Update apt/aptitude policy to add support for lock/log files

Signed-off-by: Russell Coker <russell@coker.com.au>
Acked-By: Manoj Srivastava <srivasta@debian.org>

policy/modules/admin/apt.fc

@@ -12,5 +12,10 @@
 /var/lib/apt(/.*)?			gen_context(system_u:object_r:apt_var_lib_t,s0)
 /var/lib/aptitude(/.*)?		gen_context(system_u:object_r:apt_var_lib_t,s0)
 
+# aptitude lock
+/var/lock/aptitude			gen_context(system_u:object_r:apt_lock_t,s0)
+# aptitude log
+/var/log/aptitude			gen_context(system_u:object_r:apt_var_log_t,s0)
+
 # dpkg terminal log
 /var/log/apt(/.*)?			gen_context(system_u:object_r:apt_var_log_t,s0)

policy/modules/admin/apt.if

@@ -65,6 +65,25 @@ interface(`apt_use_fds',`
 	# TODO: enforce dpkg_use_fd?
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to use file descriptors from apt.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process attempting performing this action
+##      which should not be audited.
+##	</summary>
+## </param>
+#
+interface(`apt_dontaudit_use_fds',`
+	gen_require(`
+		type apt_t;
+	')
+
+	dontaudit $1 apt_t:fd use;
+')
+
 ########################################
 ## <summary>
 ##	Read from an unnamed apt pipe.
@@ -121,6 +140,27 @@ interface(`apt_use_ptys',`
 	allow $1 apt_devpts_t:chr_file rw_term_perms;
 ')
 
+########################################
+## <summary>
+##	Read the apt package cache.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The type of the process performing this action.
+##	</summary>
+## </param>
+#
+interface(`apt_read_cache',`
+	gen_require(`
+		type apt_var_cache_t;
+	')
+
+	files_search_var($1)
+	allow $1 apt_var_cache_t:dir list_dir_perms;
+	dontaudit $1 apt_var_cache_t:dir write;
+	allow $1 apt_var_cache_t:file read_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read the apt package database.

policy/modules/admin/apt.te

@@ -1,5 +1,5 @@
 
-policy_module(apt, 1.5.2)
+policy_module(apt, 1.5.3)
 
 ########################################
 #
@@ -30,6 +30,11 @@ files_type(apt_var_lib_t)
 type apt_var_cache_t alias var_cache_apt_t;
 files_type(apt_var_cache_t)
 
+# aptitude lock file
+type apt_lock_t;
+files_lock_file(apt_lock_t)
+
+# aptitude log file
 type apt_var_log_t;
 logging_log_file(apt_var_log_t)
 
@@ -53,6 +58,9 @@ allow apt_t self:sem create_sem_perms;
 allow apt_t self:msgq create_msgq_perms;
 allow apt_t self:msg { send receive };
 
+# Run update
+allow apt_t self:netlink_route_socket r_netlink_socket_perms;
+
 # Access /var/cache/apt files
 manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
 files_var_filetrans(apt_t, apt_var_cache_t, dir)
@@ -72,6 +80,14 @@ fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file }
 manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
 files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)
 
+# lock files
+allow apt_t apt_lock_t:dir manage_dir_perms;
+allow apt_t apt_lock_t:file manage_file_perms;
+files_lock_filetrans(apt_t,apt_lock_t,{dir file})
+
+# log files
+allow apt_t apt_var_log_t:file manage_file_perms;
+
 kernel_read_system_state(apt_t)
 kernel_read_kernel_sysctls(apt_t)
 
@@ -112,6 +128,7 @@ libs_exec_ld_so(apt_t)
 libs_exec_lib_files(apt_t)
 
 logging_send_syslog_msg(apt_t)
+logging_log_filetrans(apt_t, apt_var_log_t, file)
 
 miscfiles_read_localization(apt_t)