selinux-policy/policy/modules/admin/rpm.if
2010-08-26 09:41:21 -04:00

691 lines
14 KiB
Plaintext

## <summary>Policy for the RPM package manager.</summary>
########################################
## <summary>
## Execute rpm programs in the rpm domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`rpm_domtrans',`
gen_require(`
type rpm_t, rpm_exec_t;
attribute rpm_transition_domain;
')
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, rpm_exec_t, rpm_t)
typeattribute $1 rpm_transition_domain;
rpm_debuginfo_domtrans($1)
')
########################################
## <summary>
## Execute debuginfo_install programs in the rpm domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`rpm_debuginfo_domtrans',`
gen_require(`
type rpm_t;
type debuginfo_exec_t;
')
files_search_usr($1)
corecmd_search_bin($1)
domtrans_pattern($1, debuginfo_exec_t, rpm_t)
')
########################################
## <summary>
## Execute rpm_script programs in the rpm_script domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`rpm_domtrans_script',`
gen_require(`
type rpm_script_t;
')
# transition to rpm script:
corecmd_shell_domtrans($1, rpm_script_t)
allow rpm_script_t $1:fd use;
allow rpm_script_t $1:fifo_file rw_file_perms;
allow rpm_script_t $1:process sigchld;
')
########################################
## <summary>
## Execute RPM programs in the RPM domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to allow the RPM domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`rpm_run',`
gen_require(`
type rpm_t, rpm_script_t;
')
rpm_domtrans($1)
role $2 types rpm_t;
role $2 types rpm_script_t;
domain_system_change_exemption($1)
role_transition $2 rpm_exec_t system_r;
allow $2 system_r;
seutil_run_loadpolicy(rpm_script_t, $2)
seutil_run_semanage(rpm_script_t, $2)
seutil_run_setfiles(rpm_script_t, $2)
')
########################################
## <summary>
## Execute the rpm client in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_exec',`
gen_require(`
type rpm_exec_t;
')
corecmd_search_bin($1)
can_exec($1, rpm_exec_t)
')
########################################
## <summary>
## Send a null signal to rpm.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_signull',`
gen_require(`
type rpm_t;
')
allow $1 rpm_t:process signull;
')
########################################
## <summary>
## Inherit and use file descriptors from RPM.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_use_fds',`
gen_require(`
type rpm_t;
')
allow $1 rpm_t:fd use;
')
########################################
## <summary>
## Read from an unnamed RPM pipe.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_read_pipes',`
gen_require(`
type rpm_t;
')
allow $1 rpm_t:fifo_file read_fifo_file_perms;
')
########################################
## <summary>
## Read and write an unnamed RPM pipe.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_rw_pipes',`
gen_require(`
type rpm_t;
')
allow $1 rpm_t:fifo_file rw_fifo_file_perms;
')
########################################
## <summary>
## dontaudit read and write an leaked file descriptors
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_dontaudit_leaks',`
gen_require(`
type rpm_t, rpm_var_cache_t;
type rpm_script_t, rpm_var_run_t, rpm_tmp_t;
type rpm_tmpfs_t, rpm_script_tmp_t, rpm_var_lib_t;
')
dontaudit $1 rpm_t:fifo_file rw_inherited_fifo_file_perms;
dontaudit $1 rpm_t:tcp_socket { read write };
dontaudit $1 rpm_t:unix_dgram_socket { read write };
dontaudit $1 rpm_t:shm rw_shm_perms;
dontaudit $1 rpm_script_t:fd use;
dontaudit $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms;
dontaudit $1 rpm_var_run_t:file rw_inherited_file_perms;
dontaudit $1 rpm_tmp_t:file rw_inherited_file_perms;
dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms;
dontaudit $1 rpm_tmpfs_t:file rw_inherited_file_perms;
dontaudit $1 rpm_script_tmp_t:file rw_inherited_file_perms;
dontaudit $1 rpm_var_lib_t:file rw_inherited_file_perms;
dontaudit $1 rpm_var_cache_t:file rw_inherited_file_perms;
')
########################################
## <summary>
## Send and receive messages from
## rpm over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_dbus_chat',`
gen_require(`
type rpm_t;
class dbus send_msg;
')
allow $1 rpm_t:dbus send_msg;
allow rpm_t $1:dbus send_msg;
')
########################################
## <summary>
## Do not audit attempts to send and
## receive messages from rpm over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`rpm_dontaudit_dbus_chat',`
gen_require(`
type rpm_t;
class dbus send_msg;
')
dontaudit $1 rpm_t:dbus send_msg;
dontaudit rpm_t $1:dbus send_msg;
')
########################################
## <summary>
## Send and receive messages from
## rpm_script over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_script_dbus_chat',`
gen_require(`
type rpm_script_t;
class dbus send_msg;
')
allow $1 rpm_script_t:dbus send_msg;
allow rpm_script_t $1:dbus send_msg;
')
########################################
## <summary>
## Search RPM log directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_search_log',`
gen_require(`
type rpm_log_t;
')
allow $1 rpm_log_t:dir search_dir_perms;
')
#####################################
## <summary>
## Allow the specified domain to append
## to rpm log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_append_log',`
gen_require(`
type rpm_log_t;
')
logging_search_logs($1)
append_files_pattern($1, rpm_log_t, rpm_log_t)
')
########################################
## <summary>
## Create, read, write, and delete the RPM log.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_manage_log',`
gen_require(`
type rpm_log_t;
')
logging_rw_generic_log_dirs($1)
allow $1 rpm_log_t:file manage_file_perms;
')
########################################
## <summary>
## Inherit and use file descriptors from RPM scripts.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_use_script_fds',`
gen_require(`
type rpm_script_t;
')
allow $1 rpm_script_t:fd use;
')
########################################
## <summary>
## Create, read, write, and delete RPM
## script temporary files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_manage_script_tmp_files',`
gen_require(`
type rpm_script_tmp_t;
')
files_search_tmp($1)
manage_dirs_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
manage_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
')
#####################################
## <summary>
## Allow the specified domain to append
## to rpm tmp files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_append_tmp_files',`
gen_require(`
type rpm_tmp_t;
')
files_search_tmp($1)
append_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
')
########################################
## <summary>
## Create, read, write, and delete RPM
## temporary files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_manage_tmp_files',`
gen_require(`
type rpm_tmp_t;
')
files_search_tmp($1)
manage_dirs_pattern($1, rpm_tmp_t, rpm_tmp_t)
manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
manage_lnk_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
')
########################################
## <summary>
## Read RPM script temporary files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_read_script_tmp_files',`
gen_require(`
type rpm_script_tmp_t;
')
read_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
read_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
')
########################################
## <summary>
## Read the RPM cache.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_read_cache',`
gen_require(`
type rpm_var_cache_t;
')
files_search_var($1)
allow $1 rpm_var_cache_t:dir list_dir_perms;
read_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
read_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
')
########################################
## <summary>
## Create, read, write, and delete the RPM package database.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_manage_cache',`
gen_require(`
type rpm_var_cache_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
manage_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
manage_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
')
########################################
## <summary>
## Read the RPM package database.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_read_db',`
gen_require(`
type rpm_var_lib_t;
')
files_search_var_lib($1)
allow $1 rpm_var_lib_t:dir list_dir_perms;
read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
rpm_read_cache($1)
')
########################################
## <summary>
## Delete the RPM package database.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_delete_db',`
gen_require(`
type rpm_var_lib_t;
')
delete_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
')
########################################
## <summary>
## Create, read, write, and delete the RPM package database.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_manage_db',`
gen_require(`
type rpm_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
manage_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
')
########################################
## <summary>
## Do not audit attempts to create, read,
## write, and delete the RPM package database.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`rpm_dontaudit_manage_db',`
gen_require(`
type rpm_var_lib_t;
')
dontaudit $1 rpm_var_lib_t:dir rw_dir_perms;
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
')
#####################################
## <summary>
## Read rpm pid files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_read_pid_files',`
gen_require(`
type rpm_var_run_t;
')
read_files_pattern($1, rpm_var_run_t, rpm_var_run_t)
files_search_pids($1)
')
#####################################
## <summary>
## Create, read, write, and delete rpm pid files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_manage_pid_files',`
gen_require(`
type rpm_var_run_t;
')
manage_files_pattern($1, rpm_var_run_t, rpm_var_run_t)
files_search_pids($1)
')
######################################
## <summary>
## Create files in /var/run with the rpm pid file type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_pid_filetrans',`
gen_require(`
type rpm_var_run_t;
')
files_pid_filetrans($1, rpm_var_run_t, file)
')
########################################
## <summary>
## Send a null signal to rpm.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_inherited_fifo',`
gen_require(`
attribute rpm_transition_domain;
')
allow $1 rpm_transition_domain:fifo_file rw_inherited_fifo_file_perms;
')
########################################
## <summary>
## Make rpm_exec_t an entry point for
## the specified domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_entry_type',`
gen_require(`
type rpm_exec_t;
')
domain_entry_file($1, rpm_exec_t)
')
########################################
## <summary>
## Allow application to transition to rpm_script domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_transition_script',`
gen_require(`
type rpm_script_t;
attribute rpm_transition_domain;
')
typeattribute $1 rpm_transition_domain;
allow $1 rpm_script_t:process transition;
allow $1 rpm_script_t:fd use;
allow rpm_script_t $1:fd use;
allow rpm_script_t $1:fifo_file rw_fifo_file_perms;
allow rpm_script_t $1:process sigchld;
')