Blob Blame History Raw
#DESC Dpkg - Debian package manager
#
# Author:  Russell Coker <russell@coker.com.au>
# X-Debian-Packages: dpkg
#

#################################
#
# Rules for the dpkg_t domain.
#
type dpkg_t, domain, admin, privlog, privmail, etc_writer, privmodule;
type dpkg_exec_t, file_type, sysadmfile, exec_type;
type dpkg_var_lib_t, file_type, sysadmfile;
type dpkg_etc_t, file_type, sysadmfile, usercanread;
typealias dpkg_etc_t alias etc_dpkg_t;
type dpkg_lock_t, file_type, sysadmfile;
type debconf_cache_t, file_type, sysadmfile;

tmp_domain(dpkg)
can_setfscreate(dpkg_t)
can_exec(dpkg_t, { dpkg_exec_t bin_t shell_exec_t dpkg_tmp_t ls_exec_t dpkg_var_lib_t dpkg_etc_t sbin_t lib_t fsadm_exec_t })

ifdef(`load_policy.te', `
domain_auto_trans(dpkg_t, load_policy_exec_t, load_policy_t)
')
ifdef(`rlogind.te', `
# for ssh
can_exec(dpkg_t, rlogind_exec_t)
')
can_exec(dpkg_t, { init_exec_t etc_t })
ifdef(`hostname.te', `
can_exec(dpkg_t, hostname_exec_t)
')
ifdef(`mta.te', `
allow system_mail_t dpkg_tmp_t:file { getattr read };
')
ifdef(`logrotate.te', `
allow logrotate_t dpkg_var_lib_t:file create_file_perms;
')

# for open office
can_exec(dpkg_t, usr_t)

allow { dpkg_t apt_t install_menu_t } urandom_device_t:chr_file read;

# for upgrading policycoreutils and loading policy
allow dpkg_t security_t:dir { getattr search };
allow dpkg_t security_t:file { getattr read };

ifdef(`setfiles.te',
`domain_auto_trans(dpkg_t, setfiles_exec_t, setfiles_t)')
ifdef(`nscd.te', `domain_auto_trans(dpkg_t, nscd_exec_t, nscd_t)')
ifdef(`modutil.te', `
domain_auto_trans(dpkg_t, update_modules_exec_t, update_modules_t)
domain_auto_trans(dpkg_t, depmod_exec_t, depmod_t)

# for touch
allow initrc_t modules_dep_t:file write;
')
ifdef(`ipsec.te', `
allow { ipsec_mgmt_t ipsec_t } dpkg_t:fd use;
allow ipsec_mgmt_t dpkg_t:fifo_file write;
allow ipsec_mgmt_t dpkg_tmp_t:file { getattr write };
allow ipsec_t dpkg_t:fifo_file { read write };
domain_auto_trans(dpkg_t, ipsec_mgmt_exec_t, ipsec_mgmt_t)
')
ifdef(`cardmgr.te', `
allow cardmgr_t dpkg_t:fd use;
allow cardmgr_t dpkg_t:fifo_file write;
domain_auto_trans(dpkg_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t)
# for start-stop-daemon
allow dpkg_t cardmgr_t:process signull;
')
ifdef(`mount.te', `
domain_auto_trans(dpkg_t, mount_exec_t, mount_t)
')
ifdef(`mozilla.te', `
# hate to do this, for mozilla install scripts
can_exec(dpkg_t, mozilla_exec_t)
')
ifdef(`postfix.te', `
domain_auto_trans(dpkg_t, postfix_master_exec_t, postfix_master_t)
')
ifdef(`apache.te', `
domain_auto_trans(dpkg_t, httpd_exec_t, httpd_t)
')
ifdef(`named.te', `
file_type_auto_trans(dpkg_t, named_zone_t, named_conf_t, file)
')
ifdef(`nsd.te', `
allow nsd_crond_t initrc_t:fd use;
allow nsd_crond_t initrc_devpts_t:chr_file { read write };
domain_auto_trans(dpkg_t, nsd_exec_t, nsd_crond_t)
')
# because the syslogd package is broken and does not use the start scripts
ifdef(`klogd.te', `
domain_auto_trans(dpkg_t, klogd_exec_t, klogd_t)
')
ifdef(`syslogd.te', `
domain_auto_trans(dpkg_t, syslogd_exec_t, syslogd_t)
allow system_crond_t syslogd_t:dir search;
allow system_crond_t syslogd_t:file { getattr read };
allow system_crond_t syslogd_t:process signal;
')
# mysqld is broken too
ifdef(`mysqld.te', `
domain_auto_trans(dpkg_t, mysqld_exec_t, mysqld_t)
can_unix_connect(dpkg_t, mysqld_t)
allow mysqld_t dpkg_tmp_t:file { getattr read };
')
ifdef(`postgresql.te', `
# because postgresql postinst creates scripts in /tmp and then runs them
# also the init scripts do more than they should
allow { initrc_t postgresql_t } dpkg_tmp_t:file write;
# for "touch" when it tries to create the log file
# this works for upgrades, maybe we should allow create access for first install
allow initrc_t postgresql_log_t:file { write setattr };
# for dumpall
can_exec(postgresql_t, postgresql_db_t)
')
ifdef(`sysstat.te', `
domain_auto_trans(dpkg_t, sysstat_exec_t, sysstat_t)
')
ifdef(`rpcd.te', `
allow rpcd_t dpkg_t:fd use;
allow rpcd_t dpkg_t:fifo_file { read write };
')
ifdef(`load_policy.te', `
allow load_policy_t initrc_t:fifo_file { read write };
')
ifdef(`checkpolicy.te', `
domain_auto_trans(dpkg_t, checkpolicy_exec_t, checkpolicy_t)
role system_r types checkpolicy_t;
allow checkpolicy_t initrc_t:fd use;
allow checkpolicy_t initrc_t:fifo_file write;
allow checkpolicy_t initrc_devpts_t:chr_file { read write };
')
ifdef(`amavis.te', `
r_dir_file(initrc_t, dpkg_var_lib_t)
')
ifdef(`nessusd.te', `
domain_auto_trans(dpkg_t, nessusd_exec_t, nessusd_t)
')
ifdef(`crack.te', `
allow crack_t initrc_t:fd use;
domain_auto_trans(dpkg_t, crack_exec_t, crack_t)
')
ifdef(`xdm.te', `
domain_auto_trans(dpkg_t, xserver_exec_t, xdm_xserver_t)
')
ifdef(`clamav.te', `
domain_auto_trans(dpkg_t, freshclam_exec_t, freshclam_t)
')
ifdef(`squid.te', `
domain_auto_trans(dpkg_t, squid_exec_t, squid_t)
')
ifdef(`useradd.te', `
domain_auto_trans(dpkg_t, useradd_exec_t, useradd_t)
domain_auto_trans(dpkg_t, groupadd_exec_t, groupadd_t)
role system_r types { useradd_t groupadd_t };
')
ifdef(`passwd.te', `
domain_auto_trans(dpkg_t, chfn_exec_t, chfn_t)
')
ifdef(`ldconfig.te', `
domain_auto_trans(dpkg_t, ldconfig_exec_t, ldconfig_t)
')
ifdef(`portmap.te', `
# for pmap_dump
domain_auto_trans(dpkg_t, portmap_exec_t, portmap_t)
')

# for apt
type apt_t, domain, admin, privmail, web_client_domain;
type apt_exec_t, file_type, sysadmfile, exec_type;
type apt_var_lib_t, file_type, sysadmfile;
type var_cache_apt_t, file_type, sysadmfile;
etcdir_domain(apt)
typealias apt_etc_t alias etc_apt_t;
type apt_rw_etc_t, file_type, sysadmfile;
typealias apt_rw_etc_t alias etc_apt_rw_t;
tmp_domain(apt, `', `{ dir file lnk_file }')
can_exec(apt_t, apt_tmp_t)

rw_dir_create_file(apt_t, apt_rw_etc_t)

allow { apt_t dpkg_t install_menu_t } device_t:dir { getattr search };

dontaudit apt_t var_log_t:dir getattr;
dontaudit apt_t var_run_t:dir search;

# for rc files such as ~/.less
r_dir_file(apt_t, sysadm_home_t)
allow apt_t sysadm_home_dir_t:dir { search getattr };

allow apt_t bin_t:lnk_file r_file_perms;

rw_dir_create_file(apt_t, debconf_cache_t)
r_dir_file(userdomain, debconf_cache_t)

# for python
read_sysctl(apt_t)
read_sysctl(dpkg_t)

allow dpkg_t console_device_t:chr_file rw_file_perms;

allow apt_t self:unix_stream_socket create_socket_perms;

allow dpkg_t domain:dir r_dir_perms;
allow dpkg_t domain:{ file lnk_file } r_file_perms;

# for shared objects that are not yet labelled (upgrades)
allow { apt_t dpkg_t } lib_t:file execute;

# when dpkg runs postinst scripts run them in initrc_t domain so that the
# daemons are started in the correct context
domain_auto_trans(dpkg_t, initrc_exec_t, initrc_t)

ifdef(`bootloader.te', `
domain_auto_trans(dpkg_t, bootloader_exec_t, bootloader_t)
# for mkinitrd
can_exec(bootloader_t, dpkg_exec_t)
# for lilo to run dpkg
allow bootloader_t dpkg_etc_t:file { getattr read };
')

# for kernel-image postinst
dontaudit dpkg_t fixed_disk_device_t:blk_file read;

# for /usr/lib/dpkg/controllib.pl calling getpwnam(3)
dontaudit dpkg_t shadow_t:file { getattr read };

# allow user domains to execute dpkg
allow userdomain dpkg_exec_t:dir r_dir_perms;
can_exec(userdomain, { dpkg_exec_t apt_exec_t })

# allow everyone to read dpkg database
allow userdomain var_lib_t:dir search;
r_dir_file({ apt_t userdomain }, { dpkg_var_lib_t apt_var_lib_t var_cache_apt_t })

# for /var/lib/dpkg/lock
rw_dir_create_file(apt_t, dpkg_var_lib_t)

ifdef(`crond.te', `
rw_dir_create_file(system_crond_t, dpkg_var_lib_t)
allow system_crond_t dpkg_etc_t:file r_file_perms;

# for Debian cron job
create_dir_file(system_crond_t, tetex_data_t)
can_exec(dpkg_t, tetex_data_t)
')

r_dir_file(install_menu_t, { var_lib_t dpkg_var_lib_t lib_t })
allow install_menu_t initrc_t:fifo_file { read write };
allow { apt_t install_menu_t userdomain } dpkg_etc_t:file r_file_perms;
can_exec(sysadm_t, dpkg_etc_t)

# Inherit and use descriptors from open_init_pty
allow { apt_t dpkg_t install_menu_t } initrc_t:fd use;
dontaudit dpkg_t privfd:fd use;
allow { apt_t dpkg_t install_menu_t } devpts_t:dir search;
allow { apt_t dpkg_t install_menu_t } initrc_devpts_t:chr_file rw_file_perms;

allow ifconfig_t dpkg_t:fd use;
allow ifconfig_t dpkg_t:fifo_file { read write };

uses_shlib({ dpkg_t apt_t })
allow dpkg_t proc_t:dir r_dir_perms;
allow dpkg_t proc_t:{ file lnk_file } r_file_perms;
allow dpkg_t fs_t:filesystem getattr;

allow dpkg_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_resource mknod linux_immutable };

# for fgconsole - need policy for it
allow dpkg_t self:capability sys_tty_config;

allow dpkg_t self:unix_dgram_socket create_socket_perms;
allow dpkg_t self:unix_stream_socket create_stream_socket_perms;
can_unix_connect(dpkg_t, self)
allow dpkg_t self:unix_dgram_socket sendto;
allow dpkg_t self:unix_stream_socket connect;

allow { dpkg_t apt_t } devtty_t:chr_file rw_file_perms;
allow { dpkg_t apt_t } sysadm_tty_device_t:chr_file rw_file_perms;

# dpkg really needs to be able to kill any process, unfortunate but true
allow dpkg_t domain:process signal;
allow dpkg_t sysadm_t:process sigchld;
allow dpkg_t self:process { setpgid signal_perms fork getsched };

# read/write/create any files in the system
allow dpkg_t sysadmfile:dir create_dir_perms;
allow dpkg_t sysadmfile:{ file fifo_file sock_file } create_file_perms;
allow dpkg_t sysadmfile:lnk_file create_lnk_perms;
allow dpkg_t device_type:{ chr_file blk_file } getattr;
dontaudit dpkg_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
allow dpkg_t proc_kmsg_t:file getattr;
allow dpkg_t fs_type:dir getattr;

# allow compiling and loading new policy
create_dir_file(dpkg_t, { policy_src_t policy_config_t })

# change to the apt_t domain on exec from dpkg_t (dselect)
domain_auto_trans(dpkg_t, apt_exec_t, apt_t)

# allow apt to change /var/lib/apt files
allow apt_t { apt_var_lib_t var_cache_apt_t }:dir rw_dir_perms;
allow apt_t { apt_var_lib_t var_cache_apt_t }:file create_file_perms;

# allow apt to create /usr/lib/site-python/DebianControlParser.pyc
rw_dir_create_file(apt_t, lib_t)

# for apt-listbugs
allow apt_t usr_t:file { getattr read ioctl };
allow apt_t usr_t:lnk_file read;

# allow /var/cache/apt/archives to be owned by non-root
allow apt_t self:capability { chown dac_override fowner fsetid };

can_exec(apt_t, { apt_exec_t bin_t sbin_t shell_exec_t })
allow apt_t { bin_t sbin_t }:dir search;
allow apt_t self:process { signal sigchld fork };
allow apt_t sysadm_t:process sigchld;
can_network({ apt_t dpkg_t })
can_ypbind({ apt_t dpkg_t })

allow { apt_t dpkg_t } var_t:dir { search getattr };
dontaudit apt_t { fs_type file_type }:dir getattr;
allow { apt_t dpkg_t } { var_lib_t bin_t }:dir r_dir_perms;

allow { apt_t dpkg_t } dpkg_lock_t:file { setattr rw_file_perms };

# for /proc/meminfo and for "ps"
allow apt_t { proc_t apt_t }:dir r_dir_perms;
allow apt_t { proc_t apt_t }:{ file lnk_file } r_file_perms;
allow apt_t self:fifo_file rw_file_perms;
allow dpkg_t self:fifo_file rw_file_perms;

allow apt_t etc_t:dir r_dir_perms;
allow apt_t etc_t:file r_file_perms;
allow apt_t etc_t:lnk_file read;
read_locale(apt_t)
r_dir_file(userdomain, apt_etc_t)

# apt wants to check available disk space
allow apt_t fs_t:filesystem getattr;
allow apt_t etc_runtime_t:file r_file_perms;

# auto transition from apt_t to dpkg_t because for 99% of Debian upgrades you
# have apt run dpkg.
# This means that getting apt_t access is almost as good as dpkg_t which has
# as much power as sysadm_t...
domain_auto_trans(apt_t, dpkg_exec_t, dpkg_t)

# hack to allow update-menus/install-menu to manage menus
type install_menu_t, domain, admin, etc_writer;
type install_menu_exec_t, file_type, sysadmfile, exec_type;
var_run_domain(install_menu)

allow install_menu_t self:unix_stream_socket create_socket_perms;

type debian_menu_t, file_type, sysadmfile;

r_dir_file(userdomain, debian_menu_t)
dontaudit install_menu_t sysadm_home_dir_t:dir search;
create_dir_file(install_menu_t, debian_menu_t)
allow install_menu_t dpkg_lock_t:file { setattr rw_file_perms };
allow install_menu_t self:process signal;
allow install_menu_t proc_t:dir search;
allow install_menu_t proc_t:file r_file_perms;
can_getcon(install_menu_t)
can_exec(install_menu_t, { bin_t sbin_t shell_exec_t install_menu_exec_t dpkg_exec_t })
allow install_menu_t { bin_t sbin_t }:dir search;
allow install_menu_t bin_t:lnk_file read;

# for menus
allow install_menu_t usr_t:file r_file_perms;

# for /etc/kde3/debian/kde-update-menu.sh
can_exec(install_menu_t, etc_t)

allow install_menu_t var_t:dir search;
tmp_domain(install_menu)

create_dir_file(install_menu_t, var_lib_t)
ifdef(`xdm.te', `
create_dir_file(install_menu_t, xdm_var_lib_t)
')
allow install_menu_t { var_spool_t etc_t }:dir rw_dir_perms;
allow install_menu_t { var_spool_t etc_t }:file create_file_perms;
allow install_menu_t self:fifo_file rw_file_perms;
allow install_menu_t etc_runtime_t:file r_file_perms;
allow install_menu_t devtty_t:chr_file rw_file_perms;
allow install_menu_t fs_t:filesystem getattr;

domain_auto_trans(dpkg_t, install_menu_exec_t, install_menu_t)
allow dpkg_t install_menu_t:process signal_perms;

allow install_menu_t privfd:fd use;
uses_shlib(install_menu_t)

allow install_menu_t self:process { fork sigchld };

role system_r types { dpkg_t apt_t install_menu_t };

#################################
#
# Rules for the run_deb_t domain.
#
#run_program(sysadm_t, sysadm_r, deb, dpkg_exec_t, dpkg_t)
#domain_trans(run_deb_t, apt_exec_t, apt_t)
domain_auto_trans(initrc_t, dpkg_exec_t, dpkg_t)
domain_auto_trans(initrc_t, apt_exec_t, apt_t)