+++ /dev/null
-/usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0)
-# apt-shell is redhat specific
-/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
-# other package managers
-/usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
-/usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
-
-# package cache repository
-/var/cache/apt(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
-
-# package list repository
-/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
-/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
-
-# aptitude lock
-/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
-# aptitude log
-/var/log/aptitude gen_context(system_u:object_r:apt_var_log_t,s0)
-
-# dpkg terminal log
-/var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)
+++ /dev/null
-## <summary>APT advanced package tool.</summary>
-
-########################################
-## <summary>
-## Execute apt programs in the apt domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`apt_domtrans',`
- gen_require(`
- type apt_t, apt_exec_t;
- ')
-
- files_search_usr($1)
- corecmd_search_bin($1)
- domtrans_pattern($1, apt_exec_t, apt_t)
-')
-
-########################################
-## <summary>
-## Execute apt programs in the apt domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## The role to allow the apt domain.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`apt_run',`
- gen_require(`
- type apt_t;
- ')
-
- apt_domtrans($1)
- role $2 types apt_t;
- # TODO: likely have to add dpkg_run here.
-')
-
-########################################
-## <summary>
-## Inherit and use file descriptors from apt.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apt_use_fds',`
- gen_require(`
- type apt_t;
- ')
-
- allow $1 apt_t:fd use;
- # TODO: enforce dpkg_use_fd?
-')
-
-########################################
-## <summary>
-## Do not audit attempts to use file descriptors from apt.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
-## </param>
-#
-interface(`apt_dontaudit_use_fds',`
- gen_require(`
- type apt_t;
- ')
-
- dontaudit $1 apt_t:fd use;
-')
-
-########################################
-## <summary>
-## Read from an unnamed apt pipe.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apt_read_pipes',`
- gen_require(`
- type apt_t;
- ')
-
- allow $1 apt_t:fifo_file read_fifo_file_perms;
- # TODO: enforce dpkg_read_pipes?
-')
-
-########################################
-## <summary>
-## Read and write an unnamed apt pipe.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apt_rw_pipes',`
- gen_require(`
- type apt_t;
- ')
-
- allow $1 apt_t:fifo_file rw_file_perms;
- # TODO: enforce dpkg_rw_pipes?
-')
-
-########################################
-## <summary>
-## Read from and write to apt ptys.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apt_use_ptys',`
- gen_require(`
- type apt_devpts_t;
- ')
-
- allow $1 apt_devpts_t:chr_file rw_term_perms;
-')
-
-########################################
-## <summary>
-## Read the apt package cache.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apt_read_cache',`
- gen_require(`
- type apt_var_cache_t;
- ')
-
- files_search_var($1)
- allow $1 apt_var_cache_t:dir list_dir_perms;
- dontaudit $1 apt_var_cache_t:dir write;
- allow $1 apt_var_cache_t:file read_file_perms;
-')
-
-########################################
-## <summary>
-## Read the apt package database.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apt_read_db',`
- gen_require(`
- type apt_var_lib_t;
- ')
-
- files_search_var_lib($1)
- allow $1 apt_var_lib_t:dir list_dir_perms;
- read_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
- read_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
-')
-
-########################################
-## <summary>
-## Create, read, write, and delete the apt package database.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`apt_manage_db',`
- gen_require(`
- type apt_var_lib_t;
- ')
-
- files_search_var_lib($1)
- manage_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
- # cjp: shouldnt this be manage_lnk_files?
- rw_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
- delete_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t)
-')
-
-########################################
-## <summary>
-## Do not audit attempts to create, read,
-## write, and delete the apt package database.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
-## </param>
-#
-interface(`apt_dontaudit_manage_db',`
- gen_require(`
- type apt_var_lib_t;
- ')
-
- dontaudit $1 apt_var_lib_t:dir rw_dir_perms;
- dontaudit $1 apt_var_lib_t:file manage_file_perms;
- dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_file_perms;
-')
+++ /dev/null
-policy_module(apt, 1.6.0)
-
-########################################
-#
-# Declarations
-#
-
-type apt_t;
-type apt_exec_t;
-init_system_domain(apt_t, apt_exec_t)
-domain_system_change_exemption(apt_t)
-role system_r types apt_t;
-
-# pseudo terminal for running dpkg
-type apt_devpts_t;
-term_pty(apt_devpts_t)
-
-# aptitude lock file
-type apt_lock_t;
-files_lock_file(apt_lock_t)
-
-type apt_tmp_t;
-files_tmp_file(apt_tmp_t)
-
-type apt_tmpfs_t;
-files_tmpfs_file(apt_tmpfs_t)
-
-# package cache
-type apt_var_cache_t alias var_cache_apt_t;
-files_type(apt_var_cache_t)
-
-# status files
-type apt_var_lib_t alias var_lib_apt_t;
-files_type(apt_var_lib_t)
-
-# aptitude log file
-type apt_var_log_t;
-logging_log_file(apt_var_log_t)
-
-########################################
-#
-# apt Local policy
-#
-
-allow apt_t self:capability { chown dac_override fowner fsetid };
-allow apt_t self:process { signal setpgid fork };
-allow apt_t self:fd use;
-allow apt_t self:fifo_file rw_fifo_file_perms;
-allow apt_t self:unix_dgram_socket create_socket_perms;
-allow apt_t self:unix_stream_socket rw_stream_socket_perms;
-allow apt_t self:unix_dgram_socket sendto;
-allow apt_t self:unix_stream_socket connectto;
-allow apt_t self:udp_socket { connect create_socket_perms };
-allow apt_t self:tcp_socket create_stream_socket_perms;
-allow apt_t self:shm create_shm_perms;
-allow apt_t self:sem create_sem_perms;
-allow apt_t self:msgq create_msgq_perms;
-allow apt_t self:msg { send receive };
-# Run update
-allow apt_t self:netlink_route_socket r_netlink_socket_perms;
-
-# lock files
-allow apt_t apt_lock_t:dir manage_dir_perms;
-allow apt_t apt_lock_t:file manage_file_perms;
-files_lock_filetrans(apt_t, apt_lock_t, {dir file})
-
-manage_dirs_pattern(apt_t, apt_tmp_t, apt_tmp_t)
-manage_files_pattern(apt_t, apt_tmp_t, apt_tmp_t)
-files_tmp_filetrans(apt_t, apt_tmp_t, { file dir })
-
-manage_dirs_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
-manage_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
-manage_lnk_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
-manage_fifo_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
-manage_sock_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
-fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-
-# Access /var/cache/apt files
-manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
-files_var_filetrans(apt_t, apt_var_cache_t, dir)
-
-# Access /var/lib/apt files
-manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
-files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)
-
-# log files
-allow apt_t apt_var_log_t:file manage_file_perms;
-logging_log_filetrans(apt_t, apt_var_log_t, file)
-
-kernel_read_system_state(apt_t)
-kernel_read_kernel_sysctls(apt_t)
-
-# to launch dpkg-preconfigure
-corecmd_exec_bin(apt_t)
-corecmd_exec_shell(apt_t)
-
-corenet_all_recvfrom_unlabeled(apt_t)
-corenet_all_recvfrom_netlabel(apt_t)
-corenet_tcp_sendrecv_generic_if(apt_t)
-corenet_udp_sendrecv_generic_if(apt_t)
-corenet_tcp_sendrecv_generic_node(apt_t)
-corenet_udp_sendrecv_generic_node(apt_t)
-corenet_tcp_sendrecv_all_ports(apt_t)
-corenet_udp_sendrecv_all_ports(apt_t)
-# TODO: really allow all these?
-corenet_tcp_bind_generic_node(apt_t)
-corenet_udp_bind_generic_node(apt_t)
-corenet_tcp_connect_all_ports(apt_t)
-corenet_sendrecv_all_client_packets(apt_t)
-
-dev_read_urand(apt_t)
-
-domain_getattr_all_domains(apt_t)
-domain_use_interactive_fds(apt_t)
-
-files_exec_usr_files(apt_t)
-files_read_etc_files(apt_t)
-files_read_etc_runtime_files(apt_t)
-
-fs_getattr_all_fs(apt_t)
-
-term_create_pty(apt_t, apt_devpts_t)
-term_list_ptys(apt_t)
-term_use_all_inherited_terms(apt_t)
-
-libs_exec_ld_so(apt_t)
-libs_exec_lib_files(apt_t)
-
-logging_send_syslog_msg(apt_t)
-
-miscfiles_read_localization(apt_t)
-
-seutil_use_newrole_fds(apt_t)
-
-sysnet_read_config(apt_t)
-
-userdom_use_inherited_user_terminals(apt_t)
-
-# with boolean, for cron-apt and such?
-#optional_policy(`
-# cron_system_entry(apt_t,apt_exec_t)
-#')
-
-optional_policy(`
- # dpkg interaction
- dpkg_read_db(apt_t)
- dpkg_domtrans(apt_t)
- dpkg_lock_db(apt_t)
-')
-
-optional_policy(`
- nis_use_ypbind(apt_t)
-')
-
-optional_policy(`
- rpm_read_db(apt_t)
- rpm_domtrans(apt_t)
-')
-
-optional_policy(`
- unconfined_domain(apt_t)
-')
# since the scripts aren't labeled correctly yet...
allow dpkg_t dpkg_var_lib_t:file mmap_file_perms;
-optional_policy(`
- apt_use_ptys(dpkg_t)
-')
-
# TODO: allow?
#optional_policy(`
# cron_system_entry(dpkg_t,dpkg_exec_t)
allow dpkg_script_t self:process execmem;
')
-optional_policy(`
- apt_rw_pipes(dpkg_script_t)
- apt_use_fds(dpkg_script_t)
-')
-
optional_policy(`
bootloader_domtrans(dpkg_script_t)
')
/usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/rhnreg_ks -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0)
')
/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0)
apm_domtrans_client(sysadm_t)
')
-optional_policy(`
- apt_run(sysadm_t, sysadm_r)
-')
-
optional_policy(`
auditadm_role_change(sysadm_r)
')
apache_dontaudit_search_modules(ldconfig_t)
')
-optional_policy(`
- apt_rw_pipes(ldconfig_t)
- apt_use_fds(ldconfig_t)
- apt_use_ptys(ldconfig_t)
-')
-
optional_policy(`
puppet_rw_tmp(ldconfig_t)
')
projects / people / stevee / selinux-policy.git / commitdiff
