[people/stevee/selinux-policy.git] / policy / modules / admin / dpkg.te

policy_module(dpkg, 1.7.0)

########################################
#
# Declarations
#

type dpkg_t;
type dpkg_exec_t;
# dpkg can start/stop services
init_system_domain(dpkg_t, dpkg_exec_t)
# dpkg can change file labels, roles, IO
domain_obj_id_change_exemption(dpkg_t)
domain_role_change_exemption(dpkg_t)
domain_system_change_exemption(dpkg_t)
domain_interactive_fd(dpkg_t)
role system_r types dpkg_t;

# lockfile
type dpkg_lock_t;
files_lock_file(dpkg_lock_t)

type dpkg_tmp_t;
files_tmp_file(dpkg_tmp_t)

type dpkg_tmpfs_t;
files_tmpfs_file(dpkg_tmpfs_t)

# status files
type dpkg_var_lib_t alias var_lib_dpkg_t;
files_type(dpkg_var_lib_t)

# package scripts
type dpkg_script_t;
domain_type(dpkg_script_t)
domain_entry_file(dpkg_t, dpkg_var_lib_t)
corecmd_shell_entry_type(dpkg_script_t)
domain_obj_id_change_exemption(dpkg_script_t)
domain_system_change_exemption(dpkg_script_t)
domain_interactive_fd(dpkg_script_t)
role system_r types dpkg_script_t;

type dpkg_script_tmp_t;
files_tmp_file(dpkg_script_tmp_t)

type dpkg_script_tmpfs_t;
files_tmpfs_file(dpkg_script_tmpfs_t)

########################################
#
# dpkg Local policy
#

allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
allow dpkg_t self:process { setpgid fork getsched setfscreate };
allow dpkg_t self:fd use;
allow dpkg_t self:fifo_file rw_fifo_file_perms;
allow dpkg_t self:unix_dgram_socket create_socket_perms;
allow dpkg_t self:unix_stream_socket rw_stream_socket_perms;
allow dpkg_t self:unix_dgram_socket sendto;
allow dpkg_t self:unix_stream_socket connectto;
allow dpkg_t self:udp_socket { connect create_socket_perms };
allow dpkg_t self:tcp_socket create_stream_socket_perms;
allow dpkg_t self:shm create_shm_perms;
allow dpkg_t self:sem create_sem_perms;
allow dpkg_t self:msgq create_msgq_perms;
allow dpkg_t self:msg { send receive };

allow dpkg_t dpkg_lock_t:file manage_file_perms;

manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir })

manage_dirs_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
manage_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
manage_lnk_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
manage_sock_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
manage_fifo_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
fs_tmpfs_filetrans(dpkg_t, dpkg_tmpfs_t, { dir file lnk_file sock_file fifo_file })

# Access /var/lib/dpkg files
manage_files_pattern(dpkg_t, dpkg_var_lib_t, dpkg_var_lib_t)
files_var_lib_filetrans(dpkg_t, dpkg_var_lib_t, dir)

kernel_read_system_state(dpkg_t)
kernel_read_kernel_sysctls(dpkg_t)

corecmd_exec_all_executables(dpkg_t)

# TODO: do we really need all networking?
corenet_all_recvfrom_unlabeled(dpkg_t)
corenet_all_recvfrom_netlabel(dpkg_t)
corenet_tcp_sendrecv_generic_if(dpkg_t)
corenet_raw_sendrecv_generic_if(dpkg_t)
corenet_udp_sendrecv_generic_if(dpkg_t)
corenet_tcp_sendrecv_generic_node(dpkg_t)
corenet_raw_sendrecv_generic_node(dpkg_t)
corenet_udp_sendrecv_generic_node(dpkg_t)
corenet_tcp_sendrecv_all_ports(dpkg_t)
corenet_udp_sendrecv_all_ports(dpkg_t)
corenet_tcp_connect_all_ports(dpkg_t)
corenet_sendrecv_all_client_packets(dpkg_t)

dev_list_sysfs(dpkg_t)
dev_list_usbfs(dpkg_t)
dev_read_urand(dpkg_t)
#devices_manage_all_device_types(dpkg_t)

domain_read_all_domains_state(dpkg_t)
domain_getattr_all_domains(dpkg_t)
domain_dontaudit_ptrace_all_domains(dpkg_t)
domain_use_interactive_fds(dpkg_t)
domain_dontaudit_getattr_all_pipes(dpkg_t)
domain_dontaudit_getattr_all_tcp_sockets(dpkg_t)
domain_dontaudit_getattr_all_udp_sockets(dpkg_t)
domain_dontaudit_getattr_all_packet_sockets(dpkg_t)
domain_dontaudit_getattr_all_raw_sockets(dpkg_t)
domain_dontaudit_getattr_all_stream_sockets(dpkg_t)
domain_dontaudit_getattr_all_dgram_sockets(dpkg_t)

fs_manage_nfs_dirs(dpkg_t)
fs_manage_nfs_files(dpkg_t)
fs_manage_nfs_symlinks(dpkg_t)
fs_getattr_all_fs(dpkg_t)
fs_search_auto_mountpoints(dpkg_t)

mls_file_read_all_levels(dpkg_t)
mls_file_write_all_levels(dpkg_t)
mls_file_upgrade(dpkg_t)

selinux_get_fs_mount(dpkg_t)
selinux_validate_context(dpkg_t)
selinux_compute_access_vector(dpkg_t)
selinux_compute_create_context(dpkg_t)
selinux_compute_relabel_context(dpkg_t)
selinux_compute_user_contexts(dpkg_t)

storage_raw_write_fixed_disk(dpkg_t)
# for installing kernel packages
storage_raw_read_fixed_disk(dpkg_t)

auth_relabel_all_files_except_shadow(dpkg_t)
auth_manage_all_files_except_shadow(dpkg_t)
auth_dontaudit_read_shadow(dpkg_t)

files_exec_etc_files(dpkg_t)

init_domtrans_script(dpkg_t)
init_use_script_ptys(dpkg_t)

libs_exec_ld_so(dpkg_t)
libs_exec_lib_files(dpkg_t)
libs_domtrans_ldconfig(dpkg_t)

logging_send_syslog_msg(dpkg_t)

# allow compiling and loading new policy
seutil_manage_src_policy(dpkg_t)
seutil_manage_bin_policy(dpkg_t)

sysnet_read_config(dpkg_t)

userdom_use_inherited_user_terminals(dpkg_t)
userdom_use_unpriv_users_fds(dpkg_t)

# transition to dpkg script:
dpkg_domtrans_script(dpkg_t)
# since the scripts aren't labeled correctly yet...
allow dpkg_t dpkg_var_lib_t:file mmap_file_perms;

optional_policy(`
	apt_use_ptys(dpkg_t)
')

# TODO: allow?
#optional_policy(`
#	cron_system_entry(dpkg_t,dpkg_exec_t)
#')

optional_policy(`
	nis_use_ypbind(dpkg_t)
')

optional_policy(`
	unconfined_domain(dpkg_t)
')

# TODO: the following was copied from dpkg_script_t, and could probably
# be removed again when dpkg_script_t is actually used...
domain_signal_all_domains(dpkg_t)
domain_signull_all_domains(dpkg_t)
files_read_etc_runtime_files(dpkg_t)
files_exec_usr_files(dpkg_t)
miscfiles_read_localization(dpkg_t)
seutil_domtrans_loadpolicy(dpkg_t)
seutil_domtrans_setfiles(dpkg_t)
userdom_use_all_users_fds(dpkg_t)

optional_policy(`
	mta_send_mail(dpkg_t)
')

optional_policy(`
	modutils_domtrans_depmod(dpkg_t)
	modutils_domtrans_insmod(dpkg_t)
')

optional_policy(`
	usermanage_domtrans_groupadd(dpkg_t)
	usermanage_domtrans_useradd(dpkg_t)
')

########################################
#
# dpkg-script Local policy
#
# TODO: actually use dpkg_script_t

allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow dpkg_script_t self:fd use;
allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
allow dpkg_script_t self:unix_stream_socket rw_stream_socket_perms;
allow dpkg_script_t self:unix_dgram_socket sendto;
allow dpkg_script_t self:unix_stream_socket connectto;
allow dpkg_script_t self:shm create_shm_perms;
allow dpkg_script_t self:sem create_sem_perms;
allow dpkg_script_t self:msgq create_msgq_perms;
allow dpkg_script_t self:msg { send receive };

allow dpkg_script_t dpkg_tmp_t:file read_file_perms;

allow dpkg_script_t dpkg_script_tmp_t:dir { manage_dir_perms mounton };
allow dpkg_script_t dpkg_script_tmp_t:file manage_file_perms;
files_tmp_filetrans(dpkg_script_t, dpkg_script_tmp_t, { file dir })

allow dpkg_script_t dpkg_script_tmpfs_t:dir manage_dir_perms;
allow dpkg_script_t dpkg_script_tmpfs_t:file manage_file_perms;
allow dpkg_script_t dpkg_script_tmpfs_t:lnk_file manage_lnk_file_perms;
allow dpkg_script_t dpkg_script_tmpfs_t:sock_file manage_sock_file_perms;
allow dpkg_script_t dpkg_script_tmpfs_t:fifo_file manage_fifo_file_perms;
fs_tmpfs_filetrans(dpkg_script_t, dpkg_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })

kernel_read_kernel_sysctls(dpkg_script_t)
kernel_read_system_state(dpkg_script_t)

corecmd_exec_all_executables(dpkg_script_t)

dev_list_sysfs(dpkg_script_t)
# ideally we would not need this
dev_manage_generic_blk_files(dpkg_script_t)
dev_manage_generic_chr_files(dpkg_script_t)
dev_manage_all_blk_files(dpkg_script_t)
dev_manage_all_chr_files(dpkg_script_t)

domain_read_all_domains_state(dpkg_script_t)
domain_getattr_all_domains(dpkg_script_t)
domain_dontaudit_ptrace_all_domains(dpkg_script_t)
domain_use_interactive_fds(dpkg_script_t)
domain_signal_all_domains(dpkg_script_t)
domain_signull_all_domains(dpkg_script_t)

files_exec_etc_files(dpkg_script_t)
files_read_etc_runtime_files(dpkg_script_t)
files_exec_usr_files(dpkg_script_t)

fs_manage_nfs_files(dpkg_script_t)
fs_getattr_nfs(dpkg_script_t)
# why is this not using mount?
fs_getattr_xattr_fs(dpkg_script_t)
fs_mount_xattr_fs(dpkg_script_t)
fs_unmount_xattr_fs(dpkg_script_t)
fs_search_auto_mountpoints(dpkg_script_t)

mls_file_read_all_levels(dpkg_script_t)
mls_file_write_all_levels(dpkg_script_t)

selinux_get_fs_mount(dpkg_script_t)
selinux_validate_context(dpkg_script_t)
selinux_compute_access_vector(dpkg_script_t)
selinux_compute_create_context(dpkg_script_t)
selinux_compute_relabel_context(dpkg_script_t)
selinux_compute_user_contexts(dpkg_script_t)

storage_raw_read_fixed_disk(dpkg_script_t)
storage_raw_write_fixed_disk(dpkg_script_t)

term_use_all_inherited_terms(dpkg_script_t)

auth_dontaudit_getattr_shadow(dpkg_script_t)
# ideally we would not need this
auth_manage_all_files_except_shadow(dpkg_script_t)

init_domtrans_script(dpkg_script_t)
init_use_script_fds(dpkg_script_t)

libs_exec_ld_so(dpkg_script_t)
libs_exec_lib_files(dpkg_script_t)
libs_domtrans_ldconfig(dpkg_script_t)

logging_send_syslog_msg(dpkg_script_t)

miscfiles_read_localization(dpkg_script_t)

seutil_domtrans_loadpolicy(dpkg_script_t)
seutil_domtrans_setfiles(dpkg_script_t)

userdom_use_all_users_fds(dpkg_script_t)

tunable_policy(`allow_execmem',`
	allow dpkg_script_t self:process execmem;
')

optional_policy(`
	apt_rw_pipes(dpkg_script_t)
	apt_use_fds(dpkg_script_t)
')

optional_policy(`
	bootloader_domtrans(dpkg_script_t)
')

optional_policy(`
	modutils_domtrans_depmod(dpkg_script_t)
	modutils_domtrans_insmod(dpkg_script_t)
')

optional_policy(`
	mta_send_mail(dpkg_script_t)
')

optional_policy(`
	nis_use_ypbind(dpkg_script_t)
')

optional_policy(`
	unconfined_domain(dpkg_script_t)
')

optional_policy(`
	usermanage_domtrans_groupadd(dpkg_script_t)
	usermanage_domtrans_useradd(dpkg_script_t)
')
Commit	Line	Data
9570b288	1	policy_module(dpkg, 1.7.0)
0c54fcf8 CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
	8	type dpkg_t;
	9	type dpkg_exec_t;
	10	# dpkg can start/stop services
0bfccda4	11	init_system_domain(dpkg_t, dpkg_exec_t)
0c54fcf8 CP	12	# dpkg can change file labels, roles, IO
	13	domain_obj_id_change_exemption(dpkg_t)
	14	domain_role_change_exemption(dpkg_t)
	15	domain_system_change_exemption(dpkg_t)
	16	domain_interactive_fd(dpkg_t)
	17	role system_r types dpkg_t;
	18
	19	# lockfile
	20	type dpkg_lock_t;
f673c046	21	files_lock_file(dpkg_lock_t)
0c54fcf8 CP	22
	23	type dpkg_tmp_t;
	24	files_tmp_file(dpkg_tmp_t)
	25
	26	type dpkg_tmpfs_t;
	27	files_tmpfs_file(dpkg_tmpfs_t)
	28
	29	# status files
	30	type dpkg_var_lib_t alias var_lib_dpkg_t;
	31	files_type(dpkg_var_lib_t)
	32
	33	# package scripts
	34	type dpkg_script_t;
	35	domain_type(dpkg_script_t)
	36	domain_entry_file(dpkg_t, dpkg_var_lib_t)
	37	corecmd_shell_entry_type(dpkg_script_t)
	38	domain_obj_id_change_exemption(dpkg_script_t)
	39	domain_system_change_exemption(dpkg_script_t)
	40	domain_interactive_fd(dpkg_script_t)
	41	role system_r types dpkg_script_t;
	42
	43	type dpkg_script_tmp_t;
	44	files_tmp_file(dpkg_script_tmp_t)
	45
	46	type dpkg_script_tmpfs_t;
	47	files_tmpfs_file(dpkg_script_tmpfs_t)
	48
	49	########################################
	50	#
	51	# dpkg Local policy
	52	#
	53
	54	allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
	55	allow dpkg_t self:process { setpgid fork getsched setfscreate };
	56	allow dpkg_t self:fd use;
c0868a7a	57	allow dpkg_t self:fifo_file rw_fifo_file_perms;
0c54fcf8 CP	58	allow dpkg_t self:unix_dgram_socket create_socket_perms;
	59	allow dpkg_t self:unix_stream_socket rw_stream_socket_perms;
	60	allow dpkg_t self:unix_dgram_socket sendto;
	61	allow dpkg_t self:unix_stream_socket connectto;
	62	allow dpkg_t self:udp_socket { connect create_socket_perms };
	63	allow dpkg_t self:tcp_socket create_stream_socket_perms;
	64	allow dpkg_t self:shm create_shm_perms;
	65	allow dpkg_t self:sem create_sem_perms;
	66	allow dpkg_t self:msgq create_msgq_perms;
	67	allow dpkg_t self:msg { send receive };
	68
	69	allow dpkg_t dpkg_lock_t:file manage_file_perms;
	70
0bfccda4 CP	71	manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
0bfccda4 CP	72	manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
0c54fcf8 CP	73	files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir })
0c54fcf8 CP	74
0bfccda4 CP	75	manage_dirs_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
	76	manage_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
	77	manage_lnk_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
	78	manage_sock_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
	79	manage_fifo_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
	80	fs_tmpfs_filetrans(dpkg_t, dpkg_tmpfs_t, { dir file lnk_file sock_file fifo_file })
0c54fcf8 CP	81
0c54fcf8 CP	82	# Access /var/lib/dpkg files
0bfccda4 CP	83	manage_files_pattern(dpkg_t, dpkg_var_lib_t, dpkg_var_lib_t)
0bfccda4 CP	84	files_var_lib_filetrans(dpkg_t, dpkg_var_lib_t, dir)
0c54fcf8 CP	85
	86	kernel_read_system_state(dpkg_t)
	87	kernel_read_kernel_sysctls(dpkg_t)
	88
fb63d0b5	89	corecmd_exec_all_executables(dpkg_t)
0c54fcf8 CP	90
0c54fcf8 CP	91	# TODO: do we really need all networking?
19006686 CP	92	corenet_all_recvfrom_unlabeled(dpkg_t)
19006686 CP	93	corenet_all_recvfrom_netlabel(dpkg_t)
668b3093 CP	94	corenet_tcp_sendrecv_generic_if(dpkg_t)
	95	corenet_raw_sendrecv_generic_if(dpkg_t)
	96	corenet_udp_sendrecv_generic_if(dpkg_t)
c1262146 CP	97	corenet_tcp_sendrecv_generic_node(dpkg_t)
	98	corenet_raw_sendrecv_generic_node(dpkg_t)
	99	corenet_udp_sendrecv_generic_node(dpkg_t)
0c54fcf8 CP	100	corenet_tcp_sendrecv_all_ports(dpkg_t)
0c54fcf8 CP	101	corenet_udp_sendrecv_all_ports(dpkg_t)
0c54fcf8	102	corenet_tcp_connect_all_ports(dpkg_t)
9d0c9b3e	103	corenet_sendrecv_all_client_packets(dpkg_t)
0c54fcf8 CP	104
	105	dev_list_sysfs(dpkg_t)
	106	dev_list_usbfs(dpkg_t)
	107	dev_read_urand(dpkg_t)
	108	#devices_manage_all_device_types(dpkg_t)
	109
0c54fcf8 CP	110	domain_read_all_domains_state(dpkg_t)
	111	domain_getattr_all_domains(dpkg_t)
	112	domain_dontaudit_ptrace_all_domains(dpkg_t)
	113	domain_use_interactive_fds(dpkg_t)
	114	domain_dontaudit_getattr_all_pipes(dpkg_t)
	115	domain_dontaudit_getattr_all_tcp_sockets(dpkg_t)
	116	domain_dontaudit_getattr_all_udp_sockets(dpkg_t)
	117	domain_dontaudit_getattr_all_packet_sockets(dpkg_t)
	118	domain_dontaudit_getattr_all_raw_sockets(dpkg_t)
	119	domain_dontaudit_getattr_all_stream_sockets(dpkg_t)
	120	domain_dontaudit_getattr_all_dgram_sockets(dpkg_t)
	121
	122	fs_manage_nfs_dirs(dpkg_t)
	123	fs_manage_nfs_files(dpkg_t)
	124	fs_manage_nfs_symlinks(dpkg_t)
	125	fs_getattr_all_fs(dpkg_t)
	126	fs_search_auto_mountpoints(dpkg_t)
	127
f8233ab7 CP	128	mls_file_read_all_levels(dpkg_t)
f8233ab7 CP	129	mls_file_write_all_levels(dpkg_t)
0c54fcf8 CP	130	mls_file_upgrade(dpkg_t)
	131
	132	selinux_get_fs_mount(dpkg_t)
	133	selinux_validate_context(dpkg_t)
	134	selinux_compute_access_vector(dpkg_t)
	135	selinux_compute_create_context(dpkg_t)
	136	selinux_compute_relabel_context(dpkg_t)
	137	selinux_compute_user_contexts(dpkg_t)
	138
	139	storage_raw_write_fixed_disk(dpkg_t)
	140	# for installing kernel packages
	141	storage_raw_read_fixed_disk(dpkg_t)
	142
0c54fcf8 CP	143	auth_relabel_all_files_except_shadow(dpkg_t)
	144	auth_manage_all_files_except_shadow(dpkg_t)
	145	auth_dontaudit_read_shadow(dpkg_t)
	146
	147	files_exec_etc_files(dpkg_t)
	148
	149	init_domtrans_script(dpkg_t)
e065ac8a	150	init_use_script_ptys(dpkg_t)
0c54fcf8	151
0c54fcf8 CP	152	libs_exec_ld_so(dpkg_t)
	153	libs_exec_lib_files(dpkg_t)
	154	libs_domtrans_ldconfig(dpkg_t)
	155
	156	logging_send_syslog_msg(dpkg_t)
	157
	158	# allow compiling and loading new policy
	159	seutil_manage_src_policy(dpkg_t)
	160	seutil_manage_bin_policy(dpkg_t)
	161
	162	sysnet_read_config(dpkg_t)
	163
af2d8802	164	userdom_use_inherited_user_terminals(dpkg_t)
0c54fcf8 CP	165	userdom_use_unpriv_users_fds(dpkg_t)
	166
	167	# transition to dpkg script:
	168	dpkg_domtrans_script(dpkg_t)
	169	# since the scripts aren't labeled correctly yet...
0b36a214	170	allow dpkg_t dpkg_var_lib_t:file mmap_file_perms;
0c54fcf8	171
e065ac8a CP	172	optional_policy(`
	173	apt_use_ptys(dpkg_t)
	174	')
	175
0c54fcf8	176	# TODO: allow?
bb7170f6	177	#optional_policy(`
0c54fcf8 CP	178	# cron_system_entry(dpkg_t,dpkg_exec_t)
	179	#')
	180
bb7170f6	181	optional_policy(`
0c54fcf8 CP	182	nis_use_ypbind(dpkg_t)
	183	')
	184
350b6ab7 CP	185	optional_policy(`
	186	unconfined_domain(dpkg_t)
	187	')
	188
0c54fcf8 CP	189	# TODO: the following was copied from dpkg_script_t, and could probably
	190	# be removed again when dpkg_script_t is actually used...
	191	domain_signal_all_domains(dpkg_t)
	192	domain_signull_all_domains(dpkg_t)
	193	files_read_etc_runtime_files(dpkg_t)
	194	files_exec_usr_files(dpkg_t)
	195	miscfiles_read_localization(dpkg_t)
0c54fcf8	196	seutil_domtrans_loadpolicy(dpkg_t)
762d2cb9	197	seutil_domtrans_setfiles(dpkg_t)
0c54fcf8	198	userdom_use_all_users_fds(dpkg_t)
2371d8d8	199
bb7170f6	200	optional_policy(`
0c54fcf8 CP	201	mta_send_mail(dpkg_t)
0c54fcf8 CP	202	')
2371d8d8 MG	203
	204	optional_policy(`
	205	modutils_domtrans_depmod(dpkg_t)
	206	modutils_domtrans_insmod(dpkg_t)
	207	')
	208
bb7170f6	209	optional_policy(`
0c54fcf8 CP	210	usermanage_domtrans_groupadd(dpkg_t)
	211	usermanage_domtrans_useradd(dpkg_t)
	212	')
	213
	214	########################################
	215	#
	216	# dpkg-script Local policy
	217	#
	218	# TODO: actually use dpkg_script_t
	219
	220	allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
	221	allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
	222	allow dpkg_script_t self:fd use;
ef659a47	223	allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
0c54fcf8 CP	224	allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
	225	allow dpkg_script_t self:unix_stream_socket rw_stream_socket_perms;
	226	allow dpkg_script_t self:unix_dgram_socket sendto;
	227	allow dpkg_script_t self:unix_stream_socket connectto;
	228	allow dpkg_script_t self:shm create_shm_perms;
	229	allow dpkg_script_t self:sem create_sem_perms;
	230	allow dpkg_script_t self:msgq create_msgq_perms;
	231	allow dpkg_script_t self:msg { send receive };
	232
ef659a47	233	allow dpkg_script_t dpkg_tmp_t:file read_file_perms;
0c54fcf8 CP	234
	235	allow dpkg_script_t dpkg_script_tmp_t:dir { manage_dir_perms mounton };
	236	allow dpkg_script_t dpkg_script_tmp_t:file manage_file_perms;
	237	files_tmp_filetrans(dpkg_script_t, dpkg_script_tmp_t, { file dir })
	238
	239	allow dpkg_script_t dpkg_script_tmpfs_t:dir manage_dir_perms;
	240	allow dpkg_script_t dpkg_script_tmpfs_t:file manage_file_perms;
ef659a47 CP	241	allow dpkg_script_t dpkg_script_tmpfs_t:lnk_file manage_lnk_file_perms;
	242	allow dpkg_script_t dpkg_script_tmpfs_t:sock_file manage_sock_file_perms;
	243	allow dpkg_script_t dpkg_script_tmpfs_t:fifo_file manage_fifo_file_perms;
0bfccda4	244	fs_tmpfs_filetrans(dpkg_script_t, dpkg_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
0c54fcf8 CP	245
	246	kernel_read_kernel_sysctls(dpkg_script_t)
	247	kernel_read_system_state(dpkg_script_t)
	248
fb63d0b5	249	corecmd_exec_all_executables(dpkg_script_t)
0c54fcf8 CP	250
	251	dev_list_sysfs(dpkg_script_t)
	252	# ideally we would not need this
	253	dev_manage_generic_blk_files(dpkg_script_t)
	254	dev_manage_generic_chr_files(dpkg_script_t)
	255	dev_manage_all_blk_files(dpkg_script_t)
	256	dev_manage_all_chr_files(dpkg_script_t)
	257
	258	domain_read_all_domains_state(dpkg_script_t)
	259	domain_getattr_all_domains(dpkg_script_t)
	260	domain_dontaudit_ptrace_all_domains(dpkg_script_t)
	261	domain_use_interactive_fds(dpkg_script_t)
0c54fcf8 CP	262	domain_signal_all_domains(dpkg_script_t)
	263	domain_signull_all_domains(dpkg_script_t)
	264
	265	files_exec_etc_files(dpkg_script_t)
	266	files_read_etc_runtime_files(dpkg_script_t)
	267	files_exec_usr_files(dpkg_script_t)
	268
	269	fs_manage_nfs_files(dpkg_script_t)
	270	fs_getattr_nfs(dpkg_script_t)
	271	# why is this not using mount?
	272	fs_getattr_xattr_fs(dpkg_script_t)
	273	fs_mount_xattr_fs(dpkg_script_t)
	274	fs_unmount_xattr_fs(dpkg_script_t)
	275	fs_search_auto_mountpoints(dpkg_script_t)
	276
f8233ab7 CP	277	mls_file_read_all_levels(dpkg_script_t)
f8233ab7 CP	278	mls_file_write_all_levels(dpkg_script_t)
0c54fcf8 CP	279
	280	selinux_get_fs_mount(dpkg_script_t)
	281	selinux_validate_context(dpkg_script_t)
	282	selinux_compute_access_vector(dpkg_script_t)
	283	selinux_compute_create_context(dpkg_script_t)
	284	selinux_compute_relabel_context(dpkg_script_t)
	285	selinux_compute_user_contexts(dpkg_script_t)
	286
	287	storage_raw_read_fixed_disk(dpkg_script_t)
	288	storage_raw_write_fixed_disk(dpkg_script_t)
	289
af2d8802	290	term_use_all_inherited_terms(dpkg_script_t)
0c54fcf8 CP	291
	292	auth_dontaudit_getattr_shadow(dpkg_script_t)
	293	# ideally we would not need this
	294	auth_manage_all_files_except_shadow(dpkg_script_t)
	295
	296	init_domtrans_script(dpkg_script_t)
e065ac8a	297	init_use_script_fds(dpkg_script_t)
0c54fcf8	298
0c54fcf8 CP	299	libs_exec_ld_so(dpkg_script_t)
	300	libs_exec_lib_files(dpkg_script_t)
	301	libs_domtrans_ldconfig(dpkg_script_t)
	302
	303	logging_send_syslog_msg(dpkg_script_t)
	304
	305	miscfiles_read_localization(dpkg_script_t)
	306
0c54fcf8	307	seutil_domtrans_loadpolicy(dpkg_script_t)
762d2cb9	308	seutil_domtrans_setfiles(dpkg_script_t)
0c54fcf8 CP	309
	310	userdom_use_all_users_fds(dpkg_script_t)
	311
0c54fcf8 CP	312	tunable_policy(`allow_execmem',`
	313	allow dpkg_script_t self:process execmem;
	314	')
	315
e065ac8a CP	316	optional_policy(`
	317	apt_rw_pipes(dpkg_script_t)
	318	apt_use_fds(dpkg_script_t)
	319	')
	320
350b6ab7 CP	321	optional_policy(`
	322	bootloader_domtrans(dpkg_script_t)
	323	')
	324
2371d8d8 MG	325	optional_policy(`
	326	modutils_domtrans_depmod(dpkg_script_t)
	327	modutils_domtrans_insmod(dpkg_script_t)
	328	')
	329
bb7170f6	330	optional_policy(`
0c54fcf8 CP	331	mta_send_mail(dpkg_script_t)
	332	')
	333
bb7170f6	334	optional_policy(`
0c54fcf8 CP	335	nis_use_ypbind(dpkg_script_t)
	336	')
	337
350b6ab7 CP	338	optional_policy(`
	339	unconfined_domain(dpkg_script_t)
	340	')
	341
bb7170f6	342	optional_policy(`
0c54fcf8 CP	343	usermanage_domtrans_groupadd(dpkg_script_t)
	344	usermanage_domtrans_useradd(dpkg_script_t)
	345	')