File: grokmirror.te

package info (click to toggle)
grokmirror 2.0.12-1
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 516 kB
  • sloc: python: 3,711; sh: 70; makefile: 8
file content (131 lines) | stat: -rw-r--r-- 4,559 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
 
##################
# Author: Konstantin Ryabitsev <konstantin@linuxfoundation.org>
#
policy_module(grokmirror, 1.1.1)

require {
    type gitosis_var_lib_t;
    type git_sys_content_t;
    type net_conf_t;
    type httpd_t;
    type ssh_home_t;
    type passwd_file_t;
    type postfix_etc_t;
}

##################
# Declarations

type grokmirror_t;
type grokmirror_exec_t;
init_daemon_domain(grokmirror_t, grokmirror_exec_t)

type grokmirror_var_lib_t;
files_type(grokmirror_var_lib_t)

type grokmirror_log_t;
logging_log_file(grokmirror_log_t)

type grokmirror_var_run_t;
files_pid_file(grokmirror_var_run_t)

type grokmirror_tmpfs_t;
files_tmpfs_file(grokmirror_tmpfs_t)

gen_tunable(grokmirror_connect_ssh, false)
gen_tunable(grokmirror_connect_all_unreserved, false)

# Uncomment to put these domains into permissive mode
permissive grokmirror_t;

##################
# Daemons policy

domain_use_interactive_fds(grokmirror_t)
files_read_etc_files(grokmirror_t)
miscfiles_read_localization(grokmirror_t)

# Logging
append_files_pattern(grokmirror_t, grokmirror_log_t, grokmirror_log_t)
create_files_pattern(grokmirror_t, grokmirror_log_t, grokmirror_log_t)
setattr_files_pattern(grokmirror_t, grokmirror_log_t, grokmirror_log_t)
logging_log_filetrans(grokmirror_t, grokmirror_log_t, { file dir })
logging_send_syslog_msg(grokmirror_t)

# Allow managing anything grokmirror_var_lib_t
manage_dirs_pattern(grokmirror_t, grokmirror_var_lib_t, grokmirror_var_lib_t)
manage_files_pattern(grokmirror_t, grokmirror_var_lib_t, grokmirror_var_lib_t)
manage_lnk_files_pattern(grokmirror_t, grokmirror_var_lib_t, grokmirror_var_lib_t)
manage_sock_files_pattern(grokmirror_t, grokmirror_var_lib_t, grokmirror_var_lib_t)

# Allow managing git repositories
manage_files_pattern(grokmirror_t, gitosis_var_lib_t, gitosis_var_lib_t)
manage_lnk_files_pattern(grokmirror_t, gitosis_var_lib_t, gitosis_var_lib_t)
manage_dirs_pattern(grokmirror_t, gitosis_var_lib_t, gitosis_var_lib_t)
manage_sock_files_pattern(grokmirror_t, gitosis_var_lib_t, gitosis_var_lib_t)

manage_files_pattern(grokmirror_t, git_sys_content_t, git_sys_content_t)
manage_lnk_files_pattern(grokmirror_t, git_sys_content_t, git_sys_content_t)
manage_dirs_pattern(grokmirror_t, git_sys_content_t, git_sys_content_t)
manage_sock_files_pattern(grokmirror_t, git_sys_content_t, git_sys_content_t)

# Allow executing bin (for git, mostly)
corecmd_exec_bin(grokmirror_t)
libs_exec_ldconfig(grokmirror_t)

# Allow managing httpd content in case the manifest is stored there
apache_manage_sys_content(grokmirror_t)

# git wants to access system state and other bits
kernel_dontaudit_read_system_state(grokmirror_t)

# Allow connecting to http, git
corenet_tcp_connect_http_port(grokmirror_t)
corenet_tcp_connect_git_port(grokmirror_t)
corenet_tcp_bind_generic_node(grokmirror_t)
corenet_tcp_sendrecv_generic_node(grokmirror_t)

# git needs to dns-resolve
sysnet_dns_name_resolve(grokmirror_t)

# Allow reading .netrc files
read_files_pattern(grokmirror_t, net_conf_t, net_conf_t)

# Post-hooks can use grep, which requires execmem
allow grokmirror_t self:process execmem;

fs_getattr_tmpfs(grokmirror_t)
manage_files_pattern(grokmirror_t, grokmirror_tmpfs_t, grokmirror_tmpfs_t)
fs_tmpfs_filetrans(grokmirror_t, grokmirror_tmpfs_t, file)

# Listener socket file
manage_dirs_pattern(grokmirror_t, grokmirror_var_run_t, grokmirror_var_run_t)
manage_files_pattern(grokmirror_t, grokmirror_var_run_t, grokmirror_var_run_t)
manage_sock_files_pattern(grokmirror_t, grokmirror_var_run_t, grokmirror_var_run_t)
files_pid_filetrans(grokmirror_t, grokmirror_var_run_t, { dir file sock_file })

# allow httpd to write to the listener socket
allow httpd_t grokmirror_t:unix_stream_socket connectto;

# Some bogus dontaudits
# ssh tries to open /etc/mailname, which the postfix module labels oddly
dontaudit grokmirror_t postfix_etc_t:file { getattr open read };

tunable_policy(`grokmirror_connect_all_unreserved',`
    corenet_sendrecv_all_client_packets(grokmirror_t)
    corenet_tcp_connect_all_unreserved_ports(grokmirror_t)
')

tunable_policy(`grokmirror_connect_ssh',`
    corenet_sendrecv_ssh_client_packets(grokmirror_t)
    corenet_tcp_connect_ssh_port(grokmirror_t)
    corenet_tcp_sendrecv_ssh_port(grokmirror_t)

    ssh_exec(grokmirror_t)
    ssh_read_user_home_files(grokmirror_t)

    # for the controlmaster socket
    manage_sock_files_pattern(grokmirror_t, ssh_home_t, ssh_home_t)
    allow grokmirror_t self:unix_stream_socket connectto;
    allow grokmirror_t passwd_file_t:file { getattr open read };
')