From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Wed, 29 Jul 2009 15:14:22 -0400 Subject: [refpolicy] [PATCH 1/2] Update apt/aptitude policy to add support for lock/log files In-Reply-To: <1247599642-22214-1-git-send-email-srivasta@golden-gryphon.com> References: <1247599642-22214-1-git-send-email-srivasta@golden-gryphon.com> Message-ID: <1248894864.24705.0.camel@gorn> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Tue, 2009-07-14 at 14:27 -0500, Manoj Srivastava wrote: > From: Manoj Srivastava Merged. In the future, please do not bump the module version number. > Signed-off-by: Russell Coker > Acked-By: Manoj Srivastava > --- > policy/modules/admin/apt.fc | 5 +++++ > policy/modules/admin/apt.if | 40 ++++++++++++++++++++++++++++++++++++++++ > policy/modules/admin/apt.te | 19 ++++++++++++++++++- > 3 files changed, 63 insertions(+), 1 deletions(-) > > diff --git a/policy/modules/admin/apt.fc b/policy/modules/admin/apt.fc > index bf14cc0..e4f4850 100644 > --- a/policy/modules/admin/apt.fc > +++ b/policy/modules/admin/apt.fc > @@ -12,5 +12,10 @@ > /var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0) > /var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0) > > +# aptitude lock > +/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0) > +# aptitude log > +/var/log/aptitude gen_context(system_u:object_r:apt_var_log_t,s0) > + > # dpkg terminal log > /var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0) > diff --git a/policy/modules/admin/apt.if b/policy/modules/admin/apt.if > index 68ecf71..aaa4153 100644 > --- a/policy/modules/admin/apt.if > +++ b/policy/modules/admin/apt.if > @@ -67,6 +67,25 @@ interface(`apt_use_fds',` > > ######################################## > ## > +## Do not audit attempts to use file descriptors from apt. > +## > +## > +## > +## The type of the process attempting performing this action > +## which should not be audited. > +## > +## > +# > +interface(`apt_dontaudit_use_fds',` > + gen_require(` > + type apt_t; > + ') > + > + dontaudit $1 apt_t:fd use; > +') > + > +######################################## > +## > ## Read from an unnamed apt pipe. > ## > ## > @@ -123,6 +142,27 @@ interface(`apt_use_ptys',` > > ######################################## > ## > +## Read the apt package cache. > +## > +## > +## > +## The type of the process performing this action. > +## > +## > +# > +interface(`apt_read_cache',` > + gen_require(` > + type apt_var_cache_t; > + ') > + > + files_search_var($1) > + allow $1 apt_var_cache_t:dir list_dir_perms; > + dontaudit $1 apt_var_cache_t:dir write; > + allow $1 apt_var_cache_t:file read_file_perms; > +') > + > +######################################## > +## > ## Read the apt package database. > ## > ## > diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te > index c79157a..48afcda 100644 > --- a/policy/modules/admin/apt.te > +++ b/policy/modules/admin/apt.te > @@ -1,5 +1,5 @@ > > -policy_module(apt, 1.5.2) > +policy_module(apt, 1.5.3) > > ######################################## > # > @@ -30,6 +30,11 @@ files_type(apt_var_lib_t) > type apt_var_cache_t alias var_cache_apt_t; > files_type(apt_var_cache_t) > > +# aptitude lock file > +type apt_lock_t; > +files_lock_file(apt_lock_t) > + > +# aptitude log file > type apt_var_log_t; > logging_log_file(apt_var_log_t) > > @@ -53,6 +58,9 @@ allow apt_t self:sem create_sem_perms; > allow apt_t self:msgq create_msgq_perms; > allow apt_t self:msg { send receive }; > > +# Run update > +allow apt_t self:netlink_route_socket r_netlink_socket_perms; > + > # Access /var/cache/apt files > manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t) > files_var_filetrans(apt_t, apt_var_cache_t, dir) > @@ -72,6 +80,14 @@ fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file } > manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t) > files_var_lib_filetrans(apt_t, apt_var_lib_t, dir) > > +# lock files > +allow apt_t apt_lock_t:dir manage_dir_perms; > +allow apt_t apt_lock_t:file manage_file_perms; > +files_lock_filetrans(apt_t,apt_lock_t,{dir file}) > + > +# log files > +allow apt_t apt_var_log_t:file manage_file_perms; > + > kernel_read_system_state(apt_t) > kernel_read_kernel_sysctls(apt_t) > > @@ -112,6 +128,7 @@ libs_exec_ld_so(apt_t) > libs_exec_lib_files(apt_t) > > logging_send_syslog_msg(apt_t) > +logging_log_filetrans(apt_t, apt_var_log_t, file) > > miscfiles_read_localization(apt_t) > > -- > 1.6.3.3 > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150