From: srivasta@golden-gryphon.com (Manoj Srivastava)
Date: Tue, 14 Jul 2009 14:27:21 -0500
Subject: [refpolicy] [PATCH 1/2] Update apt/aptitude policy to add support
	for lock/log files
Message-ID: <1247599642-22214-1-git-send-email-srivasta@golden-gryphon.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

From: Manoj Srivastava <srivasta@debian.org>

Signed-off-by: Russell Coker <russell@coker.com.au>
Acked-By: Manoj Srivastava <srivasta@debian.org>
---
 policy/modules/admin/apt.fc |    5 +++++
 policy/modules/admin/apt.if |   40 ++++++++++++++++++++++++++++++++++++++++
 policy/modules/admin/apt.te |   19 ++++++++++++++++++-
 3 files changed, 63 insertions(+), 1 deletions(-)

diff --git a/policy/modules/admin/apt.fc b/policy/modules/admin/apt.fc
index bf14cc0..e4f4850 100644
--- a/policy/modules/admin/apt.fc
+++ b/policy/modules/admin/apt.fc
@@ -12,5 +12,10 @@
 /var/lib/apt(/.*)?			gen_context(system_u:object_r:apt_var_lib_t,s0)
 /var/lib/aptitude(/.*)?		gen_context(system_u:object_r:apt_var_lib_t,s0)
 
+# aptitude lock
+/var/lock/aptitude			gen_context(system_u:object_r:apt_lock_t,s0)
+# aptitude log
+/var/log/aptitude			gen_context(system_u:object_r:apt_var_log_t,s0)
+
 # dpkg terminal log
 /var/log/apt(/.*)?			gen_context(system_u:object_r:apt_var_log_t,s0)
diff --git a/policy/modules/admin/apt.if b/policy/modules/admin/apt.if
index 68ecf71..aaa4153 100644
--- a/policy/modules/admin/apt.if
+++ b/policy/modules/admin/apt.if
@@ -67,6 +67,25 @@ interface(`apt_use_fds',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to use file descriptors from apt.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process attempting performing this action
+##      which should not be audited.
+##	</summary>
+## </param>
+#
+interface(`apt_dontaudit_use_fds',`
+	gen_require(`
+		type apt_t;
+	')
+
+	dontaudit $1 apt_t:fd use;
+')
+
+########################################
+## <summary>
 ##	Read from an unnamed apt pipe.
 ## </summary>
 ## <param name="domain">
@@ -123,6 +142,27 @@ interface(`apt_use_ptys',`
 
 ########################################
 ## <summary>
+##	Read the apt package cache.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`apt_read_cache',`
+	gen_require(`
+		type apt_var_cache_t;
+	')
+
+	files_search_var($1)
+	allow $1 apt_var_cache_t:dir list_dir_perms;
+	dontaudit $1 apt_var_cache_t:dir write;
+	allow $1 apt_var_cache_t:file read_file_perms;
+')
+
+########################################
+## <summary>
 ##	Read the apt package database.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te
index c79157a..48afcda 100644
--- a/policy/modules/admin/apt.te
+++ b/policy/modules/admin/apt.te
@@ -1,5 +1,5 @@
 
-policy_module(apt, 1.5.2)
+policy_module(apt, 1.5.3)
 
 ########################################
 #
@@ -30,6 +30,11 @@ files_type(apt_var_lib_t)
 type apt_var_cache_t alias var_cache_apt_t;
 files_type(apt_var_cache_t)
 
+# aptitude lock file
+type apt_lock_t;
+files_lock_file(apt_lock_t)
+
+# aptitude log file
 type apt_var_log_t;
 logging_log_file(apt_var_log_t)
 
@@ -53,6 +58,9 @@ allow apt_t self:sem create_sem_perms;
 allow apt_t self:msgq create_msgq_perms;
 allow apt_t self:msg { send receive };
 
+# Run update
+allow apt_t self:netlink_route_socket r_netlink_socket_perms;
+
 # Access /var/cache/apt files
 manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
 files_var_filetrans(apt_t, apt_var_cache_t, dir)
@@ -72,6 +80,14 @@ fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file }
 manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
 files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)
 
+# lock files
+allow apt_t apt_lock_t:dir manage_dir_perms;
+allow apt_t apt_lock_t:file manage_file_perms;
+files_lock_filetrans(apt_t,apt_lock_t,{dir file})
+
+# log files
+allow apt_t apt_var_log_t:file manage_file_perms;
+
 kernel_read_system_state(apt_t)
 kernel_read_kernel_sysctls(apt_t)
 
@@ -112,6 +128,7 @@ libs_exec_ld_so(apt_t)
 libs_exec_lib_files(apt_t)
 
 logging_send_syslog_msg(apt_t)
+logging_log_filetrans(apt_t, apt_var_log_t, file)
 
 miscfiles_read_localization(apt_t)
 
-- 
1.6.3.3