## APT advanced package tool. ######################################## ## ## Execute apt programs in the apt domain. ## ## ## ## Domain allowed access. ## ## # interface(`apt_domtrans',` gen_require(` type apt_t, apt_exec_t; ') files_search_usr($1) corecmd_search_bin($1) domtrans_pattern($1, apt_exec_t, apt_t) ') ######################################## ## ## Execute apt programs in the apt domain. ## ## ## ## Domain allowed access. ## ## ## ## ## The role to allow the apt domain. ## ## ## # interface(`apt_run',` gen_require(` type apt_t; ') apt_domtrans($1) role $2 types apt_t; # TODO: likely have to add dpkg_run here. ') ######################################## ## ## Inherit and use file descriptors from apt. ## ## ## ## Domain allowed access. ## ## # interface(`apt_use_fds',` gen_require(` type apt_t; ') allow $1 apt_t:fd use; # TODO: enforce dpkg_use_fd? ') ######################################## ## ## Do not audit attempts to use file descriptors from apt. ## ## ## ## The type of the process attempting performing this action ## which should not be audited. ## ## # interface(`apt_dontaudit_use_fds',` gen_require(` type apt_t; ') dontaudit $1 apt_t:fd use; ') ######################################## ## ## Read from an unnamed apt pipe. ## ## ## ## Domain allowed access. ## ## # interface(`apt_read_pipes',` gen_require(` type apt_t; ') allow $1 apt_t:fifo_file read_fifo_file_perms; # TODO: enforce dpkg_read_pipes? ') ######################################## ## ## Read and write an unnamed apt pipe. ## ## ## ## Domain allowed access. ## ## # interface(`apt_rw_pipes',` gen_require(` type apt_t; ') allow $1 apt_t:fifo_file rw_file_perms; # TODO: enforce dpkg_rw_pipes? ') ######################################## ## ## Read from and write to apt ptys. ## ## ## ## Domain allowed access. ## ## # interface(`apt_use_ptys',` gen_require(` type apt_devpts_t; ') allow $1 apt_devpts_t:chr_file rw_term_perms; ') ######################################## ## ## Read the apt package cache. ## ## ## ## Domain allowed access. ## ## # interface(`apt_read_cache',` gen_require(` type apt_var_cache_t; ') files_search_var($1) allow $1 apt_var_cache_t:dir list_dir_perms; dontaudit $1 apt_var_cache_t:dir write; allow $1 apt_var_cache_t:file read_file_perms; ') ######################################## ## ## Read the apt package database. ## ## ## ## Domain allowed access. ## ## # interface(`apt_read_db',` gen_require(` type apt_var_lib_t; ') files_search_var_lib($1) allow $1 apt_var_lib_t:dir list_dir_perms; read_files_pattern($1, apt_var_lib_t, apt_var_lib_t) read_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t) ') ######################################## ## ## Create, read, write, and delete the apt package database. ## ## ## ## Domain allowed access. ## ## # interface(`apt_manage_db',` gen_require(` type apt_var_lib_t; ') files_search_var_lib($1) manage_files_pattern($1, apt_var_lib_t, apt_var_lib_t) # cjp: shouldnt this be manage_lnk_files? rw_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t) delete_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t) ') ######################################## ## ## Do not audit attempts to create, read, ## write, and delete the apt package database. ## ## ## ## Domain to not audit. ## ## # interface(`apt_dontaudit_manage_db',` gen_require(` type apt_var_lib_t; ') dontaudit $1 apt_var_lib_t:dir rw_dir_perms; dontaudit $1 apt_var_lib_t:file manage_file_perms; dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_file_perms; ')