6ea8 CP |
71 | |
72 | # mktemp | |
73 | dev_read_urand(yam_t) | |
74 | ||
75 | files_read_etc_files(yam_t) | |
76 | files_read_etc_runtime_files(yam_t) | |
77 | # /usr/share/createrepo/genpkgmetadata.py: | |
78 | files_exec_usr_files(yam_t) | |
79 | # Programs invoked to build package lists need various permissions. | |
80 | # genpkglist creates tmp files in /var/cache/apt/genpkglist | |
81 | files_rw_var_files(yam_t) | |
82 | ||
83 | fs_search_auto_mountpoints(yam_t) | |
84 | # Content can also be on ISO image files. | |
85 | fs_read_iso9660_files(yam_t) | |
86 | ||
87 | term_search_ptys(yam_t) | |
88 | ||
89 | libs_use_ld_so(yam_t) | |
90 | libs_use_shared_libs(yam_t) | |
91 | ||
92 | logging_send_syslog_msg(yam_t) | |
93 | ||
94 | miscfiles_read_localization(yam_t) | |
95 | ||
96 | seutil_read_config(yam_t) | |
97 | ||
c0d8c41e | 98 | sysnet_dns_name_resolve(yam_t) |
f30e6ea8 CP |
99 | sysnet_read_config(yam_t) |
100 | ||
101 | userdom_use_unpriv_users_fds(yam_t) | |
102 | # Reading dotfiles... | |
103 | # cjp: ? | |
104 | userdom_search_all_users_home_dirs(yam_t) | |
105 | ||
106 | # The whole point of this program is to make updates available on a | |
107 | # local web server. Need to go through /var to get to /var/yam | |
108 | # Go through /var/www to get to /var/www/yam | |
109 | apache_search_sys_content(yam_t) | |
110 | ||
111 | optional_policy(` | |
0bfccda4 | 112 | cron_system_entry(yam_t, yam_exec_t) |
f30e6ea8 CP |
113 | ') |
114 | ||
115 | optional_policy(` | |
116 | mount_domtrans(yam_t) | |
117 | ') | |
118 | ||
119 | optional_policy(` | |
120 | nis_use_ypbind(yam_t) | |
121 | ') | |
122 | ||
123 | optional_policy(` | |
124 | nscd_socket_use(yam_t) | |
125 | ') | |
126 | ||
127 | optional_policy(` | |
128 | rsync_exec(yam_t) | |
129 | ') |