From: srivasta@golden-gryphon.com (Manoj Srivastava) Date: Tue, 14 Jul 2009 14:27:22 -0500 Subject: [refpolicy] [PATCH 2/2] Updated dpkg policy with supoort for debconf in maintainer scripts In-Reply-To: <1247599642-22214-1-git-send-email-srivasta@golden-gryphon.com> References: <1247599642-22214-1-git-send-email-srivasta@golden-gryphon.com> Message-ID: <1247599642-22214-2-git-send-email-srivasta@golden-gryphon.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com From: Manoj Srivastava Signed-off-by: Russell Coker Acked-By: Manoj Srivastava --- policy/modules/admin/dpkg.te | 26 ++++++++++++++++++++------ 1 files changed, 20 insertions(+), 6 deletions(-) diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te index 264a0ce..6d4b7a9 100644 --- a/policy/modules/admin/dpkg.te +++ b/policy/modules/admin/dpkg.te @@ -1,5 +1,5 @@ -policy_module(dpkg, 1.6.2) +policy_module(dpkg, 1.6.3) ######################################## # @@ -52,8 +52,8 @@ files_tmpfs_file(dpkg_script_tmpfs_t) # dpkg Local policy # -allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable }; -allow dpkg_t self:process { setpgid fork getsched setfscreate }; +allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable ipc_lock }; +allow dpkg_t self:process { setrlimit setpgid fork getsched setfscreate }; allow dpkg_t self:fd use; allow dpkg_t self:fifo_file rw_fifo_file_perms; allow dpkg_t self:unix_dgram_socket create_socket_perms; @@ -67,6 +67,16 @@ allow dpkg_t self:sem create_sem_perms; allow dpkg_t self:msgq create_msgq_perms; allow dpkg_t self:msg { send receive }; +# This is for se_aptitude et al, so that maintainer scripts can talk back. +apt_use_fds(dpkg_script_t) +apt_rw_pipes(dpkg_script_t) + +# This is for the maintainer scripts +init_use_script_fds(dpkg_script_t) + +# se_apt-get needs this to run dpkg-preconfigure +init_use_script_ptys(dpkg_t) + allow dpkg_t dpkg_lock_t:file manage_file_perms; manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t) @@ -141,6 +151,8 @@ storage_raw_write_fixed_disk(dpkg_t) # for installing kernel packages storage_raw_read_fixed_disk(dpkg_t) +term_list_ptys(dpkg_t) + auth_relabel_all_files_except_shadow(dpkg_t) auth_manage_all_files_except_shadow(dpkg_t) auth_dontaudit_read_shadow(dpkg_t) @@ -148,7 +160,6 @@ auth_dontaudit_read_shadow(dpkg_t) files_exec_etc_files(dpkg_t) init_domtrans_script(dpkg_t) -init_use_script_ptys(dpkg_t) libs_exec_ld_so(dpkg_t) libs_exec_lib_files(dpkg_t) @@ -164,11 +175,15 @@ sysnet_read_config(dpkg_t) userdom_use_user_terminals(dpkg_t) userdom_use_unpriv_users_fds(dpkg_t) +allow userdomain dpkg_var_lib_t:dir list_dir_perms; +allow userdomain dpkg_var_lib_t:file read_file_perms; # transition to dpkg script: dpkg_domtrans_script(dpkg_t) -# since the scripts aren't labeled correctly yet... +# since the scripts are not labeled correctly yet... allow dpkg_t dpkg_var_lib_t:file mmap_file_perms; +# This is used for running config files for debconf interactions +allow dpkg_t dpkg_tmp_t:file { execute execute_no_trans }; optional_policy(` apt_use_ptys(dpkg_t) @@ -290,7 +305,6 @@ auth_dontaudit_getattr_shadow(dpkg_script_t) auth_manage_all_files_except_shadow(dpkg_script_t) init_domtrans_script(dpkg_script_t) -init_use_script_fds(dpkg_script_t) libs_exec_ld_so(dpkg_script_t) libs_exec_lib_files(dpkg_script_t) -- 1.6.3.3