Oreon-Lime-R2/selinux-policy/selinux-policy-d9f4a2b/selinux-policy-d9f4a2bbeb91fd95d0c35a90936efb9ea99d2455/policy/modules/contrib/rpm.if

1053 lines
21 KiB
Text
Raw Normal View History

## <summary>Policy for the RPM package manager.</summary>
########################################
## <summary>
## Execute rpm programs in the rpm domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`rpm_domtrans',`
gen_require(`
type rpm_t, rpm_exec_t;
attribute rpm_transition_domain;
')
corecmd_search_bin($1)
domtrans_pattern($1, rpm_exec_t, rpm_t)
typeattribute $1 rpm_transition_domain;
rpm_debuginfo_domtrans($1)
')
########################################
## <summary>
## Execute debuginfo_install programs in the rpm domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`rpm_debuginfo_domtrans',`
gen_require(`
type rpm_t, debuginfo_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, debuginfo_exec_t, rpm_t)
read_lnk_files_pattern($1, debuginfo_exec_t, debuginfo_exec_t)
')
########################################
## <summary>
## Execute rpm_script programs in the rpm_script domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`rpm_domtrans_script',`
gen_require(`
type rpm_script_t;
')
# transition to rpm script:
corecmd_shell_domtrans($1, rpm_script_t)
allow rpm_script_t $1:fd use;
allow rpm_script_t $1:fifo_file rw_file_perms;
allow rpm_script_t $1:process sigchld;
')
########################################
## <summary>
## Execute RPM programs in the RPM domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to allow the RPM domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`rpm_run',`
gen_require(`
type rpm_t, rpm_script_t;
attribute_role rpm_script_roles;
')
rpm_domtrans($1)
roleattribute $2 rpm_script_roles;
domain_system_change_exemption($1)
rpm_transition_script($1, $2)
')
########################################
## <summary>
## Execute the rpm client in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_exec',`
gen_require(`
type rpm_exec_t;
')
corecmd_search_bin($1)
can_exec($1, rpm_exec_t)
')
########################################
## <summary>
## Execute rpmdb in the rpmdb domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`rpmdb_domtrans_rpmdb',`
gen_require(`
type rpmdb_t, rpmdb_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, rpmdb_exec_t, rpmdb_t)
')
########################################
## <summary>
## Execute rpmdb in the rpmdb domain,
## and allow the specified role the rpmdb domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
#
interface(`rpmdb_run_rpmdb',`
gen_require(`
attribute_role rpmdb_roles;
')
rpmdb_domtrans_rpmdb($1)
roleattribute $2 rpmdb_roles;
')
########################################
## <summary>
## Do not audit to execute a rpm.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`rpm_dontaudit_exec',`
gen_require(`
type rpm_exec_t;
')
dontaudit $1 rpm_exec_t:file exec_file_perms;
')
########################################
## <summary>
## Send a kill signal to rpm.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_sigkill',`
gen_require(`
type rpm_t;
')
allow $1 rpm_t:process sigkill;
')
########################################
## <summary>
## Send a null signal to rpm.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_signull',`
gen_require(`
type rpm_t;
')
allow $1 rpm_t:process signull;
')
########################################
## <summary>
## Send a signals to rpm.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_script_signal',`
gen_require(`
type rpm_script_t;
')
allow $1 rpm_script_t:process signal;
')
########################################
## <summary>
## Inherit and use file descriptors from RPM.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_use_fds',`
gen_require(`
type rpm_t;
')
allow $1 rpm_t:fd use;
')
########################################
## <summary>
## Read from an unnamed RPM pipe.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_read_pipes',`
gen_require(`
type rpm_t;
')
allow $1 rpm_t:fifo_file read_fifo_file_perms;
')
########################################
## <summary>
## Read and write an unnamed RPM pipe.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_rw_pipes',`
gen_require(`
type rpm_t;
')
allow $1 rpm_t:fifo_file rw_fifo_file_perms;
')
########################################
## <summary>
## Read and write an unnamed RPM script pipe.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_rw_script_inherited_pipes',`
gen_require(`
type rpm_script_tmp_t;
')
allow $1 rpm_script_tmp_t:fifo_file rw_inherited_fifo_file_perms;
')
########################################
## <summary>
## dontaudit read and write an leaked file descriptors
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`rpm_dontaudit_leaks',`
gen_require(`
type rpm_t, rpm_var_cache_t;
type rpm_script_t, rpm_var_run_t, rpm_tmp_t;
type rpm_tmpfs_t, rpm_script_tmp_t, rpm_var_lib_t;
')
dontaudit $1 rpm_t:fifo_file rw_inherited_fifo_file_perms;
dontaudit $1 rpm_t:tcp_socket { read write };
dontaudit $1 rpm_t:unix_dgram_socket { read write };
dontaudit $1 rpm_t:shm rw_shm_perms;
dontaudit $1 rpm_script_t:fd use;
dontaudit $1 rpm_script_t:fifo_file rw_inherited_fifo_file_perms;
dontaudit $1 rpm_var_run_t:file rw_inherited_file_perms;
dontaudit $1 rpm_tmp_t:file rw_inherited_file_perms;
dontaudit $1 rpm_tmpfs_t:dir rw_dir_perms;
dontaudit $1 rpm_tmpfs_t:file rw_inherited_file_perms;
dontaudit $1 rpm_script_tmp_t:file rw_inherited_file_perms;
dontaudit $1 rpm_var_lib_t:dir getattr;
dontaudit $1 rpm_var_lib_t:file rw_inherited_file_perms;
dontaudit $1 rpm_var_cache_t:file rw_inherited_file_perms;
')
########################################
## <summary>
## Send and receive messages from
## rpm over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_dbus_chat',`
gen_require(`
type rpm_t;
class dbus send_msg;
')
allow $1 rpm_t:dbus send_msg;
allow rpm_t $1:dbus send_msg;
')
########################################
## <summary>
## Do not audit attempts to send and
## receive messages from rpm over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`rpm_dontaudit_dbus_chat',`
gen_require(`
type rpm_t;
class dbus send_msg;
')
dontaudit $1 rpm_t:dbus send_msg;
dontaudit rpm_t $1:dbus send_msg;
')
########################################
## <summary>
## Send and receive messages from
## rpm_script over dbus.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_script_dbus_chat',`
gen_require(`
type rpm_script_t;
class dbus send_msg;
')
allow $1 rpm_script_t:dbus send_msg;
allow rpm_script_t $1:dbus send_msg;
')
########################################
## <summary>
## Connect to rpm unix stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_stream_connect',`
gen_require(`
type rpm_t;
')
allow $1 rpm_t:unix_stream_socket connectto;
')
########################################
## <summary>
## Search RPM log directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_search_log',`
gen_require(`
type rpm_log_t;
')
logging_search_logs($1)
allow $1 rpm_log_t:dir search_dir_perms;
')
#####################################
## <summary>
## Allow the specified domain to append
## to rpm log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_append_log',`
gen_require(`
type rpm_log_t;
')
allow $1 rpm_log_t:file append_inherited_file_perms;
')
########################################
## <summary>
## Create, read, write, and delete the RPM log.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_read_log',`
gen_require(`
type rpm_log_t;
')
read_files_pattern($1, rpm_log_t, rpm_log_t)
')
########################################
## <summary>
## Create, read, write, and delete the RPM log.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_manage_log',`
gen_require(`
type rpm_log_t;
')
logging_rw_generic_log_dirs($1)
allow $1 rpm_log_t:file manage_file_perms;
')
########################################
## <summary>
## Create rpm logs with an correct label.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_named_filetrans',`
gen_require(`
type rpm_log_t;
type rpm_var_cache_t;
type rpm_var_lib_t;
')
logging_log_named_filetrans($1, rpm_log_t, file, "dnf.log")
logging_log_named_filetrans($1, rpm_log_t, file, "dnf.librepo.log")
logging_log_named_filetrans($1, rpm_log_t, file, "dnf.rpm.log")
logging_log_named_filetrans($1, rpm_log_t, file, "yum.log")
logging_log_named_filetrans($1, rpm_log_t, file, "hawkey.log")
logging_log_named_filetrans($1, rpm_log_t, file, "up2date")
files_var_filetrans($1, rpm_var_cache_t, dir, "dnf")
files_var_filetrans($1, rpm_var_cache_t, dir, "yum")
files_var_lib_filetrans($1, rpm_var_lib_t, dir, "dnf")
files_var_lib_filetrans($1, rpm_var_lib_t, dir, "yum")
files_var_lib_filetrans($1, rpm_var_lib_t, dir, "rpm")
files_var_lib_filetrans($1, rpm_var_lib_t, dir, "rpmrebuilddb")
')
########################################
## <summary>
## Create rpm hawkey logs with an correct label.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_hawkey_named_filetrans',`
gen_require(`
type rpm_log_t;
')
allow $1 rpm_log_t:file manage_file_perms;
logging_log_named_filetrans($1, rpm_log_t, file, "hawkey.log")
')
########################################
## <summary>
## Inherit and use file descriptors from RPM scripts.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_use_script_fds',`
gen_require(`
type rpm_script_t;
')
allow $1 rpm_script_t:fd use;
')
########################################
## <summary>
## Create, read, write, and delete RPM
## script temporary files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_manage_script_tmp_files',`
gen_require(`
type rpm_script_tmp_t;
')
files_search_tmp($1)
manage_dirs_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
manage_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
manage_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
')
#####################################
## <summary>
## Allow the specified domain to append
## to rpm tmp files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_append_tmp_files',`
gen_require(`
type rpm_tmp_t;
')
allow $1 rpm_tmp_t:file append_inherited_file_perms;
')
########################################
## <summary>
## Create, read, write, and delete RPM
## temporary files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_manage_tmp_files',`
gen_require(`
type rpm_tmp_t;
')
files_search_tmp($1)
manage_dirs_pattern($1, rpm_tmp_t, rpm_tmp_t)
manage_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
manage_lnk_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
')
########################################
## <summary>
## Read rpm temporary files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_read_tmp_files',`
gen_require(`
type rpm_tmp_t;
')
files_search_tmp($1)
list_dirs_pattern($1, rpm_tmp_t, rpm_tmp_t)
read_files_pattern($1, rpm_tmp_t, rpm_tmp_t)
')
########################################
## <summary>
## Read RPM script temporary files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_read_script_tmp_files',`
gen_require(`
type rpm_script_tmp_t;
')
files_search_tmp($1)
read_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
read_lnk_files_pattern($1, rpm_script_tmp_t, rpm_script_tmp_t)
')
########################################
## <summary>
## Read the RPM cache.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_read_cache',`
gen_require(`
type rpm_var_cache_t;
')
files_search_var($1)
allow $1 rpm_var_cache_t:dir list_dir_perms;
read_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
read_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
')
########################################
## <summary>
## Create, read, write, and delete the RPM package database.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_manage_cache',`
gen_require(`
type rpm_var_cache_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
manage_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
manage_lnk_files_pattern($1, rpm_var_cache_t, rpm_var_cache_t)
')
########################################
## <summary>
## Read the RPM package database.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_read_db',`
gen_require(`
type rpm_var_lib_t;
')
files_search_var_lib($1)
allow $1 rpm_var_lib_t:dir list_dir_perms;
read_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
read_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
allow $1 rpm_var_lib_t:file map;
rpm_read_cache($1)
')
########################################
## <summary>
## Set the attributes of RPM package database.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_setattr_db_files',`
gen_require(`
type rpm_var_lib_t;
')
files_search_var_lib($1)
setattr_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
')
########################################
## <summary>
## Delete the RPM package database.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_delete_db',`
gen_require(`
type rpm_var_lib_t;
')
files_search_var_lib($1)
delete_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
')
########################################
## <summary>
## Create, read, write, and delete the RPM package database.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_manage_db',`
gen_require(`
type rpm_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
manage_lnk_files_pattern($1, rpm_var_lib_t, rpm_var_lib_t)
allow $1 rpm_var_lib_t:file map;
')
########################################
## <summary>
## Do not audit attempts to create, read,the RPM package database.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`rpm_dontaudit_read_db',`
gen_require(`
type rpm_var_lib_t;
')
dontaudit $1 rpm_var_lib_t:dir list_dir_perms;
dontaudit $1 rpm_var_lib_t:file read_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file read_lnk_file_perms;
')
########################################
## <summary>
## Do not audit attempts to create, read,
## write, and delete the RPM package database.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`rpm_dontaudit_manage_db',`
gen_require(`
type rpm_var_lib_t;
')
dontaudit $1 rpm_var_lib_t:dir manage_dir_perms;
dontaudit $1 rpm_var_lib_t:file manage_file_perms;
dontaudit $1 rpm_var_lib_t:lnk_file manage_lnk_file_perms;
dontaudit $1 rpm_var_lib_t:file map;
')
#####################################
## <summary>
## Read rpm pid files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_read_pid_files',`
gen_require(`
type rpm_var_run_t;
')
read_files_pattern($1, rpm_var_run_t, rpm_var_run_t)
files_search_pids($1)
')
#####################################
## <summary>
## Create, read, write, and delete rpm pid files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_manage_pid_files',`
gen_require(`
type rpm_var_run_t;
')
manage_files_pattern($1, rpm_var_run_t, rpm_var_run_t)
files_search_pids($1)
')
######################################
## <summary>
## Create files in /var/run with the rpm pid file type.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_pid_filetrans',`
gen_require(`
type rpm_var_run_t;
')
files_pid_filetrans($1, rpm_var_run_t, file)
')
########################################
## <summary>
## Send a null signal to rpm.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_inherited_fifo',`
gen_require(`
attribute rpm_transition_domain;
')
allow $1 rpm_transition_domain:fifo_file rw_inherited_fifo_file_perms;
')
########################################
## <summary>
## Make rpm_exec_t an entry point for
## the specified domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_entry_type',`
gen_require(`
type rpm_exec_t;
')
domain_entry_file($1, rpm_exec_t)
')
########################################
## <summary>
## Allow application to transition to rpm_script domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
#
interface(`rpm_transition_script',`
gen_require(`
type rpm_script_t;
attribute rpm_transition_domain;
attribute_role rpm_script_roles;
')
typeattribute $1 rpm_transition_domain;
allow $1 rpm_script_t:process transition;
roleattribute $2 rpm_script_roles;
allow $1 rpm_script_t:fd use;
allow rpm_script_t $1:fd use;
allow rpm_script_t $1:fifo_file rw_fifo_file_perms;
allow rpm_script_t $1:process sigchld;
')
#######################################
## <summary>
## All of the rules required to
## administrate an rpm environment.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`rpm_admin',`
gen_require(`
type rpm_t, rpm_script_t, rpm_initrc_exec_t;
type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t;
type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t;
type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t;
type rpm_var_run_t;
')
allow $1 { rpm_t rpm_script_t }:process { ptrace signal_perms };
ps_process_pattern($1, { rpm_t rpm_script_t })
init_labeled_script_domtrans($1, rpm_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 rpm_initrc_exec_t system_r;
allow $2 system_r;
admin_pattern($1, rpm_file_t)
files_list_tmp($1)
admin_pattern($1, { rpm_tmp_t rpm_script_tmp_t })
files_list_var_lib($1)
admin_pattern($1, rpm_var_lib_t)
files_search_locks($1)
admin_pattern($1, rpm_lock_t)
logging_list_logs($1)
admin_pattern($1, rpm_log_t)
files_list_pids($1)
admin_pattern($1, rpm_var_run_t)
fs_search_tmpfs($1)
admin_pattern($1, { rpm_tmpfs_t rpm_script_tmpfs_t })
rpm_run($1, $2)
')
#######################################
## <summary>
## Allow the specified domain to ioctl rpm_script_t
## with a unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_script_ioctl_stream_sockets',`
gen_require(`
type rpm_script_t;
')
allow $1 rpm_script_t:unix_stream_socket ioctl;
')
#######################################
## <summary>
## Allow the specified domain read and write to rpm_script_t
## over a unix domain stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`rpm_script_rw_stream_sockets',`
gen_require(`
type rpm_script_t;
')
allow $1 rpm_script_t:unix_stream_socket { rw_socket_perms };
')