commit:     c5bcefb771f18fd43258aff78f807607e705b173
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Feb 19 21:12:33 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Feb 21 07:06:20 2017 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c5bcefb7

dpkg: Updates from Russell Coker.

 policy/modules/contrib/dpkg.te | 57 ++++++++++++++++++++++++++----------------
 1 file changed, 36 insertions(+), 21 deletions(-)

diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te
index 84dd6ba1..cc7f9dbb 100644
--- a/policy/modules/contrib/dpkg.te
+++ b/policy/modules/contrib/dpkg.te
@@ -1,4 +1,4 @@
-policy_module(dpkg, 1.11.0)
+policy_module(dpkg, 1.11.1)
 
 ########################################
 #
@@ -32,6 +32,7 @@ files_type(dpkg_var_lib_t)
 type dpkg_script_t;
 domain_type(dpkg_script_t)
 domain_entry_file(dpkg_t, dpkg_var_lib_t)
+domain_entry_file(dpkg_script_t, dpkg_var_lib_t)
 corecmd_shell_entry_type(dpkg_script_t)
 domain_obj_id_change_exemption(dpkg_script_t)
 domain_system_change_exemption(dpkg_script_t)
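Review bot: `domain_entry_file(dpkg_script_t, dpkg_var_lib_t)` makes every executable file labelled dpkg_var_lib_t a valid entry point into dpkg_script_t, and nothing on the line says why a data type is used as an entry type. Judging from `files_type(dpkg_var_lib_t)` and the `files_var_lib_filetrans(dpkg_t, dpkg_var_lib_t, dir)` context in the hunk headers, that label appears to cover dpkg's state directory as a whole, not only maintainer scripts. A comment such as `# maintainer scripts are stored with the dpkg database and carry dpkg_var_lib_t` would record the reason. A dedicated type for the script files would narrow the entry point, but that needs file-context changes outside this diff.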
@@ -66,6 +67,8 @@ allow dpkg_t self:msg { send receive };
 
 allow dpkg_t dpkg_lock_t:file manage_file_perms;
 
+spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)
+
 manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
 manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
 files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir })
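Review bot: `spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)` only permits the transition; unlike `domtrans_pattern` it adds no type_transition rule, so dpkg_script_t is entered only when dpkg sets the exec context itself before the exec. With `corecmd_exec_all_executables(dpkg_t)` removed in the next hunk, a dpkg build that does not set the context would presumably get a denial on the script rather than run it in dpkg_t. That is the safer failure, but the dependency should be written down. Suggested comment above the line: `# dpkg selects dpkg_script_t explicitly (setexeccon) for maintainer scripts; no automatic transition on dpkg_var_lib_t`.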
@@ -84,8 +87,6 @@ files_var_lib_filetrans(dpkg_t, dpkg_var_lib_t, dir)
 kernel_read_system_state(dpkg_t)
 kernel_read_kernel_sysctls(dpkg_t)
 
-corecmd_exec_all_executables(dpkg_t)
-
 corenet_all_recvfrom_unlabeled(dpkg_t)
 corenet_all_recvfrom_netlabel(dpkg_t)
 corenet_tcp_sendrecv_generic_if(dpkg_t)
@@ -153,6 +154,7 @@ sysnet_read_config(dpkg_t)
 
 userdom_use_user_terminals(dpkg_t)
 userdom_use_unpriv_users_fds(dpkg_t)
+userdom_use_all_users_fds(dpkg_t)
 
 dpkg_domtrans_script(dpkg_t)
 
@@ -176,18 +178,10 @@ optional_policy(`
        unconfined_domain(dpkg_t)
 ')
 
-# TODO: the following was copied from dpkg_script_t, and could probably
-# be removed again when dpkg_script_t is actually used...
-domain_signal_all_domains(dpkg_t)
-domain_signull_all_domains(dpkg_t)
-files_read_etc_runtime_files(dpkg_t)
-files_exec_usr_files(dpkg_t)
-miscfiles_read_localization(dpkg_t)
-modutils_run_depmod(dpkg_t, dpkg_roles)
-modutils_run_insmod(dpkg_t, dpkg_roles)
-seutil_run_loadpolicy(dpkg_t, dpkg_roles)
-seutil_run_setfiles(dpkg_t, dpkg_roles)
-userdom_use_all_users_fds(dpkg_t)
+optional_policy(`
+       modutils_run_depmod(dpkg_t, dpkg_roles)
+       modutils_run_insmod(dpkg_t, dpkg_roles)
+')
 
 optional_policy(`
        mta_send_mail(dpkg_t)
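Review bot: The removed TODO described these dpkg_t rules as placeholders until dpkg_script_t is actually used, yet `modutils_run_depmod(dpkg_t, dpkg_roles)` and `modutils_run_insmod(dpkg_t, dpkg_roles)` are kept, now inside `optional_policy`. The same commit routes maintainer scripts into dpkg_script_t, which gets its own copy of both rules in a later hunk, so it is not clear that dpkg_t still needs to run insmod. Either drop the pair from dpkg_t, which keeps kernel-module loading out of the package-manager domain, or mark it for follow-up with `# TODO: confirm dpkg_t itself still needs depmod/insmod now that scripts run in dpkg_script_t`. The trailing `optional_policy` block with `mta_send_mail(dpkg_t)` continues outside the hunk.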
@@ -202,8 +196,8 @@ optional_policy(`
 # Script Local policy
 #
 
-allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod setgid setuid sys_chroot sys_nice };
-allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow dpkg_script_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin setfcap setgid setuid sys_chroot sys_nice sys_ptrace };
+allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
 allow dpkg_script_t self:fd use;
 allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
 allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
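Review bot: The capability set for dpkg_script_t gains `audit_write`, `net_admin`, `setfcap` and `sys_ptrace`, and `setfscreate` drops out of the excluded process permissions, with no comment tying any of them to a need. `net_admin` and `sys_ptrace` in particular are broad for a domain that runs package-supplied scripts and, per `corecmd_exec_all_executables(dpkg_script_t)` further down, can execute any labelled executable in-domain. The `netlink_audit_socket`/`udp_socket` rules and `dev_manage_null_service` in the next two hunks have the same gap. One comment line per addition stating which tool needs it, for instance `# audit_write + netlink_audit_socket: account tools run from postinst log to audit` if that is the reason, would let a later reviewer remove what is no longer required.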
@@ -214,6 +208,8 @@ allow dpkg_script_t self:shm create_shm_perms;
 allow dpkg_script_t self:sem create_sem_perms;
 allow dpkg_script_t self:msgq create_msgq_perms;
 allow dpkg_script_t self:msg { send receive };
+allow dpkg_script_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow dpkg_script_t self:udp_socket create_socket_perms;
 
 allow dpkg_script_t dpkg_tmp_t:file read_file_perms;
 
@@ -233,6 +229,7 @@ kernel_read_system_state(dpkg_script_t)
 
 corecmd_exec_all_executables(dpkg_script_t)
 
+dev_manage_null_service(dpkg_script_t)
 dev_list_sysfs(dpkg_script_t)
 # Use named file transition to fix this
 # dev_manage_generic_blk_files(dpkg_script_t)
@@ -267,17 +264,28 @@ selinux_compute_access_vector(dpkg_script_t)
 selinux_compute_create_context(dpkg_script_t)
 selinux_compute_relabel_context(dpkg_script_t)
 selinux_compute_user_contexts(dpkg_script_t)
+selinux_read_policy(dpkg_script_t)
 
 storage_raw_read_fixed_disk(dpkg_script_t)
 storage_raw_write_fixed_disk(dpkg_script_t)
 
 term_use_all_terms(dpkg_script_t)
 
-auth_dontaudit_getattr_shadow(dpkg_script_t)
 files_manage_non_auth_files(dpkg_script_t)
 
+auth_manage_shadow(dpkg_script_t)
+
 init_all_labeled_script_domtrans(dpkg_script_t)
+init_get_generic_units_status(dpkg_script_t)
 init_use_script_fds(dpkg_script_t)
+init_get_system_status(dpkg_script_t)
+init_start_generic_units(dpkg_script_t)
+init_stop_generic_units(dpkg_script_t)
+init_reload(dpkg_script_t)
+init_stop_system(dpkg_script_t)
+init_telinit(dpkg_script_t)
+init_manage_script_service(dpkg_script_t)
+init_startstop_all_script_services(dpkg_script_t)
 
 libs_exec_ld_so(dpkg_script_t)
 libs_exec_lib_files(dpkg_script_t)
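Review bot: `auth_manage_shadow(dpkg_script_t)` replaces `auth_dontaudit_getattr_shadow`, so the maintainer-script domain goes from not even stat-ing shadow files to creating, writing and deleting them. That undoes the separation `files_manage_non_auth_files` on the line above appears written to keep. Scripts that add accounts could instead reach the shadow file through a transition to the account-management domains (refpolicy has `usermanage_domtrans_useradd` and `usermanage_domtrans_groupadd`), if the policy does not already do that outside this hunk. The hunk also grants `init_stop_system` and `init_telinit`, which by their names let a package script stop the system or signal init; a comment naming the package behaviour that needs them would help. `unconfined_domain(dpkg_script_t)` in the last hunk overrides all of this where the unconfined module is built, so these rules matter mainly for strict builds.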
@@ -287,9 +295,6 @@ logging_send_syslog_msg(dpkg_script_t)
 
 miscfiles_read_localization(dpkg_script_t)
 
-modutils_run_depmod(dpkg_script_t, dpkg_roles)
-modutils_run_insmod(dpkg_script_t, dpkg_roles)
-
 seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
 seutil_run_setfiles(dpkg_script_t, dpkg_roles)
 
@@ -309,6 +314,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+       modutils_run_depmod(dpkg_script_t, dpkg_roles)
+       modutils_run_insmod(dpkg_script_t, dpkg_roles)
+')
+
+optional_policy(`
        mta_send_mail(dpkg_script_t)
 ')
 
@@ -317,6 +327,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+       systemd_read_logind_state(dpkg_script_t)
+       systemd_dbus_chat_logind(dpkg_script_t)
+')
+
+optional_policy(`
        unconfined_domain(dpkg_script_t)
 ')
 
