Commit | Line | Data |
---|---|---|
0c54fcf8 CP |
1 | ## <summary>Policy for the Debian package manager.</summary> |
2 | # TODO: need debconf policy | |
3 | # TODO: need install-menu policy | |
4 | ||
5 | ######################################## | |
6 | ## <summary> | |
7 | ## Execute dpkg programs (dpkg_exec_t) with a domain transition to the dpkg domain (dpkg_t). | |
8 | ## </summary> | |
9 | ## <param name="domain"> | |
10 | ## <summary> | |
11 | ## The type of the process performing this action. | |
12 | ## </summary> | |
13 | ## </param> | |
14 | # | |
15 | interface(`dpkg_domtrans',` | |
16 | gen_require(` | |
17 | type dpkg_t, dpkg_exec_t; | |
18 | ') | |
19 | ||
20 | files_search_usr($1) # directory search so the caller can reach the dpkg executable (presumably under /usr; confirm against the file contexts) | |
21 | corecmd_search_bin($1) # same, for the bin directories | |
0bfccda4 | 22 | domtrans_pattern($1, dpkg_exec_t, dpkg_t) # executing a dpkg_exec_t file moves the caller into dpkg_t |
0c54fcf8 CP |
23 | ') |
24 | ||
25 | ######################################## | |
26 | ## <summary> | |
27 | ## Execute a shell with a domain transition to the dpkg script domain (dpkg_script_t). | |
28 | ## </summary> | |
29 | ## <param name="domain"> | |
30 | ## <summary> | |
31 | ## Domain allowed access. | |
32 | ## </summary> | |
33 | ## </param> | |
34 | # | |
35 | interface(`dpkg_domtrans_script',` | |
36 | gen_require(` | |
37 | type dpkg_script_t; | |
38 | ') | |
39 | ||
40 | # transition to dpkg script; NOTE(review): the entrypoint appears to be the shell itself, so any shell the caller executes would run as dpkg_script_t - confirm against corecmd_shell_domtrans | |
41 | corecmd_shell_domtrans($1,dpkg_script_t) | |
0c54fcf8 CP |
42 | allow dpkg_script_t $1:fd use; # the script domain may use descriptors inherited from the caller |
43 | allow dpkg_script_t $1:fifo_file rw_file_perms; # read and write pipes of the caller; NOTE(review): the pipe interfaces in this file use the fifo_file permission sets (rw_fifo_file_perms) - consider matching | |
44 | allow dpkg_script_t $1:process sigchld; # the script domain may send SIGCHLD to the caller | |
45 | ') | |
46 | ||
47 | ######################################## | |
48 | ## <summary> | |
49 | ## Execute dpkg programs in the dpkg domain, and allow the specified role the dpkg and dpkg script domains. | |
50 | ## </summary> | |
51 | ## <param name="domain"> | |
52 | ## <summary> | |
53 | ## The type of the process performing this action. | |
54 | ## </summary> | |
55 | ## </param> | |
56 | ## <param name="role"> | |
57 | ## <summary> | |
58 | ## The role to be allowed the dpkg and dpkg script domains. | |
59 | ## </summary> | |
60 | ## </param> | |
bbcd3c97 | 61 | ## <rolecap/> |
0c54fcf8 CP |
62 | # |
63 | interface(`dpkg_run',` | |
64 | gen_require(` | |
65 | type dpkg_t, dpkg_script_t; | |
66 | ') | |
67 | ||
68 | dpkg_domtrans($1) # transition rule only; the role statements below authorize the resulting domains for the role | |
69 | role $2 types dpkg_t; | |
70 | role $2 types dpkg_script_t; | |
296273a7 | 71 | seutil_run_loadpolicy(dpkg_script_t, $2) # NOTE(review): judging by the macro name this lets dpkg_script_t run load_policy under this role, i.e. code in the script domain can reload SELinux policy - grant dpkg_run only to roles trusted to that degree |
0c54fcf8 CP |
72 | ') |
73 | ||
74 | ######################################## | |
75 | ## <summary> | |
76 | ## Inherit and use file descriptors from dpkg. | |
77 | ## </summary> | |
78 | ## <param name="domain"> | |
79 | ## <summary> | |
80 | ## The type of the process performing this action. | |
81 | ## </summary> | |
82 | ## </param> | |
83 | # | |
84 | interface(`dpkg_use_fds',` | |
85 | gen_require(` | |
86 | type dpkg_t; | |
87 | ') | |
88 | ||
89 | allow $1 dpkg_t:fd use; # descriptor use only; access to the object behind the descriptor is checked by separate rules | |
90 | ') | |
91 | ||
92 | ######################################## | |
93 | ## <summary> | |
94 | ## Read from an unnamed dpkg pipe. | |
95 | ## </summary> | |
96 | ## <param name="domain"> | |
97 | ## <summary> | |
98 | ## The type of the process performing this action. | |
99 | ## </summary> | |
100 | ## </param> | |
101 | # | |
102 | interface(`dpkg_read_pipes',` | |
103 | gen_require(` | |
104 | type dpkg_t; | |
105 | ') | |
106 | ||
c0868a7a | 107 | allow $1 dpkg_t:fifo_file read_fifo_file_perms; # read side only; no fd use is granted here, see dpkg_use_fds for inheriting the descriptor |
0c54fcf8 CP |
108 | ') |
109 | ||
110 | ######################################## | |
111 | ## <summary> | |
112 | ## Read and write an unnamed dpkg pipe. | |
113 | ## </summary> | |
114 | ## <param name="domain"> | |
115 | ## <summary> | |
116 | ## The type of the process performing this action. | |
117 | ## </summary> | |
118 | ## </param> | |
119 | # | |
120 | interface(`dpkg_rw_pipes',` | |
121 | gen_require(` | |
122 | type dpkg_t; | |
123 | ') | |
124 | ||
c0868a7a | 125 | allow $1 dpkg_t:fifo_file rw_fifo_file_perms; # read and write; no fd use is granted here, see dpkg_use_fds for inheriting the descriptor |
0c54fcf8 CP |
126 | ') |
127 | ||
128 | ######################################## | |
129 | ## <summary> | |
130 | ## Inherit and use file descriptors from dpkg scripts. | |
131 | ## </summary> | |
132 | ## <param name="domain"> | |
133 | ## <summary> | |
134 | ## The type of the process performing this action. | |
135 | ## </summary> | |
136 | ## </param> | |
137 | # | |
138 | interface(`dpkg_use_script_fds',` | |
139 | gen_require(` | |
140 | type dpkg_script_t; | |
141 | ') | |
142 | ||
143 | allow $1 dpkg_script_t:fd use; # descriptor use only; access to the object behind the descriptor is checked by separate rules | |
144 | ') | |
145 | ||
146 | ######################################## | |
147 | ## <summary> | |
148 | ## Read the dpkg package database (files and symbolic links labeled dpkg_var_lib_t). | |
149 | ## </summary> | |
150 | ## <param name="domain"> | |
151 | ## <summary> | |
152 | ## The type of the process performing this action. | |
153 | ## </summary> | |
154 | ## </param> | |
155 | # | |
156 | interface(`dpkg_read_db',` | |
157 | gen_require(` | |
158 | type dpkg_var_lib_t; | |
159 | ') | |
160 | ||
161 | files_search_var_lib($1) # directory search to reach the database (presumably through the generic var lib directories; confirm) | |
c0868a7a | 162 | allow $1 dpkg_var_lib_t:dir list_dir_perms; # list the database directories |
0bfccda4 CP |
163 | read_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t) |
164 | read_lnk_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t) # read-only throughout; no write or create permission is granted by this interface | |
0c54fcf8 CP |
165 | ') |
166 | ||
167 | ######################################## | |
168 | ## <summary> | |
169 | ## Create, read, write, and delete the dpkg package database. | |
170 | ## </summary> | |
171 | ## <param name="domain"> | |
172 | ## <summary> | |
173 | ## The type of the process performing this action. | |
174 | ## </summary> | |
175 | ## </param> | |
176 | # | |
177 | interface(`dpkg_manage_db',` | |
178 | gen_require(` | |
179 | type dpkg_var_lib_t; | |
180 | ') | |
181 | ||
182 | files_search_var_lib($1) # directory search to reach the database (presumably through the generic var lib directories; confirm) | |
0bfccda4 CP |
183 | manage_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t) # NOTE(review): integrity-sensitive - the caller can rewrite the package database, so keep the list of callers short |
184 | manage_lnk_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t) # same for symbolic links; no rule here names directory create or delete | |
0c54fcf8 CP |
185 | ') |
186 | ||
187 | ######################################## | |
188 | ## <summary> | |
189 | ## Do not audit attempts to create, read, | |
190 | ## write, and delete the dpkg package database. | |
191 | ## </summary> | |
192 | ## <param name="domain"> | |
193 | ## <summary> | |
194 | ## Domain to not audit. | |
195 | ## </summary> | |
196 | ## </param> | |
197 | # | |
198 | interface(`dpkg_dontaudit_manage_db',` | |
199 | gen_require(` | |
200 | type dpkg_var_lib_t; | |
201 | ') | |
202 | ||
203 | dontaudit $1 dpkg_var_lib_t:dir rw_dir_perms; # dontaudit suppresses the audit record only; the access itself is still denied | |
204 | dontaudit $1 dpkg_var_lib_t:file manage_file_perms; | |
c0868a7a | 205 | dontaudit $1 dpkg_var_lib_t:lnk_file manage_lnk_file_perms; # NOTE(review): these denials will not reach the audit log; rebuild with dontaudit rules disabled (semodule -DB) when investigating access to the package database |
0c54fcf8 CP |
206 | ') |
207 | ||
208 | ######################################## | |
209 | ## <summary> | |
210 | ## Lock the dpkg package database. | |
211 | ## </summary> | |
212 | ## <param name="domain"> | |
213 | ## <summary> | |
214 | ## The type of the process performing this action. | |
215 | ## </summary> | |
216 | ## </param> | |
217 | # | |
218 | interface(`dpkg_lock_db',` | |
219 | gen_require(` | |
ff4085da | 220 | type dpkg_lock_t, dpkg_var_lib_t; |
0c54fcf8 CP |
221 | ') |
222 | ||
223 | files_search_var_lib($1) # directory search to reach the database (presumably through the generic var lib directories; confirm) | |
c0868a7a | 224 | allow $1 dpkg_var_lib_t:dir list_dir_perms; # list only; no write to the database directory is granted here |
82d2775c | 225 | allow $1 dpkg_lock_t:file manage_file_perms; # NOTE(review): manage_file_perms is broader than taking a lock - it normally also covers create, write and unlink of the lock file; confirm callers need all of it |
0c54fcf8 | 226 | ') |