diff --git a/Changelog b/Changelog
index 1d200f1..10713f2 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Apt updates for ptys and logs, from Martin Orr.
- RPC update from Vaclav Ovsik.
- Exim updates on Debian from Devin Carrawy.
- Pam and samba updates from Stefan Schulze Frielinghaus.
diff --git a/policy/modules/admin/apt.fc b/policy/modules/admin/apt.fc
index d31952b..bf14cc0 100644
--- a/policy/modules/admin/apt.fc
+++ b/policy/modules/admin/apt.fc
@@ -11,3 +11,6 @@
# package list repository
/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
+
+# dpkg terminal log
+/var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)
diff --git a/policy/modules/admin/apt.if b/policy/modules/admin/apt.if
index 13991f9..53e1c60 100644
--- a/policy/modules/admin/apt.if
+++ b/policy/modules/admin/apt.if
@@ -111,6 +111,24 @@ interface(`apt_rw_pipes',`
########################################
##
+## Read from and write to apt ptys.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apt_use_ptys',`
+ gen_require(`
+ type apt_devpts_t;
+ ')
+
+ allow $1 apt_devpts_t:chr_file rw_term_perms;
+')
+
+########################################
+##
## Read the apt package database.
##
##
diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te
index 98f1b01..2386a49 100644
--- a/policy/modules/admin/apt.te
+++ b/policy/modules/admin/apt.te
@@ -1,5 +1,5 @@
-policy_module(apt,1.3.0)
+policy_module(apt,1.3.1)
########################################
#
@@ -12,6 +12,10 @@ init_system_domain(apt_t,apt_exec_t)
domain_system_change_exemption(apt_t)
role system_r types apt_t;
+# pseudo terminal for running dpkg
+type apt_devpts_t;
+term_pty(apt_devpts_t)
+
type apt_tmp_t;
files_tmp_file(apt_tmp_t)
@@ -26,6 +30,9 @@ files_type(apt_var_lib_t)
type apt_var_cache_t alias var_cache_apt_t;
files_type(apt_var_cache_t)
+type apt_var_log_t;
+logging_log_file(apt_var_log_t)
+
########################################
#
# apt Local policy
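Review bot: `apt_var_log_t` is declared here and apt.fc labels `/var/log/apt(/.*)?` with it, but none of the visible apt.te hunks lets `apt_t` write to the new type or sets the label on files it creates there. Unless those rules sit in a part of the file the diff does not show, apt will hit denials on its own log once the path is relabelled, or newly created logs will keep the parent directory's type. Something like `allow apt_t apt_var_log_t:file manage_file_perms;` plus `logging_log_filetrans(apt_t, apt_var_log_t, file)` would close that. A directory rule may also be needed, because the file-context pattern covers the directory itself.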
@@ -97,6 +104,7 @@ files_read_etc_runtime_files(apt_t)
fs_getattr_all_fs(apt_t)
+term_create_pty(apt_t, apt_devpts_t)
term_list_ptys(apt_t)
term_use_all_terms(apt_t)
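Review bot: `term_create_pty(apt_t, apt_devpts_t)` sets up the type transition, but as far as I can tell it grants no access to the resulting `apt_devpts_t` node. In the visible lines, `apt_t` can only use its own pty through the pre-existing blanket `term_use_all_terms(apt_t)`. I would add an explicit `allow apt_t apt_devpts_t:chr_file rw_term_perms;` next to this line so the dependency is visible. With a dedicated pty type in place, it is also worth checking whether `term_use_all_terms` can later be narrowed, since it covers every tty and pty on the system.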
diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
index 0efc509..eebcd4f 100644
--- a/policy/modules/admin/dpkg.te
+++ b/policy/modules/admin/dpkg.te
@@ -1,5 +1,5 @@
-policy_module(dpkg,1.4.0)
+policy_module(dpkg,1.4.1)
########################################
#
@@ -150,6 +150,7 @@ auth_dontaudit_read_shadow(dpkg_t)
files_exec_etc_files(dpkg_t)
init_domtrans_script(dpkg_t)
+init_use_script_ptys(dpkg_t)
libs_use_ld_so(dpkg_t)
libs_use_shared_libs(dpkg_t)
@@ -172,6 +173,10 @@ dpkg_domtrans_script(dpkg_t)
# since the scripts aren't labeled correctly yet...
allow dpkg_t dpkg_var_lib_t:file execute;
+optional_policy(`
+ apt_use_ptys(dpkg_t)
+')
+
# TODO: allow?
#optional_policy(`
# cron_system_entry(dpkg_t,dpkg_exec_t)
@@ -290,6 +295,7 @@ auth_dontaudit_getattr_shadow(dpkg_script_t)
auth_manage_all_files_except_shadow(dpkg_script_t)
init_domtrans_script(dpkg_script_t)
+init_use_script_fds(dpkg_script_t)
libs_use_ld_so(dpkg_script_t)
libs_use_shared_libs(dpkg_script_t)
@@ -314,6 +320,11 @@ tunable_policy(`allow_execmem',`
')
optional_policy(`
+ apt_rw_pipes(dpkg_script_t)
+ apt_use_fds(dpkg_script_t)
+')
+
+optional_policy(`
bootloader_domtrans(dpkg_script_t)
')
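Review bot: The new block gives `dpkg_script_t` `apt_rw_pipes` and `apt_use_fds` but not `apt_use_ptys`. The earlier `dpkg_t` hunk adds only `apt_use_ptys`, and `ldconfig_t` in libraries.te gets all three. Maintainer scripts started by dpkg under apt presumably inherit the same pty, so unless `dpkg_script_t` already has broader terminal access elsewhere in the file (not visible in these hunks), their output to the apt pty would be denied. Either add `apt_use_ptys(dpkg_script_t)` to this block or leave a comment naming the existing rule that covers it.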
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index a6bc400..50e7a32 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -1,5 +1,5 @@
-policy_module(libraries,2.0.0)
+policy_module(libraries,2.0.1)
########################################
#
@@ -98,6 +98,12 @@ optional_policy(`
')
optional_policy(`
+ apt_rw_pipes(ldconfig_t)
+ apt_use_fds(ldconfig_t)
+ apt_use_ptys(ldconfig_t)
+')
+
+optional_policy(`
# When you install a kernel the postinstall builds a initrd image in tmp
# and executes ldconfig on it. If you dont allow this kernel installs
# blow up.
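Review bot: The added `optional_policy` block for `ldconfig_t` has no comment, unlike the kernel-install block right after it, so a later reader cannot tell why a library-cache tool needs read/write on apt's pipes and pty. A one-line why-comment would help, for example `# ldconfig inherits apt's fds, pipes and pty when run during package installation` (wording to be confirmed by the author). If ldconfig only ever writes to these descriptors, it is worth checking whether the read half of `apt_rw_pipes` is needed at all. The block that follows continues past the end of the hunk.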