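policy_module(rpm, 1.12.0)

# Domains that may transition into rpm. Nothing in this file adds members;
# the attribute is populated from the interfaces in the module .if file.
attribute rpm_transition_domain;

########################################
#
# Declarations
#

# Main rpm domain and its primary entry point. rpm is a system domain started
# by init and is exempt from the object-id, role and system-change checks
# because package installation relabels files and changes contexts.
type rpm_t;
type rpm_exec_t;
init_system_domain(rpm_t, rpm_exec_t)
domain_obj_id_change_exemption(rpm_t)
domain_role_change_exemption(rpm_t)
domain_system_change_exemption(rpm_t)
domain_interactive_fd(rpm_t)

# Second entry point into rpm_t (presumably the debuginfo tooling; the
# labelled binaries are listed in rpm.fc, not here). Declared after rpm_t so
# every type in this file is declared before its first use.
type debuginfo_exec_t;
domain_entry_file(rpm_t, debuginfo_exec_t)

type rpm_file_t;
files_type(rpm_file_t)

type rpm_tmp_t;
files_tmp_file(rpm_tmp_t)

type rpm_tmpfs_t;
files_tmpfs_file(rpm_tmpfs_t)

type rpm_log_t;
logging_log_file(rpm_log_t)

# /var/lib/rpm content; the alias keeps policy and labels that still use the
# old var_lib_rpm_t name working.
type rpm_var_lib_t;
files_type(rpm_var_lib_t)
typealias rpm_var_lib_t alias var_lib_rpm_t;

type rpm_var_cache_t;
files_type(rpm_var_cache_t)

type rpm_var_run_t;
files_pid_file(rpm_var_run_t)

# Domain for package scriptlets. It is entered through the generic shell and
# bin entry types, runs in system_r, and shares the object-id and
# system-change exemptions of rpm_t.
# NOTE(review): rpm_script_exec_t is registered below as an entry point for
# rpm_t, not for rpm_script_t; confirm that is the intended transition path.
type rpm_script_t;
type rpm_script_exec_t;
domain_obj_id_change_exemption(rpm_script_t)
domain_system_change_exemption(rpm_script_t)
corecmd_shell_entry_type(rpm_script_t)
corecmd_bin_entry_type(rpm_script_t)
domain_type(rpm_script_t)
domain_entry_file(rpm_t, rpm_script_exec_t)
domain_interactive_fd(rpm_script_t)
role system_r types rpm_script_t;

type rpm_script_tmp_t;
files_tmp_file(rpm_script_tmp_t)

type rpm_script_tmpfs_t;
files_tmpfs_file(rpm_script_tmpfs_t)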
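########################################
#
# rpm Local policy
#

allow rpm_t self:capability { chown dac_override fowner setfcap fsetid ipc_lock setgid setuid sys_chroot sys_nice sys_tty_config mknod };
# Every self:process permission except ptrace, setcurrent, execstack and
# execheap. This used to be a ~{ } rule that also excluded setexec,
# setfscreate and setrlimit, followed by a second rule granting those three
# back; the single rule below has the same effective permission set.
allow rpm_t self:process ~{ ptrace setcurrent execstack execheap };
allow rpm_t self:fd use;
allow rpm_t self:fifo_file rw_fifo_file_perms;
allow rpm_t self:unix_dgram_socket create_socket_perms;
allow rpm_t self:unix_stream_socket rw_stream_socket_perms;
allow rpm_t self:unix_dgram_socket sendto;
allow rpm_t self:unix_stream_socket connectto;
# connect is already part of create_socket_perms, so no separate rule for it.
allow rpm_t self:udp_socket create_socket_perms;
allow rpm_t self:tcp_socket create_stream_socket_perms;
allow rpm_t self:shm create_shm_perms;
allow rpm_t self:sem create_sem_perms;
allow rpm_t self:msgq create_msgq_perms;
allow rpm_t self:msg { send receive };
allow rpm_t self:dir search;
allow rpm_t self:file rw_file_perms;
allow rpm_t self:netlink_kobject_uevent_socket create_socket_perms;

allow rpm_t rpm_log_t:file manage_file_perms;
logging_log_filetrans(rpm_t, rpm_log_t, file)

# rpm unpacks and executes helpers in its own tmp and tmpfs areas.
manage_dirs_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
manage_files_pattern(rpm_t, rpm_tmp_t, rpm_tmp_t)
files_tmp_filetrans(rpm_t, rpm_tmp_t, { file dir })
can_exec(rpm_t, rpm_tmp_t)

manage_dirs_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_lnk_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_fifo_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
manage_sock_files_pattern(rpm_t, rpm_tmpfs_t, rpm_tmpfs_t)
fs_tmpfs_filetrans(rpm_t, rpm_tmpfs_t, { dir file lnk_file sock_file fifo_file })
can_exec(rpm_t, rpm_tmpfs_t)

manage_dirs_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
manage_files_pattern(rpm_t, rpm_var_cache_t, rpm_var_cache_t)
files_var_filetrans(rpm_t, rpm_var_cache_t, dir)

# Access /var/lib/rpm files
manage_files_pattern(rpm_t, rpm_var_lib_t, rpm_var_lib_t)
files_var_lib_filetrans(rpm_t, rpm_var_lib_t, dir)

manage_dirs_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
manage_files_pattern(rpm_t, rpm_var_run_t, rpm_var_run_t)
files_pid_filetrans(rpm_t, rpm_var_run_t, { file dir })

kernel_read_crypto_sysctls(rpm_t)
kernel_read_network_state(rpm_t)
kernel_read_system_state(rpm_t)
kernel_read_kernel_sysctls(rpm_t)
kernel_read_network_state_symlinks(rpm_t)
kernel_rw_irq_sysctls(rpm_t)

corecmd_exec_all_executables(rpm_t)

# Unrestricted client networking on every port.
corenet_all_recvfrom_unlabeled(rpm_t)
corenet_all_recvfrom_netlabel(rpm_t)
corenet_tcp_sendrecv_generic_if(rpm_t)
corenet_raw_sendrecv_generic_if(rpm_t)
corenet_udp_sendrecv_generic_if(rpm_t)
corenet_tcp_sendrecv_generic_node(rpm_t)
corenet_raw_sendrecv_generic_node(rpm_t)
corenet_udp_sendrecv_generic_node(rpm_t)
corenet_tcp_sendrecv_all_ports(rpm_t)
corenet_udp_sendrecv_all_ports(rpm_t)
corenet_tcp_connect_all_ports(rpm_t)
corenet_sendrecv_all_client_packets(rpm_t)

dev_list_sysfs(rpm_t)
dev_list_usbfs(rpm_t)
dev_read_urand(rpm_t)
# NOTE(review): read access to the raw memory devices is a broad grant for a
# package manager; confirm which rpm operation still needs it.
dev_read_raw_memory(rpm_t)
dev_manage_all_dev_nodes(rpm_t)

#devices_manage_all_device_types(rpm_t)
dev_create_generic_blk_files(rpm_t)
dev_create_generic_chr_files(rpm_t)
dev_delete_all_blk_files(rpm_t)
dev_delete_all_chr_files(rpm_t)
dev_relabel_all_dev_nodes(rpm_t)
dev_rename_generic_blk_files(rpm_t)
dev_rename_generic_chr_files(rpm_t)
dev_setattr_all_blk_files(rpm_t)
dev_setattr_all_chr_files(rpm_t)

fs_getattr_all_dirs(rpm_t)
fs_list_inotifyfs(rpm_t)
fs_manage_nfs_dirs(rpm_t)
fs_manage_nfs_files(rpm_t)
fs_manage_nfs_symlinks(rpm_t)
fs_getattr_all_fs(rpm_t)
fs_search_auto_mountpoints(rpm_t)

# Package contents may carry any MLS level, so rpm reads, writes and
# relabels across all levels.
mls_file_read_all_levels(rpm_t)
mls_file_write_all_levels(rpm_t)
mls_file_upgrade(rpm_t)
mls_file_downgrade(rpm_t)

selinux_get_fs_mount(rpm_t)
selinux_validate_context(rpm_t)
selinux_compute_access_vector(rpm_t)
selinux_compute_create_context(rpm_t)
selinux_compute_relabel_context(rpm_t)
selinux_compute_user_contexts(rpm_t)

storage_raw_write_fixed_disk(rpm_t)
# for installing kernel packages
storage_raw_read_fixed_disk(rpm_t)

term_list_ptys(rpm_t)

files_relabel_all_files(rpm_t)
files_manage_all_files(rpm_t)
auth_dontaudit_read_shadow(rpm_t)
auth_use_nsswitch(rpm_t)

# transition to rpm script:
rpm_domtrans_script(rpm_t)

domain_read_all_domains_state(rpm_t)
domain_getattr_all_domains(rpm_t)
domain_dontaudit_ptrace_all_domains(rpm_t)
domain_use_interactive_fds(rpm_t)
domain_dontaudit_getattr_all_pipes(rpm_t)
domain_dontaudit_getattr_all_tcp_sockets(rpm_t)
domain_dontaudit_getattr_all_udp_sockets(rpm_t)
domain_dontaudit_getattr_all_packet_sockets(rpm_t)
domain_dontaudit_getattr_all_raw_sockets(rpm_t)
domain_dontaudit_getattr_all_stream_sockets(rpm_t)
domain_dontaudit_getattr_all_dgram_sockets(rpm_t)
domain_signull_all_domains(rpm_t)

files_exec_etc_files(rpm_t)

init_domtrans_script(rpm_t)
init_use_script_ptys(rpm_t)
init_signull_script(rpm_t)

libs_exec_ld_so(rpm_t)
libs_exec_lib_files(rpm_t)
libs_domtrans_ldconfig(rpm_t)

logging_send_syslog_msg(rpm_t)

miscfiles_filetrans_named_content(rpm_t)

# allow compiling and loading new policy
seutil_manage_src_policy(rpm_t)
seutil_manage_bin_policy(rpm_t)

userdom_use_inherited_user_terminals(rpm_t)
userdom_use_unpriv_users_fds(rpm_t)

optional_policy(`
	cron_system_entry(rpm_t, rpm_exec_t)
')

optional_policy(`
	dbus_system_domain(rpm_t, rpm_exec_t)
	dbus_system_domain(rpm_t, debuginfo_exec_t)

	optional_policy(`
		hal_dbus_chat(rpm_t)
	')

	optional_policy(`
		networkmanager_dbus_chat(rpm_t)
	')
')

optional_policy(`
	prelink_domtrans(rpm_t)
')

optional_policy(`
	# NOTE(review): with the unconfined module loaded this presumably makes
	# rpm_t unconfined, so the explicit rules above describe the confined
	# floor rather than the effective ceiling.
	unconfined_domain_noaudit(rpm_t)
	# yum-updatesd requires this
	unconfined_dbus_chat(rpm_t)
	unconfined_dbus_chat(rpm_script_t)
')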
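########################################
#
# rpm-script Local policy
#

# Scriptlets run with nearly the full root capability set (sys_admin,
# sys_rawio, net_admin, kill, ...). Together with the unconfined_domtrans
# and unconfined_domain_noaudit calls further down, rpm_script_t confines
# very little when the unconfined module is present.
allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_admin sys_chroot sys_rawio sys_nice mknod kill net_admin };

allow rpm_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execheap };
allow rpm_script_t self:fd use;
allow rpm_script_t self:fifo_file rw_fifo_file_perms;
allow rpm_script_t self:unix_dgram_socket create_socket_perms;
allow rpm_script_t self:unix_stream_socket rw_stream_socket_perms;
allow rpm_script_t self:unix_dgram_socket sendto;
allow rpm_script_t self:unix_stream_socket connectto;
allow rpm_script_t self:shm create_shm_perms;
allow rpm_script_t self:sem create_sem_perms;
allow rpm_script_t self:msgq create_msgq_perms;
allow rpm_script_t self:msg { send receive };
allow rpm_script_t self:netlink_kobject_uevent_socket create_socket_perms;

# Scriptlets read what rpm_t unpacked into its tmp area.
allow rpm_script_t rpm_tmp_t:file read_file_perms;

# Scriptlets get their own tmp and tmpfs types, including block and
# character nodes in tmp, and may execute from both. The can_exec calls
# here are the only ones needed; the duplicates that used to follow
# corecmd_exec_all_executables below were removed.
allow rpm_script_t rpm_script_tmp_t:dir mounton;
manage_dirs_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
manage_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
manage_blk_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
manage_chr_files_pattern(rpm_script_t, rpm_script_tmp_t, rpm_script_tmp_t)
files_tmp_filetrans(rpm_script_t, rpm_script_tmp_t, { file dir })
can_exec(rpm_script_t, rpm_script_tmp_t)

manage_dirs_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
manage_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
manage_lnk_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
manage_fifo_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
manage_sock_files_pattern(rpm_script_t, rpm_script_tmpfs_t, rpm_script_tmpfs_t)
fs_tmpfs_filetrans(rpm_script_t, rpm_script_tmpfs_t, { dir file lnk_file sock_file fifo_file })
can_exec(rpm_script_t, rpm_script_tmpfs_t)

# Inherited from rpm_t across the transition.
allow rpm_script_t rpm_t:netlink_route_socket { read write };

kernel_read_crypto_sysctls(rpm_script_t)
kernel_read_kernel_sysctls(rpm_script_t)
kernel_read_system_state(rpm_script_t)
kernel_read_network_state(rpm_script_t)
kernel_list_all_proc(rpm_script_t)
kernel_read_software_raid_state(rpm_script_t)

# needed by rhn_check
corenet_tcp_connect_http_port(rpm_script_t)

dev_list_sysfs(rpm_script_t)

# ideally we would not need this
dev_manage_generic_blk_files(rpm_script_t)
dev_manage_generic_chr_files(rpm_script_t)
dev_manage_all_blk_files(rpm_script_t)
dev_manage_all_chr_files(rpm_script_t)

fs_manage_nfs_files(rpm_script_t)
fs_getattr_nfs(rpm_script_t)
fs_search_all(rpm_script_t)
fs_getattr_all_fs(rpm_script_t)
# why is this not using mount?
fs_getattr_xattr_fs(rpm_script_t)
fs_mount_xattr_fs(rpm_script_t)
fs_unmount_xattr_fs(rpm_script_t)
fs_search_auto_mountpoints(rpm_script_t)

# Scriptlets may signal and ptrace across MCS categories.
mcs_killall(rpm_script_t)
mcs_ptrace_all(rpm_script_t)

mls_file_read_all_levels(rpm_script_t)
mls_file_write_all_levels(rpm_script_t)

selinux_get_fs_mount(rpm_script_t)
selinux_validate_context(rpm_script_t)
selinux_compute_access_vector(rpm_script_t)
selinux_compute_create_context(rpm_script_t)
selinux_compute_relabel_context(rpm_script_t)
selinux_compute_user_contexts(rpm_script_t)

storage_raw_read_fixed_disk(rpm_script_t)
storage_raw_write_fixed_disk(rpm_script_t)

term_getattr_unallocated_ttys(rpm_script_t)
term_list_ptys(rpm_script_t)
term_use_all_inherited_terms(rpm_script_t)

auth_dontaudit_getattr_shadow(rpm_script_t)
auth_use_nsswitch(rpm_script_t)
# ideally we would not need this
files_manage_all_files(rpm_script_t)
# Granted once here; a second identical call after files_exec_usr_files
# below was redundant and has been dropped.
files_relabel_all_files(rpm_script_t)

corecmd_exec_all_executables(rpm_script_t)

domain_read_all_domains_state(rpm_script_t)
domain_getattr_all_domains(rpm_script_t)
domain_dontaudit_ptrace_all_domains(rpm_script_t)
domain_use_interactive_fds(rpm_script_t)
domain_signal_all_domains(rpm_script_t)
domain_signull_all_domains(rpm_script_t)

files_exec_etc_files(rpm_script_t)
files_read_etc_runtime_files(rpm_script_t)
files_exec_usr_files(rpm_script_t)

init_domtrans_script(rpm_script_t)
init_telinit(rpm_script_t)

libs_exec_ld_so(rpm_script_t)
libs_exec_lib_files(rpm_script_t)
libs_domtrans_ldconfig(rpm_script_t)

logging_send_syslog_msg(rpm_script_t)

miscfiles_read_localization(rpm_script_t)
miscfiles_filetrans_named_content(rpm_script_t)

# Scriptlets may load policy and change booleans and file contexts.
seutil_domtrans_loadpolicy(rpm_script_t)
seutil_domtrans_setfiles(rpm_script_t)
seutil_domtrans_semanage(rpm_script_t)
seutil_domtrans_setsebool(rpm_script_t)

userdom_use_all_users_fds(rpm_script_t)
userdom_exec_admin_home_files(rpm_script_t)

ifdef(`distro_redhat',`
	optional_policy(`
		mta_send_mail(rpm_script_t)
		mta_system_content(rpm_var_run_t)
	')
')

# Else branch of the tunable: execmem is allowed unless deny_execmem is set.
tunable_policy(`deny_execmem',`',`
	allow rpm_script_t self:process execmem;
')

optional_policy(`
	bootloader_domtrans(rpm_script_t)
')

optional_policy(`
	dbus_system_bus_client(rpm_script_t)
')

optional_policy(`
	lvm_domtrans(rpm_script_t)
')

optional_policy(`
	ntp_domtrans(rpm_script_t)
')

optional_policy(`
	modutils_domtrans_depmod(rpm_script_t)
	modutils_domtrans_insmod(rpm_script_t)
')

optional_policy(`
	# The rpm_t transition logically belongs to the rpm section above;
	# it is kept here so both tzdata transitions share one optional block.
	tzdata_domtrans(rpm_t)
	tzdata_domtrans(rpm_script_t)
')

optional_policy(`
	udev_domtrans(rpm_script_t)
')

optional_policy(`
	unconfined_domain_noaudit(rpm_script_t)
	unconfined_domtrans(rpm_script_t)

	optional_policy(`
		java_domtrans_unconfined(rpm_script_t)
	')
')

optional_policy(`
	usermanage_domtrans_groupadd(rpm_script_t)
	usermanage_domtrans_useradd(rpm_script_t)
')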