1 |
commit: 5c0380690178b590981b61a84253b8ca67452d65 |
2 |
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> |
3 |
AuthorDate: Sat Apr 29 15:13:24 2017 +0000 |
4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
5 |
CommitDate: Sun Apr 30 14:17:45 2017 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5c038069 |
7 |
|
8 |
apt/dpkg strict patches from Russell Coker. |
9 |
|
10 |
The following are needed for correct operation of apt and dpkg on a "strict" |
11 |
configuration. |
12 |
|
13 |
policy/modules/contrib/apt.te | 6 ++++-- |
14 |
policy/modules/contrib/dpkg.if | 20 ++++++++++++++++++++ |
15 |
policy/modules/contrib/dpkg.te | 5 ++++- |
16 |
policy/modules/contrib/mta.te | 7 ++++++- |
17 |
4 files changed, 34 insertions(+), 4 deletions(-) |
18 |
|
19 |
diff --git a/policy/modules/contrib/apt.te b/policy/modules/contrib/apt.te |
20 |
index dc6f09b1..63b93257 100644 |
21 |
--- a/policy/modules/contrib/apt.te |
22 |
+++ b/policy/modules/contrib/apt.te |
23 |
@@ -1,4 +1,4 @@ |
24 |
-policy_module(apt, 1.10.2) |
25 |
+policy_module(apt, 1.10.3) |
26 |
|
27 |
######################################## |
28 |
# |
29 |
@@ -39,7 +39,7 @@ logging_log_file(apt_var_log_t) |
30 |
# Local policy |
31 |
# |
32 |
|
33 |
-allow apt_t self:capability { chown dac_override fowner fsetid }; |
34 |
+allow apt_t self:capability { chown dac_override fowner fsetid kill setgid setuid }; |
35 |
allow apt_t self:process { signal setpgid fork }; |
36 |
allow apt_t self:fd use; |
37 |
allow apt_t self:fifo_file rw_fifo_file_perms; |
38 |
@@ -69,12 +69,14 @@ manage_sock_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t) |
39 |
fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file }) |
40 |
|
41 |
manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t) |
42 |
+manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t) |
43 |
files_var_filetrans(apt_t, apt_var_cache_t, dir) |
44 |
|
45 |
manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t) |
46 |
files_var_lib_filetrans(apt_t, apt_var_lib_t, dir) |
47 |
|
48 |
allow apt_t apt_var_log_t:file manage_file_perms; |
49 |
+allow apt_t apt_var_log_t:dir manage_dir_perms; |
50 |
logging_log_filetrans(apt_t, apt_var_log_t, file) |
51 |
|
52 |
can_exec(apt_t, apt_exec_t) |
53 |
|
54 |
diff --git a/policy/modules/contrib/dpkg.if b/policy/modules/contrib/dpkg.if |
55 |
index 081134f2..c753ad62 100644 |
56 |
--- a/policy/modules/contrib/dpkg.if |
57 |
+++ b/policy/modules/contrib/dpkg.if |
58 |
@@ -179,6 +179,26 @@ interface(`dpkg_use_script_fds',` |
59 |
|
60 |
######################################## |
61 |
## <summary> |
62 |
+## Inherit and use file descriptors |
63 |
+## from dpkg scripts. |
64 |
+## </summary> |
65 |
+## <param name="domain"> |
66 |
+## <summary> |
67 |
+## Domain allowed access. |
68 |
+## </summary> |
69 |
+## </param> |
70 |
+# |
71 |
+interface(`dpkg_script_rw_inherited_pipes',` |
72 |
+ gen_require(` |
73 |
+ type dpkg_script_t; |
74 |
+ ') |
75 |
+ |
76 |
+ allow $1 dpkg_script_t:fd use; |
77 |
+ allow $1 dpkg_script_t:fifo_file rw_inherited_file_perms; |
78 |
+') |
79 |
+ |
80 |
+######################################## |
81 |
+## <summary> |
82 |
## Read dpkg package database content. |
83 |
## </summary> |
84 |
## <param name="domain"> |
85 |
|
86 |
diff --git a/policy/modules/contrib/dpkg.te b/policy/modules/contrib/dpkg.te |
87 |
index a91e4896..e781815d 100644 |
88 |
--- a/policy/modules/contrib/dpkg.te |
89 |
+++ b/policy/modules/contrib/dpkg.te |
90 |
@@ -1,4 +1,4 @@ |
91 |
-policy_module(dpkg, 1.11.6) |
92 |
+policy_module(dpkg, 1.11.7) |
93 |
|
94 |
######################################## |
95 |
# |
96 |
@@ -42,6 +42,8 @@ role dpkg_roles types dpkg_script_t; |
97 |
|
98 |
type dpkg_script_tmp_t; |
99 |
files_tmp_file(dpkg_script_tmp_t) |
100 |
+# out of order to work around compiler issue |
101 |
+domain_entry_file(dpkg_script_t, dpkg_script_tmp_t) |
102 |
|
103 |
type dpkg_script_tmpfs_t; |
104 |
files_tmpfs_file(dpkg_script_tmpfs_t) |
105 |
@@ -69,6 +71,7 @@ allow dpkg_t self:msg { send receive }; |
106 |
allow dpkg_t dpkg_lock_t:file manage_file_perms; |
107 |
|
108 |
spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t) |
109 |
+spec_domtrans_pattern(dpkg_t, dpkg_script_tmp_t, dpkg_script_t) |
110 |
|
111 |
manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t) |
112 |
manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t) |
113 |
|
114 |
diff --git a/policy/modules/contrib/mta.te b/policy/modules/contrib/mta.te |
115 |
index 2baa07c9..caa21fb9 100644 |
116 |
--- a/policy/modules/contrib/mta.te |
117 |
+++ b/policy/modules/contrib/mta.te |
118 |
@@ -1,4 +1,4 @@ |
119 |
-policy_module(mta, 2.8.5) |
120 |
+policy_module(mta, 2.8.6) |
121 |
|
122 |
######################################## |
123 |
# |
124 |
@@ -205,6 +205,11 @@ init_rw_stream_sockets(system_mail_t) |
125 |
userdom_use_user_terminals(system_mail_t) |
126 |
|
127 |
optional_policy(` |
128 |
+ apt_use_fds(system_mail_t) |
129 |
+ apt_use_ptys(system_mail_t) |
130 |
+') |
131 |
+ |
132 |
+optional_policy(` |
133 |
apache_read_squirrelmail_data(system_mail_t) |
134 |
apache_append_squirrelmail_data(system_mail_t) |
135 |
apache_dontaudit_append_log(system_mail_t) |