[refpolicy] [Apt 1/1] Clean up Apt module.

All of lore.kernel.org
 help / color / mirror / Atom feed

* [refpolicy] [Apt 1/1] Clean up Apt module.
@ 2010-09-03 15:50 Dominick Grift
  0 siblings, 0 replies; only message in thread
From: Dominick Grift @ 2010-09-03 15:50 UTC (permalink / raw)
  To: refpolicy

Signed-off-by: Dominick Grift <domg472@gmail.com>
---
:100644 100644 e4f4850... 1f65fbe... M	policy/modules/admin/apt.fc
:100644 100644 e696b80... eaf17d0... M	policy/modules/admin/apt.if
:100644 100644 4044710... 9a37f79... M	policy/modules/admin/apt.te
 policy/modules/admin/apt.fc |    9 +--------
 policy/modules/admin/apt.if |   35 ++++++++++++++++++++---------------
 policy/modules/admin/apt.te |    9 ---------
 3 files changed, 21 insertions(+), 32 deletions(-)

diff --git a/policy/modules/admin/apt.fc b/policy/modules/admin/apt.fc
index e4f4850..1f65fbe 100644
--- a/policy/modules/admin/apt.fc
+++ b/policy/modules/admin/apt.fc
@@ -1,21 +1,14 @@
 /usr/bin/apt-get		--	gen_context(system_u:object_r:apt_exec_t,s0)
-# apt-shell is redhat specific
 /usr/bin/apt-shell		--	gen_context(system_u:object_r:apt_exec_t,s0)
-# other package managers
 /usr/bin/aptitude		--	gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/sbin/synaptic		--	gen_context(system_u:object_r:apt_exec_t,s0)
 
-# package cache repository
 /var/cache/apt(/.*)?			gen_context(system_u:object_r:apt_var_cache_t,s0)
 
-# package list repository
 /var/lib/apt(/.*)?			gen_context(system_u:object_r:apt_var_lib_t,s0)
 /var/lib/aptitude(/.*)?		gen_context(system_u:object_r:apt_var_lib_t,s0)
 
-# aptitude lock
 /var/lock/aptitude			gen_context(system_u:object_r:apt_lock_t,s0)
-# aptitude log
-/var/log/aptitude			gen_context(system_u:object_r:apt_var_log_t,s0)
 
-# dpkg terminal log
+/var/log/aptitude			gen_context(system_u:object_r:apt_var_log_t,s0)
 /var/log/apt(/.*)?			gen_context(system_u:object_r:apt_var_log_t,s0)
diff --git a/policy/modules/admin/apt.if b/policy/modules/admin/apt.if
index e696b80..eaf17d0 100644
--- a/policy/modules/admin/apt.if
+++ b/policy/modules/admin/apt.if
@@ -2,7 +2,7 @@
 
 ########################################
 ## <summary>
-##	Execute apt programs in the apt domain.
+##	Execute a domain transition to run Apt.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -15,14 +15,19 @@ interface(`apt_domtrans',`
 		type apt_t, apt_exec_t;
 	')
 
-	files_search_usr($1)
 	corecmd_search_bin($1)
 	domtrans_pattern($1, apt_exec_t, apt_t)
+
+	ifndef(`distro_redhat',`
+		files_search_usr($1)
+	')
 ')
 
 ########################################
 ## <summary>
-##	Execute apt programs in the apt domain.
+##	Execute a domain transition to run
+##	Apt, and allow the specified role
+##	the Apt domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -31,7 +36,7 @@ interface(`apt_domtrans',`
 ## </param>
 ## <param name="role">
 ##	<summary>
-##	The role to allow the apt domain.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
@@ -43,12 +48,11 @@ interface(`apt_run',`
 
 	apt_domtrans($1)
 	role $2 types apt_t;
-	# TODO: likely have to add dpkg_run here.
 ')
 
 ########################################
 ## <summary>
-##	Inherit and use file descriptors from apt.
+##	Inherit and use file descriptors from Apt.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -67,7 +71,8 @@ interface(`apt_use_fds',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to use file descriptors from apt.
+##	Do not audit attempts to use file
+##	descriptors from Apt.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -85,7 +90,7 @@ interface(`apt_dontaudit_use_fds',`
 
 ########################################
 ## <summary>
-##	Read from an unnamed apt pipe.
+##	Read from an unnamed Apt pipe.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -104,7 +109,7 @@ interface(`apt_read_pipes',`
 
 ########################################
 ## <summary>
-##	Read and write an unnamed apt pipe.
+##	Read and write an unnamed Apt pipe.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -123,7 +128,7 @@ interface(`apt_rw_pipes',`
 
 ########################################
 ## <summary>
-##	Read from and write to apt ptys.
+##	Read from and write to Apt ptys.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -141,7 +146,7 @@ interface(`apt_use_ptys',`
 
 ########################################
 ## <summary>
-##	Read the apt package cache.
+##	Read the Apt package cache.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -162,7 +167,7 @@ interface(`apt_read_cache',`
 
 ########################################
 ## <summary>
-##	Read the apt package database.
+##	Read the Apt package database.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -183,7 +188,7 @@ interface(`apt_read_db',`
 
 ########################################
 ## <summary>
-##	Create, read, write, and delete the apt package database.
+##	Manage the Apt package database.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -205,8 +210,8 @@ interface(`apt_manage_db',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to create, read, 
-##	write, and delete the apt package database.
+##	Do not audit attempts manage
+##	the Apt package database.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te
index 4044710..9a37f79 100644
--- a/policy/modules/admin/apt.te
+++ b/policy/modules/admin/apt.te
@@ -11,11 +11,9 @@ init_system_domain(apt_t, apt_exec_t)
 domain_system_change_exemption(apt_t)
 role system_r types apt_t;
 
-# pseudo terminal for running dpkg
 type apt_devpts_t;
 term_pty(apt_devpts_t)
 
-# aptitude lock file
 type apt_lock_t;
 files_lock_file(apt_lock_t)
 
@@ -25,15 +23,12 @@ files_tmp_file(apt_tmp_t)
 type apt_tmpfs_t;
 files_tmpfs_file(apt_tmpfs_t)
 
-# package cache
 type apt_var_cache_t alias var_cache_apt_t;
 files_type(apt_var_cache_t)
 
-# status files
 type apt_var_lib_t alias var_lib_apt_t;
 files_type(apt_var_lib_t)
 
-# aptitude log file
 type apt_var_log_t;
 logging_log_file(apt_var_log_t)
 
@@ -59,7 +54,6 @@ allow apt_t self:msg { send receive };
 # Run update
 allow apt_t self:netlink_route_socket r_netlink_socket_perms;
 
-# lock files
 allow apt_t apt_lock_t:dir manage_dir_perms;
 allow apt_t apt_lock_t:file manage_file_perms;
 files_lock_filetrans(apt_t, apt_lock_t, {dir file})
@@ -75,15 +69,12 @@ manage_fifo_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
 manage_sock_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
 fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 
-# Access /var/cache/apt files
 manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
 files_var_filetrans(apt_t, apt_var_cache_t, dir)
 
-# Access /var/lib/apt files
 manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
 files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)
 
-# log files
 allow apt_t apt_var_log_t:file manage_file_perms;
 logging_log_filetrans(apt_t, apt_var_log_t, file)
 
-- 
1.7.2.1

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100903/fc6c4f65/attachment.bin 

^ permalink raw reply related	[flat|nested] only message in thread

only message in thread, other threads:[~2010-09-03 15:50 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-09-03 15:50 [refpolicy] [Apt 1/1] Clean up Apt module Dominick Grift

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.