| 1 |
commit: f4fe0ad50474a788016bffa6dfc9afee4a080c8c |
| 2 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
| 3 |
AuthorDate: Thu Sep 26 06:34:23 2013 +0000 |
| 4 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Mon Sep 30 19:00:56 2013 +0000 |
| 6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f4fe0ad5 |
| 7 |
|
| 8 |
mandb: /etc/cron.daily/man-db executes dpkg, reads dpkg db on Debian |
| 9 |
|
| 10 |
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
| 11 |
|
| 12 |
--- |
| 13 |
policy/modules/contrib/dpkg.if | 19 +++++++++++++++++++ |
| 14 |
policy/modules/contrib/mandb.te | 7 ++++++- |
| 15 |
2 files changed, 25 insertions(+), 1 deletion(-) |
| 16 |
|
| 17 |
diff --git a/policy/modules/contrib/dpkg.if b/policy/modules/contrib/dpkg.if |
| 18 |
index 9aa68a6..fdc06d6 100644 |
| 19 |
--- a/policy/modules/contrib/dpkg.if |
| 20 |
+++ b/policy/modules/contrib/dpkg.if |
| 21 |
@@ -21,6 +21,25 @@ interface(`dpkg_domtrans',` |
| 22 |
|
| 23 |
######################################## |
| 24 |
## <summary> |
| 25 |
+## Execute the dkpg in the caller domain. |
| 26 |
+## </summary> |
| 27 |
+## <param name="domain"> |
| 28 |
+## <summary> |
| 29 |
+## Domain allowed access. |
| 30 |
+## </summary> |
| 31 |
+## </param> |
| 32 |
+# |
| 33 |
+interface(`dpkg_exec',` |
| 34 |
+ gen_require(` |
| 35 |
+ type dpkg_exec_t; |
| 36 |
+ ') |
| 37 |
+ |
| 38 |
+ corecmd_search_bin($1) |
| 39 |
+ can_exec($1, dpkg_exec_t) |
| 40 |
+') |
| 41 |
+ |
| 42 |
+######################################## |
| 43 |
+## <summary> |
| 44 |
## Execute dpkg_script programs in |
| 45 |
## the dpkg_script domain. |
| 46 |
## </summary> |
| 47 |
|
| 48 |
diff --git a/policy/modules/contrib/mandb.te b/policy/modules/contrib/mandb.te |
| 49 |
index 0fb1897..1465f27 100644 |
| 50 |
--- a/policy/modules/contrib/mandb.te |
| 51 |
+++ b/policy/modules/contrib/mandb.te |
| 52 |
@@ -1,4 +1,4 @@ |
| 53 |
-policy_module(mandb, 1.1.0) |
| 54 |
+policy_module(mandb, 1.1.1) |
| 55 |
|
| 56 |
######################################## |
| 57 |
# |
| 58 |
@@ -47,3 +47,8 @@ optional_policy(` |
| 59 |
optional_policy(` |
| 60 |
cron_system_entry(mandb_t, mandb_exec_t) |
| 61 |
') |
| 62 |
+ |
| 63 |
+optional_policy(` |
| 64 |
+ dpkg_exec(mandb_t) |
| 65 |
+ dpkg_read_db(mandb_t) |
| 66 |
+') |
| 67 |
\ No newline at end of file |
Archives