Signed-off-by: Dominick Grift <[email protected]>
---
:100644 100644 e4f4850... 1f65fbe... M policy/modules/admin/apt.fc
:100644 100644 e696b80... eaf17d0... M policy/modules/admin/apt.if
:100644 100644 4044710... 9a37f79... M policy/modules/admin/apt.te
policy/modules/admin/apt.fc | 9 +--------
policy/modules/admin/apt.if | 35 ++++++++++++++++++++---------------
policy/modules/admin/apt.te | 9 ---------
3 files changed, 21 insertions(+), 32 deletions(-)
diff --git a/policy/modules/admin/apt.fc b/policy/modules/admin/apt.fc
index e4f4850..1f65fbe 100644
--- a/policy/modules/admin/apt.fc
+++ b/policy/modules/admin/apt.fc
@@ -1,21 +1,14 @@
/usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0)
-# apt-shell is redhat specific
/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
-# other package managers
/usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
/usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
-# package cache repository
/var/cache/apt(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
-# package list repository
/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
-# aptitude lock
/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
-# aptitude log
-/var/log/aptitude gen_context(system_u:object_r:apt_var_log_t,s0)
-# dpkg terminal log
+/var/log/aptitude gen_context(system_u:object_r:apt_var_log_t,s0)
/var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)
diff --git a/policy/modules/admin/apt.if b/policy/modules/admin/apt.if
index e696b80..eaf17d0 100644
--- a/policy/modules/admin/apt.if
+++ b/policy/modules/admin/apt.if
@@ -2,7 +2,7 @@
########################################
## <summary>
-## Execute apt programs in the apt domain.
+## Execute a domain transition to run Apt.
## </summary>
## <param name="domain">
## <summary>
@@ -15,14 +15,19 @@ interface(`apt_domtrans',`
type apt_t, apt_exec_t;
')
- files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, apt_exec_t, apt_t)
+
+ ifndef(`distro_redhat',`
+ files_search_usr($1)
+ ')
')
########################################
## <summary>
-## Execute apt programs in the apt domain.
+## Execute a domain transition to run
+## Apt, and allow the specified role
+## the Apt domain.
## </summary>
## <param name="domain">
## <summary>
@@ -31,7 +36,7 @@ interface(`apt_domtrans',`
## </param>
## <param name="role">
## <summary>
-## The role to allow the apt domain.
+## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
@@ -43,12 +48,11 @@ interface(`apt_run',`
apt_domtrans($1)
role $2 types apt_t;
- # TODO: likely have to add dpkg_run here.
')
########################################
## <summary>
-## Inherit and use file descriptors from apt.
+## Inherit and use file descriptors from Apt.
## </summary>
## <param name="domain">
## <summary>
@@ -67,7 +71,8 @@ interface(`apt_use_fds',`
########################################
## <summary>
-## Do not audit attempts to use file descriptors from apt.
+## Do not audit attempts to use file
+## descriptors from Apt.
## </summary>
## <param name="domain">
## <summary>
@@ -85,7 +90,7 @@ interface(`apt_dontaudit_use_fds',`
########################################
## <summary>
-## Read from an unnamed apt pipe.
+## Read from an unnamed Apt pipe.
## </summary>
## <param name="domain">
## <summary>
@@ -104,7 +109,7 @@ interface(`apt_read_pipes',`
########################################
## <summary>
-## Read and write an unnamed apt pipe.
+## Read and write an unnamed Apt pipe.
## </summary>
## <param name="domain">
## <summary>
@@ -123,7 +128,7 @@ interface(`apt_rw_pipes',`
########################################
## <summary>
-## Read from and write to apt ptys.
+## Read from and write to Apt ptys.
## </summary>
## <param name="domain">
## <summary>
@@ -141,7 +146,7 @@ interface(`apt_use_ptys',`
########################################
## <summary>
-## Read the apt package cache.
+## Read the Apt package cache.
## </summary>
## <param name="domain">
## <summary>
@@ -162,7 +167,7 @@ interface(`apt_read_cache',`
########################################
## <summary>
-## Read the apt package database.
+## Read the Apt package database.
## </summary>
## <param name="domain">
## <summary>
@@ -183,7 +188,7 @@ interface(`apt_read_db',`
########################################
## <summary>
-## Create, read, write, and delete the apt package database.
+## Manage the Apt package database.
## </summary>
## <param name="domain">
## <summary>
@@ -205,8 +210,8 @@ interface(`apt_manage_db',`
########################################
## <summary>
-## Do not audit attempts to create, read,
-## write, and delete the apt package database.
+## Do not audit attempts manage
+## the Apt package database.
## </summary>
## <param name="domain">
## <summary>
diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te
index 4044710..9a37f79 100644
--- a/policy/modules/admin/apt.te
+++ b/policy/modules/admin/apt.te
@@ -11,11 +11,9 @@ init_system_domain(apt_t, apt_exec_t)
domain_system_change_exemption(apt_t)
role system_r types apt_t;
-# pseudo terminal for running dpkg
type apt_devpts_t;
term_pty(apt_devpts_t)
-# aptitude lock file
type apt_lock_t;
files_lock_file(apt_lock_t)
@@ -25,15 +23,12 @@ files_tmp_file(apt_tmp_t)
type apt_tmpfs_t;
files_tmpfs_file(apt_tmpfs_t)
-# package cache
type apt_var_cache_t alias var_cache_apt_t;
files_type(apt_var_cache_t)
-# status files
type apt_var_lib_t alias var_lib_apt_t;
files_type(apt_var_lib_t)
-# aptitude log file
type apt_var_log_t;
logging_log_file(apt_var_log_t)
@@ -59,7 +54,6 @@ allow apt_t self:msg { send receive };
# Run update
allow apt_t self:netlink_route_socket r_netlink_socket_perms;
-# lock files
allow apt_t apt_lock_t:dir manage_dir_perms;
allow apt_t apt_lock_t:file manage_file_perms;
files_lock_filetrans(apt_t, apt_lock_t, {dir file})
@@ -75,15 +69,12 @@ manage_fifo_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
manage_sock_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file })
-# Access /var/cache/apt files
manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
files_var_filetrans(apt_t, apt_var_cache_t, dir)
-# Access /var/lib/apt files
manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)
-# log files
allow apt_t apt_var_log_t:file manage_file_perms;
logging_log_filetrans(apt_t, apt_var_log_t, file)
--
1.7.2.1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100903/fc6c4f65/attachment.bin