Commit | Line | Data |
---|---|---|
0c54fcf8 | 1 | |
0bfccda4 | 2 | policy_module(dpkg, 1.5.0) |
0c54fcf8 CP |
3 | |
4 | ######################################## | |
5 | # | |
6 | # Declarations | |
7 | # | |
8 | ||
9 | type dpkg_t; | |
10 | type dpkg_exec_t; | |
11 | # dpkg can start/stop services: dpkg_t is declared as an init system domain with dpkg_exec_t as its entry file type | |
0bfccda4 | 12 | init_system_domain(dpkg_t, dpkg_exec_t) |
0c54fcf8 CP |
13 | # dpkg can change file labels, roles, IO: the three *_change_exemption lines exempt dpkg_t from the policy constraints on object identity, role and system identity changes |
14 | domain_obj_id_change_exemption(dpkg_t) | |
15 | domain_role_change_exemption(dpkg_t) | |
16 | domain_system_change_exemption(dpkg_t) | |
17 | domain_interactive_fd(dpkg_t) | |
18 | role system_r types dpkg_t; | |
19 | ||
20 | # lockfile | |
21 | type dpkg_lock_t; | |
22 | files_type(dpkg_lock_t) | |
23 | ||
24 | type dpkg_tmp_t; | |
25 | files_tmp_file(dpkg_tmp_t) | |
26 | ||
27 | type dpkg_tmpfs_t; | |
28 | files_tmpfs_file(dpkg_tmpfs_t) | |
29 | ||
30 | # status files (dpkg_var_lib_t; var_lib_dpkg_t is declared as an alias for the same type) | |
31 | type dpkg_var_lib_t alias var_lib_dpkg_t; | |
32 | files_type(dpkg_var_lib_t) | |
33 | ||
34 | # package scripts. NOTE(review): the domain_entry_file line below names dpkg_t, not dpkg_script_t - confirm this is intended while dpkg_script_t is still unused | |
35 | type dpkg_script_t; | |
36 | domain_type(dpkg_script_t) | |
37 | domain_entry_file(dpkg_t, dpkg_var_lib_t) | |
38 | corecmd_shell_entry_type(dpkg_script_t) | |
39 | domain_obj_id_change_exemption(dpkg_script_t) | |
40 | domain_system_change_exemption(dpkg_script_t) | |
41 | domain_interactive_fd(dpkg_script_t) | |
42 | role system_r types dpkg_script_t; | |
43 | ||
44 | type dpkg_script_tmp_t; | |
45 | files_tmp_file(dpkg_script_tmp_t) | |
46 | ||
47 | type dpkg_script_tmpfs_t; | |
48 | files_tmpfs_file(dpkg_script_tmpfs_t) | |
49 | ||
50 | ######################################## | |
51 | # | |
52 | # dpkg Local policy | |
53 | # Rules for the dpkg_t domain. The self rules come first: capabilities, process permissions and local IPC. dac_override in the capability set lets dpkg_t bypass discretionary file permission checks. | |
54 | ||
55 | allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable }; | |
56 | allow dpkg_t self:process { setpgid fork getsched setfscreate }; | |
57 | allow dpkg_t self:fd use; | |
c0868a7a | 58 | allow dpkg_t self:fifo_file rw_fifo_file_perms; |
0c54fcf8 CP |
59 | allow dpkg_t self:unix_dgram_socket create_socket_perms; |
60 | allow dpkg_t self:unix_stream_socket rw_stream_socket_perms; | |
61 | allow dpkg_t self:unix_dgram_socket sendto; | |
62 | allow dpkg_t self:unix_stream_socket connectto; | |
63 | allow dpkg_t self:udp_socket { connect create_socket_perms }; | |
64 | allow dpkg_t self:tcp_socket create_stream_socket_perms; | |
65 | allow dpkg_t self:shm create_shm_perms; | |
66 | allow dpkg_t self:sem create_sem_perms; | |
67 | allow dpkg_t self:msgq create_msgq_perms; | |
68 | allow dpkg_t self:msg { send receive }; | |
69 | ||
70 | allow dpkg_t dpkg_lock_t:file manage_file_perms; | |
71 | ||
0bfccda4 CP |
72 | manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t) |
73 | manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t) | |
0c54fcf8 CP |
74 | files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir }) |
75 | ||
0bfccda4 CP |
76 | manage_dirs_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) |
77 | manage_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) | |
78 | manage_lnk_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) | |
79 | manage_sock_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) | |
80 | manage_fifo_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) | |
81 | fs_tmpfs_filetrans(dpkg_t, dpkg_tmpfs_t, { dir file lnk_file sock_file fifo_file }) | |
0c54fcf8 CP |
82 | |
83 | # Access /var/lib/dpkg files: manage dpkg_var_lib_t files, and label directories dpkg_t creates in the generic var_lib directory as dpkg_var_lib_t | |
0bfccda4 CP |
84 | manage_files_pattern(dpkg_t, dpkg_var_lib_t, dpkg_var_lib_t) |
85 | files_var_lib_filetrans(dpkg_t, dpkg_var_lib_t, dir) | |
0c54fcf8 CP |
86 | |
87 | kernel_read_system_state(dpkg_t) | |
88 | kernel_read_kernel_sysctls(dpkg_t) | |
89 | ||
fb63d0b5 | 90 | corecmd_exec_all_executables(dpkg_t) |
0c54fcf8 CP |
91 | |
92 | # TODO: do we really need all networking? As written, dpkg_t gets TCP, UDP and raw send/receive on all interfaces and nodes, TCP and UDP on all ports, and outbound TCP connect to any port. | |
19006686 CP |
93 | corenet_all_recvfrom_unlabeled(dpkg_t) |
94 | corenet_all_recvfrom_netlabel(dpkg_t) | |
0c54fcf8 CP |
95 | corenet_tcp_sendrecv_all_if(dpkg_t) |
96 | corenet_raw_sendrecv_all_if(dpkg_t) | |
97 | corenet_udp_sendrecv_all_if(dpkg_t) | |
98 | corenet_tcp_sendrecv_all_nodes(dpkg_t) | |
99 | corenet_raw_sendrecv_all_nodes(dpkg_t) | |
100 | corenet_udp_sendrecv_all_nodes(dpkg_t) | |
101 | corenet_tcp_sendrecv_all_ports(dpkg_t) | |
102 | corenet_udp_sendrecv_all_ports(dpkg_t) | |
0c54fcf8 | 103 | corenet_tcp_connect_all_ports(dpkg_t) |
9d0c9b3e | 104 | corenet_sendrecv_all_client_packets(dpkg_t) |
0c54fcf8 CP |
105 | |
106 | dev_list_sysfs(dpkg_t) | |
107 | dev_list_usbfs(dpkg_t) | |
108 | dev_read_urand(dpkg_t) | |
109 | #devices_manage_all_device_types(dpkg_t) | |
110 | ||
0c54fcf8 CP |
111 | domain_read_all_domains_state(dpkg_t) |
112 | domain_getattr_all_domains(dpkg_t) | |
113 | domain_dontaudit_ptrace_all_domains(dpkg_t) | |
114 | domain_use_interactive_fds(dpkg_t) | |
115 | domain_dontaudit_getattr_all_pipes(dpkg_t) | |
116 | domain_dontaudit_getattr_all_tcp_sockets(dpkg_t) | |
117 | domain_dontaudit_getattr_all_udp_sockets(dpkg_t) | |
118 | domain_dontaudit_getattr_all_packet_sockets(dpkg_t) | |
119 | domain_dontaudit_getattr_all_raw_sockets(dpkg_t) | |
120 | domain_dontaudit_getattr_all_stream_sockets(dpkg_t) | |
121 | domain_dontaudit_getattr_all_dgram_sockets(dpkg_t) | |
122 | ||
123 | fs_manage_nfs_dirs(dpkg_t) | |
124 | fs_manage_nfs_files(dpkg_t) | |
125 | fs_manage_nfs_symlinks(dpkg_t) | |
126 | fs_getattr_all_fs(dpkg_t) | |
127 | fs_search_auto_mountpoints(dpkg_t) | |
128 | ||
 | # MLS: per the interface names, dpkg_t may read and write files at all sensitivity levels and upgrade file levels (presumably only relevant when the policy is built with MLS). | |
f8233ab7 CP |
129 | mls_file_read_all_levels(dpkg_t) |
130 | mls_file_write_all_levels(dpkg_t) | |
0c54fcf8 CP |
131 | mls_file_upgrade(dpkg_t) |
132 | ||
133 | selinux_get_fs_mount(dpkg_t) | |
134 | selinux_validate_context(dpkg_t) | |
135 | selinux_compute_access_vector(dpkg_t) | |
136 | selinux_compute_create_context(dpkg_t) | |
137 | selinux_compute_relabel_context(dpkg_t) | |
138 | selinux_compute_user_contexts(dpkg_t) | |
139 | ||
140 | storage_raw_write_fixed_disk(dpkg_t) | |
141 | # for installing kernel packages (NOTE(review): presumably this covers both raw fixed-disk lines, the write above and the read below; raw disk write is not limited by file labels, so confirm it is still needed) | |
142 | storage_raw_read_fixed_disk(dpkg_t) | |
143 | ||
144 | term_list_ptys(dpkg_t) | |
145 | ||
 | # Relabel and manage every file type except shadow; reads of shadow are denied without an audit record (dontaudit). | |
146 | auth_relabel_all_files_except_shadow(dpkg_t) | |
147 | auth_manage_all_files_except_shadow(dpkg_t) | |
148 | auth_dontaudit_read_shadow(dpkg_t) | |
149 | ||
150 | files_exec_etc_files(dpkg_t) | |
151 | ||
152 | init_domtrans_script(dpkg_t) | |
e065ac8a | 153 | init_use_script_ptys(dpkg_t) |
0c54fcf8 CP |
154 | |
155 | libs_use_ld_so(dpkg_t) | |
156 | libs_use_shared_libs(dpkg_t) | |
157 | libs_exec_ld_so(dpkg_t) | |
158 | libs_exec_lib_files(dpkg_t) | |
159 | libs_domtrans_ldconfig(dpkg_t) | |
160 | ||
161 | logging_send_syslog_msg(dpkg_t) | |
162 | ||
163 | # allow compiling and loading new policy: manage policy source and binary policy files (the transition to loadpolicy is granted further down in this section) | |
164 | seutil_manage_src_policy(dpkg_t) | |
165 | seutil_manage_bin_policy(dpkg_t) | |
166 | ||
167 | sysnet_read_config(dpkg_t) | |
168 | ||
169 | userdom_use_unpriv_users_fds(dpkg_t) | |
170 | ||
171 | # transition to dpkg script: | |
172 | dpkg_domtrans_script(dpkg_t) | |
173 | # since the scripts aren't labeled correctly yet, dpkg_t is given mmap_file_perms on dpkg_var_lib_t files directly (in reference policy that permission set includes execute - confirm) | |
0b36a214 | 174 | allow dpkg_t dpkg_var_lib_t:file mmap_file_perms; |
0c54fcf8 | 175 | |
e065ac8a CP |
176 | optional_policy(` |
177 | apt_use_ptys(dpkg_t) | |
178 | ') | |
179 | ||
0c54fcf8 | 180 | # TODO: allow? |
bb7170f6 | 181 | #optional_policy(` |
0c54fcf8 CP |
182 | # cron_system_entry(dpkg_t,dpkg_exec_t) |
183 | #') | |
184 | ||
bb7170f6 | 185 | optional_policy(` |
0c54fcf8 CP |
186 | nis_use_ypbind(dpkg_t) |
187 | ') | |
188 | ||
 | # NOTE(review): unconfined_domain comes from the unconfined module (not shown here). In reference policy it grants the domain very broad access, so where that module is installed the individual rules in this file probably do not limit dpkg_t in practice - confirm against the policy in use. | |
350b6ab7 CP |
189 | optional_policy(` |
190 | unconfined_domain(dpkg_t) | |
191 | ') | |
192 | ||
0c54fcf8 CP |
193 | # TODO: the following was copied from dpkg_script_t, and could probably |
194 | # be removed again when dpkg_script_t is actually used. Until then dpkg_t itself may signal every domain and transition to depmod, insmod, loadpolicy, setfiles, groupadd and useradd. | |
195 | domain_signal_all_domains(dpkg_t) | |
196 | domain_signull_all_domains(dpkg_t) | |
197 | files_read_etc_runtime_files(dpkg_t) | |
198 | files_exec_usr_files(dpkg_t) | |
199 | miscfiles_read_localization(dpkg_t) | |
200 | modutils_domtrans_depmod(dpkg_t) | |
201 | modutils_domtrans_insmod(dpkg_t) | |
202 | seutil_domtrans_loadpolicy(dpkg_t) | |
762d2cb9 | 203 | seutil_domtrans_setfiles(dpkg_t) |
0c54fcf8 | 204 | userdom_use_all_users_fds(dpkg_t) |
bb7170f6 | 205 | optional_policy(` |
0c54fcf8 CP |
206 | mta_send_mail(dpkg_t) |
207 | ') | |
bb7170f6 | 208 | optional_policy(` |
0c54fcf8 CP |
209 | usermanage_domtrans_groupadd(dpkg_t) |
210 | usermanage_domtrans_useradd(dpkg_t) | |
211 | ') | |
212 | ||
213 | ######################################## | |
214 | # | |
215 | # dpkg-script Local policy | |
216 | # Rules for the dpkg_script_t domain declared above for package scripts. | |
217 | # TODO: actually use dpkg_script_t | |
218 | ||
219 | allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill }; | |
 | # The ~{ ... } form grants every process permission except the listed ones; execmem is granted separately, only under the allow_execmem tunable further down. | |
220 | allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; | |
221 | allow dpkg_script_t self:fd use; | |
ef659a47 | 222 | allow dpkg_script_t self:fifo_file rw_fifo_file_perms; |
0c54fcf8 CP |
223 | allow dpkg_script_t self:unix_dgram_socket create_socket_perms; |
224 | allow dpkg_script_t self:unix_stream_socket rw_stream_socket_perms; | |
225 | allow dpkg_script_t self:unix_dgram_socket sendto; | |
226 | allow dpkg_script_t self:unix_stream_socket connectto; | |
227 | allow dpkg_script_t self:shm create_shm_perms; | |
228 | allow dpkg_script_t self:sem create_sem_perms; | |
229 | allow dpkg_script_t self:msgq create_msgq_perms; | |
230 | allow dpkg_script_t self:msg { send receive }; | |
231 | ||
ef659a47 | 232 | allow dpkg_script_t dpkg_tmp_t:file read_file_perms; |
0c54fcf8 CP |
233 | |
 | # mounton: dpkg_script_t may use its own temporary directories as mount points. | |
234 | allow dpkg_script_t dpkg_script_tmp_t:dir { manage_dir_perms mounton }; | |
235 | allow dpkg_script_t dpkg_script_tmp_t:file manage_file_perms; | |
236 | files_tmp_filetrans(dpkg_script_t, dpkg_script_tmp_t, { file dir }) | |
237 | ||
238 | allow dpkg_script_t dpkg_script_tmpfs_t:dir manage_dir_perms; | |
239 | allow dpkg_script_t dpkg_script_tmpfs_t:file manage_file_perms; | |
ef659a47 CP |
240 | allow dpkg_script_t dpkg_script_tmpfs_t:lnk_file manage_lnk_file_perms; |
241 | allow dpkg_script_t dpkg_script_tmpfs_t:sock_file manage_sock_file_perms; | |
242 | allow dpkg_script_t dpkg_script_tmpfs_t:fifo_file manage_fifo_file_perms; | |
0bfccda4 | 243 | fs_tmpfs_filetrans(dpkg_script_t, dpkg_script_tmpfs_t, { dir file lnk_file sock_file fifo_file }) |
0c54fcf8 CP |
244 | |
245 | kernel_read_kernel_sysctls(dpkg_script_t) | |
246 | kernel_read_system_state(dpkg_script_t) | |
247 | ||
fb63d0b5 | 248 | corecmd_exec_all_executables(dpkg_script_t) |
0c54fcf8 CP |
249 | |
250 | dev_list_sysfs(dpkg_script_t) | |
251 | # ideally we would not need this: dpkg_script_t can manage generic and all block and character device nodes | |
252 | dev_manage_generic_blk_files(dpkg_script_t) | |
253 | dev_manage_generic_chr_files(dpkg_script_t) | |
254 | dev_manage_all_blk_files(dpkg_script_t) | |
255 | dev_manage_all_chr_files(dpkg_script_t) | |
256 | ||
257 | domain_read_all_domains_state(dpkg_script_t) | |
258 | domain_getattr_all_domains(dpkg_script_t) | |
259 | domain_dontaudit_ptrace_all_domains(dpkg_script_t) | |
260 | domain_use_interactive_fds(dpkg_script_t) | |
0c54fcf8 CP |
261 | domain_signal_all_domains(dpkg_script_t) |
262 | domain_signull_all_domains(dpkg_script_t) | |
263 | ||
264 | files_exec_etc_files(dpkg_script_t) | |
265 | files_read_etc_runtime_files(dpkg_script_t) | |
266 | files_exec_usr_files(dpkg_script_t) | |
267 | ||
268 | fs_manage_nfs_files(dpkg_script_t) | |
269 | fs_getattr_nfs(dpkg_script_t) | |
270 | # why is this not using mount? (presumably the question is why dpkg_script_t gets mount and unmount on xattr filesystems itself rather than going through a mount domain) | |
271 | fs_getattr_xattr_fs(dpkg_script_t) | |
272 | fs_mount_xattr_fs(dpkg_script_t) | |
273 | fs_unmount_xattr_fs(dpkg_script_t) | |
274 | fs_search_auto_mountpoints(dpkg_script_t) | |
275 | ||
f8233ab7 CP |
276 | mls_file_read_all_levels(dpkg_script_t) |
277 | mls_file_write_all_levels(dpkg_script_t) | |
0c54fcf8 CP |
278 | |
279 | selinux_get_fs_mount(dpkg_script_t) | |
280 | selinux_validate_context(dpkg_script_t) | |
281 | selinux_compute_access_vector(dpkg_script_t) | |
282 | selinux_compute_create_context(dpkg_script_t) | |
283 | selinux_compute_relabel_context(dpkg_script_t) | |
284 | selinux_compute_user_contexts(dpkg_script_t) | |
285 | ||
286 | storage_raw_read_fixed_disk(dpkg_script_t) | |
287 | storage_raw_write_fixed_disk(dpkg_script_t) | |
288 | ||
289 | term_getattr_unallocated_ttys(dpkg_script_t) | |
290 | term_list_ptys(dpkg_script_t) | |
291 | term_use_all_terms(dpkg_script_t) | |
292 | ||
293 | auth_dontaudit_getattr_shadow(dpkg_script_t) | |
294 | # ideally we would not need this: manage access to every file type except shadow | |
295 | auth_manage_all_files_except_shadow(dpkg_script_t) | |
296 | ||
297 | init_domtrans_script(dpkg_script_t) | |
e065ac8a | 298 | init_use_script_fds(dpkg_script_t) |
0c54fcf8 CP |
299 | |
300 | libs_use_ld_so(dpkg_script_t) | |
301 | libs_use_shared_libs(dpkg_script_t) | |
302 | libs_exec_ld_so(dpkg_script_t) | |
303 | libs_exec_lib_files(dpkg_script_t) | |
304 | libs_domtrans_ldconfig(dpkg_script_t) | |
305 | ||
306 | logging_send_syslog_msg(dpkg_script_t) | |
307 | ||
308 | miscfiles_read_localization(dpkg_script_t) | |
309 | ||
310 | modutils_domtrans_depmod(dpkg_script_t) | |
311 | modutils_domtrans_insmod(dpkg_script_t) | |
312 | ||
313 | seutil_domtrans_loadpolicy(dpkg_script_t) | |
762d2cb9 | 314 | seutil_domtrans_setfiles(dpkg_script_t) |
0c54fcf8 CP |
315 | |
316 | userdom_use_all_users_fds(dpkg_script_t) | |
317 | ||
0c54fcf8 CP |
318 | tunable_policy(`allow_execmem',` |
319 | allow dpkg_script_t self:process execmem; | |
320 | ') | |
321 | ||
e065ac8a CP |
322 | optional_policy(` |
323 | apt_rw_pipes(dpkg_script_t) | |
324 | apt_use_fds(dpkg_script_t) | |
325 | ') | |
326 | ||
350b6ab7 CP |
327 | optional_policy(` |
328 | bootloader_domtrans(dpkg_script_t) | |
329 | ') | |
330 | ||
bb7170f6 | 331 | optional_policy(` |
0c54fcf8 CP |
332 | mta_send_mail(dpkg_script_t) |
333 | ') | |
334 | ||
bb7170f6 | 335 | optional_policy(` |
0c54fcf8 CP |
336 | nis_use_ypbind(dpkg_script_t) |
337 | ') | |
338 | ||
 | # NOTE(review): unconfined_domain comes from the unconfined module (not shown here). In reference policy it grants the domain very broad access, so where that module is installed the individual rules in this section probably do not limit dpkg_script_t in practice - confirm against the policy in use. | |
350b6ab7 CP |
339 | optional_policy(` |
340 | unconfined_domain(dpkg_script_t) | |
341 | ') | |
342 | ||
bb7170f6 | 343 | optional_policy(` |
0c54fcf8 CP |
344 | usermanage_domtrans_groupadd(dpkg_script_t) |
345 | usermanage_domtrans_useradd(dpkg_script_t) | |
346 | ') |
346 | ') |