[people/stevee/selinux-policy.git] / policy / modules / admin / dpkg.te


policy_module(dpkg, 1.6.1)

########################################
#
# Declarations
#

type dpkg_t;
type dpkg_exec_t;
# dpkg can start/stop services
init_system_domain(dpkg_t, dpkg_exec_t)
# dpkg can change file labels, roles, IO
domain_obj_id_change_exemption(dpkg_t)
domain_role_change_exemption(dpkg_t)
domain_system_change_exemption(dpkg_t)
domain_interactive_fd(dpkg_t)
role system_r types dpkg_t;

# lockfile
type dpkg_lock_t;
files_type(dpkg_lock_t)

type dpkg_tmp_t;
files_tmp_file(dpkg_tmp_t)

type dpkg_tmpfs_t;
files_tmpfs_file(dpkg_tmpfs_t)

# status files
type dpkg_var_lib_t alias var_lib_dpkg_t;
files_type(dpkg_var_lib_t)

# package scripts
type dpkg_script_t;
domain_type(dpkg_script_t)
domain_entry_file(dpkg_t, dpkg_var_lib_t)
corecmd_shell_entry_type(dpkg_script_t)
domain_obj_id_change_exemption(dpkg_script_t)
domain_system_change_exemption(dpkg_script_t)
domain_interactive_fd(dpkg_script_t)
role system_r types dpkg_script_t;

type dpkg_script_tmp_t;
files_tmp_file(dpkg_script_tmp_t)

type dpkg_script_tmpfs_t;
files_tmpfs_file(dpkg_script_tmpfs_t)

########################################
#
# dpkg Local policy
#

allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
allow dpkg_t self:process { setpgid fork getsched setfscreate };
allow dpkg_t self:fd use;
allow dpkg_t self:fifo_file rw_fifo_file_perms;
allow dpkg_t self:unix_dgram_socket create_socket_perms;
allow dpkg_t self:unix_stream_socket rw_stream_socket_perms;
allow dpkg_t self:unix_dgram_socket sendto;
allow dpkg_t self:unix_stream_socket connectto;
allow dpkg_t self:udp_socket { connect create_socket_perms };
allow dpkg_t self:tcp_socket create_stream_socket_perms;
allow dpkg_t self:shm create_shm_perms;
allow dpkg_t self:sem create_sem_perms;
allow dpkg_t self:msgq create_msgq_perms;
allow dpkg_t self:msg { send receive };

allow dpkg_t dpkg_lock_t:file manage_file_perms;

manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir })

manage_dirs_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
manage_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
manage_lnk_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
manage_sock_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
manage_fifo_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
fs_tmpfs_filetrans(dpkg_t, dpkg_tmpfs_t, { dir file lnk_file sock_file fifo_file })

# Access /var/lib/dpkg files
manage_files_pattern(dpkg_t, dpkg_var_lib_t, dpkg_var_lib_t)
files_var_lib_filetrans(dpkg_t, dpkg_var_lib_t, dir)

kernel_read_system_state(dpkg_t)
kernel_read_kernel_sysctls(dpkg_t)

corecmd_exec_all_executables(dpkg_t)

# TODO: do we really need all networking?
corenet_all_recvfrom_unlabeled(dpkg_t)
corenet_all_recvfrom_netlabel(dpkg_t)
corenet_tcp_sendrecv_generic_if(dpkg_t)
corenet_raw_sendrecv_generic_if(dpkg_t)
corenet_udp_sendrecv_generic_if(dpkg_t)
corenet_tcp_sendrecv_all_nodes(dpkg_t)
corenet_raw_sendrecv_all_nodes(dpkg_t)
corenet_udp_sendrecv_all_nodes(dpkg_t)
corenet_tcp_sendrecv_all_ports(dpkg_t)
corenet_udp_sendrecv_all_ports(dpkg_t)
corenet_tcp_connect_all_ports(dpkg_t)
corenet_sendrecv_all_client_packets(dpkg_t)

dev_list_sysfs(dpkg_t)
dev_list_usbfs(dpkg_t)
dev_read_urand(dpkg_t)
#devices_manage_all_device_types(dpkg_t)

domain_read_all_domains_state(dpkg_t)
domain_getattr_all_domains(dpkg_t)
domain_dontaudit_ptrace_all_domains(dpkg_t)
domain_use_interactive_fds(dpkg_t)
domain_dontaudit_getattr_all_pipes(dpkg_t)
domain_dontaudit_getattr_all_tcp_sockets(dpkg_t)
domain_dontaudit_getattr_all_udp_sockets(dpkg_t)
domain_dontaudit_getattr_all_packet_sockets(dpkg_t)
domain_dontaudit_getattr_all_raw_sockets(dpkg_t)
domain_dontaudit_getattr_all_stream_sockets(dpkg_t)
domain_dontaudit_getattr_all_dgram_sockets(dpkg_t)

fs_manage_nfs_dirs(dpkg_t)
fs_manage_nfs_files(dpkg_t)
fs_manage_nfs_symlinks(dpkg_t)
fs_getattr_all_fs(dpkg_t)
fs_search_auto_mountpoints(dpkg_t)

mls_file_read_all_levels(dpkg_t)
mls_file_write_all_levels(dpkg_t)
mls_file_upgrade(dpkg_t)

selinux_get_fs_mount(dpkg_t)
selinux_validate_context(dpkg_t)
selinux_compute_access_vector(dpkg_t)
selinux_compute_create_context(dpkg_t)
selinux_compute_relabel_context(dpkg_t)
selinux_compute_user_contexts(dpkg_t)

storage_raw_write_fixed_disk(dpkg_t)
# for installing kernel packages
storage_raw_read_fixed_disk(dpkg_t)

auth_relabel_all_files_except_shadow(dpkg_t)
auth_manage_all_files_except_shadow(dpkg_t)
auth_dontaudit_read_shadow(dpkg_t)

files_exec_etc_files(dpkg_t)

init_domtrans_script(dpkg_t)
init_use_script_ptys(dpkg_t)

libs_exec_ld_so(dpkg_t)
libs_exec_lib_files(dpkg_t)
libs_domtrans_ldconfig(dpkg_t)

logging_send_syslog_msg(dpkg_t)

# allow compiling and loading new policy
seutil_manage_src_policy(dpkg_t)
seutil_manage_bin_policy(dpkg_t)

sysnet_read_config(dpkg_t)

userdom_use_user_terminals(dpkg_t)
userdom_use_unpriv_users_fds(dpkg_t)

# transition to dpkg script:
dpkg_domtrans_script(dpkg_t)
# since the scripts aren't labeled correctly yet...
allow dpkg_t dpkg_var_lib_t:file mmap_file_perms;

optional_policy(`
	apt_use_ptys(dpkg_t)
')

# TODO: allow?
#optional_policy(`
#	cron_system_entry(dpkg_t,dpkg_exec_t)
#')

optional_policy(`
	nis_use_ypbind(dpkg_t)
')

optional_policy(`
	unconfined_domain(dpkg_t)
')

# TODO: the following was copied from dpkg_script_t, and could probably
# be removed again when dpkg_script_t is actually used...
domain_signal_all_domains(dpkg_t)
domain_signull_all_domains(dpkg_t)
files_read_etc_runtime_files(dpkg_t)
files_exec_usr_files(dpkg_t)
miscfiles_read_localization(dpkg_t)
modutils_domtrans_depmod(dpkg_t)
modutils_domtrans_insmod(dpkg_t)
seutil_domtrans_loadpolicy(dpkg_t)
seutil_domtrans_setfiles(dpkg_t)
userdom_use_all_users_fds(dpkg_t)
optional_policy(`
	mta_send_mail(dpkg_t)
')
optional_policy(`
	usermanage_domtrans_groupadd(dpkg_t)
	usermanage_domtrans_useradd(dpkg_t)
')

########################################
#
# dpkg-script Local policy
#
# TODO: actually use dpkg_script_t

allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow dpkg_script_t self:fd use;
allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
allow dpkg_script_t self:unix_stream_socket rw_stream_socket_perms;
allow dpkg_script_t self:unix_dgram_socket sendto;
allow dpkg_script_t self:unix_stream_socket connectto;
allow dpkg_script_t self:shm create_shm_perms;
allow dpkg_script_t self:sem create_sem_perms;
allow dpkg_script_t self:msgq create_msgq_perms;
allow dpkg_script_t self:msg { send receive };

allow dpkg_script_t dpkg_tmp_t:file read_file_perms;

allow dpkg_script_t dpkg_script_tmp_t:dir { manage_dir_perms mounton };
allow dpkg_script_t dpkg_script_tmp_t:file manage_file_perms;
files_tmp_filetrans(dpkg_script_t, dpkg_script_tmp_t, { file dir })

allow dpkg_script_t dpkg_script_tmpfs_t:dir manage_dir_perms;
allow dpkg_script_t dpkg_script_tmpfs_t:file manage_file_perms;
allow dpkg_script_t dpkg_script_tmpfs_t:lnk_file manage_lnk_file_perms;
allow dpkg_script_t dpkg_script_tmpfs_t:sock_file manage_sock_file_perms;
allow dpkg_script_t dpkg_script_tmpfs_t:fifo_file manage_fifo_file_perms;
fs_tmpfs_filetrans(dpkg_script_t, dpkg_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })

kernel_read_kernel_sysctls(dpkg_script_t)
kernel_read_system_state(dpkg_script_t)

corecmd_exec_all_executables(dpkg_script_t)

dev_list_sysfs(dpkg_script_t)
# ideally we would not need this
dev_manage_generic_blk_files(dpkg_script_t)
dev_manage_generic_chr_files(dpkg_script_t)
dev_manage_all_blk_files(dpkg_script_t)
dev_manage_all_chr_files(dpkg_script_t)

domain_read_all_domains_state(dpkg_script_t)
domain_getattr_all_domains(dpkg_script_t)
domain_dontaudit_ptrace_all_domains(dpkg_script_t)
domain_use_interactive_fds(dpkg_script_t)
domain_signal_all_domains(dpkg_script_t)
domain_signull_all_domains(dpkg_script_t)

files_exec_etc_files(dpkg_script_t)
files_read_etc_runtime_files(dpkg_script_t)
files_exec_usr_files(dpkg_script_t)

fs_manage_nfs_files(dpkg_script_t)
fs_getattr_nfs(dpkg_script_t)
# why is this not using mount?
fs_getattr_xattr_fs(dpkg_script_t)
fs_mount_xattr_fs(dpkg_script_t)
fs_unmount_xattr_fs(dpkg_script_t)
fs_search_auto_mountpoints(dpkg_script_t)

mls_file_read_all_levels(dpkg_script_t)
mls_file_write_all_levels(dpkg_script_t)

selinux_get_fs_mount(dpkg_script_t)
selinux_validate_context(dpkg_script_t)
selinux_compute_access_vector(dpkg_script_t)
selinux_compute_create_context(dpkg_script_t)
selinux_compute_relabel_context(dpkg_script_t)
selinux_compute_user_contexts(dpkg_script_t)

storage_raw_read_fixed_disk(dpkg_script_t)
storage_raw_write_fixed_disk(dpkg_script_t)

term_use_all_terms(dpkg_script_t)

auth_dontaudit_getattr_shadow(dpkg_script_t)
# ideally we would not need this
auth_manage_all_files_except_shadow(dpkg_script_t)

init_domtrans_script(dpkg_script_t)
init_use_script_fds(dpkg_script_t)

libs_exec_ld_so(dpkg_script_t)
libs_exec_lib_files(dpkg_script_t)
libs_domtrans_ldconfig(dpkg_script_t)

logging_send_syslog_msg(dpkg_script_t)

miscfiles_read_localization(dpkg_script_t)

modutils_domtrans_depmod(dpkg_script_t)
modutils_domtrans_insmod(dpkg_script_t)

seutil_domtrans_loadpolicy(dpkg_script_t)
seutil_domtrans_setfiles(dpkg_script_t)

userdom_use_all_users_fds(dpkg_script_t)

tunable_policy(`allow_execmem',`
	allow dpkg_script_t self:process execmem;
')

optional_policy(`
	apt_rw_pipes(dpkg_script_t)
	apt_use_fds(dpkg_script_t)
')

optional_policy(`
	bootloader_domtrans(dpkg_script_t)
')

optional_policy(`
	mta_send_mail(dpkg_script_t)
')

optional_policy(`
	nis_use_ypbind(dpkg_script_t)
')

optional_policy(`
	unconfined_domain(dpkg_script_t)
')

optional_policy(`
	usermanage_domtrans_groupadd(dpkg_script_t)
	usermanage_domtrans_useradd(dpkg_script_t)
')
Commit	Line	Data
0c54fcf8	1
668b3093	2	policy_module(dpkg, 1.6.1)
0c54fcf8 CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	type dpkg_t;
	10	type dpkg_exec_t;
	11	# dpkg can start/stop services
0bfccda4	12	init_system_domain(dpkg_t, dpkg_exec_t)
0c54fcf8 CP	13	# dpkg can change file labels, roles, IO
	14	domain_obj_id_change_exemption(dpkg_t)
	15	domain_role_change_exemption(dpkg_t)
	16	domain_system_change_exemption(dpkg_t)
	17	domain_interactive_fd(dpkg_t)
	18	role system_r types dpkg_t;
	19
	20	# lockfile
	21	type dpkg_lock_t;
	22	files_type(dpkg_lock_t)
	23
	24	type dpkg_tmp_t;
	25	files_tmp_file(dpkg_tmp_t)
	26
	27	type dpkg_tmpfs_t;
	28	files_tmpfs_file(dpkg_tmpfs_t)
	29
	30	# status files
	31	type dpkg_var_lib_t alias var_lib_dpkg_t;
	32	files_type(dpkg_var_lib_t)
	33
	34	# package scripts
	35	type dpkg_script_t;
	36	domain_type(dpkg_script_t)
	37	domain_entry_file(dpkg_t, dpkg_var_lib_t)
	38	corecmd_shell_entry_type(dpkg_script_t)
	39	domain_obj_id_change_exemption(dpkg_script_t)
	40	domain_system_change_exemption(dpkg_script_t)
	41	domain_interactive_fd(dpkg_script_t)
	42	role system_r types dpkg_script_t;
	43
	44	type dpkg_script_tmp_t;
	45	files_tmp_file(dpkg_script_tmp_t)
	46
	47	type dpkg_script_tmpfs_t;
	48	files_tmpfs_file(dpkg_script_tmpfs_t)
	49
	50	########################################
	51	#
	52	# dpkg Local policy
	53	#
	54
	55	allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
	56	allow dpkg_t self:process { setpgid fork getsched setfscreate };
	57	allow dpkg_t self:fd use;
c0868a7a	58	allow dpkg_t self:fifo_file rw_fifo_file_perms;
0c54fcf8 CP	59	allow dpkg_t self:unix_dgram_socket create_socket_perms;
	60	allow dpkg_t self:unix_stream_socket rw_stream_socket_perms;
	61	allow dpkg_t self:unix_dgram_socket sendto;
	62	allow dpkg_t self:unix_stream_socket connectto;
	63	allow dpkg_t self:udp_socket { connect create_socket_perms };
	64	allow dpkg_t self:tcp_socket create_stream_socket_perms;
	65	allow dpkg_t self:shm create_shm_perms;
	66	allow dpkg_t self:sem create_sem_perms;
	67	allow dpkg_t self:msgq create_msgq_perms;
	68	allow dpkg_t self:msg { send receive };
	69
	70	allow dpkg_t dpkg_lock_t:file manage_file_perms;
	71
0bfccda4 CP	72	manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
0bfccda4 CP	73	manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
0c54fcf8 CP	74	files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir })
0c54fcf8 CP	75
0bfccda4 CP	76	manage_dirs_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
	77	manage_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
	78	manage_lnk_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
	79	manage_sock_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
	80	manage_fifo_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
	81	fs_tmpfs_filetrans(dpkg_t, dpkg_tmpfs_t, { dir file lnk_file sock_file fifo_file })
0c54fcf8 CP	82
0c54fcf8 CP	83	# Access /var/lib/dpkg files
0bfccda4 CP	84	manage_files_pattern(dpkg_t, dpkg_var_lib_t, dpkg_var_lib_t)
0bfccda4 CP	85	files_var_lib_filetrans(dpkg_t, dpkg_var_lib_t, dir)
0c54fcf8 CP	86
	87	kernel_read_system_state(dpkg_t)
	88	kernel_read_kernel_sysctls(dpkg_t)
	89
fb63d0b5	90	corecmd_exec_all_executables(dpkg_t)
0c54fcf8 CP	91
0c54fcf8 CP	92	# TODO: do we really need all networking?
19006686 CP	93	corenet_all_recvfrom_unlabeled(dpkg_t)
19006686 CP	94	corenet_all_recvfrom_netlabel(dpkg_t)
668b3093 CP	95	corenet_tcp_sendrecv_generic_if(dpkg_t)
	96	corenet_raw_sendrecv_generic_if(dpkg_t)
	97	corenet_udp_sendrecv_generic_if(dpkg_t)
0c54fcf8 CP	98	corenet_tcp_sendrecv_all_nodes(dpkg_t)
	99	corenet_raw_sendrecv_all_nodes(dpkg_t)
	100	corenet_udp_sendrecv_all_nodes(dpkg_t)
	101	corenet_tcp_sendrecv_all_ports(dpkg_t)
	102	corenet_udp_sendrecv_all_ports(dpkg_t)
0c54fcf8	103	corenet_tcp_connect_all_ports(dpkg_t)
9d0c9b3e	104	corenet_sendrecv_all_client_packets(dpkg_t)
0c54fcf8 CP	105
	106	dev_list_sysfs(dpkg_t)
	107	dev_list_usbfs(dpkg_t)
	108	dev_read_urand(dpkg_t)
	109	#devices_manage_all_device_types(dpkg_t)
	110
0c54fcf8 CP	111	domain_read_all_domains_state(dpkg_t)
	112	domain_getattr_all_domains(dpkg_t)
	113	domain_dontaudit_ptrace_all_domains(dpkg_t)
	114	domain_use_interactive_fds(dpkg_t)
	115	domain_dontaudit_getattr_all_pipes(dpkg_t)
	116	domain_dontaudit_getattr_all_tcp_sockets(dpkg_t)
	117	domain_dontaudit_getattr_all_udp_sockets(dpkg_t)
	118	domain_dontaudit_getattr_all_packet_sockets(dpkg_t)
	119	domain_dontaudit_getattr_all_raw_sockets(dpkg_t)
	120	domain_dontaudit_getattr_all_stream_sockets(dpkg_t)
	121	domain_dontaudit_getattr_all_dgram_sockets(dpkg_t)
	122
	123	fs_manage_nfs_dirs(dpkg_t)
	124	fs_manage_nfs_files(dpkg_t)
	125	fs_manage_nfs_symlinks(dpkg_t)
	126	fs_getattr_all_fs(dpkg_t)
	127	fs_search_auto_mountpoints(dpkg_t)
	128
f8233ab7 CP	129	mls_file_read_all_levels(dpkg_t)
f8233ab7 CP	130	mls_file_write_all_levels(dpkg_t)
0c54fcf8 CP	131	mls_file_upgrade(dpkg_t)
	132
	133	selinux_get_fs_mount(dpkg_t)
	134	selinux_validate_context(dpkg_t)
	135	selinux_compute_access_vector(dpkg_t)
	136	selinux_compute_create_context(dpkg_t)
	137	selinux_compute_relabel_context(dpkg_t)
	138	selinux_compute_user_contexts(dpkg_t)
	139
	140	storage_raw_write_fixed_disk(dpkg_t)
	141	# for installing kernel packages
	142	storage_raw_read_fixed_disk(dpkg_t)
	143
0c54fcf8 CP	144	auth_relabel_all_files_except_shadow(dpkg_t)
	145	auth_manage_all_files_except_shadow(dpkg_t)
	146	auth_dontaudit_read_shadow(dpkg_t)
	147
	148	files_exec_etc_files(dpkg_t)
	149
	150	init_domtrans_script(dpkg_t)
e065ac8a	151	init_use_script_ptys(dpkg_t)
0c54fcf8	152
0c54fcf8 CP	153	libs_exec_ld_so(dpkg_t)
	154	libs_exec_lib_files(dpkg_t)
	155	libs_domtrans_ldconfig(dpkg_t)
	156
	157	logging_send_syslog_msg(dpkg_t)
	158
	159	# allow compiling and loading new policy
	160	seutil_manage_src_policy(dpkg_t)
	161	seutil_manage_bin_policy(dpkg_t)
	162
	163	sysnet_read_config(dpkg_t)
	164
296273a7	165	userdom_use_user_terminals(dpkg_t)
0c54fcf8 CP	166	userdom_use_unpriv_users_fds(dpkg_t)
	167
	168	# transition to dpkg script:
	169	dpkg_domtrans_script(dpkg_t)
	170	# since the scripts aren't labeled correctly yet...
0b36a214	171	allow dpkg_t dpkg_var_lib_t:file mmap_file_perms;
0c54fcf8	172
e065ac8a CP	173	optional_policy(`
	174	apt_use_ptys(dpkg_t)
	175	')
	176
0c54fcf8	177	# TODO: allow?
bb7170f6	178	#optional_policy(`
0c54fcf8 CP	179	# cron_system_entry(dpkg_t,dpkg_exec_t)
	180	#')
	181
bb7170f6	182	optional_policy(`
0c54fcf8 CP	183	nis_use_ypbind(dpkg_t)
	184	')
	185
350b6ab7 CP	186	optional_policy(`
	187	unconfined_domain(dpkg_t)
	188	')
	189
0c54fcf8 CP	190	# TODO: the following was copied from dpkg_script_t, and could probably
	191	# be removed again when dpkg_script_t is actually used...
	192	domain_signal_all_domains(dpkg_t)
	193	domain_signull_all_domains(dpkg_t)
	194	files_read_etc_runtime_files(dpkg_t)
	195	files_exec_usr_files(dpkg_t)
	196	miscfiles_read_localization(dpkg_t)
	197	modutils_domtrans_depmod(dpkg_t)
	198	modutils_domtrans_insmod(dpkg_t)
	199	seutil_domtrans_loadpolicy(dpkg_t)
762d2cb9	200	seutil_domtrans_setfiles(dpkg_t)
0c54fcf8	201	userdom_use_all_users_fds(dpkg_t)
bb7170f6	202	optional_policy(`
0c54fcf8 CP	203	mta_send_mail(dpkg_t)
0c54fcf8 CP	204	')
bb7170f6	205	optional_policy(`
0c54fcf8 CP	206	usermanage_domtrans_groupadd(dpkg_t)
	207	usermanage_domtrans_useradd(dpkg_t)
	208	')
	209
	210	########################################
	211	#
	212	# dpkg-script Local policy
	213	#
	214	# TODO: actually use dpkg_script_t
	215
	216	allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
	217	allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
	218	allow dpkg_script_t self:fd use;
ef659a47	219	allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
0c54fcf8 CP	220	allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
	221	allow dpkg_script_t self:unix_stream_socket rw_stream_socket_perms;
	222	allow dpkg_script_t self:unix_dgram_socket sendto;
	223	allow dpkg_script_t self:unix_stream_socket connectto;
	224	allow dpkg_script_t self:shm create_shm_perms;
	225	allow dpkg_script_t self:sem create_sem_perms;
	226	allow dpkg_script_t self:msgq create_msgq_perms;
	227	allow dpkg_script_t self:msg { send receive };
	228
ef659a47	229	allow dpkg_script_t dpkg_tmp_t:file read_file_perms;
0c54fcf8 CP	230
	231	allow dpkg_script_t dpkg_script_tmp_t:dir { manage_dir_perms mounton };
	232	allow dpkg_script_t dpkg_script_tmp_t:file manage_file_perms;
	233	files_tmp_filetrans(dpkg_script_t, dpkg_script_tmp_t, { file dir })
	234
	235	allow dpkg_script_t dpkg_script_tmpfs_t:dir manage_dir_perms;
	236	allow dpkg_script_t dpkg_script_tmpfs_t:file manage_file_perms;
ef659a47 CP	237	allow dpkg_script_t dpkg_script_tmpfs_t:lnk_file manage_lnk_file_perms;
	238	allow dpkg_script_t dpkg_script_tmpfs_t:sock_file manage_sock_file_perms;
	239	allow dpkg_script_t dpkg_script_tmpfs_t:fifo_file manage_fifo_file_perms;
0bfccda4	240	fs_tmpfs_filetrans(dpkg_script_t, dpkg_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
0c54fcf8 CP	241
	242	kernel_read_kernel_sysctls(dpkg_script_t)
	243	kernel_read_system_state(dpkg_script_t)
	244
fb63d0b5	245	corecmd_exec_all_executables(dpkg_script_t)
0c54fcf8 CP	246
	247	dev_list_sysfs(dpkg_script_t)
	248	# ideally we would not need this
	249	dev_manage_generic_blk_files(dpkg_script_t)
	250	dev_manage_generic_chr_files(dpkg_script_t)
	251	dev_manage_all_blk_files(dpkg_script_t)
	252	dev_manage_all_chr_files(dpkg_script_t)
	253
	254	domain_read_all_domains_state(dpkg_script_t)
	255	domain_getattr_all_domains(dpkg_script_t)
	256	domain_dontaudit_ptrace_all_domains(dpkg_script_t)
	257	domain_use_interactive_fds(dpkg_script_t)
0c54fcf8 CP	258	domain_signal_all_domains(dpkg_script_t)
	259	domain_signull_all_domains(dpkg_script_t)
	260
	261	files_exec_etc_files(dpkg_script_t)
	262	files_read_etc_runtime_files(dpkg_script_t)
	263	files_exec_usr_files(dpkg_script_t)
	264
	265	fs_manage_nfs_files(dpkg_script_t)
	266	fs_getattr_nfs(dpkg_script_t)
	267	# why is this not using mount?
	268	fs_getattr_xattr_fs(dpkg_script_t)
	269	fs_mount_xattr_fs(dpkg_script_t)
	270	fs_unmount_xattr_fs(dpkg_script_t)
	271	fs_search_auto_mountpoints(dpkg_script_t)
	272
f8233ab7 CP	273	mls_file_read_all_levels(dpkg_script_t)
f8233ab7 CP	274	mls_file_write_all_levels(dpkg_script_t)
0c54fcf8 CP	275
	276	selinux_get_fs_mount(dpkg_script_t)
	277	selinux_validate_context(dpkg_script_t)
	278	selinux_compute_access_vector(dpkg_script_t)
	279	selinux_compute_create_context(dpkg_script_t)
	280	selinux_compute_relabel_context(dpkg_script_t)
	281	selinux_compute_user_contexts(dpkg_script_t)
	282
	283	storage_raw_read_fixed_disk(dpkg_script_t)
	284	storage_raw_write_fixed_disk(dpkg_script_t)
	285
0c54fcf8 CP	286	term_use_all_terms(dpkg_script_t)
	287
	288	auth_dontaudit_getattr_shadow(dpkg_script_t)
	289	# ideally we would not need this
	290	auth_manage_all_files_except_shadow(dpkg_script_t)
	291
	292	init_domtrans_script(dpkg_script_t)
e065ac8a	293	init_use_script_fds(dpkg_script_t)
0c54fcf8	294
0c54fcf8 CP	295	libs_exec_ld_so(dpkg_script_t)
	296	libs_exec_lib_files(dpkg_script_t)
	297	libs_domtrans_ldconfig(dpkg_script_t)
	298
	299	logging_send_syslog_msg(dpkg_script_t)
	300
	301	miscfiles_read_localization(dpkg_script_t)
	302
	303	modutils_domtrans_depmod(dpkg_script_t)
	304	modutils_domtrans_insmod(dpkg_script_t)
	305
	306	seutil_domtrans_loadpolicy(dpkg_script_t)
762d2cb9	307	seutil_domtrans_setfiles(dpkg_script_t)
0c54fcf8 CP	308
	309	userdom_use_all_users_fds(dpkg_script_t)
	310
0c54fcf8 CP	311	tunable_policy(`allow_execmem',`
	312	allow dpkg_script_t self:process execmem;
	313	')
	314
e065ac8a CP	315	optional_policy(`
	316	apt_rw_pipes(dpkg_script_t)
	317	apt_use_fds(dpkg_script_t)
	318	')
	319
350b6ab7 CP	320	optional_policy(`
	321	bootloader_domtrans(dpkg_script_t)
	322	')
	323
bb7170f6	324	optional_policy(`
0c54fcf8 CP	325	mta_send_mail(dpkg_script_t)
	326	')
	327
bb7170f6	328	optional_policy(`
0c54fcf8 CP	329	nis_use_ypbind(dpkg_script_t)
	330	')
	331
350b6ab7 CP	332	optional_policy(`
	333	unconfined_domain(dpkg_script_t)
	334	')
	335
bb7170f6	336	optional_policy(`
0c54fcf8 CP	337	usermanage_domtrans_groupadd(dpkg_script_t)
	338	usermanage_domtrans_useradd(dpkg_script_t)
	339	')