Remove module for backup.

[people/stevee/selinux-policy.git] / policy / modules / admin / apt.if

diff --git a/policy/modules/admin/apt.if b/policy/modules/admin/apt.if
index 06ae950b7036d017b028746b296aeaa365b2a02a..e696b80c628e272f91ec3676a7b5e6f04af7419f 100644 (file)
--- a/policy/modules/admin/apt.if
+++ b/policy/modules/admin/apt.if
@@ -1,4 +1,4 @@
-## <summary>APT advanced package toll.</summary>
+## <summary>APT advanced package tool.</summary>
 
 ########################################
 ## <summary>
@@ -6,7 +6,7 @@
 ## </summary>
 ## <param name="domain">
 ##     <summary>
-##     The type of the process performing this action.
+##     Domain allowed to transition.
 ##     </summary>
 ## </param>
 #
@@ -17,7 +17,7 @@ interface(`apt_domtrans',`
 
        files_search_usr($1)
        corecmd_search_bin($1)
-       domtrans_pattern($1,apt_exec_t,apt_t)
+       domtrans_pattern($1, apt_exec_t, apt_t)
 ')
 
 ########################################
@@ -26,7 +26,7 @@ interface(`apt_domtrans',`
 ## </summary>
 ## <param name="domain">
 ##     <summary>
-##     The type of the process performing this action.
+##     Domain allowed to transition.
 ##     </summary>
 ## </param>
 ## <param name="role">
@@ -34,11 +34,6 @@ interface(`apt_domtrans',`
 ##     The role to allow the apt domain.
 ##     </summary>
 ## </param>
-## <param name="terminal">
-##     <summary>
-##     The type of the terminal allow the apt domain to use.
-##     </summary>
-## </param>
 ## <rolecap/>
 #
 interface(`apt_run',`
@@ -48,7 +43,6 @@ interface(`apt_run',`
 
        apt_domtrans($1)
        role $2 types apt_t;
-       allow apt_t $3:chr_file rw_term_perms;
        # TODO: likely have to add dpkg_run here.
 ')
 
@@ -58,7 +52,7 @@ interface(`apt_run',`
 ## </summary>
 ## <param name="domain">
 ##     <summary>
-##     The type of the process performing this action.
+##     Domain allowed access.
 ##     </summary>
 ## </param>
 #
@@ -71,13 +65,31 @@ interface(`apt_use_fds',`
        # TODO: enforce dpkg_use_fd?
 ')
 
+########################################
+## <summary>
+##     Do not audit attempts to use file descriptors from apt.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to not audit.
+##     </summary>
+## </param>
+#
+interface(`apt_dontaudit_use_fds',`
+       gen_require(`
+               type apt_t;
+       ')
+
+       dontaudit $1 apt_t:fd use;
+')
+
 ########################################
 ## <summary>
 ##     Read from an unnamed apt pipe.
 ## </summary>
 ## <param name="domain">
 ##     <summary>
-##     The type of the process performing this action.
+##     Domain allowed access.
 ##     </summary>
 ## </param>
 #
@@ -96,7 +108,7 @@ interface(`apt_read_pipes',`
 ## </summary>
 ## <param name="domain">
 ##     <summary>
-##     The type of the process performing this action.
+##     Domain allowed access.
 ##     </summary>
 ## </param>
 #
@@ -127,13 +139,34 @@ interface(`apt_use_ptys',`
        allow $1 apt_devpts_t:chr_file rw_term_perms;
 ')
 
+########################################
+## <summary>
+##     Read the apt package cache.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`apt_read_cache',`
+       gen_require(`
+               type apt_var_cache_t;
+       ')
+
+       files_search_var($1)
+       allow $1 apt_var_cache_t:dir list_dir_perms;
+       dontaudit $1 apt_var_cache_t:dir write;
+       allow $1 apt_var_cache_t:file read_file_perms;
+')
+
 ########################################
 ## <summary>
 ##     Read the apt package database.
 ## </summary>
 ## <param name="domain">
 ##     <summary>
-##     The type of the process performing this action.
+##     Domain allowed access.
 ##     </summary>
 ## </param>
 #
@@ -144,8 +177,8 @@ interface(`apt_read_db',`
 
        files_search_var_lib($1)
        allow $1 apt_var_lib_t:dir list_dir_perms;
-       read_files_pattern($1,apt_var_lib_t,apt_var_lib_t)
-       read_lnk_files_pattern($1,apt_var_lib_t,apt_var_lib_t)
+       read_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
+       read_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
 ')
 
 ########################################
@@ -154,7 +187,7 @@ interface(`apt_read_db',`
 ## </summary>
 ## <param name="domain">
 ##     <summary>
-##     The type of the process performing this action.
+##     Domain allowed access.
 ##     </summary>
 ## </param>
 #
@@ -164,10 +197,10 @@ interface(`apt_manage_db',`
        ')
 
        files_search_var_lib($1)
-       manage_files_pattern($1,apt_var_lib_t,apt_var_lib_t)
+       manage_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
        # cjp: shouldnt this be manage_lnk_files?
-       rw_lnk_files_pattern($1,apt_var_lib_t,apt_var_lib_t)
-       delete_lnk_files_pattern($1,apt_var_lib_t,apt_var_lib_t)
+       rw_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
+       delete_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
 ')
 
 ########################################