diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 91054ea..da7184e 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,6 +1,8 @@
- Added modules:
amavis (Erich Schubert)
+ apt (Erich Schubert)
clamav (Erich Schubert)
+ dpkg (Erich Schubert)
tor (Erich Schubert)
* Tue Mar 07 2006 Chris PeBenito - 20060307
diff --git a/refpolicy/policy/modules/admin/apt.fc b/refpolicy/policy/modules/admin/apt.fc
new file mode 100644
index 0000000..d31952b
--- /dev/null
+++ b/refpolicy/policy/modules/admin/apt.fc
@@ -0,0 +1,13 @@
+/usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0)
+# apt-shell is redhat specific
+/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
+# other package managers
+/usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
+
+# package cache repository
+/var/cache/apt(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
+
+# package list repository
+/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
+/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
diff --git a/refpolicy/policy/modules/admin/apt.if b/refpolicy/policy/modules/admin/apt.if
new file mode 100644
index 0000000..180f05e
--- /dev/null
+++ b/refpolicy/policy/modules/admin/apt.if
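Review bot: The rpm.fc hunk in this same commit drops `/usr/bin/synaptic` from rpm_exec_t, but apt.fc only labels `/usr/sbin/synaptic`, so on the apt-rpm layouts the old entry covered, synaptic now falls back to bin_t and runs in the caller's domain instead of apt_t. Add `/usr/bin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)` next to the sbin entry, or note why the /usr/bin path is no longer wanted. The same check applies to apt-shell, which the comment flags as Red Hat specific and whose Debian counterpart is not listed here.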
@@ -0,0 +1,178 @@
+## APT advanced package toll.
+
+########################################
+##
+## Execute apt programs in the apt domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`apt_domtrans',`
+ gen_require(`
+ type apt_t, apt_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domain_auto_trans($1,apt_exec_t,apt_t)
+
+ # allow basic communication
+ allow $1 apt_t:fd use;
+ allow apt_t $1:fd use;
+ allow apt_t $1:fifo_file rw_file_perms;
+ allow apt_t $1:process sigchld;
+')
+
+########################################
+##
+## Execute apt programs in the apt domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+##
+## The role to allow the apt domain.
+##
+##
+##
+##
+## The type of the terminal allow the apt domain to use.
+##
+##
+#
+interface(`apt_run',`
+ gen_require(`
+ type apt_t;
+ ')
+
+ apt_domtrans($1)
+ role $2 types apt_t;
+ allow apt_t $3:chr_file rw_term_perms;
+ # TODO: likely have to add dpkg_run here.
+')
+
+########################################
+##
+## Inherit and use file descriptors from apt.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`apt_use_fds',`
+ gen_require(`
+ type apt_t;
+ ')
+
+ allow $1 apt_t:fd use;
+ # TODO: enforce dpkg_use_fd?
+')
+
+########################################
+##
+## Read from an unnamed apt pipe.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`apt_read_pipes',`
+ gen_require(`
+ type apt_t;
+ ')
+
+ allow $1 apt_t:fifo_file r_file_perms;
+ # TODO: enforce dpkg_read_pipes?
+')
+
+########################################
+##
+## Read and write an unnamed apt pipe.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`apt_rw_pipes',`
+ gen_require(`
+ type apt_t;
+ ')
+
+ allow $1 apt_t:fifo_file rw_file_perms;
+ # TODO: enforce dpkg_rw_pipes?
+')
+
+########################################
+##
+## Read the apt package database.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`apt_read_db',`
+ gen_require(`
+ type apt_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 apt_var_lib_t:dir r_dir_perms;
+ allow $1 apt_var_lib_t:file { getattr read };
+ allow $1 apt_var_lib_t:lnk_file r_file_perms;
+')
+
+########################################
+##
+## Create, read, write, and delete the apt package database.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`apt_manage_db',`
+ gen_require(`
+ type apt_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 apt_var_lib_t:dir rw_dir_perms;
+ allow $1 apt_var_lib_t:file { getattr create read write append unlink };
+ allow $1 apt_var_lib_t:lnk_file { getattr read write unlink };
+')
+
+########################################
+##
+## Do not audit attempts to create, read,
+## write, and delete the apt package database.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`apt_dontaudit_manage_db',`
+ gen_require(`
+ type apt_var_lib_t;
+ ')
+
+ dontaudit $1 apt_var_lib_t:dir rw_dir_perms;
+ dontaudit $1 apt_var_lib_t:file create_file_perms;
+ dontaudit $1 apt_var_lib_t:lnk_file create_lnk_perms;
+')
diff --git a/refpolicy/policy/modules/admin/apt.te b/refpolicy/policy/modules/admin/apt.te
new file mode 100644
index 0000000..3a659b6
--- /dev/null
+++ b/refpolicy/policy/modules/admin/apt.te
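Review bot: apt_run only grants `role $2 types apt_t;`, yet apt.te in this commit has apt_t transition into dpkg_t (via dpkg_domtrans) and, on RPM systems, rpm_t, so the transition is refused for any role that has not separately been given those types; today it only works for sysadm_r because userdomain.te happens to call dpkg_run for the same role, which is the fragility the `# TODO: likely have to add dpkg_run here.` comment is pointing at. Granting the roles here keeps apt_run self-contained, e.g. an `optional_policy(`dpkg',` block inside the interface that requires dpkg_t and dpkg_script_t and adds `role $2 types dpkg_t;` and `role $2 types dpkg_script_t;` (assuming optional blocks are permitted inside interfaces at this refpolicy version); the rpm side needs the same treatment. Separately, the module summary reads `## APT advanced package toll.` and should be `## APT advanced package tool.`, since it is what the generated interface documentation shows.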
@@ -0,0 +1,136 @@
+
+policy_module(apt,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type apt_t;
+type apt_exec_t;
+init_system_domain(apt_t,apt_exec_t)
+domain_system_change_exemption(apt_t)
+domain_getattr_all_domains(apt_t)
+role system_r types apt_t;
+
+type apt_tmp_t;
+files_tmp_file(apt_tmp_t)
+
+type apt_tmpfs_t;
+files_tmpfs_file(apt_tmpfs_t)
+
+# status files
+type apt_var_lib_t alias var_lib_apt_t;
+files_type(apt_var_lib_t)
+
+# package cache
+type apt_var_cache_t alias var_cache_apt_t;
+files_type(apt_var_cache_t)
+
+########################################
+#
+# apt Local policy
+#
+
+allow apt_t self:capability { chown dac_override fowner fsetid };
+allow apt_t self:process { signal setpgid fork };
+allow apt_t self:fd use;
+allow apt_t self:fifo_file rw_file_perms;
+allow apt_t self:unix_dgram_socket create_socket_perms;
+allow apt_t self:unix_stream_socket rw_stream_socket_perms;
+allow apt_t self:unix_dgram_socket sendto;
+allow apt_t self:unix_stream_socket connectto;
+allow apt_t self:udp_socket { connect create_socket_perms };
+allow apt_t self:tcp_socket create_stream_socket_perms;
+allow apt_t self:shm create_shm_perms;
+allow apt_t self:sem create_sem_perms;
+allow apt_t self:msgq create_msgq_perms;
+allow apt_t self:msg { send receive };
+
+# Access /var/cache/apt files
+allow apt_t apt_var_cache_t:file create_file_perms;
+allow apt_t apt_var_cache_t:dir rw_dir_perms;
+files_var_filetrans(apt_t,apt_var_cache_t,dir)
+
+allow apt_t apt_tmp_t:dir create_dir_perms;
+allow apt_t apt_tmp_t:file create_file_perms;
+files_tmp_filetrans(apt_t, apt_tmp_t, { file dir })
+
+allow apt_t apt_tmpfs_t:dir create_dir_perms;
+allow apt_t apt_tmpfs_t:file create_file_perms;
+allow apt_t apt_tmpfs_t:lnk_file create_file_perms;
+allow apt_t apt_tmpfs_t:sock_file create_file_perms;
+allow apt_t apt_tmpfs_t:fifo_file create_file_perms;
+fs_tmpfs_filetrans(apt_t,apt_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+# Access /var/lib/apt files
+allow apt_t apt_var_lib_t:file create_file_perms;
+allow apt_t apt_var_lib_t:dir rw_dir_perms;
+files_var_lib_filetrans(apt_t,apt_var_lib_t,dir)
+
+kernel_read_system_state(apt_t)
+kernel_read_kernel_sysctls(apt_t)
+
+# to launch dpkg-preconfigure
+corecmd_exec_bin(apt_t)
+corecmd_exec_shell(apt_t)
+corecmd_exec_sbin(apt_t)
+
+corenet_tcp_sendrecv_all_if(apt_t)
+corenet_udp_sendrecv_all_if(apt_t)
+corenet_tcp_sendrecv_all_nodes(apt_t)
+corenet_udp_sendrecv_all_nodes(apt_t)
+corenet_tcp_sendrecv_all_ports(apt_t)
+corenet_udp_sendrecv_all_ports(apt_t)
+corenet_non_ipsec_sendrecv(apt_t)
+# TODO: reall allow all these?
+corenet_tcp_bind_all_nodes(apt_t)
+corenet_udp_bind_all_nodes(apt_t)
+corenet_tcp_connect_all_ports(apt_t)
+
+dev_read_urand(apt_t)
+
+files_exec_usr_files(apt_t)
+files_read_etc_files(apt_t)
+files_read_etc_runtime_files(apt_t)
+
+term_list_ptys(apt_t)
+term_use_all_terms(apt_t)
+
+libs_use_ld_so(apt_t)
+libs_use_shared_libs(apt_t)
+libs_exec_ld_so(apt_t)
+libs_exec_lib_files(apt_t)
+
+logging_send_syslog_msg(apt_t)
+
+miscfiles_read_localization(apt_t)
+
+seutil_use_newrole_fds(apt_t)
+
+sysnet_read_config(apt_t)
+
+ifdef(`targeted_policy',`
+ unconfined_domain(apt_t)
+')
+
+# with boolean, for cron-apt and such?
+#optional_policy(`cron',`
+# cron_system_entry(apt_t,apt_exec_t)
+#')
+
+optional_policy(`dpkg',`
+ # dpkg interaction
+ dpkg_read_db(apt_t)
+ dpkg_domtrans(apt_t)
+ dpkg_lock_db(apt_t)
+')
+
+optional_policy(`nis',`
+ nis_use_ypbind(apt_t)
+')
+
+optional_policy(`rpm',`
+ rpm_read_db(apt_t)
+ rpm_domtrans(apt_t)
+')
diff --git a/refpolicy/policy/modules/admin/dpkg.fc b/refpolicy/policy/modules/admin/dpkg.fc
new file mode 100644
index 0000000..6d0f9ee
--- /dev/null
+++ b/refpolicy/policy/modules/admin/dpkg.fc
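Review bot: The `# TODO: reall allow all these?` block grants `corenet_tcp_connect_all_ports(apt_t)` plus tcp and udp bind on all nodes, but apt_t is a download client: the fetch methods it executes (labeled bin_t by the corecommands.fc hunk in this commit, so they stay in apt_t) need outbound http/ftp and name resolution, and binding is only needed for active-mode FTP. Narrow it to `corenet_tcp_connect_http_port(apt_t)`, `corenet_tcp_connect_ftp_port(apt_t)` and `sysnet_dns_name_resolve(apt_t)` (assuming those interfaces exist at this refpolicy version), and keep connect_all_ports behind a comment or boolean for proxies on non-standard ports; the domain parses untrusted network data, so its reach after a method is compromised is what this list decides. `term_use_all_terms(apt_t)` is likewise broader than the terminal apt_run already passes in as $3 and is not needed for cron-apt, which has no terminal.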
@@ -0,0 +1,12 @@
+# Debian package manager
+/usr/bin/debsums -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+/usr/bin/dpkg -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+# not sure if dselect should be in apt instead?
+/usr/bin/dselect -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+
+/var/lib/dpkg(/.*)? gen_context(system_u:object_r:dpkg_var_lib_t,s0)
+# lockfile is treated specially, since used by apt, too
+/var/lib/dpkg/(meth)?lock -- gen_context(system_u:object_r:dpkg_lock_t,s0)
+
+/usr/sbin/dpkg-preconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0)
+/usr/sbin/dpkg-reconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/dpkg.if b/refpolicy/policy/modules/admin/dpkg.if
new file mode 100644
index 0000000..5d494be
--- /dev/null
+++ b/refpolicy/policy/modules/admin/dpkg.if
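Review bot: `/usr/bin/debsums` is labeled dpkg_exec_t, so a tool whose job is to read installed files and compare them with the recorded checksums runs in dpkg_t, which dpkg.te in this commit gives manage access to nearly every file, raw disk write and policy loading. An integrity checker is the one thing you want outside the package-manager domain (its verdict is what an administrator trusts after a suspected compromise); leave it as bin_t so it runs in the caller's domain, or give it a small read-only domain built from dpkg_read_db, and record the choice in the comment. The open question in `# not sure if dselect should be in apt instead?` can be settled by what dselect execs: to my knowledge it drives dpkg and its access methods rather than apt, so dpkg_exec_t looks right, but that reasoning belongs in the comment rather than a question mark.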
@@ -0,0 +1,240 @@
+## Policy for the Debian package manager.
+# TODO: need debconf policy
+# TODO: need install-menu policy
+
+########################################
+##
+## Execute dpkg programs in the dpkg domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`dpkg_domtrans',`
+ gen_require(`
+ type dpkg_t, dpkg_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domain_auto_trans($1,dpkg_exec_t,dpkg_t)
+
+ # allow basic communication
+ allow $1 dpkg_t:fd use;
+ allow dpkg_t $1:fd use;
+ allow dpkg_t $1:fifo_file rw_file_perms;
+ allow dpkg_t $1:process sigchld;
+')
+
+########################################
+##
+## Execute dpkg_script programs in the dpkg_script domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dpkg_domtrans_script',`
+ gen_require(`
+ type dpkg_script_t;
+ ')
+
+ # transition to dpkg script:
+ corecmd_shell_domtrans($1,dpkg_script_t)
+
+ allow $1 dpkg_script_t:fd use;
+ allow dpkg_script_t $1:fd use;
+ allow dpkg_script_t $1:fifo_file rw_file_perms;
+ allow dpkg_script_t $1:process sigchld;
+')
+
+########################################
+##
+## Execute dpkg programs in the dpkg domain.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+##
+## The role to allow the dpkg domain.
+##
+##
+##
+##
+## The type of the terminal allow the dpkg domain to use.
+##
+##
+#
+interface(`dpkg_run',`
+ gen_require(`
+ type dpkg_t, dpkg_script_t;
+ ')
+
+ dpkg_domtrans($1)
+ role $2 types dpkg_t;
+ role $2 types dpkg_script_t;
+ seutil_run_loadpolicy(dpkg_script_t,$2,$3)
+ allow dpkg_t $3:chr_file rw_term_perms;
+')
+
+########################################
+##
+## Inherit and use file descriptors from dpkg.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`dpkg_use_fds',`
+ gen_require(`
+ type dpkg_t;
+ ')
+
+ allow $1 dpkg_t:fd use;
+')
+
+########################################
+##
+## Read from an unnamed dpkg pipe.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`dpkg_read_pipes',`
+ gen_require(`
+ type dpkg_t;
+ ')
+
+ allow $1 dpkg_t:fifo_file r_file_perms;
+')
+
+########################################
+##
+## Read and write an unnamed dpkg pipe.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`dpkg_rw_pipes',`
+ gen_require(`
+ type dpkg_t;
+ ')
+
+ allow $1 dpkg_t:fifo_file rw_file_perms;
+')
+
+########################################
+##
+## Inherit and use file descriptors from dpkg scripts.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`dpkg_use_script_fds',`
+ gen_require(`
+ type dpkg_script_t;
+ ')
+
+ allow $1 dpkg_script_t:fd use;
+')
+
+########################################
+##
+## Read the dpkg package database.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`dpkg_read_db',`
+ gen_require(`
+ type dpkg_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 dpkg_var_lib_t:dir r_dir_perms;
+ allow $1 dpkg_var_lib_t:file { getattr read };
+ allow $1 dpkg_var_lib_t:lnk_file r_file_perms;
+')
+
+########################################
+##
+## Create, read, write, and delete the dpkg package database.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`dpkg_manage_db',`
+ gen_require(`
+ type dpkg_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 dpkg_var_lib_t:dir rw_dir_perms;
+ allow $1 dpkg_var_lib_t:file manage_file_perms;
+ allow $1 dpkg_var_lib_t:lnk_file { getattr read write unlink };
+')
+
+########################################
+##
+## Do not audit attempts to create, read,
+## write, and delete the dpkg package database.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`dpkg_dontaudit_manage_db',`
+ gen_require(`
+ type dpkg_var_lib_t;
+ ')
+
+ dontaudit $1 dpkg_var_lib_t:dir rw_dir_perms;
+ dontaudit $1 dpkg_var_lib_t:file manage_file_perms;
+ dontaudit $1 dpkg_var_lib_t:lnk_file create_lnk_perms;
+')
+
+########################################
+##
+## Lock the dpkg package database.
+##
+##
+##
+## The type of the process performing this action.
+##
+##
+#
+interface(`dpkg_lock_db',`
+ gen_require(`
+ type dpkg_lock_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 dpkg_var_lib_t:dir r_dir_perms;
+ allow $1 dpkg_lock_t:file { getattr create read write append unlink lock };
+')
diff --git a/refpolicy/policy/modules/admin/dpkg.te b/refpolicy/policy/modules/admin/dpkg.te
new file mode 100644
index 0000000..14cc4be
--- /dev/null
+++ b/refpolicy/policy/modules/admin/dpkg.te
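Review bot: dpkg_lock_db references dpkg_var_lib_t in `allow $1 dpkg_var_lib_t:dir r_dir_perms;` but its gen_require only names dpkg_lock_t, so when apt.te (a different module in this commit) expands the interface, the type is undeclared in that module's scope and a modular build fails; the require should read `type dpkg_lock_t, dpkg_var_lib_t;`. Every other interface in this file requires what it uses, which makes this one stand out. On the permission set itself, `create unlink` on dpkg_lock_t lets any caller remove the lock file, which is what makes the lock effective against concurrent package operations; if apt only opens and fcntl-locks `/var/lib/dpkg/lock` (I believe it does, but confirm), `{ getattr read write lock }` plus `create` is enough, and a comment saying why unlink is or is not needed would stop the next reader from widening it further.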
@@ -0,0 +1,348 @@
+
+policy_module(dpkg,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type dpkg_t;
+type dpkg_exec_t;
+# dpkg can start/stop services
+init_system_domain(dpkg_t,dpkg_exec_t)
+# dpkg can change file labels, roles, IO
+domain_obj_id_change_exemption(dpkg_t)
+domain_role_change_exemption(dpkg_t)
+domain_system_change_exemption(dpkg_t)
+domain_interactive_fd(dpkg_t)
+role system_r types dpkg_t;
+
+# lockfile
+type dpkg_lock_t;
+files_type(dpkg_lock_t)
+
+type dpkg_tmp_t;
+files_tmp_file(dpkg_tmp_t)
+
+type dpkg_tmpfs_t;
+files_tmpfs_file(dpkg_tmpfs_t)
+
+# status files
+type dpkg_var_lib_t alias var_lib_dpkg_t;
+files_type(dpkg_var_lib_t)
+
+# package scripts
+type dpkg_script_t;
+domain_type(dpkg_script_t)
+domain_entry_file(dpkg_t, dpkg_var_lib_t)
+corecmd_shell_entry_type(dpkg_script_t)
+domain_obj_id_change_exemption(dpkg_script_t)
+domain_system_change_exemption(dpkg_script_t)
+domain_interactive_fd(dpkg_script_t)
+role system_r types dpkg_script_t;
+
+type dpkg_script_tmp_t;
+files_tmp_file(dpkg_script_tmp_t)
+
+type dpkg_script_tmpfs_t;
+files_tmpfs_file(dpkg_script_tmpfs_t)
+
+########################################
+#
+# dpkg Local policy
+#
+
+allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
+allow dpkg_t self:process { setpgid fork getsched setfscreate };
+allow dpkg_t self:fd use;
+allow dpkg_t self:fifo_file rw_file_perms;
+allow dpkg_t self:unix_dgram_socket create_socket_perms;
+allow dpkg_t self:unix_stream_socket rw_stream_socket_perms;
+allow dpkg_t self:unix_dgram_socket sendto;
+allow dpkg_t self:unix_stream_socket connectto;
+allow dpkg_t self:udp_socket { connect create_socket_perms };
+allow dpkg_t self:tcp_socket create_stream_socket_perms;
+allow dpkg_t self:shm create_shm_perms;
+allow dpkg_t self:sem create_sem_perms;
+allow dpkg_t self:msgq create_msgq_perms;
+allow dpkg_t self:msg { send receive };
+
+allow dpkg_t dpkg_lock_t:file manage_file_perms;
+
+allow dpkg_t dpkg_tmp_t:dir manage_dir_perms;
+allow dpkg_t dpkg_tmp_t:file manage_file_perms;
+files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir })
+
+allow dpkg_t dpkg_tmpfs_t:dir manage_dir_perms;
+allow dpkg_t dpkg_tmpfs_t:file manage_file_perms;
+allow dpkg_t dpkg_tmpfs_t:lnk_file manage_file_perms;
+allow dpkg_t dpkg_tmpfs_t:sock_file manage_file_perms;
+allow dpkg_t dpkg_tmpfs_t:fifo_file manage_file_perms;
+fs_tmpfs_filetrans(dpkg_t,dpkg_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+# Access /var/lib/dpkg files
+allow dpkg_t dpkg_var_lib_t:file manage_file_perms;
+allow dpkg_t dpkg_var_lib_t:dir rw_dir_perms;
+files_var_lib_filetrans(dpkg_t,dpkg_var_lib_t,dir)
+
+kernel_read_system_state(dpkg_t)
+kernel_read_kernel_sysctls(dpkg_t)
+
+corecmd_exec_bin(dpkg_t)
+corecmd_exec_sbin(dpkg_t)
+
+# TODO: do we really need all networking?
+corenet_tcp_sendrecv_all_if(dpkg_t)
+corenet_raw_sendrecv_all_if(dpkg_t)
+corenet_udp_sendrecv_all_if(dpkg_t)
+corenet_tcp_sendrecv_all_nodes(dpkg_t)
+corenet_raw_sendrecv_all_nodes(dpkg_t)
+corenet_udp_sendrecv_all_nodes(dpkg_t)
+corenet_tcp_sendrecv_all_ports(dpkg_t)
+corenet_udp_sendrecv_all_ports(dpkg_t)
+corenet_non_ipsec_sendrecv(dpkg_t)
+corenet_tcp_bind_all_nodes(dpkg_t)
+corenet_udp_bind_all_nodes(dpkg_t)
+corenet_tcp_connect_all_ports(dpkg_t)
+
+dev_list_sysfs(dpkg_t)
+dev_list_usbfs(dpkg_t)
+dev_read_urand(dpkg_t)
+#devices_manage_all_device_types(dpkg_t)
+
+domain_exec_all_entry_files(dpkg_t)
+domain_read_all_domains_state(dpkg_t)
+domain_getattr_all_domains(dpkg_t)
+domain_dontaudit_ptrace_all_domains(dpkg_t)
+domain_use_interactive_fds(dpkg_t)
+domain_dontaudit_getattr_all_pipes(dpkg_t)
+domain_dontaudit_getattr_all_tcp_sockets(dpkg_t)
+domain_dontaudit_getattr_all_udp_sockets(dpkg_t)
+domain_dontaudit_getattr_all_packet_sockets(dpkg_t)
+domain_dontaudit_getattr_all_raw_sockets(dpkg_t)
+domain_dontaudit_getattr_all_stream_sockets(dpkg_t)
+domain_dontaudit_getattr_all_dgram_sockets(dpkg_t)
+
+fs_manage_nfs_dirs(dpkg_t)
+fs_manage_nfs_files(dpkg_t)
+fs_manage_nfs_symlinks(dpkg_t)
+fs_getattr_all_fs(dpkg_t)
+fs_search_auto_mountpoints(dpkg_t)
+
+mls_file_read_up(dpkg_t)
+mls_file_write_down(dpkg_t)
+mls_file_upgrade(dpkg_t)
+
+selinux_get_fs_mount(dpkg_t)
+selinux_validate_context(dpkg_t)
+selinux_compute_access_vector(dpkg_t)
+selinux_compute_create_context(dpkg_t)
+selinux_compute_relabel_context(dpkg_t)
+selinux_compute_user_contexts(dpkg_t)
+
+storage_raw_write_fixed_disk(dpkg_t)
+# for installing kernel packages
+storage_raw_read_fixed_disk(dpkg_t)
+
+term_list_ptys(dpkg_t)
+
+auth_relabel_all_files_except_shadow(dpkg_t)
+auth_manage_all_files_except_shadow(dpkg_t)
+auth_dontaudit_read_shadow(dpkg_t)
+
+files_exec_etc_files(dpkg_t)
+
+init_domtrans_script(dpkg_t)
+
+libs_use_ld_so(dpkg_t)
+libs_use_shared_libs(dpkg_t)
+libs_exec_ld_so(dpkg_t)
+libs_exec_lib_files(dpkg_t)
+libs_domtrans_ldconfig(dpkg_t)
+
+logging_send_syslog_msg(dpkg_t)
+
+# allow compiling and loading new policy
+seutil_manage_src_policy(dpkg_t)
+seutil_manage_bin_policy(dpkg_t)
+
+sysnet_read_config(dpkg_t)
+
+userdom_use_unpriv_users_fds(dpkg_t)
+
+# transition to dpkg script:
+dpkg_domtrans_script(dpkg_t)
+# since the scripts aren't labeled correctly yet...
+allow dpkg_t dpkg_var_lib_t:file execute;
+
+ifdef(`targeted_policy',`
+ unconfined_domain(dpkg_t)
+')
+
+# TODO: allow?
+#optional_policy(`cron',`
+# cron_system_entry(dpkg_t,dpkg_exec_t)
+#')
+
+optional_policy(`mount',`
+ mount_send_nfs_client_request(dpkg_t)
+')
+
+optional_policy(`nis',`
+ nis_use_ypbind(dpkg_t)
+')
+
+# TODO: the following was copied from dpkg_script_t, and could probably
+# be removed again when dpkg_script_t is actually used...
+domain_signal_all_domains(dpkg_t)
+domain_signull_all_domains(dpkg_t)
+files_read_etc_runtime_files(dpkg_t)
+files_exec_usr_files(dpkg_t)
+miscfiles_read_localization(dpkg_t)
+modutils_domtrans_depmod(dpkg_t)
+modutils_domtrans_insmod(dpkg_t)
+seutil_domtrans_loadpolicy(dpkg_t)
+seutil_domtrans_restorecon(dpkg_t)
+userdom_use_all_users_fds(dpkg_t)
+optional_policy(`mta',`
+ mta_send_mail(dpkg_t)
+')
+optional_policy(`usermanage',`
+ usermanage_domtrans_groupadd(dpkg_t)
+ usermanage_domtrans_useradd(dpkg_t)
+')
+
+########################################
+#
+# dpkg-script Local policy
+#
+# TODO: actually use dpkg_script_t
+
+allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill };
+allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow dpkg_script_t self:fd use;
+allow dpkg_script_t self:fifo_file rw_file_perms;
+allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
+allow dpkg_script_t self:unix_stream_socket rw_stream_socket_perms;
+allow dpkg_script_t self:unix_dgram_socket sendto;
+allow dpkg_script_t self:unix_stream_socket connectto;
+allow dpkg_script_t self:shm create_shm_perms;
+allow dpkg_script_t self:sem create_sem_perms;
+allow dpkg_script_t self:msgq create_msgq_perms;
+allow dpkg_script_t self:msg { send receive };
+
+allow dpkg_script_t dpkg_tmp_t:file r_file_perms;
+
+allow dpkg_script_t dpkg_script_tmp_t:dir { manage_dir_perms mounton };
+allow dpkg_script_t dpkg_script_tmp_t:file manage_file_perms;
+files_tmp_filetrans(dpkg_script_t, dpkg_script_tmp_t, { file dir })
+
+allow dpkg_script_t dpkg_script_tmpfs_t:dir manage_dir_perms;
+allow dpkg_script_t dpkg_script_tmpfs_t:file manage_file_perms;
+allow dpkg_script_t dpkg_script_tmpfs_t:lnk_file create_lnk_perms;
+allow dpkg_script_t dpkg_script_tmpfs_t:sock_file manage_file_perms;
+allow dpkg_script_t dpkg_script_tmpfs_t:fifo_file manage_file_perms;
+fs_tmpfs_filetrans(dpkg_script_t,dpkg_script_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+kernel_read_kernel_sysctls(dpkg_script_t)
+kernel_read_system_state(dpkg_script_t)
+
+corecmd_exec_bin(dpkg_script_t)
+corecmd_exec_sbin(dpkg_script_t)
+
+dev_list_sysfs(dpkg_script_t)
+# ideally we would not need this
+dev_manage_generic_blk_files(dpkg_script_t)
+dev_manage_generic_chr_files(dpkg_script_t)
+dev_manage_all_blk_files(dpkg_script_t)
+dev_manage_all_chr_files(dpkg_script_t)
+
+domain_read_all_domains_state(dpkg_script_t)
+domain_getattr_all_domains(dpkg_script_t)
+domain_dontaudit_ptrace_all_domains(dpkg_script_t)
+domain_use_interactive_fds(dpkg_script_t)
+domain_exec_all_entry_files(dpkg_script_t)
+domain_signal_all_domains(dpkg_script_t)
+domain_signull_all_domains(dpkg_script_t)
+
+files_exec_etc_files(dpkg_script_t)
+files_read_etc_runtime_files(dpkg_script_t)
+files_exec_usr_files(dpkg_script_t)
+
+fs_manage_nfs_files(dpkg_script_t)
+fs_getattr_nfs(dpkg_script_t)
+# why is this not using mount?
+fs_getattr_xattr_fs(dpkg_script_t)
+fs_mount_xattr_fs(dpkg_script_t)
+fs_unmount_xattr_fs(dpkg_script_t)
+fs_search_auto_mountpoints(dpkg_script_t)
+
+mls_file_read_up(dpkg_script_t)
+mls_file_write_down(dpkg_script_t)
+
+selinux_get_fs_mount(dpkg_script_t)
+selinux_validate_context(dpkg_script_t)
+selinux_compute_access_vector(dpkg_script_t)
+selinux_compute_create_context(dpkg_script_t)
+selinux_compute_relabel_context(dpkg_script_t)
+selinux_compute_user_contexts(dpkg_script_t)
+
+storage_raw_read_fixed_disk(dpkg_script_t)
+storage_raw_write_fixed_disk(dpkg_script_t)
+
+term_getattr_unallocated_ttys(dpkg_script_t)
+term_list_ptys(dpkg_script_t)
+term_use_all_terms(dpkg_script_t)
+
+auth_dontaudit_getattr_shadow(dpkg_script_t)
+# ideally we would not need this
+auth_manage_all_files_except_shadow(dpkg_script_t)
+
+init_domtrans_script(dpkg_script_t)
+
+libs_use_ld_so(dpkg_script_t)
+libs_use_shared_libs(dpkg_script_t)
+libs_exec_ld_so(dpkg_script_t)
+libs_exec_lib_files(dpkg_script_t)
+libs_domtrans_ldconfig(dpkg_script_t)
+
+logging_send_syslog_msg(dpkg_script_t)
+
+miscfiles_read_localization(dpkg_script_t)
+
+modutils_domtrans_depmod(dpkg_script_t)
+modutils_domtrans_insmod(dpkg_script_t)
+
+seutil_domtrans_loadpolicy(dpkg_script_t)
+seutil_domtrans_restorecon(dpkg_script_t)
+
+userdom_use_all_users_fds(dpkg_script_t)
+
+ifdef(`distro_redhat',`
+ unconfined_domain(dpkg_script_t)
+')
+
+ifdef(`targeted_policy',`
+ unconfined_domain(dpkg_script_t)
+',`
+ optional_policy(`bootloader',`
+ bootloader_domtrans(dpkg_script_t)
+ ')
+')
+
+tunable_policy(`allow_execmem',`
+ allow dpkg_script_t self:process execmem;
+')
+
+optional_policy(`mta',`
+ mta_send_mail(dpkg_script_t)
+')
+
+optional_policy(`nis',`
+ nis_use_ypbind(dpkg_script_t)
+')
+
+optional_policy(`usermanage',`
+ usermanage_domtrans_groupadd(dpkg_script_t)
+ usermanage_domtrans_useradd(dpkg_script_t)
+')
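Review bot: `domain_entry_file(dpkg_t, dpkg_var_lib_t)` in the declarations makes every file under /var/lib/dpkg a valid entrypoint into dpkg_t, and that directory is the writable package database: dpkg_t and dpkg_script_t manage it here, and any module calling dpkg_manage_db can create files in it, while dpkg_t itself gets auth_manage_all_files_except_shadow, storage_raw_write_fixed_disk and seutil_manage_bin_policy in this same hunk. The line sits under the `# package scripts` comment between the dpkg_script_t declarations, so it reads as a slip for `domain_entry_file(dpkg_script_t, dpkg_var_lib_t)`; even with that fix, the entrypoint should be a dedicated type for the maintainer scripts in /var/lib/dpkg/info (a dpkg_script_exec_t with its own file context) rather than the whole database, since the entrypoint is what pins "which code may run as this domain". Until that exists, `allow dpkg_t dpkg_var_lib_t:file execute;` and its `# since the scripts aren't labeled correctly yet...` comment should say what will replace it, e.g. `# TODO: drop once /var/lib/dpkg/info scripts carry their own exec type`, so the interim rule is not forgotten.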
diff --git a/refpolicy/policy/modules/admin/rpm.fc b/refpolicy/policy/modules/admin/rpm.fc
index 4fa7216..186995b 100644
--- a/refpolicy/policy/modules/admin/rpm.fc
+++ b/refpolicy/policy/modules/admin/rpm.fc
@@ -2,9 +2,6 @@
/bin/rpm -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/smart -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/bin/apt-get -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0)
-/usr/bin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/bin/yum -- gen_context(system_u:object_r:rpm_exec_t,s0)
/usr/lib(64)?/rpm/rpmd -- gen_context(system_u:object_r:bin_t,s0)
diff --git a/refpolicy/policy/modules/admin/rpm.te b/refpolicy/policy/modules/admin/rpm.te
index 57438fb..f9bd40d 100644
--- a/refpolicy/policy/modules/admin/rpm.te
+++ b/refpolicy/policy/modules/admin/rpm.te
@@ -1,5 +1,5 @@
-policy_module(rpm,1.3.0)
+policy_module(rpm,1.3.1)
########################################
#
diff --git a/refpolicy/policy/modules/admin/usermanage.te b/refpolicy/policy/modules/admin/usermanage.te
index 4bdc793..6d90b56 100644
--- a/refpolicy/policy/modules/admin/usermanage.te
+++ b/refpolicy/policy/modules/admin/usermanage.te
@@ -1,5 +1,5 @@
-policy_module(usermanage,1.3.0)
+policy_module(usermanage,1.3.1)
########################################
#
@@ -248,6 +248,11 @@ userdom_use_unpriv_users_fds(groupadd_t)
# for when /root is the cwd
userdom_dontaudit_search_sysadm_home_dirs(groupadd_t)
+optional_policy(`dpkg',`
+ dpkg_use_fds(groupadd_t)
+ dpkg_rw_pipes(groupadd_t)
+')
+
optional_policy(`nis',`
nis_use_ypbind(groupadd_t)
')
@@ -511,6 +516,11 @@ userdom_generic_user_home_dir_filetrans_generic_user_home_content(useradd_t,notd
mta_manage_spool(useradd_t)
+optional_policy(`dpkg',`
+ dpkg_use_fds(useradd_t)
+ dpkg_rw_pipes(useradd_t)
+')
+
optional_policy(`nis',`
nis_use_ypbind(useradd_t)
')
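Review bot: The useradd hunk grants fd and pipe use only for dpkg_t, but dpkg.te in this commit calls usermanage_domtrans_useradd from both dpkg_t and dpkg_script_t, and the script domain is where maintainer scripts (the code that actually runs adduser) are meant to end up once the "actually use dpkg_script_t" TODO is done; at that point useradd_t will inherit dpkg_script_t descriptors and this rule will not cover them. dpkg.if already exposes dpkg_use_script_fds, so add `dpkg_use_script_fds(useradd_t)` here (and the same for groupadd_t) and introduce a matching dpkg_rw_script_pipes interface. Worth checking first whether usermanage_domtrans_useradd, whose body is outside this diff, already returns fd and fifo_file use to its caller the way dpkg_domtrans does here; if it does, this hunk is redundant and the real gap is only on the dpkg_script_t side.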
diff --git a/refpolicy/policy/modules/kernel/corecommands.fc b/refpolicy/policy/modules/kernel/corecommands.fc
index 3f79119..9a7ffdf 100644
--- a/refpolicy/policy/modules/kernel/corecommands.fc
+++ b/refpolicy/policy/modules/kernel/corecommands.fc
@@ -103,9 +103,11 @@ ifdef(`distro_gentoo',`
/usr/lib/jvm/java.*/bin -d gen_context(system_u:object_r:bin_t,s0)
/usr/lib/jvm/java.*/bin/.* gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/apt/methods.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/cups/cgi-bin/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/cups/filter/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/dpkg/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:sbin_t,s0)
@@ -133,6 +135,7 @@ ifdef(`distro_gentoo',`
/usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
+/usr/share/debconf/.+ -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-check -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/gnucash/finance-quote-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/hal/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
diff --git a/refpolicy/policy/modules/kernel/corecommands.te b/refpolicy/policy/modules/kernel/corecommands.te
index 5476cf6..d7cce79 100644
--- a/refpolicy/policy/modules/kernel/corecommands.te
+++ b/refpolicy/policy/modules/kernel/corecommands.te
@@ -1,5 +1,5 @@
-policy_module(corecommands,1.3.0)
+policy_module(corecommands,1.3.1)
########################################
#
diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.in b/refpolicy/policy/modules/kernel/corenetwork.te.in
index 9a74cce..d9ff0ac 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.te.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.te.in
@@ -121,6 +121,7 @@ network_port(swat, tcp,901,s0)
network_port(syslogd, udp,514,s0)
network_port(telnetd, tcp,23,s0)
network_port(tftp, udp,69,s0)
+network_port(tor, tcp,9001,s0, tcp,9030,s0, tcp,9050,s0)
network_port(transproxy, tcp,8081,s0)
type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
network_port(uucpd, tcp,540,s0)
diff --git a/refpolicy/policy/modules/services/apache.if b/refpolicy/policy/modules/services/apache.if
index 5437131..288b313 100644
--- a/refpolicy/policy/modules/services/apache.if
+++ b/refpolicy/policy/modules/services/apache.if
@@ -800,6 +800,7 @@ interface(`apache_read_sys_content',`
allow $1 httpd_sys_content_t:dir r_dir_perms;
allow $1 httpd_sys_content_t:file { getattr read };
+ allow $1 httpd_sys_content_t:lnk_file { getattr read };
')
########################################
diff --git a/refpolicy/policy/modules/services/apache.te b/refpolicy/policy/modules/services/apache.te
index 1de0662..ba388b2 100644
--- a/refpolicy/policy/modules/services/apache.te
+++ b/refpolicy/policy/modules/services/apache.te
@@ -1,5 +1,5 @@
-policy_module(apache,1.3.0)
+policy_module(apache,1.3.1)
#
# NOTES:
@@ -187,6 +187,7 @@ allow httpd_t httpd_suexec_exec_t:file { getattr read };
allow httpd_t httpd_sys_content_t:dir r_dir_perms;
allow httpd_t httpd_sys_content_t:file r_file_perms;
+allow httpd_t httpd_sys_content_t:lnk_file r_file_perms;
allow httpd_t httpd_tmp_t:dir create_dir_perms;
allow httpd_t httpd_tmp_t:file create_file_perms;
diff --git a/refpolicy/policy/modules/services/tor.te b/refpolicy/policy/modules/services/tor.te
index 6da04bc..6bb79af 100644
--- a/refpolicy/policy/modules/services/tor.te
+++ b/refpolicy/policy/modules/services/tor.te
@@ -1,5 +1,5 @@
-policy_module(tor,1.0.0)
+policy_module(tor,1.0.1)
########################################
#
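Review bot: `/usr/lib(64)?/apt/methods.+` is missing the directory separator, so it matches anything whose name starts with `methods` rather than the files inside that directory; the intended entry is `/usr/lib(64)?/apt/methods/.+ -- gen_context(system_u:object_r:bin_t,s0)`. Labeling the methods bin_t also means the http and ftp fetchers, which parse untrusted network input, run inside apt_t with its cache and list write access and its transition into dpkg_t, since bin_t carries no transition of its own; a one-line comment such as `# apt fetch methods run in apt_t (no separate method domain yet)` would make that choice explicit, and a confined method domain is the natural follow-up. The `/usr/share/debconf/.+` entry has the same shape and labels every regular file in that directory as executable content, which is fine only as long as nothing non-executable lives there; a comment naming what is expected under it (confmodule, frontend) would let the next reviewer check.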
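Review bot: tor_port_t is defined as 9001, 9030 and 9050, which correspond to Tor's default ORPort, DirPort and SOCKSPort, but not to the control port (9051 by default, to my recollection); because the tor.te hunk in this commit replaces corenet_tcp_bind_all_ports with corenet_tcp_bind_tor_port, a tor configured with ControlPort will now be denied its bind where it was previously allowed. Either add `tcp,9051,s0` to the definition or state in tor.te that the control port is deliberately excluded. A comment here that these are the upstream defaults only, and that an operator using other ORPort/DirPort values needs a local portcon entry of type tor_port_t, would explain the first denial people hit after this tightening.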
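Review bot: The new `allow $1 httpd_sys_content_t:lnk_file { getattr read };` lets callers follow symlinks that are themselves labeled httpd_sys_content_t, and the link target is still checked against its own type, so a link from the document root into /etc or a home directory does not become readable through this rule; that is the property reviewers of apache policy ask about, so spell it out with `# follow symlinks inside sys content; the target is still subject to its own type`. The apache.te hunk grants r_file_perms on the same class for httpd_t while this interface grants `{ getattr read }`; pick one set for both so the two stay in step when either is revisited.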
@@ -71,8 +71,7 @@ corenet_non_ipsec_sendrecv(tor_t)
corenet_tcp_connect_all_ports(tor_t)
# ... especially including port 80 and other privileged ports
corenet_tcp_connect_all_reserved_ports(tor_t)
-# TOR may bind to a non-privileged port
-corenet_tcp_bind_all_ports(tor_t)
+corenet_tcp_bind_tor_port(tor_t)
corenet_tcp_bind_all_nodes(tor_t)
# tor uses crypto and needs random
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 1f39dfb..2dffbc3 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain,1.3.1)
+policy_module(userdomain,1.3.2)
gen_require(`
role sysadm_r, staff_r, user_r;
@@ -204,6 +204,10 @@ ifdef(`targeted_policy',`
apm_domtrans_client(sysadm_t)
')
+ optional_policy(`apt',`
+ apt_run(sysadm_t,sysadm_r,admin_terminal)
+ ')
+
optional_policy(`bootloader',`
bootloader_run(sysadm_t,sysadm_r,admin_terminal)
')
@@ -248,6 +252,10 @@ ifdef(`targeted_policy',`
dmidecode_run(sysadm_t,sysadm_r,admin_terminal)
')
+ optional_policy(`dpkg',`
+ dpkg_run(sysadm_t,sysadm_r,admin_terminal)
+ ')
+
optional_policy(`firstboot',`
firstboot_run(sysadm_t,sysadm_r,sysadm_tty_device_t)
')