On 29/02/08 16:32, Christopher J. PeBenito wrote: > On Fri, 2008-02-29 at 15:29 +0000, Martin Orr wrote: >> The attached patch is what I am using to deal with this. (I'm not sure if >> it should be apt_dontaudit_use_fds(ldconfig_t) or apt_use_fds(ldconfig_t) >> but dontaudit is what the Debian policy package uses.) > > You probably want to allow it otherwise ldconfig won't inherit the fds > that point to the apt pty. By denying the inheritance on an enforcing > system, fd 0,1,2 will be closed and reopened to /dev/null, so you lose > any ldconfig output. Here's an updated patch, with apt_use_fds(ldconfig_t). This also lets dpkg_t and dpkg_script_t use initrc ptys, so that se_dpkg works. Best wishes, -- Martin Orr
Written by: Martin Orr with bits from: srivasta@xxxxxxxxxxxxxxxxx/refpolicy--debian--0.0--patch-12 srivasta@xxxxxxxxxxxxxxxxx/refpolicy--debian--0.0--patch-13 Combines 501_apt_create_pty 365_apt_fixes Cope with apt creating a new pty to run dpkg Also let dpkg use initrc ptys for se_dpkg Index: policy/modules/admin/apt.fc =================================================================== --- policy/modules/admin/apt.fc.orig 2008-03-01 13:38:13.000000000 +0000 +++ policy/modules/admin/apt.fc 2008-03-01 13:38:16.000000000 +0000 @@ -11,3 +11,6 @@ # package list repository /var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0) /var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0) + +# dpkg terminal log +/var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0) Index: policy/modules/admin/apt.if =================================================================== --- policy/modules/admin/apt.if.orig 2008-03-01 13:38:13.000000000 +0000 +++ policy/modules/admin/apt.if 2008-03-01 13:38:16.000000000 +0000 @@ -111,6 +111,24 @@ ######################################## ## <summary> +## Read from and write to apt ptys. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`apt_use_ptys',` + gen_require(` + type apt_devpts_t; + ') + + allow $1 apt_devpts_t:chr_file rw_term_perms; +') + +######################################## +## <summary> ## Read the apt package database. ## </summary> ## <param name="domain"> Index: policy/modules/admin/apt.te =================================================================== --- policy/modules/admin/apt.te.orig 2008-03-01 13:38:13.000000000 +0000 +++ policy/modules/admin/apt.te 2008-03-01 14:53:50.000000000 +0000 @@ -1,5 +1,5 @@ -policy_module(apt,1.3.0) +policy_module(apt,1.3.1) ######################################## # @@ -26,6 +26,13 @@ type apt_var_cache_t alias var_cache_apt_t; files_type(apt_var_cache_t) +type apt_var_log_t alias var_log_apt_t; +logging_log_file(apt_var_log_t) + +# pseudo terminal for running dpkg +type apt_devpts_t; +term_pty(apt_devpts_t) + ######################################## # # apt Local policy @@ -97,6 +104,7 @@ fs_getattr_all_fs(apt_t) +term_create_pty(apt_t, apt_devpts_t) term_list_ptys(apt_t) term_use_all_terms(apt_t) Index: policy/modules/admin/dpkg.te =================================================================== --- policy/modules/admin/dpkg.te.orig 2008-03-01 13:38:13.000000000 +0000 +++ policy/modules/admin/dpkg.te 2008-03-01 14:53:48.000000000 +0000 @@ -150,6 +150,7 @@ files_exec_etc_files(dpkg_t) init_domtrans_script(dpkg_t) +init_use_script_ptys(dpkg_t) libs_use_ld_so(dpkg_t) libs_use_shared_libs(dpkg_t) @@ -172,6 +173,10 @@ # since the scripts aren't labeled correctly yet... allow dpkg_t dpkg_var_lib_t:file execute; +optional_policy(` + apt_use_ptys(dpkg_t) +') + # TODO: allow? #optional_policy(` # cron_system_entry(dpkg_t,dpkg_exec_t) @@ -290,6 +295,7 @@ auth_manage_all_files_except_shadow(dpkg_script_t) init_domtrans_script(dpkg_script_t) +init_use_script_fds(dpkg_script_t) libs_use_ld_so(dpkg_script_t) libs_use_shared_libs(dpkg_script_t) @@ -314,6 +320,11 @@ ') optional_policy(` + apt_rw_pipes(dpkg_script_t) + apt_use_fds(dpkg_script_t) +') + +optional_policy(` bootloader_domtrans(dpkg_script_t) ') Index: policy/modules/system/libraries.te =================================================================== --- policy/modules/system/libraries.te.orig 2008-03-01 13:38:13.000000000 +0000 +++ policy/modules/system/libraries.te 2008-03-01 14:48:40.000000000 +0000 @@ -98,6 +98,12 @@ ') optional_policy(` + apt_rw_pipes(ldconfig_t) + apt_use_fds(ldconfig_t) + apt_use_ptys(ldconfig_t) +') + +optional_policy(` # When you install a kernel the postinstall builds a initrd image in tmp # and executes ldconfig on it. If you dont allow this kernel installs # blow up.
