142 lines
3.4 KiB
Plaintext
142 lines
3.4 KiB
Plaintext
|
|
policy_module(apt,1.0.3)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type apt_t;
|
|
type apt_exec_t;
|
|
init_system_domain(apt_t,apt_exec_t)
|
|
domain_system_change_exemption(apt_t)
|
|
role system_r types apt_t;
|
|
|
|
type apt_tmp_t;
|
|
files_tmp_file(apt_tmp_t)
|
|
|
|
type apt_tmpfs_t;
|
|
files_tmpfs_file(apt_tmpfs_t)
|
|
|
|
# status files
|
|
type apt_var_lib_t alias var_lib_apt_t;
|
|
files_type(apt_var_lib_t)
|
|
|
|
# package cache
|
|
type apt_var_cache_t alias var_cache_apt_t;
|
|
files_type(apt_var_cache_t)
|
|
|
|
########################################
|
|
#
|
|
# apt Local policy
|
|
#
|
|
|
|
allow apt_t self:capability { chown dac_override fowner fsetid };
|
|
allow apt_t self:process { signal setpgid fork };
|
|
allow apt_t self:fd use;
|
|
allow apt_t self:fifo_file rw_file_perms;
|
|
allow apt_t self:unix_dgram_socket create_socket_perms;
|
|
allow apt_t self:unix_stream_socket rw_stream_socket_perms;
|
|
allow apt_t self:unix_dgram_socket sendto;
|
|
allow apt_t self:unix_stream_socket connectto;
|
|
allow apt_t self:udp_socket { connect create_socket_perms };
|
|
allow apt_t self:tcp_socket create_stream_socket_perms;
|
|
allow apt_t self:shm create_shm_perms;
|
|
allow apt_t self:sem create_sem_perms;
|
|
allow apt_t self:msgq create_msgq_perms;
|
|
allow apt_t self:msg { send receive };
|
|
|
|
# Access /var/cache/apt files
|
|
allow apt_t apt_var_cache_t:file create_file_perms;
|
|
allow apt_t apt_var_cache_t:dir rw_dir_perms;
|
|
files_var_filetrans(apt_t,apt_var_cache_t,dir)
|
|
|
|
allow apt_t apt_tmp_t:dir create_dir_perms;
|
|
allow apt_t apt_tmp_t:file create_file_perms;
|
|
files_tmp_filetrans(apt_t, apt_tmp_t, { file dir })
|
|
|
|
allow apt_t apt_tmpfs_t:dir create_dir_perms;
|
|
allow apt_t apt_tmpfs_t:file create_file_perms;
|
|
allow apt_t apt_tmpfs_t:lnk_file create_file_perms;
|
|
allow apt_t apt_tmpfs_t:sock_file create_file_perms;
|
|
allow apt_t apt_tmpfs_t:fifo_file create_file_perms;
|
|
fs_tmpfs_filetrans(apt_t,apt_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
|
|
|
# Access /var/lib/apt files
|
|
allow apt_t apt_var_lib_t:file create_file_perms;
|
|
allow apt_t apt_var_lib_t:dir rw_dir_perms;
|
|
files_var_lib_filetrans(apt_t,apt_var_lib_t,dir)
|
|
|
|
kernel_read_system_state(apt_t)
|
|
kernel_read_kernel_sysctls(apt_t)
|
|
|
|
# to launch dpkg-preconfigure
|
|
corecmd_exec_bin(apt_t)
|
|
corecmd_exec_shell(apt_t)
|
|
corecmd_exec_sbin(apt_t)
|
|
|
|
corenet_non_ipsec_sendrecv(apt_t)
|
|
corenet_tcp_sendrecv_all_if(apt_t)
|
|
corenet_udp_sendrecv_all_if(apt_t)
|
|
corenet_tcp_sendrecv_all_nodes(apt_t)
|
|
corenet_udp_sendrecv_all_nodes(apt_t)
|
|
corenet_tcp_sendrecv_all_ports(apt_t)
|
|
corenet_udp_sendrecv_all_ports(apt_t)
|
|
# TODO: reall allow all these?
|
|
corenet_tcp_bind_all_nodes(apt_t)
|
|
corenet_udp_bind_all_nodes(apt_t)
|
|
corenet_tcp_connect_all_ports(apt_t)
|
|
corenet_sendrecv_all_client_packets(apt_t)
|
|
|
|
dev_read_urand(apt_t)
|
|
|
|
domain_getattr_all_domains(apt_t)
|
|
domain_use_interactive_fds(apt_t)
|
|
|
|
files_exec_usr_files(apt_t)
|
|
files_read_etc_files(apt_t)
|
|
files_read_etc_runtime_files(apt_t)
|
|
|
|
fs_getattr_all_fs(apt_t)
|
|
|
|
term_list_ptys(apt_t)
|
|
term_use_all_terms(apt_t)
|
|
|
|
libs_use_ld_so(apt_t)
|
|
libs_use_shared_libs(apt_t)
|
|
libs_exec_ld_so(apt_t)
|
|
libs_exec_lib_files(apt_t)
|
|
|
|
logging_send_syslog_msg(apt_t)
|
|
|
|
miscfiles_read_localization(apt_t)
|
|
|
|
seutil_use_newrole_fds(apt_t)
|
|
|
|
sysnet_read_config(apt_t)
|
|
|
|
ifdef(`targeted_policy',`
|
|
unconfined_domain(apt_t)
|
|
')
|
|
|
|
# with boolean, for cron-apt and such?
|
|
#optional_policy(`
|
|
# cron_system_entry(apt_t,apt_exec_t)
|
|
#')
|
|
|
|
optional_policy(`
|
|
# dpkg interaction
|
|
dpkg_read_db(apt_t)
|
|
dpkg_domtrans(apt_t)
|
|
dpkg_lock_db(apt_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nis_use_ypbind(apt_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
rpm_read_db(apt_t)
|
|
rpm_domtrans(apt_t)
|
|
')
|