From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 29 Jul 2009 15:14:22 -0400
Subject: [refpolicy] [PATCH 1/2] Update apt/aptitude policy to add
 support for lock/log files
In-Reply-To: <1247599642-22214-1-git-send-email-srivasta@golden-gryphon.com>
References: <1247599642-22214-1-git-send-email-srivasta@golden-gryphon.com>
Message-ID: <1248894864.24705.0.camel@gorn>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 2009-07-14 at 14:27 -0500, Manoj Srivastava wrote:
> From: Manoj Srivastava <srivasta@debian.org>

Merged.  In the future, please do not bump the module version number.

> Signed-off-by: Russell Coker <russell@coker.com.au>
> Acked-By: Manoj Srivastava <srivasta@debian.org>
> ---
>  policy/modules/admin/apt.fc |    5 +++++
>  policy/modules/admin/apt.if |   40 ++++++++++++++++++++++++++++++++++++++++
>  policy/modules/admin/apt.te |   19 ++++++++++++++++++-
>  3 files changed, 63 insertions(+), 1 deletions(-)
> 
> diff --git a/policy/modules/admin/apt.fc b/policy/modules/admin/apt.fc
> index bf14cc0..e4f4850 100644
> --- a/policy/modules/admin/apt.fc
> +++ b/policy/modules/admin/apt.fc
> @@ -12,5 +12,10 @@
>  /var/lib/apt(/.*)?			gen_context(system_u:object_r:apt_var_lib_t,s0)
>  /var/lib/aptitude(/.*)?		gen_context(system_u:object_r:apt_var_lib_t,s0)
>  
> +# aptitude lock
> +/var/lock/aptitude			gen_context(system_u:object_r:apt_lock_t,s0)
> +# aptitude log
> +/var/log/aptitude			gen_context(system_u:object_r:apt_var_log_t,s0)
> +
>  # dpkg terminal log
>  /var/log/apt(/.*)?			gen_context(system_u:object_r:apt_var_log_t,s0)
> diff --git a/policy/modules/admin/apt.if b/policy/modules/admin/apt.if
> index 68ecf71..aaa4153 100644
> --- a/policy/modules/admin/apt.if
> +++ b/policy/modules/admin/apt.if
> @@ -67,6 +67,25 @@ interface(`apt_use_fds',`
>  
>  ########################################
>  ## <summary>
> +##	Do not audit attempts to use file descriptors from apt.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	The type of the process attempting performing this action
> +##      which should not be audited.
> +##	</summary>
> +## </param>
> +#
> +interface(`apt_dontaudit_use_fds',`
> +	gen_require(`
> +		type apt_t;
> +	')
> +
> +	dontaudit $1 apt_t:fd use;
> +')
> +
> +########################################
> +## <summary>
>  ##	Read from an unnamed apt pipe.
>  ## </summary>
>  ## <param name="domain">
> @@ -123,6 +142,27 @@ interface(`apt_use_ptys',`
>  
>  ########################################
>  ## <summary>
> +##	Read the apt package cache.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	The type of the process performing this action.
> +##	</summary>
> +## </param>
> +#
> +interface(`apt_read_cache',`
> +	gen_require(`
> +		type apt_var_cache_t;
> +	')
> +
> +	files_search_var($1)
> +	allow $1 apt_var_cache_t:dir list_dir_perms;
> +	dontaudit $1 apt_var_cache_t:dir write;
> +	allow $1 apt_var_cache_t:file read_file_perms;
> +')
> +
> +########################################
> +## <summary>
>  ##	Read the apt package database.
>  ## </summary>
>  ## <param name="domain">
> diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te
> index c79157a..48afcda 100644
> --- a/policy/modules/admin/apt.te
> +++ b/policy/modules/admin/apt.te
> @@ -1,5 +1,5 @@
>  
> -policy_module(apt, 1.5.2)
> +policy_module(apt, 1.5.3)
>  
>  ########################################
>  #
> @@ -30,6 +30,11 @@ files_type(apt_var_lib_t)
>  type apt_var_cache_t alias var_cache_apt_t;
>  files_type(apt_var_cache_t)
>  
> +# aptitude lock file
> +type apt_lock_t;
> +files_lock_file(apt_lock_t)
> +
> +# aptitude log file
>  type apt_var_log_t;
>  logging_log_file(apt_var_log_t)
>  
> @@ -53,6 +58,9 @@ allow apt_t self:sem create_sem_perms;
>  allow apt_t self:msgq create_msgq_perms;
>  allow apt_t self:msg { send receive };
>  
> +# Run update
> +allow apt_t self:netlink_route_socket r_netlink_socket_perms;
> +
>  # Access /var/cache/apt files
>  manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
>  files_var_filetrans(apt_t, apt_var_cache_t, dir)
> @@ -72,6 +80,14 @@ fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file }
>  manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
>  files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)
>  
> +# lock files
> +allow apt_t apt_lock_t:dir manage_dir_perms;
> +allow apt_t apt_lock_t:file manage_file_perms;
> +files_lock_filetrans(apt_t,apt_lock_t,{dir file})
> +
> +# log files
> +allow apt_t apt_var_log_t:file manage_file_perms;
> +
>  kernel_read_system_state(apt_t)
>  kernel_read_kernel_sysctls(apt_t)
>  
> @@ -112,6 +128,7 @@ libs_exec_ld_so(apt_t)
>  libs_exec_lib_files(apt_t)
>  
>  logging_send_syslog_msg(apt_t)
> +logging_log_filetrans(apt_t, apt_var_log_t, file)
>  
>  miscfiles_read_localization(apt_t)
>  
> -- 
> 1.6.3.3
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150