Written by: Martin Orr For local use only Don't make apt_t and dpkg_script_t unconfined domains In order to confine apt_t, added the following: * Access the /var/log/apt directory as well as files * Run hostname * Dontaudit searching /root (apt-listchanges, python) * Dontaudit searching /data (apt-listbugs, ruby)
Index: policy/modules/admin/dpkg.te
===================================================================
--- policy/modules/admin/dpkg.te.orig
+++ policy/modules/admin/dpkg.te
@@ -365,9 +365,9 @@
 nis_use_ypbind(dpkg_script_t)
 ')
-optional_policy(`
- unconfined_domain(dpkg_script_t)
-')
+#optional_policy(`
+# unconfined_domain(dpkg_script_t)
+#')
 optional_policy(`
 usermanage_domtrans_groupadd(dpkg_script_t)
Index: policy/modules/admin/apt.te
===================================================================
--- policy/modules/admin/apt.te.orig
+++ policy/modules/admin/apt.te
@@ -85,7 +85,7 @@
 files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)
 # log files
-allow apt_t apt_var_log_t:file manage_file_perms;
+manage_files_pattern(apt_t, apt_var_log_t, apt_var_log_t)
 logging_log_filetrans(apt_t, apt_var_log_t, file)
 kernel_read_system_state(apt_t)
@@ -118,6 +118,7 @@
 files_exec_usr_files(apt_t)
 files_read_etc_files(apt_t)
 files_read_etc_runtime_files(apt_t)
+files_dontaudit_search_default_dirs(apt_t)
 fs_getattr_all_fs(apt_t)
@@ -136,6 +137,7 @@
 sysnet_read_config(apt_t)
+userdom_dontaudit_search_user_home_dirs(apt_t)
 userdom_use_user_terminals(apt_t)
 # with boolean, for cron-apt and such?
@@ -155,6 +157,10 @@
 ')
 optional_policy(`
+ hostname_exec(apt_t)
+')
+
+optional_policy(`
 nis_use_ypbind(apt_t)
 ')
@@ -163,6 +169,7 @@
 rpm_domtrans(apt_t)
 ')
-optional_policy(`
- unconfined_domain(apt_t)
-')
+#optional_policy(`
+# unconfined_domain(apt_t)
+#')
+
Index: policy/modules/kernel/files.if
===================================================================
--- policy/modules/kernel/files.if.orig
+++ policy/modules/kernel/files.if
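Review bot: In the dpkg.te hunk the `unconfined_domain(dpkg_script_t)` block is commented out instead of deleted, which leaves dead code in the policy; drop the three `#optional_policy(` … `#')` lines and let revision history record the change. Removing that rule turns dpkg_script_t — the domain maintainer scripts run in — into a confined domain, yet this hunk adds no compensating allow rules for it and the patch description lists additions only for apt_t, so expect AVC denials from maintainer scripts until those are collected (e.g. in permissive mode) and added deliberately. Note that maintainer scripts run arbitrary commands, so the resulting allow set should be reviewed for breadth rather than copied from audit2allow output.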
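Review bot: `manage_files_pattern(apt_t, apt_var_log_t, apt_var_log_t)` in the "log files" hunk grants rw_dir_perms on the log directory (add_name, remove_name) and manage_file_perms (unlink, rename) on the log files, which is more than a log writer needs and lets a compromised apt_t erase its own history.log/term.log trail. If apt only creates and appends to its logs, `create_files_pattern(apt_t, apt_var_log_t, apt_var_log_t)` plus `append_files_pattern(apt_t, apt_var_log_t, apt_var_log_t)` would be the least-privilege form; if delete/rename really is exercised (I cannot tell from the hunk), keep manage but add a comment saying why. `logging_log_filetrans` still only covers `file`, so creating the directory itself is not handled — fine if the package ships /var/log/apt pre-labelled.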
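Review bot: The new `files_dontaudit_search_default_dirs(apt_t)` line in the @@ -118 hunk gives no hint why apt_t probes default_t directories, and a dontaudit silently hides every such denial from future debugging; add the reason from the patch description inline, `# apt-listbugs (ruby) searches /data`. Keep in mind that default_t covers any directory the policy does not otherwise label, not only /data, so this masks search denials across all of them. If the access is actually required rather than library-path noise, an allow rule (or a proper label for /data) is needed instead of a dontaudit.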
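Review bot: The patch description says this hides denials for searching /root, but `userdom_dontaudit_search_user_home_dirs(apt_t)` in the @@ -136 hunk targets user_home_dir_t; whether /root carries that type depends on how this policy labels the admin home (older refpolicy variants use sysadm_home_dir_t or admin_home_t), so confirm with `matchpathcon /root` and switch to the admin-home dontaudit interface if the types differ, otherwise the denial will keep appearing. Either way add the reason inline: `# apt-listchanges (python) searches /root`.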
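Review bot: `hostname_exec(apt_t)` in the @@ -155 hunk runs the hostname binary inside apt_t rather than transitioning to its own domain; that is the usual choice for a read-only `hostname` call, but nothing in the hunk or the description ("Run hostname") says which apt helper needs it. Add a comment naming the caller once known, e.g. `# apt helper scripts invoke hostname(1)`, so the next reviewer can judge whether the rule is still needed. If the policy provides `hostname_domtrans`, prefer it when the caller could also set the hostname, keeping that privilege out of apt_t.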
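Review bot: In the @@ -163 hunk the `unconfined_domain(apt_t)` block is commented out instead of deleted, and the hunk also appends an extra empty line (`+` with no content) at end of file; remove the three commented lines and the trailing blank. With apt_t now confined, the two dontaudit rules this patch adds elsewhere will hide exactly the denials you want to see while checking that the remaining allow rules are sufficient, so validate in permissive mode with dontaudit rules disabled (`semodule -DB`) before shipping.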
@@ -2119,6 +2119,25 @@
 ########################################
 ##
+## Do not audit attempts to search the contents of
+## directories with the default file type.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`files_dontaudit_search_default_dirs',`
+ gen_require(`
+ type default_t;
+ ')
+
+ dontaudit $1 default_t:dir search_dir_perms;
+')
+
+########################################
+##
 ## List contents of directories with the default file type.
 ##
 ##
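Review bot: The interface header for `files_dontaudit_search_default_dirs` shows bare `##` lines where refpolicy's `<summary>` and `<param name="domain">` XML tags belong; this may be an extraction artefact, but if the tags are genuinely missing the policy doc generator will not pick the interface up. Verify the header matches the neighbouring `files_list_default` block: the description wrapped in `## <summary>` … `## </summary>`, and the parameter as `## <param name="domain">` / `## <summary>Domain to not audit.</summary>` / `## </param>`. The rule itself, `dontaudit $1 default_t:dir search_dir_perms;`, follows the usual dontaudit-search pattern.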