2017-04-27 06:43:48

by Russell Coker

Subject: [refpolicy] [PATCH] apt/dpkg strict patches

The following are needed for correct operation of apt and dpkg on a "strict"
configuration.

Index: refpolicy-2.20170427/policy/modules/contrib/apt.te
===================================================================
--- refpolicy-2.20170427.orig/policy/modules/contrib/apt.te
+++ refpolicy-2.20170427/policy/modules/contrib/apt.te
@@ -39,7 +39,7 @@ logging_log_file(apt_var_log_t)
# Local policy
#

-allow apt_t self:capability { chown dac_override fowner fsetid };
+allow apt_t self:capability { chown dac_override fowner fsetid kill setgid setuid };
allow apt_t self:process { signal setpgid fork };
allow apt_t self:fd use;
allow apt_t self:fifo_file rw_fifo_file_perms;
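Review bot: The widened `self:capability` rule on apt_t adds `kill`, `setgid` and `setuid` with no comment saying which apt operation needs each one, and the patch description only says they are needed for correct operation. These capabilities cover changing process identity and signalling processes owned by other users, so a later reader cannot tell from the rule alone whether they are still required. A one-line comment above the rule would record it, for example `# setgid/setuid/kill: presumably for apt's unprivileged helper processes - confirm against the AVC denials`.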
@@ -69,6 +69,7 @@ manage_sock_files_pattern(apt_t, apt_tmp
fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file })

manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
+manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
files_var_filetrans(apt_t, apt_var_cache_t, dir)

manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
@@ -76,6 +77,7 @@ files_var_lib_filetrans(apt_t, apt_var_l

allow apt_t apt_var_log_t:file manage_file_perms;
logging_log_filetrans(apt_t, apt_var_log_t, file)
+allow apt_t apt_var_log_t:dir manage_dir_perms;

can_exec(apt_t, apt_exec_t)
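Review bot: The new `allow apt_t apt_var_log_t:dir manage_dir_perms;` lets apt_t create directories of type apt_var_log_t, but the `logging_log_filetrans` call just above it names only `file`, so a directory apt creates in the log directory would not get apt_var_log_t through that transition. If apt is expected to create its own log directory, the transition should read `logging_log_filetrans(apt_t, apt_var_log_t, { file dir })`. If the directory is always labelled by file contexts instead, a short comment saying so would settle the question. As a style point, the rule would read better directly under the existing `:file` allow, or written as `manage_dirs_pattern(apt_t, apt_var_log_t, apt_var_log_t)` to match the cache rules in this file.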

Index: refpolicy-2.20170427/policy/modules/contrib/dpkg.if
===================================================================
--- refpolicy-2.20170427.orig/policy/modules/contrib/dpkg.if
+++ refpolicy-2.20170427/policy/modules/contrib/dpkg.if
@@ -179,6 +179,26 @@ interface(`dpkg_use_script_fds',`

########################################
## <summary>
+## Inherit and use file descriptors
+## from dpkg scripts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_script_rw_inherited_fifos',`
+ gen_require(`
+ type dpkg_script_t;
+ ')
+
+ allow $1 dpkg_script_t:fd use;
+ allow $1 dpkg_script_t:fifo_file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
## Read dpkg package database content.
## </summary>
## <param name="domain">
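Review bot: The summary on the new `dpkg_script_rw_inherited_fifos` interface describes only file-descriptor inheritance and never mentions the FIFO access granted by `allow $1 dpkg_script_t:fifo_file rw_inherited_file_perms;`. Callers read the summary to decide what they are granting, so it should cover both rules, for example `## Use file descriptors and read and write inherited FIFOs from dpkg scripts.` The trailing context lines belong to the next interface, whose body lies outside this hunk.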
Index: refpolicy-2.20170427/policy/modules/contrib/dpkg.te
===================================================================
--- refpolicy-2.20170427.orig/policy/modules/contrib/dpkg.te
+++ refpolicy-2.20170427/policy/modules/contrib/dpkg.te
@@ -33,6 +33,7 @@ type dpkg_script_t;
domain_type(dpkg_script_t)
domain_entry_file(dpkg_t, dpkg_var_lib_t)
domain_entry_file(dpkg_script_t, dpkg_var_lib_t)
+domain_entry_file(dpkg_script_t, dpkg_script_tmp_t)
corecmd_shell_entry_type(dpkg_script_t)
corecmd_bin_entry_type(dpkg_script_t)
domain_obj_id_change_exemption(dpkg_script_t)
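Review bot: Declaring dpkg_script_tmp_t an entry point for dpkg_script_t means files of a temporary-file type can start the maintainer-script domain, and the patch does not say why. The same applies to the next hunk, which adds `spec_domtrans_pattern(dpkg_t, dpkg_script_tmp_t, dpkg_script_t)`. Which domains can create or write dpkg_script_tmp_t is not visible here. If any domain other than dpkg's own can, it gains influence over what runs in dpkg_script_t, so that set of writers is worth checking. A comment beside the new line would record the intent, for example `# scripts executed from dpkg_script_tmp_t (name the tool that places them there)`.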
@@ -69,6 +70,7 @@ allow dpkg_t self:msg { send receive };
allow dpkg_t dpkg_lock_t:file manage_file_perms;

spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)
+spec_domtrans_pattern(dpkg_t, dpkg_script_tmp_t, dpkg_script_t)

manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
Index: refpolicy-2.20170427/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20170427.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20170427/policy/modules/system/systemd.te
@@ -854,6 +854,11 @@ optional_policy(`
')

optional_policy(`
+ apt_use_fds(systemd_tmpfiles_t)
+ dpkg_script_rw_inherited_fifos(systemd_tmpfiles_t)
+')
+
+optional_policy(`
xfs_create_tmp_dirs(systemd_tmpfiles_t)
')
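Review bot: The added `optional_policy` block mixes an apt interface with a dpkg interface, so if either module is absent from the build, both calls are dropped, including the one whose module is present. Giving `apt_use_fds(systemd_tmpfiles_t)` and `dpkg_script_rw_inherited_fifos(systemd_tmpfiles_t)` each their own `optional_policy` block keeps them independent. A comment saying that systemd-tmpfiles is presumably started from package maintainer scripts would also explain why it inherits these descriptors.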

Index: refpolicy-2.20170427/policy/modules/contrib/mta.te
===================================================================
--- refpolicy-2.20170427.orig/policy/modules/contrib/mta.te
+++ refpolicy-2.20170427/policy/modules/contrib/mta.te
@@ -205,6 +205,11 @@ init_rw_stream_sockets(system_mail_t)
userdom_use_user_terminals(system_mail_t)

optional_policy(`
+ apt_use_fds(system_mail_t)
+ apt_use_ptys(system_mail_t)
+')
+
+optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
apache_append_squirrelmail_data(system_mail_t)
apache_dontaudit_append_log(system_mail_t)
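Review bot: The new block grants system_mail_t use of apt's file descriptors and ptys without a comment naming which mail invocation is started from apt, so the reason for the grant cannot be recovered from the policy. If the access is only needed because descriptors leak into the mail program, a dontaudit rule would silence the denial without granting use. If mail really writes to apt's terminal, a comment should say so, e.g. `# mail sent by programs run from apt inherits its fds and pty`. The `optional_policy` block for apache that follows continues past the end of this hunk.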


2017-04-29 15:14:33

by Chris PeBenito

Subject: [refpolicy] [PATCH] apt/dpkg strict patches

On 04/27/2017 02:43 AM, Russell Coker via refpolicy wrote:
> The following are needed for correct operation of apt and dpkg on a "strict"
> configuration.
>
> Index: refpolicy-2.20170427/policy/modules/contrib/apt.te
> ===================================================================
> --- refpolicy-2.20170427.orig/policy/modules/contrib/apt.te
> +++ refpolicy-2.20170427/policy/modules/contrib/apt.te
> @@ -39,7 +39,7 @@ logging_log_file(apt_var_log_t)
> # Local policy
> #
>
> -allow apt_t self:capability { chown dac_override fowner fsetid };
> +allow apt_t self:capability { chown dac_override fowner fsetid kill setgid setuid };
> allow apt_t self:process { signal setpgid fork };
> allow apt_t self:fd use;
> allow apt_t self:fifo_file rw_fifo_file_perms;
> @@ -69,6 +69,7 @@ manage_sock_files_pattern(apt_t, apt_tmp
> fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file })
>
> manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
> +manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
> files_var_filetrans(apt_t, apt_var_cache_t, dir)
>
> manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
> @@ -76,6 +77,7 @@ files_var_lib_filetrans(apt_t, apt_var_l
>
> allow apt_t apt_var_log_t:file manage_file_perms;
> logging_log_filetrans(apt_t, apt_var_log_t, file)
> +allow apt_t apt_var_log_t:dir manage_dir_perms;
>
> can_exec(apt_t, apt_exec_t)
>
> Index: refpolicy-2.20170427/policy/modules/contrib/dpkg.if
> ===================================================================
> --- refpolicy-2.20170427.orig/policy/modules/contrib/dpkg.if
> +++ refpolicy-2.20170427/policy/modules/contrib/dpkg.if
> @@ -179,6 +179,26 @@ interface(`dpkg_use_script_fds',`
>
> ########################################
> ## <summary>
> +## Inherit and use file descriptors
> +## from dpkg scripts.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dpkg_script_rw_inherited_fifos',`
> + gen_require(`
> + type dpkg_script_t;
> + ')
> +
> + allow $1 dpkg_script_t:fd use;
> + allow $1 dpkg_script_t:fifo_file rw_inherited_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Read dpkg package database content.
> ## </summary>
> ## <param name="domain">
> Index: refpolicy-2.20170427/policy/modules/contrib/dpkg.te
> ===================================================================
> --- refpolicy-2.20170427.orig/policy/modules/contrib/dpkg.te
> +++ refpolicy-2.20170427/policy/modules/contrib/dpkg.te
> @@ -33,6 +33,7 @@ type dpkg_script_t;
> domain_type(dpkg_script_t)
> domain_entry_file(dpkg_t, dpkg_var_lib_t)
> domain_entry_file(dpkg_script_t, dpkg_var_lib_t)
> +domain_entry_file(dpkg_script_t, dpkg_script_tmp_t)
> corecmd_shell_entry_type(dpkg_script_t)
> corecmd_bin_entry_type(dpkg_script_t)
> domain_obj_id_change_exemption(dpkg_script_t)
> @@ -69,6 +70,7 @@ allow dpkg_t self:msg { send receive };
> allow dpkg_t dpkg_lock_t:file manage_file_perms;
>
> spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)
> +spec_domtrans_pattern(dpkg_t, dpkg_script_tmp_t, dpkg_script_t)
>
> manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
> manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
> Index: refpolicy-2.20170427/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20170427.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20170427/policy/modules/system/systemd.te
> @@ -854,6 +854,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + apt_use_fds(systemd_tmpfiles_t)
> + dpkg_script_rw_inherited_fifos(systemd_tmpfiles_t)
> +')
> +
> +optional_policy(`
> xfs_create_tmp_dirs(systemd_tmpfiles_t)
> ')
>
> Index: refpolicy-2.20170427/policy/modules/contrib/mta.te
> ===================================================================
> --- refpolicy-2.20170427.orig/policy/modules/contrib/mta.te
> +++ refpolicy-2.20170427/policy/modules/contrib/mta.te
> @@ -205,6 +205,11 @@ init_rw_stream_sockets(system_mail_t)
> userdom_use_user_terminals(system_mail_t)
>
> optional_policy(`
> + apt_use_fds(system_mail_t)
> + apt_use_ptys(system_mail_t)
> +')
> +
> +optional_policy(`
> apache_read_squirrelmail_data(system_mail_t)
> apache_append_squirrelmail_data(system_mail_t)
> apache_dontaudit_append_log(system_mail_t)

Merged.



--
Chris PeBenito