Commit | Line | Data |
---|---|---|
9570b288 | 1 | policy_module(dpkg, 1.7.0) |
0c54fcf8 CP |
2 | |
3 | ######################################## | |
4 | # | |
5 | # Declarations | |
6 | # | |
7 | ||
8 | type dpkg_t; | |
9 | type dpkg_exec_t; | |
10 | # dpkg can start/stop services | |
0bfccda4 | 11 | init_system_domain(dpkg_t, dpkg_exec_t) |
0c54fcf8 CP |
12 | # dpkg can change file labels, roles, IO |
13 | domain_obj_id_change_exemption(dpkg_t) | |
14 | domain_role_change_exemption(dpkg_t) | |
15 | domain_system_change_exemption(dpkg_t) | |
16 | domain_interactive_fd(dpkg_t) | |
17 | role system_r types dpkg_t; | |
18 | ||
19 | # lockfile | |
20 | type dpkg_lock_t; | |
f673c046 | 21 | files_lock_file(dpkg_lock_t) |
0c54fcf8 CP |
22 | |
23 | type dpkg_tmp_t; | |
24 | files_tmp_file(dpkg_tmp_t) | |
25 | ||
26 | type dpkg_tmpfs_t; | |
27 | files_tmpfs_file(dpkg_tmpfs_t) | |
28 | ||
29 | # status files | |
30 | type dpkg_var_lib_t alias var_lib_dpkg_t; | |
31 | files_type(dpkg_var_lib_t) | |
32 | ||
33 | # package scripts | |
34 | type dpkg_script_t; | |
35 | domain_type(dpkg_script_t) | |
36 | domain_entry_file(dpkg_t, dpkg_var_lib_t) | |
37 | corecmd_shell_entry_type(dpkg_script_t) | |
38 | domain_obj_id_change_exemption(dpkg_script_t) | |
39 | domain_system_change_exemption(dpkg_script_t) | |
40 | domain_interactive_fd(dpkg_script_t) | |
41 | role system_r types dpkg_script_t; | |
42 | ||
43 | type dpkg_script_tmp_t; | |
44 | files_tmp_file(dpkg_script_tmp_t) | |
45 | ||
46 | type dpkg_script_tmpfs_t; | |
47 | files_tmpfs_file(dpkg_script_tmpfs_t) | |
48 | ||
49 | ######################################## | |
50 | # | |
51 | # dpkg Local policy | |
52 | # | |
53 | ||
54 | allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable }; | |
55 | allow dpkg_t self:process { setpgid fork getsched setfscreate }; | |
56 | allow dpkg_t self:fd use; | |
c0868a7a | 57 | allow dpkg_t self:fifo_file rw_fifo_file_perms; |
0c54fcf8 CP |
58 | allow dpkg_t self:unix_dgram_socket create_socket_perms; |
59 | allow dpkg_t self:unix_stream_socket rw_stream_socket_perms; | |
60 | allow dpkg_t self:unix_dgram_socket sendto; | |
61 | allow dpkg_t self:unix_stream_socket connectto; | |
62 | allow dpkg_t self:udp_socket { connect create_socket_perms }; | |
63 | allow dpkg_t self:tcp_socket create_stream_socket_perms; | |
64 | allow dpkg_t self:shm create_shm_perms; | |
65 | allow dpkg_t self:sem create_sem_perms; | |
66 | allow dpkg_t self:msgq create_msgq_perms; | |
67 | allow dpkg_t self:msg { send receive }; | |
68 | ||
69 | allow dpkg_t dpkg_lock_t:file manage_file_perms; | |
70 | ||
0bfccda4 CP |
71 | manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t) |
72 | manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t) | |
0c54fcf8 CP |
73 | files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir }) |
74 | ||
0bfccda4 CP |
75 | manage_dirs_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) |
76 | manage_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) | |
77 | manage_lnk_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) | |
78 | manage_sock_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) | |
79 | manage_fifo_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) | |
80 | fs_tmpfs_filetrans(dpkg_t, dpkg_tmpfs_t, { dir file lnk_file sock_file fifo_file }) | |
0c54fcf8 CP |
81 | |
82 | # Access /var/lib/dpkg files | |
0bfccda4 CP |
83 | manage_files_pattern(dpkg_t, dpkg_var_lib_t, dpkg_var_lib_t) |
84 | files_var_lib_filetrans(dpkg_t, dpkg_var_lib_t, dir) | |
0c54fcf8 CP |
85 | |
86 | kernel_read_system_state(dpkg_t) | |
87 | kernel_read_kernel_sysctls(dpkg_t) | |
88 | ||
fb63d0b5 | 89 | corecmd_exec_all_executables(dpkg_t) |
0c54fcf8 CP |
90 | |
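91 | # TODO: do we really need all networking? The corenet rules below cover TCP, UDP and raw traffic on generic interfaces and nodes, and TCP connections to all ports. | |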
19006686 CP |
92 | corenet_all_recvfrom_unlabeled(dpkg_t) |
93 | corenet_all_recvfrom_netlabel(dpkg_t) | |
668b3093 CP |
94 | corenet_tcp_sendrecv_generic_if(dpkg_t) |
95 | corenet_raw_sendrecv_generic_if(dpkg_t) | |
96 | corenet_udp_sendrecv_generic_if(dpkg_t) | |
c1262146 CP |
97 | corenet_tcp_sendrecv_generic_node(dpkg_t) |
98 | corenet_raw_sendrecv_generic_node(dpkg_t) | |
99 | corenet_udp_sendrecv_generic_node(dpkg_t) | |
0c54fcf8 CP |
100 | corenet_tcp_sendrecv_all_ports(dpkg_t) |
101 | corenet_udp_sendrecv_all_ports(dpkg_t) | |
0c54fcf8 | 102 | corenet_tcp_connect_all_ports(dpkg_t) |
9d0c9b3e | 103 | corenet_sendrecv_all_client_packets(dpkg_t) |
0c54fcf8 CP |
104 | |
105 | dev_list_sysfs(dpkg_t) | |
106 | dev_list_usbfs(dpkg_t) | |
107 | dev_read_urand(dpkg_t) | |
108 | #devices_manage_all_device_types(dpkg_t) | |
109 | ||
0c54fcf8 CP |
110 | domain_read_all_domains_state(dpkg_t) |
111 | domain_getattr_all_domains(dpkg_t) | |
112 | domain_dontaudit_ptrace_all_domains(dpkg_t) | |
113 | domain_use_interactive_fds(dpkg_t) | |
114 | domain_dontaudit_getattr_all_pipes(dpkg_t) | |
115 | domain_dontaudit_getattr_all_tcp_sockets(dpkg_t) | |
116 | domain_dontaudit_getattr_all_udp_sockets(dpkg_t) | |
117 | domain_dontaudit_getattr_all_packet_sockets(dpkg_t) | |
118 | domain_dontaudit_getattr_all_raw_sockets(dpkg_t) | |
119 | domain_dontaudit_getattr_all_stream_sockets(dpkg_t) | |
120 | domain_dontaudit_getattr_all_dgram_sockets(dpkg_t) | |
121 | ||
122 | fs_manage_nfs_dirs(dpkg_t) | |
123 | fs_manage_nfs_files(dpkg_t) | |
124 | fs_manage_nfs_symlinks(dpkg_t) | |
125 | fs_getattr_all_fs(dpkg_t) | |
126 | fs_search_auto_mountpoints(dpkg_t) | |
127 | ||
f8233ab7 CP |
128 | mls_file_read_all_levels(dpkg_t) |
129 | mls_file_write_all_levels(dpkg_t) | |
0c54fcf8 CP |
130 | mls_file_upgrade(dpkg_t) |
131 | ||
132 | selinux_get_fs_mount(dpkg_t) | |
133 | selinux_validate_context(dpkg_t) | |
134 | selinux_compute_access_vector(dpkg_t) | |
135 | selinux_compute_create_context(dpkg_t) | |
136 | selinux_compute_relabel_context(dpkg_t) | |
137 | selinux_compute_user_contexts(dpkg_t) | |
138 | ||
139 | storage_raw_write_fixed_disk(dpkg_t) | |
140 | # for installing kernel packages | |
141 | storage_raw_read_fixed_disk(dpkg_t) | |
142 | ||
0c54fcf8 CP |
143 | auth_relabel_all_files_except_shadow(dpkg_t) |
144 | auth_manage_all_files_except_shadow(dpkg_t) | |
145 | auth_dontaudit_read_shadow(dpkg_t) | |
146 | ||
147 | files_exec_etc_files(dpkg_t) | |
148 | ||
149 | init_domtrans_script(dpkg_t) | |
e065ac8a | 150 | init_use_script_ptys(dpkg_t) |
0c54fcf8 | 151 | |
0c54fcf8 CP |
152 | libs_exec_ld_so(dpkg_t) |
153 | libs_exec_lib_files(dpkg_t) | |
154 | libs_domtrans_ldconfig(dpkg_t) | |
155 | ||
156 | logging_send_syslog_msg(dpkg_t) | |
157 | ||
158 | # allow compiling and loading new policy | |
159 | seutil_manage_src_policy(dpkg_t) | |
160 | seutil_manage_bin_policy(dpkg_t) | |
161 | ||
162 | sysnet_read_config(dpkg_t) | |
163 | ||
af2d8802 | 164 | userdom_use_inherited_user_terminals(dpkg_t) |
0c54fcf8 CP |
165 | userdom_use_unpriv_users_fds(dpkg_t) |
166 | ||
167 | # transition to dpkg script: | |
168 | dpkg_domtrans_script(dpkg_t) | |
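169 | # the package scripts are not labeled correctly yet, so dpkg_t is given mmap_file_perms on dpkg_var_lib_t files, the type that also holds the status files | |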
0b36a214 | 170 | allow dpkg_t dpkg_var_lib_t:file mmap_file_perms; |
0c54fcf8 | 171 | |
0c54fcf8 | 172 | # TODO: allow dpkg to be entered from system cron jobs? (left commented out until decided) |
bb7170f6 | 173 | #optional_policy(` |
0c54fcf8 CP |
174 | # cron_system_entry(dpkg_t,dpkg_exec_t) |
175 | #') | |
176 | ||
bb7170f6 | 177 | optional_policy(` |
0c54fcf8 CP |
178 | nis_use_ypbind(dpkg_t) |
179 | ') | |
180 | ||
350b6ab7 CP |
181 | optional_policy(` |
182 | unconfined_domain(dpkg_t) # NOTE(review): if the unconfined module is built in, this presumably lifts confinement of dpkg_t and the allow rules above stop being the effective limit - confirm | |
183 | ') | |
184 | ||
0c54fcf8 CP |
185 | # TODO: the following was copied from dpkg_script_t, and could probably |
186 | # be removed again when dpkg_script_t is actually used... | |
187 | domain_signal_all_domains(dpkg_t) | |
188 | domain_signull_all_domains(dpkg_t) | |
189 | files_read_etc_runtime_files(dpkg_t) | |
190 | files_exec_usr_files(dpkg_t) | |
191 | miscfiles_read_localization(dpkg_t) | |
0c54fcf8 | 192 | seutil_domtrans_loadpolicy(dpkg_t) |
762d2cb9 | 193 | seutil_domtrans_setfiles(dpkg_t) |
0c54fcf8 | 194 | userdom_use_all_users_fds(dpkg_t) |
2371d8d8 | 195 | |
bb7170f6 | 196 | optional_policy(` |
0c54fcf8 CP |
197 | mta_send_mail(dpkg_t) |
198 | ') | |
2371d8d8 MG |
199 | |
200 | optional_policy(` | |
201 | modutils_domtrans_depmod(dpkg_t) | |
202 | modutils_domtrans_insmod(dpkg_t) | |
203 | ') | |
204 | ||
bb7170f6 | 205 | optional_policy(` |
0c54fcf8 CP |
206 | usermanage_domtrans_groupadd(dpkg_t) |
207 | usermanage_domtrans_useradd(dpkg_t) | |
208 | ') | |
209 | ||
210 | ######################################## | |
211 | # | |
212 | # dpkg-script Local policy | |
213 | # | |
214 | # TODO: actually use dpkg_script_t | |
215 | ||
216 | allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill }; | |
217 | allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; # NOTE(review): ~{ } is a complement set, so every process permission not listed here is granted, including any the class gains later | |
218 | allow dpkg_script_t self:fd use; | |
ef659a47 | 219 | allow dpkg_script_t self:fifo_file rw_fifo_file_perms; |
0c54fcf8 CP |
220 | allow dpkg_script_t self:unix_dgram_socket create_socket_perms; |
221 | allow dpkg_script_t self:unix_stream_socket rw_stream_socket_perms; | |
222 | allow dpkg_script_t self:unix_dgram_socket sendto; | |
223 | allow dpkg_script_t self:unix_stream_socket connectto; | |
224 | allow dpkg_script_t self:shm create_shm_perms; | |
225 | allow dpkg_script_t self:sem create_sem_perms; | |
226 | allow dpkg_script_t self:msgq create_msgq_perms; | |
227 | allow dpkg_script_t self:msg { send receive }; | |
228 | ||
ef659a47 | 229 | allow dpkg_script_t dpkg_tmp_t:file read_file_perms; |
0c54fcf8 CP |
230 | |
231 | allow dpkg_script_t dpkg_script_tmp_t:dir { manage_dir_perms mounton }; | |
232 | allow dpkg_script_t dpkg_script_tmp_t:file manage_file_perms; | |
233 | files_tmp_filetrans(dpkg_script_t, dpkg_script_tmp_t, { file dir }) | |
234 | ||
235 | allow dpkg_script_t dpkg_script_tmpfs_t:dir manage_dir_perms; | |
236 | allow dpkg_script_t dpkg_script_tmpfs_t:file manage_file_perms; | |
ef659a47 CP |
237 | allow dpkg_script_t dpkg_script_tmpfs_t:lnk_file manage_lnk_file_perms; |
238 | allow dpkg_script_t dpkg_script_tmpfs_t:sock_file manage_sock_file_perms; | |
239 | allow dpkg_script_t dpkg_script_tmpfs_t:fifo_file manage_fifo_file_perms; | |
0bfccda4 | 240 | fs_tmpfs_filetrans(dpkg_script_t, dpkg_script_tmpfs_t, { dir file lnk_file sock_file fifo_file }) |
0c54fcf8 CP |
241 | |
242 | kernel_read_kernel_sysctls(dpkg_script_t) | |
243 | kernel_read_system_state(dpkg_script_t) | |
244 | ||
fb63d0b5 | 245 | corecmd_exec_all_executables(dpkg_script_t) |
0c54fcf8 CP |
246 | |
247 | dev_list_sysfs(dpkg_script_t) | |
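248 | # ideally we would not need this: the four rules below let package scripts manage generic and all other block and character device nodes | |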
249 | dev_manage_generic_blk_files(dpkg_script_t) | |
250 | dev_manage_generic_chr_files(dpkg_script_t) | |
251 | dev_manage_all_blk_files(dpkg_script_t) | |
252 | dev_manage_all_chr_files(dpkg_script_t) | |
253 | ||
254 | domain_read_all_domains_state(dpkg_script_t) | |
255 | domain_getattr_all_domains(dpkg_script_t) | |
256 | domain_dontaudit_ptrace_all_domains(dpkg_script_t) | |
257 | domain_use_interactive_fds(dpkg_script_t) | |
0c54fcf8 CP |
258 | domain_signal_all_domains(dpkg_script_t) |
259 | domain_signull_all_domains(dpkg_script_t) | |
260 | ||
261 | files_exec_etc_files(dpkg_script_t) | |
262 | files_read_etc_runtime_files(dpkg_script_t) | |
263 | files_exec_usr_files(dpkg_script_t) | |
264 | ||
265 | fs_manage_nfs_files(dpkg_script_t) | |
266 | fs_getattr_nfs(dpkg_script_t) | |
267 | # why is this not using mount? The rules below let package scripts mount and unmount xattr filesystems themselves. | |
268 | fs_getattr_xattr_fs(dpkg_script_t) | |
269 | fs_mount_xattr_fs(dpkg_script_t) | |
270 | fs_unmount_xattr_fs(dpkg_script_t) | |
271 | fs_search_auto_mountpoints(dpkg_script_t) | |
272 | ||
f8233ab7 CP |
273 | mls_file_read_all_levels(dpkg_script_t) |
274 | mls_file_write_all_levels(dpkg_script_t) | |
0c54fcf8 CP |
275 | |
276 | selinux_get_fs_mount(dpkg_script_t) | |
277 | selinux_validate_context(dpkg_script_t) | |
278 | selinux_compute_access_vector(dpkg_script_t) | |
279 | selinux_compute_create_context(dpkg_script_t) | |
280 | selinux_compute_relabel_context(dpkg_script_t) | |
281 | selinux_compute_user_contexts(dpkg_script_t) | |
282 | ||
283 | storage_raw_read_fixed_disk(dpkg_script_t) | |
284 | storage_raw_write_fixed_disk(dpkg_script_t) | |
285 | ||
af2d8802 | 286 | term_use_all_inherited_terms(dpkg_script_t) |
0c54fcf8 CP |
287 | |
288 | auth_dontaudit_getattr_shadow(dpkg_script_t) | |
289 | # ideally we would not need this: it lets package scripts manage all files except shadow | |
290 | auth_manage_all_files_except_shadow(dpkg_script_t) | |
291 | ||
292 | init_domtrans_script(dpkg_script_t) | |
e065ac8a | 293 | init_use_script_fds(dpkg_script_t) |
0c54fcf8 | 294 | |
0c54fcf8 CP |
295 | libs_exec_ld_so(dpkg_script_t) |
296 | libs_exec_lib_files(dpkg_script_t) | |
297 | libs_domtrans_ldconfig(dpkg_script_t) | |
298 | ||
299 | logging_send_syslog_msg(dpkg_script_t) | |
300 | ||
301 | miscfiles_read_localization(dpkg_script_t) | |
302 | ||
0c54fcf8 | 303 | seutil_domtrans_loadpolicy(dpkg_script_t) |
762d2cb9 | 304 | seutil_domtrans_setfiles(dpkg_script_t) |
0c54fcf8 CP |
305 | |
306 | userdom_use_all_users_fds(dpkg_script_t) | |
307 | ||
0c54fcf8 CP |
308 | tunable_policy(`allow_execmem',` |
309 | allow dpkg_script_t self:process execmem; | |
310 | ') | |
311 | ||
350b6ab7 CP |
312 | optional_policy(` |
313 | bootloader_domtrans(dpkg_script_t) | |
314 | ') | |
315 | ||
2371d8d8 MG |
316 | optional_policy(` |
317 | modutils_domtrans_depmod(dpkg_script_t) | |
318 | modutils_domtrans_insmod(dpkg_script_t) | |
319 | ') | |
320 | ||
bb7170f6 | 321 | optional_policy(` |
0c54fcf8 CP |
322 | mta_send_mail(dpkg_script_t) |
323 | ') | |
324 | ||
bb7170f6 | 325 | optional_policy(` |
0c54fcf8 CP |
326 | nis_use_ypbind(dpkg_script_t) |
327 | ') | |
328 | ||
350b6ab7 CP |
329 | optional_policy(` |
330 | unconfined_domain(dpkg_script_t) # NOTE(review): if the unconfined module is built in, this presumably lifts confinement of dpkg_script_t and the rules above stop being the effective limit - confirm | |
331 | ') | |
332 | ||
bb7170f6 | 333 | optional_policy(` |
0c54fcf8 CP |
334 | usermanage_domtrans_groupadd(dpkg_script_t) |
335 | usermanage_domtrans_useradd(dpkg_script_t) | |
336 | ') |