# Reference-policy module declaration: module name "apt", module version 1.6.0.
policy_module(apt, 1.6.0)
2
3 ########################################
4 #
5 # Declarations
6 #
7
# apt_t is the domain apt runs in; apt_exec_t labels the executables that
# enter it. init_system_domain() registers apt_exec_t as the entry point
# for apt_t (in refpolicy it also associates the domain with system_r, so
# the explicit role line below is likely redundant — confirm in init.if).
type apt_t;
type apt_exec_t;
init_system_domain(apt_t, apt_exec_t)
# Exempts apt_t from the policy-wide restriction on changing system state
# (the exemption given to package managers). This is a broad grant: how far
# the domain can reach is then bounded only by the rules in this file.
domain_system_change_exemption(apt_t)
role system_r types apt_t;
13
# pseudo terminal for running dpkg: the pty apt_t creates for its dpkg child
# is labelled apt_devpts_t (see term_create_pty below) rather than a generic pty type
type apt_devpts_t;
term_pty(apt_devpts_t)
17
# aptitude lock file; files_lock_file() places it under the /var/lock hierarchy
type apt_lock_t;
files_lock_file(apt_lock_t)
21
# scratch files apt creates under /tmp
type apt_tmp_t;
files_tmp_file(apt_tmp_t)
24
# objects apt creates on tmpfs (e.g. /dev/shm); separate from apt_tmp_t so
# the tmpfs rules below can grant a wider object-class set (lnk/sock/fifo)
type apt_tmpfs_t;
files_tmpfs_file(apt_tmpfs_t)
27
28 # package cache
29 type apt_var_cache_t alias var_cache_apt_t;
30 files_type(apt_var_cache_t)
31
32 # status files
33 type apt_var_lib_t alias var_lib_apt_t;
34 files_type(apt_var_lib_t)
35
36 # aptitude log file
37 type apt_var_log_t;
38 logging_log_file(apt_var_log_t)
39
40 ########################################
41 #
42 # apt Local policy
43 #
44
# Process-level permissions on the domain itself.
allow apt_t self:capability { chown dac_override fowner fsetid };
allow apt_t self:process { fork setpgid signal };
allow apt_t self:fd use;

# SysV IPC objects apt_t creates for itself.
allow apt_t self:shm create_shm_perms;
allow apt_t self:sem create_sem_perms;
allow apt_t self:msgq create_msgq_perms;
allow apt_t self:msg { receive send };

# Pipes and local sockets; the unix socket rules list each class once with
# the combined permission set.
allow apt_t self:fifo_file rw_fifo_file_perms;
allow apt_t self:unix_dgram_socket { create_socket_perms sendto };
allow apt_t self:unix_stream_socket { rw_stream_socket_perms connectto };

# Network sockets used when fetching indexes and archives; the route
# socket is read while running an update.
allow apt_t self:tcp_socket create_stream_socket_perms;
allow apt_t self:udp_socket { create_socket_perms connect };
allow apt_t self:netlink_route_socket r_netlink_socket_perms;
61
# lock files: full management of the lock directory and its files, with new
# objects created under the lock hierarchy labelled apt_lock_t.
manage_dirs_pattern(apt_t, apt_lock_t, apt_lock_t)
manage_files_pattern(apt_t, apt_lock_t, apt_lock_t)
files_lock_filetrans(apt_t, apt_lock_t, { dir file })
66
# /tmp scratch space: directories and regular files only, created under the
# generic tmp directory with the apt_tmp_t label
manage_dirs_pattern(apt_t, apt_tmp_t, apt_tmp_t)
manage_files_pattern(apt_t, apt_tmp_t, apt_tmp_t)
files_tmp_filetrans(apt_t, apt_tmp_t, { file dir })
70
# tmpfs objects: unlike apt_tmp_t this also covers symlinks, fifos and unix
# sockets; every class listed here is created with the apt_tmpfs_t label
manage_dirs_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
manage_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
manage_lnk_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
manage_fifo_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
manage_sock_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file })
77
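# Access /var/cache/apt files
# manage_dirs_pattern is required next to manage_files_pattern: the dir
# type_transition below only labels directories apt_t is actually permitted
# to create, and manage_files_pattern grants apt_var_cache_t directories
# rw_dir_perms only (no create/rmdir), so without it mkdir of a cache
# subdirectory would be denied despite the transition rule.
manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
files_var_filetrans(apt_t, apt_var_cache_t, dir)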
81
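# Access /var/lib/apt files
# Same reasoning as the cache rules: a dir type_transition is only useful
# when the domain can create directories of the target type, which
# manage_files_pattern alone (rw_dir_perms on the dir class) does not allow.
manage_dirs_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)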
85
# log files: apt_t manages its log files (file class only — no directory
# permissions on apt_var_log_t are granted here) and new files it creates
# in the log directory are labelled apt_var_log_t
allow apt_t apt_var_log_t:file manage_file_perms;
logging_log_filetrans(apt_t, apt_var_log_t, file)
89
# read /proc system state and kernel sysctls
kernel_read_system_state(apt_t)
kernel_read_kernel_sysctls(apt_t)

# to launch dpkg-preconfigure: executing generic bin_t programs and shells
# here runs them inside apt_t itself (no domain transition), so anything apt
# invokes this way inherits the full set of permissions in this file
corecmd_exec_bin(apt_t)
corecmd_exec_shell(apt_t)
96
# Network access for fetching package indexes and archives.
corenet_all_recvfrom_unlabeled(apt_t)
corenet_all_recvfrom_netlabel(apt_t)
corenet_tcp_sendrecv_generic_if(apt_t)
corenet_udp_sendrecv_generic_if(apt_t)
corenet_tcp_sendrecv_generic_node(apt_t)
corenet_udp_sendrecv_generic_node(apt_t)
corenet_tcp_sendrecv_all_ports(apt_t)
corenet_udp_sendrecv_all_ports(apt_t)
# TODO: really allow all these?
# NOTE(review): apt's fetch methods act as clients of the configured
# repository/proxy ports; binding on generic nodes and connecting to *all*
# TCP ports goes well beyond that. A narrower set (the http/ftp/proxy port
# interfaces plus whatever local mirrors actually use) should be confirmed
# against real AVC denials before these are tightened.
corenet_tcp_bind_generic_node(apt_t)
corenet_udp_bind_generic_node(apt_t)
corenet_tcp_connect_all_ports(apt_t)
corenet_sendrecv_all_client_packets(apt_t)
110
# read /dev/urandom
dev_read_urand(apt_t)

# getattr on all domains' processes, and use of file descriptors inherited
# from interactive domains
domain_getattr_all_domains(apt_t)
domain_use_interactive_fds(apt_t)

# execute files under /usr; read /etc and runtime-generated /etc files
files_exec_usr_files(apt_t)
files_read_etc_files(apt_t)
files_read_etc_runtime_files(apt_t)

# getattr on all filesystems
fs_getattr_all_fs(apt_t)

# the pty apt_t creates is labelled apt_devpts_t (declared above);
# term_use_all_terms is broad but matches dpkg/debconf prompting on
# whatever terminal apt was started from
term_create_pty(apt_t, apt_devpts_t)
term_list_ptys(apt_t)
term_use_all_terms(apt_t)

# execute the dynamic loader and library files directly
libs_exec_ld_so(apt_t)
libs_exec_lib_files(apt_t)

logging_send_syslog_msg(apt_t)

miscfiles_read_localization(apt_t)

# inherit file descriptors when started via newrole
seutil_use_newrole_fds(apt_t)

# read network configuration (resolver settings and the like)
sysnet_read_config(apt_t)

# use the invoking user's terminal
userdom_use_user_terminals(apt_t)
138
139 # with boolean, for cron-apt and such?
140 #optional_policy(`
141 # cron_system_entry(apt_t,apt_exec_t)
142 #')
143
optional_policy(`
	# dpkg interaction: read and lock the dpkg database, and transition to
	# the dpkg domain when executing dpkg (so dpkg is not run inside apt_t)
	dpkg_read_db(apt_t)
	dpkg_domtrans(apt_t)
	dpkg_lock_db(apt_t)
')
150
optional_policy(`
	# name lookups via ypbind when the nis module is present
	nis_use_ypbind(apt_t)
')
154
optional_policy(`
	# for apt front-ends driving rpm: read the rpm database and transition
	# to the rpm domain instead of running rpm inside apt_t
	rpm_read_db(apt_t)
	rpm_domtrans(apt_t)
')
159
optional_policy(`
	# When the unconfined module is loaded this makes apt_t an unconfined
	# domain, so every restriction in this file is effectively only
	# enforced on policies built or loaded without that module.
	unconfined_domain(apt_t)
')