Oreon-Lime-R2/selinux-policy/selinux-policy-d9f4a2b/selinux-policy-d9f4a2bbeb91fd95d0c35a90936efb9ea99d2455/policy/modules/contrib/dpkg.if

244 lines
4.6 KiB
Text

## <summary>Debian package manager.</summary>
########################################
## <summary>
## Execute dpkg programs in the dpkg domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`dpkg_domtrans',`
gen_require(`
type dpkg_t, dpkg_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, dpkg_exec_t, dpkg_t)
')
########################################
## <summary>
## Execute the dkpg in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dpkg_exec',`
gen_require(`
type dpkg_exec_t;
')
corecmd_search_bin($1)
can_exec($1, dpkg_exec_t)
')
########################################
## <summary>
## Execute dpkg_script programs in
## the dpkg_script domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`dpkg_domtrans_script',`
gen_require(`
type dpkg_script_t;
')
corecmd_shell_domtrans($1, dpkg_script_t)
allow dpkg_script_t $1:fd use;
allow dpkg_script_t $1:fifo_file rw_file_perms;
allow dpkg_script_t $1:process sigchld;
')
########################################
## <summary>
## Execute dpkg programs in the dpkg domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`dpkg_run',`
gen_require(`
attribute_role dpkg_roles;
')
dpkg_domtrans($1)
roleattribute $2 dpkg_roles;
')
########################################
## <summary>
## Inherit and use file descriptors from dpkg.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dpkg_use_fds',`
gen_require(`
type dpkg_t;
')
allow $1 dpkg_t:fd use;
')
########################################
## <summary>
## Read from unnamed dpkg pipes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dpkg_read_pipes',`
gen_require(`
type dpkg_t;
')
allow $1 dpkg_t:fifo_file read_fifo_file_perms;
')
########################################
## <summary>
## Read and write unnamed dpkg pipes.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dpkg_rw_pipes',`
gen_require(`
type dpkg_t;
')
allow $1 dpkg_t:fifo_file rw_fifo_file_perms;
')
########################################
## <summary>
## Inherit and use file descriptors
## from dpkg scripts.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dpkg_use_script_fds',`
gen_require(`
type dpkg_script_t;
')
allow $1 dpkg_script_t:fd use;
')
########################################
## <summary>
## Read dpkg package database content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dpkg_read_db',`
gen_require(`
type dpkg_var_lib_t;
')
files_search_var_lib($1)
allow $1 dpkg_var_lib_t:dir list_dir_perms;
read_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
read_lnk_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
')
########################################
## <summary>
## Create, read, write, and delete
## dpkg package database content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dpkg_manage_db',`
gen_require(`
type dpkg_var_lib_t;
')
files_search_var_lib($1)
manage_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
manage_lnk_files_pattern($1, dpkg_var_lib_t, dpkg_var_lib_t)
')
########################################
## <summary>
## Do not audit attempts to create,
## read, write, and delete dpkg
## package database content.
## </summary>
## <param name="domain">
## <summary>
## Domain to not audit.
## </summary>
## </param>
#
interface(`dpkg_dontaudit_manage_db',`
gen_require(`
type dpkg_var_lib_t;
')
dontaudit $1 dpkg_var_lib_t:dir rw_dir_perms;
dontaudit $1 dpkg_var_lib_t:file manage_file_perms;
dontaudit $1 dpkg_var_lib_t:lnk_file manage_lnk_file_perms;
')
########################################
## <summary>
## Create, read, write, and delete
## dpkg lock files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`dpkg_lock_db',`
gen_require(`
type dpkg_lock_t, dpkg_var_lib_t;
')
files_search_var_lib($1)
allow $1 dpkg_var_lib_t:dir list_dir_perms;
allow $1 dpkg_lock_t:file manage_file_perms;
')