## Advanced package tool. ######################################## ## ## Execute apt programs in the apt domain. ## ## ## ## Domain allowed to transition. ## ## # interface(`apt_domtrans',` gen_require(` type apt_t, apt_exec_t; ') corecmd_search_bin($1) domtrans_pattern($1, apt_exec_t, apt_t) ') ######################################## ## ## Execute the apt in the caller domain. ## ## ## ## Domain allowed access. ## ## # interface(`apt_exec',` gen_require(` type apt_exec_t; ') corecmd_search_bin($1) can_exec($1, apt_exec_t) ') ######################################## ## ## Execute apt programs in the apt domain. ## ## ## ## Domain allowed to transition. ## ## ## ## ## Role allowed access. ## ## ## # interface(`apt_run',` gen_require(` attribute_role apt_roles; ') apt_domtrans($1) roleattribute $2 apt_roles; ') ######################################## ## ## Use apt file descriptors. ## ## ## ## Domain allowed access. ## ## # interface(`apt_use_fds',` gen_require(` type apt_t; ') allow $1 apt_t:fd use; ') ######################################## ## ## Do not audit attempts to use ## apt file descriptors. ## ## ## ## Domain to not audit. ## ## # interface(`apt_dontaudit_use_fds',` gen_require(` type apt_t; ') dontaudit $1 apt_t:fd use; ') ######################################## ## ## Read apt unnamed pipes. ## ## ## ## Domain allowed access. ## ## # interface(`apt_read_pipes',` gen_require(` type apt_t; ') allow $1 apt_t:fifo_file read_fifo_file_perms; ') ######################################## ## ## Read and write apt unnamed pipes. ## ## ## ## Domain allowed access. ## ## # interface(`apt_rw_pipes',` gen_require(` type apt_t; ') allow $1 apt_t:fifo_file rw_file_perms; ') ######################################## ## ## Read and write apt ptys. ## ## ## ## Domain allowed access. ## ## # interface(`apt_use_ptys',` gen_require(` type apt_devpts_t; ') allow $1 apt_devpts_t:chr_file rw_term_perms; ') ######################################## ## ## Read apt package cache content. ## ## ## ## Domain allowed access. ## ## # interface(`apt_read_cache',` gen_require(` type apt_var_cache_t; ') files_search_var($1) allow $1 apt_var_cache_t:dir list_dir_perms; dontaudit $1 apt_var_cache_t:dir rw_dir_perms; allow $1 apt_var_cache_t:file read_file_perms; ') ######################################## ## ## Read apt package database content. ## ## ## ## Domain allowed access. ## ## # interface(`apt_read_db',` gen_require(` type apt_var_lib_t; ') files_search_var_lib($1) allow $1 apt_var_lib_t:dir list_dir_perms; read_files_pattern($1, apt_var_lib_t, apt_var_lib_t) read_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t) ') ######################################## ## ## Create, read, write, and delete ## apt package database content. ## ## ## ## Domain allowed access. ## ## # interface(`apt_manage_db',` gen_require(` type apt_var_lib_t; ') files_search_var_lib($1) manage_files_pattern($1, apt_var_lib_t, apt_var_lib_t) manage_lnk_files_pattern($1, apt_var_lib_t, apt_var_lib_t) ') ######################################## ## ## Do not audit attempts to create, ## read, write, and delete apt ## package database content. ## ## ## ## Domain to not audit. ## ## # interface(`apt_dontaudit_manage_db',` gen_require(` type apt_var_lib_t; ') dontaudit $1 apt_var_lib_t:dir rw_dir_perms; dontaudit $1 apt_var_lib_t:file manage_file_perms; dontaudit $1 apt_var_lib_t:lnk_file manage_lnk_file_perms; ')