SELinux Mailing List

Re: New policy for yam

From: Daniel J Walsh <>
Date: Tue, 15 Mar 2005 09:20:30 -0500

David Hampton wrote:

>This is written on an FC3 base system using the selinux-policy-strict-
>sources-1.22.1-2 policy from March 11th. These are the first policies
>I've submitted so I'd appreciate any comments on how to write better

Why did you create a yam_crond_t? Why not just transition to yam_t from crond?


># yam
>/etc/yam.conf -- system_u:object_r:yam_etc_t
>/usr/bin/yam system_u:object_r:yam_exec_t
>/var/yam(/.*)? system_u:object_r:yam_content_t
>/var/www/yam(/.*)? system_u:object_r:yam_content_t
># DESC yam - Yum/Apt Mirroring
># Author: David Hampton <>
># Yam downloads lots of files, indexes them, and makes them available
># for upload. Define a type for these files.
>type yam_content_t, file_type, sysadmfile, httpdcontent;
># Common definitions used by both the command line and the cron
># invocation of yam.
># Update the content being managed by yam.
>create_dir_file($1_t, yam_content_t)
># Content can also be on ISO image files.
>r_dir_file($1_t, iso9660_t)
># Need to go through /var to get to /var/yam
># Go through /var/www to get to /var/www/yam
>allow $1_t var_t:dir { getattr search };
>allow $1_t httpd_sys_content_t:dir { getattr search };
># Allow access to locale database, nsswitch, and mtab
>allow $1_t etc_t:file { getattr read };
>allow $1_t etc_runtime_t:file { getattr read };
># Python seems to need things from various places
>allow $1_t { bin_t sbin_t }:dir { search getattr };
>allow $1_t { bin_t sbin_t lib_t usr_t }:file { getattr read };
>allow $1_t bin_t:lnk_file read;
># Python works fine without reading /proc/meminfo
>dontaudit $1_t proc_t:dir search;
>dontaudit $1_t proc_t:file { getattr read };
># Yam wants to run rsync, lftp, mount, and a shell. Allow the latter
># two here. Run rsync and lftp in the yam_t context so that we don't
># have to give any other programs write access to the yam_t files.
>can_exec($1_t, shell_exec_t)
>can_exec($1_t, rsync_exec_t)
>can_exec($1_t, bin_t)
>can_exec($1_t, usr_t) #/usr/share/createrepo/
>ifdef(`mount.te', `
>domain_auto_trans($1_t, mount_exec_t, mount_t)
># Rsync and lftp need to network. They also set file attributes to
># match what's on the remote server.
>allow $1_t self:capability { chown fowner fsetid dac_override };
># access to sysctl_kernel_t ( proc/sys/kernel/* )
># Programs invoked to build package lists need various permissions.
># genpkglist creates tmp files in /var/cache/apt/genpkglist
>allow $1_t var_t:file { getattr read write };
>allow $1_t var_t:dir read;
># mktemp
>allow $1_t urandom_device_t:chr_file read;
># mv
>allow $1_t proc_t:lnk_file read;
>allow $1_t selinux_config_t:dir search;
>allow $1_t selinux_config_t:file { getattr read };
># Running yam from the command line
>application_domain(yam, `, nscd_client_domain')
>role system_r types yam_t;
># Terminal access
>allow yam_t devpts_t:dir search;
>allow yam_t devtty_t:chr_file { read write };
>allow yam_t sshd_t:fd use;
>allow yam_t sysadm_devpts_t:chr_file { getattr ioctl read write };
># Reading dotfiles...
>dontaudit yam_t staff_home_dir_t:dir search; # /root
>allow yam_t home_root_t:dir search; # /home
>allow yam_t user_home_dir_t:dir { getattr search }; # /home/user
># Running yam from cron
>application_domain(yam_crond, `, nscd_client_domain')
>role system_r types yam_crond_t;
>ifdef(`crond.te', `
>system_crond_entry(yam_exec_t, yam_crond_t)
>allow yam_crond_t yam_etc_t:file r_file_perms;
>file_type_auto_trans(yam_crond_t, tmp_t, yam_tmp_t, `{ file dir }')
>allow yam_crond_t devtty_t:chr_file { read write };
># Reading dotfiles...
># LFTP uses a directory for its dotfiles
>allow yam_crond_t default_t:dir search;
># Don't know why init tries to read this.
>allow initrc_t yam_etc_t:file read;
># The whole point of this program is to make updates available on a
># local web server. Allow apache access to these files.
>ifdef(`apache.te', `
>allow httpd_t yam_content_t:dir { getattr search };
>allow httpd_t yam_content_t:file { getattr read };
>allow httpd_t yam_content_t:lnk_file { getattr read };
># Mount needs access to the yam directories in order to mount the ISO
># files on a loopback file system.
>ifdef(`mount.te', `
>allow mount_t yam_content_t:dir mounton;
>allow mount_t yam_content_t:file { read write };
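As an added illustration of the suggestion above (not code from the thread or from the yam package), this is the shape the cron section takes with a single yam_t domain that crond transitions into directly, using only the macros already present in the quoted policy; the `')` closers and an existing yam_tmp_t declaration are assumed:

```m4
# Added example, not from the original post: one yam_t domain reached
# both from an interactive shell and from crond, in place of a
# separate yam_crond_t domain. Macro names follow the quoted policy.
application_domain(yam, `, nscd_client_domain')
role system_r types yam_t;

# Rules that were previously attached to yam_crond_t now live on yam_t,
# so a cron run and a command-line run are governed by one rule set.
allow yam_t yam_etc_t:file r_file_perms;
file_type_auto_trans(yam_t, tmp_t, yam_tmp_t, `{ file dir }')
allow yam_t devtty_t:chr_file { read write };
# LFTP uses a directory for its dotfiles
allow yam_t default_t:dir search;

# crond enters yam_t when it executes a yam_exec_t file; nothing else
# changes, because the transition target is the existing domain.
ifdef(`crond.te', `
system_crond_entry(yam_exec_t, yam_t)
')
```

With one domain, every permission yam needs is declared and audited once rather than kept in step across two domains.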


Received on Tue 15 Mar 2005 - 09:29:04 EST

Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009


National Security Agency / Central Security Service