commit: f4fe0ad50474a788016bffa6dfc9afee4a080c8c |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Thu Sep 26 06:34:23 2013 +0000 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
CommitDate: Mon Sep 30 19:00:56 2013 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f4fe0ad5 |
|
mandb: /etc/cron.daily/man-db executes dpkg, reads dpkg db on Debian |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/dpkg.if | 19 +++++++++++++++++++ |
policy/modules/contrib/mandb.te | 7 ++++++- |
2 files changed, 25 insertions(+), 1 deletion(-) |
|
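--- a/policy/modules/contrib/dpkg.if
+++ b/policy/modules/contrib/dpkg.if
@@ -21,6 +21,25 @@ interface(`dpkg_domtrans',`
 
 ########################################
 ## <summary>
+## Execute the dkpg in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_exec',`
+ gen_require(`
+ type dpkg_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, dpkg_exec_t)
+')
+
+########################################
+## <summary>
 ## Execute dpkg_script programs in
 ## the dpkg_script domain.
 ## </summary>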
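--- a/policy/modules/contrib/mandb.te
+++ b/policy/modules/contrib/mandb.te
@@ -1,4 +1,4 @@
-policy_module(mandb, 1.1.0)
+policy_module(mandb, 1.1.1)
 
 ########################################
 #
@@ -47,3 +47,8 @@ optional_policy(`
 optional_policy(`
 cron_system_entry(mandb_t, mandb_exec_t)
 ')
+
+optional_policy(`
+ dpkg_exec(mandb_t)
+ dpkg_read_db(mandb_t)
+')
\ No newline at end of file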
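Review bot: The closing `')` of the new optional_policy block is added without a trailing newline (the `\ No newline at end of file` marker at the end of the second hunk), so the next change appended to mandb.te will show this line as modified again; terminate the file with a newline. The block also calls `dpkg_read_db(mandb_t)`, which this commit does not define in dpkg.if — presumably it already exists there, but if it does not, the mandb module will fail to build whenever the dpkg module is present, since optional_policy only guards on the module being loaded, not on the interface being defined. A short comment above the block naming the script that needs it, e.g. `# /etc/cron.daily/man-db runs dpkg and reads its database on Debian`, would tie the grant to its justification from the commit message.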