# DESC yam - Yum/Apt Mirroring
#
# Author: David Hampton
#
# Policy for yam, which mirrors Yum/Apt repositories into a local
# content tree and makes that tree readable by the local web server.
# Two domains are declared below: yam_t (interactive/command-line use)
# and yam_crond_t (runs under the system cron). The shared rules live
# in the m4 macro yam_common.
#
# NOTE(review): the bodies of define()/ifdef() below are m4-quoted.
# m4 keeps tracking quote characters while it collects a quoted body,
# so a stray apostrophe or backtick inside a "#" comment there would
# end the quote early and corrupt the definition. The spellings
# "dont"/"whats" in the macro body are deliberate; keep new comments
# inside quoted bodies free of ' and ` characters.
#
# Yam downloads lots of files, indexes them, and makes them available
# to the local web server. Define a type for these files. The
# httpdcontent attribute marks it as web content; the concrete httpd_t
# rules are granted explicitly at the bottom of this file.
#
type yam_content_t, file_type, sysadmfile, httpdcontent;

#
# Common definitions used by both the command line and the cron
# invocation of yam. Expanded as yam_common(yam) and
# yam_common(yam_crond); the first argument is the domain prefix.
#
define(`yam_common',`
# Update the content being managed by yam: create/read/write dirs and
# files of type yam_content_t.
create_dir_file($1_t, yam_content_t)

# Content can also be on ISO image files (read-only access to
# iso9660 filesystems).
r_dir_file($1_t, iso9660_t)

# Need to go through /var to get to /var/yam
# Go through /var/www to get to /var/www/yam
# Only directory traversal here; no file access on var_t or
# httpd_sys_content_t is granted by these two rules.
allow $1_t var_t:dir { getattr search };
allow $1_t httpd_sys_content_t:dir { getattr search };

# Allow access to locale database, nsswitch, and mtab
read_locale($1_t)
allow $1_t etc_t:file { getattr read };
allow $1_t etc_runtime_t:file { getattr read };

# Python seems to need things from various places
allow $1_t { bin_t sbin_t }:dir { search getattr };
allow $1_t { bin_t sbin_t lib_t usr_t }:file { getattr read };
allow $1_t bin_t:lnk_file read;

# Python works fine without reading /proc/meminfo, so silence the
# denials instead of granting proc_t access.
dontaudit $1_t proc_t:dir search;
dontaudit $1_t proc_t:file { getattr read };

# Yam wants to run rsync, lftp, mount, and a shell.  Allow the latter
# two here.  Run rsync and lftp in the yam_t context so that we dont
# have to give any other programs write access to the yam_t files.
#
# NOTE(review): can_exec grants execution WITHOUT a domain transition,
# so every program started through these rules (shell, rsync, any
# bin_t file, any usr_t file) runs with the full permission set of this
# domain, including the network access and capabilities granted below.
# The usr_t rule exists for a single createrepo script; a dedicated
# exec type for that script would be narrower than all of usr_t.
general_domain_access($1_t)
can_exec($1_t, shell_exec_t)
can_exec($1_t, rsync_exec_t)
can_exec($1_t, bin_t)
can_exec($1_t, usr_t) #/usr/share/createrepo/genpkgmetadata.py
# mount, by contrast, does get its own domain: it is started via
# mount_exec_t and transitions into mount_t rather than running here.
ifdef(`mount.te', `
domain_auto_trans($1_t, mount_exec_t, mount_t)
')

# Rsync and lftp need to network.  They also set files attributes to
# match whats on the remote server.
#
# NOTE(review): chown/fowner/fsetid cover changing ownership and mode
# bits of mirrored files. dac_override additionally bypasses ALL
# discretionary permission checks for this domain; confirm it is
# really needed rather than being an audit2allow artefact.
can_network_client($1_t)
allow $1_t self:capability { chown fowner fsetid dac_override };

# access to sysctl_kernel_t ( proc/sys/kernel/* )
read_sysctl($1_t)

# Programs invoked to build package lists need various permissions.
# genpkglist creates tmp files in /var/cache/apt/genpkglist
#
# NOTE(review): these two rules apply to every file and directory
# labelled plain var_t, not only the genpkglist cache. Giving that
# cache directory its own type (with a file context entry) would let
# the write access be confined to it.
allow $1_t var_t:file { getattr read write };
allow $1_t var_t:dir read;
# mktemp
allow $1_t urandom_device_t:chr_file read;
# mv
allow $1_t proc_t:lnk_file read;
allow $1_t selinux_config_t:dir search;
allow $1_t selinux_config_t:file { getattr read };
')

##########
##########
#
# Running yam from the command line
#
# application_domain declares the yam_t domain (and, presumably, the
# yam_exec_t entry point used by the cron section below); the extra
# nscd_client_domain attribute lets it talk to nscd.
application_domain(yam, `, nscd_client_domain')
role system_r types yam_t;
yam_common(yam)
# etc_domain/tmp_domain give this domain private yam_etc_t and yam_tmp_t
# types; the cron domain reuses both further down.
etc_domain(yam)
tmp_domain(yam)

# Terminal access: an interactive run inherits file descriptors from
# sshd and reads/writes the administrator's pty (sysadm_devpts_t).
allow yam_t devpts_t:dir search;
allow yam_t devtty_t:chr_file { read write };
allow yam_t sshd_t:fd use;
allow yam_t sysadm_devpts_t:chr_file { getattr ioctl read write };

# Reading dotfiles...
# Only directory lookups are granted; no read access to home
# directory contents is given here.
dontaudit yam_t staff_home_dir_t:dir search;	# /root
allow yam_t home_root_t:dir search;		# /home
allow yam_t user_home_dir_t:dir { getattr search };	# /home/user

##########
##########
#
# Running yam from cron
#
application_domain(yam_crond, `, nscd_client_domain')
role system_r types yam_crond_t;
# When the crond policy is present, make yam_exec_t an entry point for
# yam_crond_t so that jobs started by the system crond land in the cron
# domain rather than in crond's own domain.
ifdef(`crond.te', `
system_crond_entry(yam_exec_t, yam_crond_t)
')
yam_common(yam_crond)
# Reuse the command-line domain's config type read-only, and label
# anything it creates under tmp_t as yam_tmp_t.
allow yam_crond_t yam_etc_t:file r_file_perms;
file_type_auto_trans(yam_crond_t, tmp_t, yam_tmp_t, `{ file dir }')
allow yam_crond_t devtty_t:chr_file { read write };

# Reading dotfiles...
# LFTP uses a directory for its dotfiles
allow yam_crond_t default_t:dir search;

# Don't know why init tries to read this.
# NOTE(review): an allow rule nobody can explain is usually an
# audit2allow artefact. If the read is not functionally required a
# dontaudit here would silence the log noise without granting access.
allow initrc_t yam_etc_t:file read;

##########
##########
# The whole point of this program is to make updates available on a
# local web server.  Allow apache access to these files.
# Deliberately read-only: httpd_t gets no write or create permission
# on the mirrored content, so a compromised web server cannot alter
# the packages it serves.
ifdef(`apache.te', `
allow httpd_t yam_content_t:dir { getattr search };
allow httpd_t yam_content_t:file { getattr read };
allow httpd_t yam_content_t:lnk_file { getattr read };
')

# Mount needs access to the yam directories in order to mount the ISO
# files on a loopback file system.
# NOTE(review): write access to the ISO files is only needed if the
# loop device is set up read-write; confirm whether read alone
# suffices for read-only ISO mounts before keeping the write bit.
ifdef(`mount.te', `
allow mount_t yam_content_t:dir mounton;
allow mount_t yam_content_t:file { read write };
')