
Commit 6571f50

authored
Merge pull request #932 from etbe/apt
apt-aptcacher
2 parents 9efd902 + 81cc6bc commit 6571f50


2 files changed

+16
-1
lines changed


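--- a/policy/modules/admin/apt.te
+++ b/policy/modules/admin/apt.te
@@ -106,6 +106,8 @@ files_read_etc_runtime_files(apt_t)
 
 fs_getattr_all_fs(apt_t)
 
+init_get_system_status(apt_t)
+
 term_create_pty(apt_t, apt_devpts_t)
 term_list_ptys(apt_t)
 term_use_all_terms(apt_t)
@@ -156,6 +158,7 @@ optional_policy(`
 
 optional_policy(`
 networkmanager_dbus_chat(apt_t)
+networkmanager_status(apt_t)
 ')
 
 optional_policy(`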
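Review bot: `init_get_system_status(apt_t)` in the first hunk is added without a comment saying what apt runs that queries the init system's status, so the next maintainer cannot tell whether the rule belongs to apt itself or to a helper it spawns. Presumably a package maintainer script or hook invoked from apt asks systemd about unit state, but that is inferred, not visible here. Refpolicy rules of this kind usually carry a one-line why-comment; something like `# TODO(review): name the hook or helper that queries init status` above the call would let a later audit confirm or drop the permission. The `networkmanager_status(apt_t)` addition in the second hunk sits correctly inside the existing optional_policy block and needs no change.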

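--- a/policy/modules/services/aptcacher.te
+++ b/policy/modules/services/aptcacher.te
@@ -36,7 +36,7 @@ files_runtime_file(aptcacher_runtime_t)
 # Local policy
 #
 
-allow aptcacher_t self:process signal;
+allow aptcacher_t self:process { signal getsched };
 
 allow aptcacher_t self:fifo_file rw_inherited_fifo_file_perms;
 allow aptcacher_t self:tcp_socket create_stream_socket_perms;
@@ -64,6 +64,8 @@ manage_files_pattern(aptcacher_t, aptcacher_log_t, aptcacher_log_t)
 
 manage_sock_files_pattern(aptcacher_t, aptcacher_runtime_t, aptcacher_runtime_t)
 
+kernel_read_kernel_sysctls(aptcacher_t)
+kernel_read_system_state(aptcacher_t)
 kernel_read_vm_overcommit_sysctl(aptcacher_t)
 
 # Calls system()
@@ -75,7 +77,11 @@ corenet_tcp_connect_http_port(aptcacher_t)
 
 auth_use_nsswitch(aptcacher_t)
 
+dev_read_rand(aptcacher_t)
+dev_read_urand(aptcacher_t)
+
 files_read_etc_files(aptcacher_t)
+files_read_usr_files(aptcacher_t)
 
 # Uses sd_notify() to inform systemd it has properly started
 init_dgram_send(aptcacher_t)
@@ -93,16 +99,22 @@ sysnet_mmap_config_files(aptcacher_t)
 # acngtool local policy
 #
 
+allow acngtool_t self:capability dac_override;
 allow acngtool_t self:tcp_socket create_stream_socket_perms;
 allow acngtool_t self:unix_stream_socket create_socket_perms;
 
 allow acngtool_t aptcacher_conf_t:dir list_dir_perms;
 allow acngtool_t aptcacher_conf_t:file mmap_read_file_perms;
 
+kernel_read_kernel_sysctls(acngtool_t)
+
 aptcacher_stream_connect(acngtool_t)
 
 corenet_tcp_connect_aptcacher_port(acngtool_t)
 
+dev_read_rand(acngtool_t)
+dev_read_urand(acngtool_t)
+
 auth_use_nsswitch(acngtool_t)
 
 # For some reasons it's trying to mmap /etc/hosts.deny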
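Review bot: `allow acngtool_t self:capability dac_override;` in the acngtool hunk grants the broadest discretionary-access bypass without a comment naming the file access that needs it; refpolicy review normally asks for `dac_read_search` instead when the denial came from reading a file the tool does not own, and for a why-comment above the rule such as `# reads <FILE PLACEHOLDER> owned by <OWNER PLACEHOLDER>` so a later audit can confirm or narrow it. If the denial was for a write or chmod, `dac_override` is the right capability, but it should still carry that comment. The same documentation gap applies to `kernel_read_system_state(aptcacher_t)` in the second hunk, which opens much of /proc to the daemon, and to the paired `dev_read_rand`/`dev_read_urand` calls for both domains in the third and fourth hunks: /dev/random is rarely needed where urandom is already granted, so either a comment naming the library that opens it or dropping `dev_read_rand` would make the intent checkable.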
