trunk: Apt updates for ptys and logs, from Martin Orr.

Changelog

@@ -1,3 +1,4 @@
+- Apt updates for ptys and logs, from Martin Orr.
 - RPC update from Vaclav Ovsik.
 - Exim updates on Debian from Devin Carrawy.
 - Pam and samba updates from Stefan Schulze Frielinghaus.

policy/modules/admin/apt.fc

@@ -11,3 +11,6 @@
 # package list repository
 /var/lib/apt(/.*)?			gen_context(system_u:object_r:apt_var_lib_t,s0)
 /var/lib/aptitude(/.*)?		gen_context(system_u:object_r:apt_var_lib_t,s0)
+
+# dpkg terminal log
+/var/log/apt(/.*)?			gen_context(system_u:object_r:apt_var_log_t,s0)

policy/modules/admin/apt.if

@@ -109,6 +109,24 @@ interface(`apt_rw_pipes',`
 	# TODO: enforce dpkg_rw_pipes?
 ')
 
+########################################
+## <summary>
+##	Read from and write to apt ptys.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apt_use_ptys',`
+	gen_require(`
+		type apt_devpts_t;
+	')
+
+	allow $1 apt_devpts_t:chr_file rw_term_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read the apt package database.

policy/modules/admin/apt.te

@@ -1,5 +1,5 @@
 
-policy_module(apt,1.3.0)
+policy_module(apt,1.3.1)
 
 ########################################
 #
@@ -12,6 +12,10 @@ init_system_domain(apt_t,apt_exec_t)
 domain_system_change_exemption(apt_t)
 role system_r types apt_t;
 
+# pseudo terminal for running dpkg
+type apt_devpts_t;
+term_pty(apt_devpts_t)
+
 type apt_tmp_t;
 files_tmp_file(apt_tmp_t)
 
@@ -26,6 +30,9 @@ files_type(apt_var_lib_t)
 type apt_var_cache_t alias var_cache_apt_t;
 files_type(apt_var_cache_t)
 
+type apt_var_log_t;
+logging_log_file(apt_var_log_t)
+
 ########################################
 #
 # apt Local policy
@@ -97,6 +104,7 @@ files_read_etc_runtime_files(apt_t)
 
 fs_getattr_all_fs(apt_t)
 
+term_create_pty(apt_t, apt_devpts_t)
 term_list_ptys(apt_t)
 term_use_all_terms(apt_t)
 

policy/modules/admin/dpkg.te

@@ -1,5 +1,5 @@
 
-policy_module(dpkg,1.4.0)
+policy_module(dpkg,1.4.1)
 
 ########################################
 #
@@ -150,6 +150,7 @@ auth_dontaudit_read_shadow(dpkg_t)
 files_exec_etc_files(dpkg_t)
 
 init_domtrans_script(dpkg_t)
+init_use_script_ptys(dpkg_t)
 
 libs_use_ld_so(dpkg_t)
 libs_use_shared_libs(dpkg_t)
@@ -172,6 +173,10 @@ dpkg_domtrans_script(dpkg_t)
 # since the scripts aren't labeled correctly yet...
 allow dpkg_t dpkg_var_lib_t:file execute;
 
+optional_policy(`
+	apt_use_ptys(dpkg_t)
+')
+
 # TODO: allow?
 #optional_policy(`
 #	cron_system_entry(dpkg_t,dpkg_exec_t)
@@ -290,6 +295,7 @@ auth_dontaudit_getattr_shadow(dpkg_script_t)
 auth_manage_all_files_except_shadow(dpkg_script_t)
 
 init_domtrans_script(dpkg_script_t)
+init_use_script_fds(dpkg_script_t)
 
 libs_use_ld_so(dpkg_script_t)
 libs_use_shared_libs(dpkg_script_t)
@@ -313,6 +319,11 @@ tunable_policy(`allow_execmem',`
 	allow dpkg_script_t self:process execmem;
 ')
 
+optional_policy(`
+	apt_rw_pipes(dpkg_script_t)
+	apt_use_fds(dpkg_script_t)
+')
+
 optional_policy(`
 	bootloader_domtrans(dpkg_script_t)
 ')

policy/modules/system/libraries.te

@@ -1,5 +1,5 @@
 
-policy_module(libraries,2.0.0)
+policy_module(libraries,2.0.1)
 
 ########################################
 #
@@ -97,6 +97,12 @@ optional_policy(`
 	apache_dontaudit_search_modules(ldconfig_t)
 ')
 
+optional_policy(`
+	apt_rw_pipes(ldconfig_t)
+	apt_use_fds(ldconfig_t)
+	apt_use_ptys(ldconfig_t)
+')
+
 optional_policy(`
 	# When you install a kernel the postinstall builds a initrd image in tmp 
 	# and executes ldconfig on it.  If you dont allow this kernel installs