selinux-policy/policy/modules/admin/apt.te
2007-03-23 23:24:59 +00:00

139 lines
3.4 KiB
Plaintext

policy_module(apt,1.1.0)
########################################
#
# Declarations
#
type apt_t;
type apt_exec_t;
init_system_domain(apt_t,apt_exec_t)
domain_system_change_exemption(apt_t)
role system_r types apt_t;
type apt_tmp_t;
files_tmp_file(apt_tmp_t)
type apt_tmpfs_t;
files_tmpfs_file(apt_tmpfs_t)
# status files
type apt_var_lib_t alias var_lib_apt_t;
files_type(apt_var_lib_t)
# package cache
type apt_var_cache_t alias var_cache_apt_t;
files_type(apt_var_cache_t)
########################################
#
# apt Local policy
#
allow apt_t self:capability { chown dac_override fowner fsetid };
allow apt_t self:process { signal setpgid fork };
allow apt_t self:fd use;
allow apt_t self:fifo_file rw_fifo_file_perms;
allow apt_t self:unix_dgram_socket create_socket_perms;
allow apt_t self:unix_stream_socket rw_stream_socket_perms;
allow apt_t self:unix_dgram_socket sendto;
allow apt_t self:unix_stream_socket connectto;
allow apt_t self:udp_socket { connect create_socket_perms };
allow apt_t self:tcp_socket create_stream_socket_perms;
allow apt_t self:shm create_shm_perms;
allow apt_t self:sem create_sem_perms;
allow apt_t self:msgq create_msgq_perms;
allow apt_t self:msg { send receive };
# Access /var/cache/apt files
manage_files_pattern(apt_t,apt_var_cache_t,apt_var_cache_t)
files_var_filetrans(apt_t,apt_var_cache_t,dir)
manage_dirs_pattern(apt_t,apt_tmp_t,apt_tmp_t)
manage_files_pattern(apt_t,apt_tmp_t,apt_tmp_t)
files_tmp_filetrans(apt_t, apt_tmp_t, { file dir })
manage_dirs_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
manage_files_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
manage_lnk_files_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
manage_fifo_files_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
manage_sock_files_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
fs_tmpfs_filetrans(apt_t,apt_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
# Access /var/lib/apt files
manage_files_pattern(apt_t,apt_var_lib_t,apt_var_lib_t)
files_var_lib_filetrans(apt_t,apt_var_lib_t,dir)
kernel_read_system_state(apt_t)
kernel_read_kernel_sysctls(apt_t)
# to launch dpkg-preconfigure
corecmd_exec_bin(apt_t)
corecmd_exec_shell(apt_t)
corenet_non_ipsec_sendrecv(apt_t)
corenet_tcp_sendrecv_all_if(apt_t)
corenet_udp_sendrecv_all_if(apt_t)
corenet_tcp_sendrecv_all_nodes(apt_t)
corenet_udp_sendrecv_all_nodes(apt_t)
corenet_tcp_sendrecv_all_ports(apt_t)
corenet_udp_sendrecv_all_ports(apt_t)
# TODO: reall allow all these?
corenet_tcp_bind_all_nodes(apt_t)
corenet_udp_bind_all_nodes(apt_t)
corenet_tcp_connect_all_ports(apt_t)
corenet_sendrecv_all_client_packets(apt_t)
dev_read_urand(apt_t)
domain_getattr_all_domains(apt_t)
domain_use_interactive_fds(apt_t)
files_exec_usr_files(apt_t)
files_read_etc_files(apt_t)
files_read_etc_runtime_files(apt_t)
fs_getattr_all_fs(apt_t)
term_list_ptys(apt_t)
term_use_all_terms(apt_t)
libs_use_ld_so(apt_t)
libs_use_shared_libs(apt_t)
libs_exec_ld_so(apt_t)
libs_exec_lib_files(apt_t)
logging_send_syslog_msg(apt_t)
miscfiles_read_localization(apt_t)
seutil_use_newrole_fds(apt_t)
sysnet_read_config(apt_t)
ifdef(`targeted_policy',`
unconfined_domain(apt_t)
')
# with boolean, for cron-apt and such?
#optional_policy(`
# cron_system_entry(apt_t,apt_exec_t)
#')
optional_policy(`
# dpkg interaction
dpkg_read_db(apt_t)
dpkg_domtrans(apt_t)
dpkg_lock_db(apt_t)
')
optional_policy(`
nis_use_ypbind(apt_t)
')
optional_policy(`
rpm_read_db(apt_t)
rpm_domtrans(apt_t)
')