trunk: Apt updates for ptys and logs, from Martin Orr.
This commit is contained in:
parent
01e8ff4ab3
commit
e065ac8ab5
@ -1,3 +1,4 @@
|
||||||
|
- Apt updates for ptys and logs, from Martin Orr.
|
||||||
- RPC update from Vaclav Ovsik.
|
- RPC update from Vaclav Ovsik.
|
||||||
- Exim updates on Debian from Devin Carrawy.
|
- Exim updates on Debian from Devin Carrawy.
|
||||||
- Pam and samba updates from Stefan Schulze Frielinghaus.
|
- Pam and samba updates from Stefan Schulze Frielinghaus.
|
||||||
|
|
|
@ -11,3 +11,6 @@
|
||||||
# package list repository
|
# package list repository
|
||||||
/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
|
/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
|
||||||
/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
|
/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
|
||||||
|
|
||||||
|
# dpkg terminal log
|
||||||
|
/var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)
|
||||||
|
|
|
@ -109,6 +109,24 @@ interface(`apt_rw_pipes',`
|
||||||
# TODO: enforce dpkg_rw_pipes?
|
# TODO: enforce dpkg_rw_pipes?
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Read from and write to apt ptys.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`apt_use_ptys',`
|
||||||
|
gen_require(`
|
||||||
|
type apt_devpts_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 apt_devpts_t:chr_file rw_term_perms;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Read the apt package database.
|
## Read the apt package database.
|
||||||
|
|
|
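Review bot: The new apt_use_ptys interface grants `rw_term_perms` on apt_devpts_t but its summary does not say how a caller is expected to reach the pty, and that determines what else the caller needs. apt_devpts_t is created by apt_t (term_create_pty in apt.te), so a caller normally inherits it as an already-open fd, which also requires apt_use_fds on the same domain; only a domain that opens the pty by name would need search on the devpts directory as well. Suggest documenting the intended pairing in the interface summary, e.g. `## Read from and write to apt ptys (normally inherited from apt_t; pair with apt_use_fds).` The interface itself is complete within the hunk.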
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(apt,1.3.0)
|
policy_module(apt,1.3.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -12,6 +12,10 @@ init_system_domain(apt_t,apt_exec_t)
|
||||||
domain_system_change_exemption(apt_t)
|
domain_system_change_exemption(apt_t)
|
||||||
role system_r types apt_t;
|
role system_r types apt_t;
|
||||||
|
|
||||||
|
# pseudo terminal for running dpkg
|
||||||
|
type apt_devpts_t;
|
||||||
|
term_pty(apt_devpts_t)
|
||||||
|
|
||||||
type apt_tmp_t;
|
type apt_tmp_t;
|
||||||
files_tmp_file(apt_tmp_t)
|
files_tmp_file(apt_tmp_t)
|
||||||
|
|
||||||
|
@ -26,6 +30,9 @@ files_type(apt_var_lib_t)
|
||||||
type apt_var_cache_t alias var_cache_apt_t;
|
type apt_var_cache_t alias var_cache_apt_t;
|
||||||
files_type(apt_var_cache_t)
|
files_type(apt_var_cache_t)
|
||||||
|
|
||||||
|
type apt_var_log_t;
|
||||||
|
logging_log_file(apt_var_log_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# apt Local policy
|
# apt Local policy
|
||||||
|
@ -97,6 +104,7 @@ files_read_etc_runtime_files(apt_t)
|
||||||
|
|
||||||
fs_getattr_all_fs(apt_t)
|
fs_getattr_all_fs(apt_t)
|
||||||
|
|
||||||
|
term_create_pty(apt_t, apt_devpts_t)
|
||||||
term_list_ptys(apt_t)
|
term_list_ptys(apt_t)
|
||||||
term_use_all_terms(apt_t)
|
term_use_all_terms(apt_t)
|
||||||
|
|
||||||
|
|
|
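Review bot: apt_var_log_t is declared and registered with logging_log_file in the @ -26 hunk, and apt.fc labels /var/log/apt with it, but none of this file's hunks give apt_t permission to create or write files of that type. apt itself writes the dpkg terminal log from the pty it creates (term_create_pty in the @ -97 hunk), so unless a rule outside the visible hunks already covers it, writes to /var/log/apt will be denied once the new label is applied. Suggest adding next to the pty rules: `manage_dirs_pattern(apt_t, apt_var_log_t, apt_var_log_t)`, `manage_files_pattern(apt_t, apt_var_log_t, apt_var_log_t)` and `logging_log_filetrans(apt_t, apt_var_log_t, { dir file })` so files created under /var/log get the private type rather than the generic log type.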
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(dpkg,1.4.0)
|
policy_module(dpkg,1.4.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -150,6 +150,7 @@ auth_dontaudit_read_shadow(dpkg_t)
|
||||||
files_exec_etc_files(dpkg_t)
|
files_exec_etc_files(dpkg_t)
|
||||||
|
|
||||||
init_domtrans_script(dpkg_t)
|
init_domtrans_script(dpkg_t)
|
||||||
|
init_use_script_ptys(dpkg_t)
|
||||||
|
|
||||||
libs_use_ld_so(dpkg_t)
|
libs_use_ld_so(dpkg_t)
|
||||||
libs_use_shared_libs(dpkg_t)
|
libs_use_shared_libs(dpkg_t)
|
||||||
|
@ -172,6 +173,10 @@ dpkg_domtrans_script(dpkg_t)
|
||||||
# since the scripts aren't labeled correctly yet...
|
# since the scripts aren't labeled correctly yet...
|
||||||
allow dpkg_t dpkg_var_lib_t:file execute;
|
allow dpkg_t dpkg_var_lib_t:file execute;
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
apt_use_ptys(dpkg_t)
|
||||||
|
')
|
||||||
|
|
||||||
# TODO: allow?
|
# TODO: allow?
|
||||||
#optional_policy(`
|
#optional_policy(`
|
||||||
# cron_system_entry(dpkg_t,dpkg_exec_t)
|
# cron_system_entry(dpkg_t,dpkg_exec_t)
|
||||||
|
@ -290,6 +295,7 @@ auth_dontaudit_getattr_shadow(dpkg_script_t)
|
||||||
auth_manage_all_files_except_shadow(dpkg_script_t)
|
auth_manage_all_files_except_shadow(dpkg_script_t)
|
||||||
|
|
||||||
init_domtrans_script(dpkg_script_t)
|
init_domtrans_script(dpkg_script_t)
|
||||||
|
init_use_script_fds(dpkg_script_t)
|
||||||
|
|
||||||
libs_use_ld_so(dpkg_script_t)
|
libs_use_ld_so(dpkg_script_t)
|
||||||
libs_use_shared_libs(dpkg_script_t)
|
libs_use_shared_libs(dpkg_script_t)
|
||||||
|
@ -313,6 +319,11 @@ tunable_policy(`allow_execmem',`
|
||||||
allow dpkg_script_t self:process execmem;
|
allow dpkg_script_t self:process execmem;
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
apt_rw_pipes(dpkg_script_t)
|
||||||
|
apt_use_fds(dpkg_script_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
bootloader_domtrans(dpkg_script_t)
|
bootloader_domtrans(dpkg_script_t)
|
||||||
')
|
')
|
||||||
|
|
|
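Review bot: The two new optional_policy blocks are asymmetric in a way that looks unintended: dpkg_t gets apt_use_ptys but not apt_use_fds (@ -172 hunk), while dpkg_script_t gets apt_rw_pipes and apt_use_fds but not apt_use_ptys (@ -313 hunk). The fd:use check is made against the domain that created the descriptor, i.e. apt_t, and read/write on the inherited pty is checked against apt_devpts_t, so every domain in the apt → dpkg → maintainer-script chain that touches the terminal needs both interfaces; the ldconfig_t block in libraries.te gets all three, which is the consistent shape. Unless dpkg.te already grants the missing half outside these hunks (not visible here), expect denials on apt_t fds from dpkg_t and on apt_devpts_t from dpkg_script_t. Suggest adding `apt_use_fds(dpkg_t)` to the first block and `apt_use_ptys(dpkg_script_t)` to the second.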
@ -1,5 +1,5 @@
|
||||||
|
|
||||||
policy_module(libraries,2.0.0)
|
policy_module(libraries,2.0.1)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
@ -97,6 +97,12 @@ optional_policy(`
|
||||||
apache_dontaudit_search_modules(ldconfig_t)
|
apache_dontaudit_search_modules(ldconfig_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
optional_policy(`
|
||||||
|
apt_rw_pipes(ldconfig_t)
|
||||||
|
apt_use_fds(ldconfig_t)
|
||||||
|
apt_use_ptys(ldconfig_t)
|
||||||
|
')
|
||||||
|
|
||||||
optional_policy(`
|
optional_policy(`
|
||||||
# When you install a kernel the postinstall builds a initrd image in tmp
|
# When you install a kernel the postinstall builds a initrd image in tmp
|
||||||
# and executes ldconfig on it. If you dont allow this kernel installs
|
# and executes ldconfig on it. If you dont allow this kernel installs
|
||||||
|
|