commit: c2817e17d2f7bad5c05f30a1a6dd5ea12574b927
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Tue Jun 17 12:41:05 2025 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jul 15 07:52:23 2025 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c2817e17
apt and aptcacher changes
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/admin/apt.te | 3 +++
policy/modules/services/aptcacher.te | 13 ++++++++++++-
2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te
index 5327f3ed8..7aea9c951 100644
--- a/policy/modules/admin/apt.te
+++ b/policy/modules/admin/apt.te
@@ -106,6 +106,8 @@ files_read_etc_runtime_files(apt_t)
fs_getattr_all_fs(apt_t)
+init_get_system_status(apt_t)
+
term_create_pty(apt_t, apt_devpts_t)
term_list_ptys(apt_t)
term_use_all_terms(apt_t)
@@ -156,6 +158,7 @@ optional_policy(`
optional_policy(`
networkmanager_dbus_chat(apt_t)
+ networkmanager_status(apt_t)
')
optional_policy(`
diff --git a/policy/modules/services/aptcacher.te
b/policy/modules/services/aptcacher.te
index 10a0e54e1..6131d48e8 100644
--- a/policy/modules/services/aptcacher.te
+++ b/policy/modules/services/aptcacher.te
@@ -36,7 +36,7 @@ files_runtime_file(aptcacher_runtime_t)
# Local policy
#
-allow aptcacher_t self:process signal;
+allow aptcacher_t self:process { signal getsched };
allow aptcacher_t self:fifo_file rw_inherited_fifo_file_perms;
allow aptcacher_t self:tcp_socket create_stream_socket_perms;
@@ -64,6 +64,8 @@ manage_files_pattern(aptcacher_t, aptcacher_log_t,
aptcacher_log_t)
manage_sock_files_pattern(aptcacher_t, aptcacher_runtime_t,
aptcacher_runtime_t)
+kernel_read_kernel_sysctls(aptcacher_t)
+kernel_read_system_state(aptcacher_t)
kernel_read_vm_overcommit_sysctl(aptcacher_t)
# Calls system()
@@ -75,7 +77,11 @@ corenet_tcp_connect_http_port(aptcacher_t)
auth_use_nsswitch(aptcacher_t)
+dev_read_rand(aptcacher_t)
+dev_read_urand(aptcacher_t)
+
files_read_etc_files(aptcacher_t)
+files_read_usr_files(aptcacher_t)
# Uses sd_notify() to inform systemd it has properly started
init_dgram_send(aptcacher_t)
@@ -93,14 +99,19 @@ sysnet_mmap_config_files(aptcacher_t)
# acngtool local policy
#
+allow acngtool_t self:capability dac_override;
allow acngtool_t self:tcp_socket create_stream_socket_perms;
allow acngtool_t self:unix_stream_socket create_socket_perms;
allow acngtool_t aptcacher_conf_t:dir list_dir_perms;
allow acngtool_t aptcacher_conf_t:file mmap_read_file_perms;
+kernel_read_kernel_sysctls(acngtool_t)
+
aptcacher_stream_connect(acngtool_t)
+dev_read_rand(acngtool_t)
+dev_read_urand(acngtool_t)
corenet_tcp_connect_aptcacher_port(acngtool_t)
auth_use_nsswitch(acngtool_t)
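Review bot: The new `allow acngtool_t self:capability dac_override;` line carries no comment saying why acngtool needs to bypass DAC, unlike the `# Calls system()` style used elsewhere in this file, and dac_override is one of the broadest capabilities a domain can be granted. Since the only file access acngtool_t gets in this hunk is list/mmap-read on aptcacher_conf_t, this looks like it may be reading a root-owned config as an unprivileged user, in which case fixing the file's DAC mode or ownership, or trying the narrower dac_read_search first, would be preferable, though the hunk does not show which denial prompted it. Suggest at least documenting the grant, e.g. `# TODO(review): confirm dac_override is required rather than dac_read_search or fixing aptcacher_conf_t DAC permissions`. Separately, the added `dev_read_rand(acngtool_t)` / `dev_read_urand(acngtool_t)` sit between `aptcacher_stream_connect` and `corenet_tcp_connect_aptcacher_port`, whereas refpolicy convention places kernel-layer interfaces (corenet_, dev_) before module interfaces such as aptcacher_, so they would normally follow the corenet line. The hunk's trailing context may continue past the end of the page.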