From: domg472@gmail.com (Dominick Grift) Date: Fri, 3 Sep 2010 17:50:14 +0200 Subject: [refpolicy] [Apt 1/1] Clean up Apt module. Message-ID: <20100903155010.GA27711@localhost.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Signed-off-by: Dominick Grift --- :100644 100644 e4f4850... 1f65fbe... M policy/modules/admin/apt.fc :100644 100644 e696b80... eaf17d0... M policy/modules/admin/apt.if :100644 100644 4044710... 9a37f79... M policy/modules/admin/apt.te policy/modules/admin/apt.fc | 9 +-------- policy/modules/admin/apt.if | 35 ++++++++++++++++++++--------------- policy/modules/admin/apt.te | 9 --------- 3 files changed, 21 insertions(+), 32 deletions(-) diff --git a/policy/modules/admin/apt.fc b/policy/modules/admin/apt.fc index e4f4850..1f65fbe 100644 --- a/policy/modules/admin/apt.fc +++ b/policy/modules/admin/apt.fc @@ -1,21 +1,14 @@ /usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0) -# apt-shell is redhat specific /usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0) -# other package managers /usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0) /usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0) -# package cache repository /var/cache/apt(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0) -# package list repository /var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0) /var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0) -# aptitude lock /var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0) -# aptitude log -/var/log/aptitude gen_context(system_u:object_r:apt_var_log_t,s0) -# dpkg terminal log +/var/log/aptitude gen_context(system_u:object_r:apt_var_log_t,s0) /var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0) diff --git a/policy/modules/admin/apt.if b/policy/modules/admin/apt.if index e696b80..eaf17d0 100644 --- a/policy/modules/admin/apt.if +++ b/policy/modules/admin/apt.if 
@@ -2,7 +2,7 @@ ######################################## ## -## Execute apt programs in the apt domain. +## Execute a domain transition to run Apt. ## ## ## @@ -15,14 +15,19 @@ interface(`apt_domtrans',` type apt_t, apt_exec_t; ') - files_search_usr($1) corecmd_search_bin($1) domtrans_pattern($1, apt_exec_t, apt_t) + + ifndef(`distro_redhat',` + files_search_usr($1) + ') ') ######################################## ## -## Execute apt programs in the apt domain. +## Execute a domain transition to run +## Apt, and allow the specified role +## the Apt domain. ## ## ## @@ -31,7 +36,7 @@ interface(`apt_domtrans',` ## ## ## -## The role to allow the apt domain. +## Domain allowed access. ## ## ## @@ -43,12 +48,11 @@ interface(`apt_run',` apt_domtrans($1) role $2 types apt_t; - # TODO: likely have to add dpkg_run here. ') ######################################## ## -## Inherit and use file descriptors from apt. +## Inherit and use file descriptors from Apt. ## ## ## @@ -67,7 +71,8 @@ interface(`apt_use_fds',` ######################################## ## -## Do not audit attempts to use file descriptors from apt. +## Do not audit attempts to use file +## descriptors from Apt. ## ## ## @@ -85,7 +90,7 @@ interface(`apt_dontaudit_use_fds',` ######################################## ## -## Read from an unnamed apt pipe. +## Read from an unnamed Apt pipe. ## ## ## @@ -104,7 +109,7 @@ interface(`apt_read_pipes',` ######################################## ## -## Read and write an unnamed apt pipe. +## Read and write an unnamed Apt pipe. ## ## ## @@ -123,7 +128,7 @@ interface(`apt_rw_pipes',` ######################################## ## -## Read from and write to apt ptys. +## Read from and write to Apt ptys. ## ## ## @@ -141,7 +146,7 @@ interface(`apt_use_ptys',` ######################################## ## -## Read the apt package cache. +## Read the Apt package cache. ## ## ## 
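Review bot: In the @@ -15,14 +15,19 @@ hunk, the call to files_search_usr($1) in apt_domtrans is now wrapped in an ifndef on distro_redhat with no comment explaining why callers on Red Hat builds can do without search access to usr_t. apt.fc in this same patch labels the Apt executables under /usr/bin and /usr/sbin for every distribution, so the reason is not evident from the lines shown. Because this interface decides what every calling domain is granted, the condition should state its rationale, for example `# <reason usr_t search is not needed on Red Hat>` above the ifndef. If corecmd_search_bin($1) already covers the path lookup, the call could instead be dropped unconditionally. The gen_require block of apt_domtrans opens above the hunk.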
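Review bot: In the @@ -31,7 +36,7 @@ hunk, the replaced text `The role to allow the apt domain.` reads as the description of apt_run's role parameter, the one used as `role $2 types apt_t;` in the next hunk, so the new `Domain allowed access.` would mislabel it. The markup around the line is not visible here, so this is inferred from the old wording. If it is the role parameter, the line should read `## Role allowed access.`. A wrong description on a role-granting interface invites callers to pass a domain type where a role is expected.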
@@ -162,7 +167,7 @@ interface(`apt_read_cache',` ######################################## ## -## Read the apt package database. +## Read the Apt package database. ## ## ## @@ -183,7 +188,7 @@ interface(`apt_read_db',` ######################################## ## -## Create, read, write, and delete the apt package database. +## Manage the Apt package database. ## ## ## @@ -205,8 +210,8 @@ interface(`apt_manage_db',` ######################################## ## -## Do not audit attempts to create, read, -## write, and delete the apt package database. +## Do not audit attempts manage +## the Apt package database. ## ## ## diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te index 4044710..9a37f79 100644 --- a/policy/modules/admin/apt.te +++ b/policy/modules/admin/apt.te @@ -11,11 +11,9 @@ init_system_domain(apt_t, apt_exec_t) domain_system_change_exemption(apt_t) role system_r types apt_t; -# pseudo terminal for running dpkg type apt_devpts_t; term_pty(apt_devpts_t) -# aptitude lock file type apt_lock_t; files_lock_file(apt_lock_t) @@ -25,15 +23,12 @@ files_tmp_file(apt_tmp_t) type apt_tmpfs_t; files_tmpfs_file(apt_tmpfs_t) -# package cache type apt_var_cache_t alias var_cache_apt_t; files_type(apt_var_cache_t) -# status files type apt_var_lib_t alias var_lib_apt_t; files_type(apt_var_lib_t) -# aptitude log file type apt_var_log_t; logging_log_file(apt_var_log_t) @@ -59,7 +54,6 @@ allow apt_t self:msg { send receive }; # Run update allow apt_t self:netlink_route_socket r_netlink_socket_perms; -# lock files allow apt_t apt_lock_t:dir manage_dir_perms; allow apt_t apt_lock_t:file manage_file_perms; files_lock_filetrans(apt_t, apt_lock_t, {dir file}) 
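Review bot: The new summary line `## Do not audit attempts manage` in the @@ -205,8 +210,8 @@ hunk is missing a word and should read `## Do not audit attempts to manage`. The summary belongs to the dontaudit interface that follows apt_manage_db, whose body lies outside the hunk. Since these summaries are what policy authors read when choosing an interface, the sentence should parse cleanly.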
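Review bot: The comment removed above `type apt_devpts_t;` in the @@ -11,11 +11,9 @@ hunk was the only line shown here that said the pty type exists for running dpkg, which the type name alone does not convey. With the dpkg TODO in apt_run and the `# dpkg terminal log` line in apt.fc also dropped by this patch, the visible hunks no longer record that Apt drives dpkg. I would keep `# pseudo terminal for running dpkg` on that declaration so a later reviewer can tell why the type is needed.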
@@ -75,15 +69,12 @@ manage_fifo_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t) manage_sock_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t) fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file }) -# Access /var/cache/apt files manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t) files_var_filetrans(apt_t, apt_var_cache_t, dir) -# Access /var/lib/apt files manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t) files_var_lib_filetrans(apt_t, apt_var_lib_t, dir) -# log files allow apt_t apt_var_log_t:file manage_file_perms; logging_log_filetrans(apt_t, apt_var_log_t, file) -- 1.7.2.1 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 198 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100903/fc6c4f65/attachment.bin