commit: 230f3c1f0daf0682377820e7e50cc25c1178fbca |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
AuthorDate: Sat Sep 29 09:43:30 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Tue Oct 2 18:04:12 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=230f3c1f |
|
Changes to the dpkg policy module |
|
Module clean up |
|
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
|
--- |
policy/modules/contrib/dpkg.fc | 11 +++----- |
policy/modules/contrib/dpkg.if | 31 ++++++++++++----------- |
policy/modules/contrib/dpkg.te | 53 +++++++++++++--------------------------- |
3 files changed, 37 insertions(+), 58 deletions(-) |
|
20 |
diff --git a/policy/modules/contrib/dpkg.fc b/policy/modules/contrib/dpkg.fc |
21 |
index 6d0f9ee..751c251 100644 |
22 |
--- a/policy/modules/contrib/dpkg.fc |
23 |
+++ b/policy/modules/contrib/dpkg.fc |
24 |
@@ -1,11 +1,8 @@ |
25 |
-# Debian package manager |
26 |
-/usr/bin/debsums -- gen_context(system_u:object_r:dpkg_exec_t,s0) |
27 |
-/usr/bin/dpkg -- gen_context(system_u:object_r:dpkg_exec_t,s0) |
28 |
-# not sure if dselect should be in apt instead? |
29 |
-/usr/bin/dselect -- gen_context(system_u:object_r:dpkg_exec_t,s0) |
30 |
+/usr/bin/debsums -- gen_context(system_u:object_r:dpkg_exec_t,s0) |
31 |
+/usr/bin/dpkg -- gen_context(system_u:object_r:dpkg_exec_t,s0) |
32 |
+/usr/bin/dselect -- gen_context(system_u:object_r:dpkg_exec_t,s0) |
33 |
|
34 |
-/var/lib/dpkg(/.*)? gen_context(system_u:object_r:dpkg_var_lib_t,s0) |
35 |
-# lockfile is treated specially, since used by apt, too |
36 |
+/var/lib/dpkg(/.*)? gen_context(system_u:object_r:dpkg_var_lib_t,s0) |
37 |
/var/lib/dpkg/(meth)?lock -- gen_context(system_u:object_r:dpkg_lock_t,s0) |
38 |
|
39 |
/usr/sbin/dpkg-preconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0) |
40 |
|
41 |
diff --git a/policy/modules/contrib/dpkg.if b/policy/modules/contrib/dpkg.if |
42 |
index 4d32b42..9aa68a6 100644 |
43 |
--- a/policy/modules/contrib/dpkg.if |
44 |
+++ b/policy/modules/contrib/dpkg.if |
45 |
@@ -1,6 +1,4 @@ |
46 |
-## <summary>Policy for the Debian package manager.</summary> |
47 |
-# TODO: need debconf policy |
48 |
-# TODO: need install-menu policy |
49 |
+## <summary>Debian package manager.</summary> |
50 |
|
51 |
######################################## |
52 |
## <summary> |
53 |
@@ -17,14 +15,14 @@ interface(`dpkg_domtrans',` |
54 |
type dpkg_t, dpkg_exec_t; |
55 |
') |
56 |
|
57 |
- files_search_usr($1) |
58 |
corecmd_search_bin($1) |
59 |
domtrans_pattern($1, dpkg_exec_t, dpkg_t) |
60 |
') |
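Review bot: Dropping `files_search_usr($1)` from dpkg_domtrans leaves callers depending on `corecmd_search_bin($1)` for search on /usr before they reach /usr/bin/dpkg; upstream refpolicy's corecmd_search_bin does call files_search_usr, but this is a hardened tree, so confirm corecommands.if here still grants it or a caller will hit a search denial on usr_t ahead of the transition. A one-line comment would make the dependency explicit, e.g. `# corecmd_search_bin also searches /usr`.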
61 |
|
62 |
######################################## |
63 |
## <summary> |
64 |
-## Execute dpkg_script programs in the dpkg_script domain. |
65 |
+## Execute dpkg_script programs in |
66 |
+## the dpkg_script domain. |
67 |
## </summary> |
68 |
## <param name="domain"> |
69 |
## <summary> |
70 |
@@ -37,7 +35,6 @@ interface(`dpkg_domtrans_script',` |
71 |
type dpkg_script_t; |
72 |
') |
73 |
|
74 |
- # transition to dpkg script: |
75 |
corecmd_shell_domtrans($1, dpkg_script_t) |
76 |
allow dpkg_script_t $1:fd use; |
77 |
allow dpkg_script_t $1:fifo_file rw_file_perms; |
78 |
@@ -55,7 +52,7 @@ interface(`dpkg_domtrans_script',` |
79 |
## </param> |
80 |
## <param name="role"> |
81 |
## <summary> |
82 |
-## The role to allow the dpkg domain. |
83 |
+## Role allowed access. |
84 |
## </summary> |
85 |
## </param> |
86 |
## <rolecap/> |
87 |
@@ -89,7 +86,7 @@ interface(`dpkg_use_fds',` |
88 |
|
89 |
######################################## |
90 |
## <summary> |
91 |
-## Read from an unnamed dpkg pipe. |
92 |
+## Read from unnamed dpkg pipes. |
93 |
## </summary> |
94 |
## <param name="domain"> |
95 |
## <summary> |
96 |
@@ -107,7 +104,7 @@ interface(`dpkg_read_pipes',` |
97 |
|
98 |
######################################## |
99 |
## <summary> |
100 |
-## Read and write an unnamed dpkg pipe. |
101 |
+## Read and write unnamed dpkg pipes. |
102 |
## </summary> |
103 |
## <param name="domain"> |
104 |
## <summary> |
105 |
@@ -125,7 +122,8 @@ interface(`dpkg_rw_pipes',` |
106 |
|
107 |
######################################## |
108 |
## <summary> |
109 |
-## Inherit and use file descriptors from dpkg scripts. |
110 |
+## Inherit and use file descriptors |
111 |
+## from dpkg scripts. |
112 |
## </summary> |
113 |
## <param name="domain"> |
114 |
## <summary> |
115 |
@@ -143,7 +141,7 @@ interface(`dpkg_use_script_fds',` |
116 |
|
117 |
######################################## |
118 |
## <summary> |
119 |
-## Read the dpkg package database. |
120 |
+## Read dpkg package database content. |
121 |
## </summary> |
122 |
## <param name="domain"> |
123 |
## <summary> |
124 |
@@ -164,7 +162,8 @@ interface(`dpkg_read_db',` |
125 |
|
126 |
######################################## |
127 |
## <summary> |
128 |
-## Create, read, write, and delete the dpkg package database. |
129 |
+## Create, read, write, and delete |
130 |
+## dpkg package database content. |
131 |
## </summary> |
132 |
## <param name="domain"> |
133 |
## <summary> |
134 |
@@ -184,8 +183,9 @@ interface(`dpkg_manage_db',` |
135 |
|
136 |
######################################## |
137 |
## <summary> |
138 |
-## Do not audit attempts to create, read, |
139 |
-## write, and delete the dpkg package database. |
140 |
+## Do not audit attempts to create, |
141 |
+## read, write, and delete dpkg |
142 |
+## package database content. |
143 |
## </summary> |
144 |
## <param name="domain"> |
145 |
## <summary> |
146 |
@@ -205,7 +205,8 @@ interface(`dpkg_dontaudit_manage_db',` |
147 |
|
148 |
######################################## |
149 |
## <summary> |
150 |
-## Lock the dpkg package database. |
151 |
+## Create, read, write, and delete |
152 |
+## dpkg lock files. |
153 |
## </summary> |
154 |
## <param name="domain"> |
155 |
## <summary> |
156 |
|
157 |
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te |
158 |
index 52725c4..998d765 100644 |
159 |
--- a/policy/modules/contrib/dpkg.te |
160 |
+++ b/policy/modules/contrib/dpkg.te |
161 |
@@ -10,18 +10,15 @@ roleattribute system_r dpkg_roles; |
162 |
|
163 |
type dpkg_t; |
164 |
type dpkg_exec_t; |
165 |
-# dpkg can start/stop services |
166 |
init_system_domain(dpkg_t, dpkg_exec_t) |
167 |
-# dpkg can change file labels, roles, IO |
168 |
domain_obj_id_change_exemption(dpkg_t) |
169 |
domain_role_change_exemption(dpkg_t) |
170 |
domain_system_change_exemption(dpkg_t) |
171 |
domain_interactive_fd(dpkg_t) |
172 |
role dpkg_roles types dpkg_t; |
173 |
|
174 |
-# lockfile |
175 |
type dpkg_lock_t; |
176 |
-files_type(dpkg_lock_t) |
177 |
+files_lock_file(dpkg_lock_t) |
178 |
|
179 |
type dpkg_tmp_t; |
180 |
files_tmp_file(dpkg_tmp_t) |
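Review bot: `files_lock_file(dpkg_lock_t)` gives the type the lockfile attribute, but /var/lib/dpkg/lock sits under a dpkg_var_lib_t directory rather than /var/lock, so the generic lock file transitions will not label it; unless a named transition exists elsewhere in the module (none is visible in this diff), a lock file that dpkg creates itself ends up as dpkg_var_lib_t and only gets dpkg_lock_t on relabel via the .fc entry. Since the deleted .fc comment recorded that apt shares this lock, consider `filetrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_lock_t, file, "lock")` plus the same line for `"methlock"` next to the existing `files_var_lib_filetrans` call. The removed `# lockfile` comment also carried the why; a short `# /var/lib/dpkg/lock, shared with apt` above the type declaration would preserve it.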
181 |
@@ -29,11 +26,9 @@ files_tmp_file(dpkg_tmp_t) |
182 |
type dpkg_tmpfs_t; |
183 |
files_tmpfs_file(dpkg_tmpfs_t) |
184 |
|
185 |
-# status files |
186 |
type dpkg_var_lib_t alias var_lib_dpkg_t; |
187 |
files_type(dpkg_var_lib_t) |
188 |
|
189 |
-# package scripts |
190 |
type dpkg_script_t; |
191 |
domain_type(dpkg_script_t) |
192 |
domain_entry_file(dpkg_t, dpkg_var_lib_t) |
193 |
@@ -51,7 +46,7 @@ files_tmpfs_file(dpkg_script_tmpfs_t) |
194 |
|
195 |
######################################## |
196 |
# |
197 |
-# dpkg Local policy |
198 |
+# Local policy |
199 |
# |
200 |
|
201 |
allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable }; |
202 |
@@ -82,7 +77,7 @@ manage_sock_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) |
203 |
manage_fifo_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) |
204 |
fs_tmpfs_filetrans(dpkg_t, dpkg_tmpfs_t, { dir file lnk_file sock_file fifo_file }) |
205 |
|
206 |
-# Access /var/lib/dpkg files |
207 |
+allow dpkg_t dpkg_var_lib_t:file mmap_file_perms; |
208 |
manage_files_pattern(dpkg_t, dpkg_var_lib_t, dpkg_var_lib_t) |
209 |
files_var_lib_filetrans(dpkg_t, dpkg_var_lib_t, dir) |
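Review bot: The relocated `allow dpkg_t dpkg_var_lib_t:file mmap_file_perms;` lost the rationale it carried at its old position ("since the scripts aren't labeled correctly yet"), and the line deserves one because mmap_file_perms includes execute over the whole dpkg_var_lib_t tree, which `domain_entry_file(dpkg_t, dpkg_var_lib_t)` above also declares an entry point for dpkg_t. Keep a why-comment at the new location, e.g. `# maintainer scripts under /var/lib/dpkg/info carry dpkg_var_lib_t; dpkg maps and executes them from there` (presumably the situation the old comment described; confirm before asserting it).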
210 |
|
211 |
@@ -91,24 +86,18 @@ kernel_read_kernel_sysctls(dpkg_t) |
212 |
|
213 |
corecmd_exec_all_executables(dpkg_t) |
214 |
|
215 |
-# TODO: do we really need all networking? |
216 |
corenet_all_recvfrom_unlabeled(dpkg_t) |
217 |
corenet_all_recvfrom_netlabel(dpkg_t) |
218 |
corenet_tcp_sendrecv_generic_if(dpkg_t) |
219 |
-corenet_raw_sendrecv_generic_if(dpkg_t) |
220 |
-corenet_udp_sendrecv_generic_if(dpkg_t) |
221 |
corenet_tcp_sendrecv_generic_node(dpkg_t) |
222 |
-corenet_raw_sendrecv_generic_node(dpkg_t) |
223 |
-corenet_udp_sendrecv_generic_node(dpkg_t) |
224 |
corenet_tcp_sendrecv_all_ports(dpkg_t) |
225 |
-corenet_udp_sendrecv_all_ports(dpkg_t) |
226 |
-corenet_tcp_connect_all_ports(dpkg_t) |
227 |
+ |
228 |
corenet_sendrecv_all_client_packets(dpkg_t) |
229 |
+corenet_tcp_connect_all_ports(dpkg_t) |
230 |
|
231 |
dev_list_sysfs(dpkg_t) |
232 |
dev_list_usbfs(dpkg_t) |
233 |
dev_read_urand(dpkg_t) |
234 |
-#devices_manage_all_device_types(dpkg_t) |
235 |
|
236 |
domain_read_all_domains_state(dpkg_t) |
237 |
domain_getattr_all_domains(dpkg_t) |
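Review bot: The `# TODO: do we really need all networking?` question is deleted but not answered: `corenet_tcp_connect_all_ports(dpkg_t)` and `corenet_tcp_sendrecv_all_ports(dpkg_t)` remain, so the package-manager domain can still open TCP connections to any port even though dpkg itself does no network I/O and maintainer scripts run in dpkg_script_t via dpkg_domtrans_script. One plausible consumer is a dselect access method that fetches over the network, since dselect is labeled dpkg_exec_t in the .fc hunk above, but that is inference; either name the consumer in a comment, e.g. `# dselect network access methods (ftp/http) run in dpkg_t`, or drop the all-ports connect line. Trimming raw and UDP while keeping unrestricted TCP connect is the half of this change hardest to justify.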
238 |
@@ -122,6 +111,10 @@ domain_dontaudit_getattr_all_raw_sockets(dpkg_t) |
239 |
domain_dontaudit_getattr_all_stream_sockets(dpkg_t) |
240 |
domain_dontaudit_getattr_all_dgram_sockets(dpkg_t) |
241 |
|
242 |
+files_exec_etc_files(dpkg_t) |
243 |
+files_relabel_non_auth_files(dpkg_t) |
244 |
+files_manage_non_auth_files(dpkg_t) |
245 |
+ |
246 |
fs_manage_nfs_dirs(dpkg_t) |
247 |
fs_manage_nfs_files(dpkg_t) |
248 |
fs_manage_nfs_symlinks(dpkg_t) |
249 |
@@ -140,15 +133,10 @@ selinux_compute_relabel_context(dpkg_t) |
250 |
selinux_compute_user_contexts(dpkg_t) |
251 |
|
252 |
storage_raw_write_fixed_disk(dpkg_t) |
253 |
-# for installing kernel packages |
254 |
storage_raw_read_fixed_disk(dpkg_t) |
255 |
|
256 |
-files_relabel_non_auth_files(dpkg_t) |
257 |
-files_manage_non_auth_files(dpkg_t) |
258 |
auth_dontaudit_read_shadow(dpkg_t) |
259 |
|
260 |
-files_exec_etc_files(dpkg_t) |
261 |
- |
262 |
init_domtrans_script(dpkg_t) |
263 |
init_use_script_ptys(dpkg_t) |
264 |
|
265 |
@@ -158,7 +146,6 @@ libs_run_ldconfig(dpkg_t, dpkg_roles) |
266 |
|
267 |
logging_send_syslog_msg(dpkg_t) |
268 |
|
269 |
-# allow compiling and loading new policy |
270 |
seutil_manage_src_policy(dpkg_t) |
271 |
seutil_manage_bin_policy(dpkg_t) |
272 |
|
273 |
@@ -167,19 +154,15 @@ sysnet_read_config(dpkg_t) |
274 |
userdom_use_user_terminals(dpkg_t) |
275 |
userdom_use_unpriv_users_fds(dpkg_t) |
276 |
|
277 |
-# transition to dpkg script: |
278 |
dpkg_domtrans_script(dpkg_t) |
279 |
-# since the scripts aren't labeled correctly yet... |
280 |
-allow dpkg_t dpkg_var_lib_t:file mmap_file_perms; |
281 |
|
282 |
optional_policy(` |
283 |
apt_use_ptys(dpkg_t) |
284 |
') |
285 |
|
286 |
-# TODO: allow? |
287 |
-#optional_policy(` |
288 |
-# cron_system_entry(dpkg_t,dpkg_exec_t) |
289 |
-#') |
290 |
+optional_policy(` |
291 |
+ cron_system_entry(dpkg_t, dpkg_exec_t) |
292 |
+') |
293 |
|
294 |
optional_policy(` |
295 |
nis_use_ypbind(dpkg_t) |
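Review bot: Enabling `cron_system_entry(dpkg_t, dpkg_exec_t)` opens a new entry path from system cron jobs into dpkg_t, a domain that per the lines around it can manage and relabel all non-auth files, read and write raw fixed disks and load policy, and the commit resolves the old `# TODO: allow?` without recording why. Note that debsums is also dpkg_exec_t per the .fc hunk, so a periodic debsums run would enter dpkg_t with far more than an integrity checker needs. If the intended consumer is a nightly apt/dpkg job, say so above the block, e.g. `# periodic package jobs (apt cron scripts, debsums) run dpkg tooling from system_cronjob_t` (presumed; confirm the actual cron consumer).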
296 |
@@ -201,6 +184,7 @@ modutils_run_insmod(dpkg_t, dpkg_roles) |
297 |
seutil_run_loadpolicy(dpkg_t, dpkg_roles) |
298 |
seutil_run_setfiles(dpkg_t, dpkg_roles) |
299 |
userdom_use_all_users_fds(dpkg_t) |
300 |
+ |
301 |
optional_policy(` |
302 |
mta_send_mail(dpkg_t) |
303 |
') |
304 |
@@ -211,9 +195,8 @@ optional_policy(` |
305 |
|
306 |
######################################## |
307 |
# |
308 |
-# dpkg-script Local policy |
309 |
+# Script Local policy |
310 |
# |
311 |
-# TODO: actually use dpkg_script_t |
312 |
|
313 |
allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill }; |
314 |
allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; |
315 |
@@ -247,9 +230,9 @@ kernel_read_system_state(dpkg_script_t) |
316 |
corecmd_exec_all_executables(dpkg_script_t) |
317 |
|
318 |
dev_list_sysfs(dpkg_script_t) |
319 |
-# ideally we would not need this |
320 |
-dev_manage_generic_blk_files(dpkg_script_t) |
321 |
-dev_manage_generic_chr_files(dpkg_script_t) |
322 |
+# Use named file transition to fix this |
323 |
+# dev_manage_generic_blk_files(dpkg_script_t) |
324 |
+# dev_manage_generic_chr_files(dpkg_script_t) |
325 |
dev_manage_all_blk_files(dpkg_script_t) |
326 |
dev_manage_all_chr_files(dpkg_script_t) |
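Review bot: Commenting out `dev_manage_generic_blk_files`/`dev_manage_generic_chr_files` does not narrow dpkg_script_t's access, because `dev_manage_all_blk_files` and `dev_manage_all_chr_files` on the next two lines cover every device_node type, which in refpolicy includes the generic device_t (confirm against this tree's devices.te). The new `# Use named file transition to fix this` comment therefore points at the wrong lines, and commented-out policy should be deleted rather than kept as a reminder. Replace the three lines with a comment on the surviving grants, e.g. `# package scripts create device nodes (presumably MAKEDEV); narrow via named filetrans once node types are assigned`, and remove the two commented calls.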
327 |
|
328 |
@@ -266,7 +249,6 @@ files_exec_usr_files(dpkg_script_t) |
329 |
|
330 |
fs_manage_nfs_files(dpkg_script_t) |
331 |
fs_getattr_nfs(dpkg_script_t) |
332 |
-# why is this not using mount? |
333 |
fs_getattr_xattr_fs(dpkg_script_t) |
334 |
fs_mount_xattr_fs(dpkg_script_t) |
335 |
fs_unmount_xattr_fs(dpkg_script_t) |
336 |
@@ -288,7 +270,6 @@ storage_raw_write_fixed_disk(dpkg_script_t) |
337 |
term_use_all_terms(dpkg_script_t) |
338 |
|
339 |
auth_dontaudit_getattr_shadow(dpkg_script_t) |
340 |
-# ideally we would not need this |
341 |
files_manage_non_auth_files(dpkg_script_t) |
342 |
|
343 |
init_domtrans_script(dpkg_script_t) |