[people/stevee/selinux-policy.git] / policy / modules / admin / dpkg.te

policy_module(dpkg, 1.7.0)

########################################
#
# Declarations
#

type dpkg_t;
type dpkg_exec_t;
# dpkg can start/stop services
init_system_domain(dpkg_t, dpkg_exec_t)
# dpkg can change file labels, roles, IO
domain_obj_id_change_exemption(dpkg_t)
domain_role_change_exemption(dpkg_t)
domain_system_change_exemption(dpkg_t)
domain_interactive_fd(dpkg_t)
role system_r types dpkg_t;

# lockfile
type dpkg_lock_t;
files_lock_file(dpkg_lock_t)

type dpkg_tmp_t;
files_tmp_file(dpkg_tmp_t)

type dpkg_tmpfs_t;
files_tmpfs_file(dpkg_tmpfs_t)

# status files
type dpkg_var_lib_t alias var_lib_dpkg_t;
files_type(dpkg_var_lib_t)

# package scripts
type dpkg_script_t;
domain_type(dpkg_script_t)
domain_entry_file(dpkg_t, dpkg_var_lib_t)
corecmd_shell_entry_type(dpkg_script_t)
domain_obj_id_change_exemption(dpkg_script_t)
domain_system_change_exemption(dpkg_script_t)
domain_interactive_fd(dpkg_script_t)
role system_r types dpkg_script_t;

type dpkg_script_tmp_t;
files_tmp_file(dpkg_script_tmp_t)

type dpkg_script_tmpfs_t;
files_tmpfs_file(dpkg_script_tmpfs_t)

########################################
#
# dpkg Local policy
#

allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
allow dpkg_t self:process { setpgid fork getsched setfscreate };
allow dpkg_t self:fd use;
allow dpkg_t self:fifo_file rw_fifo_file_perms;
allow dpkg_t self:unix_dgram_socket create_socket_perms;
allow dpkg_t self:unix_stream_socket rw_stream_socket_perms;
allow dpkg_t self:unix_dgram_socket sendto;
allow dpkg_t self:unix_stream_socket connectto;
allow dpkg_t self:udp_socket { connect create_socket_perms };
allow dpkg_t self:tcp_socket create_stream_socket_perms;
allow dpkg_t self:shm create_shm_perms;
allow dpkg_t self:sem create_sem_perms;
allow dpkg_t self:msgq create_msgq_perms;
allow dpkg_t self:msg { send receive };

allow dpkg_t dpkg_lock_t:file manage_file_perms;

manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir })

manage_dirs_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
manage_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
manage_lnk_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
manage_sock_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
manage_fifo_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
fs_tmpfs_filetrans(dpkg_t, dpkg_tmpfs_t, { dir file lnk_file sock_file fifo_file })

# Access /var/lib/dpkg files
manage_files_pattern(dpkg_t, dpkg_var_lib_t, dpkg_var_lib_t)
files_var_lib_filetrans(dpkg_t, dpkg_var_lib_t, dir)

kernel_read_system_state(dpkg_t)
kernel_read_kernel_sysctls(dpkg_t)

corecmd_exec_all_executables(dpkg_t)

# TODO: do we really need all networking?
corenet_all_recvfrom_unlabeled(dpkg_t)
corenet_all_recvfrom_netlabel(dpkg_t)
corenet_tcp_sendrecv_generic_if(dpkg_t)
corenet_raw_sendrecv_generic_if(dpkg_t)
corenet_udp_sendrecv_generic_if(dpkg_t)
corenet_tcp_sendrecv_generic_node(dpkg_t)
corenet_raw_sendrecv_generic_node(dpkg_t)
corenet_udp_sendrecv_generic_node(dpkg_t)
corenet_tcp_sendrecv_all_ports(dpkg_t)
corenet_udp_sendrecv_all_ports(dpkg_t)
corenet_tcp_connect_all_ports(dpkg_t)
corenet_sendrecv_all_client_packets(dpkg_t)

dev_list_sysfs(dpkg_t)
dev_list_usbfs(dpkg_t)
dev_read_urand(dpkg_t)
#devices_manage_all_device_types(dpkg_t)

domain_read_all_domains_state(dpkg_t)
domain_getattr_all_domains(dpkg_t)
domain_dontaudit_ptrace_all_domains(dpkg_t)
domain_use_interactive_fds(dpkg_t)
domain_dontaudit_getattr_all_pipes(dpkg_t)
domain_dontaudit_getattr_all_tcp_sockets(dpkg_t)
domain_dontaudit_getattr_all_udp_sockets(dpkg_t)
domain_dontaudit_getattr_all_packet_sockets(dpkg_t)
domain_dontaudit_getattr_all_raw_sockets(dpkg_t)
domain_dontaudit_getattr_all_stream_sockets(dpkg_t)
domain_dontaudit_getattr_all_dgram_sockets(dpkg_t)

fs_manage_nfs_dirs(dpkg_t)
fs_manage_nfs_files(dpkg_t)
fs_manage_nfs_symlinks(dpkg_t)
fs_getattr_all_fs(dpkg_t)
fs_search_auto_mountpoints(dpkg_t)

mls_file_read_all_levels(dpkg_t)
mls_file_write_all_levels(dpkg_t)
mls_file_upgrade(dpkg_t)

selinux_get_fs_mount(dpkg_t)
selinux_validate_context(dpkg_t)
selinux_compute_access_vector(dpkg_t)
selinux_compute_create_context(dpkg_t)
selinux_compute_relabel_context(dpkg_t)
selinux_compute_user_contexts(dpkg_t)

storage_raw_write_fixed_disk(dpkg_t)
# for installing kernel packages
storage_raw_read_fixed_disk(dpkg_t)

auth_relabel_all_files_except_shadow(dpkg_t)
auth_manage_all_files_except_shadow(dpkg_t)
auth_dontaudit_read_shadow(dpkg_t)

files_exec_etc_files(dpkg_t)

init_domtrans_script(dpkg_t)
init_use_script_ptys(dpkg_t)

libs_exec_ld_so(dpkg_t)
libs_exec_lib_files(dpkg_t)
libs_domtrans_ldconfig(dpkg_t)

logging_send_syslog_msg(dpkg_t)

# allow compiling and loading new policy
seutil_manage_src_policy(dpkg_t)
seutil_manage_bin_policy(dpkg_t)

sysnet_read_config(dpkg_t)

userdom_use_inherited_user_terminals(dpkg_t)
userdom_use_unpriv_users_fds(dpkg_t)

# transition to dpkg script:
dpkg_domtrans_script(dpkg_t)
# since the scripts aren't labeled correctly yet...
allow dpkg_t dpkg_var_lib_t:file mmap_file_perms;

# TODO: allow?
#optional_policy(`
#	cron_system_entry(dpkg_t,dpkg_exec_t)
#')

optional_policy(`
	nis_use_ypbind(dpkg_t)
')

optional_policy(`
	unconfined_domain(dpkg_t)
')

# TODO: the following was copied from dpkg_script_t, and could probably
# be removed again when dpkg_script_t is actually used...
domain_signal_all_domains(dpkg_t)
domain_signull_all_domains(dpkg_t)
files_read_etc_runtime_files(dpkg_t)
files_exec_usr_files(dpkg_t)
miscfiles_read_localization(dpkg_t)
seutil_domtrans_loadpolicy(dpkg_t)
seutil_domtrans_setfiles(dpkg_t)
userdom_use_all_users_fds(dpkg_t)

optional_policy(`
	mta_send_mail(dpkg_t)
')

optional_policy(`
	modutils_domtrans_depmod(dpkg_t)
	modutils_domtrans_insmod(dpkg_t)
')

optional_policy(`
	usermanage_domtrans_groupadd(dpkg_t)
	usermanage_domtrans_useradd(dpkg_t)
')

########################################
#
# dpkg-script Local policy
#
# TODO: actually use dpkg_script_t

allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow dpkg_script_t self:fd use;
allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
allow dpkg_script_t self:unix_stream_socket rw_stream_socket_perms;
allow dpkg_script_t self:unix_dgram_socket sendto;
allow dpkg_script_t self:unix_stream_socket connectto;
allow dpkg_script_t self:shm create_shm_perms;
allow dpkg_script_t self:sem create_sem_perms;
allow dpkg_script_t self:msgq create_msgq_perms;
allow dpkg_script_t self:msg { send receive };

allow dpkg_script_t dpkg_tmp_t:file read_file_perms;

allow dpkg_script_t dpkg_script_tmp_t:dir { manage_dir_perms mounton };
allow dpkg_script_t dpkg_script_tmp_t:file manage_file_perms;
files_tmp_filetrans(dpkg_script_t, dpkg_script_tmp_t, { file dir })

allow dpkg_script_t dpkg_script_tmpfs_t:dir manage_dir_perms;
allow dpkg_script_t dpkg_script_tmpfs_t:file manage_file_perms;
allow dpkg_script_t dpkg_script_tmpfs_t:lnk_file manage_lnk_file_perms;
allow dpkg_script_t dpkg_script_tmpfs_t:sock_file manage_sock_file_perms;
allow dpkg_script_t dpkg_script_tmpfs_t:fifo_file manage_fifo_file_perms;
fs_tmpfs_filetrans(dpkg_script_t, dpkg_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })

kernel_read_kernel_sysctls(dpkg_script_t)
kernel_read_system_state(dpkg_script_t)

corecmd_exec_all_executables(dpkg_script_t)

dev_list_sysfs(dpkg_script_t)
# ideally we would not need this
dev_manage_generic_blk_files(dpkg_script_t)
dev_manage_generic_chr_files(dpkg_script_t)
dev_manage_all_blk_files(dpkg_script_t)
dev_manage_all_chr_files(dpkg_script_t)

domain_read_all_domains_state(dpkg_script_t)
domain_getattr_all_domains(dpkg_script_t)
domain_dontaudit_ptrace_all_domains(dpkg_script_t)
domain_use_interactive_fds(dpkg_script_t)
domain_signal_all_domains(dpkg_script_t)
domain_signull_all_domains(dpkg_script_t)

files_exec_etc_files(dpkg_script_t)
files_read_etc_runtime_files(dpkg_script_t)
files_exec_usr_files(dpkg_script_t)

fs_manage_nfs_files(dpkg_script_t)
fs_getattr_nfs(dpkg_script_t)
# why is this not using mount?
fs_getattr_xattr_fs(dpkg_script_t)
fs_mount_xattr_fs(dpkg_script_t)
fs_unmount_xattr_fs(dpkg_script_t)
fs_search_auto_mountpoints(dpkg_script_t)

mls_file_read_all_levels(dpkg_script_t)
mls_file_write_all_levels(dpkg_script_t)

selinux_get_fs_mount(dpkg_script_t)
selinux_validate_context(dpkg_script_t)
selinux_compute_access_vector(dpkg_script_t)
selinux_compute_create_context(dpkg_script_t)
selinux_compute_relabel_context(dpkg_script_t)
selinux_compute_user_contexts(dpkg_script_t)

storage_raw_read_fixed_disk(dpkg_script_t)
storage_raw_write_fixed_disk(dpkg_script_t)

term_use_all_inherited_terms(dpkg_script_t)

auth_dontaudit_getattr_shadow(dpkg_script_t)
# ideally we would not need this
auth_manage_all_files_except_shadow(dpkg_script_t)

init_domtrans_script(dpkg_script_t)
init_use_script_fds(dpkg_script_t)

libs_exec_ld_so(dpkg_script_t)
libs_exec_lib_files(dpkg_script_t)
libs_domtrans_ldconfig(dpkg_script_t)

logging_send_syslog_msg(dpkg_script_t)

miscfiles_read_localization(dpkg_script_t)

seutil_domtrans_loadpolicy(dpkg_script_t)
seutil_domtrans_setfiles(dpkg_script_t)

userdom_use_all_users_fds(dpkg_script_t)

tunable_policy(`allow_execmem',`
	allow dpkg_script_t self:process execmem;
')

optional_policy(`
	bootloader_domtrans(dpkg_script_t)
')

optional_policy(`
	modutils_domtrans_depmod(dpkg_script_t)
	modutils_domtrans_insmod(dpkg_script_t)
')

optional_policy(`
	mta_send_mail(dpkg_script_t)
')

optional_policy(`
	nis_use_ypbind(dpkg_script_t)
')

optional_policy(`
	unconfined_domain(dpkg_script_t)
')

optional_policy(`
	usermanage_domtrans_groupadd(dpkg_script_t)
	usermanage_domtrans_useradd(dpkg_script_t)
')
Commit	Line	Data
9570b288	1	policy_module(dpkg, 1.7.0)
0c54fcf8 CP	2
	3	########################################
	4	#
	5	# Declarations
	6	#
	7
	8	type dpkg_t;
	9	type dpkg_exec_t;
	10	# dpkg can start/stop services
0bfccda4	11	init_system_domain(dpkg_t, dpkg_exec_t)
0c54fcf8 CP	12	# dpkg can change file labels, roles, IO
	13	domain_obj_id_change_exemption(dpkg_t)
	14	domain_role_change_exemption(dpkg_t)
	15	domain_system_change_exemption(dpkg_t)
	16	domain_interactive_fd(dpkg_t)
	17	role system_r types dpkg_t;
	18
	19	# lockfile
	20	type dpkg_lock_t;
f673c046	21	files_lock_file(dpkg_lock_t)
0c54fcf8 CP	22
	23	type dpkg_tmp_t;
	24	files_tmp_file(dpkg_tmp_t)
	25
	26	type dpkg_tmpfs_t;
	27	files_tmpfs_file(dpkg_tmpfs_t)
	28
	29	# status files
	30	type dpkg_var_lib_t alias var_lib_dpkg_t;
	31	files_type(dpkg_var_lib_t)
	32
	33	# package scripts
	34	type dpkg_script_t;
	35	domain_type(dpkg_script_t)
	36	domain_entry_file(dpkg_t, dpkg_var_lib_t)
	37	corecmd_shell_entry_type(dpkg_script_t)
	38	domain_obj_id_change_exemption(dpkg_script_t)
	39	domain_system_change_exemption(dpkg_script_t)
	40	domain_interactive_fd(dpkg_script_t)
	41	role system_r types dpkg_script_t;
	42
	43	type dpkg_script_tmp_t;
	44	files_tmp_file(dpkg_script_tmp_t)
	45
	46	type dpkg_script_tmpfs_t;
	47	files_tmpfs_file(dpkg_script_tmpfs_t)
	48
	49	########################################
	50	#
	51	# dpkg Local policy
	52	#
	53
	54	allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
	55	allow dpkg_t self:process { setpgid fork getsched setfscreate };
	56	allow dpkg_t self:fd use;
c0868a7a	57	allow dpkg_t self:fifo_file rw_fifo_file_perms;
0c54fcf8 CP	58	allow dpkg_t self:unix_dgram_socket create_socket_perms;
	59	allow dpkg_t self:unix_stream_socket rw_stream_socket_perms;
	60	allow dpkg_t self:unix_dgram_socket sendto;
	61	allow dpkg_t self:unix_stream_socket connectto;
	62	allow dpkg_t self:udp_socket { connect create_socket_perms };
	63	allow dpkg_t self:tcp_socket create_stream_socket_perms;
	64	allow dpkg_t self:shm create_shm_perms;
	65	allow dpkg_t self:sem create_sem_perms;
	66	allow dpkg_t self:msgq create_msgq_perms;
	67	allow dpkg_t self:msg { send receive };
	68
	69	allow dpkg_t dpkg_lock_t:file manage_file_perms;
	70
0bfccda4 CP	71	manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
0bfccda4 CP	72	manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
0c54fcf8 CP	73	files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir })
0c54fcf8 CP	74
0bfccda4 CP	75	manage_dirs_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
	76	manage_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
	77	manage_lnk_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
	78	manage_sock_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
	79	manage_fifo_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t)
	80	fs_tmpfs_filetrans(dpkg_t, dpkg_tmpfs_t, { dir file lnk_file sock_file fifo_file })
0c54fcf8 CP	81
0c54fcf8 CP	82	# Access /var/lib/dpkg files
0bfccda4 CP	83	manage_files_pattern(dpkg_t, dpkg_var_lib_t, dpkg_var_lib_t)
0bfccda4 CP	84	files_var_lib_filetrans(dpkg_t, dpkg_var_lib_t, dir)
0c54fcf8 CP	85
	86	kernel_read_system_state(dpkg_t)
	87	kernel_read_kernel_sysctls(dpkg_t)
	88
fb63d0b5	89	corecmd_exec_all_executables(dpkg_t)
0c54fcf8 CP	90
0c54fcf8 CP	91	# TODO: do we really need all networking?
19006686 CP	92	corenet_all_recvfrom_unlabeled(dpkg_t)
19006686 CP	93	corenet_all_recvfrom_netlabel(dpkg_t)
668b3093 CP	94	corenet_tcp_sendrecv_generic_if(dpkg_t)
	95	corenet_raw_sendrecv_generic_if(dpkg_t)
	96	corenet_udp_sendrecv_generic_if(dpkg_t)
c1262146 CP	97	corenet_tcp_sendrecv_generic_node(dpkg_t)
	98	corenet_raw_sendrecv_generic_node(dpkg_t)
	99	corenet_udp_sendrecv_generic_node(dpkg_t)
0c54fcf8 CP	100	corenet_tcp_sendrecv_all_ports(dpkg_t)
0c54fcf8 CP	101	corenet_udp_sendrecv_all_ports(dpkg_t)
0c54fcf8	102	corenet_tcp_connect_all_ports(dpkg_t)
9d0c9b3e	103	corenet_sendrecv_all_client_packets(dpkg_t)
0c54fcf8 CP	104
	105	dev_list_sysfs(dpkg_t)
	106	dev_list_usbfs(dpkg_t)
	107	dev_read_urand(dpkg_t)
	108	#devices_manage_all_device_types(dpkg_t)
	109
0c54fcf8 CP	110	domain_read_all_domains_state(dpkg_t)
	111	domain_getattr_all_domains(dpkg_t)
	112	domain_dontaudit_ptrace_all_domains(dpkg_t)
	113	domain_use_interactive_fds(dpkg_t)
	114	domain_dontaudit_getattr_all_pipes(dpkg_t)
	115	domain_dontaudit_getattr_all_tcp_sockets(dpkg_t)
	116	domain_dontaudit_getattr_all_udp_sockets(dpkg_t)
	117	domain_dontaudit_getattr_all_packet_sockets(dpkg_t)
	118	domain_dontaudit_getattr_all_raw_sockets(dpkg_t)
	119	domain_dontaudit_getattr_all_stream_sockets(dpkg_t)
	120	domain_dontaudit_getattr_all_dgram_sockets(dpkg_t)
	121
	122	fs_manage_nfs_dirs(dpkg_t)
	123	fs_manage_nfs_files(dpkg_t)
	124	fs_manage_nfs_symlinks(dpkg_t)
	125	fs_getattr_all_fs(dpkg_t)
	126	fs_search_auto_mountpoints(dpkg_t)
	127
f8233ab7 CP	128	mls_file_read_all_levels(dpkg_t)
f8233ab7 CP	129	mls_file_write_all_levels(dpkg_t)
0c54fcf8 CP	130	mls_file_upgrade(dpkg_t)
	131
	132	selinux_get_fs_mount(dpkg_t)
	133	selinux_validate_context(dpkg_t)
	134	selinux_compute_access_vector(dpkg_t)
	135	selinux_compute_create_context(dpkg_t)
	136	selinux_compute_relabel_context(dpkg_t)
	137	selinux_compute_user_contexts(dpkg_t)
	138
	139	storage_raw_write_fixed_disk(dpkg_t)
	140	# for installing kernel packages
	141	storage_raw_read_fixed_disk(dpkg_t)
	142
0c54fcf8 CP	143	auth_relabel_all_files_except_shadow(dpkg_t)
	144	auth_manage_all_files_except_shadow(dpkg_t)
	145	auth_dontaudit_read_shadow(dpkg_t)
	146
	147	files_exec_etc_files(dpkg_t)
	148
	149	init_domtrans_script(dpkg_t)
e065ac8a	150	init_use_script_ptys(dpkg_t)
0c54fcf8	151
0c54fcf8 CP	152	libs_exec_ld_so(dpkg_t)
	153	libs_exec_lib_files(dpkg_t)
	154	libs_domtrans_ldconfig(dpkg_t)
	155
	156	logging_send_syslog_msg(dpkg_t)
	157
	158	# allow compiling and loading new policy
	159	seutil_manage_src_policy(dpkg_t)
	160	seutil_manage_bin_policy(dpkg_t)
	161
	162	sysnet_read_config(dpkg_t)
	163
af2d8802	164	userdom_use_inherited_user_terminals(dpkg_t)
0c54fcf8 CP	165	userdom_use_unpriv_users_fds(dpkg_t)
	166
	167	# transition to dpkg script:
	168	dpkg_domtrans_script(dpkg_t)
	169	# since the scripts aren't labeled correctly yet...
0b36a214	170	allow dpkg_t dpkg_var_lib_t:file mmap_file_perms;
0c54fcf8	171
0c54fcf8	172	# TODO: allow?
bb7170f6	173	#optional_policy(`
0c54fcf8 CP	174	# cron_system_entry(dpkg_t,dpkg_exec_t)
	175	#')
	176
bb7170f6	177	optional_policy(`
0c54fcf8 CP	178	nis_use_ypbind(dpkg_t)
	179	')
	180
350b6ab7 CP	181	optional_policy(`
	182	unconfined_domain(dpkg_t)
	183	')
	184
0c54fcf8 CP	185	# TODO: the following was copied from dpkg_script_t, and could probably
	186	# be removed again when dpkg_script_t is actually used...
	187	domain_signal_all_domains(dpkg_t)
	188	domain_signull_all_domains(dpkg_t)
	189	files_read_etc_runtime_files(dpkg_t)
	190	files_exec_usr_files(dpkg_t)
	191	miscfiles_read_localization(dpkg_t)
0c54fcf8	192	seutil_domtrans_loadpolicy(dpkg_t)
762d2cb9	193	seutil_domtrans_setfiles(dpkg_t)
0c54fcf8	194	userdom_use_all_users_fds(dpkg_t)
2371d8d8	195
bb7170f6	196	optional_policy(`
0c54fcf8 CP	197	mta_send_mail(dpkg_t)
0c54fcf8 CP	198	')
2371d8d8 MG	199
	200	optional_policy(`
	201	modutils_domtrans_depmod(dpkg_t)
	202	modutils_domtrans_insmod(dpkg_t)
	203	')
	204
bb7170f6	205	optional_policy(`
0c54fcf8 CP	206	usermanage_domtrans_groupadd(dpkg_t)
	207	usermanage_domtrans_useradd(dpkg_t)
	208	')
	209
	210	########################################
	211	#
	212	# dpkg-script Local policy
	213	#
	214	# TODO: actually use dpkg_script_t
	215
	216	allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
	217	allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
	218	allow dpkg_script_t self:fd use;
ef659a47	219	allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
0c54fcf8 CP	220	allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
	221	allow dpkg_script_t self:unix_stream_socket rw_stream_socket_perms;
	222	allow dpkg_script_t self:unix_dgram_socket sendto;
	223	allow dpkg_script_t self:unix_stream_socket connectto;
	224	allow dpkg_script_t self:shm create_shm_perms;
	225	allow dpkg_script_t self:sem create_sem_perms;
	226	allow dpkg_script_t self:msgq create_msgq_perms;
	227	allow dpkg_script_t self:msg { send receive };
	228
ef659a47	229	allow dpkg_script_t dpkg_tmp_t:file read_file_perms;
0c54fcf8 CP	230
	231	allow dpkg_script_t dpkg_script_tmp_t:dir { manage_dir_perms mounton };
	232	allow dpkg_script_t dpkg_script_tmp_t:file manage_file_perms;
	233	files_tmp_filetrans(dpkg_script_t, dpkg_script_tmp_t, { file dir })
	234
	235	allow dpkg_script_t dpkg_script_tmpfs_t:dir manage_dir_perms;
	236	allow dpkg_script_t dpkg_script_tmpfs_t:file manage_file_perms;
ef659a47 CP	237	allow dpkg_script_t dpkg_script_tmpfs_t:lnk_file manage_lnk_file_perms;
	238	allow dpkg_script_t dpkg_script_tmpfs_t:sock_file manage_sock_file_perms;
	239	allow dpkg_script_t dpkg_script_tmpfs_t:fifo_file manage_fifo_file_perms;
0bfccda4	240	fs_tmpfs_filetrans(dpkg_script_t, dpkg_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
0c54fcf8 CP	241
	242	kernel_read_kernel_sysctls(dpkg_script_t)
	243	kernel_read_system_state(dpkg_script_t)
	244
fb63d0b5	245	corecmd_exec_all_executables(dpkg_script_t)
0c54fcf8 CP	246
	247	dev_list_sysfs(dpkg_script_t)
	248	# ideally we would not need this
	249	dev_manage_generic_blk_files(dpkg_script_t)
	250	dev_manage_generic_chr_files(dpkg_script_t)
	251	dev_manage_all_blk_files(dpkg_script_t)
	252	dev_manage_all_chr_files(dpkg_script_t)
	253
	254	domain_read_all_domains_state(dpkg_script_t)
	255	domain_getattr_all_domains(dpkg_script_t)
	256	domain_dontaudit_ptrace_all_domains(dpkg_script_t)
	257	domain_use_interactive_fds(dpkg_script_t)
0c54fcf8 CP	258	domain_signal_all_domains(dpkg_script_t)
	259	domain_signull_all_domains(dpkg_script_t)
	260
	261	files_exec_etc_files(dpkg_script_t)
	262	files_read_etc_runtime_files(dpkg_script_t)
	263	files_exec_usr_files(dpkg_script_t)
	264
	265	fs_manage_nfs_files(dpkg_script_t)
	266	fs_getattr_nfs(dpkg_script_t)
	267	# why is this not using mount?
	268	fs_getattr_xattr_fs(dpkg_script_t)
	269	fs_mount_xattr_fs(dpkg_script_t)
	270	fs_unmount_xattr_fs(dpkg_script_t)
	271	fs_search_auto_mountpoints(dpkg_script_t)
	272
f8233ab7 CP	273	mls_file_read_all_levels(dpkg_script_t)
f8233ab7 CP	274	mls_file_write_all_levels(dpkg_script_t)
0c54fcf8 CP	275
	276	selinux_get_fs_mount(dpkg_script_t)
	277	selinux_validate_context(dpkg_script_t)
	278	selinux_compute_access_vector(dpkg_script_t)
	279	selinux_compute_create_context(dpkg_script_t)
	280	selinux_compute_relabel_context(dpkg_script_t)
	281	selinux_compute_user_contexts(dpkg_script_t)
	282
	283	storage_raw_read_fixed_disk(dpkg_script_t)
	284	storage_raw_write_fixed_disk(dpkg_script_t)
	285
af2d8802	286	term_use_all_inherited_terms(dpkg_script_t)
0c54fcf8 CP	287
	288	auth_dontaudit_getattr_shadow(dpkg_script_t)
	289	# ideally we would not need this
	290	auth_manage_all_files_except_shadow(dpkg_script_t)
	291
	292	init_domtrans_script(dpkg_script_t)
e065ac8a	293	init_use_script_fds(dpkg_script_t)
0c54fcf8	294
0c54fcf8 CP	295	libs_exec_ld_so(dpkg_script_t)
	296	libs_exec_lib_files(dpkg_script_t)
	297	libs_domtrans_ldconfig(dpkg_script_t)
	298
	299	logging_send_syslog_msg(dpkg_script_t)
	300
	301	miscfiles_read_localization(dpkg_script_t)
	302
0c54fcf8	303	seutil_domtrans_loadpolicy(dpkg_script_t)
762d2cb9	304	seutil_domtrans_setfiles(dpkg_script_t)
0c54fcf8 CP	305
	306	userdom_use_all_users_fds(dpkg_script_t)
	307
0c54fcf8 CP	308	tunable_policy(`allow_execmem',`
	309	allow dpkg_script_t self:process execmem;
	310	')
	311
350b6ab7 CP	312	optional_policy(`
	313	bootloader_domtrans(dpkg_script_t)
	314	')
	315
2371d8d8 MG	316	optional_policy(`
	317	modutils_domtrans_depmod(dpkg_script_t)
	318	modutils_domtrans_insmod(dpkg_script_t)
	319	')
	320
bb7170f6	321	optional_policy(`
0c54fcf8 CP	322	mta_send_mail(dpkg_script_t)
	323	')
	324
bb7170f6	325	optional_policy(`
0c54fcf8 CP	326	nis_use_ypbind(dpkg_script_t)
	327	')
	328
350b6ab7 CP	329	optional_policy(`
	330	unconfined_domain(dpkg_script_t)
	331	')
	332
bb7170f6	333	optional_policy(`
0c54fcf8 CP	334	usermanage_domtrans_groupadd(dpkg_script_t)
	335	usermanage_domtrans_useradd(dpkg_script_t)
	336	')