| 1 |
commit: 5c0380690178b590981b61a84253b8ca67452d65 |
| 2 |
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> |
| 3 |
AuthorDate: Sat Apr 29 15:13:24 2017 +0000 |
| 4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Sun Apr 30 14:17:45 2017 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5c038069 |
| 7 |
|
| 8 |
apt/dpkg strict patches from Russell Coker. |
| 9 |
|
| 10 |
The following are needed for correct operation of apt and dpkg on a "strict" |
| 11 |
configuration. |
| 12 |
|
| 13 |
policy/modules/contrib/apt.te | 6 ++++-- |
| 14 |
policy/modules/contrib/dpkg.if | 20 ++++++++++++++++++++ |
| 15 |
policy/modules/contrib/dpkg.te | 5 ++++- |
| 16 |
policy/modules/contrib/mta.te | 7 ++++++- |
| 17 |
4 files changed, 34 insertions(+), 4 deletions(-) |
| 18 |
|
| 19 |
diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te |
| 20 |
index dc6f09b1..63b93257 100644 |
| 21 |
--- a/policy/modules/contrib/apt.te |
| 22 |
+++ b/policy/modules/contrib/apt.te |
| 23 |
@@ -1,4 +1,4 @@ |
| 24 |
-policy_module(apt, 1.10.2) |
| 25 |
+policy_module(apt, 1.10.3) |
| 26 |
|
| 27 |
######################################## |
| 28 |
# |
| 29 |
@@ -39,7 +39,7 @@ logging_log_file(apt_var_log_t) |
| 30 |
# Local policy |
| 31 |
# |
| 32 |
|
| 33 |
-allow apt_t self:capability { chown dac_override fowner fsetid }; |
| 34 |
+allow apt_t self:capability { chown dac_override fowner fsetid kill setgid setuid }; |
| 35 |
allow apt_t self:process { signal setpgid fork }; |
| 36 |
allow apt_t self:fd use; |
| 37 |
allow apt_t self:fifo_file rw_fifo_file_perms; |
| 38 |
@@ -69,12 +69,14 @@ manage_sock_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t) |
| 39 |
fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file }) |
| 40 |
|
| 41 |
manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t) |
| 42 |
+manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t) |
| 43 |
files_var_filetrans(apt_t, apt_var_cache_t, dir) |
| 44 |
|
| 45 |
manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t) |
| 46 |
files_var_lib_filetrans(apt_t, apt_var_lib_t, dir) |
| 47 |
|
| 48 |
allow apt_t apt_var_log_t:file manage_file_perms; |
| 49 |
+allow apt_t apt_var_log_t:dir manage_dir_perms; |
| 50 |
logging_log_filetrans(apt_t, apt_var_log_t, file) |
| 51 |
|
| 52 |
can_exec(apt_t, apt_exec_t) |
| 53 |
|
| 54 |
diff --git a/policy/modules/contrib/dpkg.if b/policy/modules/contrib/dpkg.if |
| 55 |
index 081134f2..c753ad62 100644 |
| 56 |
--- a/policy/modules/contrib/dpkg.if |
| 57 |
+++ b/policy/modules/contrib/dpkg.if |
| 58 |
@@ -179,6 +179,26 @@ interface(`dpkg_use_script_fds',` |
| 59 |
|
| 60 |
######################################## |
| 61 |
## <summary> |
| 62 |
+## Inherit and use file descriptors |
| 63 |
+## from dpkg scripts. |
| 64 |
+## </summary> |
| 65 |
+## <param name="domain"> |
| 66 |
+## <summary> |
| 67 |
+## Domain allowed access. |
| 68 |
+## </summary> |
| 69 |
+## </param> |
| 70 |
+# |
| 71 |
+interface(`dpkg_script_rw_inherited_pipes',` |
| 72 |
+ gen_require(` |
| 73 |
+ type dpkg_script_t; |
| 74 |
+ ') |
| 75 |
+ |
| 76 |
+ allow $1 dpkg_script_t:fd use; |
| 77 |
+ allow $1 dpkg_script_t:fifo_file rw_inherited_file_perms; |
| 78 |
+') |
| 79 |
+ |
| 80 |
+######################################## |
| 81 |
+## <summary> |
| 82 |
## Read dpkg package database content. |
| 83 |
## </summary> |
| 84 |
## <param name="domain"> |
| 85 |
|
| 86 |
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te |
| 87 |
index a91e4896..e781815d 100644 |
| 88 |
--- a/policy/modules/contrib/dpkg.te |
| 89 |
+++ b/policy/modules/contrib/dpkg.te |
| 90 |
@@ -1,4 +1,4 @@ |
| 91 |
-policy_module(dpkg, 1.11.6) |
| 92 |
+policy_module(dpkg, 1.11.7) |
| 93 |
|
| 94 |
######################################## |
| 95 |
# |
| 96 |
@@ -42,6 +42,8 @@ role dpkg_roles types dpkg_script_t; |
| 97 |
|
| 98 |
type dpkg_script_tmp_t; |
| 99 |
files_tmp_file(dpkg_script_tmp_t) |
| 100 |
+# out of order to work around compiler issue |
| 101 |
+domain_entry_file(dpkg_script_t, dpkg_script_tmp_t) |
| 102 |
|
| 103 |
type dpkg_script_tmpfs_t; |
| 104 |
files_tmpfs_file(dpkg_script_tmpfs_t) |
| 105 |
@@ -69,6 +71,7 @@ allow dpkg_t self:msg { send receive }; |
| 106 |
allow dpkg_t dpkg_lock_t:file manage_file_perms; |
| 107 |
|
| 108 |
spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t) |
| 109 |
+spec_domtrans_pattern(dpkg_t, dpkg_script_tmp_t, dpkg_script_t) |
| 110 |
|
| 111 |
manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t) |
| 112 |
manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t) |
| 113 |
|
| 114 |
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te |
| 115 |
index 2baa07c9..caa21fb9 100644 |
| 116 |
--- a/policy/modules/contrib/mta.te |
| 117 |
+++ b/policy/modules/contrib/mta.te |
| 118 |
@@ -1,4 +1,4 @@ |
| 119 |
-policy_module(mta, 2.8.5) |
| 120 |
+policy_module(mta, 2.8.6) |
| 121 |
|
| 122 |
######################################## |
| 123 |
# |
| 124 |
@@ -205,6 +205,11 @@ init_rw_stream_sockets(system_mail_t) |
| 125 |
userdom_use_user_terminals(system_mail_t) |
| 126 |
|
| 127 |
optional_policy(` |
| 128 |
+ apt_use_fds(system_mail_t) |
| 129 |
+ apt_use_ptys(system_mail_t) |
| 130 |
+') |
| 131 |
+ |
| 132 |
+optional_policy(` |
| 133 |
apache_read_squirrelmail_data(system_mail_t) |
| 134 |
apache_append_squirrelmail_data(system_mail_t) |
| 135 |
apache_dontaudit_append_log(system_mail_t) |
Archives