From f30e6ea8c645fb55d41491f085f5a2a06085aa2f Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Fri, 28 Apr 2006 18:30:02 +0000 Subject: [PATCH] add yam, bug 1554 --- refpolicy/Changelog | 1 + refpolicy/policy/modules/apps/yam.fc | 6 + refpolicy/policy/modules/apps/yam.if | 76 ++++++++++ refpolicy/policy/modules/apps/yam.te | 134 ++++++++++++++++++ refpolicy/policy/modules/kernel/files.if | 19 +++ refpolicy/policy/modules/kernel/files.te | 2 +- refpolicy/policy/modules/kernel/filesystem.if | 21 +++ refpolicy/policy/modules/kernel/filesystem.te | 2 +- refpolicy/policy/modules/services/apache.te | 6 +- refpolicy/policy/modules/services/rsync.if | 18 +++ refpolicy/policy/modules/services/rsync.te | 2 +- refpolicy/policy/modules/system/userdomain.te | 6 +- 12 files changed, 288 insertions(+), 5 deletions(-) create mode 100644 refpolicy/policy/modules/apps/yam.fc create mode 100644 refpolicy/policy/modules/apps/yam.if create mode 100644 refpolicy/policy/modules/apps/yam.te diff --git a/refpolicy/Changelog b/refpolicy/Changelog index aeccccd7..e7e4abd2 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -81,6 +81,7 @@ vmware xen (Dan Walsh) xprint + yam * Tue Mar 07 2006 Chris PeBenito - 20060307 - Make all interface parameters required. diff --git a/refpolicy/policy/modules/apps/yam.fc b/refpolicy/policy/modules/apps/yam.fc new file mode 100644 index 00000000..2875fb6a --- /dev/null +++ b/refpolicy/policy/modules/apps/yam.fc @@ -0,0 +1,6 @@ +/etc/yam.conf -- gen_context(system_u:object_r:yam_etc_t,s0) + +/usr/bin/yam -- gen_context(system_u:object_r:yam_exec_t,s0) + +/var/yam(/.*)? gen_context(system_u:object_r:yam_content_t,s0) +/var/www/yam(/.*)? gen_context(system_u:object_r:yam_content_t,s0) diff --git a/refpolicy/policy/modules/apps/yam.if b/refpolicy/policy/modules/apps/yam.if new file mode 100644 index 00000000..450fb4e7 --- /dev/null +++ b/refpolicy/policy/modules/apps/yam.if 
@@ -0,0 +1,76 @@
+## Yum/Apt Mirroring
+
+########################################
+##
+## Execute yam in the yam domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`yam_domtrans',`
+ gen_require(`
+ type yam_t, yam_exec_t;
+ ')
+
+ corecmd_search_sbin($1)
+ domain_auto_trans($1,yam_exec_t,yam_t)
+
+ allow $1 yam_t:fd use;
+ allow yam_t $1:fd use;
+ allow yam_t $1:fifo_file rw_file_perms;
+ allow yam_t $1:process sigchld;
+')
+
+########################################
+##
+## Execute yam in the yam domain, and
+## allow the specified role the yam domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed the yam domain.
+##
+##
+##
+##
+## The type of the terminal allow the yam domain to use.
+##
+##
+#
+interface(`yam_run',`
+ gen_require(`
+ type yam_t;
+ ')
+
+ yam_domtrans($1)
+ role $2 types yam_t;
+ allow yam_t $3:chr_file rw_term_perms;
+')
+
+########################################
+##
+## Read yam content.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`yam_read_content',`
+ gen_require(`
+ type yam_content_t;
+ ')
+
+ allow $1 yam_content_t:dir list_dir_perms;
+ allow $1 yam_content_t:file read_file_perms;
+ allow $1 yam_content_t:lnk_file { getattr read };
+')
diff --git a/refpolicy/policy/modules/apps/yam.te b/refpolicy/policy/modules/apps/yam.te
new file mode 100644
index 00000000..90e1c04e
--- /dev/null
+++ b/refpolicy/policy/modules/apps/yam.te
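Review bot: `corecmd_search_sbin($1)` in yam_domtrans gives the caller search on sbin_t, but yam.fc in this same patch labels the binary as `/usr/bin/yam`, a path refpolicy's corecommands contexts place under bin_t, so the search grant does not cover the directory the transition actually goes through. A caller such as sysadm_t will not notice because it already has broad search access; a more confined caller that relies on this interface alone would fail to reach the executable. The drop-in change is `corecmd_search_bin($1)` (or both, if a /usr/sbin location is also intended).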
@@ -0,0 +1,134 @@
+
+policy_module(yam,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type yam_t alias yam_crond_t;
+type yam_exec_t;
+domain_type(yam_t)
+domain_entry_file(yam_t,yam_exec_t)
+
+type yam_content_t;
+files_mountpoint(yam_content_t)
+
+type yam_etc_t;
+files_config_file(yam_etc_t)
+
+type yam_tmp_t;
+files_tmp_file(yam_tmp_t)
+
+########################################
+#
+# Local policy
+#
+
+allow yam_t self:capability { chown fowner fsetid dac_override };
+allow yam_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow yam_t self:process execmem;
+allow yam_t self:fd use;
+allow yam_t self:fifo_file rw_file_perms;
+allow yam_t self:unix_stream_socket { create_stream_socket_perms connectto };
+allow yam_t self:unix_dgram_socket { create_socket_perms sendto };
+allow yam_t self:shm create_shm_perms;
+allow yam_t self:sem create_sem_perms;
+allow yam_t self:msgq create_msgq_perms;
+allow yam_t self:msg { send receive };
+allow yam_t self:tcp_socket create_socket_perms;
+allow yam_t self:udp_socket create_socket_perms;
+
+# Update the content being managed by yam.
+allow yam_t yam_content_t:dir create_dir_perms;
+allow yam_t yam_content_t:file create_file_perms;
+allow yam_t yam_content_t:lnk_file create_lnk_perms;
+
+allow yam_t yam_etc_t:file { getattr read };
+files_search_etc(yam_t)
+
+allow yam_t yam_tmp_t:dir create_dir_perms;
+allow yam_t yam_tmp_t:file create_file_perms;
+files_tmp_filetrans(yam_t, yam_tmp_t, { file dir })
+
+kernel_read_kernel_sysctls(yam_t)
+kernel_read_proc_symlinks(yam_t)
+# Python works fine without reading /proc/meminfo
+kernel_dontaudit_read_system_state(yam_t)
+
+corecmd_exec_shell(yam_t)
+corecmd_exec_bin(yam_t)
+
+# Rsync and lftp need to network. They also set files attributes to
+# match whats on the remote server.
+corenet_tcp_sendrecv_generic_if(yam_t)
+corenet_udp_sendrecv_generic_if(yam_t)
+corenet_raw_sendrecv_generic_if(yam_t)
+corenet_tcp_sendrecv_all_nodes(yam_t)
+corenet_udp_sendrecv_all_nodes(yam_t)
+corenet_raw_sendrecv_all_nodes(yam_t)
+corenet_tcp_sendrecv_all_ports(yam_t)
+corenet_udp_sendrecv_all_ports(yam_t)
+corenet_non_ipsec_sendrecv(yam_t)
+corenet_tcp_bind_all_nodes(yam_t)
+corenet_udp_bind_all_nodes(yam_t)
+corenet_tcp_connect_http_port(yam_t)
+corenet_tcp_connect_rsync_port(yam_t)
+
+# mktemp
+dev_read_urand(yam_t)
+
+files_read_etc_files(yam_t)
+files_read_etc_runtime_files(yam_t)
+# /usr/share/createrepo/genpkgmetadata.py:
+files_exec_usr_files(yam_t)
+# Programs invoked to build package lists need various permissions.
+# genpkglist creates tmp files in /var/cache/apt/genpkglist
+files_rw_var_files(yam_t)
+
+fs_search_auto_mountpoints(yam_t)
+# Content can also be on ISO image files.
+fs_read_iso9660_files(yam_t)
+
+term_search_ptys(yam_t)
+
+libs_use_ld_so(yam_t)
+libs_use_shared_libs(yam_t)
+
+logging_send_syslog_msg(yam_t)
+
+miscfiles_read_localization(yam_t)
+
+seutil_read_config(yam_t)
+
+sysnet_read_config(yam_t)
+
+userdom_use_unpriv_users_fds(yam_t)
+# Reading dotfiles...
+# cjp: ?
+userdom_search_all_users_home_dirs(yam_t)
+
+# The whole point of this program is to make updates available on a
+# local web server. Need to go through /var to get to /var/yam
+# Go through /var/www to get to /var/www/yam
+apache_search_sys_content(yam_t)
+
+optional_policy(`
+ cron_system_entry(yam_t,yam_exec_t)
+')
+
+optional_policy(`
+ mount_domtrans(yam_t)
+')
+
+optional_policy(`
+ nis_use_ypbind(yam_t)
+')
+
+optional_policy(`
+ nscd_socket_use(yam_t)
+')
+
+optional_policy(`
+ rsync_exec(yam_t)
+')
diff --git a/refpolicy/policy/modules/kernel/files.if b/refpolicy/policy/modules/kernel/files.if
index c990af74..77dad24c 100644
--- a/refpolicy/policy/modules/kernel/files.if
+++ b/refpolicy/policy/modules/kernel/files.if
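Review bot: `files_rw_var_files(yam_t)` in the middle of this hunk gives yam_t `rw_dir_perms` on every var_t directory and `create_file_perms` on every var_t file, which is far wider than the need the comment states (genpkglist's temporary files under /var/cache/apt/genpkglist) and lets a compromised mirror job create, unlink or overwrite anything in /var that still carries the generic type. The module already shows the right pattern with yam_tmp_t and files_tmp_filetrans, so the same shape fits here: a private type for the genpkglist cache directory with a file-context entry and a filetrans from var_t, and the generic grant removed. Two smaller items in the same block: the `corenet_raw_sendrecv_*` and `corenet_*_bind_all_nodes` rules have no `self:rawip_socket` permission or bind rationale in the hunk to go with them, and `dac_override` in the capability set is not covered by the "set file attributes to match the remote server" comment that explains chown/fowner/fsetid. Also `~{ ... execmem ... }` immediately followed by `allow yam_t self:process execmem;` cancels itself; either drop execmem from the exclusion list or keep the exclusion and add a comment saying which component needs execmem.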
@@ -3181,6 +3181,25 @@ interface(`files_read_var_files',`
 allow $1 var_t:file r_file_perms;
 ')
+########################################
+##
+## Read and write files in the /var directory.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`files_rw_var_files',`
+ gen_require(`
+ type var_t;
+ ')
+
+ allow $1 var_t:dir rw_dir_perms;
+ allow $1 var_t:file create_file_perms;
+')
+
 ########################################
 ##
 ## Create, read, write, and delete files in the /var directory.
diff --git a/refpolicy/policy/modules/kernel/files.te b/refpolicy/policy/modules/kernel/files.te
index 3f0a33ca..947082f9 100644
--- a/refpolicy/policy/modules/kernel/files.te
+++ b/refpolicy/policy/modules/kernel/files.te
@@ -1,5 +1,5 @@
-policy_module(files,1.2.8)
+policy_module(files,1.2.9)
 ########################################
 #
diff --git a/refpolicy/policy/modules/kernel/filesystem.if b/refpolicy/policy/modules/kernel/filesystem.if
index a4930d95..3312c1ec 100644
--- a/refpolicy/policy/modules/kernel/filesystem.if
+++ b/refpolicy/policy/modules/kernel/filesystem.if
@@ -1125,6 +1125,27 @@ interface(`fs_getattr_iso9660_fs',`
 allow $1 iso9660_t:filesystem getattr;
 ')
+########################################
+##
+## Read files on an iso9660 filesystem, which
+## is usually used on CDs.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`fs_read_iso9660_files',`
+ gen_require(`
+ type iso9660_t;
+ ')
+
+ allow $1 iso9660_t:dir list_dir_perms;
+ allow $1 iso9660_t:file read_file_perms;
+ allow $1 iso9660_t:lnk_file { getattr read };
+')
+
 ########################################
 ##
 ## Mount a NFS filesystem.
diff --git a/refpolicy/policy/modules/kernel/filesystem.te b/refpolicy/policy/modules/kernel/filesystem.te
index f9491c09..f947f635 100644
--- a/refpolicy/policy/modules/kernel/filesystem.te
+++ b/refpolicy/policy/modules/kernel/filesystem.te
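Review bot: The summary `Read and write files in the /var directory` undersells what files_rw_var_files grants: `rw_dir_perms` on var_t directories plus `create_file_perms` on var_t files, and in refpolicy's permission-set macros create_file_perms carries create, unlink, rename and link as well as read/write, so a caller can add and delete arbitrary generically-labelled files in /var rather than only touch existing ones. That makes it a near duplicate of the `Create, read, write, and delete files in the /var directory` interface visible in the context lines just below, and two interfaces with almost the same grant invite the wrong one being picked by the next module author. Either trim the rules to match the name (`allow $1 var_t:dir list_dir_perms;` and `allow $1 var_t:file rw_file_perms;`) or drop this interface and have callers use the existing manage one.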
@@ -1,5 +1,5 @@
-policy_module(filesystem,1.3.5)
+policy_module(filesystem,1.3.6)
 ########################################
 #
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index e4d9dbee..8f1bdd57 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -1,5 +1,5 @@
-policy_module(apache,1.3.7)
+policy_module(apache,1.3.8)
 #
 # NOTES:
@@ -443,6 +443,10 @@ optional_policy(`
 udev_read_db(httpd_t)
 ')
+optional_policy(`
+ yam_read_content(httpd_t)
+')
+
 ifdef(`TODO',`
 can_tcp_connect(web_client_domain, httpd_t)
diff --git a/refpolicy/policy/modules/services/rsync.if b/refpolicy/policy/modules/services/rsync.if
index 78e11fc4..9f1bdd8d 100644
--- a/refpolicy/policy/modules/services/rsync.if
+++ b/refpolicy/policy/modules/services/rsync.if
@@ -84,3 +84,21 @@ interface(`rsync_entry_domtrans',`
 domain_auto_trans($1,rsync_exec_t,$2)
 ')
+
+########################################
+##
+## Execute rsync in the caller domain domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`rsync_exec',`
+ gen_require(`
+ type rsync_exec_t;
+ ')
+
+ can_exec($1,rsync_exec_t)
+')
diff --git a/refpolicy/policy/modules/services/rsync.te b/refpolicy/policy/modules/services/rsync.te
index 7e4cba2c..ec485258 100644
--- a/refpolicy/policy/modules/services/rsync.te
+++ b/refpolicy/policy/modules/services/rsync.te
@@ -1,5 +1,5 @@
-policy_module(rsync,1.2.2)
+policy_module(rsync,1.2.3)
 ########################################
 #
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 603d1eb4..0931a3ff 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain,1.3.20)
+policy_module(userdomain,1.3.21)
 gen_require(`
 role sysadm_r, staff_r, user_r;
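Review bot: `yam_read_content(httpd_t)` is added unconditionally, and because yam.fc in this patch gives both /var/www/yam and /var/yam the single type yam_content_t, httpd_t can now read whatever yam keeps under /var/yam as well as the tree under the web root, with no tunable to switch it off. If /var/yam is meant to hold the same mirrored content that is served, a comment on this block saying so would save the next reader the question; if it is not, the fix is a separate type for the non-web path so the web server only sees the exported tree. As written, anything yam_t (including runs under the cron alias yam_crond_t) writes into /var/yam becomes readable by the web server.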
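Review bot: The summary on the new rsync_exec interface reads `Execute rsync in the caller domain domain.`; drop the doubled word so it reads `Execute rsync in the caller domain.`. It is also worth one more sentence there noting that, unlike rsync_entry_domtrans in the context lines above it, this keeps rsync in the caller's own domain, so every capability the caller holds (yam_t gets chown, fowner, fsetid and dac_override in this same patch) is available to rsync's file handling, which is the trade-off a module author should see before picking this interface over the transition.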
@@ -436,4 +436,8 @@ ifdef(`targeted_policy',`
 optional_policy(`
 webalizer_run(sysadm_t,sysadm_r,admin_terminal)
 ')
+
+ optional_policy(`
+ yam_run(sysadm_t,sysadm_r,admin_terminal)
+ ')
 ')