]> git.ipfire.org Git - people/stevee/selinux-policy.git/blob - policy/modules/admin/apt.if
projects / people / stevee / selinux-policy.git / blob
? search:


e696b80c628e272f91ec3676a7b5e6f04af7419f
[people/stevee/selinux-policy.git] / policy / modules / admin / apt.if
1 ## <summary>APT advanced package tool.</summary>
2
3 ########################################
4 ## <summary>
5 ## Execute apt programs in the apt domain.
6 ## </summary>
7 ## <param name="domain">
8 ## <summary>
9 ## Domain allowed to transition.
10 ## </summary>
11 ## </param>
12 #
13 interface(`apt_domtrans',`
14 gen_require(`
15 type apt_t, apt_exec_t;
16 ')
17
18 files_search_usr($1)
19 corecmd_search_bin($1)
20 domtrans_pattern($1, apt_exec_t, apt_t)
21 ')
22
23 ########################################
24 ## <summary>
25 ## Execute apt programs in the apt domain.
26 ## </summary>
27 ## <param name="domain">
28 ## <summary>
29 ## Domain allowed to transition.
30 ## </summary>
31 ## </param>
32 ## <param name="role">
33 ## <summary>
34 ## The role to allow the apt domain.
35 ## </summary>
36 ## </param>
37 ## <rolecap/>
38 #
39 interface(`apt_run',`
40 gen_require(`
41 type apt_t;
42 ')
43
44 apt_domtrans($1)
45 role $2 types apt_t;
46 # TODO: likely have to add dpkg_run here.
47 ')
48
49 ########################################
50 ## <summary>
51 ## Inherit and use file descriptors from apt.
52 ## </summary>
53 ## <param name="domain">
54 ## <summary>
55 ## Domain allowed access.
56 ## </summary>
57 ## </param>
58 #
59 interface(`apt_use_fds',`
60 gen_require(`
61 type apt_t;
62 ')
63
64 allow $1 apt_t:fd use;
65 # TODO: enforce dpkg_use_fd?
66 ')
67
68 ########################################
69 ## <summary>
70 ## Do not audit attempts to use file descriptors from apt.
71 ## </summary>
72 ## <param name="domain">
73 ## <summary>
74 ## Domain to not audit.
75 ## </summary>
76 ## </param>
77 #
78 interface(`apt_dontaudit_use_fds',`
79 gen_require(`
80 type apt_t;
81 ')
82
83 dontaudit $1 apt_t:fd use;
84 ')
85
86 ########################################
87 ## <summary>
88 ## Read from an unnamed apt pipe.
89 ## </summary>
90 ## <param name="domain">
91 ## <summary>
92 ## Domain allowed access.
93 ## </summary>
94 ## </param>
95 #
96 interface(`apt_read_pipes',`
97 gen_require(`
98 type apt_t;
99 ')
100
101 allow $1 apt_t:fifo_file read_fifo_file_perms;
102 # TODO: enforce dpkg_read_pipes?
103 ')
104
105 ########################################
106 ## <summary>
107 ## Read and write an unnamed apt pipe.
108 ## </summary>
109 ## <param name="domain">
110 ## <summary>
111 ## Domain allowed access.
112 ## </summary>
113 ## </param>
114 #
115 interface(`apt_rw_pipes',`
116 gen_require(`
117 type apt_t;
118 ')
119
120 allow $1 apt_t:fifo_file rw_file_perms;
121 # TODO: enforce dpkg_rw_pipes?
122 ')
123
124 ########################################
125 ## <summary>
126 ## Read from and write to apt ptys.
127 ## </summary>
128 ## <param name="domain">
129 ## <summary>
130 ## Domain allowed access.
131 ## </summary>
132 ## </param>
133 #
134 interface(`apt_use_ptys',`
135 gen_require(`
136 type apt_devpts_t;
137 ')
138
139 allow $1 apt_devpts_t:chr_file rw_term_perms;
140 ')
141
142 ########################################
143 ## <summary>
144 ## Read the apt package cache.
145 ## </summary>
146 ## <param name="domain">
147 ## <summary>
148 ## Domain allowed access.
149 ## </summary>
150 ## </param>
151 #
152 interface(`apt_read_cache',`
153 gen_require(`
154 type apt_var_cache_t;
155 ')
156
157 files_search_var($1)
158 allow $1 apt_var_cache_t:dir list_dir_perms;
159 dontaudit $1 apt_var_cache_t:dir write;
160 allow $1 apt_var_cache_t:file read_file_perms;
161 ')
162
163 ########################################
164 ## <summary>
165 ## Read the apt package database.
166 ## </summary>
167 ## <param name="domain">
168 ## <summary>
169 ## Domain allowed access.
170 ## </summary>
171 ## </param>
172 #
173 interface(`apt_read_db',`
174 gen_require(`
175 type apt_var_lib_t;
176 ')
177
178 files_search_var_lib($1)
179 allow $1 apt_var_lib_t:dir list_dir_perms;
180 read_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
181 read_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
182 ')
183
184 ########################################
185 ## <summary>
186 ## Create, read, write, and delete the apt package database.
187 ## </summary>
188 ## <param name="domain">
189 ## <summary>
190 ## Domain allowed access.
191 ## </summary>
192 ## </param>
193 #
194 interface(`apt_manage_db',`
195 gen_require(`
196 type apt_var_lib_t;
197 ')
198
199 files_search_var_lib($1)
200 manage_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
201 # cjp: shouldnt this be manage_lnk_files?
202 rw_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
203 delete_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
204 ')
205
206 ########################################
207 ## <summary>
208 ## Do not audit attempts to create, read,
209 ## write, and delete the apt package database.
210 ## </summary>
211 ## <param name="domain">
212 ## <summary>
213 ## Domain to not audit.
214 ## </summary>
215 ## </param>
216 #
217 interface(`apt_dontaudit_manage_db',`
218 gen_require(`
219 type apt_var_lib_t;
220 ')
221
222 dontaudit $1 apt_var_lib_t:dir rw_dir_perms;
223 dontaudit $1 apt_var_lib_t:file manage_file_perms;
224 dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_file_perms;
225 ')
The IPFire selinux policy.