| 1 |
commit: 230f3c1f0daf0682377820e7e50cc25c1178fbca |
| 2 |
Author: Dominick Grift <dominick.grift <AT> gmail <DOT> com> |
| 3 |
AuthorDate: Sat Sep 29 09:43:30 2012 +0000 |
| 4 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
| 5 |
CommitDate: Tue Oct 2 18:04:12 2012 +0000 |
| 6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=230f3c1f |
| 7 |
|
| 8 |
Changes to the dpkg policy module |
| 9 |
|
| 10 |
Module clean up |
| 11 |
|
| 12 |
Signed-off-by: Dominick Grift <dominick.grift <AT> gmail.com> |
| 13 |
|
| 14 |
--- |
| 15 |
policy/modules/contrib/dpkg.fc | 11 +++----- |
| 16 |
policy/modules/contrib/dpkg.if | 31 ++++++++++++----------- |
| 17 |
policy/modules/contrib/dpkg.te | 53 +++++++++++++--------------------------- |
| 18 |
3 files changed, 37 insertions(+), 58 deletions(-) |
| 19 |
|
| 20 |
diff --git a/policy/modules/contrib/dpkg.fc b/policy/modules/contrib/dpkg.fc |
| 21 |
index 6d0f9ee..751c251 100644 |
| 22 |
--- a/policy/modules/contrib/dpkg.fc |
| 23 |
+++ b/policy/modules/contrib/dpkg.fc |
| 24 |
@@ -1,11 +1,8 @@ |
| 25 |
-# Debian package manager |
| 26 |
-/usr/bin/debsums -- gen_context(system_u:object_r:dpkg_exec_t,s0) |
| 27 |
-/usr/bin/dpkg -- gen_context(system_u:object_r:dpkg_exec_t,s0) |
| 28 |
-# not sure if dselect should be in apt instead? |
| 29 |
-/usr/bin/dselect -- gen_context(system_u:object_r:dpkg_exec_t,s0) |
| 30 |
+/usr/bin/debsums -- gen_context(system_u:object_r:dpkg_exec_t,s0) |
| 31 |
+/usr/bin/dpkg -- gen_context(system_u:object_r:dpkg_exec_t,s0) |
| 32 |
+/usr/bin/dselect -- gen_context(system_u:object_r:dpkg_exec_t,s0) |
| 33 |
|
| 34 |
-/var/lib/dpkg(/.*)? gen_context(system_u:object_r:dpkg_var_lib_t,s0) |
| 35 |
-# lockfile is treated specially, since used by apt, too |
| 36 |
+/var/lib/dpkg(/.*)? gen_context(system_u:object_r:dpkg_var_lib_t,s0) |
| 37 |
/var/lib/dpkg/(meth)?lock -- gen_context(system_u:object_r:dpkg_lock_t,s0) |
| 38 |
|
| 39 |
/usr/sbin/dpkg-preconfigure -- gen_context(system_u:object_r:dpkg_exec_t,s0) |
| 40 |
|
| 41 |
diff --git a/policy/modules/contrib/dpkg.if b/policy/modules/contrib/dpkg.if |
| 42 |
index 4d32b42..9aa68a6 100644 |
| 43 |
--- a/policy/modules/contrib/dpkg.if |
| 44 |
+++ b/policy/modules/contrib/dpkg.if |
| 45 |
@@ -1,6 +1,4 @@ |
| 46 |
-## <summary>Policy for the Debian package manager.</summary> |
| 47 |
-# TODO: need debconf policy |
| 48 |
-# TODO: need install-menu policy |
| 49 |
+## <summary>Debian package manager.</summary> |
| 50 |
|
| 51 |
######################################## |
| 52 |
## <summary> |
| 53 |
@@ -17,14 +15,14 @@ interface(`dpkg_domtrans',` |
| 54 |
type dpkg_t, dpkg_exec_t; |
| 55 |
') |
| 56 |
|
| 57 |
- files_search_usr($1) |
| 58 |
corecmd_search_bin($1) |
| 59 |
domtrans_pattern($1, dpkg_exec_t, dpkg_t) |
| 60 |
') |
| 61 |
|
| 62 |
######################################## |
| 63 |
## <summary> |
| 64 |
-## Execute dpkg_script programs in the dpkg_script domain. |
| 65 |
+## Execute dpkg_script programs in |
| 66 |
+## the dpkg_script domain. |
| 67 |
## </summary> |
| 68 |
## <param name="domain"> |
| 69 |
## <summary> |
| 70 |
@@ -37,7 +35,6 @@ interface(`dpkg_domtrans_script',` |
| 71 |
type dpkg_script_t; |
| 72 |
') |
| 73 |
|
| 74 |
- # transition to dpkg script: |
| 75 |
corecmd_shell_domtrans($1, dpkg_script_t) |
| 76 |
allow dpkg_script_t $1:fd use; |
| 77 |
allow dpkg_script_t $1:fifo_file rw_file_perms; |
| 78 |
@@ -55,7 +52,7 @@ interface(`dpkg_domtrans_script',` |
| 79 |
## </param> |
| 80 |
## <param name="role"> |
| 81 |
## <summary> |
| 82 |
-## The role to allow the dpkg domain. |
| 83 |
+## Role allowed access. |
| 84 |
## </summary> |
| 85 |
## </param> |
| 86 |
## <rolecap/> |
| 87 |
@@ -89,7 +86,7 @@ interface(`dpkg_use_fds',` |
| 88 |
|
| 89 |
######################################## |
| 90 |
## <summary> |
| 91 |
-## Read from an unnamed dpkg pipe. |
| 92 |
+## Read from unnamed dpkg pipes. |
| 93 |
## </summary> |
| 94 |
## <param name="domain"> |
| 95 |
## <summary> |
| 96 |
@@ -107,7 +104,7 @@ interface(`dpkg_read_pipes',` |
| 97 |
|
| 98 |
######################################## |
| 99 |
## <summary> |
| 100 |
-## Read and write an unnamed dpkg pipe. |
| 101 |
+## Read and write unnamed dpkg pipes. |
| 102 |
## </summary> |
| 103 |
## <param name="domain"> |
| 104 |
## <summary> |
| 105 |
@@ -125,7 +122,8 @@ interface(`dpkg_rw_pipes',` |
| 106 |
|
| 107 |
######################################## |
| 108 |
## <summary> |
| 109 |
-## Inherit and use file descriptors from dpkg scripts. |
| 110 |
+## Inherit and use file descriptors |
| 111 |
+## from dpkg scripts. |
| 112 |
## </summary> |
| 113 |
## <param name="domain"> |
| 114 |
## <summary> |
| 115 |
@@ -143,7 +141,7 @@ interface(`dpkg_use_script_fds',` |
| 116 |
|
| 117 |
######################################## |
| 118 |
## <summary> |
| 119 |
-## Read the dpkg package database. |
| 120 |
+## Read dpkg package database content. |
| 121 |
## </summary> |
| 122 |
## <param name="domain"> |
| 123 |
## <summary> |
| 124 |
@@ -164,7 +162,8 @@ interface(`dpkg_read_db',` |
| 125 |
|
| 126 |
######################################## |
| 127 |
## <summary> |
| 128 |
-## Create, read, write, and delete the dpkg package database. |
| 129 |
+## Create, read, write, and delete |
| 130 |
+## dpkg package database content. |
| 131 |
## </summary> |
| 132 |
## <param name="domain"> |
| 133 |
## <summary> |
| 134 |
@@ -184,8 +183,9 @@ interface(`dpkg_manage_db',` |
| 135 |
|
| 136 |
######################################## |
| 137 |
## <summary> |
| 138 |
-## Do not audit attempts to create, read, |
| 139 |
-## write, and delete the dpkg package database. |
| 140 |
+## Do not audit attempts to create, |
| 141 |
+## read, write, and delete dpkg |
| 142 |
+## package database content. |
| 143 |
## </summary> |
| 144 |
## <param name="domain"> |
| 145 |
## <summary> |
| 146 |
@@ -205,7 +205,8 @@ interface(`dpkg_dontaudit_manage_db',` |
| 147 |
|
| 148 |
######################################## |
| 149 |
## <summary> |
| 150 |
-## Lock the dpkg package database. |
| 151 |
+## Create, read, write, and delete |
| 152 |
+## dpkg lock files. |
| 153 |
## </summary> |
| 154 |
## <param name="domain"> |
| 155 |
## <summary> |
| 156 |
|
| 157 |
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te |
| 158 |
index 52725c4..998d765 100644 |
| 159 |
--- a/policy/modules/contrib/dpkg.te |
| 160 |
+++ b/policy/modules/contrib/dpkg.te |
| 161 |
@@ -10,18 +10,15 @@ roleattribute system_r dpkg_roles; |
| 162 |
|
| 163 |
type dpkg_t; |
| 164 |
type dpkg_exec_t; |
| 165 |
-# dpkg can start/stop services |
| 166 |
init_system_domain(dpkg_t, dpkg_exec_t) |
| 167 |
-# dpkg can change file labels, roles, IO |
| 168 |
domain_obj_id_change_exemption(dpkg_t) |
| 169 |
domain_role_change_exemption(dpkg_t) |
| 170 |
domain_system_change_exemption(dpkg_t) |
| 171 |
domain_interactive_fd(dpkg_t) |
| 172 |
role dpkg_roles types dpkg_t; |
| 173 |
|
| 174 |
-# lockfile |
| 175 |
type dpkg_lock_t; |
| 176 |
-files_type(dpkg_lock_t) |
| 177 |
+files_lock_file(dpkg_lock_t) |
| 178 |
|
| 179 |
type dpkg_tmp_t; |
| 180 |
files_tmp_file(dpkg_tmp_t) |
| 181 |
@@ -29,11 +26,9 @@ files_tmp_file(dpkg_tmp_t) |
| 182 |
type dpkg_tmpfs_t; |
| 183 |
files_tmpfs_file(dpkg_tmpfs_t) |
| 184 |
|
| 185 |
-# status files |
| 186 |
type dpkg_var_lib_t alias var_lib_dpkg_t; |
| 187 |
files_type(dpkg_var_lib_t) |
| 188 |
|
| 189 |
-# package scripts |
| 190 |
type dpkg_script_t; |
| 191 |
domain_type(dpkg_script_t) |
| 192 |
domain_entry_file(dpkg_t, dpkg_var_lib_t) |
| 193 |
@@ -51,7 +46,7 @@ files_tmpfs_file(dpkg_script_tmpfs_t) |
| 194 |
|
| 195 |
######################################## |
| 196 |
# |
| 197 |
-# dpkg Local policy |
| 198 |
+# Local policy |
| 199 |
# |
| 200 |
|
| 201 |
allow dpkg_t self:capability { chown dac_override fowner fsetid setgid setuid kill sys_tty_config sys_nice sys_resource mknod linux_immutable }; |
| 202 |
@@ -82,7 +77,7 @@ manage_sock_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) |
| 203 |
manage_fifo_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) |
| 204 |
fs_tmpfs_filetrans(dpkg_t, dpkg_tmpfs_t, { dir file lnk_file sock_file fifo_file }) |
| 205 |
|
| 206 |
-# Access /var/lib/dpkg files |
| 207 |
+allow dpkg_t dpkg_var_lib_t:file mmap_file_perms; |
| 208 |
manage_files_pattern(dpkg_t, dpkg_var_lib_t, dpkg_var_lib_t) |
| 209 |
files_var_lib_filetrans(dpkg_t, dpkg_var_lib_t, dir) |
| 210 |
|
| 211 |
@@ -91,24 +86,18 @@ kernel_read_kernel_sysctls(dpkg_t) |
| 212 |
|
| 213 |
corecmd_exec_all_executables(dpkg_t) |
| 214 |
|
| 215 |
-# TODO: do we really need all networking? |
| 216 |
corenet_all_recvfrom_unlabeled(dpkg_t) |
| 217 |
corenet_all_recvfrom_netlabel(dpkg_t) |
| 218 |
corenet_tcp_sendrecv_generic_if(dpkg_t) |
| 219 |
-corenet_raw_sendrecv_generic_if(dpkg_t) |
| 220 |
-corenet_udp_sendrecv_generic_if(dpkg_t) |
| 221 |
corenet_tcp_sendrecv_generic_node(dpkg_t) |
| 222 |
-corenet_raw_sendrecv_generic_node(dpkg_t) |
| 223 |
-corenet_udp_sendrecv_generic_node(dpkg_t) |
| 224 |
corenet_tcp_sendrecv_all_ports(dpkg_t) |
| 225 |
-corenet_udp_sendrecv_all_ports(dpkg_t) |
| 226 |
-corenet_tcp_connect_all_ports(dpkg_t) |
| 227 |
+ |
| 228 |
corenet_sendrecv_all_client_packets(dpkg_t) |
| 229 |
+corenet_tcp_connect_all_ports(dpkg_t) |
| 230 |
|
| 231 |
dev_list_sysfs(dpkg_t) |
| 232 |
dev_list_usbfs(dpkg_t) |
| 233 |
dev_read_urand(dpkg_t) |
| 234 |
-#devices_manage_all_device_types(dpkg_t) |
| 235 |
|
| 236 |
domain_read_all_domains_state(dpkg_t) |
| 237 |
domain_getattr_all_domains(dpkg_t) |
| 238 |
@@ -122,6 +111,10 @@ domain_dontaudit_getattr_all_raw_sockets(dpkg_t) |
| 239 |
domain_dontaudit_getattr_all_stream_sockets(dpkg_t) |
| 240 |
domain_dontaudit_getattr_all_dgram_sockets(dpkg_t) |
| 241 |
|
| 242 |
+files_exec_etc_files(dpkg_t) |
| 243 |
+files_relabel_non_auth_files(dpkg_t) |
| 244 |
+files_manage_non_auth_files(dpkg_t) |
| 245 |
+ |
| 246 |
fs_manage_nfs_dirs(dpkg_t) |
| 247 |
fs_manage_nfs_files(dpkg_t) |
| 248 |
fs_manage_nfs_symlinks(dpkg_t) |
| 249 |
@@ -140,15 +133,10 @@ selinux_compute_relabel_context(dpkg_t) |
| 250 |
selinux_compute_user_contexts(dpkg_t) |
| 251 |
|
| 252 |
storage_raw_write_fixed_disk(dpkg_t) |
| 253 |
-# for installing kernel packages |
| 254 |
storage_raw_read_fixed_disk(dpkg_t) |
| 255 |
|
| 256 |
-files_relabel_non_auth_files(dpkg_t) |
| 257 |
-files_manage_non_auth_files(dpkg_t) |
| 258 |
auth_dontaudit_read_shadow(dpkg_t) |
| 259 |
|
| 260 |
-files_exec_etc_files(dpkg_t) |
| 261 |
- |
| 262 |
init_domtrans_script(dpkg_t) |
| 263 |
init_use_script_ptys(dpkg_t) |
| 264 |
|
| 265 |
@@ -158,7 +146,6 @@ libs_run_ldconfig(dpkg_t, dpkg_roles) |
| 266 |
|
| 267 |
logging_send_syslog_msg(dpkg_t) |
| 268 |
|
| 269 |
-# allow compiling and loading new policy |
| 270 |
seutil_manage_src_policy(dpkg_t) |
| 271 |
seutil_manage_bin_policy(dpkg_t) |
| 272 |
|
| 273 |
@@ -167,19 +154,15 @@ sysnet_read_config(dpkg_t) |
| 274 |
userdom_use_user_terminals(dpkg_t) |
| 275 |
userdom_use_unpriv_users_fds(dpkg_t) |
| 276 |
|
| 277 |
-# transition to dpkg script: |
| 278 |
dpkg_domtrans_script(dpkg_t) |
| 279 |
-# since the scripts aren't labeled correctly yet... |
| 280 |
-allow dpkg_t dpkg_var_lib_t:file mmap_file_perms; |
| 281 |
|
| 282 |
optional_policy(` |
| 283 |
apt_use_ptys(dpkg_t) |
| 284 |
') |
| 285 |
|
| 286 |
-# TODO: allow? |
| 287 |
-#optional_policy(` |
| 288 |
-# cron_system_entry(dpkg_t,dpkg_exec_t) |
| 289 |
-#') |
| 290 |
+optional_policy(` |
| 291 |
+ cron_system_entry(dpkg_t, dpkg_exec_t) |
| 292 |
+') |
| 293 |
|
| 294 |
optional_policy(` |
| 295 |
nis_use_ypbind(dpkg_t) |
| 296 |
@@ -201,6 +184,7 @@ modutils_run_insmod(dpkg_t, dpkg_roles) |
| 297 |
seutil_run_loadpolicy(dpkg_t, dpkg_roles) |
| 298 |
seutil_run_setfiles(dpkg_t, dpkg_roles) |
| 299 |
userdom_use_all_users_fds(dpkg_t) |
| 300 |
+ |
| 301 |
optional_policy(` |
| 302 |
mta_send_mail(dpkg_t) |
| 303 |
') |
| 304 |
@@ -211,9 +195,8 @@ optional_policy(` |
| 305 |
|
| 306 |
######################################## |
| 307 |
# |
| 308 |
-# dpkg-script Local policy |
| 309 |
+# Script Local policy |
| 310 |
# |
| 311 |
-# TODO: actually use dpkg_script_t |
| 312 |
|
| 313 |
allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill }; |
| 314 |
allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; |
| 315 |
@@ -247,9 +230,9 @@ kernel_read_system_state(dpkg_script_t) |
| 316 |
corecmd_exec_all_executables(dpkg_script_t) |
| 317 |
|
| 318 |
dev_list_sysfs(dpkg_script_t) |
| 319 |
-# ideally we would not need this |
| 320 |
-dev_manage_generic_blk_files(dpkg_script_t) |
| 321 |
-dev_manage_generic_chr_files(dpkg_script_t) |
| 322 |
+# Use named file transition to fix this |
| 323 |
+# dev_manage_generic_blk_files(dpkg_script_t) |
| 324 |
+# dev_manage_generic_chr_files(dpkg_script_t) |
| 325 |
dev_manage_all_blk_files(dpkg_script_t) |
| 326 |
dev_manage_all_chr_files(dpkg_script_t) |
| 327 |
|
| 328 |
@@ -266,7 +249,6 @@ files_exec_usr_files(dpkg_script_t) |
| 329 |
|
| 330 |
fs_manage_nfs_files(dpkg_script_t) |
| 331 |
fs_getattr_nfs(dpkg_script_t) |
| 332 |
-# why is this not using mount? |
| 333 |
fs_getattr_xattr_fs(dpkg_script_t) |
| 334 |
fs_mount_xattr_fs(dpkg_script_t) |
| 335 |
fs_unmount_xattr_fs(dpkg_script_t) |
| 336 |
@@ -288,7 +270,6 @@ storage_raw_write_fixed_disk(dpkg_script_t) |
| 337 |
term_use_all_terms(dpkg_script_t) |
| 338 |
|
| 339 |
auth_dontaudit_getattr_shadow(dpkg_script_t) |
| 340 |
-# ideally we would not need this |
| 341 |
files_manage_non_auth_files(dpkg_script_t) |
| 342 |
|
| 343 |
init_domtrans_script(dpkg_script_t) |
Archives