414 lines
13 KiB
Plaintext
414 lines
13 KiB
Plaintext
#DESC Dpkg - Debian package manager
|
|
#
|
|
# Author: Russell Coker <russell@coker.com.au>
|
|
# X-Debian-Packages: dpkg
|
|
#
|
|
|
|
#################################
|
|
#
|
|
# Rules for the dpkg_t domain.
|
|
#
|
|
type dpkg_t, domain, admin, privlog, privmail, etc_writer, privmodule;
|
|
type dpkg_exec_t, file_type, sysadmfile, exec_type;
|
|
type dpkg_var_lib_t, file_type, sysadmfile;
|
|
type dpkg_etc_t, file_type, sysadmfile, usercanread;
|
|
typealias dpkg_etc_t alias etc_dpkg_t;
|
|
type dpkg_lock_t, file_type, sysadmfile;
|
|
type debconf_cache_t, file_type, sysadmfile;
|
|
|
|
tmp_domain(dpkg)
|
|
can_setfscreate(dpkg_t)
|
|
can_exec(dpkg_t, { dpkg_exec_t bin_t shell_exec_t dpkg_tmp_t ls_exec_t dpkg_var_lib_t dpkg_etc_t sbin_t lib_t fsadm_exec_t })
|
|
|
|
ifdef(`load_policy.te', `
|
|
domain_auto_trans(dpkg_t, load_policy_exec_t, load_policy_t)
|
|
')
|
|
ifdef(`rlogind.te', `
|
|
# for ssh
|
|
can_exec(dpkg_t, rlogind_exec_t)
|
|
')
|
|
can_exec(dpkg_t, { init_exec_t etc_t })
|
|
ifdef(`hostname.te', `
|
|
can_exec(dpkg_t, hostname_exec_t)
|
|
')
|
|
ifdef(`mta.te', `
|
|
allow system_mail_t dpkg_tmp_t:file { getattr read };
|
|
')
|
|
ifdef(`logrotate.te', `
|
|
allow logrotate_t dpkg_var_lib_t:file create_file_perms;
|
|
')
|
|
|
|
# for open office
|
|
can_exec(dpkg_t, usr_t)
|
|
|
|
allow { dpkg_t apt_t install_menu_t } urandom_device_t:chr_file read;
|
|
|
|
# for upgrading policycoreutils and loading policy
|
|
allow dpkg_t security_t:dir { getattr search };
|
|
allow dpkg_t security_t:file { getattr read };
|
|
|
|
ifdef(`setfiles.te',
|
|
`domain_auto_trans(dpkg_t, setfiles_exec_t, setfiles_t)')
|
|
ifdef(`nscd.te', `domain_auto_trans(dpkg_t, nscd_exec_t, nscd_t)')
|
|
ifdef(`modutil.te', `
|
|
domain_auto_trans(dpkg_t, update_modules_exec_t, update_modules_t)
|
|
domain_auto_trans(dpkg_t, depmod_exec_t, depmod_t)
|
|
|
|
# for touch
|
|
allow initrc_t modules_dep_t:file write;
|
|
')
|
|
ifdef(`ipsec.te', `
|
|
allow { ipsec_mgmt_t ipsec_t } dpkg_t:fd use;
|
|
allow ipsec_mgmt_t dpkg_t:fifo_file write;
|
|
allow ipsec_mgmt_t dpkg_tmp_t:file { getattr write };
|
|
allow ipsec_t dpkg_t:fifo_file { read write };
|
|
domain_auto_trans(dpkg_t, ipsec_mgmt_exec_t, ipsec_mgmt_t)
|
|
')
|
|
ifdef(`cardmgr.te', `
|
|
allow cardmgr_t dpkg_t:fd use;
|
|
allow cardmgr_t dpkg_t:fifo_file write;
|
|
domain_auto_trans(dpkg_t, { cardctl_exec_t cardmgr_exec_t }, cardmgr_t)
|
|
# for start-stop-daemon
|
|
allow dpkg_t cardmgr_t:process signull;
|
|
')
|
|
ifdef(`mount.te', `
|
|
domain_auto_trans(dpkg_t, mount_exec_t, mount_t)
|
|
')
|
|
ifdef(`mozilla.te', `
|
|
# hate to do this, for mozilla install scripts
|
|
can_exec(dpkg_t, mozilla_exec_t)
|
|
')
|
|
ifdef(`postfix.te', `
|
|
domain_auto_trans(dpkg_t, postfix_master_exec_t, postfix_master_t)
|
|
')
|
|
ifdef(`apache.te', `
|
|
domain_auto_trans(dpkg_t, httpd_exec_t, httpd_t)
|
|
')
|
|
ifdef(`named.te', `
|
|
file_type_auto_trans(dpkg_t, named_zone_t, named_conf_t, file)
|
|
')
|
|
ifdef(`nsd.te', `
|
|
allow nsd_crond_t initrc_t:fd use;
|
|
allow nsd_crond_t initrc_devpts_t:chr_file { read write };
|
|
domain_auto_trans(dpkg_t, nsd_exec_t, nsd_crond_t)
|
|
')
|
|
# because the syslogd package is broken and does not use the start scripts
|
|
ifdef(`klogd.te', `
|
|
domain_auto_trans(dpkg_t, klogd_exec_t, klogd_t)
|
|
')
|
|
ifdef(`syslogd.te', `
|
|
domain_auto_trans(dpkg_t, syslogd_exec_t, syslogd_t)
|
|
allow system_crond_t syslogd_t:dir search;
|
|
allow system_crond_t syslogd_t:file { getattr read };
|
|
allow system_crond_t syslogd_t:process signal;
|
|
')
|
|
# mysqld is broken too
|
|
ifdef(`mysqld.te', `
|
|
domain_auto_trans(dpkg_t, mysqld_exec_t, mysqld_t)
|
|
can_unix_connect(dpkg_t, mysqld_t)
|
|
allow mysqld_t dpkg_tmp_t:file { getattr read };
|
|
')
|
|
ifdef(`postgresql.te', `
|
|
# because postgresql postinst creates scripts in /tmp and then runs them
|
|
# also the init scripts do more than they should
|
|
allow { initrc_t postgresql_t } dpkg_tmp_t:file write;
|
|
# for "touch" when it tries to create the log file
|
|
# this works for upgrades, maybe we should allow create access for first install
|
|
allow initrc_t postgresql_log_t:file { write setattr };
|
|
# for dumpall
|
|
can_exec(postgresql_t, postgresql_db_t)
|
|
')
|
|
ifdef(`sysstat.te', `
|
|
domain_auto_trans(dpkg_t, sysstat_exec_t, sysstat_t)
|
|
')
|
|
ifdef(`rpcd.te', `
|
|
allow rpcd_t dpkg_t:fd use;
|
|
allow rpcd_t dpkg_t:fifo_file { read write };
|
|
')
|
|
ifdef(`load_policy.te', `
|
|
allow load_policy_t initrc_t:fifo_file { read write };
|
|
')
|
|
ifdef(`checkpolicy.te', `
|
|
domain_auto_trans(dpkg_t, checkpolicy_exec_t, checkpolicy_t)
|
|
role system_r types checkpolicy_t;
|
|
allow checkpolicy_t initrc_t:fd use;
|
|
allow checkpolicy_t initrc_t:fifo_file write;
|
|
allow checkpolicy_t initrc_devpts_t:chr_file { read write };
|
|
')
|
|
ifdef(`amavis.te', `
|
|
r_dir_file(initrc_t, dpkg_var_lib_t)
|
|
')
|
|
ifdef(`nessusd.te', `
|
|
domain_auto_trans(dpkg_t, nessusd_exec_t, nessusd_t)
|
|
')
|
|
ifdef(`crack.te', `
|
|
allow crack_t initrc_t:fd use;
|
|
domain_auto_trans(dpkg_t, crack_exec_t, crack_t)
|
|
')
|
|
ifdef(`xdm.te', `
|
|
domain_auto_trans(dpkg_t, xserver_exec_t, xdm_xserver_t)
|
|
')
|
|
ifdef(`clamav.te', `
|
|
domain_auto_trans(dpkg_t, freshclam_exec_t, freshclam_t)
|
|
')
|
|
ifdef(`squid.te', `
|
|
domain_auto_trans(dpkg_t, squid_exec_t, squid_t)
|
|
')
|
|
ifdef(`useradd.te', `
|
|
domain_auto_trans(dpkg_t, useradd_exec_t, useradd_t)
|
|
domain_auto_trans(dpkg_t, groupadd_exec_t, groupadd_t)
|
|
role system_r types { useradd_t groupadd_t };
|
|
')
|
|
ifdef(`passwd.te', `
|
|
domain_auto_trans(dpkg_t, chfn_exec_t, chfn_t)
|
|
')
|
|
ifdef(`ldconfig.te', `
|
|
domain_auto_trans(dpkg_t, ldconfig_exec_t, ldconfig_t)
|
|
')
|
|
ifdef(`portmap.te', `
|
|
# for pmap_dump
|
|
domain_auto_trans(dpkg_t, portmap_exec_t, portmap_t)
|
|
')
|
|
|
|
# for apt
|
|
type apt_t, domain, admin, privmail, web_client_domain;
|
|
type apt_exec_t, file_type, sysadmfile, exec_type;
|
|
type apt_var_lib_t, file_type, sysadmfile;
|
|
type var_cache_apt_t, file_type, sysadmfile;
|
|
etcdir_domain(apt)
|
|
typealias apt_etc_t alias etc_apt_t;
|
|
type apt_rw_etc_t, file_type, sysadmfile;
|
|
typealias apt_rw_etc_t alias etc_apt_rw_t;
|
|
tmp_domain(apt, `', `{ dir file lnk_file }')
|
|
can_exec(apt_t, apt_tmp_t)
|
|
|
|
rw_dir_create_file(apt_t, apt_rw_etc_t)
|
|
|
|
allow { apt_t dpkg_t install_menu_t } device_t:dir { getattr search };
|
|
|
|
dontaudit apt_t var_log_t:dir getattr;
|
|
dontaudit apt_t var_run_t:dir search;
|
|
|
|
# for rc files such as ~/.less
|
|
r_dir_file(apt_t, sysadm_home_t)
|
|
allow apt_t sysadm_home_dir_t:dir { search getattr };
|
|
|
|
allow apt_t bin_t:lnk_file r_file_perms;
|
|
|
|
rw_dir_create_file(apt_t, debconf_cache_t)
|
|
r_dir_file(userdomain, debconf_cache_t)
|
|
|
|
# for python
|
|
read_sysctl(apt_t)
|
|
read_sysctl(dpkg_t)
|
|
|
|
allow dpkg_t console_device_t:chr_file rw_file_perms;
|
|
|
|
allow apt_t self:unix_stream_socket create_socket_perms;
|
|
|
|
allow dpkg_t domain:dir r_dir_perms;
|
|
allow dpkg_t domain:{ file lnk_file } r_file_perms;
|
|
|
|
# for shared objects that are not yet labelled (upgrades)
|
|
allow { apt_t dpkg_t } lib_t:file execute;
|
|
|
|
# when dpkg runs postinst scripts run them in initrc_t domain so that the
|
|
# daemons are started in the correct context
|
|
domain_auto_trans(dpkg_t, initrc_exec_t, initrc_t)
|
|
|
|
ifdef(`bootloader.te', `
|
|
domain_auto_trans(dpkg_t, bootloader_exec_t, bootloader_t)
|
|
# for mkinitrd
|
|
can_exec(bootloader_t, dpkg_exec_t)
|
|
# for lilo to run dpkg
|
|
allow bootloader_t dpkg_etc_t:file { getattr read };
|
|
')
|
|
|
|
# for kernel-image postinst
|
|
dontaudit dpkg_t fixed_disk_device_t:blk_file read;
|
|
|
|
# for /usr/lib/dpkg/controllib.pl calling getpwnam(3)
|
|
dontaudit dpkg_t shadow_t:file { getattr read };
|
|
|
|
# allow user domains to execute dpkg
|
|
allow userdomain dpkg_exec_t:dir r_dir_perms;
|
|
can_exec(userdomain, { dpkg_exec_t apt_exec_t })
|
|
|
|
# allow everyone to read dpkg database
|
|
allow userdomain var_lib_t:dir search;
|
|
r_dir_file({ apt_t userdomain }, { dpkg_var_lib_t apt_var_lib_t var_cache_apt_t })
|
|
|
|
# for /var/lib/dpkg/lock
|
|
rw_dir_create_file(apt_t, dpkg_var_lib_t)
|
|
|
|
ifdef(`crond.te', `
|
|
rw_dir_create_file(system_crond_t, dpkg_var_lib_t)
|
|
allow system_crond_t dpkg_etc_t:file r_file_perms;
|
|
|
|
# for Debian cron job
|
|
create_dir_file(system_crond_t, tetex_data_t)
|
|
can_exec(dpkg_t, tetex_data_t)
|
|
')
|
|
|
|
r_dir_file(install_menu_t, { var_lib_t dpkg_var_lib_t lib_t })
|
|
allow install_menu_t initrc_t:fifo_file { read write };
|
|
allow { apt_t install_menu_t userdomain } dpkg_etc_t:file r_file_perms;
|
|
can_exec(sysadm_t, dpkg_etc_t)
|
|
|
|
# Inherit and use descriptors from open_init_pty
|
|
allow { apt_t dpkg_t install_menu_t } initrc_t:fd use;
|
|
dontaudit dpkg_t privfd:fd use;
|
|
allow { apt_t dpkg_t install_menu_t } devpts_t:dir search;
|
|
allow { apt_t dpkg_t install_menu_t } initrc_devpts_t:chr_file rw_file_perms;
|
|
|
|
allow ifconfig_t dpkg_t:fd use;
|
|
allow ifconfig_t dpkg_t:fifo_file { read write };
|
|
|
|
uses_shlib({ dpkg_t apt_t })
|
|
allow dpkg_t proc_t:dir r_dir_perms;
|
|
allow dpkg_t proc_t:{ file lnk_file } r_file_perms;
|
|
allow dpkg_t fs_t:filesystem getattr;
|
|
|
|
allow dpkg_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_resource mknod linux_immutable };
|
|
|
|
# for fgconsole - need policy for it
|
|
allow dpkg_t self:capability sys_tty_config;
|
|
|
|
allow dpkg_t self:unix_dgram_socket create_socket_perms;
|
|
allow dpkg_t self:unix_stream_socket create_stream_socket_perms;
|
|
can_unix_connect(dpkg_t, self)
|
|
allow dpkg_t self:unix_dgram_socket sendto;
|
|
allow dpkg_t self:unix_stream_socket connect;
|
|
|
|
allow { dpkg_t apt_t } devtty_t:chr_file rw_file_perms;
|
|
allow { dpkg_t apt_t } sysadm_tty_device_t:chr_file rw_file_perms;
|
|
|
|
# dpkg really needs to be able to kill any process, unfortunate but true
|
|
allow dpkg_t domain:process signal;
|
|
allow dpkg_t sysadm_t:process sigchld;
|
|
allow dpkg_t self:process { setpgid signal_perms fork getsched };
|
|
|
|
# read/write/create any files in the system
|
|
allow dpkg_t sysadmfile:dir create_dir_perms;
|
|
allow dpkg_t sysadmfile:{ file fifo_file sock_file } create_file_perms;
|
|
allow dpkg_t sysadmfile:lnk_file create_lnk_perms;
|
|
allow dpkg_t device_type:{ chr_file blk_file } getattr;
|
|
dontaudit dpkg_t domain:{ socket unix_dgram_socket udp_socket unix_stream_socket tcp_socket fifo_file rawip_socket packet_socket } getattr;
|
|
allow dpkg_t proc_kmsg_t:file getattr;
|
|
allow dpkg_t fs_type:dir getattr;
|
|
|
|
# allow compiling and loading new policy
|
|
create_dir_file(dpkg_t, { policy_src_t policy_config_t })
|
|
|
|
# change to the apt_t domain on exec from dpkg_t (dselect)
|
|
domain_auto_trans(dpkg_t, apt_exec_t, apt_t)
|
|
|
|
# allow apt to change /var/lib/apt files
|
|
allow apt_t { apt_var_lib_t var_cache_apt_t }:dir rw_dir_perms;
|
|
allow apt_t { apt_var_lib_t var_cache_apt_t }:file create_file_perms;
|
|
|
|
# allow apt to create /usr/lib/site-python/DebianControlParser.pyc
|
|
rw_dir_create_file(apt_t, lib_t)
|
|
|
|
# for apt-listbugs
|
|
allow apt_t usr_t:file { getattr read ioctl };
|
|
allow apt_t usr_t:lnk_file read;
|
|
|
|
# allow /var/cache/apt/archives to be owned by non-root
|
|
allow apt_t self:capability { chown dac_override fowner fsetid };
|
|
|
|
can_exec(apt_t, { apt_exec_t bin_t sbin_t shell_exec_t })
|
|
allow apt_t { bin_t sbin_t }:dir search;
|
|
allow apt_t self:process { signal sigchld fork };
|
|
allow apt_t sysadm_t:process sigchld;
|
|
can_network({ apt_t dpkg_t })
|
|
can_ypbind({ apt_t dpkg_t })
|
|
|
|
allow { apt_t dpkg_t } var_t:dir { search getattr };
|
|
dontaudit apt_t { fs_type file_type }:dir getattr;
|
|
allow { apt_t dpkg_t } { var_lib_t bin_t }:dir r_dir_perms;
|
|
|
|
allow { apt_t dpkg_t } dpkg_lock_t:file { setattr rw_file_perms };
|
|
|
|
# for /proc/meminfo and for "ps"
|
|
allow apt_t { proc_t apt_t }:dir r_dir_perms;
|
|
allow apt_t { proc_t apt_t }:{ file lnk_file } r_file_perms;
|
|
allow apt_t self:fifo_file rw_file_perms;
|
|
allow dpkg_t self:fifo_file rw_file_perms;
|
|
|
|
allow apt_t etc_t:dir r_dir_perms;
|
|
allow apt_t etc_t:file r_file_perms;
|
|
allow apt_t etc_t:lnk_file read;
|
|
read_locale(apt_t)
|
|
r_dir_file(userdomain, apt_etc_t)
|
|
|
|
# apt wants to check available disk space
|
|
allow apt_t fs_t:filesystem getattr;
|
|
allow apt_t etc_runtime_t:file r_file_perms;
|
|
|
|
# auto transition from apt_t to dpkg_t because for 99% of Debian upgrades you
|
|
# have apt run dpkg.
|
|
# This means that getting apt_t access is almost as good as dpkg_t which has
|
|
# as much power as sysadm_t...
|
|
domain_auto_trans(apt_t, dpkg_exec_t, dpkg_t)
|
|
|
|
# hack to allow update-menus/install-menu to manage menus
|
|
type install_menu_t, domain, admin, etc_writer;
|
|
type install_menu_exec_t, file_type, sysadmfile, exec_type;
|
|
var_run_domain(install_menu)
|
|
|
|
allow install_menu_t self:unix_stream_socket create_socket_perms;
|
|
|
|
type debian_menu_t, file_type, sysadmfile;
|
|
|
|
r_dir_file(userdomain, debian_menu_t)
|
|
dontaudit install_menu_t sysadm_home_dir_t:dir search;
|
|
create_dir_file(install_menu_t, debian_menu_t)
|
|
allow install_menu_t dpkg_lock_t:file { setattr rw_file_perms };
|
|
allow install_menu_t self:process signal;
|
|
allow install_menu_t proc_t:dir search;
|
|
allow install_menu_t proc_t:file r_file_perms;
|
|
can_getcon(install_menu_t)
|
|
can_exec(install_menu_t, { bin_t sbin_t shell_exec_t install_menu_exec_t dpkg_exec_t })
|
|
allow install_menu_t { bin_t sbin_t }:dir search;
|
|
allow install_menu_t bin_t:lnk_file read;
|
|
|
|
# for menus
|
|
allow install_menu_t usr_t:file r_file_perms;
|
|
|
|
# for /etc/kde3/debian/kde-update-menu.sh
|
|
can_exec(install_menu_t, etc_t)
|
|
|
|
allow install_menu_t var_t:dir search;
|
|
tmp_domain(install_menu)
|
|
|
|
create_dir_file(install_menu_t, var_lib_t)
|
|
ifdef(`xdm.te', `
|
|
create_dir_file(install_menu_t, xdm_var_lib_t)
|
|
')
|
|
allow install_menu_t { var_spool_t etc_t }:dir rw_dir_perms;
|
|
allow install_menu_t { var_spool_t etc_t }:file create_file_perms;
|
|
allow install_menu_t self:fifo_file rw_file_perms;
|
|
allow install_menu_t etc_runtime_t:file r_file_perms;
|
|
allow install_menu_t devtty_t:chr_file rw_file_perms;
|
|
allow install_menu_t fs_t:filesystem getattr;
|
|
|
|
domain_auto_trans(dpkg_t, install_menu_exec_t, install_menu_t)
|
|
allow dpkg_t install_menu_t:process signal_perms;
|
|
|
|
allow install_menu_t privfd:fd use;
|
|
uses_shlib(install_menu_t)
|
|
|
|
allow install_menu_t self:process { fork sigchld };
|
|
|
|
role system_r types { dpkg_t apt_t install_menu_t };
|
|
|
|
#################################
|
|
#
|
|
# Rules for the run_deb_t domain.
|
|
#
|
|
#run_program(sysadm_t, sysadm_r, deb, dpkg_exec_t, dpkg_t)
|
|
#domain_trans(run_deb_t, apt_exec_t, apt_t)
|
|
domain_auto_trans(initrc_t, dpkg_exec_t, dpkg_t)
|
|
domain_auto_trans(initrc_t, apt_exec_t, apt_t)
|