From: Stefan Schantl Date: Sat, 21 Jan 2012 20:33:31 +0000 (+0100) Subject: Remove module for apt. X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fheads%2Funneeded-admin-modules;p=people%2Fstevee%2Fselinux-policy.git Remove module for apt. --- diff --git a/policy/modules/admin/apt.fc b/policy/modules/admin/apt.fc deleted file mode 100644 index e4f48501..00000000 --- a/policy/modules/admin/apt.fc +++ /dev/null @@ -1,21 +0,0 @@ -/usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0) -# apt-shell is redhat specific -/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0) -# other package managers -/usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0) -/usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0) - -# package cache repository -/var/cache/apt(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0) - -# package list repository -/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0) -/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0) - -# aptitude lock -/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0) -# aptitude log -/var/log/aptitude gen_context(system_u:object_r:apt_var_log_t,s0) - -# dpkg terminal log -/var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0) diff --git a/policy/modules/admin/apt.if b/policy/modules/admin/apt.if deleted file mode 100644 index e696b80c..00000000 --- a/policy/modules/admin/apt.if +++ /dev/null @@ -1,225 +0,0 @@ -## APT advanced package tool. - -######################################## -## -## Execute apt programs in the apt domain. -## -## -## -## Domain allowed to transition. -## -## -# -interface(`apt_domtrans',` - gen_require(` - type apt_t, apt_exec_t; - ') - - files_search_usr($1) - corecmd_search_bin($1) - domtrans_pattern($1, apt_exec_t, apt_t) -') - -######################################## -## -## Execute apt programs in the apt domain. -## -## -## -## Domain allowed to transition. -## -## -## -## -## The role to allow the apt domain. -## -## -## -# -interface(`apt_run',` - gen_require(` - type apt_t; - ') - - apt_domtrans($1) - role $2 types apt_t; - # TODO: likely have to add dpkg_run here. -') - -######################################## -## -## Inherit and use file descriptors from apt. -## -## -## -## Domain allowed access. -## -## -# -interface(`apt_use_fds',` - gen_require(` - type apt_t; - ') - - allow $1 apt_t:fd use; - # TODO: enforce dpkg_use_fd? -') - -######################################## -## -## Do not audit attempts to use file descriptors from apt. -## -## -## -## Domain to not audit. -## -## -# -interface(`apt_dontaudit_use_fds',` - gen_require(` - type apt_t; - ') - - dontaudit $1 apt_t:fd use; -') - -######################################## -## -## Read from an unnamed apt pipe. -## -## -## -## Domain allowed access. -## -## -# -interface(`apt_read_pipes',` - gen_require(` - type apt_t; - ') - - allow $1 apt_t:fifo_file read_fifo_file_perms; - # TODO: enforce dpkg_read_pipes? -') - -######################################## -## -## Read and write an unnamed apt pipe. -## -## -## -## Domain allowed access. -## -## -# -interface(`apt_rw_pipes',` - gen_require(` - type apt_t; - ') - - allow $1 apt_t:fifo_file rw_file_perms; - # TODO: enforce dpkg_rw_pipes? -') - -######################################## -## -## Read from and write to apt ptys. -## -## -## -## Domain allowed access. -## -## -# -interface(`apt_use_ptys',` - gen_require(` - type apt_devpts_t; - ') - - allow $1 apt_devpts_t:chr_file rw_term_perms; -') - -######################################## -## -## Read the apt package cache. -## -## -## -## Domain allowed access. -## -## -# -interface(`apt_read_cache',` - gen_require(` - type apt_var_cache_t; - ') - - files_search_var($1) - allow $1 apt_var_cache_t:dir list_dir_perms; - dontaudit $1 apt_var_cache_t:dir write; - allow $1 apt_var_cache_t:file read_file_perms; -') - -######################################## -## -## Read the apt package database. -## -## -## -## Domain allowed access. -## -## -# -interface(`apt_read_db',` - gen_require(` - type apt_var_lib_t; - ') - - files_search_var_lib($1) - allow $1 apt_var_lib_t:dir list_dir_perms; - read_files_pattern($1, apt_var_lib_t, apt_var_lib_t) - read_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t) -') - -######################################## -## -## Create, read, write, and delete the apt package database. -## -## -## -## Domain allowed access. -## -## -# -interface(`apt_manage_db',` - gen_require(` - type apt_var_lib_t; - ') - - files_search_var_lib($1) - manage_files_pattern($1, apt_var_lib_t, apt_var_lib_t) - # cjp: shouldnt this be manage_lnk_files? - rw_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t) - delete_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t) -') - -######################################## -## -## Do not audit attempts to create, read, -## write, and delete the apt package database. -## -## -## -## Domain to not audit. -## -## -# -interface(`apt_dontaudit_manage_db',` - gen_require(` - type apt_var_lib_t; - ') - - dontaudit $1 apt_var_lib_t:dir rw_dir_perms; - dontaudit $1 apt_var_lib_t:file manage_file_perms; - dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_file_perms; -') diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te deleted file mode 100644 index 3491c7f8..00000000 --- a/policy/modules/admin/apt.te +++ /dev/null @@ -1,162 +0,0 @@ -policy_module(apt, 1.6.0) - -######################################## -# -# Declarations -# - -type apt_t; -type apt_exec_t; -init_system_domain(apt_t, apt_exec_t) -domain_system_change_exemption(apt_t) -role system_r types apt_t; - -# pseudo terminal for running dpkg -type apt_devpts_t; -term_pty(apt_devpts_t) - -# aptitude lock file -type apt_lock_t; -files_lock_file(apt_lock_t) - -type apt_tmp_t; -files_tmp_file(apt_tmp_t) - -type apt_tmpfs_t; -files_tmpfs_file(apt_tmpfs_t) - -# package cache -type apt_var_cache_t alias var_cache_apt_t; -files_type(apt_var_cache_t) - -# status files -type apt_var_lib_t alias var_lib_apt_t; -files_type(apt_var_lib_t) - -# aptitude log file -type apt_var_log_t; -logging_log_file(apt_var_log_t) - -######################################## -# -# apt Local policy -# - -allow apt_t self:capability { chown dac_override fowner fsetid }; -allow apt_t self:process { signal setpgid fork }; -allow apt_t self:fd use; -allow apt_t self:fifo_file rw_fifo_file_perms; -allow apt_t self:unix_dgram_socket create_socket_perms; -allow apt_t self:unix_stream_socket rw_stream_socket_perms; -allow apt_t self:unix_dgram_socket sendto; -allow apt_t self:unix_stream_socket connectto; -allow apt_t self:udp_socket { connect create_socket_perms }; -allow apt_t self:tcp_socket create_stream_socket_perms; -allow apt_t self:shm create_shm_perms; -allow apt_t self:sem create_sem_perms; -allow apt_t self:msgq create_msgq_perms; -allow apt_t self:msg { send receive }; -# Run update -allow apt_t self:netlink_route_socket r_netlink_socket_perms; - -# lock files -allow apt_t apt_lock_t:dir manage_dir_perms; -allow apt_t apt_lock_t:file manage_file_perms; -files_lock_filetrans(apt_t, apt_lock_t, {dir file}) - -manage_dirs_pattern(apt_t, apt_tmp_t, apt_tmp_t) -manage_files_pattern(apt_t, apt_tmp_t, apt_tmp_t) -files_tmp_filetrans(apt_t, apt_tmp_t, { file dir }) - -manage_dirs_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t) -manage_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t) -manage_lnk_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t) -manage_fifo_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t) -manage_sock_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t) -fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file }) - -# Access /var/cache/apt files -manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t) -files_var_filetrans(apt_t, apt_var_cache_t, dir) - -# Access /var/lib/apt files -manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t) -files_var_lib_filetrans(apt_t, apt_var_lib_t, dir) - -# log files -allow apt_t apt_var_log_t:file manage_file_perms; -logging_log_filetrans(apt_t, apt_var_log_t, file) - -kernel_read_system_state(apt_t) -kernel_read_kernel_sysctls(apt_t) - -# to launch dpkg-preconfigure -corecmd_exec_bin(apt_t) -corecmd_exec_shell(apt_t) - -corenet_all_recvfrom_unlabeled(apt_t) -corenet_all_recvfrom_netlabel(apt_t) -corenet_tcp_sendrecv_generic_if(apt_t) -corenet_udp_sendrecv_generic_if(apt_t) -corenet_tcp_sendrecv_generic_node(apt_t) -corenet_udp_sendrecv_generic_node(apt_t) -corenet_tcp_sendrecv_all_ports(apt_t) -corenet_udp_sendrecv_all_ports(apt_t) -# TODO: really allow all these? -corenet_tcp_bind_generic_node(apt_t) -corenet_udp_bind_generic_node(apt_t) -corenet_tcp_connect_all_ports(apt_t) -corenet_sendrecv_all_client_packets(apt_t) - -dev_read_urand(apt_t) - -domain_getattr_all_domains(apt_t) -domain_use_interactive_fds(apt_t) - -files_exec_usr_files(apt_t) -files_read_etc_files(apt_t) -files_read_etc_runtime_files(apt_t) - -fs_getattr_all_fs(apt_t) - -term_create_pty(apt_t, apt_devpts_t) -term_list_ptys(apt_t) -term_use_all_inherited_terms(apt_t) - -libs_exec_ld_so(apt_t) -libs_exec_lib_files(apt_t) - -logging_send_syslog_msg(apt_t) - -miscfiles_read_localization(apt_t) - -seutil_use_newrole_fds(apt_t) - -sysnet_read_config(apt_t) - -userdom_use_inherited_user_terminals(apt_t) - -# with boolean, for cron-apt and such? -#optional_policy(` -# cron_system_entry(apt_t,apt_exec_t) -#') - -optional_policy(` - # dpkg interaction - dpkg_read_db(apt_t) - dpkg_domtrans(apt_t) - dpkg_lock_db(apt_t) -') - -optional_policy(` - nis_use_ypbind(apt_t) -') - -optional_policy(` - rpm_read_db(apt_t) - rpm_domtrans(apt_t) -') - -optional_policy(` - unconfined_domain(apt_t) -') diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te index cae6e969..7eb5bcb9 100644 --- a/policy/modules/admin/dpkg.te +++ b/policy/modules/admin/dpkg.te @@ -169,10 +169,6 @@ dpkg_domtrans_script(dpkg_t) # since the scripts aren't labeled correctly yet... allow dpkg_t dpkg_var_lib_t:file mmap_file_perms; -optional_policy(` - apt_use_ptys(dpkg_t) -') - # TODO: allow? #optional_policy(` # cron_system_entry(dpkg_t,dpkg_exec_t) @@ -313,11 +309,6 @@ tunable_policy(`allow_execmem',` allow dpkg_script_t self:process execmem; ') -optional_policy(` - apt_rw_pipes(dpkg_script_t) - apt_use_fds(dpkg_script_t) -') - optional_policy(` bootloader_domtrans(dpkg_script_t) ') diff --git a/policy/modules/admin/rpm.fc b/policy/modules/admin/rpm.fc index 2ba67e76..40819758 100644 --- a/policy/modules/admin/rpm.fc +++ b/policy/modules/admin/rpm.fc @@ -29,9 +29,6 @@ ifdef(`distro_redhat', ` /usr/sbin/rhn_check -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/rhnreg_ks -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/up2date -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0) -/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0) ') /var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index ad25549f..393287f5 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -103,10 +103,6 @@ optional_policy(` apm_domtrans_client(sysadm_t) ') -optional_policy(` - apt_run(sysadm_t, sysadm_r) -') - optional_policy(` auditadm_role_change(sysadm_r) ') diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te index 48c21c3a..0656550b 100644 --- a/policy/modules/system/libraries.te +++ b/policy/modules/system/libraries.te @@ -135,12 +135,6 @@ optional_policy(` apache_dontaudit_search_modules(ldconfig_t) ') -optional_policy(` - apt_rw_pipes(ldconfig_t) - apt_use_fds(ldconfig_t) - apt_use_ptys(ldconfig_t) -') - optional_policy(` puppet_rw_tmp(ldconfig_t) ')