# SELinux reference-policy module for dpkg (the Debian package manager)
# and the package maintainer scripts it runs.
#
# Two domains are declared: dpkg_t for the package manager itself and
# dpkg_script_t for maintainer scripts.  Both are given very broad
# access (see the "Local policy" sections); dpkg_script_t is declared
# but, per the TODOs below, not yet used in practice.
policy_module(dpkg,1.0.0)

########################################
#
# Declarations
#

# dpkg_t is the process domain; dpkg_exec_t labels the executable that
# enters it.
type dpkg_t;
type dpkg_exec_t;
# dpkg can start/stop services
# init_system_domain: dpkg_t is set up as a system domain entered via
# dpkg_exec_t (per the interface name; definition lives outside this file).
init_system_domain(dpkg_t,dpkg_exec_t)
# dpkg can change file labels, roles, IO
# These exemptions lift the policy-wide constraints on changing object
# identity (user/role/type), on role changes and on system changes for
# dpkg_t; together with role system_r this is the shape of a privileged
# administration tool, not a confined service.
domain_obj_id_change_exemption(dpkg_t)
domain_role_change_exemption(dpkg_t)
domain_system_change_exemption(dpkg_t)
domain_interactive_fd(dpkg_t)
role system_r types dpkg_t;

# lockfile
type dpkg_lock_t;
files_type(dpkg_lock_t)

# scratch files created by dpkg_t in /tmp and on tmpfs
type dpkg_tmp_t;
files_tmp_file(dpkg_tmp_t)

type dpkg_tmpfs_t;
files_tmpfs_file(dpkg_tmpfs_t)

# status files
# The alias keeps the older name var_lib_dpkg_t resolvable for existing
# file contexts and other modules.
type dpkg_var_lib_t alias var_lib_dpkg_t;
files_type(dpkg_var_lib_t)

# package scripts
# dpkg_script_t is a separate domain for maintainer scripts, entered
# through a shell (corecmd_shell_entry_type).  It gets the same
# object-id and system-change exemptions as dpkg_t.
type dpkg_script_t;
domain_type(dpkg_script_t)
# NOTE(review): this makes dpkg_var_lib_t an entry-point type for dpkg_t,
# not for dpkg_script_t, even though it sits in the package-script block
# and the scripts are meant to run in dpkg_script_t — confirm whether
# dpkg_script_t was intended here.
domain_entry_file(dpkg_t, dpkg_var_lib_t)
corecmd_shell_entry_type(dpkg_script_t)
domain_obj_id_change_exemption(dpkg_script_t)
domain_system_change_exemption(dpkg_script_t)
domain_interactive_fd(dpkg_script_t)
role system_r types dpkg_script_t;

# scratch files created by dpkg_script_t in /tmp and on tmpfs
type dpkg_script_tmp_t;
files_tmp_file(dpkg_script_tmp_t)

type dpkg_script_tmpfs_t;
files_tmpfs_file(dpkg_script_tmpfs_t)

########################################
#
# dpkg Local policy
#

# Process capabilities dpkg_t may exercise: ownership/mode changes
# (chown, fowner, fsetid, dac_override), uid/gid changes, mknod,
# immutable-flag changes, and the sys_* resource/tty/nice controls.
allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
# setfscreate lets dpkg_t choose the label of files it creates.
allow dpkg_t self:process { setpgid fork getsched setfscreate };
allow dpkg_t self:fd use;
allow dpkg_t self:fifo_file rw_file_perms;
allow dpkg_t self:unix_dgram_socket create_socket_perms;
allow dpkg_t self:unix_stream_socket rw_stream_socket_perms;
allow dpkg_t self:unix_dgram_socket sendto;
allow dpkg_t self:unix_stream_socket connectto;
allow dpkg_t self:udp_socket { connect create_socket_perms };
allow dpkg_t self:tcp_socket create_stream_socket_perms;
allow dpkg_t self:shm create_shm_perms;
allow dpkg_t self:sem create_sem_perms;
allow dpkg_t self:msgq create_msgq_perms;
allow dpkg_t self:msg { send receive };

# dpkg lock file
allow dpkg_t dpkg_lock_t:file manage_file_perms;

# /tmp scratch space; new files and dirs created there get dpkg_tmp_t
allow dpkg_t dpkg_tmp_t:dir manage_dir_perms;
allow dpkg_t dpkg_tmp_t:file manage_file_perms;
files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir })

# tmpfs scratch space, all object classes transition to dpkg_tmpfs_t
allow dpkg_t dpkg_tmpfs_t:dir manage_dir_perms;
allow dpkg_t dpkg_tmpfs_t:file manage_file_perms;
allow dpkg_t dpkg_tmpfs_t:lnk_file manage_file_perms;
allow dpkg_t dpkg_tmpfs_t:sock_file manage_file_perms;
allow dpkg_t dpkg_tmpfs_t:fifo_file manage_file_perms;
fs_tmpfs_filetrans(dpkg_t,dpkg_tmpfs_t,{ dir file lnk_file sock_file fifo_file })

# Access /var/lib/dpkg files
allow dpkg_t dpkg_var_lib_t:file manage_file_perms;
allow dpkg_t dpkg_var_lib_t:dir rw_dir_perms;
files_var_lib_filetrans(dpkg_t,dpkg_var_lib_t,dir)

kernel_read_system_state(dpkg_t)
kernel_read_kernel_sysctls(dpkg_t)

corecmd_exec_bin(dpkg_t)
corecmd_exec_sbin(dpkg_t)

# TODO: do we really need all networking?
# The block below grants send/receive on all interfaces, nodes and
# ports, bind on all nodes and connect to all TCP ports — effectively
# unrestricted networking for dpkg_t.  dpkg itself does not fetch
# packages (that is the front end's job), so this is a candidate for
# tightening; hedged because the calling front ends are not visible here.
corenet_tcp_sendrecv_all_if(dpkg_t)
corenet_raw_sendrecv_all_if(dpkg_t)
corenet_udp_sendrecv_all_if(dpkg_t)
corenet_tcp_sendrecv_all_nodes(dpkg_t)
corenet_raw_sendrecv_all_nodes(dpkg_t)
corenet_udp_sendrecv_all_nodes(dpkg_t)
corenet_tcp_sendrecv_all_ports(dpkg_t)
corenet_udp_sendrecv_all_ports(dpkg_t)
corenet_non_ipsec_sendrecv(dpkg_t)
corenet_tcp_bind_all_nodes(dpkg_t)
corenet_udp_bind_all_nodes(dpkg_t)
corenet_tcp_connect_all_ports(dpkg_t)

dev_list_sysfs(dpkg_t)
dev_list_usbfs(dpkg_t)
dev_read_urand(dpkg_t)
#devices_manage_all_device_types(dpkg_t)

# Wide read/exec access to other domains; ptrace and socket/pipe
# getattr are only dontaudited, not allowed.
domain_exec_all_entry_files(dpkg_t)
domain_read_all_domains_state(dpkg_t)
domain_getattr_all_domains(dpkg_t)
domain_dontaudit_ptrace_all_domains(dpkg_t)
domain_use_interactive_fds(dpkg_t)
domain_dontaudit_getattr_all_pipes(dpkg_t)
domain_dontaudit_getattr_all_tcp_sockets(dpkg_t)
domain_dontaudit_getattr_all_udp_sockets(dpkg_t)
domain_dontaudit_getattr_all_packet_sockets(dpkg_t)
domain_dontaudit_getattr_all_raw_sockets(dpkg_t)
domain_dontaudit_getattr_all_stream_sockets(dpkg_t)
domain_dontaudit_getattr_all_dgram_sockets(dpkg_t)

# NFS-backed filesystems (e.g. a network-mounted root or /usr)
fs_manage_nfs_dirs(dpkg_t)
fs_manage_nfs_files(dpkg_t)
fs_manage_nfs_symlinks(dpkg_t)
fs_getattr_all_fs(dpkg_t)
fs_search_auto_mountpoints(dpkg_t)

# MLS: dpkg_t may read up, write down and upgrade file levels, i.e. it
# is exempt from the usual MLS confinement on files.
mls_file_read_up(dpkg_t)
mls_file_write_down(dpkg_t)
mls_file_upgrade(dpkg_t)

# Queries against the security server (label validation, access and
# create/relabel context computation) used when labeling unpacked files.
selinux_get_fs_mount(dpkg_t)
selinux_validate_context(dpkg_t)
selinux_compute_access_vector(dpkg_t)
selinux_compute_create_context(dpkg_t)
selinux_compute_relabel_context(dpkg_t)
selinux_compute_user_contexts(dpkg_t)

# Raw write access to fixed disks bypasses filesystem labeling entirely;
# any compromise of dpkg_t is therefore equivalent to full disk access.
storage_raw_write_fixed_disk(dpkg_t)
# for installing kernel packages
storage_raw_read_fixed_disk(dpkg_t)

term_list_ptys(dpkg_t)

# Manage and relabel every file type on the system except the shadow
# file (which is only dontaudited).  This is the core privilege dpkg
# needs to unpack packages, and also the one that makes dpkg_t
# near-equivalent to root.
auth_relabel_all_files_except_shadow(dpkg_t)
auth_manage_all_files_except_shadow(dpkg_t)
auth_dontaudit_read_shadow(dpkg_t)

files_exec_etc_files(dpkg_t)

# run init scripts (service start/stop from maintainer scripts)
init_domtrans_script(dpkg_t)

libs_use_ld_so(dpkg_t)
libs_use_shared_libs(dpkg_t)
libs_exec_ld_so(dpkg_t)
libs_exec_lib_files(dpkg_t)
libs_domtrans_ldconfig(dpkg_t)

logging_send_syslog_msg(dpkg_t)

# allow compiling and loading new policy
# Together with seutil_domtrans_loadpolicy below, dpkg_t can rewrite
# both policy sources and the binary policy and then load it — i.e. it
# can change the policy that confines it.
seutil_manage_src_policy(dpkg_t)
seutil_manage_bin_policy(dpkg_t)

sysnet_read_config(dpkg_t)

userdom_use_unpriv_users_fds(dpkg_t)

# transition to dpkg script:
# dpkg_domtrans_script is defined in the module's interface file (not
# shown here); it is expected to move maintainer scripts into
# dpkg_script_t.
dpkg_domtrans_script(dpkg_t)
# since the scripts aren't labeled correctly yet...
# NOTE(review): this lets dpkg_t execute files labeled dpkg_var_lib_t
# without a domain transition, so scripts stored there run with the
# full dpkg_t privilege set above rather than in dpkg_script_t.
allow dpkg_t dpkg_var_lib_t:file execute;

# Under targeted policy dpkg_t is fully unconfined; everything above
# only matters for strict/MLS builds.
ifdef(`targeted_policy',`
	unconfined_domain(dpkg_t)
')

# TODO: allow?
#optional_policy(`cron',`
#	cron_system_entry(dpkg_t,dpkg_exec_t)
#')

optional_policy(`mount',`
	mount_send_nfs_client_request(dpkg_t)
')

optional_policy(`nis',`
	nis_use_ypbind(dpkg_t)
')

# TODO: the following was copied from dpkg_script_t, and could probably
# be removed again when dpkg_script_t is actually used...
# Until then dpkg_t carries the script privileges too: signalling every
# domain, running depmod/insmod, load_policy, restorecon, and the
# useradd/groupadd transitions.
domain_signal_all_domains(dpkg_t)
domain_signull_all_domains(dpkg_t)
files_read_etc_runtime_files(dpkg_t)
files_exec_usr_files(dpkg_t)
miscfiles_read_localization(dpkg_t)
modutils_domtrans_depmod(dpkg_t)
modutils_domtrans_insmod(dpkg_t)
seutil_domtrans_loadpolicy(dpkg_t)
seutil_domtrans_restorecon(dpkg_t)
userdom_use_all_users_fds(dpkg_t)
optional_policy(`mta',`
	mta_send_mail(dpkg_t)
')
optional_policy(`usermanage',`
	usermanage_domtrans_groupadd(dpkg_t)
	usermanage_domtrans_useradd(dpkg_t)
')

########################################
#
# dpkg-script Local policy
#
# TODO: actually use dpkg_script_t

# Capabilities for maintainer scripts; note dac_read_search, sys_chroot
# and ipc_lock on top of the dpkg_t set.
allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
# The ~{ ... } form is a complement: every process permission EXCEPT
# the listed ones.  execmem is re-added below under the allow_execmem
# tunable.
allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow dpkg_script_t self:fd use;
allow dpkg_script_t self:fifo_file rw_file_perms;
allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
allow dpkg_script_t self:unix_stream_socket rw_stream_socket_perms;
allow dpkg_script_t self:unix_dgram_socket sendto;
allow dpkg_script_t self:unix_stream_socket connectto;
allow dpkg_script_t self:shm create_shm_perms;
allow dpkg_script_t self:sem create_sem_perms;
allow dpkg_script_t self:msgq create_msgq_perms;
allow dpkg_script_t self:msg { send receive };

# scripts may read, but not modify, dpkg's own temp files
allow dpkg_script_t dpkg_tmp_t:file r_file_perms;

# own /tmp scratch space; mounton allows mounting over the tmp dir
allow dpkg_script_t dpkg_script_tmp_t:dir { manage_dir_perms mounton };
allow dpkg_script_t dpkg_script_tmp_t:file manage_file_perms;
files_tmp_filetrans(dpkg_script_t, dpkg_script_tmp_t, { file dir })

# tmpfs scratch space (symlinks: create only, unlike the dpkg_t block)
allow dpkg_script_t dpkg_script_tmpfs_t:dir manage_dir_perms;
allow dpkg_script_t dpkg_script_tmpfs_t:file manage_file_perms;
allow dpkg_script_t dpkg_script_tmpfs_t:lnk_file create_lnk_perms;
allow dpkg_script_t dpkg_script_tmpfs_t:sock_file manage_file_perms;
allow dpkg_script_t dpkg_script_tmpfs_t:fifo_file manage_file_perms;
fs_tmpfs_filetrans(dpkg_script_t,dpkg_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })

kernel_read_kernel_sysctls(dpkg_script_t)
kernel_read_system_state(dpkg_script_t)

corecmd_exec_bin(dpkg_script_t)
corecmd_exec_sbin(dpkg_script_t)

dev_list_sysfs(dpkg_script_t)
# ideally we would not need this
# Manage (create/delete/write) every block and character device node,
# generic and specific — presumably for postinst scripts that create
# device nodes; this also covers raw disk devices.
dev_manage_generic_blk_files(dpkg_script_t)
dev_manage_generic_chr_files(dpkg_script_t)
dev_manage_all_blk_files(dpkg_script_t)
dev_manage_all_chr_files(dpkg_script_t)

# Unlike dpkg_t, the script domain is actually allowed to signal (and
# signull) every domain, e.g. for service restarts.
domain_read_all_domains_state(dpkg_script_t)
domain_getattr_all_domains(dpkg_script_t)
domain_dontaudit_ptrace_all_domains(dpkg_script_t)
domain_use_interactive_fds(dpkg_script_t)
domain_exec_all_entry_files(dpkg_script_t)
domain_signal_all_domains(dpkg_script_t)
domain_signull_all_domains(dpkg_script_t)

files_exec_etc_files(dpkg_script_t)
files_read_etc_runtime_files(dpkg_script_t)
files_exec_usr_files(dpkg_script_t)

fs_manage_nfs_files(dpkg_script_t)
fs_getattr_nfs(dpkg_script_t)
# why is this not using mount?
# Direct mount/unmount of xattr filesystems from the script domain
# instead of a transition to the mount domain.
fs_getattr_xattr_fs(dpkg_script_t)
fs_mount_xattr_fs(dpkg_script_t)
fs_unmount_xattr_fs(dpkg_script_t)
fs_search_auto_mountpoints(dpkg_script_t)

# MLS exemptions as for dpkg_t, minus mls_file_upgrade
mls_file_read_up(dpkg_script_t)
mls_file_write_down(dpkg_script_t)

selinux_get_fs_mount(dpkg_script_t)
selinux_validate_context(dpkg_script_t)
selinux_compute_access_vector(dpkg_script_t)
selinux_compute_create_context(dpkg_script_t)
selinux_compute_relabel_context(dpkg_script_t)
selinux_compute_user_contexts(dpkg_script_t)

# raw fixed-disk read/write, same caveat as for dpkg_t
storage_raw_read_fixed_disk(dpkg_script_t)
storage_raw_write_fixed_disk(dpkg_script_t)

term_getattr_unallocated_ttys(dpkg_script_t)
term_list_ptys(dpkg_script_t)
term_use_all_terms(dpkg_script_t)

auth_dontaudit_getattr_shadow(dpkg_script_t)
# ideally we would not need this
# Same blanket file-management privilege as dpkg_t (everything except
# shadow); note there is no relabel counterpart here.
auth_manage_all_files_except_shadow(dpkg_script_t)

init_domtrans_script(dpkg_script_t)

libs_use_ld_so(dpkg_script_t)
libs_use_shared_libs(dpkg_script_t)
libs_exec_ld_so(dpkg_script_t)
libs_exec_lib_files(dpkg_script_t)
libs_domtrans_ldconfig(dpkg_script_t)

logging_send_syslog_msg(dpkg_script_t)

miscfiles_read_localization(dpkg_script_t)

# kernel module handling from postinst scripts
modutils_domtrans_depmod(dpkg_script_t)
modutils_domtrans_insmod(dpkg_script_t)

# policy load and relabeling — scripts can change the active policy
seutil_domtrans_loadpolicy(dpkg_script_t)
seutil_domtrans_restorecon(dpkg_script_t)

userdom_use_all_users_fds(dpkg_script_t)

# On Red Hat distros and under targeted policy the script domain is
# unconfined outright; the bootloader transition is only granted in the
# non-targeted case.
ifdef(`distro_redhat',`
	unconfined_domain(dpkg_script_t)
')

ifdef(`targeted_policy',`
	unconfined_domain(dpkg_script_t)
',`
	optional_policy(`bootloader',`
		bootloader_domtrans(dpkg_script_t)
	')
')

# execmem was excluded from the self:process complement above; this
# tunable re-enables it for scripts that need it.
tunable_policy(`allow_execmem',`
	allow dpkg_script_t self:process execmem;
')

optional_policy(`mta',`
	mta_send_mail(dpkg_script_t)
')

optional_policy(`nis',`
	nis_use_ypbind(dpkg_script_t)
')

optional_policy(`usermanage',`
	usermanage_domtrans_groupadd(dpkg_script_t)
	usermanage_domtrans_useradd(dpkg_script_t)
')