Written by: Martin Orr
Make apt_t fds widely inheritable
Allow apt ptys to be used by insmod (oss-compat.postinst)
Allow apt ptys to be used by lvm
Allow apt ptys to be used by bootloader (update-grub trigger)
Allow udev to use interactive fds, in particular those of apt
Index: policy/modules/admin/apt.te
===================================================================
--- policy/modules/admin/apt.te.orig
+++ policy/modules/admin/apt.te
@@ -9,6 +9,7 @@
type apt_exec_t;
init_system_domain(apt_t, apt_exec_t)
domain_system_change_exemption(apt_t)
+domain_interactive_fd(apt_t)
role system_r types apt_t;
# pseudo terminal for running dpkg
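Review bot: The added `domain_interactive_fd(apt_t)` carries no comment saying why apt's descriptors have to become inheritable, while the neighbouring declaration line is documented (`# pseudo terminal for running dpkg`). As far as I can tell from refpolicy, this line places apt_t on the attribute that every caller of `domain_use_interactive_fds` may use, so the grant is not scoped to the udev case given in the description but to any such domain, present or future. A short why-comment above the line, in the style of the existing one, would let a later reader judge whether the broad form is still needed, e.g. `# fds are inherited by maintainer scripts and the services they start` — presumably the motivation, but please confirm against the denials that prompted the change.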
Index: policy/modules/system/modutils.te
===================================================================
--- policy/modules/system/modutils.te.orig
+++ policy/modules/system/modutils.te
@@ -90,6 +90,10 @@
')
optional_policy(`
+ apt_use_ptys(depmod_t)
+')
+
+optional_policy(`
rpm_rw_pipes(depmod_t)
rpm_manage_script_tmp_files(depmod_t)
')
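Review bot: The `apt_use_ptys(depmod_t)` grant in this hunk is not covered by the patch description, which only names insmod (oss-compat.postinst); the same gap applies to hald_t in hal.te, clamd_t in clamav.te and syslogd_t in logging.te. Each of these widens the set of domains allowed to read and write apt's pseudo terminal, so the trigger that produced the denial is worth recording, either in the description or as a comment next to the call, e.g. `# depmod runs from module package postinst scripts under apt` — presumably the same oss-compat.postinst run as insmod, but that is inferred, not visible here.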
@@ -196,6 +200,10 @@
')
optional_policy(`
+ apt_use_ptys(insmod_t)
+')
+
+optional_policy(`
hotplug_search_config(insmod_t)
')
Index: policy/modules/system/lvm.te
===================================================================
--- policy/modules/system/lvm.te.orig
+++ policy/modules/system/lvm.te
@@ -311,6 +311,10 @@
')
optional_policy(`
+ apt_use_ptys(lvm_t)
+')
+
+optional_policy(`
bootloader_rw_tmp_files(lvm_t)
')
Index: policy/modules/admin/apt.if
===================================================================
--- policy/modules/admin/apt.if.orig
+++ policy/modules/admin/apt.if
@@ -162,6 +162,24 @@
########################################
##
+## Do not audit attempts to read from and write to apt ptys.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`apt_dontaudit_use_ptys',`
+ gen_require(`
+ type apt_devpts_t;
+ ')
+
+ dontaudit $1 apt_devpts_t:chr_file rw_term_perms;
+')
+
+########################################
+##
## Read the apt package database.
##
##
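Review bot: The doc block of the new `apt_dontaudit_use_ptys` interface reads as bare `##` lines around the summary and the parameter description, with no `<summary>`, `<param name="domain">` or `<desc>` markup visible; if those tags are really absent from the patch rather than lost in rendering, the interface documentation generator will not pick the text up, so please check the raw file. The interface body itself is consistent with the allow form used elsewhere in this patch: a single `dontaudit $1 apt_devpts_t:chr_file rw_term_perms;` with the type pulled in through `gen_require`. The interface is complete within the hunk.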
Index: policy/modules/services/hal.te
===================================================================
--- policy/modules/services/hal.te.orig
+++ policy/modules/services/hal.te
@@ -225,6 +225,10 @@
')
optional_policy(`
+ apt_dontaudit_use_ptys(hald_t)
+')
+
+optional_policy(`
bootloader_domtrans(hald_t)
')
Index: policy/modules/system/udev.te
===================================================================
--- policy/modules/system/udev.te.orig
+++ policy/modules/system/udev.te
@@ -108,6 +108,7 @@
domain_read_all_domains_state(udev_t)
domain_dontaudit_ptrace_all_domains(udev_t) #pidof triggers these
+domain_use_interactive_fds(udev_t)
files_read_usr_files(udev_t)
files_read_etc_runtime_files(udev_t)
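Review bot: `domain_use_interactive_fds(udev_t)` grants udev use of the inherited descriptors of every domain carrying the interactive-fd attribute, not only apt's, although the description names apt as the case at hand. If apt is the only source of the denials, the narrower grant already used by this patch in bootloader.te would do: `optional_policy(` / `apt_use_fds(udev_t)` / `')`, keeping the apt dependency optional as well. If other interactive-fd domains were observed too, a comment naming them next to the line (as the existing `#pidof triggers these` does for the ptrace dontaudit) would justify the broad form.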
Index: policy/modules/admin/bootloader.te
===================================================================
--- policy/modules/admin/bootloader.te.orig
+++ policy/modules/admin/bootloader.te
@@ -171,6 +171,11 @@
')
optional_policy(`
+ apt_use_fds(bootloader_t)
+ apt_use_ptys(bootloader_t)
+')
+
+optional_policy(`
fstools_exec(bootloader_t)
')
Index: policy/modules/services/clamav.te
===================================================================
--- policy/modules/services/clamav.te.orig
+++ policy/modules/services/clamav.te
@@ -142,6 +142,10 @@
')
optional_policy(`
+ apt_use_ptys(clamd_t)
+')
+
+optional_policy(`
exim_read_spool_files(clamd_t)
')
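Review bot: `apt_use_ptys(clamd_t)` gives a long-running daemon a persistent allow rule for apt's pseudo terminal, whereas the same patch handles the comparable case for hald_t in hal.te with the dontaudit variant; the same question applies to `apt_use_ptys(syslogd_t)` in logging.te. A daemon started from a maintainer script usually only inherits the terminal and does not need to read from or write to it, so unless clamd and syslogd actually emit output on that terminal the quieter form `apt_dontaudit_use_ptys(clamd_t)` (and likewise for syslogd_t) seems the better fit. If they do need the access, a comment stating which package's postinst relies on it would explain why these two daemons differ from hald_t.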
Index: policy/modules/system/logging.te
===================================================================
--- policy/modules/system/logging.te.orig
+++ policy/modules/system/logging.te
@@ -484,6 +484,10 @@
')
optional_policy(`
+ apt_use_ptys(syslogd_t)
+')
+
+optional_policy(`
bind_search_cache(syslogd_t)
')