2017-09-21 16:01:54

by Christian Göttsche

Subject: [refpolicy] [PATCH FOR DISCUSSION] apt: confine and update

Currently the main apt binaries `/usr/bin/apt` and `/usr/bin/aptitude-curses` are labeled as `bin_t`.
Label them and confine the `apt_t` domain.
Also drop the packagekit part, because this long-running daemon should not run under the apt domain.
---
apt.fc | 37 +++++++++++---------
apt.if | 9 ++---
apt.te | 124 ++++++++++++++++++++++++++++++++++++++---------------------------
3 files changed, 98 insertions(+), 72 deletions(-)

diff --git a/apt.fc b/apt.fc
index 92db84d..d1af12f 100644
--- a/apt.fc
+++ b/apt.fc
@@ -1,23 +1,26 @@
-/etc/cron\.daily/apt -- gen_context(system_u:object_r:apt_exec_t,s0)
+/etc/apt(/.*)? gen_context(system_u:object_r:apt_conf_t,s0)

-ifndef(`distro_redhat',`
-/usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0)
-/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
-/usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
-/usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
-/usr/lib/packagekit/packagekitd -- gen_context(system_u:object_r:apt_exec_t,s0)
-/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
-/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
-')
+/etc/cron\.daily/apt -- gen_context(system_u:object_r:apt_exec_t,s0)

-/var/cache/apt(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
+/usr/bin/apt -- gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/bin/aptitude-curses -- gen_context(system_u:object_r:apt_exec_t,s0)

-/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
-/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
-/var/lib/apt-xapian-inde(x)(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
+/usr/lib/apt/apt\.systemd\.daily -- gen_context(system_u:object_r:apt_exec_t,s0)

-/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
+/usr/lib/systemd/system/apt-daily\.timer -- gen_context(system_u:object_r:apt_unit_t,s0)

-/var/log/aptitude.* gen_context(system_u:object_r:apt_var_log_t,s0)
+/usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)

-/var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)
+/var/cache/apt(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
+
+/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
+/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
+
+/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
+
+/var/log/aptitude.* gen_context(system_u:object_r:apt_log_t,s0)
+/var/log/apt(/.*)? gen_context(system_u:object_r:apt_log_t,s0)
+/var/log/apt/eipp\.log\.xz -- gen_context(system_u:object_r:apt_rw_log_t,s0)
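Review bot: Line 49 labels only the timer unit; the service unit that the timer starts (apt-daily.service, and on current Debian the apt-daily-upgrade pair, if those files are present on the target) keeps the generic unit label, and a reader of apt.fc cannot tell whether that is intended. If the whole set is meant to be apt_unit_t, one pattern such as `/usr/lib/systemd/system/apt-daily.*	--	gen_context(system_u:object_r:apt_unit_t,s0)` covers it; otherwise a one-line comment above line 49 saying why only the timer is labeled would help. The commit message also does not mention that the `ifndef(distro_redhat)` guard and the apt-xapian-index entry are gone, which readers of the history will look for.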
diff --git a/apt.if b/apt.if
index 568aa97..b2adffe 100644
--- a/apt.if
+++ b/apt.if
@@ -133,12 +133,12 @@ interface(`apt_rw_pipes',`
type apt_t;
')

- allow $1 apt_t:fifo_file rw_file_perms;
+ allow $1 apt_t:fifo_file rw_fifo_file_perms;
')

########################################
## <summary>
-## Read and write apt ptys.
+## Read and write inherited apt ptys.
## </summary>
## <param name="domain">
## <summary>
@@ -148,10 +148,11 @@ interface(`apt_rw_pipes',`
#
interface(`apt_use_ptys',`
gen_require(`
- type apt_devpts_t;
+ type apt_t, apt_devpts_t;
')

- allow $1 apt_devpts_t:chr_file rw_term_perms;
+ allow $1 apt_t:fd use;
+ allow $1 apt_devpts_t:chr_file rw_inherited_term_perms;
')

########################################
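Review bot: Narrowing `apt_use_ptys` from rw_term_perms to rw_inherited_term_perms at line 94 changes what existing callers of this interface get (the open permission is gone), so the commit message should state that callers are expected to have the pty inherited rather than opened. Adding `allow $1 apt_t:fd use;` at line 93 inside a pty interface couples two separate grants; if fd use is needed on its own by some caller, a dedicated `apt_use_fds` interface would follow the usual refpolicy layout and keep this one about the terminal only. The interface body is fully inside the hunk.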
diff --git a/apt.te b/apt.te
index c54e212..249fd87 100644
--- a/apt.te
+++ b/apt.te
@@ -1,18 +1,28 @@
-policy_module(apt, 1.11.0)
+policy_module(apt, 1.11.0, checked)

########################################
#
# Declarations
#

+## <desc>
+## <p>
+## Allow apt to manage user home content.
+## Needed for apt-get source foo
+## </p>
+## </desc>
+gen_tunable(apt_manage_user_home, false)
+
attribute_role apt_roles;

type apt_t;
type apt_exec_t;
init_system_domain(apt_t, apt_exec_t)
-domain_system_change_exemption(apt_t)
role apt_roles types apt_t;

+type apt_conf_t;
+files_config_file(apt_conf_t)
+
type apt_devpts_t;
term_pty(apt_devpts_t)

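Review bot: The module version at line 104 stays at 1.11.0 although the patch relabels files, removes type aliases and rewrites most of the domain; refpolicy convention is to bump it, e.g. `policy_module(apt, 1.12.0)`. The third argument `checked` is not a policy_module() parameter I can place in upstream refpolicy; if it is a local marker it should be dropped before merging, otherwise the commit message should say what it does. The tunable description at line 114 would read better as a full sentence, e.g. `## Needed for "apt-get source".`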
@@ -25,33 +35,41 @@ files_tmp_file(apt_tmp_t)
type apt_tmpfs_t;
files_tmpfs_file(apt_tmpfs_t)

-type apt_var_cache_t alias var_cache_apt_t;
+type apt_var_cache_t;
files_type(apt_var_cache_t)

-type apt_var_lib_t alias var_lib_apt_t;
+type apt_var_lib_t;
files_type(apt_var_lib_t)

-type apt_var_log_t;
-logging_log_file(apt_var_log_t)
+type apt_log_t alias apt_var_log_t;
+logging_log_file(apt_log_t)
+
+type apt_rw_log_t;
+logging_log_file(apt_rw_log_t)
+
+type apt_unit_t;
+init_unit_file(apt_unit_t)

########################################
#
# Local policy
#

-allow apt_t self:capability { chown dac_override fowner fsetid kill setgid setuid };
-allow apt_t self:process { signal setpgid fork };
-allow apt_t self:fd use;
+# chown dac_override fowner : /var/lib/apt/lists/partial
+# fsetid : chmod /var/log/apt/term.log
+# sys_chroot: aptitude
+allow apt_t self:capability { chown dac_read_search dac_override fowner fsetid setgid setuid sys_chroot };
+# kill : gpgv /usr/lib/apt/methods/http
+# net_admin : setsockopt
+dontaudit apt_t self:capability { kill net_admin };
+
+allow apt_t self:process { getsched setfscreate signal };
allow apt_t self:fifo_file rw_fifo_file_perms;
-allow apt_t self:unix_dgram_socket sendto;
-allow apt_t self:unix_stream_socket { accept connectto listen };
-allow apt_t self:udp_socket { connect create_socket_perms };
-allow apt_t self:tcp_socket create_stream_socket_perms;
-allow apt_t self:shm create_shm_perms;
-allow apt_t self:sem create_sem_perms;
-allow apt_t self:msgq create_msgq_perms;
-allow apt_t self:msg { send receive };
-allow apt_t self:netlink_route_socket r_netlink_socket_perms;
+
+allow apt_t apt_conf_t:dir list_dir_perms;
+allow apt_t apt_conf_t:file read_file_perms;
+
+allow apt_t apt_devpts_t:chr_file rw_term_perms;

allow apt_t apt_lock_t:dir manage_dir_perms;
allow apt_t apt_lock_t:file manage_file_perms;
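Review bot: Dropping the `var_cache_apt_t` and `var_lib_apt_t` aliases at lines 138 and 142 breaks any local policy or file context that still names them, while line 147 keeps `apt_var_log_t` as an alias for the renamed log type, so the two cases are treated differently without a stated reason. Keeping `type apt_var_cache_t alias var_cache_apt_t;` and `type apt_var_lib_t alias var_lib_apt_t;` costs nothing; if the removal is deliberate, the commit message should say so. The per-capability comments at lines 164-169 are a good pattern, and `dac_read_search` at line 167 is the one capability left without an explanation of what needs it.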
@@ -59,6 +77,7 @@ files_lock_filetrans(apt_t, apt_lock_t, { dir file })

manage_dirs_pattern(apt_t, apt_tmp_t, apt_tmp_t)
manage_files_pattern(apt_t, apt_tmp_t, apt_tmp_t)
+allow apt_t apt_tmp_t:lnk_file manage_lnk_file_perms;
files_tmp_filetrans(apt_t, apt_tmp_t, { file dir })

manage_dirs_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
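Review bot: Line 195 spells out `allow apt_t apt_tmp_t:lnk_file manage_lnk_file_perms;` between two pattern macros; `manage_lnk_files_pattern(apt_t, apt_tmp_t, apt_tmp_t)` matches the surrounding lines and the way the tmpfs rules below are written.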
@@ -69,61 +88,69 @@ manage_sock_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file })

manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
-manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
+allow apt_t apt_var_cache_t:dir setattr;
files_var_filetrans(apt_t, apt_var_cache_t, dir)

+allow apt_t apt_var_lib_t:dir manage_dir_perms;
manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
-files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)
+allow apt_t apt_var_lib_t:lnk_file manage_lnk_file_perms;
+
+allow apt_t apt_log_t:dir { rw_dir_perms search_dir_perms };
+allow apt_t apt_log_t:file { append_file_perms create_file_perms setattr };
+logging_log_filetrans(apt_t, apt_log_t, file)

-allow apt_t apt_var_log_t:file manage_file_perms;
-allow apt_t apt_var_log_t:dir manage_dir_perms;
-logging_log_filetrans(apt_t, apt_var_log_t, file)
+allow apt_t apt_rw_log_t:file manage_file_perms;
+filetrans_pattern(apt_t, apt_log_t, apt_rw_log_t, file, "eipp.log.xz")

can_exec(apt_t, apt_exec_t)

kernel_read_system_state(apt_t)
kernel_read_kernel_sysctls(apt_t)
+kernel_read_crypto_sysctls(apt_t)

corecmd_exec_bin(apt_t)
corecmd_exec_shell(apt_t)

-corenet_all_recvfrom_unlabeled(apt_t)
-corenet_all_recvfrom_netlabel(apt_t)
-corenet_tcp_sendrecv_generic_if(apt_t)
-corenet_tcp_sendrecv_generic_node(apt_t)
-corenet_tcp_sendrecv_all_ports(apt_t)
+corenet_tcp_connect_http_port(apt_t)

-corenet_sendrecv_all_client_packets(apt_t)
-corenet_tcp_connect_all_ports(apt_t)
-
-dev_list_sysfs(apt_t)
dev_read_urand(apt_t)

-domain_getattr_all_domains(apt_t)
domain_use_interactive_fds(apt_t)

-files_exec_usr_files(apt_t)
-files_read_etc_files(apt_t)
-files_read_etc_runtime_files(apt_t)
+# /usr/share/dpkg/cputable
+files_read_usr_files(apt_t)
+files_search_var_lib(apt_t)

-fs_getattr_all_fs(apt_t)
+fs_getattr_xattr_fs(apt_t)

term_create_pty(apt_t, apt_devpts_t)
-term_list_ptys(apt_t)
-term_use_all_terms(apt_t)

-libs_exec_ld_so(apt_t)
-libs_exec_lib_files(apt_t)
+auth_use_nsswitch(apt_t)

logging_send_syslog_msg(apt_t)

miscfiles_read_localization(apt_t)

-seutil_use_newrole_fds(apt_t)
+userdom_use_inherited_user_terminals(apt_t)
+userdom_search_user_runtime_root(apt_t)
+# chdir from user directory
+userdom_search_user_home_content(apt_t)

-sysnet_read_config(apt_t)
+tunable_policy(`apt_manage_user_home',`
+ # apt-get source foo
+ userdom_manage_user_home_content_dirs(apt_t)
+ userdom_manage_user_home_content_files(apt_t)
+')

-userdom_use_user_terminals(apt_t)
+optional_policy(`
+ # apt-listchanges
+
+ # ~/.lesshst
+ userdom_read_user_home_content_files(apt_t)
+
+ hostname_exec(apt_t)
+ mta_send_mail(apt_t)
+')

optional_policy(`
backup_manage_store_files(apt_t)
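Review bot: The optional_policy block at lines 283-291 groups interfaces from three modules (userdom, hostname, mta) under one `# apt-listchanges` label; the whole block is dropped when any one of those modules is absent, and `userdom_read_user_home_content_files` comes from a base module that is always present, so it should move out of the block while `hostname_exec` and `mta_send_mail` each get their own optional_policy block. Separately, `corenet_tcp_connect_http_port(apt_t)` at line 236 has no visible `self:tcp_socket` grant left once line 177 is removed; if that is expected to arrive through `auth_use_nsswitch(apt_t)` at line 263, a comment next to line 236 saying so would stop a later cleanup from silently breaking downloads. Minor: `search_dir_perms` at line 212 is already contained in `rw_dir_perms`.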
@@ -141,10 +168,9 @@ optional_policy(`
dpkg_read_db(apt_t)
dpkg_domtrans(apt_t)
dpkg_lock_db(apt_t)
-')

-optional_policy(`
- nis_use_ypbind(apt_t)
+ # exec in unpriviledged NONEWPRIV mode
+ dpkg_exec(apt_t)
')

optional_policy(`
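Review bot: The comment at line 303 has a typo and does not say why `dpkg_exec(apt_t)` is needed alongside `dpkg_domtrans(apt_t)` at line 297; suggest `# dpkg is also executed without a domain transition when apt runs it with no_new_privs`. The optional_policy block this hunk edits starts above the hunk.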
@@ -156,7 +182,3 @@ optional_policy(`
rpm_read_db(apt_t)
rpm_domtrans(apt_t)
')
-
-optional_policy(`
- unconfined_domain(apt_t)
-')
--
2.14.1


2017-09-21 16:24:05

by Dominick Grift

Subject: [refpolicy] [PATCH FOR DISCUSSION] apt: confine and update

On Thu, Sep 21, 2017 at 06:01:54PM +0200, Christian Göttsche via refpolicy wrote:
> Currently the main apt binaries `/usr/bin/apt` and `/usr/bin/aptitude-curses` are labeled as `bin_t`.
> Label them and confine the `apt_t` domain.
> Also drop the packagekit part, cause this long running daemon should not run under the apt domain.
> ---
> apt.fc | 37 +++++++++++---------
> apt.if | 9 ++---
> apt.te | 124 ++++++++++++++++++++++++++++++++++++++---------------------------
> 3 files changed, 98 insertions(+), 72 deletions(-)
>
> diff --git a/apt.fc b/apt.fc
> index 92db84d..d1af12f 100644
> --- a/apt.fc
> +++ b/apt.fc
> @@ -1,23 +1,26 @@
> -/etc/cron\.daily/apt -- gen_context(system_u:object_r:apt_exec_t,s0)
> +/etc/apt(/.*)? gen_context(system_u:object_r:apt_conf_t,s0)
>
> -ifndef(`distro_redhat',`
> -/usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0)
> -/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
> -/usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
> -/usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
> -/usr/lib/packagekit/packagekitd -- gen_context(system_u:object_r:apt_exec_t,s0)
> -/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
> -/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
> -')
> +/etc/cron\.daily/apt -- gen_context(system_u:object_r:apt_exec_t,s0)
>
> -/var/cache/apt(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
> +/usr/bin/apt -- gen_context(system_u:object_r:apt_exec_t,s0)
> +/usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0)
> +/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
> +/usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
> +/usr/bin/aptitude-curses -- gen_context(system_u:object_r:apt_exec_t,s0)
>
> -/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
> -/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
> -/var/lib/apt-xapian-inde(x)(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
> +/usr/lib/apt/apt\.systemd\.daily -- gen_context(system_u:object_r:apt_exec_t,s0)
>
> -/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
> +/usr/lib/systemd/system/apt-daily\.timer -- gen_context(system_u:object_r:apt_unit_t,s0)
>
> -/var/log/aptitude.* gen_context(system_u:object_r:apt_var_log_t,s0)
> +/usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
>
> -/var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)
> +/var/cache/apt(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
> +
> +/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
> +/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
> +
> +/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
> +
> +/var/log/aptitude.* gen_context(system_u:object_r:apt_log_t,s0)
> +/var/log/apt(/.*)? gen_context(system_u:object_r:apt_log_t,s0)
> +/var/log/apt/eipp\.log\.xz -- gen_context(system_u:object_r:apt_rw_log_t,s0)
> diff --git a/apt.if b/apt.if
> index 568aa97..b2adffe 100644
> --- a/apt.if
> +++ b/apt.if
> @@ -133,12 +133,12 @@ interface(`apt_rw_pipes',`
> type apt_t;
> ')
>
> - allow $1 apt_t:fifo_file rw_file_perms;
> + allow $1 apt_t:fifo_file rw_fifo_file_perms;
> ')
>
> ########################################
> ## <summary>
> -## Read and write apt ptys.
> +## Read and write inherited apt ptys.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> @@ -148,10 +148,11 @@ interface(`apt_rw_pipes',`
> #
> interface(`apt_use_ptys',`
> gen_require(`
> - type apt_devpts_t;
> + type apt_t, apt_devpts_t;
> ')
>
> - allow $1 apt_devpts_t:chr_file rw_term_perms;
> + allow $1 apt_t:fd use;
> + allow $1 apt_devpts_t:chr_file rw_inherited_term_perms;
> ')
>
> ########################################
> diff --git a/apt.te b/apt.te
> index c54e212..249fd87 100644
> --- a/apt.te
> +++ b/apt.te
> @@ -1,18 +1,28 @@
> -policy_module(apt, 1.11.0)
> +policy_module(apt, 1.11.0, checked)
>
> ########################################
> #
> # Declarations
> #
>
> +## <desc>
> +## <p>
> +## Allow apt to manage user home content.
> +## Needed for apt-get source foo
> +## </p>
> +## </desc>
> +gen_tunable(apt_manage_user_home, false)
> +
> attribute_role apt_roles;
>
> type apt_t;
> type apt_exec_t;
> init_system_domain(apt_t, apt_exec_t)
> -domain_system_change_exemption(apt_t)

I suspect that this is needed. apt is SELinux aware and will try to install files with setfscreatecon, so it's going to want to associate system_u with the system files it installs

> role apt_roles types apt_t;
>
> +type apt_conf_t;
> +files_config_file(apt_conf_t)
> +
> type apt_devpts_t;
> term_pty(apt_devpts_t)
>
> @@ -25,33 +35,41 @@ files_tmp_file(apt_tmp_t)
> type apt_tmpfs_t;
> files_tmpfs_file(apt_tmpfs_t)
>
> -type apt_var_cache_t alias var_cache_apt_t;
> +type apt_var_cache_t;
> files_type(apt_var_cache_t)
>
> -type apt_var_lib_t alias var_lib_apt_t;
> +type apt_var_lib_t;
> files_type(apt_var_lib_t)
>
> -type apt_var_log_t;
> -logging_log_file(apt_var_log_t)
> +type apt_log_t alias apt_var_log_t;
> +logging_log_file(apt_log_t)
> +
> +type apt_rw_log_t;
> +logging_log_file(apt_rw_log_t)
> +
> +type apt_unit_t;
> +init_unit_file(apt_unit_t)
>
> ########################################
> #
> # Local policy
> #
>
> -allow apt_t self:capability { chown dac_override fowner fsetid kill setgid setuid };
> -allow apt_t self:process { signal setpgid fork };
> -allow apt_t self:fd use;
> +# chown dac_override fowner : /var/lib/apt/lists/partial
> +# fsetid : chmod /var/log/apt/term.log
> +# sys_chroot: aptitude
> +allow apt_t self:capability { chown dac_read_search dac_override fowner fsetid setgid setuid sys_chroot };
> +# kill : gpgv /usr/lib/apt/methods/http
> +# net_admin : setsockopt
> +dontaudit apt_t self:capability { kill net_admin };
> +
> +allow apt_t self:process { getsched setfscreate signal };

here it's doing that setfscreate I mentioned above

> allow apt_t self:fifo_file rw_fifo_file_perms;
> -allow apt_t self:unix_dgram_socket sendto;
> -allow apt_t self:unix_stream_socket { accept connectto listen };
> -allow apt_t self:udp_socket { connect create_socket_perms };
> -allow apt_t self:tcp_socket create_stream_socket_perms;
> -allow apt_t self:shm create_shm_perms;
> -allow apt_t self:sem create_sem_perms;
> -allow apt_t self:msgq create_msgq_perms;
> -allow apt_t self:msg { send receive };
> -allow apt_t self:netlink_route_socket r_netlink_socket_perms;
> +
> +allow apt_t apt_conf_t:dir list_dir_perms;
> +allow apt_t apt_conf_t:file read_file_perms;
> +
> +allow apt_t apt_devpts_t:chr_file rw_term_perms;
>
> allow apt_t apt_lock_t:dir manage_dir_perms;
> allow apt_t apt_lock_t:file manage_file_perms;
> @@ -59,6 +77,7 @@ files_lock_filetrans(apt_t, apt_lock_t, { dir file })
>
> manage_dirs_pattern(apt_t, apt_tmp_t, apt_tmp_t)
> manage_files_pattern(apt_t, apt_tmp_t, apt_tmp_t)
> +allow apt_t apt_tmp_t:lnk_file manage_lnk_file_perms;
> files_tmp_filetrans(apt_t, apt_tmp_t, { file dir })
>
> manage_dirs_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
> @@ -69,61 +88,69 @@ manage_sock_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
> fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file })
>
> manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
> -manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
> +allow apt_t apt_var_cache_t:dir setattr;
> files_var_filetrans(apt_t, apt_var_cache_t, dir)

the transition rule implies that apt_t creates an apt_var_cache_t dir; if it only does setattr then the transition rule can go, otherwise the manage_dirs_pattern should stay

>
> +allow apt_t apt_var_lib_t:dir manage_dir_perms;
> manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
> -files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)
> +allow apt_t apt_var_lib_t:lnk_file manage_lnk_file_perms;
> +
> +allow apt_t apt_log_t:dir { rw_dir_perms search_dir_perms };
> +allow apt_t apt_log_t:file { append_file_perms create_file_perms setattr };
> +logging_log_filetrans(apt_t, apt_log_t, file)
>
> -allow apt_t apt_var_log_t:file manage_file_perms;
> -allow apt_t apt_var_log_t:dir manage_dir_perms;
> -logging_log_filetrans(apt_t, apt_var_log_t, file)
> +allow apt_t apt_rw_log_t:file manage_file_perms;
> +filetrans_pattern(apt_t, apt_log_t, apt_rw_log_t, file, "eipp.log.xz")
>
> can_exec(apt_t, apt_exec_t)
>
> kernel_read_system_state(apt_t)
> kernel_read_kernel_sysctls(apt_t)
> +kernel_read_crypto_sysctls(apt_t)
>
> corecmd_exec_bin(apt_t)
> corecmd_exec_shell(apt_t)
>
> -corenet_all_recvfrom_unlabeled(apt_t)
> -corenet_all_recvfrom_netlabel(apt_t)
> -corenet_tcp_sendrecv_generic_if(apt_t)
> -corenet_tcp_sendrecv_generic_node(apt_t)
> -corenet_tcp_sendrecv_all_ports(apt_t)
> +corenet_tcp_connect_http_port(apt_t)
>
> -corenet_sendrecv_all_client_packets(apt_t)
> -corenet_tcp_connect_all_ports(apt_t)
> -
> -dev_list_sysfs(apt_t)
> dev_read_urand(apt_t)
>
> -domain_getattr_all_domains(apt_t)
> domain_use_interactive_fds(apt_t)
>
> -files_exec_usr_files(apt_t)
> -files_read_etc_files(apt_t)
> -files_read_etc_runtime_files(apt_t)
> +# /usr/share/dpkg/cputable
> +files_read_usr_files(apt_t)
> +files_search_var_lib(apt_t)
>
> -fs_getattr_all_fs(apt_t)
> +fs_getattr_xattr_fs(apt_t)
>
> term_create_pty(apt_t, apt_devpts_t)
> -term_list_ptys(apt_t)
> -term_use_all_terms(apt_t)
>
> -libs_exec_ld_so(apt_t)
> -libs_exec_lib_files(apt_t)
> +auth_use_nsswitch(apt_t)
>
> logging_send_syslog_msg(apt_t)
>
> miscfiles_read_localization(apt_t)
>
> -seutil_use_newrole_fds(apt_t)
> +userdom_use_inherited_user_terminals(apt_t)
> +userdom_search_user_runtime_root(apt_t)
> +# chdir from user directory
> +userdom_search_user_home_content(apt_t)
>
> -sysnet_read_config(apt_t)
> +tunable_policy(`apt_manage_user_home',`
> + # apt-get source foo
> + userdom_manage_user_home_content_dirs(apt_t)
> + userdom_manage_user_home_content_files(apt_t)
> +')
>
> -userdom_use_user_terminals(apt_t)
> +optional_policy(`
> + # apt-listchanges
> +
> + # ~/.lesshst
> + userdom_read_user_home_content_files(apt_t)
> +
> + hostname_exec(apt_t)
> + mta_send_mail(apt_t)
> +')
>
> optional_policy(`
> backup_manage_store_files(apt_t)
> @@ -141,10 +168,9 @@ optional_policy(`
> dpkg_read_db(apt_t)
> dpkg_domtrans(apt_t)
> dpkg_lock_db(apt_t)
> -')
>
> -optional_policy(`
> - nis_use_ypbind(apt_t)
> + # exec in unpriviledged NONEWPRIV mode
> + dpkg_exec(apt_t)
> ')
>
> optional_policy(`
> @@ -156,7 +182,3 @@ optional_policy(`
> rpm_read_db(apt_t)
> rpm_domtrans(apt_t)
> ')
> -
> -optional_policy(`
> - unconfined_domain(apt_t)
> -')

That's bold. Pretty sure that the module isn't ready for this yet

> --
> 2.14.1
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

2017-09-23 18:22:31

by Chris PeBenito

Subject: [refpolicy] [PATCH FOR DISCUSSION] apt: confine and update

On 09/21/2017 12:01 PM, Christian Göttsche via refpolicy wrote:
> Currently the main apt binaries `/usr/bin/apt` and `/usr/bin/aptitude-curses` are labeled as `bin_t`.
> Label them and confine the `apt_t` domain.
> Also drop the packagekit part, cause this long running daemon should not run under the apt domain.

Since I don't use Debian, I'm hoping for feedback from others. Russell
and/or Laurent?

One comment below.


> ---
> apt.fc | 37 +++++++++++---------
> apt.if | 9 ++---
> apt.te | 124 ++++++++++++++++++++++++++++++++++++++---------------------------
> 3 files changed, 98 insertions(+), 72 deletions(-)
>
> diff --git a/apt.fc b/apt.fc
> index 92db84d..d1af12f 100644
> --- a/apt.fc
> +++ b/apt.fc
> @@ -1,23 +1,26 @@
> -/etc/cron\.daily/apt -- gen_context(system_u:object_r:apt_exec_t,s0)
> +/etc/apt(/.*)? gen_context(system_u:object_r:apt_conf_t,s0)
>
> -ifndef(`distro_redhat',`
> -/usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0)
> -/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
> -/usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
> -/usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
> -/usr/lib/packagekit/packagekitd -- gen_context(system_u:object_r:apt_exec_t,s0)
> -/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
> -/var/lib/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
> -')
> +/etc/cron\.daily/apt -- gen_context(system_u:object_r:apt_exec_t,s0)
>
> -/var/cache/apt(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
> +/usr/bin/apt -- gen_context(system_u:object_r:apt_exec_t,s0)
> +/usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0)
> +/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
> +/usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
> +/usr/bin/aptitude-curses -- gen_context(system_u:object_r:apt_exec_t,s0)
>
> -/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
> -/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
> -/var/lib/apt-xapian-inde(x)(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
> +/usr/lib/apt/apt\.systemd\.daily -- gen_context(system_u:object_r:apt_exec_t,s0)
>
> -/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
> +/usr/lib/systemd/system/apt-daily\.timer -- gen_context(system_u:object_r:apt_unit_t,s0)
>
> -/var/log/aptitude.* gen_context(system_u:object_r:apt_var_log_t,s0)
> +/usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
>
> -/var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)
> +/var/cache/apt(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
> +
> +/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
> +/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
> +
> +/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
> +
> +/var/log/aptitude.* gen_context(system_u:object_r:apt_log_t,s0)
> +/var/log/apt(/.*)? gen_context(system_u:object_r:apt_log_t,s0)
> +/var/log/apt/eipp\.log\.xz -- gen_context(system_u:object_r:apt_rw_log_t,s0)
> diff --git a/apt.if b/apt.if
> index 568aa97..b2adffe 100644
> --- a/apt.if
> +++ b/apt.if
> @@ -133,12 +133,12 @@ interface(`apt_rw_pipes',`
> type apt_t;
> ')
>
> - allow $1 apt_t:fifo_file rw_file_perms;
> + allow $1 apt_t:fifo_file rw_fifo_file_perms;
> ')
>
> ########################################
> ## <summary>
> -## Read and write apt ptys.
> +## Read and write inherited apt ptys.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> @@ -148,10 +148,11 @@ interface(`apt_rw_pipes',`
> #
> interface(`apt_use_ptys',`
> gen_require(`
> - type apt_devpts_t;
> + type apt_t, apt_devpts_t;
> ')
>
> - allow $1 apt_devpts_t:chr_file rw_term_perms;
> + allow $1 apt_t:fd use;
> + allow $1 apt_devpts_t:chr_file rw_inherited_term_perms;
> ')
>
> ########################################
> diff --git a/apt.te b/apt.te
> index c54e212..249fd87 100644
> --- a/apt.te
> +++ b/apt.te
> @@ -1,18 +1,28 @@
> -policy_module(apt, 1.11.0)
> +policy_module(apt, 1.11.0, checked)
>
> ########################################
> #
> # Declarations
> #
>
> +## <desc>
> +## <p>
> +## Allow apt to manage user home content.
> +## Needed for apt-get source foo
> +## </p>
> +## </desc>
> +gen_tunable(apt_manage_user_home, false)
> +
> attribute_role apt_roles;
>
> type apt_t;
> type apt_exec_t;
> init_system_domain(apt_t, apt_exec_t)
> -domain_system_change_exemption(apt_t)
> role apt_roles types apt_t;
>
> +type apt_conf_t;
> +files_config_file(apt_conf_t)
> +
> type apt_devpts_t;
> term_pty(apt_devpts_t)
>
> @@ -25,33 +35,41 @@ files_tmp_file(apt_tmp_t)
> type apt_tmpfs_t;
> files_tmpfs_file(apt_tmpfs_t)
>
> -type apt_var_cache_t alias var_cache_apt_t;
> +type apt_var_cache_t;
> files_type(apt_var_cache_t)
>
> -type apt_var_lib_t alias var_lib_apt_t;
> +type apt_var_lib_t;
> files_type(apt_var_lib_t)
>
> -type apt_var_log_t;
> -logging_log_file(apt_var_log_t)
> +type apt_log_t alias apt_var_log_t;
> +logging_log_file(apt_log_t)
> +
> +type apt_rw_log_t;
> +logging_log_file(apt_rw_log_t)
> +
> +type apt_unit_t;
> +init_unit_file(apt_unit_t)
>
> ########################################
> #
> # Local policy
> #
>
> -allow apt_t self:capability { chown dac_override fowner fsetid kill setgid setuid };
> -allow apt_t self:process { signal setpgid fork };
> -allow apt_t self:fd use;
> +# chown dac_override fowner : /var/lib/apt/lists/partial
> +# fsetid : chmod /var/log/apt/term.log
> +# sys_chroot: aptitude
> +allow apt_t self:capability { chown dac_read_search dac_override fowner fsetid setgid setuid sys_chroot };
> +# kill : gpgv /usr/lib/apt/methods/http
> +# net_admin : setsockopt
> +dontaudit apt_t self:capability { kill net_admin };
> +
> +allow apt_t self:process { getsched setfscreate signal };
> allow apt_t self:fifo_file rw_fifo_file_perms;
> -allow apt_t self:unix_dgram_socket sendto;
> -allow apt_t self:unix_stream_socket { accept connectto listen };
> -allow apt_t self:udp_socket { connect create_socket_perms };
> -allow apt_t self:tcp_socket create_stream_socket_perms;
> -allow apt_t self:shm create_shm_perms;
> -allow apt_t self:sem create_sem_perms;
> -allow apt_t self:msgq create_msgq_perms;
> -allow apt_t self:msg { send receive };
> -allow apt_t self:netlink_route_socket r_netlink_socket_perms;
> +
> +allow apt_t apt_conf_t:dir list_dir_perms;
> +allow apt_t apt_conf_t:file read_file_perms;
> +
> +allow apt_t apt_devpts_t:chr_file rw_term_perms;
>
> allow apt_t apt_lock_t:dir manage_dir_perms;
> allow apt_t apt_lock_t:file manage_file_perms;
> @@ -59,6 +77,7 @@ files_lock_filetrans(apt_t, apt_lock_t, { dir file })
>
> manage_dirs_pattern(apt_t, apt_tmp_t, apt_tmp_t)
> manage_files_pattern(apt_t, apt_tmp_t, apt_tmp_t)
> +allow apt_t apt_tmp_t:lnk_file manage_lnk_file_perms;
> files_tmp_filetrans(apt_t, apt_tmp_t, { file dir })
>
> manage_dirs_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
> @@ -69,61 +88,69 @@ manage_sock_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
> fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file })
>
> manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
> -manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
> +allow apt_t apt_var_cache_t:dir setattr;
> files_var_filetrans(apt_t, apt_var_cache_t, dir)
>
> +allow apt_t apt_var_lib_t:dir manage_dir_perms;
> manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
> -files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)
> +allow apt_t apt_var_lib_t:lnk_file manage_lnk_file_perms;
> +
> +allow apt_t apt_log_t:dir { rw_dir_perms search_dir_perms };
> +allow apt_t apt_log_t:file { append_file_perms create_file_perms setattr };
> +logging_log_filetrans(apt_t, apt_log_t, file)
>
> -allow apt_t apt_var_log_t:file manage_file_perms;
> -allow apt_t apt_var_log_t:dir manage_dir_perms;
> -logging_log_filetrans(apt_t, apt_var_log_t, file)
> +allow apt_t apt_rw_log_t:file manage_file_perms;
> +filetrans_pattern(apt_t, apt_log_t, apt_rw_log_t, file, "eipp.log.xz")
>
> can_exec(apt_t, apt_exec_t)
>
> kernel_read_system_state(apt_t)
> kernel_read_kernel_sysctls(apt_t)
> +kernel_read_crypto_sysctls(apt_t)
>
> corecmd_exec_bin(apt_t)
> corecmd_exec_shell(apt_t)
>
> -corenet_all_recvfrom_unlabeled(apt_t)
> -corenet_all_recvfrom_netlabel(apt_t)

I'm ok with removing the below if, node, all_ports, but the above
shouldn't be removed.

> -corenet_tcp_sendrecv_generic_if(apt_t)
> -corenet_tcp_sendrecv_generic_node(apt_t)
> -corenet_tcp_sendrecv_all_ports(apt_t)
> +corenet_tcp_connect_http_port(apt_t)
>
> -corenet_sendrecv_all_client_packets(apt_t)
> -corenet_tcp_connect_all_ports(apt_t)
> -
> -dev_list_sysfs(apt_t)
> dev_read_urand(apt_t)
>
> -domain_getattr_all_domains(apt_t)
> domain_use_interactive_fds(apt_t)
>
> -files_exec_usr_files(apt_t)
> -files_read_etc_files(apt_t)
> -files_read_etc_runtime_files(apt_t)
> +# /usr/share/dpkg/cputable
> +files_read_usr_files(apt_t)
> +files_search_var_lib(apt_t)
>
> -fs_getattr_all_fs(apt_t)
> +fs_getattr_xattr_fs(apt_t)
>
> term_create_pty(apt_t, apt_devpts_t)
> -term_list_ptys(apt_t)
> -term_use_all_terms(apt_t)
>
> -libs_exec_ld_so(apt_t)
> -libs_exec_lib_files(apt_t)
> +auth_use_nsswitch(apt_t)
>
> logging_send_syslog_msg(apt_t)
>
> miscfiles_read_localization(apt_t)
>
> -seutil_use_newrole_fds(apt_t)
> +userdom_use_inherited_user_terminals(apt_t)
> +userdom_search_user_runtime_root(apt_t)
> +# chdir from user directory
> +userdom_search_user_home_content(apt_t)
>
> -sysnet_read_config(apt_t)
> +tunable_policy(`apt_manage_user_home',`
> + # apt-get source foo
> + userdom_manage_user_home_content_dirs(apt_t)
> + userdom_manage_user_home_content_files(apt_t)
> +')
>
> -userdom_use_user_terminals(apt_t)
> +optional_policy(`
> + # apt-listchanges
> +
> + # ~/.lesshst
> + userdom_read_user_home_content_files(apt_t)
> +
> + hostname_exec(apt_t)
> + mta_send_mail(apt_t)
> +')
>
> optional_policy(`
> backup_manage_store_files(apt_t)
> @@ -141,10 +168,9 @@ optional_policy(`
> dpkg_read_db(apt_t)
> dpkg_domtrans(apt_t)
> dpkg_lock_db(apt_t)
> -')
>
> -optional_policy(`
> - nis_use_ypbind(apt_t)
> + # exec in unpriviledged NONEWPRIV mode
> + dpkg_exec(apt_t)
> ')
>
> optional_policy(`
> @@ -156,7 +182,3 @@ optional_policy(`
> rpm_read_db(apt_t)
> rpm_domtrans(apt_t)
> ')
> -
> -optional_policy(`
> - unconfined_domain(apt_t)
> -')
>


--
Chris PeBenito

2017-09-25 08:36:47

by Laurent Bigonville

Subject: [refpolicy] [PATCH FOR DISCUSSION] apt: confine and update

Le 23/09/17 à 20:22, Chris PeBenito a écrit :
> On 09/21/2017 12:01 PM, Christian Göttsche via refpolicy wrote:
>> Currently the main apt binaries `/usr/bin/apt` and
>> `/usr/bin/aptitude-curses` are labeled as `bin_t`.
>> Label them and confine the `apt_t` domain.
>> Also drop the packagekit part, cause this long running daemon should
>> not run under the apt domain.
>
> Since I don't use Debian, I'm hoping for feedback from others. Russell
> and/or Laurent?

I didn't look at the complete patch, but a quick remarks.

Doesn't that patch mean that packagekit will no longer be transitioned to any
domain?

If I'm not wrong, on RHEL/Fedora packagekit is also running in the rpm
domain.

>
> One comment below.
>
>
>> ---
>> ? apt.fc |? 37 +++++++++++---------
>> ? apt.if |?? 9 ++---
>> ? apt.te | 124
>> ++++++++++++++++++++++++++++++++++++++---------------------------
>> ? 3 files changed, 98 insertions(+), 72 deletions(-)
>>
>> diff --git a/apt.fc b/apt.fc
>> index 92db84d..d1af12f 100644
>> --- a/apt.fc
>> +++ b/apt.fc
>> @@ -1,23 +1,26 @@
>> -/etc/cron\.daily/apt??? -- gen_context(system_u:object_r:apt_exec_t,s0)
>> +/etc/apt(/.*)? gen_context(system_u:object_r:apt_conf_t,s0)
>> ? -ifndef(`distro_redhat',`
>> -/usr/bin/apt-get??? -- gen_context(system_u:object_r:apt_exec_t,s0)
>> -/usr/bin/apt-shell??? -- gen_context(system_u:object_r:apt_exec_t,s0)
>> -/usr/bin/aptitude??? -- gen_context(system_u:object_r:apt_exec_t,s0)
>> -/usr/sbin/synaptic??? -- gen_context(system_u:object_r:apt_exec_t,s0)
>> -/usr/lib/packagekit/packagekitd??? --
>> gen_context(system_u:object_r:apt_exec_t,s0)
>> -/var/cache/PackageKit(/.*)?
>> gen_context(system_u:object_r:apt_var_cache_t,s0)
>> -/var/lib/PackageKit(/.*)?
>> gen_context(system_u:object_r:apt_var_lib_t,s0)
>> -')
>> +/etc/cron\.daily/apt??????????? --
>> gen_context(system_u:object_r:apt_exec_t,s0)
>> ? -/var/cache/apt(/.*)?
>> gen_context(system_u:object_r:apt_var_cache_t,s0)
>> +/usr/bin/apt??????????????? --
>> gen_context(system_u:object_r:apt_exec_t,s0)
>> +/usr/bin/apt-get??????????? --
>> gen_context(system_u:object_r:apt_exec_t,s0)
>> +/usr/bin/apt-shell??????????? --
>> gen_context(system_u:object_r:apt_exec_t,s0)
>> +/usr/bin/aptitude??????????? --
>> gen_context(system_u:object_r:apt_exec_t,s0)
>> +/usr/bin/aptitude-curses??????? --
>> gen_context(system_u:object_r:apt_exec_t,s0)
>> ? -/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
>> -/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
>> -/var/lib/apt-xapian-inde(x)(/.*)?
>> gen_context(system_u:object_r:apt_var_lib_t,s0)
>> +/usr/lib/apt/apt\.systemd\.daily??? --
>> gen_context(system_u:object_r:apt_exec_t,s0)
>> ? -/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
>> +/usr/lib/systemd/system/apt-daily\.timer --
>> gen_context(system_u:object_r:apt_unit_t,s0)
>> ? -/var/log/aptitude.* gen_context(system_u:object_r:apt_var_log_t,s0)
>> +/usr/sbin/synaptic??????????? --
>> gen_context(system_u:object_r:apt_exec_t,s0)
>> ? -/var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)
>> +/var/cache/apt(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
>> +
>> +/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
>> +/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
>> +
>> +/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
>> +
>> +/var/log/aptitude.* gen_context(system_u:object_r:apt_log_t,s0)
>> +/var/log/apt(/.*)? gen_context(system_u:object_r:apt_log_t,s0)
>> +/var/log/apt/eipp\.log\.xz??????? --
>> gen_context(system_u:object_r:apt_rw_log_t,s0)
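Review bot: Only `apt-daily\.timer` receives `apt_unit_t`; as far as I know the Debian apt package also ships `apt-daily.service`, `apt-daily-upgrade.timer` and `apt-daily-upgrade.service`, and it is the services rather than the timer that launch `/usr/lib/apt/apt.systemd.daily` (labeled `apt_exec_t` here), so those would keep the generic unit label. Consider a pattern such as `/usr/lib/systemd/system/apt-daily.* -- gen_context(system_u:object_r:apt_unit_t,s0)` or listing the units explicitly. The description also does not mention dropping the `/var/lib/apt-xapian-inde(x)(/.*)?` entry; if that is deliberate (the index is maintained by `update-apt-xapian-index` rather than by apt itself), a sentence in the commit message would help.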
>> diff --git a/apt.if b/apt.if
>> index 568aa97..b2adffe 100644
>> --- a/apt.if
>> +++ b/apt.if
>> @@ -133,12 +133,12 @@ interface(`apt_rw_pipes',`
>> ????????? type apt_t;
>> ????? ')
>> ? -??? allow $1 apt_t:fifo_file rw_file_perms;
>> +??? allow $1 apt_t:fifo_file rw_fifo_file_perms;
>> ? ')
>> ? ? ########################################
>> ? ## <summary>
>> -##??? Read and write apt ptys.
>> +##??? Read and write inherited apt ptys.
>> ? ## </summary>
>> ? ## <param name="domain">
>> ? ##??? <summary>
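Review bot: The new `apt_use_ptys` summary, `Read and write inherited apt ptys.`, does not mention that the interface body (rewritten in the next hunk, `@@ -148,10 +148,11 @@`) now also grants `allow $1 apt_t:fd use;`; suggest `##	Use inherited apt file descriptors and read and write inherited apt ptys.` so callers see the full grant. Narrowing `rw_term_perms` to `rw_inherited_term_perms` also changes what existing callers of apt_use_ptys get (they lose open on apt ptys), which is worth a line in the commit message.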
>> @@ -148,10 +148,11 @@ interface(`apt_rw_pipes',`
>> ? #
>> ? interface(`apt_use_ptys',`
>> ????? gen_require(`
>> -??????? type apt_devpts_t;
>> +??????? type apt_t, apt_devpts_t;
>> ????? ')
>> ? -??? allow $1 apt_devpts_t:chr_file rw_term_perms;
>> +??? allow $1 apt_t:fd use;
>> +??? allow $1 apt_devpts_t:chr_file rw_inherited_term_perms;
>> ? ')
>> ? ? ########################################
>> diff --git a/apt.te b/apt.te
>> index c54e212..249fd87 100644
>> --- a/apt.te
>> +++ b/apt.te
>> @@ -1,18 +1,28 @@
>> -policy_module(apt, 1.11.0)
>> +policy_module(apt, 1.11.0, checked)
>> ? ? ########################################
>> ? #
>> ? # Declarations
>> ? #
>> ? +## <desc>
>> +##??? <p>
>> +##??? Allow apt to manage user home content.
>> +##??? Needed for apt-get source foo
>> +##??? </p>
>> +## </desc>
>> +gen_tunable(apt_manage_user_home, false)
>> +
>> ? attribute_role apt_roles;
>> ? ? type apt_t;
>> ? type apt_exec_t;
>> ? init_system_domain(apt_t, apt_exec_t)
>> -domain_system_change_exemption(apt_t)
>> ? role apt_roles types apt_t;
>> ? +type apt_conf_t;
>> +files_config_file(apt_conf_t)
>> +
>> ? type apt_devpts_t;
>> ? term_pty(apt_devpts_t)
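Review bot: `policy_module(apt, 1.11.0, checked)` passes a third argument that, as far as I know, upstream refpolicy's `policy_module` macro does not take; if `checked` is a marker from a downstream tree it should either be dropped from the upstream submission or its meaning documented next to the macro so it is not silently ignored by m4.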
>> ? @@ -25,33 +35,41 @@ files_tmp_file(apt_tmp_t)
>> ? type apt_tmpfs_t;
>> ? files_tmpfs_file(apt_tmpfs_t)
>> ? -type apt_var_cache_t alias var_cache_apt_t;
>> +type apt_var_cache_t;
>> ? files_type(apt_var_cache_t)
>> ? -type apt_var_lib_t alias var_lib_apt_t;
>> +type apt_var_lib_t;
>> ? files_type(apt_var_lib_t)
>> ? -type apt_var_log_t;
>> -logging_log_file(apt_var_log_t)
>> +type apt_log_t alias apt_var_log_t;
>> +logging_log_file(apt_log_t)
>> +
>> +type apt_rw_log_t;
>> +logging_log_file(apt_rw_log_t)
>> +
>> +type apt_unit_t;
>> +init_unit_file(apt_unit_t)
>> ? ? ########################################
>> ? #
>> ? # Local policy
>> ? #
>> ? -allow apt_t self:capability { chown dac_override fowner fsetid
>> kill setgid setuid };
>> -allow apt_t self:process { signal setpgid fork };
>> -allow apt_t self:fd use;
>> +# chown dac_override fowner : /var/lib/apt/lists/partial
>> +# fsetid : chmod /var/log/apt/term.log
>> +# sys_chroot: aptitude
>> +allow apt_t self:capability { chown dac_read_search dac_override
>> fowner fsetid setgid setuid sys_chroot };
>> +# kill : gpgv /usr/lib/apt/methods/http
>> +# net_admin : setsockopt
>> +dontaudit apt_t self:capability { kill net_admin };
>> +
>> +allow apt_t self:process { getsched setfscreate signal };
>> ? allow apt_t self:fifo_file rw_fifo_file_perms;
>> -allow apt_t self:unix_dgram_socket sendto;
>> -allow apt_t self:unix_stream_socket { accept connectto listen };
>> -allow apt_t self:udp_socket { connect create_socket_perms };
>> -allow apt_t self:tcp_socket create_stream_socket_perms;
>> -allow apt_t self:shm create_shm_perms;
>> -allow apt_t self:sem create_sem_perms;
>> -allow apt_t self:msgq create_msgq_perms;
>> -allow apt_t self:msg { send receive };
>> -allow apt_t self:netlink_route_socket r_netlink_socket_perms;
>> +
>> +allow apt_t apt_conf_t:dir list_dir_perms;
>> +allow apt_t apt_conf_t:file read_file_perms;
>> +
>> +allow apt_t apt_devpts_t:chr_file rw_term_perms;
>> ? ? allow apt_t apt_lock_t:dir manage_dir_perms;
>> ? allow apt_t apt_lock_t:file manage_file_perms;
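Review bot: `setfscreate` in `allow apt_t self:process { getsched setfscreate signal };` and `dac_read_search` in the capability rule are the only new permissions in this hunk without a why-comment, and `setfscreate` is the security-relevant one: it lets apt_t choose the label of objects it creates (the chosen type still has to be allowed by apt_t's create rules), so the caller that needs it should be named, e.g. `# setfscreate : TODO name the libapt/dpkg path that calls setfscreatecon`. A matching `# dac_read_search : TODO path that needs it` would keep the block consistent with the other commented entries.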
>> @@ -59,6 +77,7 @@ files_lock_filetrans(apt_t, apt_lock_t, { dir file })
>> ? ? manage_dirs_pattern(apt_t, apt_tmp_t, apt_tmp_t)
>> ? manage_files_pattern(apt_t, apt_tmp_t, apt_tmp_t)
>> +allow apt_t apt_tmp_t:lnk_file manage_lnk_file_perms;
>> ? files_tmp_filetrans(apt_t, apt_tmp_t, { file dir })
>> ? ? manage_dirs_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
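Review bot: The added `allow apt_t apt_tmp_t:lnk_file manage_lnk_file_perms;` only helps for symlinks created inside a directory already labeled `apt_tmp_t`; the transition rule on the next line, `files_tmp_filetrans(apt_t, apt_tmp_t, { file dir })`, does not cover `lnk_file`, so a symlink created directly in /tmp inherits the parent directory's type and would be denied. If that is the case that motivated the rule, extend it to `files_tmp_filetrans(apt_t, apt_tmp_t, { file dir lnk_file })`; if the symlinks only ever live inside an apt_tmp_t directory, a short comment saying so would save the next reader the question.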
>> @@ -69,61 +88,69 @@ manage_sock_files_pattern(apt_t, apt_tmpfs_t,
>> apt_tmpfs_t)
>> ? fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file
>> sock_file fifo_file })
>> ? ? manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
>> -manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
>> +allow apt_t apt_var_cache_t:dir setattr;
>> ? files_var_filetrans(apt_t, apt_var_cache_t, dir)
>> ? +allow apt_t apt_var_lib_t:dir manage_dir_perms;
>> ? manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
>> -files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)
>> +allow apt_t apt_var_lib_t:lnk_file manage_lnk_file_perms;
>> +
>> +allow apt_t apt_log_t:dir { rw_dir_perms search_dir_perms };
>> +allow apt_t apt_log_t:file { append_file_perms create_file_perms
>> setattr };
>> +logging_log_filetrans(apt_t, apt_log_t, file)
>> ? -allow apt_t apt_var_log_t:file manage_file_perms;
>> -allow apt_t apt_var_log_t:dir manage_dir_perms;
>> -logging_log_filetrans(apt_t, apt_var_log_t, file)
>> +allow apt_t apt_rw_log_t:file manage_file_perms;
>> +filetrans_pattern(apt_t, apt_log_t, apt_rw_log_t, file, "eipp.log.xz")
>> ? ? can_exec(apt_t, apt_exec_t)
>> ? ? kernel_read_system_state(apt_t)
>> ? kernel_read_kernel_sysctls(apt_t)
>> +kernel_read_crypto_sysctls(apt_t)
>> ? ? corecmd_exec_bin(apt_t)
>> ? corecmd_exec_shell(apt_t)
>> ? -corenet_all_recvfrom_unlabeled(apt_t)
>> -corenet_all_recvfrom_netlabel(apt_t)
>
> I'm ok with removing the below if, node, all_ports, but the above
> shouldn't be removed.
>
>> -corenet_tcp_sendrecv_generic_if(apt_t)
>> -corenet_tcp_sendrecv_generic_node(apt_t)
>> -corenet_tcp_sendrecv_all_ports(apt_t)
>> +corenet_tcp_connect_http_port(apt_t)
>> ? -corenet_sendrecv_all_client_packets(apt_t)
>> -corenet_tcp_connect_all_ports(apt_t)
>> -
>> -dev_list_sysfs(apt_t)
>> ? dev_read_urand(apt_t)
>> ? -domain_getattr_all_domains(apt_t)
>> ? domain_use_interactive_fds(apt_t)
>> ? -files_exec_usr_files(apt_t)
>> -files_read_etc_files(apt_t)
>> -files_read_etc_runtime_files(apt_t)
>> +# /usr/share/dpkg/cputable
>> +files_read_usr_files(apt_t)
>> +files_search_var_lib(apt_t)
>> ? -fs_getattr_all_fs(apt_t)
>> +fs_getattr_xattr_fs(apt_t)
>> ? ? term_create_pty(apt_t, apt_devpts_t)
>> -term_list_ptys(apt_t)
>> -term_use_all_terms(apt_t)
>> ? -libs_exec_ld_so(apt_t)
>> -libs_exec_lib_files(apt_t)
>> +auth_use_nsswitch(apt_t)
>> ? ? logging_send_syslog_msg(apt_t)
>> ? ? miscfiles_read_localization(apt_t)
>> ? -seutil_use_newrole_fds(apt_t)
>> +userdom_use_inherited_user_terminals(apt_t)
>> +userdom_search_user_runtime_root(apt_t)
>> +# chdir from user directory
>> +userdom_search_user_home_content(apt_t)
>> ? -sysnet_read_config(apt_t)
>> +tunable_policy(`apt_manage_user_home',`
>> +??? # apt-get source foo
>> +??? userdom_manage_user_home_content_dirs(apt_t)
>> +??? userdom_manage_user_home_content_files(apt_t)
>> +')
>> ? -userdom_use_user_terminals(apt_t)
>> +optional_policy(`
>> +??? # apt-listchanges
>> +
>> +??? # ~/.lesshst
>> +??? userdom_read_user_home_content_files(apt_t)
>> +
>> +??? hostname_exec(apt_t)
>> +??? mta_send_mail(apt_t)
>> +')
>> ? ? optional_policy(`
>> ????? backup_manage_store_files(apt_t)
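Review bot: `userdom_read_user_home_content_files(apt_t)` in the new optional_policy block gives apt_t read access to all user home content unconditionally, only to reach `~/.lesshst` for apt-listchanges, while the comparable `apt-get source` case is gated behind `apt_manage_user_home`; consider a tunable for this read as well (a separate one, since the existing tunable's manage rules already imply read when enabled), or a comment explaining why the broad default is acceptable. On the network side, `corenet_tcp_connect_http_port(apt_t)` alone will not cover deployments that fetch through a caching proxy such as squid on 3128, so if those are in scope `corenet_tcp_connect_http_cache_port(apt_t)` may be needed too. As far as I recall refpolicy's permission sets, `search_dir_perms` is a subset of `rw_dir_perms`, so `allow apt_t apt_log_t:dir { rw_dir_perms search_dir_perms };` can be just `allow apt_t apt_log_t:dir rw_dir_perms;`. `kernel_read_crypto_sysctls(apt_t)` is the one new rule here without a why-comment in the style of the rest of the patch.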
>> @@ -141,10 +168,9 @@ optional_policy(`
>> ????? dpkg_read_db(apt_t)
>> ????? dpkg_domtrans(apt_t)
>> ????? dpkg_lock_db(apt_t)
>> -')
>> ? -optional_policy(`
>> -??? nis_use_ypbind(apt_t)
>> +??? # exec in unpriviledged NONEWPRIV mode
>> +??? dpkg_exec(apt_t)
>> ? ')
>> ? ? optional_policy(`
>> @@ -156,7 +182,3 @@ optional_policy(`
>> ????? rpm_read_db(apt_t)
>> ????? rpm_domtrans(apt_t)
>> ? ')
>> -
>> -optional_policy(`
>> -??? unconfined_domain(apt_t)
>> -')
>>
>
>