From: bigon@debian.org (Laurent Bigonville) Date: Wed, 5 Dec 2012 23:03:26 +0100 Subject: [refpolicy] [PATCH 3/9] Run packagekit under apt_t context on Debian distribution In-Reply-To: <1354745012-24557-1-git-send-email-bigon@debian.org> References: <1354745012-24557-1-git-send-email-bigon@debian.org> Message-ID: <1354745012-24557-3-git-send-email-bigon@debian.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com From: Laurent Bigonville Properly label the daemon and the needed files and directories Also allow the daemon to transition to its own context when started by the system dbus --- apt.fc | 3 +++ apt.te | 4 ++++ rpm.fc | 4 ++-- 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/apt.fc b/apt.fc index 93d315c..1fd6888 100644 --- a/apt.fc +++ b/apt.fc @@ -2,7 +2,10 @@ ifndef(`distro_redhat',` /usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0) /usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0) /usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0) +/usr/lib/packagekit/packagekitd -- gen_context(system_u:object_r:apt_exec_t,s0) /usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0) +/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0) +/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0) ') /var/cache/apt(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0) diff --git a/apt.te b/apt.te index 5ffc8b8..aaa43cc 100644 --- a/apt.te +++ b/apt.te @@ -125,6 +125,10 @@ optional_policy(` ') optional_policy(` + dbus_system_domain(apt_t, apt_exec_t) +') + +optional_policy(` dpkg_read_db(apt_t) dpkg_domtrans(apt_t) dpkg_lock_db(apt_t) diff --git a/rpm.fc b/rpm.fc index e37a2d5..ebe91fc 100644 --- a/rpm.fc +++ b/rpm.fc 
@@ -31,17 +31,17 @@ ifdef(`distro_redhat',` /usr/bin/apt-shell -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/bin/aptitude -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/sbin/synaptic -- gen_context(system_u:object_r:rpm_exec_t,s0) +/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) +/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) ') /usr/share/yumex/yumex-yum-backend -- gen_context(system_u:object_r:rpm_exec_t,s0) /usr/share/yumex/yum_childtask\.py -- gen_context(system_u:object_r:rpm_exec_t,s0) /var/cache/bcfg2(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) -/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) /var/cache/yum(/.*)? gen_context(system_u:object_r:rpm_var_cache_t,s0) /var/lib/alternatives(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) /var/lib/rpm(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) /var/lib/YaST2(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) /var/lib/yum(/.*)? gen_context(system_u:object_r:rpm_var_lib_t,s0) -- 1.7.10.4
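Review bot: In apt.fc the three added entries sit inside the existing ifndef distro_redhat block, so they take effect on every non-Red Hat build, not only on Debian as the subject line says. If Debian is the only intended target, wrap the added lines in an ifdef on distro_debian, or reword the commit message to say that all non-Red Hat distributions get these labels. Labelling /usr/lib/packagekit/packagekitd as apt_exec_t also places a D-Bus activated daemon in the same domain as apt-get and aptitude; a one-line comment above the entry saying why no dedicated type is used would help later readers.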
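Review bot: In apt.te the new dbus_system_domain(apt_t, apt_exec_t) call keys the system bus transition on apt_exec_t, which apt.fc also assigns to apt-get, apt-shell, aptitude and synaptic, so the rule covers more than the packagekitd case the commit message describes. The commit message says the daemon transitions "to its own context", but the target is the shared apt_t domain. Consider a comment inside the optional_policy block stating that the call exists for packagekitd, or a separate entry point type for the daemon so that only that binary is a system bus entry point.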
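Review bot: In rpm.fc the two PackageKit entries move from the unconditional section into the ifdef distro_redhat block, so a non-Red Hat build that uses the rpm module (the unconditional /var/lib/YaST2 entry suggests such builds exist) now has /var/cache/PackageKit and /var/lib/PackageKit labelled only if the apt module is also built, and then with apt_var_cache_t and apt_var_lib_t instead of the rpm types. Please say in the commit message that this change for non-Debian, non-Red Hat distributions is intended, or keep an rpm-typed fallback for them.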