From: Manoj Srivastava <[email protected]>
Signed-off-by: Russell Coker <[email protected]>
Acked-By: Manoj Srivastava <[email protected]>
---
policy/modules/admin/apt.fc | 5 +++++
policy/modules/admin/apt.if | 40 ++++++++++++++++++++++++++++++++++++++++
policy/modules/admin/apt.te | 19 ++++++++++++++++++-
3 files changed, 63 insertions(+), 1 deletions(-)
diff --git a/policy/modules/admin/apt.fc b/policy/modules/admin/apt.fc
index bf14cc0..e4f4850 100644
--- a/policy/modules/admin/apt.fc
+++ b/policy/modules/admin/apt.fc
@@ -12,5 +12,10 @@
/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
+# aptitude lock
+/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
+# aptitude log
+/var/log/aptitude gen_context(system_u:object_r:apt_var_log_t,s0)
+
# dpkg terminal log
/var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)
diff --git a/policy/modules/admin/apt.if b/policy/modules/admin/apt.if
index 68ecf71..aaa4153 100644
--- a/policy/modules/admin/apt.if
+++ b/policy/modules/admin/apt.if
@@ -67,6 +67,25 @@ interface(`apt_use_fds',`
########################################
## <summary>
+## Do not audit attempts to use file descriptors from apt.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process attempting performing this action
+## which should not be audited.
+## </summary>
+## </param>
+#
+interface(`apt_dontaudit_use_fds',`
+ gen_require(`
+ type apt_t;
+ ')
+
+ dontaudit $1 apt_t:fd use;
+')
+
+########################################
+## <summary>
## Read from an unnamed apt pipe.
## </summary>
## <param name="domain">
@@ -123,6 +142,27 @@ interface(`apt_use_ptys',`
########################################
## <summary>
+## Read the apt package cache.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`apt_read_cache',`
+ gen_require(`
+ type apt_var_cache_t;
+ ')
+
+ files_search_var($1)
+ allow $1 apt_var_cache_t:dir list_dir_perms;
+ dontaudit $1 apt_var_cache_t:dir write;
+ allow $1 apt_var_cache_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## Read the apt package database.
## </summary>
## <param name="domain">
diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te
index c79157a..48afcda 100644
--- a/policy/modules/admin/apt.te
+++ b/policy/modules/admin/apt.te
@@ -1,5 +1,5 @@
-policy_module(apt, 1.5.2)
+policy_module(apt, 1.5.3)
########################################
#
@@ -30,6 +30,11 @@ files_type(apt_var_lib_t)
type apt_var_cache_t alias var_cache_apt_t;
files_type(apt_var_cache_t)
+# aptitude lock file
+type apt_lock_t;
+files_lock_file(apt_lock_t)
+
+# aptitude log file
type apt_var_log_t;
logging_log_file(apt_var_log_t)
@@ -53,6 +58,9 @@ allow apt_t self:sem create_sem_perms;
allow apt_t self:msgq create_msgq_perms;
allow apt_t self:msg { send receive };
+# Run update
+allow apt_t self:netlink_route_socket r_netlink_socket_perms;
+
# Access /var/cache/apt files
manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
files_var_filetrans(apt_t, apt_var_cache_t, dir)
@@ -72,6 +80,14 @@ fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file }
manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)
+# lock files
+allow apt_t apt_lock_t:dir manage_dir_perms;
+allow apt_t apt_lock_t:file manage_file_perms;
+files_lock_filetrans(apt_t,apt_lock_t,{dir file})
+
+# log files
+allow apt_t apt_var_log_t:file manage_file_perms;
+
kernel_read_system_state(apt_t)
kernel_read_kernel_sysctls(apt_t)
@@ -112,6 +128,7 @@ libs_exec_ld_so(apt_t)
libs_exec_lib_files(apt_t)
logging_send_syslog_msg(apt_t)
+logging_log_filetrans(apt_t, apt_var_log_t, file)
miscfiles_read_localization(apt_t)
--
1.6.3.3
From: Manoj Srivastava <[email protected]>
Signed-off-by: Russell Coker <[email protected]>
Acked-By: Manoj Srivastava <[email protected]>
---
policy/modules/admin/dpkg.te | 26 ++++++++++++++++++++------
1 files changed, 20 insertions(+), 6 deletions(-)
diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
index 264a0ce..6d4b7a9 100644
--- a/policy/modules/admin/dpkg.te
+++ b/policy/modules/admin/dpkg.te
@@ -1,5 +1,5 @@
-policy_module(dpkg, 1.6.2)
+policy_module(dpkg, 1.6.3)
########################################
#
@@ -52,8 +52,8 @@ files_tmpfs_file(dpkg_script_tmpfs_t)
# dpkg Local policy
#
-allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
-allow dpkg_t self:process { setpgid fork getsched setfscreate };
+allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable ipc_lock };
+allow dpkg_t self:process { setrlimit setpgid fork getsched setfscreate };
allow dpkg_t self:fd use;
allow dpkg_t self:fifo_file rw_fifo_file_perms;
allow dpkg_t self:unix_dgram_socket create_socket_perms;
@@ -67,6 +67,16 @@ allow dpkg_t self:sem create_sem_perms;
allow dpkg_t self:msgq create_msgq_perms;
allow dpkg_t self:msg { send receive };
+# This is for se_aptitude et al, so that maintainer scripts can talk back.
+apt_use_fds(dpkg_script_t)
+apt_rw_pipes(dpkg_script_t)
+
+# This is for the maintainer scripts
+init_use_script_fds(dpkg_script_t)
+
+# se_apt-get needs this to run dpkg-preconfigure
+init_use_script_ptys(dpkg_t)
+
allow dpkg_t dpkg_lock_t:file manage_file_perms;
manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
@@ -141,6 +151,8 @@ storage_raw_write_fixed_disk(dpkg_t)
# for installing kernel packages
storage_raw_read_fixed_disk(dpkg_t)
+term_list_ptys(dpkg_t)
+
auth_relabel_all_files_except_shadow(dpkg_t)
auth_manage_all_files_except_shadow(dpkg_t)
auth_dontaudit_read_shadow(dpkg_t)
@@ -148,7 +160,6 @@ auth_dontaudit_read_shadow(dpkg_t)
files_exec_etc_files(dpkg_t)
init_domtrans_script(dpkg_t)
-init_use_script_ptys(dpkg_t)
libs_exec_ld_so(dpkg_t)
libs_exec_lib_files(dpkg_t)
@@ -164,11 +175,15 @@ sysnet_read_config(dpkg_t)
userdom_use_user_terminals(dpkg_t)
userdom_use_unpriv_users_fds(dpkg_t)
+allow userdomain dpkg_var_lib_t:dir list_dir_perms;
+allow userdomain dpkg_var_lib_t:file read_file_perms;
# transition to dpkg script:
dpkg_domtrans_script(dpkg_t)
-# since the scripts aren't labeled correctly yet...
+# since the scripts are not labeled correctly yet...
allow dpkg_t dpkg_var_lib_t:file mmap_file_perms;
+# This is used for running config files for debconf interactions
+allow dpkg_t dpkg_tmp_t:file { execute execute_no_trans };
optional_policy(`
apt_use_ptys(dpkg_t)
@@ -290,7 +305,6 @@ auth_dontaudit_getattr_shadow(dpkg_script_t)
auth_manage_all_files_except_shadow(dpkg_script_t)
init_domtrans_script(dpkg_script_t)
-init_use_script_fds(dpkg_script_t)
libs_exec_ld_so(dpkg_script_t)
libs_exec_lib_files(dpkg_script_t)
--
1.6.3.3
On Tue, 2009-07-14 at 14:27 -0500, Manoj Srivastava wrote:
> From: Manoj Srivastava <[email protected]>
Merged. In the future, please do not bump the module version number.
> Signed-off-by: Russell Coker <[email protected]>
> Acked-By: Manoj Srivastava <[email protected]>
> ---
> policy/modules/admin/apt.fc | 5 +++++
> policy/modules/admin/apt.if | 40 ++++++++++++++++++++++++++++++++++++++++
> policy/modules/admin/apt.te | 19 ++++++++++++++++++-
> 3 files changed, 63 insertions(+), 1 deletions(-)
>
> diff --git a/policy/modules/admin/apt.fc b/policy/modules/admin/apt.fc
> index bf14cc0..e4f4850 100644
> --- a/policy/modules/admin/apt.fc
> +++ b/policy/modules/admin/apt.fc
> @@ -12,5 +12,10 @@
> /var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
> /var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
>
> +# aptitude lock
> +/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
> +# aptitude log
> +/var/log/aptitude gen_context(system_u:object_r:apt_var_log_t,s0)
> +
> # dpkg terminal log
> /var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)
> diff --git a/policy/modules/admin/apt.if b/policy/modules/admin/apt.if
> index 68ecf71..aaa4153 100644
> --- a/policy/modules/admin/apt.if
> +++ b/policy/modules/admin/apt.if
> @@ -67,6 +67,25 @@ interface(`apt_use_fds',`
>
> ########################################
> ## <summary>
> +## Do not audit attempts to use file descriptors from apt.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## The type of the process attempting performing this action
> +## which should not be audited.
> +## </summary>
> +## </param>
> +#
> +interface(`apt_dontaudit_use_fds',`
> + gen_require(`
> + type apt_t;
> + ')
> +
> + dontaudit $1 apt_t:fd use;
> +')
> +
> +########################################
> +## <summary>
> ## Read from an unnamed apt pipe.
> ## </summary>
> ## <param name="domain">
> @@ -123,6 +142,27 @@ interface(`apt_use_ptys',`
>
> ########################################
> ## <summary>
> +## Read the apt package cache.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## The type of the process performing this action.
> +## </summary>
> +## </param>
> +#
> +interface(`apt_read_cache',`
> + gen_require(`
> + type apt_var_cache_t;
> + ')
> +
> + files_search_var($1)
> + allow $1 apt_var_cache_t:dir list_dir_perms;
> + dontaudit $1 apt_var_cache_t:dir write;
> + allow $1 apt_var_cache_t:file read_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Read the apt package database.
> ## </summary>
> ## <param name="domain">
> diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te
> index c79157a..48afcda 100644
> --- a/policy/modules/admin/apt.te
> +++ b/policy/modules/admin/apt.te
> @@ -1,5 +1,5 @@
>
> -policy_module(apt, 1.5.2)
> +policy_module(apt, 1.5.3)
>
> ########################################
> #
> @@ -30,6 +30,11 @@ files_type(apt_var_lib_t)
> type apt_var_cache_t alias var_cache_apt_t;
> files_type(apt_var_cache_t)
>
> +# aptitude lock file
> +type apt_lock_t;
> +files_lock_file(apt_lock_t)
> +
> +# aptitude log file
> type apt_var_log_t;
> logging_log_file(apt_var_log_t)
>
> @@ -53,6 +58,9 @@ allow apt_t self:sem create_sem_perms;
> allow apt_t self:msgq create_msgq_perms;
> allow apt_t self:msg { send receive };
>
> +# Run update
> +allow apt_t self:netlink_route_socket r_netlink_socket_perms;
> +
> # Access /var/cache/apt files
> manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
> files_var_filetrans(apt_t, apt_var_cache_t, dir)
> @@ -72,6 +80,14 @@ fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file }
> manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
> files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)
>
> +# lock files
> +allow apt_t apt_lock_t:dir manage_dir_perms;
> +allow apt_t apt_lock_t:file manage_file_perms;
> +files_lock_filetrans(apt_t,apt_lock_t,{dir file})
> +
> +# log files
> +allow apt_t apt_var_log_t:file manage_file_perms;
> +
> kernel_read_system_state(apt_t)
> kernel_read_kernel_sysctls(apt_t)
>
> @@ -112,6 +128,7 @@ libs_exec_ld_so(apt_t)
> libs_exec_lib_files(apt_t)
>
> logging_send_syslog_msg(apt_t)
> +logging_log_filetrans(apt_t, apt_var_log_t, file)
>
> miscfiles_read_localization(apt_t)
>
> --
> 1.6.3.3
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
On Tue, 2009-07-14 at 14:27 -0500, Manoj Srivastava wrote:
> From: Manoj Srivastava <[email protected]>
Comments inline.
> Signed-off-by: Russell Coker <[email protected]>
> Acked-By: Manoj Srivastava <[email protected]>
> ---
> policy/modules/admin/dpkg.te | 26 ++++++++++++++++++++------
> 1 files changed, 20 insertions(+), 6 deletions(-)
>
> diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
> index 264a0ce..6d4b7a9 100644
> --- a/policy/modules/admin/dpkg.te
> +++ b/policy/modules/admin/dpkg.te
> @@ -1,5 +1,5 @@
>
> -policy_module(dpkg, 1.6.2)
> +policy_module(dpkg, 1.6.3)
>
> ########################################
> #
> @@ -52,8 +52,8 @@ files_tmpfs_file(dpkg_script_tmpfs_t)
> # dpkg Local policy
> #
>
> -allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable };
> -allow dpkg_t self:process { setpgid fork getsched setfscreate };
> +allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable ipc_lock };
> +allow dpkg_t self:process { setrlimit setpgid fork getsched setfscreate };
> allow dpkg_t self:fd use;
> allow dpkg_t self:fifo_file rw_fifo_file_perms;
> allow dpkg_t self:unix_dgram_socket create_socket_perms;
> @@ -67,6 +67,16 @@ allow dpkg_t self:sem create_sem_perms;
> allow dpkg_t self:msgq create_msgq_perms;
> allow dpkg_t self:msg { send receive };
>
> +# This is for se_aptitude et al, so that maintainer scripts can talk back.
> +apt_use_fds(dpkg_script_t)
> +apt_rw_pipes(dpkg_script_t)
Should be moved down with the other apt rules.
> +# This is for the maintainer scripts
> +init_use_script_fds(dpkg_script_t)
> +
> +# se_apt-get needs this to run dpkg-preconfigure
> +init_use_script_ptys(dpkg_t)
Should be moved down with the other init_* rules for each respective
type.
> allow dpkg_t dpkg_lock_t:file manage_file_perms;
>
> manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
> @@ -141,6 +151,8 @@ storage_raw_write_fixed_disk(dpkg_t)
> # for installing kernel packages
> storage_raw_read_fixed_disk(dpkg_t)
>
> +term_list_ptys(dpkg_t)
> +
> auth_relabel_all_files_except_shadow(dpkg_t)
> auth_manage_all_files_except_shadow(dpkg_t)
> auth_dontaudit_read_shadow(dpkg_t)
> @@ -148,7 +160,6 @@ auth_dontaudit_read_shadow(dpkg_t)
> files_exec_etc_files(dpkg_t)
>
> init_domtrans_script(dpkg_t)
> -init_use_script_ptys(dpkg_t)
>
> libs_exec_ld_so(dpkg_t)
> libs_exec_lib_files(dpkg_t)
> @@ -164,11 +175,15 @@ sysnet_read_config(dpkg_t)
>
> userdom_use_user_terminals(dpkg_t)
> userdom_use_unpriv_users_fds(dpkg_t)
> +allow userdomain dpkg_var_lib_t:dir list_dir_perms;
> +allow userdomain dpkg_var_lib_t:file read_file_perms;
This is not allowed since dpkg doesn't own userdomain.
> # transition to dpkg script:
> dpkg_domtrans_script(dpkg_t)
> -# since the scripts aren't labeled correctly yet...
> +# since the scripts are not labeled correctly yet...
> allow dpkg_t dpkg_var_lib_t:file mmap_file_perms;
> +# This is used for running config files for debconf interactions
> +allow dpkg_t dpkg_tmp_t:file { execute execute_no_trans };
>
> optional_policy(`
> apt_use_ptys(dpkg_t)
> @@ -290,7 +305,6 @@ auth_dontaudit_getattr_shadow(dpkg_script_t)
> auth_manage_all_files_except_shadow(dpkg_script_t)
>
> init_domtrans_script(dpkg_script_t)
> -init_use_script_fds(dpkg_script_t)
>
> libs_exec_ld_so(dpkg_script_t)
> libs_exec_lib_files(dpkg_script_t)
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150