From: srivasta@golden-gryphon.com (Manoj Srivastava) Date: Tue, 14 Jul 2009 14:27:21 -0500 Subject: [refpolicy] [PATCH 1/2] Update apt/aptitude policy to add support for lock/log files Message-ID: <1247599642-22214-1-git-send-email-srivasta@golden-gryphon.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com From: Manoj Srivastava Signed-off-by: Russell Coker Acked-By: Manoj Srivastava --- policy/modules/admin/apt.fc | 5 +++++ policy/modules/admin/apt.if | 40 ++++++++++++++++++++++++++++++++++++++++ policy/modules/admin/apt.te | 19 ++++++++++++++++++- 3 files changed, 63 insertions(+), 1 deletions(-) diff --git a/policy/modules/admin/apt.fc b/policy/modules/admin/apt.fc index bf14cc0..e4f4850 100644 --- a/policy/modules/admin/apt.fc +++ b/policy/modules/admin/apt.fc @@ -12,5 +12,10 @@ /var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0) /var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0) +# aptitude lock +/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0) +# aptitude log +/var/log/aptitude gen_context(system_u:object_r:apt_var_log_t,s0) + # dpkg terminal log /var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0) diff --git a/policy/modules/admin/apt.if b/policy/modules/admin/apt.if index 68ecf71..aaa4153 100644 --- a/policy/modules/admin/apt.if +++ b/policy/modules/admin/apt.if @@ -67,6 +67,25 @@ interface(`apt_use_fds',` ######################################## ## +## Do not audit attempts to use file descriptors from apt. +## +## +## +## The type of the process attempting performing this action +## which should not be audited. +## +## +# +interface(`apt_dontaudit_use_fds',` + gen_require(` + type apt_t; + ') + + dontaudit $1 apt_t:fd use; +') + +######################################## +## ## Read from an unnamed apt pipe. ## ## @@ -123,6 +142,27 @@ interface(`apt_use_ptys',` ######################################## ## +## Read the apt package cache. +## +## +## +## The type of the process performing this action. +## +## +# +interface(`apt_read_cache',` + gen_require(` + type apt_var_cache_t; + ') + + files_search_var($1) + allow $1 apt_var_cache_t:dir list_dir_perms; + dontaudit $1 apt_var_cache_t:dir write; + allow $1 apt_var_cache_t:file read_file_perms; +') + +######################################## +## ## Read the apt package database. ## ## diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te index c79157a..48afcda 100644 --- a/policy/modules/admin/apt.te +++ b/policy/modules/admin/apt.te @@ -1,5 +1,5 @@ -policy_module(apt, 1.5.2) +policy_module(apt, 1.5.3) ######################################## # @@ -30,6 +30,11 @@ files_type(apt_var_lib_t) type apt_var_cache_t alias var_cache_apt_t; files_type(apt_var_cache_t) +# aptitude lock file +type apt_lock_t; +files_lock_file(apt_lock_t) + +# aptitude log file type apt_var_log_t; logging_log_file(apt_var_log_t) @@ -53,6 +58,9 @@ allow apt_t self:sem create_sem_perms; allow apt_t self:msgq create_msgq_perms; allow apt_t self:msg { send receive }; +# Run update +allow apt_t self:netlink_route_socket r_netlink_socket_perms; + # Access /var/cache/apt files manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t) files_var_filetrans(apt_t, apt_var_cache_t, dir) @@ -72,6 +80,14 @@ fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file } manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t) files_var_lib_filetrans(apt_t, apt_var_lib_t, dir) +# lock files +allow apt_t apt_lock_t:dir manage_dir_perms; +allow apt_t apt_lock_t:file manage_file_perms; +files_lock_filetrans(apt_t,apt_lock_t,{dir file}) + +# log files +allow apt_t apt_var_log_t:file manage_file_perms; + kernel_read_system_state(apt_t) kernel_read_kernel_sysctls(apt_t) @@ -112,6 +128,7 @@ libs_exec_ld_so(apt_t) libs_exec_lib_files(apt_t) logging_send_syslog_msg(apt_t) +logging_log_filetrans(apt_t, apt_var_log_t, file) miscfiles_read_localization(apt_t) -- 1.6.3.3