- Added modules:
amavis (Erich Schubert)
+ apt (Erich Schubert)
clamav (Erich Schubert)
+ dpkg (Erich Schubert)
tor (Erich Schubert)
* Tue Mar 07 2006 Chris PeBenito <selinux@tresys.com> - 20060307
--- /dev/null
+/usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0)
+# apt-shell is redhat specific
+/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
+# other package managers
+/usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
+
+# package cache repository
+/var/cache/apt(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
+
+# package list repository
+/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
+/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
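Review bot: The synaptic entry here labels `/usr/sbin/synaptic`, while the entry this commit removes from the rpm file contexts was `/usr/bin/synaptic`, so a system that installs synaptic under /usr/bin is left without a package-manager label on it. If both locations are in use, add a second line, `/usr/bin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)`; if only the /usr/sbin path is intended, a comment saying so would help. A front end without the label would presumably run in the caller's domain instead of apt_t, which is easy to miss because it does not have to show up as a denial.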
--- /dev/null
+## <summary>APT advanced package toll.</summary>
+
+########################################
+## <summary>
+## Execute apt programs in the apt domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`apt_domtrans',`
+ gen_require(`
+ type apt_t, apt_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domain_auto_trans($1,apt_exec_t,apt_t)
+
+ # allow basic communication
+ allow $1 apt_t:fd use;
+ allow apt_t $1:fd use;
+ allow apt_t $1:fifo_file rw_file_perms;
+ allow apt_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute apt programs in the apt domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the apt domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the apt domain to use.
+## </summary>
+## </param>
+#
+interface(`apt_run',`
+ gen_require(`
+ type apt_t;
+ ')
+
+ apt_domtrans($1)
+ role $2 types apt_t;
+ allow apt_t $3:chr_file rw_term_perms;
+ # TODO: likely have to add dpkg_run here.
+')
+
+########################################
+## <summary>
+## Inherit and use file descriptors from apt.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`apt_use_fds',`
+ gen_require(`
+ type apt_t;
+ ')
+
+ allow $1 apt_t:fd use;
+ # TODO: enforce dpkg_use_fd?
+')
+
+########################################
+## <summary>
+## Read from an unnamed apt pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`apt_read_pipes',`
+ gen_require(`
+ type apt_t;
+ ')
+
+ allow $1 apt_t:fifo_file r_file_perms;
+ # TODO: enforce dpkg_read_pipes?
+')
+
+########################################
+## <summary>
+## Read and write an unnamed apt pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`apt_rw_pipes',`
+ gen_require(`
+ type apt_t;
+ ')
+
+ allow $1 apt_t:fifo_file rw_file_perms;
+ # TODO: enforce dpkg_rw_pipes?
+')
+
+########################################
+## <summary>
+## Read the apt package database.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`apt_read_db',`
+ gen_require(`
+ type apt_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 apt_var_lib_t:dir r_dir_perms;
+ allow $1 apt_var_lib_t:file { getattr read };
+ allow $1 apt_var_lib_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete the apt package database.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`apt_manage_db',`
+ gen_require(`
+ type apt_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 apt_var_lib_t:dir rw_dir_perms;
+ allow $1 apt_var_lib_t:file { getattr create read write append unlink };
+ allow $1 apt_var_lib_t:lnk_file { getattr read write unlink };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to create, read,
+## write, and delete the apt package database.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`apt_dontaudit_manage_db',`
+ gen_require(`
+ type apt_var_lib_t;
+ ')
+
+ dontaudit $1 apt_var_lib_t:dir rw_dir_perms;
+ dontaudit $1 apt_var_lib_t:file create_file_perms;
+ dontaudit $1 apt_var_lib_t:lnk_file create_lnk_perms;
+')
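Review bot: apt_run authorises role $2 only for apt_t, but apt.te in this commit lets apt_t transition into dpkg_t through `dpkg_domtrans(apt_t)`, so a caller that uses apt_run without also calling dpkg_run is left with a role that is not allowed the dpkg domain; the `# TODO: likely have to add dpkg_run here.` line marks the spot. Resolving it inside the interface, for example with `dpkg_run(apt_t,$2,$3)` wrapped in an optional_policy block for dpkg, keeps the role grant next to the transition that needs it instead of relying on every caller to add it. The apt_run summary is also a copy of the apt_domtrans one and should mention the role grant, e.g. `## Execute apt programs in the apt domain, and allow the specified role the apt domain.` The module summary on the first added line reads "toll" where "tool" is meant.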
--- /dev/null
+
+policy_module(apt,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type apt_t;
+type apt_exec_t;
+init_system_domain(apt_t,apt_exec_t)
+domain_system_change_exemption(apt_t)
+domain_getattr_all_domains(apt_t)
+role system_r types apt_t;
+
+type apt_tmp_t;
+files_tmp_file(apt_tmp_t)
+
+type apt_tmpfs_t;
+files_tmpfs_file(apt_tmpfs_t)
+
+# status files
+type apt_var_lib_t alias var_lib_apt_t;
+files_type(apt_var_lib_t)
+
+# package cache
+type apt_var_cache_t alias var_cache_apt_t;
+files_type(apt_var_cache_t)
+
+########################################
+#
+# apt Local policy
+#
+
+allow apt_t self:capability { chown dac_override fowner fsetid };
+allow apt_t self:process { signal setpgid fork };
+allow apt_t self:fd use;
+allow apt_t self:fifo_file rw_file_perms;
+allow apt_t self:unix_dgram_socket create_socket_perms;
+allow apt_t self:unix_stream_socket rw_stream_socket_perms;
+allow apt_t self:unix_dgram_socket sendto;
+allow apt_t self:unix_stream_socket connectto;
+allow apt_t self:udp_socket { connect create_socket_perms };
+allow apt_t self:tcp_socket create_stream_socket_perms;
+allow apt_t self:shm create_shm_perms;
+allow apt_t self:sem create_sem_perms;
+allow apt_t self:msgq create_msgq_perms;
+allow apt_t self:msg { send receive };
+
+# Access /var/cache/apt files
+allow apt_t apt_var_cache_t:file create_file_perms;
+allow apt_t apt_var_cache_t:dir rw_dir_perms;
+files_var_filetrans(apt_t,apt_var_cache_t,dir)
+
+allow apt_t apt_tmp_t:dir create_dir_perms;
+allow apt_t apt_tmp_t:file create_file_perms;
+files_tmp_filetrans(apt_t, apt_tmp_t, { file dir })
+
+allow apt_t apt_tmpfs_t:dir create_dir_perms;
+allow apt_t apt_tmpfs_t:file create_file_perms;
+allow apt_t apt_tmpfs_t:lnk_file create_file_perms;
+allow apt_t apt_tmpfs_t:sock_file create_file_perms;
+allow apt_t apt_tmpfs_t:fifo_file create_file_perms;
+fs_tmpfs_filetrans(apt_t,apt_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+# Access /var/lib/apt files
+allow apt_t apt_var_lib_t:file create_file_perms;
+allow apt_t apt_var_lib_t:dir rw_dir_perms;
+files_var_lib_filetrans(apt_t,apt_var_lib_t,dir)
+
+kernel_read_system_state(apt_t)
+kernel_read_kernel_sysctls(apt_t)
+
+# to launch dpkg-preconfigure
+corecmd_exec_bin(apt_t)
+corecmd_exec_shell(apt_t)
+corecmd_exec_sbin(apt_t)
+
+corenet_tcp_sendrecv_all_if(apt_t)
+corenet_udp_sendrecv_all_if(apt_t)
+corenet_tcp_sendrecv_all_nodes(apt_t)
+corenet_udp_sendrecv_all_nodes(apt_t)
+corenet_tcp_sendrecv_all_ports(apt_t)
+corenet_udp_sendrecv_all_ports(apt_t)
+corenet_non_ipsec_sendrecv(apt_t)
+# TODO: reall allow all these?
+corenet_tcp_bind_all_nodes(apt_t)
+corenet_udp_bind_all_nodes(apt_t)
+corenet_tcp_connect_all_ports(apt_t)
+
+dev_read_urand(apt_t)
+
+files_exec_usr_files(apt_t)
+files_read_etc_files(apt_t)
+files_read_etc_runtime_files(apt_t)
+
+term_list_ptys(apt_t)
+term_use_all_terms(apt_t)
+
+libs_use_ld_so(apt_t)
+libs_use_shared_libs(apt_t)
+libs_exec_ld_so(apt_t)
+libs_exec_lib_files(apt_t)
+
+logging_send_syslog_msg(apt_t)
+
+miscfiles_read_localization(apt_t)
+
+seutil_use_newrole_fds(apt_t)
+
+sysnet_read_config(apt_t)
+
+ifdef(`targeted_policy',`
+ unconfined_domain(apt_t)
+')
+
+# with boolean, for cron-apt and such?
+#optional_policy(`cron',`
+# cron_system_entry(apt_t,apt_exec_t)
+#')
+
+optional_policy(`dpkg',`
+ # dpkg interaction
+ dpkg_read_db(apt_t)
+ dpkg_domtrans(apt_t)
+ dpkg_lock_db(apt_t)
+')
+
+optional_policy(`nis',`
+ nis_use_ypbind(apt_t)
+')
+
+optional_policy(`rpm',`
+ rpm_read_db(apt_t)
+ rpm_domtrans(apt_t)
+')
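Review bot: The directory rules for apt_var_cache_t and apt_var_lib_t grant only `rw_dir_perms`, yet `files_var_filetrans(apt_t,apt_var_cache_t,dir)` and `files_var_lib_filetrans(apt_t,apt_var_lib_t,dir)` set up type transitions for directories that apt_t would create. Unless rw_dir_perms includes create in this tree (it does not appear to), those transitions can never take effect, and apt_t cannot create nested directories under the cache or list paths either. The apt_tmp_t and apt_tmpfs_t rules a few lines away pair their filetrans with `create_dir_perms`; either do the same here, `allow apt_t apt_var_cache_t:dir create_dir_perms;` and `allow apt_t apt_var_lib_t:dir create_dir_perms;`, or drop the two filetrans lines if the directories are always shipped by the package.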
--- /dev/null
+# Debian package manager
+/usr/bin/debsums -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+/usr/bin/dpkg -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+# not sure if dselect should be in apt instead?
+/usr/bin/dselect -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+
+/var/lib/dpkg(/.*)? gen_context(system_u:object_r:dpkg_var_lib_t,s0)
+# lockfile is treated specially, since used by apt, too
+/var/lib/dpkg/(meth)?lock -- gen_context(system_u:object_r:dpkg_lock_t,s0)
+
+/usr/sbin/dpkg-preconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+/usr/sbin/dpkg-reconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0)
--- /dev/null
+## <summary>Policy for the Debian package manager.</summary>
+# TODO: need debconf policy
+# TODO: need install-menu policy
+
+########################################
+## <summary>
+## Execute dpkg programs in the dpkg domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`dpkg_domtrans',`
+ gen_require(`
+ type dpkg_t, dpkg_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domain_auto_trans($1,dpkg_exec_t,dpkg_t)
+
+ # allow basic communication
+ allow $1 dpkg_t:fd use;
+ allow dpkg_t $1:fd use;
+ allow dpkg_t $1:fifo_file rw_file_perms;
+ allow dpkg_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute dpkg_script programs in the dpkg_script domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_domtrans_script',`
+ gen_require(`
+ type dpkg_script_t;
+ ')
+
+ # transition to dpkg script:
+ corecmd_shell_domtrans($1,dpkg_script_t)
+
+ allow $1 dpkg_script_t:fd use;
+ allow dpkg_script_t $1:fd use;
+ allow dpkg_script_t $1:fifo_file rw_file_perms;
+ allow dpkg_script_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+## Execute dpkg programs in the dpkg domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the dpkg domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the dpkg domain to use.
+## </summary>
+## </param>
+#
+interface(`dpkg_run',`
+ gen_require(`
+ type dpkg_t, dpkg_script_t;
+ ')
+
+ dpkg_domtrans($1)
+ role $2 types dpkg_t;
+ role $2 types dpkg_script_t;
+ seutil_run_loadpolicy(dpkg_script_t,$2,$3)
+ allow dpkg_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+## Inherit and use file descriptors from dpkg.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`dpkg_use_fds',`
+ gen_require(`
+ type dpkg_t;
+ ')
+
+ allow $1 dpkg_t:fd use;
+')
+
+########################################
+## <summary>
+## Read from an unnamed dpkg pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`dpkg_read_pipes',`
+ gen_require(`
+ type dpkg_t;
+ ')
+
+ allow $1 dpkg_t:fifo_file r_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write an unnamed dpkg pipe.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`dpkg_rw_pipes',`
+ gen_require(`
+ type dpkg_t;
+ ')
+
+ allow $1 dpkg_t:fifo_file rw_file_perms;
+')
+
+########################################
+## <summary>
+## Inherit and use file descriptors from dpkg scripts.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`dpkg_use_script_fds',`
+ gen_require(`
+ type dpkg_script_t;
+ ')
+
+ allow $1 dpkg_script_t:fd use;
+')
+
+########################################
+## <summary>
+## Read the dpkg package database.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`dpkg_read_db',`
+ gen_require(`
+ type dpkg_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 dpkg_var_lib_t:dir r_dir_perms;
+ allow $1 dpkg_var_lib_t:file { getattr read };
+ allow $1 dpkg_var_lib_t:lnk_file r_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete the dpkg package database.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`dpkg_manage_db',`
+ gen_require(`
+ type dpkg_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 dpkg_var_lib_t:dir rw_dir_perms;
+ allow $1 dpkg_var_lib_t:file manage_file_perms;
+ allow $1 dpkg_var_lib_t:lnk_file { getattr read write unlink };
+')
+
+########################################
+## <summary>
+## Do not audit attempts to create, read,
+## write, and delete the dpkg package database.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`dpkg_dontaudit_manage_db',`
+ gen_require(`
+ type dpkg_var_lib_t;
+ ')
+
+ dontaudit $1 dpkg_var_lib_t:dir rw_dir_perms;
+ dontaudit $1 dpkg_var_lib_t:file manage_file_perms;
+ dontaudit $1 dpkg_var_lib_t:lnk_file create_lnk_perms;
+')
+
+########################################
+## <summary>
+## Lock the dpkg package database.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`dpkg_lock_db',`
+ gen_require(`
+ type dpkg_lock_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 dpkg_var_lib_t:dir r_dir_perms;
+ allow $1 dpkg_lock_t:file { getattr create read write append unlink lock };
+')
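Review bot: dpkg_lock_db uses dpkg_var_lib_t in `allow $1 dpkg_var_lib_t:dir r_dir_perms;` but its gen_require block declares only dpkg_lock_t. When the interface is expanded in another module, as apt.te does with `dpkg_lock_db(apt_t)`, the type is referenced without being required, which a modular build is likely to reject. Change the require line to `type dpkg_lock_t, dpkg_var_lib_t;`.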
--- /dev/null
+
+policy_module(dpkg,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type dpkg_t;
+type dpkg_exec_t;
+# dpkg can start/stop services
+init_system_domain(dpkg_t,dpkg_exec_t)
+# dpkg can change file labels, roles, IO
+domain_obj_id_change_exemption(dpkg_t)
+domain_role_change_exemption(dpkg_t)
+domain_system_change_exemption(dpkg_t)
+domain_interactive_fd(dpkg_t)
+role system_r types dpkg_t;
+
+# lockfile
+type dpkg_lock_t;
+files_type(dpkg_lock_t)
+
+type dpkg_tmp_t;
+files_tmp_file(dpkg_tmp_t)
+
+type dpkg_tmpfs_t;
+files_tmpfs_file(dpkg_tmpfs_t)
+
+# status files
+type dpkg_var_lib_t alias var_lib_dpkg_t;
+files_type(dpkg_var_lib_t)
+
+# package scripts
+type dpkg_script_t;
+domain_type(dpkg_script_t)
+domain_entry_file(dpkg_t, dpkg_var_lib_t)
+corecmd_shell_entry_type(dpkg_script_t)
+domain_obj_id_change_exemption(dpkg_script_t)
+domain_system_change_exemption(dpkg_script_t)
+domain_interactive_fd(dpkg_script_t)
+role system_r types dpkg_script_t;
+
+type dpkg_script_tmp_t;
+files_tmp_file(dpkg_script_tmp_t)
+
+type dpkg_script_tmpfs_t;
+files_tmpfs_file(dpkg_script_tmpfs_t)
+
+########################################
+#
+# dpkg Local policy
+#
+
+allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
+allow dpkg_t self:process { setpgid fork getsched setfscreate };
+allow dpkg_t self:fd use;
+allow dpkg_t self:fifo_file rw_file_perms;
+allow dpkg_t self:unix_dgram_socket create_socket_perms;
+allow dpkg_t self:unix_stream_socket rw_stream_socket_perms;
+allow dpkg_t self:unix_dgram_socket sendto;
+allow dpkg_t self:unix_stream_socket connectto;
+allow dpkg_t self:udp_socket { connect create_socket_perms };
+allow dpkg_t self:tcp_socket create_stream_socket_perms;
+allow dpkg_t self:shm create_shm_perms;
+allow dpkg_t self:sem create_sem_perms;
+allow dpkg_t self:msgq create_msgq_perms;
+allow dpkg_t self:msg { send receive };
+
+allow dpkg_t dpkg_lock_t:file manage_file_perms;
+
+allow dpkg_t dpkg_tmp_t:dir manage_dir_perms;
+allow dpkg_t dpkg_tmp_t:file manage_file_perms;
+files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir })
+
+allow dpkg_t dpkg_tmpfs_t:dir manage_dir_perms;
+allow dpkg_t dpkg_tmpfs_t:file manage_file_perms;
+allow dpkg_t dpkg_tmpfs_t:lnk_file manage_file_perms;
+allow dpkg_t dpkg_tmpfs_t:sock_file manage_file_perms;
+allow dpkg_t dpkg_tmpfs_t:fifo_file manage_file_perms;
+fs_tmpfs_filetrans(dpkg_t,dpkg_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+# Access /var/lib/dpkg files
+allow dpkg_t dpkg_var_lib_t:file manage_file_perms;
+allow dpkg_t dpkg_var_lib_t:dir rw_dir_perms;
+files_var_lib_filetrans(dpkg_t,dpkg_var_lib_t,dir)
+
+kernel_read_system_state(dpkg_t)
+kernel_read_kernel_sysctls(dpkg_t)
+
+corecmd_exec_bin(dpkg_t)
+corecmd_exec_sbin(dpkg_t)
+
+# TODO: do we really need all networking?
+corenet_tcp_sendrecv_all_if(dpkg_t)
+corenet_raw_sendrecv_all_if(dpkg_t)
+corenet_udp_sendrecv_all_if(dpkg_t)
+corenet_tcp_sendrecv_all_nodes(dpkg_t)
+corenet_raw_sendrecv_all_nodes(dpkg_t)
+corenet_udp_sendrecv_all_nodes(dpkg_t)
+corenet_tcp_sendrecv_all_ports(dpkg_t)
+corenet_udp_sendrecv_all_ports(dpkg_t)
+corenet_non_ipsec_sendrecv(dpkg_t)
+corenet_tcp_bind_all_nodes(dpkg_t)
+corenet_udp_bind_all_nodes(dpkg_t)
+corenet_tcp_connect_all_ports(dpkg_t)
+
+dev_list_sysfs(dpkg_t)
+dev_list_usbfs(dpkg_t)
+dev_read_urand(dpkg_t)
+#devices_manage_all_device_types(dpkg_t)
+
+domain_exec_all_entry_files(dpkg_t)
+domain_read_all_domains_state(dpkg_t)
+domain_getattr_all_domains(dpkg_t)
+domain_dontaudit_ptrace_all_domains(dpkg_t)
+domain_use_interactive_fds(dpkg_t)
+domain_dontaudit_getattr_all_pipes(dpkg_t)
+domain_dontaudit_getattr_all_tcp_sockets(dpkg_t)
+domain_dontaudit_getattr_all_udp_sockets(dpkg_t)
+domain_dontaudit_getattr_all_packet_sockets(dpkg_t)
+domain_dontaudit_getattr_all_raw_sockets(dpkg_t)
+domain_dontaudit_getattr_all_stream_sockets(dpkg_t)
+domain_dontaudit_getattr_all_dgram_sockets(dpkg_t)
+
+fs_manage_nfs_dirs(dpkg_t)
+fs_manage_nfs_files(dpkg_t)
+fs_manage_nfs_symlinks(dpkg_t)
+fs_getattr_all_fs(dpkg_t)
+fs_search_auto_mountpoints(dpkg_t)
+
+mls_file_read_up(dpkg_t)
+mls_file_write_down(dpkg_t)
+mls_file_upgrade(dpkg_t)
+
+selinux_get_fs_mount(dpkg_t)
+selinux_validate_context(dpkg_t)
+selinux_compute_access_vector(dpkg_t)
+selinux_compute_create_context(dpkg_t)
+selinux_compute_relabel_context(dpkg_t)
+selinux_compute_user_contexts(dpkg_t)
+
+storage_raw_write_fixed_disk(dpkg_t)
+# for installing kernel packages
+storage_raw_read_fixed_disk(dpkg_t)
+
+term_list_ptys(dpkg_t)
+
+auth_relabel_all_files_except_shadow(dpkg_t)
+auth_manage_all_files_except_shadow(dpkg_t)
+auth_dontaudit_read_shadow(dpkg_t)
+
+files_exec_etc_files(dpkg_t)
+
+init_domtrans_script(dpkg_t)
+
+libs_use_ld_so(dpkg_t)
+libs_use_shared_libs(dpkg_t)
+libs_exec_ld_so(dpkg_t)
+libs_exec_lib_files(dpkg_t)
+libs_domtrans_ldconfig(dpkg_t)
+
+logging_send_syslog_msg(dpkg_t)
+
+# allow compiling and loading new policy
+seutil_manage_src_policy(dpkg_t)
+seutil_manage_bin_policy(dpkg_t)
+
+sysnet_read_config(dpkg_t)
+
+userdom_use_unpriv_users_fds(dpkg_t)
+
+# transition to dpkg script:
+dpkg_domtrans_script(dpkg_t)
+# since the scripts aren't labeled correctly yet...
+allow dpkg_t dpkg_var_lib_t:file execute;
+
+ifdef(`targeted_policy',`
+ unconfined_domain(dpkg_t)
+')
+
+# TODO: allow?
+#optional_policy(`cron',`
+# cron_system_entry(dpkg_t,dpkg_exec_t)
+#')
+
+optional_policy(`mount',`
+ mount_send_nfs_client_request(dpkg_t)
+')
+
+optional_policy(`nis',`
+ nis_use_ypbind(dpkg_t)
+')
+
+# TODO: the following was copied from dpkg_script_t, and could probably
+# be removed again when dpkg_script_t is actually used...
+domain_signal_all_domains(dpkg_t)
+domain_signull_all_domains(dpkg_t)
+files_read_etc_runtime_files(dpkg_t)
+files_exec_usr_files(dpkg_t)
+miscfiles_read_localization(dpkg_t)
+modutils_domtrans_depmod(dpkg_t)
+modutils_domtrans_insmod(dpkg_t)
+seutil_domtrans_loadpolicy(dpkg_t)
+seutil_domtrans_restorecon(dpkg_t)
+userdom_use_all_users_fds(dpkg_t)
+optional_policy(`mta',`
+ mta_send_mail(dpkg_t)
+')
+optional_policy(`usermanage',`
+ usermanage_domtrans_groupadd(dpkg_t)
+ usermanage_domtrans_useradd(dpkg_t)
+')
+
+########################################
+#
+# dpkg-script Local policy
+#
+# TODO: actually use dpkg_script_t
+
+allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
+allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow dpkg_script_t self:fd use;
+allow dpkg_script_t self:fifo_file rw_file_perms;
+allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
+allow dpkg_script_t self:unix_stream_socket rw_stream_socket_perms;
+allow dpkg_script_t self:unix_dgram_socket sendto;
+allow dpkg_script_t self:unix_stream_socket connectto;
+allow dpkg_script_t self:shm create_shm_perms;
+allow dpkg_script_t self:sem create_sem_perms;
+allow dpkg_script_t self:msgq create_msgq_perms;
+allow dpkg_script_t self:msg { send receive };
+
+allow dpkg_script_t dpkg_tmp_t:file r_file_perms;
+
+allow dpkg_script_t dpkg_script_tmp_t:dir { manage_dir_perms mounton };
+allow dpkg_script_t dpkg_script_tmp_t:file manage_file_perms;
+files_tmp_filetrans(dpkg_script_t, dpkg_script_tmp_t, { file dir })
+
+allow dpkg_script_t dpkg_script_tmpfs_t:dir manage_dir_perms;
+allow dpkg_script_t dpkg_script_tmpfs_t:file manage_file_perms;
+allow dpkg_script_t dpkg_script_tmpfs_t:lnk_file create_lnk_perms;
+allow dpkg_script_t dpkg_script_tmpfs_t:sock_file manage_file_perms;
+allow dpkg_script_t dpkg_script_tmpfs_t:fifo_file manage_file_perms;
+fs_tmpfs_filetrans(dpkg_script_t,dpkg_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+kernel_read_kernel_sysctls(dpkg_script_t)
+kernel_read_system_state(dpkg_script_t)
+
+corecmd_exec_bin(dpkg_script_t)
+corecmd_exec_sbin(dpkg_script_t)
+
+dev_list_sysfs(dpkg_script_t)
+# ideally we would not need this
+dev_manage_generic_blk_files(dpkg_script_t)
+dev_manage_generic_chr_files(dpkg_script_t)
+dev_manage_all_blk_files(dpkg_script_t)
+dev_manage_all_chr_files(dpkg_script_t)
+
+domain_read_all_domains_state(dpkg_script_t)
+domain_getattr_all_domains(dpkg_script_t)
+domain_dontaudit_ptrace_all_domains(dpkg_script_t)
+domain_use_interactive_fds(dpkg_script_t)
+domain_exec_all_entry_files(dpkg_script_t)
+domain_signal_all_domains(dpkg_script_t)
+domain_signull_all_domains(dpkg_script_t)
+
+files_exec_etc_files(dpkg_script_t)
+files_read_etc_runtime_files(dpkg_script_t)
+files_exec_usr_files(dpkg_script_t)
+
+fs_manage_nfs_files(dpkg_script_t)
+fs_getattr_nfs(dpkg_script_t)
+# why is this not using mount?
+fs_getattr_xattr_fs(dpkg_script_t)
+fs_mount_xattr_fs(dpkg_script_t)
+fs_unmount_xattr_fs(dpkg_script_t)
+fs_search_auto_mountpoints(dpkg_script_t)
+
+mls_file_read_up(dpkg_script_t)
+mls_file_write_down(dpkg_script_t)
+
+selinux_get_fs_mount(dpkg_script_t)
+selinux_validate_context(dpkg_script_t)
+selinux_compute_access_vector(dpkg_script_t)
+selinux_compute_create_context(dpkg_script_t)
+selinux_compute_relabel_context(dpkg_script_t)
+selinux_compute_user_contexts(dpkg_script_t)
+
+storage_raw_read_fixed_disk(dpkg_script_t)
+storage_raw_write_fixed_disk(dpkg_script_t)
+
+term_getattr_unallocated_ttys(dpkg_script_t)
+term_list_ptys(dpkg_script_t)
+term_use_all_terms(dpkg_script_t)
+
+auth_dontaudit_getattr_shadow(dpkg_script_t)
+# ideally we would not need this
+auth_manage_all_files_except_shadow(dpkg_script_t)
+
+init_domtrans_script(dpkg_script_t)
+
+libs_use_ld_so(dpkg_script_t)
+libs_use_shared_libs(dpkg_script_t)
+libs_exec_ld_so(dpkg_script_t)
+libs_exec_lib_files(dpkg_script_t)
+libs_domtrans_ldconfig(dpkg_script_t)
+
+logging_send_syslog_msg(dpkg_script_t)
+
+miscfiles_read_localization(dpkg_script_t)
+
+modutils_domtrans_depmod(dpkg_script_t)
+modutils_domtrans_insmod(dpkg_script_t)
+
+seutil_domtrans_loadpolicy(dpkg_script_t)
+seutil_domtrans_restorecon(dpkg_script_t)
+
+userdom_use_all_users_fds(dpkg_script_t)
+
+ifdef(`distro_redhat',`
+ unconfined_domain(dpkg_script_t)
+')
+
+ifdef(`targeted_policy',`
+ unconfined_domain(dpkg_script_t)
+',`
+ optional_policy(`bootloader',`
+ bootloader_domtrans(dpkg_script_t)
+ ')
+')
+
+tunable_policy(`allow_execmem',`
+ allow dpkg_script_t self:process execmem;
+')
+
+optional_policy(`mta',`
+ mta_send_mail(dpkg_script_t)
+')
+
+optional_policy(`nis',`
+ nis_use_ypbind(dpkg_script_t)
+')
+
+optional_policy(`usermanage',`
+ usermanage_domtrans_groupadd(dpkg_script_t)
+ usermanage_domtrans_useradd(dpkg_script_t)
+')
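Review bot: dpkg_t can both write and execute dpkg_var_lib_t files: `allow dpkg_t dpkg_var_lib_t:file manage_file_perms;` sits alongside `allow dpkg_t dpkg_var_lib_t:file execute;`, and `domain_entry_file(dpkg_t, dpkg_var_lib_t)` makes that type an entry point for dpkg_t rather than for dpkg_script_t, under whose declarations it appears. Because the dpkg_manage_db interface lets other domains write the same type, policy cannot tell the package database apart from the maintainer scripts stored with it, and those scripts appear to run with the full dpkg_t rule set (raw fixed-disk write, policy management, relabelling of all non-shadow files). The comments mark this as temporary; until the scripts have a type of their own that is an entry point for dpkg_script_t only, the execute rule should carry a comment stating the gap, e.g. `# FIXME: maintainer scripts share dpkg_var_lib_t and run in dpkg_t; remove once they have their own type`.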
/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/bin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/lib(64)?/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0)
-policy_module(rpm,1.3.0)
+policy_module(rpm,1.3.1)
########################################
#
-policy_module(usermanage,1.3.0)
+policy_module(usermanage,1.3.1)
########################################
#
# for when /root is the cwd
userdom_dontaudit_search_sysadm_home_dirs(groupadd_t)
+optional_policy(`dpkg',`
+ dpkg_use_fds(groupadd_t)
+ dpkg_rw_pipes(groupadd_t)
+')
+
optional_policy(`nis',`
nis_use_ypbind(groupadd_t)
')
mta_manage_spool(useradd_t)
+optional_policy(`dpkg',`
+ dpkg_use_fds(useradd_t)
+ dpkg_rw_pipes(useradd_t)
+')
+
optional_policy(`nis',`
nis_use_ypbind(useradd_t)
')
/usr/lib/jvm/java.*/bin -d gen_context(system_u:object_r:bin_t,s0)
/usr/lib/jvm/java.*/bin/.* gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/cups/cgi-bin/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/cups/filter/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:sbin_t,s0)
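Review bot: The added apt pattern `/usr/lib(64)?/apt/methods.+` has no slash after `methods`, so it matches any regular file whose path merely starts with that prefix, not only files inside the directory. The dpkg entry added below it uses the `/dpkg/.+` form; writing the apt one the same way, `/usr/lib(64)?/apt/methods/.+`, confines the bin_t label to the method helpers themselves.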
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
-policy_module(corecommands,1.3.0)
+policy_module(corecommands,1.3.1)
########################################
#
network_port(syslogd, udp,514,s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
+network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0)
network_port(transproxy, tcp,8081,s0)
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
allow $1 httpd_sys_content_t:dir r_dir_perms;
allow $1 httpd_sys_content_t:file { getattr read };
+ allow $1 httpd_sys_content_t:lnk_file { getattr read };
')
########################################
-policy_module(apache,1.3.0)
+policy_module(apache,1.3.1)
#
# NOTES:
allow httpd_t httpd_sys_content_t:dir r_dir_perms;
allow httpd_t httpd_sys_content_t:file r_file_perms;
+allow httpd_t httpd_sys_content_t:lnk_file r_file_perms;
allow httpd_t httpd_tmp_t:dir create_dir_perms;
allow httpd_t httpd_tmp_t:file create_file_perms;
-policy_module(tor,1.0.0)
+policy_module(tor,1.0.1)
########################################
#
corenet_tcp_connect_all_ports(tor_t)
# ... especially including port 80 and other privileged ports
corenet_tcp_connect_all_reserved_ports(tor_t)
-# TOR may bind to a non-privileged port
-corenet_tcp_bind_all_ports(tor_t)
+corenet_tcp_bind_tor_port(tor_t)
corenet_tcp_bind_all_nodes(tor_t)
# tor uses crypto and needs random
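Review bot: The new `corenet_tcp_bind_tor_port(tor_t)` line replaced both the bind-all-ports rule and its comment, so nothing in the file now says which ports tor may listen on or why. A short comment such as `# bind only to ports labelled for tor (tcp 9001, 9030, 9050 in corenetwork)` would tell an administrator who configures a different listener port that the resulting denial is intended and that the port needs labelling. The enclosing policy section starts and ends outside this hunk.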
-policy_module(userdomain,1.3.1)
+policy_module(userdomain,1.3.2)
gen_require(`
role sysadm_r, staff_r, user_r;
apm_domtrans_client(sysadm_t)
')
+ optional_policy(`apt',`
+ apt_run(sysadm_t,sysadm_r,admin_terminal)
+ ')
+
optional_policy(`bootloader',`
bootloader_run(sysadm_t,sysadm_r,admin_terminal)
')
dmidecode_run(sysadm_t,sysadm_r,admin_terminal)
')
+ optional_policy(`dpkg',`
+ dpkg_run(sysadm_t,sysadm_r,admin_terminal)
+ ')
+
optional_policy(`firstboot',`
firstboot_run(sysadm_t,sysadm_r,sysadm_tty_device_t)
')