+##
+## Allow apt to manage user home content.
+## Needed for apt-get source foo
+##
+##
+gen_tunable(apt_manage_user_home, false)
+
attribute_role apt_roles;
type apt_t;
type apt_exec_t;
init_system_domain(apt_t, apt_exec_t)
-domain_system_change_exemption(apt_t)
role apt_roles types apt_t;
+type apt_conf_t;
+files_config_file(apt_conf_t)
+
type apt_devpts_t;
term_pty(apt_devpts_t)
@@ -25,33 +35,41 @@ files_tmp_file(apt_tmp_t)
type apt_tmpfs_t;
files_tmpfs_file(apt_tmpfs_t)
-type apt_var_cache_t alias var_cache_apt_t;
+type apt_var_cache_t;
files_type(apt_var_cache_t)
-type apt_var_lib_t alias var_lib_apt_t;
+type apt_var_lib_t;
files_type(apt_var_lib_t)
-type apt_var_log_t;
-logging_log_file(apt_var_log_t)
+type apt_log_t alias apt_var_log_t;
+logging_log_file(apt_log_t)
+
+type apt_rw_log_t;
+logging_log_file(apt_rw_log_t)
+
+type apt_unit_t;
+init_unit_file(apt_unit_t)
########################################
#
# Local policy
#
-allow apt_t self:capability { chown dac_override fowner fsetid kill setgid setuid };
-allow apt_t self:process { signal setpgid fork };
-allow apt_t self:fd use;
+# chown dac_override fowner : /var/lib/apt/lists/partial
+# fsetid : chmod /var/log/apt/term.log
+# sys_chroot: aptitude
+allow apt_t self:capability { chown dac_read_search dac_override fowner fsetid setgid setuid sys_chroot };
+# kill : gpgv /usr/lib/apt/methods/http
+# net_admin : setsockopt
+dontaudit apt_t self:capability { kill net_admin };
+
+allow apt_t self:process { getsched setfscreate signal };
allow apt_t self:fifo_file rw_fifo_file_perms;
-allow apt_t self:unix_dgram_socket sendto;
-allow apt_t self:unix_stream_socket { accept connectto listen };
-allow apt_t self:udp_socket { connect create_socket_perms };
-allow apt_t self:tcp_socket create_stream_socket_perms;
-allow apt_t self:shm create_shm_perms;
-allow apt_t self:sem create_sem_perms;
-allow apt_t self:msgq create_msgq_perms;
-allow apt_t self:msg { send receive };
-allow apt_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow apt_t apt_conf_t:dir list_dir_perms;
+allow apt_t apt_conf_t:file read_file_perms;
+
+allow apt_t apt_devpts_t:chr_file rw_term_perms;
allow apt_t apt_lock_t:dir manage_dir_perms;
allow apt_t apt_lock_t:file manage_file_perms;
@@ -59,6 +77,7 @@ files_lock_filetrans(apt_t, apt_lock_t, { dir file })
manage_dirs_pattern(apt_t, apt_tmp_t, apt_tmp_t)
manage_files_pattern(apt_t, apt_tmp_t, apt_tmp_t)
+allow apt_t apt_tmp_t:lnk_file manage_lnk_file_perms;
files_tmp_filetrans(apt_t, apt_tmp_t, { file dir })
manage_dirs_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
@@ -69,61 +88,69 @@ manage_sock_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file })
manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
-manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
+allow apt_t apt_var_cache_t:dir setattr;
files_var_filetrans(apt_t, apt_var_cache_t, dir)
+allow apt_t apt_var_lib_t:dir manage_dir_perms;
manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
-files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)
+allow apt_t apt_var_lib_t:lnk_file manage_lnk_file_perms;
+
+allow apt_t apt_log_t:dir { rw_dir_perms search_dir_perms };
+allow apt_t apt_log_t:file { append_file_perms create_file_perms setattr };
+logging_log_filetrans(apt_t, apt_log_t, file)
-allow apt_t apt_var_log_t:file manage_file_perms;
-allow apt_t apt_var_log_t:dir manage_dir_perms;
-logging_log_filetrans(apt_t, apt_var_log_t, file)
+allow apt_t apt_rw_log_t:file manage_file_perms;
+filetrans_pattern(apt_t, apt_log_t, apt_rw_log_t, file, "eipp.log.xz")
can_exec(apt_t, apt_exec_t)
kernel_read_system_state(apt_t)
kernel_read_kernel_sysctls(apt_t)
+kernel_read_crypto_sysctls(apt_t)
corecmd_exec_bin(apt_t)
corecmd_exec_shell(apt_t)
-corenet_all_recvfrom_unlabeled(apt_t)
-corenet_all_recvfrom_netlabel(apt_t)
-corenet_tcp_sendrecv_generic_if(apt_t)
-corenet_tcp_sendrecv_generic_node(apt_t)
-corenet_tcp_sendrecv_all_ports(apt_t)
+corenet_tcp_connect_http_port(apt_t)
-corenet_sendrecv_all_client_packets(apt_t)
-corenet_tcp_connect_all_ports(apt_t)
-
-dev_list_sysfs(apt_t)
dev_read_urand(apt_t)
-domain_getattr_all_domains(apt_t)
domain_use_interactive_fds(apt_t)
-files_exec_usr_files(apt_t)
-files_read_etc_files(apt_t)
-files_read_etc_runtime_files(apt_t)
+# /usr/share/dpkg/cputable
+files_read_usr_files(apt_t)
+files_search_var_lib(apt_t)
-fs_getattr_all_fs(apt_t)
+fs_getattr_xattr_fs(apt_t)
term_create_pty(apt_t, apt_devpts_t)
-term_list_ptys(apt_t)
-term_use_all_terms(apt_t)
-libs_exec_ld_so(apt_t)
-libs_exec_lib_files(apt_t)
+auth_use_nsswitch(apt_t)
logging_send_syslog_msg(apt_t)
miscfiles_read_localization(apt_t)
-seutil_use_newrole_fds(apt_t)
+userdom_use_inherited_user_terminals(apt_t)
+userdom_search_user_runtime_root(apt_t)
+# chdir from user directory
+userdom_search_user_home_content(apt_t)
-sysnet_read_config(apt_t)
+tunable_policy(`apt_manage_user_home',`
+ # apt-get source foo
+ userdom_manage_user_home_content_dirs(apt_t)
+ userdom_manage_user_home_content_files(apt_t)
+')
-userdom_use_user_terminals(apt_t)
+optional_policy(`
+ # apt-listchanges
+
+ # ~/.lesshst
+ userdom_read_user_home_content_files(apt_t)
+
+ hostname_exec(apt_t)
+ mta_send_mail(apt_t)
+')
optional_policy(`
backup_manage_store_files(apt_t)
@@ -141,10 +168,9 @@ optional_policy(`
dpkg_read_db(apt_t)
dpkg_domtrans(apt_t)
dpkg_lock_db(apt_t)
-')
-optional_policy(`
- nis_use_ypbind(apt_t)
+ # exec in unpriviledged NONEWPRIV mode
+ dpkg_exec(apt_t)
')
optional_policy(`
@@ -156,7 +182,3 @@ optional_policy(`
rpm_read_db(apt_t)
rpm_domtrans(apt_t)
')
-
-optional_policy(`
- unconfined_domain(apt_t)
-')
--
2.14.1