## <summary>Policy for the Debian package manager.</summary>
# TODO: need debconf policy
# TODO: need install-menu policy
########################################
## <summary>
##	Execute dpkg programs in the dpkg domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`dpkg_domtrans',`
	gen_require(`
		type dpkg_t;
		type dpkg_exec_t;
	')

	# The caller has to be able to reach the dpkg executable
	# before it can run it.
	corecmd_search_bin($1)
	files_search_usr($1)

	# Executing a dpkg_exec_t file moves the caller from $1 into
	# dpkg_t. This interface does not authorize any role for
	# dpkg_t; dpkg_run does that for user roles.
	domtrans_pattern($1, dpkg_exec_t, dpkg_t)
')
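########################################
## <summary>
##	Execute dpkg_script programs in the dpkg_script domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`dpkg_domtrans_script',`
	gen_require(`
		type dpkg_script_t;
	')

	# Transition to dpkg_script_t through the shell entrypoint.
	# NOTE(review): this keys on shell execution by $1 in general,
	# so the interface belongs on package-management domains only.
	corecmd_shell_domtrans($1, dpkg_script_t)

	# The script domain keeps using what it inherits from its
	# caller (descriptors and pipes) and may signal its exit.
	allow dpkg_script_t $1:fd use;
	# fifo_file takes the fifo-specific permission set, as in
	# dpkg_rw_pipes, rather than the regular-file set rw_file_perms.
	# NOTE(review): the effective permission list depends on how
	# this tree defines the two sets; confirm they match.
	allow dpkg_script_t $1:fifo_file rw_fifo_file_perms;
	allow dpkg_script_t $1:process sigchld;
')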
########################################
## <summary>
##	Execute dpkg programs in the dpkg domain, and
##	allow the specified role the dpkg domains.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed the dpkg and dpkg script domains.
##	</summary>
## </param>
## <rolecap/>
#
interface(`dpkg_run',`
	gen_require(`
		type dpkg_t;
		type dpkg_script_t;
	')

	# Role $2 is authorized for both dpkg domains.
	role $2 types { dpkg_t dpkg_script_t };
	dpkg_domtrans($1)

	# The dpkg script domain may run load_policy under role $2.
	# That makes this a high-privilege grant: give it only to
	# roles already trusted to change the loaded policy.
	seutil_run_loadpolicy(dpkg_script_t, $2)
')
########################################
## <summary>
##	Inherit and use file descriptors from dpkg.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dpkg_use_fds',`
	gen_require(`
		type dpkg_t;
	')

	# Grants only the fd class "use" permission. Access to the
	# object behind an inherited descriptor still needs its own
	# rule (see dpkg_read_pipes and dpkg_rw_pipes for pipes).
	allow $1 dpkg_t:fd { use };
')
########################################
## <summary>
##	Read from an unnamed dpkg pipe.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dpkg_read_pipes',`
	gen_require(`
		type dpkg_t;
	')

	# Read-only access to pipes labeled dpkg_t; the caller cannot
	# write back to dpkg through them with this rule alone.
	allow $1 dpkg_t:fifo_file { read_fifo_file_perms };
')
########################################
## <summary>
##	Read and write an unnamed dpkg pipe.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dpkg_rw_pipes',`
	gen_require(`
		type dpkg_t;
	')

	# Two-way access to pipes labeled dpkg_t. Prefer
	# dpkg_read_pipes when the caller only consumes dpkg output.
	allow $1 dpkg_t:fifo_file { rw_fifo_file_perms };
')
########################################
## <summary>
##	Inherit and use file descriptors from dpkg scripts.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dpkg_use_script_fds',`
	gen_require(`
		type dpkg_script_t;
	')

	# Grants only the fd class "use" permission on descriptors
	# inherited from dpkg_script_t; the objects behind them are
	# governed by separate rules.
	allow $1 dpkg_script_t:fd { use };
')
########################################
## <summary>
##	Read the dpkg package database.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dpkg_read_db',`
	gen_require(`
		type dpkg_var_lib_t;
	')

	# Read-only view of the database: files and symlinks labeled
	# dpkg_var_lib_t, plus listing of the directories that hold them.
	read_lnk_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
	read_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
	allow $1 dpkg_var_lib_t:dir list_dir_perms;

	# The caller must also be able to reach the database directory.
	files_search_var_lib($1)
')
########################################
## <summary>
##	Create, read, write, and delete the dpkg package database.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dpkg_manage_db',`
	gen_require(`
		type dpkg_var_lib_t;
	')

	# Full management of files and symlinks labeled dpkg_var_lib_t.
	# A domain holding this can change what the system records as
	# installed, so grant it to package-management domains only;
	# readers should use dpkg_read_db instead.
	manage_lnk_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
	manage_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)

	# The caller must also be able to reach the database directory.
	files_search_var_lib($1)
')
########################################
## <summary>
##	Do not audit attempts to create, read,
##	write, and delete the dpkg package database.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`dpkg_dontaudit_manage_db',`
	gen_require(`
		type dpkg_var_lib_t;
	')

	# These rules grant nothing. The accesses stay denied, but the
	# denials no longer reach the audit log, so a domain probing
	# or tampering with the package database leaves no AVC record.
	# Apply only to domains whose attempts are known noise; when
	# investigating, dontaudit rules can be disabled temporarily
	# (semodule -DB).
	dontaudit $1 dpkg_var_lib_t:lnk_file manage_lnk_file_perms;
	dontaudit $1 dpkg_var_lib_t:file manage_file_perms;
	dontaudit $1 dpkg_var_lib_t:dir rw_dir_perms;
')
########################################
## <summary>
##	Lock the dpkg package database.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`dpkg_lock_db',`
	gen_require(`
		type dpkg_lock_t;
		type dpkg_var_lib_t;
	')

	# NOTE(review): manage_file_perms is broader than taking a
	# lock; it also covers creating and deleting files labeled
	# dpkg_lock_t. Confirm every caller needs the full set.
	allow $1 dpkg_lock_t:file manage_file_perms;

	# Reach and list the database directory; no rule here touches
	# dpkg_var_lib_t files themselves.
	allow $1 dpkg_var_lib_t:dir list_dir_perms;
	files_search_var_lib($1)
')