Chris PeBenito 0fbfa5
#DESC Dpkg - Debian package manager
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Author:  Russell Coker <russell@coker.com.au>
Chris PeBenito 0fbfa5
# X-Debian-Packages: dpkg
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#################################
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Rules for the dpkg_t domain.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
type dpkg_t, domain, admin, privlog, privmail, etc_writer, privmodule;
Chris PeBenito 0fbfa5
type dpkg_exec_t, file_type, sysadmfile, exec_type;
Chris PeBenito 0fbfa5
type dpkg_var_lib_t, file_type, sysadmfile;
Chris PeBenito 0fbfa5
type dpkg_etc_t, file_type, sysadmfile, usercanread;
Chris PeBenito 0fbfa5
type dpkg_lock_t, file_type, sysadmfile;
Chris PeBenito 0fbfa5
type debconf_cache_t, file_type, sysadmfile;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
tmp_domain(dpkg)
Chris PeBenito 0fbfa5
can_setfscreate(dpkg_t)
Chris PeBenito 0fbfa5
can_exec(dpkg_t, { dpkg_exec_t bin_t shell_exec_t dpkg_tmp_t ls_exec_t dpkg_var_lib_t dpkg_etc_t sbin_t lib_t fsadm_exec_t })
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
ifdef(`load_policy.te', `
Chris PeBenito 0fbfa5
domain_auto_trans(dpkg_t, load_policy_exec_t, load_policy_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
ifdef(`rlogind.te', `
Chris PeBenito 0fbfa5
# for ssh
Chris PeBenito 0fbfa5
can_exec(dpkg_t, rlogind_exec_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
can_exec(dpkg_t, { init_exec_t etc_t })
Chris PeBenito 0fbfa5
ifdef(`hostname.te', `
Chris PeBenito 0fbfa5
can_exec(dpkg_t, hostname_exec_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
ifdef(`mta.te', `
Chris PeBenito 0fbfa5
allow system_mail_t dpkg_tmp_t:file { getattr read };
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
ifdef(`logrotate.te', `
Chris PeBenito 0fbfa5
allow logrotate_t dpkg_var_lib_t:file create_file_perms;
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# for open office
Chris PeBenito 0fbfa5
can_exec(dpkg_t, usr_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow { dpkg_t apt_t install_menu_t } urandom_device_t:chr_file read;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# for upgrading policycoreutils and loading policy
Chris PeBenito 0fbfa5
allow dpkg_t security_t:dir { getattr search };
Chris PeBenito 0fbfa5
allow dpkg_t security_t:file { getattr read };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
ifdef(`setfiles.te',
Chris PeBenito 0fbfa5
`domain_auto_trans(dpkg_t, setfiles_exec_t, setfiles_t)')
Chris PeBenito 0fbfa5
ifdef(`nscd.te', `domain_auto_trans(dpkg_t, nscd_exec_t, nscd_t)')
Chris PeBenito 0fbfa5
ifdef(`modutil.te', `
Chris PeBenito 0fbfa5
domain_auto_trans(dpkg_t, update_modules_exec_t, update_modules_t)
Chris PeBenito 0fbfa5
domain_auto_trans(dpkg_t, depmod_exec_t, depmod_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# for touch
Chris PeBenito 0fbfa5
allow initrc_t modules_dep_t:file write;
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
ifdef(`ipsec.te', `
Chris PeBenito 0fbfa5
allow { ipsec_mgmt_t ipsec_t } dpkg_t:fd use;
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t dpkg_t:fifo_file write;
Chris PeBenito 0fbfa5
allow ipsec_mgmt_t dpkg_tmp_t:file { getattr write };
Chris PeBenito 0fbfa5
allow ipsec_t dpkg_t:fifo_file { read write };
Chris PeBenito 0fbfa5
domain_auto_trans(dpkg_t, ipsec_mgmt_exec_t, ipsec_mgmt_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
ifdef(`cardmgr.te', `
Chris PeBenito 0fbfa5
allow cardmgr_t dpkg_t:fd use;
Chris PeBenito 0fbfa5
allow cardmgr_t dpkg_t:fifo_file write;
Chris PeBenito 0fbfa5
domain_auto_trans(dpkg_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t)
Chris PeBenito 0fbfa5
# for start-stop-daemon
Chris PeBenito 0fbfa5
allow dpkg_t cardmgr_t:process signull;
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
ifdef(`mount.te', `
Chris PeBenito 0fbfa5
domain_auto_trans(dpkg_t, mount_exec_t, mount_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
ifdef(`mozilla.te', `
Chris PeBenito 0fbfa5
# hate to do this, for mozilla install scripts
Chris PeBenito 0fbfa5
can_exec(dpkg_t, mozilla_exec_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
ifdef(`postfix.te', `
Chris PeBenito 0fbfa5
domain_auto_trans(dpkg_t, postfix_master_exec_t, postfix_master_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
ifdef(`apache.te', `
Chris PeBenito 0fbfa5
domain_auto_trans(dpkg_t, httpd_exec_t, httpd_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
ifdef(`named.te', `
Chris PeBenito 0fbfa5
file_type_auto_trans(dpkg_t, named_zone_t, named_conf_t, file)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
ifdef(`nsd.te', `
Chris PeBenito 0fbfa5
allow nsd_crond_t initrc_t:fd use;
Chris PeBenito 0fbfa5
allow nsd_crond_t initrc_devpts_t:chr_file { read write };
Chris PeBenito 0fbfa5
domain_auto_trans(dpkg_t, nsd_exec_t, nsd_crond_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
# because the syslogd package is broken and does not use the start scripts
Chris PeBenito 0fbfa5
ifdef(`klogd.te', `
Chris PeBenito 0fbfa5
domain_auto_trans(dpkg_t, klogd_exec_t, klogd_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
ifdef(`syslogd.te', `
Chris PeBenito 0fbfa5
domain_auto_trans(dpkg_t, syslogd_exec_t, syslogd_t)
Chris PeBenito 0fbfa5
allow system_crond_t syslogd_t:dir search;
Chris PeBenito 0fbfa5
allow system_crond_t syslogd_t:file { getattr read };
Chris PeBenito 0fbfa5
allow system_crond_t syslogd_t:process signal;
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
# mysqld is broken too
Chris PeBenito 0fbfa5
ifdef(`mysqld.te', `
Chris PeBenito 0fbfa5
domain_auto_trans(dpkg_t, mysqld_exec_t, mysqld_t)
Chris PeBenito 0fbfa5
can_unix_connect(dpkg_t, mysqld_t)
Chris PeBenito 0fbfa5
allow mysqld_t dpkg_tmp_t:file { getattr read };
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
ifdef(`postgresql.te', `
Chris PeBenito 0fbfa5
# because postgresql postinst creates scripts in /tmp and then runs them
Chris PeBenito 0fbfa5
# also the init scripts do more than they should
Chris PeBenito 0fbfa5
allow { initrc_t postgresql_t } dpkg_tmp_t:file write;
Chris PeBenito 0fbfa5
# for "touch" when it tries to create the log file
Chris PeBenito 0fbfa5
# this works for upgrades, maybe we should allow create access for first install
Chris PeBenito 0fbfa5
allow initrc_t postgresql_log_t:file { write setattr };
Chris PeBenito 0fbfa5
# for dumpall
Chris PeBenito 0fbfa5
can_exec(postgresql_t, postgresql_db_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
ifdef(`sysstat.te', `
Chris PeBenito 0fbfa5
domain_auto_trans(dpkg_t, sysstat_exec_t, sysstat_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
ifdef(`rpcd.te', `
Chris PeBenito 0fbfa5
allow rpcd_t dpkg_t:fd use;
Chris PeBenito 0fbfa5
allow rpcd_t dpkg_t:fifo_file { read write };
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
ifdef(`load_policy.te', `
Chris PeBenito 0fbfa5
allow load_policy_t initrc_t:fifo_file { read write };
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
ifdef(`checkpolicy.te', `
Chris PeBenito 0fbfa5
domain_auto_trans(dpkg_t, checkpolicy_exec_t, checkpolicy_t)
Chris PeBenito 0fbfa5
role system_r types checkpolicy_t;
Chris PeBenito 0fbfa5
allow checkpolicy_t initrc_t:fd use;
Chris PeBenito 0fbfa5
allow checkpolicy_t initrc_t:fifo_file write;
Chris PeBenito 0fbfa5
allow checkpolicy_t initrc_devpts_t:chr_file { read write };
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
ifdef(`amavis.te', `
Chris PeBenito 0fbfa5
r_dir_file(initrc_t, dpkg_var_lib_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
ifdef(`nessusd.te', `
Chris PeBenito 0fbfa5
domain_auto_trans(dpkg_t, nessusd_exec_t, nessusd_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
ifdef(`crack.te', `
Chris PeBenito 0fbfa5
allow crack_t initrc_t:fd use;
Chris PeBenito 0fbfa5
domain_auto_trans(dpkg_t, crack_exec_t, crack_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
ifdef(`xdm.te', `
Chris PeBenito 0fbfa5
domain_auto_trans(dpkg_t, xserver_exec_t, xdm_xserver_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
ifdef(`clamav.te', `
Chris PeBenito 0fbfa5
domain_auto_trans(dpkg_t, freshclam_exec_t, freshclam_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
ifdef(`squid.te', `
Chris PeBenito 0fbfa5
domain_auto_trans(dpkg_t, squid_exec_t, squid_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
ifdef(`useradd.te', `
Chris PeBenito 0fbfa5
domain_auto_trans(dpkg_t, useradd_exec_t, useradd_t)
Chris PeBenito 0fbfa5
domain_auto_trans(dpkg_t, groupadd_exec_t, groupadd_t)
Chris PeBenito 0fbfa5
role system_r types { useradd_t groupadd_t };
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
ifdef(`passwd.te', `
Chris PeBenito 0fbfa5
domain_auto_trans(dpkg_t, chfn_exec_t, chfn_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
ifdef(`ldconfig.te', `
Chris PeBenito 0fbfa5
domain_auto_trans(dpkg_t, ldconfig_exec_t, ldconfig_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
ifdef(`portmap.te', `
Chris PeBenito 0fbfa5
# for pmap_dump
Chris PeBenito 0fbfa5
domain_auto_trans(dpkg_t, portmap_exec_t, portmap_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# for apt
Chris PeBenito 0fbfa5
type apt_t, domain, admin, privmail, web_client_domain;
Chris PeBenito 0fbfa5
type apt_exec_t, file_type, sysadmfile, exec_type;
Chris PeBenito 0fbfa5
type apt_var_lib_t, file_type, sysadmfile;
Chris PeBenito 0fbfa5
type var_cache_apt_t, file_type, sysadmfile;
Chris PeBenito 0fbfa5
etcdir_domain(apt)
Chris PeBenito 0fbfa5
type apt_rw_etc_t, file_type, sysadmfile;
Chris PeBenito 0fbfa5
tmp_domain(apt, `', `{ dir file lnk_file }')
Chris PeBenito 0fbfa5
can_exec(apt_t, apt_tmp_t)
Chris PeBenito a08248
ifdef(`crond.te', `
Chris PeBenito a08248
allow system_crond_t apt_etc_t:file { getattr read };
Chris PeBenito a08248
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
rw_dir_create_file(apt_t, apt_rw_etc_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow { apt_t dpkg_t install_menu_t } device_t:dir { getattr search };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
dontaudit apt_t var_log_t:dir getattr;
Chris PeBenito 0fbfa5
dontaudit apt_t var_run_t:dir search;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# for rc files such as ~/.less
Chris PeBenito 0fbfa5
r_dir_file(apt_t, sysadm_home_t)
Chris PeBenito 0fbfa5
allow apt_t sysadm_home_dir_t:dir { search getattr };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow apt_t bin_t:lnk_file r_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
rw_dir_create_file(apt_t, debconf_cache_t)
Chris PeBenito 0fbfa5
r_dir_file(userdomain, debconf_cache_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# for python
Chris PeBenito 0fbfa5
read_sysctl(apt_t)
Chris PeBenito 0fbfa5
read_sysctl(dpkg_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow dpkg_t console_device_t:chr_file rw_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow apt_t self:unix_stream_socket create_socket_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow dpkg_t domain:dir r_dir_perms;
Chris PeBenito 0fbfa5
allow dpkg_t domain:{ file lnk_file } r_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# for shared objects that are not yet labelled (upgrades)
Chris PeBenito 0fbfa5
allow { apt_t dpkg_t } lib_t:file execute;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# when dpkg runs postinst scripts run them in initrc_t domain so that the
Chris PeBenito 0fbfa5
# daemons are started in the correct context
Chris PeBenito 0fbfa5
domain_auto_trans(dpkg_t, initrc_exec_t, initrc_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
ifdef(`bootloader.te', `
Chris PeBenito 0fbfa5
domain_auto_trans(dpkg_t, bootloader_exec_t, bootloader_t)
Chris PeBenito 0fbfa5
# for mkinitrd
Chris PeBenito 0fbfa5
can_exec(bootloader_t, dpkg_exec_t)
Chris PeBenito 0fbfa5
# for lilo to run dpkg
Chris PeBenito 0fbfa5
allow bootloader_t dpkg_etc_t:file { getattr read };
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# for kernel-image postinst
Chris PeBenito 0fbfa5
dontaudit dpkg_t fixed_disk_device_t:blk_file read;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# for /usr/lib/dpkg/controllib.pl calling getpwnam(3)
Chris PeBenito 0fbfa5
dontaudit dpkg_t shadow_t:file { getattr read };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# allow user domains to execute dpkg
Chris PeBenito 0fbfa5
allow userdomain dpkg_exec_t:dir r_dir_perms;
Chris PeBenito 0fbfa5
can_exec(userdomain, { dpkg_exec_t apt_exec_t })
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# allow everyone to read dpkg database
Chris PeBenito 0fbfa5
allow userdomain var_lib_t:dir search;
Chris PeBenito 0fbfa5
r_dir_file({ apt_t userdomain }, { dpkg_var_lib_t apt_var_lib_t var_cache_apt_t })
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# for /var/lib/dpkg/lock
Chris PeBenito 0fbfa5
rw_dir_create_file(apt_t, dpkg_var_lib_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
ifdef(`crond.te', `
Chris PeBenito 0fbfa5
rw_dir_create_file(system_crond_t, dpkg_var_lib_t)
Chris PeBenito 0fbfa5
allow system_crond_t dpkg_etc_t:file r_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# for Debian cron job
Chris PeBenito 0fbfa5
create_dir_file(system_crond_t, tetex_data_t)
Chris PeBenito 0fbfa5
can_exec(dpkg_t, tetex_data_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
r_dir_file(install_menu_t, { var_lib_t dpkg_var_lib_t lib_t })
Chris PeBenito 0fbfa5
allow install_menu_t initrc_t:fifo_file { read write };
Chris PeBenito 0fbfa5
allow { apt_t install_menu_t userdomain } dpkg_etc_t:file r_file_perms;
Chris PeBenito 0fbfa5
can_exec(sysadm_t, dpkg_etc_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# Inherit and use descriptors from open_init_pty
Chris PeBenito 0fbfa5
allow { apt_t dpkg_t install_menu_t } initrc_t:fd use;
Chris PeBenito 0fbfa5
dontaudit dpkg_t privfd:fd use;
Chris PeBenito 0fbfa5
allow { apt_t dpkg_t install_menu_t } devpts_t:dir search;
Chris PeBenito 0fbfa5
allow { apt_t dpkg_t install_menu_t } initrc_devpts_t:chr_file rw_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow ifconfig_t dpkg_t:fd use;
Chris PeBenito 0fbfa5
allow ifconfig_t dpkg_t:fifo_file { read write };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
uses_shlib({ dpkg_t apt_t })
Chris PeBenito 0fbfa5
allow dpkg_t proc_t:dir r_dir_perms;
Chris PeBenito 0fbfa5
allow dpkg_t proc_t:{ file lnk_file } r_file_perms;
Chris PeBenito 0fbfa5
allow dpkg_t fs_t:filesystem getattr;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow dpkg_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_resource mknod linux_immutable };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# for fgconsole - need policy for it
Chris PeBenito 0fbfa5
allow dpkg_t self:capability sys_tty_config;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow dpkg_t self:unix_dgram_socket create_socket_perms;
Chris PeBenito 0fbfa5
allow dpkg_t self:unix_stream_socket create_stream_socket_perms;
Chris PeBenito 0fbfa5
can_unix_connect(dpkg_t, self)
Chris PeBenito 0fbfa5
allow dpkg_t self:unix_dgram_socket sendto;
Chris PeBenito 0fbfa5
allow dpkg_t self:unix_stream_socket connect;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow { dpkg_t apt_t } devtty_t:chr_file rw_file_perms;
Chris PeBenito 0fbfa5
allow { dpkg_t apt_t } sysadm_tty_device_t:chr_file rw_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# dpkg really needs to be able to kill any process, unfortunate but true
Chris PeBenito 0fbfa5
allow dpkg_t domain:process signal;
Chris PeBenito 0fbfa5
allow dpkg_t sysadm_t:process sigchld;
Chris PeBenito 0fbfa5
allow dpkg_t self:process { setpgid signal_perms fork getsched };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# read/write/create any files in the system
Chris PeBenito 0fbfa5
allow dpkg_t sysadmfile:dir create_dir_perms;
Chris PeBenito 0fbfa5
allow dpkg_t sysadmfile:{ file fifo_file sock_file } create_file_perms;
Chris PeBenito 0fbfa5
allow dpkg_t sysadmfile:lnk_file create_lnk_perms;
Chris PeBenito 0fbfa5
allow dpkg_t device_type:{ chr_file blk_file } getattr;
Chris PeBenito 0fbfa5
dontaudit dpkg_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
Chris PeBenito 0fbfa5
allow dpkg_t proc_kmsg_t:file getattr;
Chris PeBenito 0fbfa5
allow dpkg_t fs_type:dir getattr;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# allow compiling and loading new policy
Chris PeBenito 0fbfa5
create_dir_file(dpkg_t, { policy_src_t policy_config_t })
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# change to the apt_t domain on exec from dpkg_t (dselect)
Chris PeBenito 0fbfa5
domain_auto_trans(dpkg_t, apt_exec_t, apt_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# allow apt to change /var/lib/apt files
Chris PeBenito 0fbfa5
allow apt_t { apt_var_lib_t var_cache_apt_t }:dir rw_dir_perms;
Chris PeBenito 0fbfa5
allow apt_t { apt_var_lib_t var_cache_apt_t }:file create_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# allow apt to create /usr/lib/site-python/DebianControlParser.pyc
Chris PeBenito 0fbfa5
rw_dir_create_file(apt_t, lib_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# for apt-listbugs
Chris PeBenito 0fbfa5
allow apt_t usr_t:file { getattr read ioctl };
Chris PeBenito 0fbfa5
allow apt_t usr_t:lnk_file read;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# allow /var/cache/apt/archives to be owned by non-root
Chris PeBenito 0fbfa5
allow apt_t self:capability { chown dac_override fowner fsetid };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
can_exec(apt_t, { apt_exec_t bin_t sbin_t shell_exec_t })
Chris PeBenito 0fbfa5
allow apt_t { bin_t sbin_t }:dir search;
Chris PeBenito 0fbfa5
allow apt_t self:process { signal sigchld fork };
Chris PeBenito 0fbfa5
allow apt_t sysadm_t:process sigchld;
Chris PeBenito 0fbfa5
can_network({ apt_t dpkg_t })
Chris PeBenito 2705f9
allow { apt_t dpkg_t } port_type:tcp_socket name_connect;
Chris PeBenito 0fbfa5
can_ypbind({ apt_t dpkg_t })
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow { apt_t dpkg_t } var_t:dir { search getattr };
Chris PeBenito 0fbfa5
dontaudit apt_t { fs_type file_type }:dir getattr;
Chris PeBenito 0fbfa5
allow { apt_t dpkg_t } { var_lib_t bin_t }:dir r_dir_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow { apt_t dpkg_t } dpkg_lock_t:file { setattr rw_file_perms };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# for /proc/meminfo and for "ps"
Chris PeBenito 0fbfa5
allow apt_t { proc_t apt_t }:dir r_dir_perms;
Chris PeBenito 0fbfa5
allow apt_t { proc_t apt_t }:{ file lnk_file } r_file_perms;
Chris PeBenito 0fbfa5
allow apt_t self:fifo_file rw_file_perms;
Chris PeBenito 0fbfa5
allow dpkg_t self:fifo_file rw_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow apt_t etc_t:dir r_dir_perms;
Chris PeBenito 0fbfa5
allow apt_t etc_t:file r_file_perms;
Chris PeBenito 0fbfa5
allow apt_t etc_t:lnk_file read;
Chris PeBenito 0fbfa5
read_locale(apt_t)
Chris PeBenito 0fbfa5
r_dir_file(userdomain, apt_etc_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# apt wants to check available disk space
Chris PeBenito 0fbfa5
allow apt_t fs_t:filesystem getattr;
Chris PeBenito 0fbfa5
allow apt_t etc_runtime_t:file r_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# auto transition from apt_t to dpkg_t because for 99% of Debian upgrades you
Chris PeBenito 0fbfa5
# have apt run dpkg.
Chris PeBenito 0fbfa5
# This means that getting apt_t access is almost as good as dpkg_t which has
Chris PeBenito 0fbfa5
# as much power as sysadm_t...
Chris PeBenito 0fbfa5
domain_auto_trans(apt_t, dpkg_exec_t, dpkg_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# hack to allow update-menus/install-menu to manage menus
Chris PeBenito 0fbfa5
type install_menu_t, domain, admin, etc_writer;
Chris PeBenito 0fbfa5
type install_menu_exec_t, file_type, sysadmfile, exec_type;
Chris PeBenito 0fbfa5
var_run_domain(install_menu)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow install_menu_t self:unix_stream_socket create_socket_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
type debian_menu_t, file_type, sysadmfile;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
r_dir_file(userdomain, debian_menu_t)
Chris PeBenito 0fbfa5
dontaudit install_menu_t sysadm_home_dir_t:dir search;
Chris PeBenito 0fbfa5
create_dir_file(install_menu_t, debian_menu_t)
Chris PeBenito 0fbfa5
allow install_menu_t dpkg_lock_t:file { setattr rw_file_perms };
Chris PeBenito 0fbfa5
allow install_menu_t self:process signal;
Chris PeBenito 0fbfa5
allow install_menu_t proc_t:dir search;
Chris PeBenito 0fbfa5
allow install_menu_t proc_t:file r_file_perms;
Chris PeBenito 0fbfa5
can_getcon(install_menu_t)
Chris PeBenito 0fbfa5
can_exec(install_menu_t, { bin_t sbin_t shell_exec_t install_menu_exec_t dpkg_exec_t })
Chris PeBenito 0fbfa5
allow install_menu_t { bin_t sbin_t }:dir search;
Chris PeBenito 0fbfa5
allow install_menu_t bin_t:lnk_file read;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# for menus
Chris PeBenito 0fbfa5
allow install_menu_t usr_t:file r_file_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
# for /etc/kde3/debian/kde-update-menu.sh
Chris PeBenito 0fbfa5
can_exec(install_menu_t, etc_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow install_menu_t var_t:dir search;
Chris PeBenito 0fbfa5
tmp_domain(install_menu)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
create_dir_file(install_menu_t, var_lib_t)
Chris PeBenito 0fbfa5
ifdef(`xdm.te', `
Chris PeBenito 0fbfa5
create_dir_file(install_menu_t, xdm_var_lib_t)
Chris PeBenito 0fbfa5
')
Chris PeBenito 0fbfa5
allow install_menu_t { var_spool_t etc_t }:dir rw_dir_perms;
Chris PeBenito 0fbfa5
allow install_menu_t { var_spool_t etc_t }:file create_file_perms;
Chris PeBenito 0fbfa5
allow install_menu_t self:fifo_file rw_file_perms;
Chris PeBenito 0fbfa5
allow install_menu_t etc_runtime_t:file r_file_perms;
Chris PeBenito 0fbfa5
allow install_menu_t devtty_t:chr_file rw_file_perms;
Chris PeBenito 0fbfa5
allow install_menu_t fs_t:filesystem getattr;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
domain_auto_trans(dpkg_t, install_menu_exec_t, install_menu_t)
Chris PeBenito 0fbfa5
allow dpkg_t install_menu_t:process signal_perms;
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow install_menu_t privfd:fd use;
Chris PeBenito 0fbfa5
uses_shlib(install_menu_t)
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
allow install_menu_t self:process { fork sigchld };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
role system_r types { dpkg_t apt_t install_menu_t };
Chris PeBenito 0fbfa5
Chris PeBenito 0fbfa5
#################################
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
# Rules for the run_deb_t domain.
Chris PeBenito 0fbfa5
#
Chris PeBenito 0fbfa5
#run_program(sysadm_t, sysadm_r, deb, dpkg_exec_t, dpkg_t)
Chris PeBenito 0fbfa5
#domain_trans(run_deb_t, apt_exec_t, apt_t)
Chris PeBenito 0fbfa5
domain_auto_trans(initrc_t, dpkg_exec_t, dpkg_t)
Chris PeBenito 0fbfa5
domain_auto_trans(initrc_t, apt_exec_t, apt_t)