1900668638
The latest revision of the labeled policy patches which enable both labeled and unlabeled policy support for NetLabel. This revision takes into account Chris' feedback from the first version and reduces the number of interface calls in each domain down to two at present: one for unlabeled access, one for NetLabel access. The older, transport layer specific interfaces, are still present for use by third-party modules but are not used in the default policy modules. trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore. This patch changes the policy to use the netmsg initial SID as the "base" SID/context for NetLabel packets which only have MLS security attributes. Currently we use the unlabeled initial SID which makes it very difficult to distinquish between actual unlabeled packets and those packets which have MLS security attributes.
140 lines
3.4 KiB
Plaintext
140 lines
3.4 KiB
Plaintext
|
|
policy_module(apt,1.1.1)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type apt_t;
|
|
type apt_exec_t;
|
|
init_system_domain(apt_t,apt_exec_t)
|
|
domain_system_change_exemption(apt_t)
|
|
role system_r types apt_t;
|
|
|
|
type apt_tmp_t;
|
|
files_tmp_file(apt_tmp_t)
|
|
|
|
type apt_tmpfs_t;
|
|
files_tmpfs_file(apt_tmpfs_t)
|
|
|
|
# status files
|
|
type apt_var_lib_t alias var_lib_apt_t;
|
|
files_type(apt_var_lib_t)
|
|
|
|
# package cache
|
|
type apt_var_cache_t alias var_cache_apt_t;
|
|
files_type(apt_var_cache_t)
|
|
|
|
########################################
|
|
#
|
|
# apt Local policy
|
|
#
|
|
|
|
allow apt_t self:capability { chown dac_override fowner fsetid };
|
|
allow apt_t self:process { signal setpgid fork };
|
|
allow apt_t self:fd use;
|
|
allow apt_t self:fifo_file rw_fifo_file_perms;
|
|
allow apt_t self:unix_dgram_socket create_socket_perms;
|
|
allow apt_t self:unix_stream_socket rw_stream_socket_perms;
|
|
allow apt_t self:unix_dgram_socket sendto;
|
|
allow apt_t self:unix_stream_socket connectto;
|
|
allow apt_t self:udp_socket { connect create_socket_perms };
|
|
allow apt_t self:tcp_socket create_stream_socket_perms;
|
|
allow apt_t self:shm create_shm_perms;
|
|
allow apt_t self:sem create_sem_perms;
|
|
allow apt_t self:msgq create_msgq_perms;
|
|
allow apt_t self:msg { send receive };
|
|
|
|
# Access /var/cache/apt files
|
|
manage_files_pattern(apt_t,apt_var_cache_t,apt_var_cache_t)
|
|
files_var_filetrans(apt_t,apt_var_cache_t,dir)
|
|
|
|
manage_dirs_pattern(apt_t,apt_tmp_t,apt_tmp_t)
|
|
manage_files_pattern(apt_t,apt_tmp_t,apt_tmp_t)
|
|
files_tmp_filetrans(apt_t, apt_tmp_t, { file dir })
|
|
|
|
manage_dirs_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
|
|
manage_files_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
|
|
manage_lnk_files_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
|
|
manage_fifo_files_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
|
|
manage_sock_files_pattern(apt_t,apt_tmpfs_t,apt_tmpfs_t)
|
|
fs_tmpfs_filetrans(apt_t,apt_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
|
|
|
# Access /var/lib/apt files
|
|
manage_files_pattern(apt_t,apt_var_lib_t,apt_var_lib_t)
|
|
files_var_lib_filetrans(apt_t,apt_var_lib_t,dir)
|
|
|
|
kernel_read_system_state(apt_t)
|
|
kernel_read_kernel_sysctls(apt_t)
|
|
|
|
# to launch dpkg-preconfigure
|
|
corecmd_exec_bin(apt_t)
|
|
corecmd_exec_shell(apt_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(apt_t)
|
|
corenet_all_recvfrom_netlabel(apt_t)
|
|
corenet_tcp_sendrecv_all_if(apt_t)
|
|
corenet_udp_sendrecv_all_if(apt_t)
|
|
corenet_tcp_sendrecv_all_nodes(apt_t)
|
|
corenet_udp_sendrecv_all_nodes(apt_t)
|
|
corenet_tcp_sendrecv_all_ports(apt_t)
|
|
corenet_udp_sendrecv_all_ports(apt_t)
|
|
# TODO: reall allow all these?
|
|
corenet_tcp_bind_all_nodes(apt_t)
|
|
corenet_udp_bind_all_nodes(apt_t)
|
|
corenet_tcp_connect_all_ports(apt_t)
|
|
corenet_sendrecv_all_client_packets(apt_t)
|
|
|
|
dev_read_urand(apt_t)
|
|
|
|
domain_getattr_all_domains(apt_t)
|
|
domain_use_interactive_fds(apt_t)
|
|
|
|
files_exec_usr_files(apt_t)
|
|
files_read_etc_files(apt_t)
|
|
files_read_etc_runtime_files(apt_t)
|
|
|
|
fs_getattr_all_fs(apt_t)
|
|
|
|
term_list_ptys(apt_t)
|
|
term_use_all_terms(apt_t)
|
|
|
|
libs_use_ld_so(apt_t)
|
|
libs_use_shared_libs(apt_t)
|
|
libs_exec_ld_so(apt_t)
|
|
libs_exec_lib_files(apt_t)
|
|
|
|
logging_send_syslog_msg(apt_t)
|
|
|
|
miscfiles_read_localization(apt_t)
|
|
|
|
seutil_use_newrole_fds(apt_t)
|
|
|
|
sysnet_read_config(apt_t)
|
|
|
|
ifdef(`targeted_policy',`
|
|
unconfined_domain(apt_t)
|
|
')
|
|
|
|
# with boolean, for cron-apt and such?
|
|
#optional_policy(`
|
|
# cron_system_entry(apt_t,apt_exec_t)
|
|
#')
|
|
|
|
optional_policy(`
|
|
# dpkg interaction
|
|
dpkg_read_db(apt_t)
|
|
dpkg_domtrans(apt_t)
|
|
dpkg_lock_db(apt_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nis_use_ypbind(apt_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
rpm_read_db(apt_t)
|
|
rpm_domtrans(apt_t)
|
|
')
|