[people/stevee/selinux-policy.git] / refpolicy / policy / modules / admin / dpkg.te


policy_module(dpkg,1.0.0)

########################################
#
# Declarations
#

type dpkg_t;
type dpkg_exec_t;
# dpkg can start/stop services
init_system_domain(dpkg_t,dpkg_exec_t)
# dpkg can change file labels, roles, IO
domain_obj_id_change_exemption(dpkg_t)
domain_role_change_exemption(dpkg_t)
domain_system_change_exemption(dpkg_t)
domain_interactive_fd(dpkg_t)
role system_r types dpkg_t;

# lockfile
type dpkg_lock_t;
files_type(dpkg_lock_t)

type dpkg_tmp_t;
files_tmp_file(dpkg_tmp_t)

type dpkg_tmpfs_t;
files_tmpfs_file(dpkg_tmpfs_t)

# status files
type dpkg_var_lib_t alias var_lib_dpkg_t;
files_type(dpkg_var_lib_t)

# package scripts
type dpkg_script_t;
domain_type(dpkg_script_t)
domain_entry_file(dpkg_t, dpkg_var_lib_t)
corecmd_shell_entry_type(dpkg_script_t)
domain_obj_id_change_exemption(dpkg_script_t)
domain_system_change_exemption(dpkg_script_t)
domain_interactive_fd(dpkg_script_t)
role system_r types dpkg_script_t;

type dpkg_script_tmp_t;
files_tmp_file(dpkg_script_tmp_t)

type dpkg_script_tmpfs_t;
files_tmpfs_file(dpkg_script_tmpfs_t)

########################################
#
# dpkg Local policy
#

allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
allow dpkg_t self:process { setpgid fork getsched setfscreate };
allow dpkg_t self:fd use;
allow dpkg_t self:fifo_file rw_file_perms;
allow dpkg_t self:unix_dgram_socket create_socket_perms;
allow dpkg_t self:unix_stream_socket rw_stream_socket_perms;
allow dpkg_t self:unix_dgram_socket sendto;
allow dpkg_t self:unix_stream_socket connectto;
allow dpkg_t self:udp_socket { connect create_socket_perms };
allow dpkg_t self:tcp_socket create_stream_socket_perms;
allow dpkg_t self:shm create_shm_perms;
allow dpkg_t self:sem create_sem_perms;
allow dpkg_t self:msgq create_msgq_perms;
allow dpkg_t self:msg { send receive };

allow dpkg_t dpkg_lock_t:file manage_file_perms;

allow dpkg_t dpkg_tmp_t:dir manage_dir_perms;
allow dpkg_t dpkg_tmp_t:file manage_file_perms;
files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir })

allow dpkg_t dpkg_tmpfs_t:dir manage_dir_perms;
allow dpkg_t dpkg_tmpfs_t:file manage_file_perms;
allow dpkg_t dpkg_tmpfs_t:lnk_file manage_file_perms;
allow dpkg_t dpkg_tmpfs_t:sock_file manage_file_perms;
allow dpkg_t dpkg_tmpfs_t:fifo_file manage_file_perms;
fs_tmpfs_filetrans(dpkg_t,dpkg_tmpfs_t,{ dir file lnk_file sock_file fifo_file })

# Access /var/lib/dpkg files
allow dpkg_t dpkg_var_lib_t:file manage_file_perms;
allow dpkg_t dpkg_var_lib_t:dir rw_dir_perms;
files_var_lib_filetrans(dpkg_t,dpkg_var_lib_t,dir)

kernel_read_system_state(dpkg_t)
kernel_read_kernel_sysctls(dpkg_t)

corecmd_exec_bin(dpkg_t)
corecmd_exec_sbin(dpkg_t)

# TODO: do we really need all networking?
corenet_tcp_sendrecv_all_if(dpkg_t)
corenet_raw_sendrecv_all_if(dpkg_t)
corenet_udp_sendrecv_all_if(dpkg_t)
corenet_tcp_sendrecv_all_nodes(dpkg_t)
corenet_raw_sendrecv_all_nodes(dpkg_t)
corenet_udp_sendrecv_all_nodes(dpkg_t)
corenet_tcp_sendrecv_all_ports(dpkg_t)
corenet_udp_sendrecv_all_ports(dpkg_t)
corenet_non_ipsec_sendrecv(dpkg_t)
corenet_tcp_bind_all_nodes(dpkg_t)
corenet_udp_bind_all_nodes(dpkg_t)
corenet_tcp_connect_all_ports(dpkg_t)

dev_list_sysfs(dpkg_t)
dev_list_usbfs(dpkg_t)
dev_read_urand(dpkg_t)
#devices_manage_all_device_types(dpkg_t)

domain_exec_all_entry_files(dpkg_t)
domain_read_all_domains_state(dpkg_t)
domain_getattr_all_domains(dpkg_t)
domain_dontaudit_ptrace_all_domains(dpkg_t)
domain_use_interactive_fds(dpkg_t)
domain_dontaudit_getattr_all_pipes(dpkg_t)
domain_dontaudit_getattr_all_tcp_sockets(dpkg_t)
domain_dontaudit_getattr_all_udp_sockets(dpkg_t)
domain_dontaudit_getattr_all_packet_sockets(dpkg_t)
domain_dontaudit_getattr_all_raw_sockets(dpkg_t)
domain_dontaudit_getattr_all_stream_sockets(dpkg_t)
domain_dontaudit_getattr_all_dgram_sockets(dpkg_t)

fs_manage_nfs_dirs(dpkg_t)
fs_manage_nfs_files(dpkg_t)
fs_manage_nfs_symlinks(dpkg_t)
fs_getattr_all_fs(dpkg_t)
fs_search_auto_mountpoints(dpkg_t)

mls_file_read_up(dpkg_t)
mls_file_write_down(dpkg_t)
mls_file_upgrade(dpkg_t)

selinux_get_fs_mount(dpkg_t)
selinux_validate_context(dpkg_t)
selinux_compute_access_vector(dpkg_t)
selinux_compute_create_context(dpkg_t)
selinux_compute_relabel_context(dpkg_t)
selinux_compute_user_contexts(dpkg_t)

storage_raw_write_fixed_disk(dpkg_t)
# for installing kernel packages
storage_raw_read_fixed_disk(dpkg_t)

term_list_ptys(dpkg_t)

auth_relabel_all_files_except_shadow(dpkg_t)
auth_manage_all_files_except_shadow(dpkg_t)
auth_dontaudit_read_shadow(dpkg_t)

files_exec_etc_files(dpkg_t)

init_domtrans_script(dpkg_t)

libs_use_ld_so(dpkg_t)
libs_use_shared_libs(dpkg_t)
libs_exec_ld_so(dpkg_t)
libs_exec_lib_files(dpkg_t)
libs_domtrans_ldconfig(dpkg_t)

logging_send_syslog_msg(dpkg_t)

# allow compiling and loading new policy
seutil_manage_src_policy(dpkg_t)
seutil_manage_bin_policy(dpkg_t)

sysnet_read_config(dpkg_t)

userdom_use_unpriv_users_fds(dpkg_t)

# transition to dpkg script:
dpkg_domtrans_script(dpkg_t)
# since the scripts aren't labeled correctly yet...
allow dpkg_t dpkg_var_lib_t:file execute;

ifdef(`targeted_policy',`
	unconfined_domain(dpkg_t)
')

# TODO: allow?
#optional_policy(`cron',`
#	cron_system_entry(dpkg_t,dpkg_exec_t)
#')

optional_policy(`mount',`
	mount_send_nfs_client_request(dpkg_t)
')

optional_policy(`nis',`
	nis_use_ypbind(dpkg_t)
')

# TODO: the following was copied from dpkg_script_t, and could probably
# be removed again when dpkg_script_t is actually used...
domain_signal_all_domains(dpkg_t)
domain_signull_all_domains(dpkg_t)
files_read_etc_runtime_files(dpkg_t)
files_exec_usr_files(dpkg_t)
miscfiles_read_localization(dpkg_t)
modutils_domtrans_depmod(dpkg_t)
modutils_domtrans_insmod(dpkg_t)
seutil_domtrans_loadpolicy(dpkg_t)
seutil_domtrans_restorecon(dpkg_t)
userdom_use_all_users_fds(dpkg_t)
optional_policy(`mta',`
	mta_send_mail(dpkg_t)
')
optional_policy(`usermanage',`
	usermanage_domtrans_groupadd(dpkg_t)
	usermanage_domtrans_useradd(dpkg_t)
')

########################################
#
# dpkg-script Local policy
#
# TODO: actually use dpkg_script_t

allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow dpkg_script_t self:fd use;
allow dpkg_script_t self:fifo_file rw_file_perms;
allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
allow dpkg_script_t self:unix_stream_socket rw_stream_socket_perms;
allow dpkg_script_t self:unix_dgram_socket sendto;
allow dpkg_script_t self:unix_stream_socket connectto;
allow dpkg_script_t self:shm create_shm_perms;
allow dpkg_script_t self:sem create_sem_perms;
allow dpkg_script_t self:msgq create_msgq_perms;
allow dpkg_script_t self:msg { send receive };

allow dpkg_script_t dpkg_tmp_t:file r_file_perms;

allow dpkg_script_t dpkg_script_tmp_t:dir { manage_dir_perms mounton };
allow dpkg_script_t dpkg_script_tmp_t:file manage_file_perms;
files_tmp_filetrans(dpkg_script_t, dpkg_script_tmp_t, { file dir })

allow dpkg_script_t dpkg_script_tmpfs_t:dir manage_dir_perms;
allow dpkg_script_t dpkg_script_tmpfs_t:file manage_file_perms;
allow dpkg_script_t dpkg_script_tmpfs_t:lnk_file create_lnk_perms;
allow dpkg_script_t dpkg_script_tmpfs_t:sock_file manage_file_perms;
allow dpkg_script_t dpkg_script_tmpfs_t:fifo_file manage_file_perms;
fs_tmpfs_filetrans(dpkg_script_t,dpkg_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })

kernel_read_kernel_sysctls(dpkg_script_t)
kernel_read_system_state(dpkg_script_t)

corecmd_exec_bin(dpkg_script_t)
corecmd_exec_sbin(dpkg_script_t)

dev_list_sysfs(dpkg_script_t)
# ideally we would not need this
dev_manage_generic_blk_files(dpkg_script_t)
dev_manage_generic_chr_files(dpkg_script_t)
dev_manage_all_blk_files(dpkg_script_t)
dev_manage_all_chr_files(dpkg_script_t)

domain_read_all_domains_state(dpkg_script_t)
domain_getattr_all_domains(dpkg_script_t)
domain_dontaudit_ptrace_all_domains(dpkg_script_t)
domain_use_interactive_fds(dpkg_script_t)
domain_exec_all_entry_files(dpkg_script_t)
domain_signal_all_domains(dpkg_script_t)
domain_signull_all_domains(dpkg_script_t)

files_exec_etc_files(dpkg_script_t)
files_read_etc_runtime_files(dpkg_script_t)
files_exec_usr_files(dpkg_script_t)

fs_manage_nfs_files(dpkg_script_t)
fs_getattr_nfs(dpkg_script_t)
# why is this not using mount?
fs_getattr_xattr_fs(dpkg_script_t)
fs_mount_xattr_fs(dpkg_script_t)
fs_unmount_xattr_fs(dpkg_script_t)
fs_search_auto_mountpoints(dpkg_script_t)

mls_file_read_up(dpkg_script_t)
mls_file_write_down(dpkg_script_t)

selinux_get_fs_mount(dpkg_script_t)
selinux_validate_context(dpkg_script_t)
selinux_compute_access_vector(dpkg_script_t)
selinux_compute_create_context(dpkg_script_t)
selinux_compute_relabel_context(dpkg_script_t)
selinux_compute_user_contexts(dpkg_script_t)

storage_raw_read_fixed_disk(dpkg_script_t)
storage_raw_write_fixed_disk(dpkg_script_t)

term_getattr_unallocated_ttys(dpkg_script_t)
term_list_ptys(dpkg_script_t)
term_use_all_terms(dpkg_script_t)

auth_dontaudit_getattr_shadow(dpkg_script_t)
# ideally we would not need this
auth_manage_all_files_except_shadow(dpkg_script_t)

init_domtrans_script(dpkg_script_t)

libs_use_ld_so(dpkg_script_t)
libs_use_shared_libs(dpkg_script_t)
libs_exec_ld_so(dpkg_script_t)
libs_exec_lib_files(dpkg_script_t)
libs_domtrans_ldconfig(dpkg_script_t)

logging_send_syslog_msg(dpkg_script_t)

miscfiles_read_localization(dpkg_script_t)

modutils_domtrans_depmod(dpkg_script_t)
modutils_domtrans_insmod(dpkg_script_t)

seutil_domtrans_loadpolicy(dpkg_script_t)
seutil_domtrans_restorecon(dpkg_script_t)

userdom_use_all_users_fds(dpkg_script_t)

ifdef(`distro_redhat',`
	unconfined_domain(dpkg_script_t)
')

ifdef(`targeted_policy',`
	unconfined_domain(dpkg_script_t)
',`
	optional_policy(`bootloader',`
		bootloader_domtrans(dpkg_script_t)
	')
')

tunable_policy(`allow_execmem',`
	allow dpkg_script_t self:process execmem;
')

optional_policy(`mta',`
	mta_send_mail(dpkg_script_t)
')

optional_policy(`nis',`
	nis_use_ypbind(dpkg_script_t)
')

optional_policy(`usermanage',`
	usermanage_domtrans_groupadd(dpkg_script_t)
	usermanage_domtrans_useradd(dpkg_script_t)
')
Commit	Line	Data
0c54fcf8 CP	1
	2	policy_module(dpkg,1.0.0)
	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	type dpkg_t;
	10	type dpkg_exec_t;
	11	# dpkg can start/stop services
	12	init_system_domain(dpkg_t,dpkg_exec_t)
	13	# dpkg can change file labels, roles, IO
	14	domain_obj_id_change_exemption(dpkg_t)
	15	domain_role_change_exemption(dpkg_t)
	16	domain_system_change_exemption(dpkg_t)
	17	domain_interactive_fd(dpkg_t)
	18	role system_r types dpkg_t;
	19
	20	# lockfile
	21	type dpkg_lock_t;
	22	files_type(dpkg_lock_t)
	23
	24	type dpkg_tmp_t;
	25	files_tmp_file(dpkg_tmp_t)
	26
	27	type dpkg_tmpfs_t;
	28	files_tmpfs_file(dpkg_tmpfs_t)
	29
	30	# status files
	31	type dpkg_var_lib_t alias var_lib_dpkg_t;
	32	files_type(dpkg_var_lib_t)
	33
	34	# package scripts
	35	type dpkg_script_t;
	36	domain_type(dpkg_script_t)
	37	domain_entry_file(dpkg_t, dpkg_var_lib_t)
	38	corecmd_shell_entry_type(dpkg_script_t)
	39	domain_obj_id_change_exemption(dpkg_script_t)
	40	domain_system_change_exemption(dpkg_script_t)
	41	domain_interactive_fd(dpkg_script_t)
	42	role system_r types dpkg_script_t;
	43
	44	type dpkg_script_tmp_t;
	45	files_tmp_file(dpkg_script_tmp_t)
	46
	47	type dpkg_script_tmpfs_t;
	48	files_tmpfs_file(dpkg_script_tmpfs_t)
	49
	50	########################################
	51	#
	52	# dpkg Local policy
	53	#
	54
	55	allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
	56	allow dpkg_t self:process { setpgid fork getsched setfscreate };
	57	allow dpkg_t self:fd use;
	58	allow dpkg_t self:fifo_file rw_file_perms;
	59	allow dpkg_t self:unix_dgram_socket create_socket_perms;
	60	allow dpkg_t self:unix_stream_socket rw_stream_socket_perms;
	61	allow dpkg_t self:unix_dgram_socket sendto;
	62	allow dpkg_t self:unix_stream_socket connectto;
	63	allow dpkg_t self:udp_socket { connect create_socket_perms };
	64	allow dpkg_t self:tcp_socket create_stream_socket_perms;
65	allow dpkg_t self:shm create_shm_perms;
66	allow dpkg_t self:sem create_sem_perms;
67	allow dpkg_t self:msgq create_msgq_perms;
68	allow dpkg_t self:msg { send receive };
69
70	allow dpkg_t dpkg_lock_t:file manage_file_perms;
71
72	allow dpkg_t dpkg_tmp_t:dir manage_dir_perms;
73	allow dpkg_t dpkg_tmp_t:file manage_file_perms;
74	files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir })
75
76	allow dpkg_t dpkg_tmpfs_t:dir manage_dir_perms;
77	allow dpkg_t dpkg_tmpfs_t:file manage_file_perms;
78	allow dpkg_t dpkg_tmpfs_t:lnk_file manage_file_perms;
79	allow dpkg_t dpkg_tmpfs_t:sock_file manage_file_perms;
80	allow dpkg_t dpkg_tmpfs_t:fifo_file manage_file_perms;
81	fs_tmpfs_filetrans(dpkg_t,dpkg_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
82
83	# Access /var/lib/dpkg files
84	allow dpkg_t dpkg_var_lib_t:file manage_file_perms;
85	allow dpkg_t dpkg_var_lib_t:dir rw_dir_perms;
86	files_var_lib_filetrans(dpkg_t,dpkg_var_lib_t,dir)
87
88	kernel_read_system_state(dpkg_t)
89	kernel_read_kernel_sysctls(dpkg_t)
90
91	corecmd_exec_bin(dpkg_t)
92	corecmd_exec_sbin(dpkg_t)
93
94	# TODO: do we really need all networking?
95	corenet_tcp_sendrecv_all_if(dpkg_t)
96	corenet_raw_sendrecv_all_if(dpkg_t)
97	corenet_udp_sendrecv_all_if(dpkg_t)
98	corenet_tcp_sendrecv_all_nodes(dpkg_t)
99	corenet_raw_sendrecv_all_nodes(dpkg_t)
100	corenet_udp_sendrecv_all_nodes(dpkg_t)
101	corenet_tcp_sendrecv_all_ports(dpkg_t)
102	corenet_udp_sendrecv_all_ports(dpkg_t)
103	corenet_non_ipsec_sendrecv(dpkg_t)
104	corenet_tcp_bind_all_nodes(dpkg_t)
105	corenet_udp_bind_all_nodes(dpkg_t)
106	corenet_tcp_connect_all_ports(dpkg_t)
107
108	dev_list_sysfs(dpkg_t)
109	dev_list_usbfs(dpkg_t)
110	dev_read_urand(dpkg_t)
111	#devices_manage_all_device_types(dpkg_t)
112
113	domain_exec_all_entry_files(dpkg_t)
114	domain_read_all_domains_state(dpkg_t)
115	domain_getattr_all_domains(dpkg_t)
116	domain_dontaudit_ptrace_all_domains(dpkg_t)
117	domain_use_interactive_fds(dpkg_t)
118	domain_dontaudit_getattr_all_pipes(dpkg_t)
119	domain_dontaudit_getattr_all_tcp_sockets(dpkg_t)
120	domain_dontaudit_getattr_all_udp_sockets(dpkg_t)
121	domain_dontaudit_getattr_all_packet_sockets(dpkg_t)
122	domain_dontaudit_getattr_all_raw_sockets(dpkg_t)
123	domain_dontaudit_getattr_all_stream_sockets(dpkg_t)
124	domain_dontaudit_getattr_all_dgram_sockets(dpkg_t)
125
126	fs_manage_nfs_dirs(dpkg_t)
127	fs_manage_nfs_files(dpkg_t)
128	fs_manage_nfs_symlinks(dpkg_t)
129	fs_getattr_all_fs(dpkg_t)
130	fs_search_auto_mountpoints(dpkg_t)
131
132	mls_file_read_up(dpkg_t)
133	mls_file_write_down(dpkg_t)
134	mls_file_upgrade(dpkg_t)
135
136	selinux_get_fs_mount(dpkg_t)
137	selinux_validate_context(dpkg_t)
138	selinux_compute_access_vector(dpkg_t)
139	selinux_compute_create_context(dpkg_t)
140	selinux_compute_relabel_context(dpkg_t)
141	selinux_compute_user_contexts(dpkg_t)
142
143	storage_raw_write_fixed_disk(dpkg_t)
144	# for installing kernel packages
145	storage_raw_read_fixed_disk(dpkg_t)
146
147	term_list_ptys(dpkg_t)
148
149	auth_relabel_all_files_except_shadow(dpkg_t)
150	auth_manage_all_files_except_shadow(dpkg_t)
151	auth_dontaudit_read_shadow(dpkg_t)
152
153	files_exec_etc_files(dpkg_t)
154
155	init_domtrans_script(dpkg_t)
156
157	libs_use_ld_so(dpkg_t)
158	libs_use_shared_libs(dpkg_t)
159	libs_exec_ld_so(dpkg_t)
160	libs_exec_lib_files(dpkg_t)
161	libs_domtrans_ldconfig(dpkg_t)
162
163	logging_send_syslog_msg(dpkg_t)
164
165	# allow compiling and loading new policy
166	seutil_manage_src_policy(dpkg_t)
167	seutil_manage_bin_policy(dpkg_t)
168
169	sysnet_read_config(dpkg_t)
170
171	userdom_use_unpriv_users_fds(dpkg_t)
172
173	# transition to dpkg script:
174	dpkg_domtrans_script(dpkg_t)
175	# since the scripts aren't labeled correctly yet...
176	allow dpkg_t dpkg_var_lib_t:file execute;
177
178	ifdef(`targeted_policy',`
179	unconfined_domain(dpkg_t)
180	')
181
182	# TODO: allow?
183	#optional_policy(`cron',`
184	# cron_system_entry(dpkg_t,dpkg_exec_t)
185	#')
186
187	optional_policy(`mount',`
188	mount_send_nfs_client_request(dpkg_t)
189	')
190
191	optional_policy(`nis',`
192	nis_use_ypbind(dpkg_t)
193	')
194
195	# TODO: the following was copied from dpkg_script_t, and could probably
196	# be removed again when dpkg_script_t is actually used...
197	domain_signal_all_domains(dpkg_t)
198	domain_signull_all_domains(dpkg_t)
199	files_read_etc_runtime_files(dpkg_t)
200	files_exec_usr_files(dpkg_t)
201	miscfiles_read_localization(dpkg_t)
202	modutils_domtrans_depmod(dpkg_t)
203	modutils_domtrans_insmod(dpkg_t)
204	seutil_domtrans_loadpolicy(dpkg_t)
205	seutil_domtrans_restorecon(dpkg_t)
206	userdom_use_all_users_fds(dpkg_t)
207	optional_policy(`mta',`
208	mta_send_mail(dpkg_t)
209	')
210	optional_policy(`usermanage',`
211	usermanage_domtrans_groupadd(dpkg_t)
212	usermanage_domtrans_useradd(dpkg_t)
213	')
214
215	########################################
216	#
217	# dpkg-script Local policy
218	#
219	# TODO: actually use dpkg_script_t
220
221	allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
222	allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
223	allow dpkg_script_t self:fd use;
224	allow dpkg_script_t self:fifo_file rw_file_perms;
225	allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
226	allow dpkg_script_t self:unix_stream_socket rw_stream_socket_perms;
227	allow dpkg_script_t self:unix_dgram_socket sendto;
228	allow dpkg_script_t self:unix_stream_socket connectto;
229	allow dpkg_script_t self:shm create_shm_perms;
230	allow dpkg_script_t self:sem create_sem_perms;
231	allow dpkg_script_t self:msgq create_msgq_perms;
232	allow dpkg_script_t self:msg { send receive };
233
234	allow dpkg_script_t dpkg_tmp_t:file r_file_perms;
235
236	allow dpkg_script_t dpkg_script_tmp_t:dir { manage_dir_perms mounton };
237	allow dpkg_script_t dpkg_script_tmp_t:file manage_file_perms;
238	files_tmp_filetrans(dpkg_script_t, dpkg_script_tmp_t, { file dir })
239
240	allow dpkg_script_t dpkg_script_tmpfs_t:dir manage_dir_perms;
241	allow dpkg_script_t dpkg_script_tmpfs_t:file manage_file_perms;
242	allow dpkg_script_t dpkg_script_tmpfs_t:lnk_file create_lnk_perms;
243	allow dpkg_script_t dpkg_script_tmpfs_t:sock_file manage_file_perms;
244	allow dpkg_script_t dpkg_script_tmpfs_t:fifo_file manage_file_perms;
245	fs_tmpfs_filetrans(dpkg_script_t,dpkg_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
246
247	kernel_read_kernel_sysctls(dpkg_script_t)
248	kernel_read_system_state(dpkg_script_t)
249
250	corecmd_exec_bin(dpkg_script_t)
251	corecmd_exec_sbin(dpkg_script_t)
252
253	dev_list_sysfs(dpkg_script_t)
254	# ideally we would not need this
255	dev_manage_generic_blk_files(dpkg_script_t)
256	dev_manage_generic_chr_files(dpkg_script_t)
257	dev_manage_all_blk_files(dpkg_script_t)
258	dev_manage_all_chr_files(dpkg_script_t)
259
260	domain_read_all_domains_state(dpkg_script_t)
261	domain_getattr_all_domains(dpkg_script_t)
262	domain_dontaudit_ptrace_all_domains(dpkg_script_t)
263	domain_use_interactive_fds(dpkg_script_t)
264	domain_exec_all_entry_files(dpkg_script_t)
265	domain_signal_all_domains(dpkg_script_t)
266	domain_signull_all_domains(dpkg_script_t)
267
268	files_exec_etc_files(dpkg_script_t)
269	files_read_etc_runtime_files(dpkg_script_t)
270	files_exec_usr_files(dpkg_script_t)
271
272	fs_manage_nfs_files(dpkg_script_t)
273	fs_getattr_nfs(dpkg_script_t)
274	# why is this not using mount?
275	fs_getattr_xattr_fs(dpkg_script_t)
276	fs_mount_xattr_fs(dpkg_script_t)
277	fs_unmount_xattr_fs(dpkg_script_t)
278	fs_search_auto_mountpoints(dpkg_script_t)
279
280	mls_file_read_up(dpkg_script_t)
281	mls_file_write_down(dpkg_script_t)
282
283	selinux_get_fs_mount(dpkg_script_t)
284	selinux_validate_context(dpkg_script_t)
285	selinux_compute_access_vector(dpkg_script_t)
286	selinux_compute_create_context(dpkg_script_t)
287	selinux_compute_relabel_context(dpkg_script_t)
288	selinux_compute_user_contexts(dpkg_script_t)
289
290	storage_raw_read_fixed_disk(dpkg_script_t)
291	storage_raw_write_fixed_disk(dpkg_script_t)
292
293	term_getattr_unallocated_ttys(dpkg_script_t)
294	term_list_ptys(dpkg_script_t)
295	term_use_all_terms(dpkg_script_t)
296
297	auth_dontaudit_getattr_shadow(dpkg_script_t)
298	# ideally we would not need this
299	auth_manage_all_files_except_shadow(dpkg_script_t)
300
301	init_domtrans_script(dpkg_script_t)
302
303	libs_use_ld_so(dpkg_script_t)
304	libs_use_shared_libs(dpkg_script_t)
305	libs_exec_ld_so(dpkg_script_t)
306	libs_exec_lib_files(dpkg_script_t)
307	libs_domtrans_ldconfig(dpkg_script_t)
308
309	logging_send_syslog_msg(dpkg_script_t)
310
311	miscfiles_read_localization(dpkg_script_t)
312
313	modutils_domtrans_depmod(dpkg_script_t)
314	modutils_domtrans_insmod(dpkg_script_t)
315
316	seutil_domtrans_loadpolicy(dpkg_script_t)
317	seutil_domtrans_restorecon(dpkg_script_t)
318
319	userdom_use_all_users_fds(dpkg_script_t)
320
321	ifdef(`distro_redhat',`
322	unconfined_domain(dpkg_script_t)
323	')
324
325	ifdef(`targeted_policy',`
326	unconfined_domain(dpkg_script_t)
327	',`
328	optional_policy(`bootloader',`
329	bootloader_domtrans(dpkg_script_t)
330	')
331	')
332
333	tunable_policy(`allow_execmem',`
334	allow dpkg_script_t self:process execmem;
335	')
336
337	optional_policy(`mta',`
338	mta_send_mail(dpkg_script_t)
339	')
340
341	optional_policy(`nis',`
342	nis_use_ypbind(dpkg_script_t)
343	')
344
345	optional_policy(`usermanage',`
346	usermanage_domtrans_groupadd(dpkg_script_t)
347	usermanage_domtrans_useradd(dpkg_script_t)
348	')