1 ## <summary>APT advanced package tool.</summary>
3 ########################################
5 ## Execute apt programs in the apt domain.
7 ## <param name="domain">
9 ## Domain allowed to transition.
13 interface(`apt_domtrans',`
# Types referenced below. NOTE(review): the enclosing gen_require wrapper
# and the closing of this interface are not visible in this listing.
15 type apt_t, apt_exec_t;
# Let the caller search the bin directories so it can reach the apt
# executable -- presumably that is where apt_exec_t files live; confirm
# against the file contexts.
19 corecmd_search_bin($1)
# Domain transition: when the caller ($1) executes a file labeled
# apt_exec_t, the new process runs in apt_t.
# NOTE(review): apt_t is presumably a high-privilege package management
# domain, so every caller of this interface should be treated as able to
# reach that privilege. Keep the set of callers small and review additions.
20 domtrans_pattern($1, apt_exec_t, apt_t)
23 ########################################
25 ## Execute apt programs in the apt domain.
27 ## <param name="domain">
29 ## Domain allowed to transition.
32 ## <param name="role">
34 ## The role to allow the apt domain.
46 # TODO: likely have to add dpkg_run here.
49 ########################################
51 ## Inherit and use file descriptors from apt.
53 ## <param name="domain">
55 ## Domain allowed access.
59 interface(`apt_use_fds',`
# Grants the caller ($1) the "use" permission on file descriptors owned by
# apt_t, i.e. descriptors inherited from or passed by an apt process.
# This covers the descriptor only; access to the object behind it still
# needs its own allow rule for that object class and type.
64 allow $1 apt_t:fd use;
# Open question from the original author, left unresolved here.
65 # TODO: enforce dpkg_use_fd?
68 ########################################
70 ## Do not audit attempts to use file descriptors from apt.
72 ## <param name="domain">
74 ## Domain to not audit.
78 interface(`apt_dontaudit_use_fds',`
# dontaudit grants nothing: use of apt_t descriptors by the caller ($1) is
# still denied, but no AVC denial is logged for it.
# When investigating a problem that may involve inherited apt descriptors,
# rebuild the policy with dontaudit rules disabled (semodule -DB) so the
# suppressed denials show up in the audit log, then re-enable them.
83 dontaudit $1 apt_t:fd use;
86 ########################################
88 ## Read from an unnamed apt pipe.
90 ## <param name="domain">
92 ## Domain allowed access.
96 interface(`apt_read_pipes',`
# Read-only access for the caller ($1) to fifo_file objects labeled apt_t
# (unnamed pipes created by the apt domain, per the interface summary).
# Uses the permission set written for the fifo_file class.
101 allow $1 apt_t:fifo_file read_fifo_file_perms;
# Open question from the original author, left unresolved here.
102 # TODO: enforce dpkg_read_pipes?
105 ########################################
107 ## Read and write an unnamed apt pipe.
109 ## <param name="domain">
111 ## Domain allowed access.
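115 interface(`apt_rw_pipes',`
# Read and write access for the caller ($1) to fifo_file objects labeled
# apt_t (unnamed pipes created by the apt domain, per the interface summary).
# The rule targets the fifo_file class, so it uses the permission set
# written for that class, matching apt_read_pipes, rather than the generic
# regular-file set. This keeps the grant scoped to what a pipe needs even
# if the generic file set is changed later.
120 allow $1 apt_t:fifo_file rw_fifo_file_perms;
# Open question from the original author, left unresolved here.
121 # TODO: enforce dpkg_rw_pipes?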
124 ########################################
126 ## Read from and write to apt ptys.
128 ## <param name="domain">
130 ## Domain allowed access.
134 interface(`apt_use_ptys',`
# Read and write access for the caller ($1) to pty character devices
# labeled apt_devpts_t, using the terminal permission set rw_term_perms.
# NOTE(review): the require statement for apt_devpts_t is not visible in
# this listing. Write access to a pty used by an apt session lets the caller
# put output on that terminal, so confirm each caller actually needs it.
139 allow $1 apt_devpts_t:chr_file rw_term_perms;
142 ########################################
144 ## Read the apt package cache.
146 ## <param name="domain">
148 ## Domain allowed access.
152 interface(`apt_read_cache',`
# Type referenced below. NOTE(review): the enclosing gen_require wrapper is
# not visible in this listing.
154 type apt_var_cache_t;
# List the contents of the cache directory.
158 allow $1 apt_var_cache_t:dir list_dir_perms;
# Suppress audit records for write attempts on the cache directory. The
# write is still denied; it just leaves no AVC record.
# NOTE(review): presumably readers probe for write access (for example to
# take a lock) -- confirm. This rule also hides unexpected write attempts
# from callers, so disable dontaudit rules (semodule -DB) when triaging.
159 dontaudit $1 apt_var_cache_t:dir write;
# Read regular files in the cache.
160 allow $1 apt_var_cache_t:file read_file_perms;
163 ########################################
165 ## Read the apt package database.
167 ## <param name="domain">
169 ## Domain allowed access.
173 interface(`apt_read_db',`
# Let the caller ($1) traverse the parent directory (presumably /var/lib,
# going by the helper name) to reach the database.
178 files_search_var_lib($1)
# List the database directory itself.
179 allow $1 apt_var_lib_t:dir list_dir_perms;
# Read-only access to regular files and to symlinks labeled apt_var_lib_t.
# No write, create or delete permission is granted by this interface.
180 read_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
181 read_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
184 ########################################
186 ## Create, read, write, and delete the apt package database.
188 ## <param name="domain">
190 ## Domain allowed access.
194 interface(`apt_manage_db',`
# Let the caller ($1) traverse the parent directory (presumably /var/lib,
# going by the helper name) to reach the database.
199 files_search_var_lib($1)
# Full management of regular files labeled apt_var_lib_t.
# NOTE(review): this is write access to the package database, which
# presumably records package state; grant it to package management domains
# only and review every new caller.
200 manage_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
# Symlinks get read/write and delete but not create, so the interface
# summary (create, read, write, delete) holds for regular files only.
# The original author left the question below open. Switching to a manage
# pattern would widen what every caller may do, so decide it deliberately
# rather than as a cleanup.
201 # cjp: shouldnt this be manage_lnk_files?
202 rw_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
203 delete_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
206 ########################################
208 ## Do not audit attempts to create, read,
209 ## write, and delete the apt package database.
211 ## <param name="domain">
213 ## Domain to not audit.
217 interface(`apt_dontaudit_manage_db',`
# dontaudit grants nothing: the caller ($1) is still denied these accesses
# on apt_var_lib_t, but the denials are not written to the audit log.
# Covers directory read/write, management of regular files and management
# of symlinks.
# NOTE(review): this hides attempts to modify the package database from a
# domain that is not allowed to. Apply it only to callers whose probing is
# understood, and disable dontaudit rules (semodule -DB) when investigating.
222 dontaudit $1 apt_var_lib_t:dir rw_dir_perms;
223 dontaudit $1 apt_var_lib_t:file manage_file_perms;
224 dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_file_perms;