commit:     d4d46d478908380d2e5de9e8b1f052dd6d731033
Author:     Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Tue Jul 22 13:36:11 2025 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Sep  2 21:59:08 2025 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d4d46d47

apt (#987)

* Apt changes:

Label usr/bin/apt-show-versions as apt_exec_t

Label /var/cache/apt-show-versions /usr/lib/apt/apt\.systemd\.daily
/usr/lib/apt/apt-helper /var/cache/apt-xapian-index /var/lib/app-info
/var/lib/swcatalog and /var/lib/unattended-upgrades

Allow apt_t to have dac_read_search capability, getsched process access, more
access to its tmp files, map access to its cache files, the ability to
inherit file handles from systemd-logind, and the ability to get systemd
network status.

Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/apt.fc           |  9 +++++++++
 policy/modules/admin/apt.te           | 16 +++++++++++++---
 policy/modules/kernel/corecommands.fc |  2 --
 3 files changed, 22 insertions(+), 5 deletions(-)

diff --git a/policy/modules/admin/apt.fc b/policy/modules/admin/apt.fc
index 456375f99..845400242 100644
--- a/policy/modules/admin/apt.fc
+++ b/policy/modules/admin/apt.fc
@@ -3,9 +3,13 @@
 /usr/bin/apt           --      gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/bin/apt-get       --      gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/bin/apt-shell     --      gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/bin/apt-show-versions --  gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/bin/aptitude      --      gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/bin/unattended-upgrade -- gen_context(system_u:object_r:apt_exec_t,s0)
 
+/usr/lib/apt/apt\.systemd\.daily -- 
gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/lib/apt/apt-helper -- gen_context(system_u:object_r:apt_exec_t,s0)
+
 /usr/sbin/update-apt-xapian-index -- 
gen_context(system_u:object_r:apt_exec_t,s0)
 
 /usr/share/unattended-upgrades/unattended-upgrade-shutdown -- 
gen_context(system_u:object_r:apt_exec_t,s0)
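Review bot: Moving /usr/lib/apt/apt-helper from bin_t to apt_exec_t (line 46 here, with the bin_t entry dropped from corecommands.fc in the last hunk) changes how apt_t itself spawns it: as bin_t it was presumably covered by a corecmd execution interface, but as apt_exec_t apt_t needs an explicit `can_exec(apt_t, apt_exec_t)` in apt.te, which is not visible in this diff, so confirm it exists or add it. The same dependency applies to apt.systemd.daily being started by init: the apt_exec_t label only yields an apt_t domain if the init-to-apt_t transition is declared earlier in apt.te, outside this diff. Note also that `/usr/lib/apt/methods.+` keeps bin_t in corecommands.fc, so the apt helper scripts are now split across two types; a one-line comment above line 44 stating that these two scripts are domain entrypoints would save the next reader from re-deriving that.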
@@ -14,15 +18,20 @@ ifndef(`distro_redhat',`
 /usr/sbin/synaptic     --      gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/lib/packagekit/packagekitd        --      
gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/libexec/packagekitd       --      
gen_context(system_u:object_r:apt_exec_t,s0)
+/var/cache/apt-show-versions(/.*)?     
gen_context(system_u:object_r:apt_var_cache_t,s0)
 /var/cache/PackageKit(/.*)?    
gen_context(system_u:object_r:apt_var_cache_t,s0)
 /var/lib/PackageKit(/.*)?      gen_context(system_u:object_r:apt_var_lib_t,s0)
 ')
 
 /var/cache/apt(/.*)?   gen_context(system_u:object_r:apt_var_cache_t,s0)
+/var/cache/apt-xapian-index`'(/.*)?    
gen_context(system_u:object_r:apt_var_cache_t,s0)
 
 /var/lib/apt(/.*)?     gen_context(system_u:object_r:apt_var_lib_t,s0)
 /var/lib/aptitude(/.*)?        gen_context(system_u:object_r:apt_var_lib_t,s0)
 /var/lib/apt-xapian-inde(x)(/.*)?      
gen_context(system_u:object_r:apt_var_lib_t,s0)
+/var/lib/app-info(/.*)?        gen_context(system_u:object_r:apt_var_lib_t,s0)
+/var/lib/swcatalog(/.*)?       gen_context(system_u:object_r:apt_var_lib_t,s0)
+/var/lib/unattended-upgrades(/.*)?     
gen_context(system_u:object_r:apt_var_lib_t,s0)
 
 /var/lock/aptitude     gen_context(system_u:object_r:apt_lock_t,s0)
 
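Review bot: The new `/var/cache/apt-show-versions(/.*)?` entry is placed inside the distro_redhat ifndef block (between the packagekitd and PackageKit entries, before the closing `')` on line 64), while the matching executable `/usr/bin/apt-show-versions` in the previous hunk is labelled unconditionally; unless the cache directory is intentionally excluded on redhat, move it next to the apt-xapian-index cache entry after the `')`. Separately, the new apt-xapian-index cache entry breaks the m4 `index` builtin with an empty quote, whereas the existing `/var/lib/apt-xapian-inde(x)(/.*)?` entry on line 72 uses a parenthesised letter for the same purpose; both work, but using one idiom in the file avoids a reader wondering whether they differ, e.g. `/var/cache/apt-xapian-inde(x)(/.*)?   gen_context(system_u:object_r:apt_var_cache_t,s0)`.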

diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te
index 7aea9c951..46e5d40c3 100644
--- a/policy/modules/admin/apt.te
+++ b/policy/modules/admin/apt.te
@@ -39,8 +39,9 @@ logging_log_file(apt_var_log_t)
 # Local policy
 #
 
-allow apt_t self:capability { chown dac_override fowner fsetid kill setgid 
setuid };
-allow apt_t self:process { fork setpgid signal };
+allow apt_t self:capability { chown dac_override dac_read_search fowner fsetid 
kill setgid setuid };
+dontaudit apt_t self:capability net_admin;
+allow apt_t self:process { fork setpgid signal getsched };
 allow apt_t self:fd use;
 allow apt_t self:fifo_file rw_fifo_file_perms;
 allow apt_t self:unix_dgram_socket sendto;
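Review bot: The permission set on the new `self:process` line is no longer sorted, `getsched` being appended after `signal`, while the capability line directly above keeps `dac_read_search` in alphabetical position; write it as `allow apt_t self:process { fork getsched setpgid signal };`. The `dontaudit apt_t self:capability net_admin;` line carries no comment saying which operation probes net_admin, so a later reviewer cannot tell a harmless probe from a silently hidden missing permission; a one-line comment above it such as `# net_admin is probed and not needed: <OPERATION-PLACEHOLDER> - confirm` would record the decision. dac_read_search is narrower than the dac_override apt_t already held, so that addition does not widen the domain.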
@@ -59,7 +60,9 @@ files_lock_filetrans(apt_t, apt_lock_t, { dir file })
 
 manage_dirs_pattern(apt_t, apt_tmp_t, apt_tmp_t)
 manage_files_pattern(apt_t, apt_tmp_t, apt_tmp_t)
+manage_lnk_files_pattern(apt_t, apt_tmp_t, apt_tmp_t)
 files_tmp_filetrans(apt_t, apt_tmp_t, { file dir })
+allow apt_t apt_tmp_t:file relabel_file_perms;
 
 manage_dirs_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
 manage_files_pattern(apt_t, apt_tmpfs_t, apt_tmpfs_t)
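Review bot: `allow apt_t apt_tmp_t:file relabel_file_perms;` has no comment explaining why apt relabels its own tmp files; relabel permissions are unusual on a tmp type, and with only this rule in view the from/to pair is apt_tmp_t to apt_tmp_t, so it either just re-applies the same label (a restorecon-style operation) or relies on a relabelto/relabelfrom for another type that is not in this diff. Add a comment above it such as `# <TOOL-PLACEHOLDER> re-applies contexts on files it unpacks under its tmp dir - confirm`, naming the caller if known. If the real relabel target is another type, the rule granting that side should sit next to this one so the pair can be reviewed together.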
@@ -71,9 +74,12 @@ fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file 
sock_file fifo_file }
 manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
 manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
 files_var_filetrans(apt_t, apt_var_cache_t, dir)
+allow apt_t apt_var_cache_t:file map;
 
 manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
 files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)
+allow apt_t apt_var_lib_t:dir setattr;
+manage_lnk_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
 
 allow apt_t apt_var_log_t:file manage_file_perms;
 allow apt_t apt_var_log_t:dir manage_dir_perms;
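Review bot: `allow apt_t apt_var_lib_t:dir setattr;` adds a single directory permission piecemeal, whereas the var_cache block just above pairs `manage_files_pattern` with `manage_dirs_pattern`; the existing `manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)` only grants rw_dir_perms on the directory, which does not include setattr, so this looks like the first symptom of apt needing directory management under /var/lib/apt rather than a one-off. If apt also creates or removes directories there (the `files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)` line suggests it does), replace the setattr line with `manage_dirs_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)`; otherwise keep the narrow rule but add a comment naming the operation that needs setattr. The `map` on apt_var_cache_t files matches the commit message and needs no change.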
@@ -101,12 +107,14 @@ domain_getattr_all_domains(apt_t)
 domain_use_interactive_fds(apt_t)
 
 files_exec_usr_files(apt_t)
+files_list_boot(apt_t)
 files_read_etc_files(apt_t)
 files_read_etc_runtime_files(apt_t)
 
 fs_getattr_all_fs(apt_t)
 
 init_get_system_status(apt_t)
+init_read_state(apt_t)
 
 term_create_pty(apt_t, apt_devpts_t)
 term_list_ptys(apt_t)
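Review bot: `init_read_state(apt_t)` is added beside `init_get_system_status(apt_t)` with no comment, and as I read that interface it is the broader grant of the two, allowing apt_t to read PID 1's /proc state rather than only query service status, so the reason deserves to be recorded. Suggest a comment above it such as `# <REASON-PLACEHOLDER> reads /proc/1 - confirm`, or, if the read comes from a particular helper invoked by apt, name it. `files_list_boot(apt_t)` is self-explanatory and is fine as is.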
@@ -143,6 +151,8 @@ optional_policy(`
 
        optional_policy(`
                systemd_dbus_chat_logind(apt_t)
+               systemd_use_logind_fds(apt_t)
+               systemd_write_inherited_logind_inhibit_pipes(apt_t)
        ')
 
        optional_policy(`
@@ -180,7 +190,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-       systemd_dbus_chat_logind(apt_t)
+       systemd_status_networkd(apt_t)
 ')
 
 optional_policy(`

diff --git a/policy/modules/kernel/corecommands.fc 
b/policy/modules/kernel/corecommands.fc
index 1a9cb9753..1720a525b 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -193,8 +193,6 @@ ifdef(`distro_gentoo',`
 /usr/lib/pgsql/test/regress/.*\.sh --  gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/qt.*/bin(/.*)?                        
gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/wicd/monitor\.py      --      gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/apt/apt-helper                --      
gen_context(system_u:object_r:bin_t,s0)
-/usr/lib/apt/apt\.systemd\.daily       --      
gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/apt/methods.+         --      gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ConsoleKit/.* --      gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ConsoleKit/run-seat\.d(/.*)?  gen_context(system_u:object_r:bin_t,s0)
