# DESC yam - Yum/Apt Mirroring
#
# Author: David Hampton <hampton@employees.org>
#
#
# Yam downloads lots of files, indexes them, and makes them available
# for upload.  Define a type for these files.
#
# The sysadmfile and httpdcontent attributes presumably let the generic
# sysadm and httpd rules reach this content; the explicit httpd_t rule
# appears further down in the apache.te block.
type yam_content_t, file_type, sysadmfile, httpdcontent;
#
# Common definitions used by both the command line and the cron
# invocation of yam.
#
# Usage: yam_common(prefix) -- grants the domain named $1_t everything
# the yam program itself needs.  Declaring the domain, its role and its
# etc/tmp handling is left to the caller.  No apostrophes or backquotes
# may appear inside this define body; m4 would treat them as quotes.
#
define(`yam_common',`

# Update the content being managed by yam.
create_dir_file($1_t, yam_content_t)

# Content can also be on ISO image files.
r_dir_file($1_t, iso9660_t)

# Need to go through /var to get to /var/yam
# Go through /var/www to get to /var/www/yam
allow $1_t var_t:dir { getattr search };
allow $1_t httpd_sys_content_t:dir { getattr search };

# Allow access to locale database,  nsswitch, and mtab
read_locale($1_t)
allow $1_t etc_t:file { getattr read };
allow $1_t etc_runtime_t:file { getattr read };

# Python seems to need things from various places
allow $1_t { bin_t sbin_t }:dir { search getattr };
allow $1_t { bin_t sbin_t lib_t usr_t }:file { getattr read };
allow $1_t bin_t:lnk_file read;

# Python works fine without reading /proc/meminfo
dontaudit $1_t proc_t:dir search;
dontaudit $1_t proc_t:file { getattr read };

# Yam wants to run rsync, lftp, mount, and a shell.  Allow the latter
# two here.  Run rsync and lftp in the $1_t context so that we do not
# have to give any other programs write access to the yam content files.
# NOTE(review): can_exec on bin_t and usr_t lets $1_t run any binary
# carrying those types without a domain transition; the usr_t case is
# here for createrepo (see the trailing comment below) and could only be
# narrowed by giving that script a dedicated exec type.
general_domain_access($1_t)
can_exec($1_t, shell_exec_t)
can_exec($1_t, rsync_exec_t)
can_exec($1_t, bin_t)
can_exec($1_t, usr_t) #/usr/share/createrepo/genpkgmetadata.py
ifdef(`mount.te', `
domain_auto_trans($1_t, mount_exec_t, mount_t)
')

# Rsync and lftp need to network.  They also set file attributes to
# match what is on the remote server.
# NOTE(review): dac_override bypasses ordinary file permission checks
# and execmem permits writable+executable memory mappings; both widen
# the impact of a compromised yam process (for example one fed bad data
# by a hostile mirror).  Whether execmem is really required by the
# python modules in use should be confirmed from the audit log.
can_network_client($1_t)
allow $1_t { http_port_t rsync_port_t }:tcp_socket name_connect;
allow $1_t self:capability { chown fowner fsetid dac_override };
allow $1_t self:process execmem;

# access to sysctl_kernel_t ( proc/sys/kernel/* )
read_sysctl($1_t)

# Programs invoked to build package lists need various permissions.
# genpkglist creates tmp files in /var/cache/apt/genpkglist
# NOTE(review): write access to generic var_t files covers every file
# under /var that carries no more specific label, not just the genpkglist
# cache; a dedicated type for /var/cache/apt/genpkglist would be tighter.
allow $1_t var_t:file { getattr read write };
allow $1_t var_t:dir read;
# mktemp
allow $1_t urandom_device_t:chr_file read;
# mv
allow $1_t proc_t:lnk_file read;
allow $1_t selinux_config_t:dir search;
allow $1_t selinux_config_t:file { getattr read };
')
##########
##########
#
# Running yam from the command line
#
# yam_t is the interactive domain.  The quoted second argument is passed
# through application_domain as an extra attribute list; nscd_client_domain
# presumably lets name lookups go through nscd -- confirm against the
# application_domain macro.
application_domain(yam, `, nscd_client_domain')
role system_r types yam_t;
yam_common(yam)
etc_domain(yam)
tmp_domain(yam)

# Terminal access
# NOTE(review): sshd_t:fd use lets yam_t inherit descriptors from an ssh
# session; together with the sysadm_devpts_t rule this presumably is what
# makes interactive output work when yam is started over ssh.
allow yam_t devpts_t:dir search;
allow yam_t devtty_t:chr_file { read write };
allow yam_t sshd_t:fd use;
allow yam_t sysadm_devpts_t:chr_file { getattr ioctl read write };

# Reading dotfiles...
# Only directory search is granted on the home hierarchy; the user home
# directory itself gets the read permission set.
allow yam_t sysadm_home_dir_t:dir search;		# /root
allow yam_t sysadm_home_t:dir search;			# /root/xxx
allow yam_t home_root_t:dir search;			# /home
allow yam_t user_home_dir_t:dir r_dir_perms;		# /home/user
##########
##########
#
# Running yam from cron
#
application_domain(yam_crond, `, nscd_client_domain')
role system_r types yam_crond_t;
# Presumably lets the system crontab enter yam_crond_t via yam_exec_t;
# confirm against the system_crond_entry macro.
ifdef(`crond.te', `
system_crond_entry(yam_exec_t, yam_crond_t)
')

yam_common(yam_crond)
# The cron domain declares no etc/tmp types of its own: it reads the
# yam_etc_t config and labels its tmp files yam_tmp_t, both presumably
# created by the etc_domain/tmp_domain calls in the command line block.
allow yam_crond_t yam_etc_t:file r_file_perms;
file_type_auto_trans(yam_crond_t, tmp_t, yam_tmp_t, `{ file dir }')

allow yam_crond_t devtty_t:chr_file { read write };

# Reading dotfiles...
# LFTP uses a directory for its dotfiles
# NOTE(review): default_t is typically the label of paths with no
# file_contexts match, so this search right is broader than the lftp
# dotfile directory alone; labelling that directory explicitly would
# avoid it.
allow yam_crond_t default_t:dir search;

# Don't know why init tries to read this.
allow initrc_t yam_etc_t:file { getattr read };
##########
##########
# The whole point of this program is to make updates available on a
# local web server.  Allow apache access to these files.
# Read-only: httpd_t never needs to write mirror content.
ifdef(`apache.te', `
r_dir_file(httpd_t, yam_content_t)
')

# webalizer presumably walks the web root; keep its probes of the
# mirror directories out of the audit log without granting access.
ifdef(`webalizer.te', `
dontaudit webalizer_t yam_content_t:dir search;
')

# Mount needs access to the yam directories in order to mount the ISO
# files on a loopback file system.
# NOTE(review): the file { read write } rule gives mount_t write access
# to every yam_content_t file, not only the ISO images; whether write is
# needed for a read-only loop mount should be confirmed.
ifdef(`mount.te', `
allow mount_t yam_content_t:dir mounton;
allow mount_t yam_content_t:file { read write };
')