summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorManoj Srivastava <srivasta@debian.org>2009-07-14 14:27:21 -0500
committerChris PeBenito <cpebenito@tresys.com>2009-07-29 15:00:39 -0400
commit6a192f70d42013fcbd4eefe1f35cab3de313cedb (patch)
tree147299cd14b97e438ef993d010d583354ffc8059
parent50458c8bb734ae242f1fb718f83f8167f75d7912 (diff)
Update apt/aptitude policy to add support for lock/log files
Signed-off-by: Russell Coker <russell@coker.com.au> Acked-By: Manoj Srivastava <srivasta@debian.org>
-rw-r--r--policy/modules/admin/apt.fc5
-rw-r--r--policy/modules/admin/apt.if40
-rw-r--r--policy/modules/admin/apt.te19
3 files changed, 63 insertions, 1 deletions
diff --git a/policy/modules/admin/apt.fc b/policy/modules/admin/apt.fc
index bf14cc00..e4f48501 100644
--- a/policy/modules/admin/apt.fc
+++ b/policy/modules/admin/apt.fc
@@ -12,5 +12,10 @@
/var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
/var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
+# aptitude lock
+/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
+# aptitude log
+/var/log/aptitude gen_context(system_u:object_r:apt_var_log_t,s0)
+
# dpkg terminal log
/var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)
diff --git a/policy/modules/admin/apt.if b/policy/modules/admin/apt.if
index 68ecf718..aaa4153b 100644
--- a/policy/modules/admin/apt.if
+++ b/policy/modules/admin/apt.if
@@ -67,6 +67,25 @@ interface(`apt_use_fds',`
########################################
## <summary>
+## Do not audit attempts to use file descriptors from apt.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process attempting performing this action
+## which should not be audited.
+## </summary>
+## </param>
+#
+interface(`apt_dontaudit_use_fds',`
+ gen_require(`
+ type apt_t;
+ ')
+
+ dontaudit $1 apt_t:fd use;
+')
+
+########################################
+## <summary>
## Read from an unnamed apt pipe.
## </summary>
## <param name="domain">
@@ -123,6 +142,27 @@ interface(`apt_use_ptys',`
########################################
## <summary>
+## Read the apt package cache.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`apt_read_cache',`
+ gen_require(`
+ type apt_var_cache_t;
+ ')
+
+ files_search_var($1)
+ allow $1 apt_var_cache_t:dir list_dir_perms;
+ dontaudit $1 apt_var_cache_t:dir write;
+ allow $1 apt_var_cache_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## Read the apt package database.
## </summary>
## <param name="domain">
diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te
index c79157aa..48afcdab 100644
--- a/policy/modules/admin/apt.te
+++ b/policy/modules/admin/apt.te
@@ -1,5 +1,5 @@
-policy_module(apt, 1.5.2)
+policy_module(apt, 1.5.3)
########################################
#
@@ -30,6 +30,11 @@ files_type(apt_var_lib_t)
type apt_var_cache_t alias var_cache_apt_t;
files_type(apt_var_cache_t)
+# aptitude lock file
+type apt_lock_t;
+files_lock_file(apt_lock_t)
+
+# aptitude log file
type apt_var_log_t;
logging_log_file(apt_var_log_t)
@@ -53,6 +58,9 @@ allow apt_t self:sem create_sem_perms;
allow apt_t self:msgq create_msgq_perms;
allow apt_t self:msg { send receive };
+# Run update
+allow apt_t self:netlink_route_socket r_netlink_socket_perms;
+
# Access /var/cache/apt files
manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
files_var_filetrans(apt_t, apt_var_cache_t, dir)
@@ -72,6 +80,14 @@ fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file }
manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)
+# lock files
+allow apt_t apt_lock_t:dir manage_dir_perms;
+allow apt_t apt_lock_t:file manage_file_perms;
+files_lock_filetrans(apt_t,apt_lock_t,{dir file})
+
+# log files
+allow apt_t apt_var_log_t:file manage_file_perms;
+
kernel_read_system_state(apt_t)
kernel_read_kernel_sysctls(apt_t)
@@ -112,6 +128,7 @@ libs_exec_ld_so(apt_t)
libs_exec_lib_files(apt_t)
logging_send_syslog_msg(apt_t)
+logging_log_filetrans(apt_t, apt_var_log_t, file)
miscfiles_read_localization(apt_t)