commit: c5bcefb771f18fd43258aff78f807607e705b173 Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> AuthorDate: Sun Feb 19 21:12:33 2017 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Tue Feb 21 07:06:20 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c5bcefb7
dpkg: Updates from Russell Coker. policy/modules/contrib/dpkg.te | 57 ++++++++++++++++++++++++++---------------- 1 file changed, 36 insertions(+), 21 deletions(-) diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te index 84dd6ba1..cc7f9dbb 100644 --- a/policy/modules/contrib/dpkg.te +++ b/policy/modules/contrib/dpkg.te @@ -1,4 +1,4 @@ -policy_module(dpkg, 1.11.0) +policy_module(dpkg, 1.11.1) ######################################## # @@ -32,6 +32,7 @@ files_type(dpkg_var_lib_t) type dpkg_script_t; domain_type(dpkg_script_t) domain_entry_file(dpkg_t, dpkg_var_lib_t) +domain_entry_file(dpkg_script_t, dpkg_var_lib_t) corecmd_shell_entry_type(dpkg_script_t) domain_obj_id_change_exemption(dpkg_script_t) domain_system_change_exemption(dpkg_script_t) @@ -66,6 +67,8 @@ allow dpkg_t self:msg { send receive }; allow dpkg_t dpkg_lock_t:file manage_file_perms; +spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t) + manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t) manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t) files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir }) @@ -84,8 +87,6 @@ files_var_lib_filetrans(dpkg_t, dpkg_var_lib_t, dir) kernel_read_system_state(dpkg_t) kernel_read_kernel_sysctls(dpkg_t) -corecmd_exec_all_executables(dpkg_t) - corenet_all_recvfrom_unlabeled(dpkg_t) corenet_all_recvfrom_netlabel(dpkg_t) corenet_tcp_sendrecv_generic_if(dpkg_t) @@ -153,6 +154,7 @@ sysnet_read_config(dpkg_t) userdom_use_user_terminals(dpkg_t) userdom_use_unpriv_users_fds(dpkg_t) +userdom_use_all_users_fds(dpkg_t) dpkg_domtrans_script(dpkg_t) 
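Review bot: The new `domain_entry_file(dpkg_script_t, dpkg_var_lib_t)` in the `@@ -32,6 +32,7 @@` hunk and `spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)` in the `@@ -66,6 +67,8 @@` hunk carry no comment, although together they make every file labelled dpkg_var_lib_t a valid entry point into the broadly privileged dpkg_script_t. spec_domtrans_pattern defines no automatic type_transition, so the transition happens only when dpkg itself requests the exec context. If that request is absent or fails, the script would presumably stay in dpkg_t, which loses `corecmd_exec_all_executables` in this same commit. I would add a comment above the pattern such as `# maintainer scripts live in the dpkg database dir; dpkg sets the exec context explicitly, there is no auto transition`. It may also be worth considering a dedicated type for the script files, so that the package database itself is not an entry point.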
@@ -176,18 +178,10 @@ optional_policy(` unconfined_domain(dpkg_t) ') -# TODO: the following was copied from dpkg_script_t, and could probably -# be removed again when dpkg_script_t is actually used... -domain_signal_all_domains(dpkg_t) -domain_signull_all_domains(dpkg_t) -files_read_etc_runtime_files(dpkg_t) -files_exec_usr_files(dpkg_t) -miscfiles_read_localization(dpkg_t) -modutils_run_depmod(dpkg_t, dpkg_roles) -modutils_run_insmod(dpkg_t, dpkg_roles) -seutil_run_loadpolicy(dpkg_t, dpkg_roles) -seutil_run_setfiles(dpkg_t, dpkg_roles) -userdom_use_all_users_fds(dpkg_t) +optional_policy(` + modutils_run_depmod(dpkg_t, dpkg_roles) + modutils_run_insmod(dpkg_t, dpkg_roles) +') optional_policy(` mta_send_mail(dpkg_t) @@ -202,8 +196,8 @@ optional_policy(` # Script Local policy # -allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod setgid setuid sys_chroot sys_nice }; -allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow dpkg_script_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin setfcap setgid setuid sys_chroot sys_nice sys_ptrace }; +allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap }; allow dpkg_script_t self:fd use; allow dpkg_script_t self:fifo_file rw_fifo_file_perms; allow dpkg_script_t self:unix_dgram_socket create_socket_perms; @@ -214,6 +208,8 @@ allow dpkg_script_t self:shm create_shm_perms; allow dpkg_script_t self:sem create_sem_perms; allow dpkg_script_t self:msgq create_msgq_perms; allow dpkg_script_t self:msg { send receive }; +allow dpkg_script_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +allow dpkg_script_t self:udp_socket create_socket_perms; allow dpkg_script_t dpkg_tmp_t:file read_file_perms; 
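Review bot: In the `@@ -176,18 +178,10 @@` hunk the new `optional_policy` block keeps `modutils_run_depmod` and `modutils_run_insmod` on dpkg_t, although the removed TODO said these rules were only copied from dpkg_script_t until that domain was actually used. This commit adds the transition into dpkg_script_t and gives that domain its own modutils block (`@@ -309,6 +314,11 @@`), so dpkg_t may no longer need to run insmod at all. If something in dpkg_t still needs it, a comment naming the caller would justify the rule, e.g. `# depmod/insmod still run directly from dpkg_t for <reason>`; otherwise I would drop the block from dpkg_t.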
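Review bot: The widened capability set in the `@@ -202,8 +196,8 @@` hunk adds `net_admin`, `sys_ptrace`, `setfcap` and `audit_write` to dpkg_script_t without any comment saying which maintainer-script action needs each one, and the process rule starts granting `setfscreate` simply by dropping it from the complement set. `sys_ptrace` in particular sits oddly next to a process rule that still excludes `ptrace`, so it is presumably there for inspecting other processes rather than tracing them, which is worth stating. The same applies to the `netlink_audit_socket` and `udp_socket` rules added in the `@@ -214,6 +208,8 @@` hunk. I would put the additions on their own commented lines, for example `# setfcap: packages that ship files with file capabilities`, so a later audit can remove any that prove unnecessary.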
@@ -233,6 +229,7 @@ kernel_read_system_state(dpkg_script_t) corecmd_exec_all_executables(dpkg_script_t) +dev_manage_null_service(dpkg_script_t) dev_list_sysfs(dpkg_script_t) # Use named file transition to fix this # dev_manage_generic_blk_files(dpkg_script_t) @@ -267,17 +264,28 @@ selinux_compute_access_vector(dpkg_script_t) selinux_compute_create_context(dpkg_script_t) selinux_compute_relabel_context(dpkg_script_t) selinux_compute_user_contexts(dpkg_script_t) +selinux_read_policy(dpkg_script_t) storage_raw_read_fixed_disk(dpkg_script_t) storage_raw_write_fixed_disk(dpkg_script_t) term_use_all_terms(dpkg_script_t) -auth_dontaudit_getattr_shadow(dpkg_script_t) files_manage_non_auth_files(dpkg_script_t) +auth_manage_shadow(dpkg_script_t) + init_all_labeled_script_domtrans(dpkg_script_t) +init_get_generic_units_status(dpkg_script_t) init_use_script_fds(dpkg_script_t) +init_get_system_status(dpkg_script_t) +init_start_generic_units(dpkg_script_t) +init_stop_generic_units(dpkg_script_t) +init_reload(dpkg_script_t) +init_stop_system(dpkg_script_t) +init_telinit(dpkg_script_t) +init_manage_script_service(dpkg_script_t) +init_startstop_all_script_services(dpkg_script_t) libs_exec_ld_so(dpkg_script_t) libs_exec_lib_files(dpkg_script_t) @@ -287,9 +295,6 @@ logging_send_syslog_msg(dpkg_script_t) miscfiles_read_localization(dpkg_script_t) -modutils_run_depmod(dpkg_script_t, dpkg_roles) -modutils_run_insmod(dpkg_script_t, dpkg_roles) - seutil_run_loadpolicy(dpkg_script_t, dpkg_roles) seutil_run_setfiles(dpkg_script_t, dpkg_roles) @@ -309,6 +314,11 @@ optional_policy(` ') optional_policy(` + modutils_run_depmod(dpkg_script_t, dpkg_roles) + modutils_run_insmod(dpkg_script_t, dpkg_roles) +') + +optional_policy(` mta_send_mail(dpkg_script_t) ') @@ -317,6 +327,11 @@ optional_policy(` ') optional_policy(` + systemd_read_logind_state(dpkg_script_t) + systemd_dbus_chat_logind(dpkg_script_t) +') + +optional_policy(` unconfined_domain(dpkg_script_t) ')
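Review bot: `dev_manage_null_service(dpkg_script_t)` in the `@@ -233,6 +229,7 @@` hunk is not self-explanatory next to the other dev_ rules, which concern device nodes. As far as I can tell it covers service-manager operations on units that resolve to the null device (masked units), so a one-line comment such as `# systemd: start/stop/status on masked units (symlinks to /dev/null)` would keep a later reader from mistaking it for access to /dev/null itself.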
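Review bot: Replacing `auth_dontaudit_getattr_shadow` with `auth_manage_shadow(dpkg_script_t)` in the `@@ -267,17 +264,28 @@` hunk gives every package maintainer script create, write and delete access to shadow_t files, which undoes the separation that the neighbouring `files_manage_non_auth_files` is named for. If the need is account creation from postinst scripts, a transition into the useradd/groupadd domains (the refpolicy `usermanage_run_useradd` / `usermanage_run_groupadd` interfaces, if not already present elsewhere in this module) would keep shadow access out of the general script domain. The same hunk also adds `init_stop_system` and `init_telinit`, which let a script halt the host or change its runlevel; both deserve a comment naming the package behaviour that requires them. If `auth_manage_shadow` has to stay, I would at least annotate it: `# needed by <package/script>; grants full manage on shadow_t`.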