diff --git a/Changelog b/Changelog
index 1d200f1c..10713f2c 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Apt updates for ptys and logs, from Martin Orr.
- RPC update from Vaclav Ovsik.
- Exim updates on Debian from Devin Carrawy.
- Pam and samba updates from Stefan Schulze Frielinghaus.
diff --git a/policy/modules/admin/apt.fc b/policy/modules/admin/apt.fc
index d31952b7..bf14cc00 100644
--- a/policy/modules/admin/apt.fc
+++ b/policy/modules/admin/apt.fc
@@ -11,3 +11,6 @@
# package list repository
/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
+
+# dpkg terminal log
+/var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)
diff --git a/policy/modules/admin/apt.if b/policy/modules/admin/apt.if
index 13991f91..53e1c604 100644
--- a/policy/modules/admin/apt.if
+++ b/policy/modules/admin/apt.if
@@ -109,6 +109,24 @@ interface(`apt_rw_pipes',`
# TODO: enforce dpkg_rw_pipes?
')
+########################################
+##
+## Read from and write to apt ptys.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`apt_use_ptys',`
+ gen_require(`
+ type apt_devpts_t;
+ ')
+
+ allow $1 apt_devpts_t:chr_file rw_term_perms;
+')
+
########################################
##
## Read the apt package database.
diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te
index 98f1b016..2386a492 100644
--- a/policy/modules/admin/apt.te
+++ b/policy/modules/admin/apt.te
@@ -1,5 +1,5 @@
-policy_module(apt,1.3.0)
+policy_module(apt,1.3.1)
########################################
#
@@ -12,6 +12,10 @@ init_system_domain(apt_t,apt_exec_t)
domain_system_change_exemption(apt_t)
role system_r types apt_t;
+# pseudo terminal for running dpkg
+type apt_devpts_t;
+term_pty(apt_devpts_t)
+
type apt_tmp_t;
files_tmp_file(apt_tmp_t)
@@ -26,6 +30,9 @@ files_type(apt_var_lib_t)
type apt_var_cache_t alias var_cache_apt_t;
files_type(apt_var_cache_t)
+type apt_var_log_t;
+logging_log_file(apt_var_log_t)
+
########################################
#
# apt Local policy
@@ -97,6 +104,7 @@ files_read_etc_runtime_files(apt_t)
fs_getattr_all_fs(apt_t)
+term_create_pty(apt_t, apt_devpts_t)
term_list_ptys(apt_t)
term_use_all_terms(apt_t)
diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
index 0efc5090..eebcd4f9 100644
--- a/policy/modules/admin/dpkg.te
+++ b/policy/modules/admin/dpkg.te
@@ -1,5 +1,5 @@
-policy_module(dpkg,1.4.0)
+policy_module(dpkg,1.4.1)
########################################
#
@@ -150,6 +150,7 @@ auth_dontaudit_read_shadow(dpkg_t)
files_exec_etc_files(dpkg_t)
init_domtrans_script(dpkg_t)
+init_use_script_ptys(dpkg_t)
libs_use_ld_so(dpkg_t)
libs_use_shared_libs(dpkg_t)
@@ -172,6 +173,10 @@ dpkg_domtrans_script(dpkg_t)
# since the scripts aren't labeled correctly yet...
allow dpkg_t dpkg_var_lib_t:file execute;
+optional_policy(`
+ apt_use_ptys(dpkg_t)
+')
+
# TODO: allow?
#optional_policy(`
# cron_system_entry(dpkg_t,dpkg_exec_t)
@@ -290,6 +295,7 @@ auth_dontaudit_getattr_shadow(dpkg_script_t)
auth_manage_all_files_except_shadow(dpkg_script_t)
init_domtrans_script(dpkg_script_t)
+init_use_script_fds(dpkg_script_t)
libs_use_ld_so(dpkg_script_t)
libs_use_shared_libs(dpkg_script_t)
@@ -313,6 +319,11 @@ tunable_policy(`allow_execmem',`
allow dpkg_script_t self:process execmem;
')
+optional_policy(`
+ apt_rw_pipes(dpkg_script_t)
+ apt_use_fds(dpkg_script_t)
+')
+
optional_policy(`
bootloader_domtrans(dpkg_script_t)
')
diff --git a/policy/modules/system/libraries.te b/policy/modules/system/libraries.te
index a6bc4006..50e7a327 100644
--- a/policy/modules/system/libraries.te
+++ b/policy/modules/system/libraries.te
@@ -1,5 +1,5 @@
-policy_module(libraries,2.0.0)
+policy_module(libraries,2.0.1)
########################################
#
@@ -97,6 +97,12 @@ optional_policy(`
apache_dontaudit_search_modules(ldconfig_t)
')
+optional_policy(`
+ apt_rw_pipes(ldconfig_t)
+ apt_use_fds(ldconfig_t)
+ apt_use_ptys(ldconfig_t)
+')
+
optional_policy(`
# When you install a kernel the postinstall builds a initrd image in tmp
# and executes ldconfig on it. If you dont allow this kernel installs