[people/stevee/selinux-policy.git] / policy / modules / admin / dpkg.te


policy_module(dpkg, 1.5.0)

########################################
#
# Declarations
#

type dpkg_t;
type dpkg_exec_t;
# dpkg can start/stop services
init_system_domain(dpkg_t, dpkg_exec_t)
# dpkg can change file labels, roles, IO
domain_obj_id_change_exemption(dpkg_t)
domain_role_change_exemption(dpkg_t)
domain_system_change_exemption(dpkg_t)
domain_interactive_fd(dpkg_t)
role system_r types dpkg_t;

# lockfile
type dpkg_lock_t;
files_type(dpkg_lock_t)

type dpkg_tmp_t;
files_tmp_file(dpkg_tmp_t)

type dpkg_tmpfs_t;
files_tmpfs_file(dpkg_tmpfs_t)

# status files
type dpkg_var_lib_t alias var_lib_dpkg_t;
files_type(dpkg_var_lib_t)

# package scripts
type dpkg_script_t;
domain_type(dpkg_script_t)
domain_entry_file(dpkg_t, dpkg_var_lib_t)
corecmd_shell_entry_type(dpkg_script_t)
domain_obj_id_change_exemption(dpkg_script_t)
domain_system_change_exemption(dpkg_script_t)
domain_interactive_fd(dpkg_script_t)
role system_r types dpkg_script_t;

type dpkg_script_tmp_t;
files_tmp_file(dpkg_script_tmp_t)

type dpkg_script_tmpfs_t;
files_tmpfs_file(dpkg_script_tmpfs_t)

########################################
#
# dpkg Local policy
#

allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
allow dpkg_t self:process { setpgid fork getsched setfscreate };
allow dpkg_t self:fd use;
allow dpkg_t self:fifo_file rw_fifo_file_perms;
allow dpkg_t self:unix_dgram_socket create_socket_perms;
allow dpkg_t self:unix_stream_socket rw_stream_socket_perms;
allow dpkg_t self:unix_dgram_socket sendto;
allow dpkg_t self:unix_stream_socket connectto;
allow dpkg_t self:udp_socket { connect create_socket_perms };
allow dpkg_t self:tcp_socket create_stream_socket_perms;
allow dpkg_t self:shm create_shm_perms;
allow dpkg_t self:sem create_sem_perms;
allow dpkg_t self:msgq create_msgq_perms;
allow dpkg_t self:msg { send receive };

allow dpkg_t dpkg_lock_t:file manage_file_perms;

manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir })

manage_dirs_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
manage_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
manage_lnk_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
manage_sock_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
manage_fifo_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
fs_tmpfs_filetrans(dpkg_t, dpkg_tmpfs_t, { dir file lnk_file sock_file fifo_file })

# Access /var/lib/dpkg files
manage_files_pattern(dpkg_t, dpkg_var_lib_t, dpkg_var_lib_t)
files_var_lib_filetrans(dpkg_t, dpkg_var_lib_t, dir)

kernel_read_system_state(dpkg_t)
kernel_read_kernel_sysctls(dpkg_t)

corecmd_exec_all_executables(dpkg_t)

# TODO: do we really need all networking?
corenet_all_recvfrom_unlabeled(dpkg_t)
corenet_all_recvfrom_netlabel(dpkg_t)
corenet_tcp_sendrecv_all_if(dpkg_t)
corenet_raw_sendrecv_all_if(dpkg_t)
corenet_udp_sendrecv_all_if(dpkg_t)
corenet_tcp_sendrecv_all_nodes(dpkg_t)
corenet_raw_sendrecv_all_nodes(dpkg_t)
corenet_udp_sendrecv_all_nodes(dpkg_t)
corenet_tcp_sendrecv_all_ports(dpkg_t)
corenet_udp_sendrecv_all_ports(dpkg_t)
corenet_tcp_connect_all_ports(dpkg_t)
corenet_sendrecv_all_client_packets(dpkg_t)

dev_list_sysfs(dpkg_t)
dev_list_usbfs(dpkg_t)
dev_read_urand(dpkg_t)
#devices_manage_all_device_types(dpkg_t)

domain_read_all_domains_state(dpkg_t)
domain_getattr_all_domains(dpkg_t)
domain_dontaudit_ptrace_all_domains(dpkg_t)
domain_use_interactive_fds(dpkg_t)
domain_dontaudit_getattr_all_pipes(dpkg_t)
domain_dontaudit_getattr_all_tcp_sockets(dpkg_t)
domain_dontaudit_getattr_all_udp_sockets(dpkg_t)
domain_dontaudit_getattr_all_packet_sockets(dpkg_t)
domain_dontaudit_getattr_all_raw_sockets(dpkg_t)
domain_dontaudit_getattr_all_stream_sockets(dpkg_t)
domain_dontaudit_getattr_all_dgram_sockets(dpkg_t)

fs_manage_nfs_dirs(dpkg_t)
fs_manage_nfs_files(dpkg_t)
fs_manage_nfs_symlinks(dpkg_t)
fs_getattr_all_fs(dpkg_t)
fs_search_auto_mountpoints(dpkg_t)

mls_file_read_all_levels(dpkg_t)
mls_file_write_all_levels(dpkg_t)
mls_file_upgrade(dpkg_t)

selinux_get_fs_mount(dpkg_t)
selinux_validate_context(dpkg_t)
selinux_compute_access_vector(dpkg_t)
selinux_compute_create_context(dpkg_t)
selinux_compute_relabel_context(dpkg_t)
selinux_compute_user_contexts(dpkg_t)

storage_raw_write_fixed_disk(dpkg_t)
# for installing kernel packages
storage_raw_read_fixed_disk(dpkg_t)

term_list_ptys(dpkg_t)

auth_relabel_all_files_except_shadow(dpkg_t)
auth_manage_all_files_except_shadow(dpkg_t)
auth_dontaudit_read_shadow(dpkg_t)

files_exec_etc_files(dpkg_t)

init_domtrans_script(dpkg_t)
init_use_script_ptys(dpkg_t)

libs_use_ld_so(dpkg_t)
libs_use_shared_libs(dpkg_t)
libs_exec_ld_so(dpkg_t)
libs_exec_lib_files(dpkg_t)
libs_domtrans_ldconfig(dpkg_t)

logging_send_syslog_msg(dpkg_t)

# allow compiling and loading new policy
seutil_manage_src_policy(dpkg_t)
seutil_manage_bin_policy(dpkg_t)

sysnet_read_config(dpkg_t)

userdom_use_unpriv_users_fds(dpkg_t)

# transition to dpkg script:
dpkg_domtrans_script(dpkg_t)
# since the scripts aren't labeled correctly yet...
allow dpkg_t dpkg_var_lib_t:file mmap_file_perms;

optional_policy(`
	apt_use_ptys(dpkg_t)
')

# TODO: allow?
#optional_policy(`
#	cron_system_entry(dpkg_t,dpkg_exec_t)
#')

optional_policy(`
	nis_use_ypbind(dpkg_t)
')

optional_policy(`
	unconfined_domain(dpkg_t)
')

# TODO: the following was copied from dpkg_script_t, and could probably
# be removed again when dpkg_script_t is actually used...
domain_signal_all_domains(dpkg_t)
domain_signull_all_domains(dpkg_t)
files_read_etc_runtime_files(dpkg_t)
files_exec_usr_files(dpkg_t)
miscfiles_read_localization(dpkg_t)
modutils_domtrans_depmod(dpkg_t)
modutils_domtrans_insmod(dpkg_t)
seutil_domtrans_loadpolicy(dpkg_t)
seutil_domtrans_setfiles(dpkg_t)
userdom_use_all_users_fds(dpkg_t)
optional_policy(`
	mta_send_mail(dpkg_t)
')
optional_policy(`
	usermanage_domtrans_groupadd(dpkg_t)
	usermanage_domtrans_useradd(dpkg_t)
')

########################################
#
# dpkg-script Local policy
#
# TODO: actually use dpkg_script_t

allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow dpkg_script_t self:fd use;
allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
allow dpkg_script_t self:unix_stream_socket rw_stream_socket_perms;
allow dpkg_script_t self:unix_dgram_socket sendto;
allow dpkg_script_t self:unix_stream_socket connectto;
allow dpkg_script_t self:shm create_shm_perms;
allow dpkg_script_t self:sem create_sem_perms;
allow dpkg_script_t self:msgq create_msgq_perms;
allow dpkg_script_t self:msg { send receive };

allow dpkg_script_t dpkg_tmp_t:file read_file_perms;

allow dpkg_script_t dpkg_script_tmp_t:dir { manage_dir_perms mounton };
allow dpkg_script_t dpkg_script_tmp_t:file manage_file_perms;
files_tmp_filetrans(dpkg_script_t, dpkg_script_tmp_t, { file dir })

allow dpkg_script_t dpkg_script_tmpfs_t:dir manage_dir_perms;
allow dpkg_script_t dpkg_script_tmpfs_t:file manage_file_perms;
allow dpkg_script_t dpkg_script_tmpfs_t:lnk_file manage_lnk_file_perms;
allow dpkg_script_t dpkg_script_tmpfs_t:sock_file manage_sock_file_perms;
allow dpkg_script_t dpkg_script_tmpfs_t:fifo_file manage_fifo_file_perms;
fs_tmpfs_filetrans(dpkg_script_t, dpkg_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })

kernel_read_kernel_sysctls(dpkg_script_t)
kernel_read_system_state(dpkg_script_t)

corecmd_exec_all_executables(dpkg_script_t)

dev_list_sysfs(dpkg_script_t)
# ideally we would not need this
dev_manage_generic_blk_files(dpkg_script_t)
dev_manage_generic_chr_files(dpkg_script_t)
dev_manage_all_blk_files(dpkg_script_t)
dev_manage_all_chr_files(dpkg_script_t)

domain_read_all_domains_state(dpkg_script_t)
domain_getattr_all_domains(dpkg_script_t)
domain_dontaudit_ptrace_all_domains(dpkg_script_t)
domain_use_interactive_fds(dpkg_script_t)
domain_signal_all_domains(dpkg_script_t)
domain_signull_all_domains(dpkg_script_t)

files_exec_etc_files(dpkg_script_t)
files_read_etc_runtime_files(dpkg_script_t)
files_exec_usr_files(dpkg_script_t)

fs_manage_nfs_files(dpkg_script_t)
fs_getattr_nfs(dpkg_script_t)
# why is this not using mount?
fs_getattr_xattr_fs(dpkg_script_t)
fs_mount_xattr_fs(dpkg_script_t)
fs_unmount_xattr_fs(dpkg_script_t)
fs_search_auto_mountpoints(dpkg_script_t)

mls_file_read_all_levels(dpkg_script_t)
mls_file_write_all_levels(dpkg_script_t)

selinux_get_fs_mount(dpkg_script_t)
selinux_validate_context(dpkg_script_t)
selinux_compute_access_vector(dpkg_script_t)
selinux_compute_create_context(dpkg_script_t)
selinux_compute_relabel_context(dpkg_script_t)
selinux_compute_user_contexts(dpkg_script_t)

storage_raw_read_fixed_disk(dpkg_script_t)
storage_raw_write_fixed_disk(dpkg_script_t)

term_getattr_unallocated_ttys(dpkg_script_t)
term_list_ptys(dpkg_script_t)
term_use_all_terms(dpkg_script_t)

auth_dontaudit_getattr_shadow(dpkg_script_t)
# ideally we would not need this
auth_manage_all_files_except_shadow(dpkg_script_t)

init_domtrans_script(dpkg_script_t)
init_use_script_fds(dpkg_script_t)

libs_use_ld_so(dpkg_script_t)
libs_use_shared_libs(dpkg_script_t)
libs_exec_ld_so(dpkg_script_t)
libs_exec_lib_files(dpkg_script_t)
libs_domtrans_ldconfig(dpkg_script_t)

logging_send_syslog_msg(dpkg_script_t)

miscfiles_read_localization(dpkg_script_t)

modutils_domtrans_depmod(dpkg_script_t)
modutils_domtrans_insmod(dpkg_script_t)

seutil_domtrans_loadpolicy(dpkg_script_t)
seutil_domtrans_setfiles(dpkg_script_t)

userdom_use_all_users_fds(dpkg_script_t)

tunable_policy(`allow_execmem',`
	allow dpkg_script_t self:process execmem;
')

optional_policy(`
	apt_rw_pipes(dpkg_script_t)
	apt_use_fds(dpkg_script_t)
')

optional_policy(`
	bootloader_domtrans(dpkg_script_t)
')

optional_policy(`
	mta_send_mail(dpkg_script_t)
')

optional_policy(`
	nis_use_ypbind(dpkg_script_t)
')

optional_policy(`
	unconfined_domain(dpkg_script_t)
')

optional_policy(`
	usermanage_domtrans_groupadd(dpkg_script_t)
	usermanage_domtrans_useradd(dpkg_script_t)
')
Commit	Line	Data
0c54fcf8	1
0bfccda4	2	policy_module(dpkg, 1.5.0)
0c54fcf8 CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	type dpkg_t;
	10	type dpkg_exec_t;
	11	# dpkg can start/stop services
0bfccda4	12	init_system_domain(dpkg_t, dpkg_exec_t)
0c54fcf8 CP	13	# dpkg can change file labels, roles, IO
	14	domain_obj_id_change_exemption(dpkg_t)
	15	domain_role_change_exemption(dpkg_t)
	16	domain_system_change_exemption(dpkg_t)
	17	domain_interactive_fd(dpkg_t)
	18	role system_r types dpkg_t;
	19
	20	# lockfile
	21	type dpkg_lock_t;
	22	files_type(dpkg_lock_t)
	23
	24	type dpkg_tmp_t;
	25	files_tmp_file(dpkg_tmp_t)
	26
	27	type dpkg_tmpfs_t;
	28	files_tmpfs_file(dpkg_tmpfs_t)
	29
	30	# status files
	31	type dpkg_var_lib_t alias var_lib_dpkg_t;
	32	files_type(dpkg_var_lib_t)
	33
	34	# package scripts
	35	type dpkg_script_t;
	36	domain_type(dpkg_script_t)
	37	domain_entry_file(dpkg_t, dpkg_var_lib_t)
	38	corecmd_shell_entry_type(dpkg_script_t)
	39	domain_obj_id_change_exemption(dpkg_script_t)
	40	domain_system_change_exemption(dpkg_script_t)
	41	domain_interactive_fd(dpkg_script_t)
	42	role system_r types dpkg_script_t;
	43
	44	type dpkg_script_tmp_t;
	45	files_tmp_file(dpkg_script_tmp_t)
	46
	47	type dpkg_script_tmpfs_t;
	48	files_tmpfs_file(dpkg_script_tmpfs_t)
	49
	50	########################################
	51	#
	52	# dpkg Local policy
	53	#
	54
	55	allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
	56	allow dpkg_t self:process { setpgid fork getsched setfscreate };
	57	allow dpkg_t self:fd use;
c0868a7a	58	allow dpkg_t self:fifo_file rw_fifo_file_perms;
0c54fcf8 CP	59	allow dpkg_t self:unix_dgram_socket create_socket_perms;
	60	allow dpkg_t self:unix_stream_socket rw_stream_socket_perms;
	61	allow dpkg_t self:unix_dgram_socket sendto;
	62	allow dpkg_t self:unix_stream_socket connectto;
	63	allow dpkg_t self:udp_socket { connect create_socket_perms };
	64	allow dpkg_t self:tcp_socket create_stream_socket_perms;
	65	allow dpkg_t self:shm create_shm_perms;
	66	allow dpkg_t self:sem create_sem_perms;
	67	allow dpkg_t self:msgq create_msgq_perms;
	68	allow dpkg_t self:msg { send receive };
	69
	70	allow dpkg_t dpkg_lock_t:file manage_file_perms;
	71
0bfccda4 CP	72	manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
0bfccda4 CP	73	manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
0c54fcf8 CP	74	files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir })
0c54fcf8 CP	75
0bfccda4 CP	76	manage_dirs_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
	77	manage_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
	78	manage_lnk_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
	79	manage_sock_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
	80	manage_fifo_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
	81	fs_tmpfs_filetrans(dpkg_t, dpkg_tmpfs_t, { dir file lnk_file sock_file fifo_file })
0c54fcf8 CP	82
0c54fcf8 CP	83	# Access /var/lib/dpkg files
0bfccda4 CP	84	manage_files_pattern(dpkg_t, dpkg_var_lib_t, dpkg_var_lib_t)
0bfccda4 CP	85	files_var_lib_filetrans(dpkg_t, dpkg_var_lib_t, dir)
0c54fcf8 CP	86
	87	kernel_read_system_state(dpkg_t)
	88	kernel_read_kernel_sysctls(dpkg_t)
	89
fb63d0b5	90	corecmd_exec_all_executables(dpkg_t)
0c54fcf8 CP	91
0c54fcf8 CP	92	# TODO: do we really need all networking?
19006686 CP	93	corenet_all_recvfrom_unlabeled(dpkg_t)
19006686 CP	94	corenet_all_recvfrom_netlabel(dpkg_t)
0c54fcf8 CP	95	corenet_tcp_sendrecv_all_if(dpkg_t)
	96	corenet_raw_sendrecv_all_if(dpkg_t)
	97	corenet_udp_sendrecv_all_if(dpkg_t)
	98	corenet_tcp_sendrecv_all_nodes(dpkg_t)
	99	corenet_raw_sendrecv_all_nodes(dpkg_t)
	100	corenet_udp_sendrecv_all_nodes(dpkg_t)
	101	corenet_tcp_sendrecv_all_ports(dpkg_t)
	102	corenet_udp_sendrecv_all_ports(dpkg_t)
0c54fcf8	103	corenet_tcp_connect_all_ports(dpkg_t)
9d0c9b3e	104	corenet_sendrecv_all_client_packets(dpkg_t)
0c54fcf8 CP	105
	106	dev_list_sysfs(dpkg_t)
	107	dev_list_usbfs(dpkg_t)
	108	dev_read_urand(dpkg_t)
	109	#devices_manage_all_device_types(dpkg_t)
	110
0c54fcf8 CP	111	domain_read_all_domains_state(dpkg_t)
	112	domain_getattr_all_domains(dpkg_t)
	113	domain_dontaudit_ptrace_all_domains(dpkg_t)
	114	domain_use_interactive_fds(dpkg_t)
	115	domain_dontaudit_getattr_all_pipes(dpkg_t)
	116	domain_dontaudit_getattr_all_tcp_sockets(dpkg_t)
	117	domain_dontaudit_getattr_all_udp_sockets(dpkg_t)
	118	domain_dontaudit_getattr_all_packet_sockets(dpkg_t)
	119	domain_dontaudit_getattr_all_raw_sockets(dpkg_t)
	120	domain_dontaudit_getattr_all_stream_sockets(dpkg_t)
	121	domain_dontaudit_getattr_all_dgram_sockets(dpkg_t)
	122
	123	fs_manage_nfs_dirs(dpkg_t)
	124	fs_manage_nfs_files(dpkg_t)
	125	fs_manage_nfs_symlinks(dpkg_t)
	126	fs_getattr_all_fs(dpkg_t)
	127	fs_search_auto_mountpoints(dpkg_t)
	128
f8233ab7 CP	129	mls_file_read_all_levels(dpkg_t)
f8233ab7 CP	130	mls_file_write_all_levels(dpkg_t)
0c54fcf8 CP	131	mls_file_upgrade(dpkg_t)
	132
	133	selinux_get_fs_mount(dpkg_t)
	134	selinux_validate_context(dpkg_t)
	135	selinux_compute_access_vector(dpkg_t)
	136	selinux_compute_create_context(dpkg_t)
	137	selinux_compute_relabel_context(dpkg_t)
	138	selinux_compute_user_contexts(dpkg_t)
	139
	140	storage_raw_write_fixed_disk(dpkg_t)
	141	# for installing kernel packages
	142	storage_raw_read_fixed_disk(dpkg_t)
	143
	144	term_list_ptys(dpkg_t)
	145
	146	auth_relabel_all_files_except_shadow(dpkg_t)
	147	auth_manage_all_files_except_shadow(dpkg_t)
	148	auth_dontaudit_read_shadow(dpkg_t)
	149
	150	files_exec_etc_files(dpkg_t)
	151
	152	init_domtrans_script(dpkg_t)
e065ac8a	153	init_use_script_ptys(dpkg_t)
0c54fcf8 CP	154
	155	libs_use_ld_so(dpkg_t)
	156	libs_use_shared_libs(dpkg_t)
	157	libs_exec_ld_so(dpkg_t)
	158	libs_exec_lib_files(dpkg_t)
	159	libs_domtrans_ldconfig(dpkg_t)
	160
	161	logging_send_syslog_msg(dpkg_t)
	162
	163	# allow compiling and loading new policy
	164	seutil_manage_src_policy(dpkg_t)
	165	seutil_manage_bin_policy(dpkg_t)
	166
	167	sysnet_read_config(dpkg_t)
	168
	169	userdom_use_unpriv_users_fds(dpkg_t)
	170
	171	# transition to dpkg script:
	172	dpkg_domtrans_script(dpkg_t)
	173	# since the scripts aren't labeled correctly yet...
0b36a214	174	allow dpkg_t dpkg_var_lib_t:file mmap_file_perms;
0c54fcf8	175
e065ac8a CP	176	optional_policy(`
	177	apt_use_ptys(dpkg_t)
	178	')
	179
0c54fcf8	180	# TODO: allow?
bb7170f6	181	#optional_policy(`
0c54fcf8 CP	182	# cron_system_entry(dpkg_t,dpkg_exec_t)
	183	#')
	184
bb7170f6	185	optional_policy(`
0c54fcf8 CP	186	nis_use_ypbind(dpkg_t)
	187	')
	188
350b6ab7 CP	189	optional_policy(`
	190	unconfined_domain(dpkg_t)
	191	')
	192
0c54fcf8 CP	193	# TODO: the following was copied from dpkg_script_t, and could probably
	194	# be removed again when dpkg_script_t is actually used...
	195	domain_signal_all_domains(dpkg_t)
	196	domain_signull_all_domains(dpkg_t)
	197	files_read_etc_runtime_files(dpkg_t)
	198	files_exec_usr_files(dpkg_t)
	199	miscfiles_read_localization(dpkg_t)
	200	modutils_domtrans_depmod(dpkg_t)
	201	modutils_domtrans_insmod(dpkg_t)
	202	seutil_domtrans_loadpolicy(dpkg_t)
762d2cb9	203	seutil_domtrans_setfiles(dpkg_t)
0c54fcf8	204	userdom_use_all_users_fds(dpkg_t)
bb7170f6	205	optional_policy(`
0c54fcf8 CP	206	mta_send_mail(dpkg_t)
0c54fcf8 CP	207	')
bb7170f6	208	optional_policy(`
0c54fcf8 CP	209	usermanage_domtrans_groupadd(dpkg_t)
	210	usermanage_domtrans_useradd(dpkg_t)
	211	')
	212
	213	########################################
	214	#
	215	# dpkg-script Local policy
	216	#
	217	# TODO: actually use dpkg_script_t
	218
	219	allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
	220	allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
	221	allow dpkg_script_t self:fd use;
ef659a47	222	allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
0c54fcf8 CP	223	allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
	224	allow dpkg_script_t self:unix_stream_socket rw_stream_socket_perms;
	225	allow dpkg_script_t self:unix_dgram_socket sendto;
	226	allow dpkg_script_t self:unix_stream_socket connectto;
	227	allow dpkg_script_t self:shm create_shm_perms;
	228	allow dpkg_script_t self:sem create_sem_perms;
	229	allow dpkg_script_t self:msgq create_msgq_perms;
	230	allow dpkg_script_t self:msg { send receive };
	231
ef659a47	232	allow dpkg_script_t dpkg_tmp_t:file read_file_perms;
0c54fcf8 CP	233
	234	allow dpkg_script_t dpkg_script_tmp_t:dir { manage_dir_perms mounton };
	235	allow dpkg_script_t dpkg_script_tmp_t:file manage_file_perms;
	236	files_tmp_filetrans(dpkg_script_t, dpkg_script_tmp_t, { file dir })
	237
	238	allow dpkg_script_t dpkg_script_tmpfs_t:dir manage_dir_perms;
	239	allow dpkg_script_t dpkg_script_tmpfs_t:file manage_file_perms;
ef659a47 CP	240	allow dpkg_script_t dpkg_script_tmpfs_t:lnk_file manage_lnk_file_perms;
	241	allow dpkg_script_t dpkg_script_tmpfs_t:sock_file manage_sock_file_perms;
	242	allow dpkg_script_t dpkg_script_tmpfs_t:fifo_file manage_fifo_file_perms;
0bfccda4	243	fs_tmpfs_filetrans(dpkg_script_t, dpkg_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
0c54fcf8 CP	244
	245	kernel_read_kernel_sysctls(dpkg_script_t)
	246	kernel_read_system_state(dpkg_script_t)
	247
fb63d0b5	248	corecmd_exec_all_executables(dpkg_script_t)
0c54fcf8 CP	249
	250	dev_list_sysfs(dpkg_script_t)
	251	# ideally we would not need this
	252	dev_manage_generic_blk_files(dpkg_script_t)
	253	dev_manage_generic_chr_files(dpkg_script_t)
	254	dev_manage_all_blk_files(dpkg_script_t)
	255	dev_manage_all_chr_files(dpkg_script_t)
	256
	257	domain_read_all_domains_state(dpkg_script_t)
	258	domain_getattr_all_domains(dpkg_script_t)
	259	domain_dontaudit_ptrace_all_domains(dpkg_script_t)
	260	domain_use_interactive_fds(dpkg_script_t)
0c54fcf8 CP	261	domain_signal_all_domains(dpkg_script_t)
	262	domain_signull_all_domains(dpkg_script_t)
	263
	264	files_exec_etc_files(dpkg_script_t)
	265	files_read_etc_runtime_files(dpkg_script_t)
	266	files_exec_usr_files(dpkg_script_t)
	267
	268	fs_manage_nfs_files(dpkg_script_t)
	269	fs_getattr_nfs(dpkg_script_t)
	270	# why is this not using mount?
	271	fs_getattr_xattr_fs(dpkg_script_t)
	272	fs_mount_xattr_fs(dpkg_script_t)
	273	fs_unmount_xattr_fs(dpkg_script_t)
	274	fs_search_auto_mountpoints(dpkg_script_t)
	275
f8233ab7 CP	276	mls_file_read_all_levels(dpkg_script_t)
f8233ab7 CP	277	mls_file_write_all_levels(dpkg_script_t)
0c54fcf8 CP	278
	279	selinux_get_fs_mount(dpkg_script_t)
	280	selinux_validate_context(dpkg_script_t)
	281	selinux_compute_access_vector(dpkg_script_t)
	282	selinux_compute_create_context(dpkg_script_t)
	283	selinux_compute_relabel_context(dpkg_script_t)
	284	selinux_compute_user_contexts(dpkg_script_t)
	285
	286	storage_raw_read_fixed_disk(dpkg_script_t)
	287	storage_raw_write_fixed_disk(dpkg_script_t)
	288
	289	term_getattr_unallocated_ttys(dpkg_script_t)
	290	term_list_ptys(dpkg_script_t)
	291	term_use_all_terms(dpkg_script_t)
	292
	293	auth_dontaudit_getattr_shadow(dpkg_script_t)
	294	# ideally we would not need this
	295	auth_manage_all_files_except_shadow(dpkg_script_t)
	296
	297	init_domtrans_script(dpkg_script_t)
e065ac8a	298	init_use_script_fds(dpkg_script_t)
0c54fcf8 CP	299
	300	libs_use_ld_so(dpkg_script_t)
	301	libs_use_shared_libs(dpkg_script_t)
	302	libs_exec_ld_so(dpkg_script_t)
	303	libs_exec_lib_files(dpkg_script_t)
	304	libs_domtrans_ldconfig(dpkg_script_t)
	305
	306	logging_send_syslog_msg(dpkg_script_t)
	307
	308	miscfiles_read_localization(dpkg_script_t)
	309
	310	modutils_domtrans_depmod(dpkg_script_t)
	311	modutils_domtrans_insmod(dpkg_script_t)
	312
	313	seutil_domtrans_loadpolicy(dpkg_script_t)
762d2cb9	314	seutil_domtrans_setfiles(dpkg_script_t)
0c54fcf8 CP	315
	316	userdom_use_all_users_fds(dpkg_script_t)
	317
0c54fcf8 CP	318	tunable_policy(`allow_execmem',`
	319	allow dpkg_script_t self:process execmem;
	320	')
	321
e065ac8a CP	322	optional_policy(`
	323	apt_rw_pipes(dpkg_script_t)
	324	apt_use_fds(dpkg_script_t)
	325	')
	326
350b6ab7 CP	327	optional_policy(`
	328	bootloader_domtrans(dpkg_script_t)
	329	')
	330
bb7170f6	331	optional_policy(`
0c54fcf8 CP	332	mta_send_mail(dpkg_script_t)
	333	')
	334
bb7170f6	335	optional_policy(`
0c54fcf8 CP	336	nis_use_ypbind(dpkg_script_t)
	337	')
	338
350b6ab7 CP	339	optional_policy(`
	340	unconfined_domain(dpkg_script_t)
	341	')
	342
bb7170f6	343	optional_policy(`
0c54fcf8 CP	344	usermanage_domtrans_groupadd(dpkg_script_t)
	345	usermanage_domtrans_useradd(dpkg_script_t)
	346	')