From: pebenito@ieee.org (Chris PeBenito)
Date: Sat, 29 Apr 2017 11:14:33 -0400
Subject: [refpolicy] [PATCH] apt/dpkg strict patches
In-Reply-To: <20170427064348.vcd27r4jrgvnuvzz@athena.coker.com.au>
References: <20170427064348.vcd27r4jrgvnuvzz@athena.coker.com.au>
Message-ID: <3166e433-8f43-0c12-2686-77f3f9241a8d@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 04/27/2017 02:43 AM, Russell Coker via refpolicy wrote:
> The following are needed for correct operation of apt and dpkg on a "strict"
> configuration.
>
> Index: refpolicy-2.20170427/policy/modules/contrib/apt.te
> ===================================================================
> --- refpolicy-2.20170427.orig/policy/modules/contrib/apt.te
> +++ refpolicy-2.20170427/policy/modules/contrib/apt.te
> @@ -39,7 +39,7 @@ logging_log_file(apt_var_log_t)
> # Local policy
> #
>
> -allow apt_t self:capability { chown dac_override fowner fsetid };
> +allow apt_t self:capability { chown dac_override fowner fsetid kill setgid setuid };
> allow apt_t self:process { signal setpgid fork };
> allow apt_t self:fd use;
> allow apt_t self:fifo_file rw_fifo_file_perms;
> @@ -69,6 +69,7 @@ manage_sock_files_pattern(apt_t, apt_tmp
> fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file })
>
> manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
> +manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
> files_var_filetrans(apt_t, apt_var_cache_t, dir)
>
> manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
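Review bot: In the first apt.te hunk (@@ -39,7), the added `kill setgid setuid` capabilities carry no comment saying which apt behaviour needs them, and on a package-manager domain these are the capabilities most worth justifying. If they are there because apt runs its download helpers under an unprivileged account and has to signal them afterwards (my inference; the mail only says "strict" configuration), a line such as `# apt drops privileges for its download helpers and signals them` above the rule would record that. The local-policy section continues outside the hunk.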
> @@ -76,6 +77,7 @@ files_var_lib_filetrans(apt_t, apt_var_l
>
> allow apt_t apt_var_log_t:file manage_file_perms;
> logging_log_filetrans(apt_t, apt_var_log_t, file)
> +allow apt_t apt_var_log_t:dir manage_dir_perms;
>
> can_exec(apt_t, apt_exec_t)
>
> Index: refpolicy-2.20170427/policy/modules/contrib/dpkg.if
> ===================================================================
> --- refpolicy-2.20170427.orig/policy/modules/contrib/dpkg.if
> +++ refpolicy-2.20170427/policy/modules/contrib/dpkg.if
> @@ -179,6 +179,26 @@ interface(`dpkg_use_script_fds',`
>
> ########################################
> ##
> +## Inherit and use file descriptors
> +## from dpkg scripts.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`dpkg_script_rw_inherited_fifos',`
> + gen_require(`
> + type dpkg_script_t;
> + ')
> +
> + allow $1 dpkg_script_t:fd use;
> + allow $1 dpkg_script_t:fifo_file rw_inherited_file_perms;
> +')
> +
> +########################################
> +##
> ## Read dpkg package database content.
> ##
> ##
> Index: refpolicy-2.20170427/policy/modules/contrib/dpkg.te
> ===================================================================
> --- refpolicy-2.20170427.orig/policy/modules/contrib/dpkg.te
> +++ refpolicy-2.20170427/policy/modules/contrib/dpkg.te
> @@ -33,6 +33,7 @@ type dpkg_script_t;
> domain_type(dpkg_script_t)
> domain_entry_file(dpkg_t, dpkg_var_lib_t)
> domain_entry_file(dpkg_script_t, dpkg_var_lib_t)
> +domain_entry_file(dpkg_script_t, dpkg_script_tmp_t)
> corecmd_shell_entry_type(dpkg_script_t)
> corecmd_bin_entry_type(dpkg_script_t)
> domain_obj_id_change_exemption(dpkg_script_t)
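Review bot: In the apt.te hunk at @@ -76,6, `allow apt_t apt_var_log_t:dir manage_dir_perms;` lets apt_t create directories of that type, but the `logging_log_filetrans(apt_t, apt_var_log_t, file)` line just above it transitions files only. A directory that apt_t creates directly under the log directory would therefore keep the parent's label rather than apt_var_log_t. If creating the log directory is the intent, the transition should read `logging_log_filetrans(apt_t, apt_var_log_t, { file dir })`. If the directory is always labelled from the file contexts instead, a narrower set such as `rw_dir_perms` may be enough.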
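Review bot: The summary of the new `dpkg_script_rw_inherited_fifos` interface in dpkg.if ("Inherit and use file descriptors from dpkg scripts.") does not describe what the interface grants. It looks carried over from dpkg_use_script_fds, the interface named in the hunk header. I would change it to `Read and write FIFOs inherited from dpkg scripts.` and state that the interface also allows `dpkg_script_t:fd use`, so callers know they need not call dpkg_use_script_fds as well.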
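Review bot: `domain_entry_file(dpkg_script_t, dpkg_script_tmp_t)` in the dpkg.te hunk at @@ -33,6 makes a temporary-file type an entry point into the maintainer-script domain, and `spec_domtrans_pattern(dpkg_t, dpkg_script_tmp_t, dpkg_script_t)` in the next hunk (@@ -69,6) adds the matching transition. Neither line says why. From here on, any domain allowed to create or write dpkg_script_tmp_t files has a say in what runs as dpkg_script_t, so the writers of that type should be checked before this is relied on; none are visible in these hunks. The reason also belongs next to the rule, e.g. `# maintainer scripts may be unpacked to and run from a temporary directory`, if that is the case.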
> @@ -69,6 +70,7 @@ allow dpkg_t self:msg { send receive };
> allow dpkg_t dpkg_lock_t:file manage_file_perms;
>
> spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)
> +spec_domtrans_pattern(dpkg_t, dpkg_script_tmp_t, dpkg_script_t)
>
> manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
> manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
> Index: refpolicy-2.20170427/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20170427.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20170427/policy/modules/system/systemd.te
> @@ -854,6 +854,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + apt_use_fds(systemd_tmpfiles_t)
> + dpkg_script_rw_inherited_fifos(systemd_tmpfiles_t)
> +')
> +
> +optional_policy(`
> xfs_create_tmp_dirs(systemd_tmpfiles_t)
> ')
>
> Index: refpolicy-2.20170427/policy/modules/contrib/mta.te
> ===================================================================
> --- refpolicy-2.20170427.orig/policy/modules/contrib/mta.te
> +++ refpolicy-2.20170427/policy/modules/contrib/mta.te
> @@ -205,6 +205,11 @@ init_rw_stream_sockets(system_mail_t)
> userdom_use_user_terminals(system_mail_t)
>
> optional_policy(`
> + apt_use_fds(system_mail_t)
> + apt_use_ptys(system_mail_t)
> +')
> +
> +optional_policy(`
> apache_read_squirrelmail_data(system_mail_t)
> apache_append_squirrelmail_data(system_mail_t)
> apache_dontaudit_append_log(system_mail_t)
Merged.
-- Chris PeBenito
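Review bot: In the systemd.te hunk (@@ -854,6), `apt_use_fds(systemd_tmpfiles_t)` and `dpkg_script_rw_inherited_fifos(systemd_tmpfiles_t)` share one optional_policy block although they come from two different modules. The whole block is dropped when either module is missing from the build, so a policy with dpkg but without apt silently loses the dpkg rule. Each call should sit in its own block, i.e. close the first with `')` after the apt line and open a second `optional_policy(` before the dpkg line. The mta.te hunk is fine in this respect, since both of its calls are apt interfaces.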