Chris PeBenito 0fbfa5
#DESC RPM - Red Hat package management
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# X-Debian-Packages: 
Chris PeBenito 0fbfa5
#################################
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Rules for running the Redhat Package Manager (RPM) tools.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# rpm_t is the domain for rpm and related utilities in /usr/lib/rpm
Chris PeBenito 0fbfa5
# rpm_exec_t is the type of the rpm executables.
Chris PeBenito 2705f9
# rpm_log_t is the type for rpm log files (/var/log/rpmpkgs*)
Chris PeBenito 2705f9
# rpm_var_lib_t is the type for rpm files in /var/lib
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
type rpm_t, domain, admin, etc_writer, privlog, privowner, privmem, priv_system_role, fs_domain, privfd;
Chris PeBenito 0fbfa5
role system_r types rpm_t;
Chris PeBenito 0fbfa5
uses_shlib(rpm_t)
Chris PeBenito 0fbfa5
type rpm_exec_t, file_type, sysadmfile, exec_type;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
general_domain_access(rpm_t)
Chris PeBenito 0fbfa5
can_ps(rpm_t, domain)
Chris PeBenito 0fbfa5
allow rpm_t self:process setrlimit;
Chris PeBenito 0fbfa5
system_crond_entry(rpm_exec_t, rpm_t)
Chris PeBenito 0fbfa5
role sysadm_r types rpm_t;
Chris PeBenito 0fbfa5
domain_auto_trans(sysadm_t, rpm_exec_t, rpm_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
type rpm_file_t, file_type, sysadmfile;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
tmp_domain(rpm)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
tmpfs_domain(rpm)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
log_domain(rpm)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
can_network(rpm_t)
Chris PeBenito a08248
allow rpm_t port_type:tcp_socket name_connect;
Chris PeBenito 0fbfa5
can_ypbind(rpm_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Allow the rpm domain to execute other programs
Chris PeBenito 0fbfa5
can_exec_any(rpm_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Capabilties needed by rpm utils
Chris PeBenito 0fbfa5
allow rpm_t self:capability { chown dac_override fowner fsetid setgid setuid net_bind_service sys_chroot sys_tty_config mknod };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Access /var/lib/rpm files
Chris PeBenito 0fbfa5
var_lib_domain(rpm)
Chris PeBenito 0fbfa5
allow userdomain var_lib_t:dir { getattr search };
Chris PeBenito 0fbfa5
r_dir_file(userdomain, rpm_var_lib_t)
Chris PeBenito 0fbfa5
r_dir_file(rpm_t, proc_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow rpm_t sysfs_t:dir r_dir_perms;
Chris PeBenito 0fbfa5
allow rpm_t usbdevfs_t:dir r_dir_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# for installing kernel packages
Chris PeBenito 0fbfa5
allow rpm_t fixed_disk_device_t:blk_file { getattr read };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Access terminals.
Chris PeBenito 0fbfa5
allow rpm_t admin_tty_type:chr_file rw_file_perms;
Chris PeBenito 0fbfa5
ifdef(`gnome-pty-helper.te', `allow rpm_t sysadm_gph_t:fd use;')
Chris PeBenito 0fbfa5
allow rpm_t privfd:fd use;
Chris PeBenito 0fbfa5
allow rpm_t devtty_t:chr_file rw_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
domain_auto_trans(rpm_t, ldconfig_exec_t, ldconfig_t)
Chris PeBenito 0fbfa5
domain_auto_trans(rpm_t, initrc_exec_t, initrc_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
ifdef(`cups.te', `
Chris PeBenito 0fbfa5
r_dir_file(cupsd_t, rpm_var_lib_t)
Chris PeBenito 0fbfa5
allow cupsd_t initrc_exec_t:file { getattr read };
Chris PeBenito 0fbfa5
domain_auto_trans(rpm_script_t, cupsd_exec_t, cupsd_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# for a bug in rm
Chris PeBenito 0fbfa5
dontaudit initrc_t pidfile:file write;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# bash tries to access a block device in the initrd
Chris PeBenito 0fbfa5
dontaudit initrc_t unlabeled_t:blk_file getattr;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# bash tries ioctl for some reason
Chris PeBenito 0fbfa5
dontaudit initrc_t pidfile:file ioctl;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow rpm_t autofs_t:dir { search getattr };
Chris PeBenito 0fbfa5
allow rpm_t autofs_t:filesystem getattr;
Chris PeBenito 0fbfa5
allow rpm_script_t autofs_t:dir { search getattr };
Chris PeBenito 0fbfa5
allow rpm_t devpts_t:dir { setattr r_dir_perms };
Chris PeBenito 0fbfa5
allow rpm_t { devpts_t proc_t usbdevfs_t fs_t }:filesystem getattr;
Chris PeBenito 0fbfa5
dontaudit rpm_t security_t:filesystem getattr;
Chris PeBenito 0fbfa5
can_getcon(rpm_t)
Chris PeBenito 0fbfa5
can_setfscreate(rpm_t)
Chris PeBenito 0fbfa5
can_setexec(rpm_t)
Chris PeBenito 0fbfa5
read_sysctl(rpm_t)
Chris PeBenito 0fbfa5
general_domain_access(rpm_script_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# read/write/create any files in the system
Chris PeBenito 0fbfa5
allow rpm_t { file_type -shadow_t }:{ file lnk_file dir fifo_file sock_file } { relabelfrom relabelto };
Chris PeBenito 0fbfa5
allow rpm_t { file_type - shadow_t }:dir create_dir_perms;
Chris PeBenito 0fbfa5
allow rpm_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file } create_file_perms;
Chris PeBenito 0fbfa5
allow rpm_t sysfs_t:filesystem getattr;
Chris PeBenito 0fbfa5
allow rpm_t tmpfs_t:filesystem getattr;
Chris PeBenito 0fbfa5
dontaudit rpm_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
Chris PeBenito 0fbfa5
# needs rw permission to the directory for an rpm package that includes a mount
Chris PeBenito 0fbfa5
# point
Chris PeBenito 0fbfa5
allow rpm_t fs_type:dir { setattr rw_dir_perms };
Chris PeBenito 0fbfa5
allow rpm_t fs_type:filesystem getattr;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# allow compiling and loading new policy
Chris PeBenito 0fbfa5
create_dir_file(rpm_t, { policy_src_t policy_config_t })
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
can_getsecurity({ rpm_t rpm_script_t })
Chris PeBenito 0fbfa5
dontaudit rpm_t shadow_t:file { getattr read };
Chris PeBenito 0fbfa5
allow rpm_t urandom_device_t:chr_file read;
Chris PeBenito 0fbfa5
allow rpm_t { device_t device_type }:{ chr_file blk_file } { create_file_perms relabelfrom relabelto };
Chris PeBenito 0fbfa5
allow rpm_t ttyfile:chr_file unlink;
Chris PeBenito 0fbfa5
allow rpm_script_t tty_device_t:chr_file getattr;
Chris PeBenito 0fbfa5
allow rpm_script_t devpts_t:dir search;
Chris PeBenito 0fbfa5
allow rpm_script_t {devpts_t devtty_t}:chr_file rw_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow { insmod_t depmod_t } rpm_t:fifo_file rw_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito cf6a7d
type rpm_script_t, domain, admin, etc_writer, privlog, privowner, privmodule, privmem, fs_domain, privfd, privrole, priv_system_role;
Chris PeBenito 0fbfa5
# policy for rpm scriptlet
Chris PeBenito 0fbfa5
role system_r types rpm_script_t;
Chris PeBenito 0fbfa5
uses_shlib(rpm_script_t)
Chris PeBenito 0fbfa5
read_locale(rpm_script_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
can_ps(rpm_script_t, domain)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
ifdef(`lpd.te', `
Chris PeBenito 0fbfa5
can_exec(rpm_script_t, printconf_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
read_sysctl(rpm_script_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
type rpm_script_exec_t, file_type, sysadmfile, exec_type;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
role sysadm_r types rpm_script_t;
Chris PeBenito 0fbfa5
domain_trans(rpm_t, shell_exec_t, rpm_script_t)
Chris PeBenito 0fbfa5
ifdef(`hide_broken_symptoms', `
Chris PeBenito 0fbfa5
ifdef(`pamconsole.te', `
Chris PeBenito 0fbfa5
domain_trans(rpm_t, pam_console_exec_t, rpm_script_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
tmp_domain(rpm_script)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
tmpfs_domain(rpm_script)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Allow the rpm domain to execute other programs
Chris PeBenito 0fbfa5
can_exec_any(rpm_script_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Capabilties needed by rpm scripts utils
Chris PeBenito 0fbfa5
allow rpm_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# ideally we would not need this
Chris PeBenito 0fbfa5
allow rpm_script_t { file_type - shadow_t }:dir create_dir_perms;
Chris PeBenito 0fbfa5
allow rpm_script_t { file_type - shadow_t }:{ file lnk_file fifo_file sock_file } create_file_perms;
Chris PeBenito 0fbfa5
allow rpm_script_t { device_t device_type }:{ chr_file blk_file } create_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# for kernel package installation
Chris PeBenito 0fbfa5
ifdef(`mount.te', `
Chris PeBenito 0fbfa5
allow mount_t rpm_t:fifo_file rw_file_perms;
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Commonly used from postinst scripts
Chris PeBenito 0fbfa5
ifdef(`consoletype.te', `
Chris PeBenito 0fbfa5
allow consoletype_t rpm_t:fifo_file r_file_perms;
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
ifdef(`crond.te', `
Chris PeBenito 0fbfa5
allow crond_t rpm_t:fifo_file r_file_perms;
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow rpm_script_t proc_t:dir r_dir_perms;
Chris PeBenito 0fbfa5
allow rpm_script_t proc_t:{ file lnk_file } r_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow rpm_script_t devtty_t:chr_file rw_file_perms;
Chris PeBenito 0fbfa5
allow rpm_script_t devpts_t:dir r_dir_perms;
Chris PeBenito 0fbfa5
allow rpm_script_t admin_tty_type:chr_file rw_file_perms;
Chris PeBenito 0fbfa5
allow rpm_script_t etc_runtime_t:file { getattr read };
Chris PeBenito 0fbfa5
allow rpm_script_t privfd:fd use;
Chris PeBenito 0fbfa5
allow rpm_script_t rpm_tmp_t:file { getattr read ioctl };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow rpm_script_t urandom_device_t:chr_file read;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
ifdef(`ssh-agent.te', `
Chris PeBenito 0fbfa5
domain_auto_trans(rpm_script_t, ssh_agent_exec_t, sysadm_ssh_agent_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
ifdef(`useradd.te', `
Chris PeBenito 0fbfa5
domain_auto_trans(rpm_script_t, useradd_exec_t, useradd_t)
Chris PeBenito 0fbfa5
domain_auto_trans(rpm_script_t, groupadd_exec_t, groupadd_t)
Chris PeBenito 0fbfa5
role system_r types { useradd_t groupadd_t };
Chris PeBenito 0fbfa5
allow { useradd_t groupadd_t } rpm_t:fd use;
Chris PeBenito 0fbfa5
allow { useradd_t groupadd_t } rpm_t:fifo_file { read write };
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
domain_auto_trans(rpm_script_t, restorecon_exec_t, restorecon_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
domain_auto_trans(rpm_script_t, ldconfig_exec_t, ldconfig_t)
Chris PeBenito 0fbfa5
domain_auto_trans(rpm_script_t, depmod_exec_t, depmod_t)
Chris PeBenito cf6a7d
role sysadm_r types initrc_t;
Chris PeBenito 0fbfa5
domain_auto_trans(rpm_script_t, initrc_exec_t, initrc_t)
Chris PeBenito 0fbfa5
ifdef(`bootloader.te', `
Chris PeBenito 0fbfa5
domain_auto_trans(rpm_script_t, bootloader_exec_t, bootloader_t)
Chris PeBenito 0fbfa5
allow bootloader_t rpm_t:fifo_file rw_file_perms;
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
domain_auto_trans(rpm_script_t, load_policy_exec_t, load_policy_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
rw_dir_file(rpm_script_t, nfs_t)
Chris PeBenito 0fbfa5
allow rpm_script_t nfs_t:filesystem getattr;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow rpm_script_t fs_t:filesystem { getattr mount unmount };
Chris PeBenito 0fbfa5
allow rpm_script_t rpm_script_tmp_t:dir mounton;
Chris PeBenito 0fbfa5
can_exec(rpm_script_t, usr_t)
Chris PeBenito 0fbfa5
can_exec(rpm_script_t, sbin_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow rpm_t mount_t:tcp_socket write;
Chris PeBenito 0fbfa5
create_dir_file(rpm_t, nfs_t)
Chris PeBenito 0fbfa5
allow rpm_t { removable_t nfs_t }:filesystem getattr;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow rpm_script_t userdomain:fd use;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow domain rpm_t:fifo_file r_file_perms;
Chris PeBenito 0fbfa5
allow domain rpm_t:fd use;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
ifdef(`ssh.te', `
Chris PeBenito 0fbfa5
allow sshd_t rpm_script_t:fd use;
Chris PeBenito 0fbfa5
allow sshd_t rpm_t:fd use;
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
dontaudit rpm_script_t shadow_t:file getattr;
Chris PeBenito 0fbfa5
allow rpm_script_t sysfs_t:dir r_dir_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
ifdef(`prelink.te', `
Chris PeBenito 0fbfa5
domain_auto_trans(rpm_t, prelink_exec_t, prelink_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow rpm_t rpc_pipefs_t:dir search;
Chris PeBenito 0fbfa5
allow rpm_script_t init_t:dir search;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
type rpmbuild_exec_t, file_type, sysadmfile, exec_type;
Chris PeBenito 0fbfa5
type rpmbuild_t, domain;
Chris PeBenito 0fbfa5
allow rpmbuild_t policy_config_t:dir search;
Chris PeBenito 0fbfa5
allow rpmbuild_t policy_src_t:dir search;
Chris PeBenito 0fbfa5
allow rpmbuild_t policy_src_t:file { getattr read };
Chris PeBenito 0fbfa5
can_getsecurity(rpmbuild_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow rpm_script_t domain:process { signal signull };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Access /var/lib/rpm.
Chris PeBenito 0fbfa5
allow initrc_t rpm_var_lib_t:dir rw_dir_perms;
Chris PeBenito 0fbfa5
allow initrc_t rpm_var_lib_t:file create_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
ifdef(`unlimitedRPM', `
Chris PeBenito 0fbfa5
typeattribute rpm_t auth_write;
Chris PeBenito 0fbfa5
unconfined_domain(rpm_t)
Chris PeBenito 0fbfa5
typeattribute rpm_script_t auth_write;
Chris PeBenito 0fbfa5
unconfined_domain(rpm_script_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 2705f9
if (allow_execmem) {
Chris PeBenito 2705f9
allow rpm_script_t self:process execmem;
Chris PeBenito 2705f9
}
Chris PeBenito 0fbfa5