first cut of hierarchical policy

Chris PeBenito 2006-04-21 15:08:21 +00:00
parent fb63d0b537
commit 02f9b21e8c
4 changed files with 392 additions and 240 deletions


@ -20,12 +20,18 @@ interface(`portage_domtrans',`
files_search_usr($1) files_search_usr($1)
corecmd_search_bin($1) corecmd_search_bin($1)
domain_auto_trans($1,portage_exec_t,portage_t)
allow $1 portage_t:fd use; # constraining domain
domain_trans($1,portage_exec_t,portage_t)
allow portage_t $1:fd use; allow portage_t $1:fd use;
allow portage_t $1:fifo_file rw_file_perms; allow portage_t $1:fifo_file rw_file_perms;
allow portage_t $1:process sigchld; allow portage_t $1:process sigchld;
# main portage process
domain_auto_trans($1,portage_exec_t,portage_t.merge)
allow portage_t.merge $1:fd use;
allow portage_t.merge $1:fifo_file rw_file_perms;
allow portage_t.merge $1:process sigchld;
') ')
######################################## ########################################
@ -51,22 +57,21 @@ interface(`portage_domtrans',`
# #
interface(`portage_run',` interface(`portage_run',`
gen_require(` gen_require(`
type portage_t, portage_fetch_t, portage_sandbox_t; type portage_t;
type portage_t.merge, portage_t.fetch, portage_t.sandbox;
') ')
portage_domtrans($1) portage_domtrans($1)
# constraining access
role $2 types portage_t; role $2 types portage_t;
role $2 types portage_fetch_t;
role $2 types portage_sandbox_t;
allow portage_t $3:chr_file rw_term_perms; allow portage_t $3:chr_file rw_term_perms;
allow portage_fetch_t $3:chr_file rw_term_perms;
allow portage_sandbox_t $3:chr_file rw_term_perms;
# not sure about this one, may be stray fds # specific access
allow portage_t $1:udp_socket write; role $2 types { portage_t.merge portage_t.fetch portage_t.sandbox };
allow $1 portage_t:udp_socket write; allow portage_t.merge $3:chr_file rw_term_perms;
allow portage_t.fetch $3:chr_file rw_term_perms;
allow portage_t.sandbox $3:chr_file rw_term_perms;
') ')
######################################## ########################################
@ -79,129 +84,258 @@ interface(`portage_run',`
## does all compiling in the sandbox. ## does all compiling in the sandbox.
## </p> ## </p>
## </desc> ## </desc>
## <param name="prefix"> ## <param name="domain">
## <summary> ## <summary>
## Name to be used to derive types. ## Domain Allowed Access
## </summary> ## </summary>
## </param> ## </param>
# #
template(`portage_compile_domain_template',` interface(`portage_compile_domain',`
type $1_t;
domain_type($1_t)
domain_entry_file($1_t,portage_exec_t)
type $1_devpts_t; allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
term_pty($1_devpts_t) allow $1 self:process { setpgid setsched setrlimit signal_perms execmem };
allow $1 self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
type $1_tmp_t; allow $1 self:fd use;
files_tmp_file($1_tmp_t) allow $1 self:fifo_file rw_file_perms;
allow $1 self:shm create_shm_perms;
type $1_tmpfs_t; allow $1 self:sem create_sem_perms;
files_tmpfs_file($1_tmpfs_t) allow $1 self:msgq create_msgq_perms;
allow $1 self:msg { send receive };
allow $1_t self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw }; allow $1 self:unix_dgram_socket create_socket_perms;
allow $1_t self:process { setpgid setsched setrlimit signal_perms execmem }; allow $1 self:unix_stream_socket create_stream_socket_perms;
allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow $1 self:unix_dgram_socket sendto;
allow $1_t self:fd use; allow $1 self:unix_stream_socket connectto;
allow $1_t self:fifo_file rw_file_perms;
allow $1_t self:shm create_shm_perms;
allow $1_t self:sem create_sem_perms;
allow $1_t self:msgq create_msgq_perms;
allow $1_t self:msg { send receive };
allow $1_t self:unix_dgram_socket create_socket_perms;
allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t self:unix_dgram_socket sendto;
allow $1_t self:unix_stream_socket connectto;
# really shouldnt need this # really shouldnt need this
allow $1_t self:tcp_socket create_stream_socket_perms; allow $1 self:tcp_socket create_stream_socket_perms;
allow $1_t self:udp_socket create_socket_perms; allow $1 self:udp_socket create_socket_perms;
# misc networking stuff (esp needed for compiling perl): # misc networking stuff (esp needed for compiling perl):
allow $1_t self:rawip_socket { create ioctl }; allow $1 self:rawip_socket { create ioctl };
allow $1_t self:udp_socket recvfrom; allow $1 self:udp_socket recvfrom;
# needed for merging dbus: # needed for merging dbus:
allow $1_t self:netlink_selinux_socket { bind create read }; allow $1 self:netlink_selinux_socket { bind create read };
allow $1_t $1_devpts_t:chr_file { rw_file_perms setattr }; allow $1 portage_devpts_t:chr_file { rw_file_perms setattr };
term_create_pty($1_t,$1_devpts_t) term_create_pty($1,portage_devpts_t)
allow $1_t $1_tmp_t:dir manage_dir_perms; # write compile logs
allow $1_t $1_tmp_t:file manage_file_perms; allow $1 portage_log_t:dir setattr;
allow $1_t $1_tmp_t:lnk_file create_lnk_perms; allow $1 portage_log_t:file { append write setattr };
allow $1_t $1_tmp_t:fifo_file manage_file_perms;
allow $1_t $1_tmp_t:sock_file manage_file_perms;
files_tmp_filetrans($1_t,$1_tmp_t,{ dir file lnk_file sock_file fifo_file })
allow $1_t $1_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write }; # run scripts out of the build directory
allow $1_t $1_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename }; can_exec(portage_sandbox_t,portage_tmp_t)
allow $1_t $1_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
allow $1_t $1_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
allow $1_t $1_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
fs_tmpfs_filetrans($1_t,$1_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
# write merge logs allow $1 portage_tmp_t:dir manage_dir_perms;
allow $1_t portage_log_t:dir setattr; allow $1 portage_tmp_t:file manage_file_perms;
allow $1_t portage_log_t:file { append write setattr }; allow $1 portage_tmp_t:lnk_file create_lnk_perms;
allow $1 portage_tmp_t:fifo_file manage_file_perms;
allow $1 portage_tmp_t:sock_file manage_file_perms;
files_tmp_filetrans($1,portage_tmp_t,{ dir file lnk_file sock_file fifo_file })
kernel_read_system_state($1_t) allow $1 portage_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
kernel_read_network_state($1_t) allow $1 portage_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
kernel_read_software_raid_state($1_t) allow $1 portage_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
kernel_getattr_core_if($1_t) allow $1 portage_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
kernel_getattr_message_if($1_t) allow $1 portage_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
kernel_read_kernel_sysctls($1_t) fs_tmpfs_filetrans($1,portage_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
corecmd_exec_all_executables($1_t) kernel_read_system_state($1)
kernel_read_network_state($1)
kernel_read_software_raid_state($1)
kernel_getattr_core_if($1)
kernel_getattr_message_if($1)
kernel_read_kernel_sysctls($1)
corecmd_exec_all_executables($1)
# really shouldnt need this # really shouldnt need this
corenet_non_ipsec_sendrecv($1_t) corenet_non_ipsec_sendrecv($1)
corenet_tcp_sendrecv_generic_if($1_t) corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1_t) corenet_udp_sendrecv_generic_if($1)
corenet_raw_sendrecv_generic_if($1_t) corenet_raw_sendrecv_generic_if($1)
corenet_tcp_sendrecv_all_nodes($1_t) corenet_tcp_sendrecv_all_nodes($1)
corenet_udp_sendrecv_all_nodes($1_t) corenet_udp_sendrecv_all_nodes($1)
corenet_raw_sendrecv_all_nodes($1_t) corenet_raw_sendrecv_all_nodes($1)
corenet_tcp_sendrecv_all_ports($1_t) corenet_tcp_sendrecv_all_ports($1)
corenet_udp_sendrecv_all_ports($1_t) corenet_udp_sendrecv_all_ports($1)
corenet_tcp_connect_all_reserved_ports($1_t) corenet_tcp_connect_all_reserved_ports($1)
corenet_tcp_connect_distccd_port($1_t) corenet_tcp_connect_distccd_port($1)
dev_read_sysfs($1_t) dev_read_sysfs($1)
dev_read_rand($1_t) dev_read_rand($1)
dev_read_urand($1_t) dev_read_urand($1)
domain_use_interactive_fds($1_t) domain_use_interactive_fds($1)
files_exec_etc_files($1_t) files_exec_etc_files($1)
files_exec_usr_src_files($1_t) files_exec_usr_src_files($1)
fs_getattr_xattr_fs($1_t) fs_getattr_xattr_fs($1)
fs_list_noxattr_fs($1_t) fs_list_noxattr_fs($1)
fs_read_noxattr_fs_files($1_t) fs_read_noxattr_fs_files($1)
fs_read_noxattr_fs_symlinks($1_t) fs_read_noxattr_fs_symlinks($1)
fs_search_auto_mountpoints($1_t) fs_search_auto_mountpoints($1)
# needed for merging dbus: # needed for merging dbus:
selinux_compute_access_vector($1_t) selinux_compute_access_vector($1)
auth_read_all_dirs_except_shadow($1_t) auth_read_all_dirs_except_shadow($1)
auth_read_all_files_except_shadow($1_t) auth_read_all_files_except_shadow($1)
auth_read_all_symlinks_except_shadow($1_t) auth_read_all_symlinks_except_shadow($1)
libs_use_ld_so($1_t) libs_use_ld_so($1)
libs_use_shared_libs($1_t) libs_use_shared_libs($1)
libs_exec_lib_files($1_t) libs_exec_lib_files($1)
# some config scripts use ldd # some config scripts use ldd
libs_exec_ld_so($1_t) libs_exec_ld_so($1)
# this violates the idea of sandbox, but # this violates the idea of sandbox, but
# regular sandbox allows it # regular sandbox allows it
libs_domtrans_ldconfig($1_t) libs_domtrans_ldconfig($1)
logging_send_syslog_msg($1_t) logging_send_syslog_msg($1)
ifdef(`TODO',` ifdef(`TODO',`
# some gui ebuilds want to interact with X server, like xawtv # some gui ebuilds want to interact with X server, like xawtv
optional_policy(` optional_policy(`
allow $1_t xdm_xserver_tmp_t:dir { add_name remove_name write }; allow $1 xdm_xserver_tmp_t:dir { add_name remove_name write };
allow $1_t xdm_xserver_tmp_t:sock_file { create getattr unlink write }; allow $1 xdm_xserver_tmp_t:sock_file { create getattr unlink write };
') ')
') dnl end TODO ') dnl end TODO
') ')
########################################
## <summary>
## Template for portage fetch.
## </summary>
## <param name="domain">
## <summary>
## Domain Allowed Access
## </summary>
## </param>
#
interface(`portage_fetch_domain',`
allow $1 self:capability dac_override;
dontaudit $1 self:capability { fowner fsetid };
allow $1 self:unix_stream_socket create_socket_perms;
allow $1 self:tcp_socket create_stream_socket_perms;
allow $1 portage_conf_t:dir list_dir_perms;
allow $1 portage_conf_t:file r_file_perms;
allow $1 portage_ebuild_t:dir manage_dir_perms;
allow $1 portage_ebuild_t:file manage_file_perms;
allow $1 portage_fetch_tmp_t:dir create_dir_perms;
allow $1 portage_fetch_tmp_t:file create_file_perms;
# portage makes home dir the portage tmp dir, so
# wget looks for .wgetrc there
dontaudit $1 portage_tmp_t:dir search_dir_perms;
kernel_read_system_state($1)
kernel_read_kernel_sysctls($1)
corecmd_exec_bin($1)
corecmd_exec_sbin($1)
corenet_non_ipsec_sendrecv($1)
corenet_tcp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_all_nodes($1)
corenet_tcp_sendrecv_all_ports($1)
# would rather not connect to unspecified ports, but
# it occasionally comes up
corenet_tcp_connect_all_reserved_ports($1)
corenet_tcp_connect_generic_port($1)
dev_dontaudit_read_rand($1)
domain_use_interactive_fds($1)
files_read_etc_files($1)
files_read_etc_runtime_files($1)
files_search_var($1)
files_dontaudit_search_pids($1)
term_search_ptys($1)
libs_use_ld_so($1)
libs_use_shared_libs($1)
miscfiles_read_localization($1)
sysnet_read_config($1)
sysnet_dns_name_resolve($1)
userdom_dontaudit_read_sysadm_home_content_files($1)
ifdef(`hide_broken_symptoms',`
dontaudit $1 portage_cache_t:file read;
')
')
########################################
## <summary>
## Template for portage main.
## </summary>
## <param name="domain">
## <summary>
## Domain Allowed Access
## </summary>
## </param>
#
interface(`portage_main_domain',`
# - setfscreate for merging to live fs
# - setexec to run portage fetch
allow $1 self:process { setfscreate setexec };
# if sesandbox is disabled, compiles are
# performed in the main domain
portage_compile_domain($1)
allow $1 portage_log_t:file create_file_perms;
logging_log_filetrans($1,portage_log_t,file)
# run scripts out of the build directory
can_exec($1,portage_tmp_t)
# merging baselayout will need this:
kernel_write_proc_files($1)
domain_dontaudit_read_all_domains_state($1)
# modify any files in the system
files_manage_all_files($1)
selinux_get_fs_mount($1)
auth_manage_shadow($1)
# merging baselayout will need this:
init_exec($1)
# run setfiles -r
seutil_domtrans_setfiles($1)
optional_policy(`
bootloader_domtrans($1)
')
optional_policy(`
modutils_domtrans_depmod($1)
modutils_domtrans_update_mods($1)
#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
')
optional_policy(`
usermanage_domtrans_groupadd($1)
usermanage_domtrans_useradd($1)
')
ifdef(`TODO',`
# seems to work ok without these
dontaudit portage_t device_t:{ blk_file chr_file } getattr;
dontaudit portage_t proc_t:dir setattr;
dontaudit portage_t device_type:{ chr_file blk_file } r_file_perms;
')
')
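Review bot: `can_exec(portage_sandbox_t,portage_tmp_t)` in the new `portage_compile_domain` interface hardcodes the sandbox type where every other rule in the interface is written against `$1`, so when the interface is applied to `portage_t` or `portage_t.merge` (as the portage.te hunk does) the execute permission on `portage_tmp_t` lands on the sandbox domain instead of the caller; the line should read `can_exec($1,portage_tmp_t)`. The merge domain still receives its own `can_exec($1,portage_tmp_t)` from `portage_main_domain`, which is presumably why the omission does not show up in use. Separately, the `ifdef` TODO block at the end of `portage_main_domain` names `portage_t` directly rather than `$1`; it is inert today but would apply to the wrong domain if the block were ever enabled. The new interfaces also reference `portage_devpts_t`, `portage_log_t`, `portage_tmp_t` and `portage_tmpfs_t` with no `gen_require` block, which presumably works while all callers live in portage.te, but the neighbouring `portage_run` interface shows the module's convention of declaring the types it needs.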


@ -1,29 +1,46 @@
policy_module(portage,1.0.1) policy_module(portage,1.0.2)
######################################## ########################################
# #
# Declarations # Declarations
# #
# constraining domain
type portage_t;
type portage_exec_t; type portage_exec_t;
files_type(portage_exec_t) domain_type(portage_t)
domain_entry_file(portage_t,portage_exec_t)
rsync_entry_type(portage_t)
corecmd_shell_entry_type(portage_t)
domain_entry_file(portage_t,portage_exec_t)
portage_compile_domain_template(portage) # main portage domain
domain_obj_id_change_exemption(portage_t) type portage_t.merge;
domain_type(portage_t.merge)
domain_entry_file(portage_t.merge,portage_exec_t)
domain_obj_id_change_exemption(portage_t.merge)
portage_compile_domain_template(portage_sandbox) # portage compile sandbox domain
type portage_t.sandbox alias portage_sandbox_t;
domain_type(portage_t.sandbox)
# the shell is the entrypoint if regular sandbox is disabled # the shell is the entrypoint if regular sandbox is disabled
# portage_exec_t is the entrypoint if regular sandbox is enabled # portage_exec_t is the entrypoint if regular sandbox is enabled
corecmd_shell_entry_type(portage_sandbox_t) corecmd_shell_entry_type(portage_t.sandbox)
domain_entry_file(portage_sandbox_t,portage_exec_t) domain_entry_file(portage_t.sandbox,portage_exec_t)
# portage package fetching domain
type portage_t.fetch alias portage_fetch_t;
domain_type(portage_t.fetch)
corecmd_shell_entry_type(portage_t.fetch)
rsync_entry_type(portage_t.fetch)
type portage_devpts_t;
term_pty(portage_devpts_t)
type portage_ebuild_t; type portage_ebuild_t;
files_type(portage_ebuild_t) files_type(portage_ebuild_t)
type portage_fetch_t;
domain_type(portage_fetch_t)
type portage_fetch_tmp_t; type portage_fetch_tmp_t;
files_tmp_file(portage_fetch_tmp_t) files_tmp_file(portage_fetch_tmp_t)
@ -39,73 +56,48 @@ files_type(portage_cache_t)
type portage_log_t; type portage_log_t;
logging_log_file(portage_log_t) logging_log_file(portage_log_t)
type portage_tmp_t;
files_tmp_file(portage_tmp_t)
type portage_tmpfs_t;
files_tmpfs_file(portage_tmpfs_t)
######################################## ########################################
# #
# Portage Rules # Portage Constraining Rules
# #
# - setfscreate for merging to live fs portage_main_domain(portage_t)
# - setexec to run portage fetch portage_compile_domain(portage_t)
allow portage_t self:process { setfscreate setexec }; portage_fetch_domain(portage_t)
# transition between child domains on shells and rsync
corecmd_shell_spec_domtrans(portage_t,portage_t)
rsync_entry_spec_domtrans(portage_t,portage_t)
########################################
#
# Portage Merging Rules
#
portage_main_domain(portage_t.merge)
# if sesandbox is disabled, compiling is performed in this domain
portage_compile_domain(portage_t.merge)
# transition for rsync and wget # transition for rsync and wget
corecmd_shell_spec_domtrans(portage_t,portage_fetch_t) corecmd_shell_spec_domtrans(portage_t.merge,portage_t.fetch)
allow portage_fetch_t portage_t:fd use; rsync_entry_domtrans(portage_t.merge,portage_t.fetch)
allow portage_fetch_t portage_t:fifo_file rw_file_perms; allow portage_t.fetch portage_t.merge:fd use;
allow portage_fetch_t portage_t:process sigchld; allow portage_t.fetch portage_t.merge:fifo_file rw_file_perms;
allow portage_t.fetch portage_t.merge:process sigchld;
allow portage_t portage_log_t:file create_file_perms;
logging_log_filetrans(portage_t,portage_log_t,file)
# transition to sandbox for compiling # transition to sandbox for compiling
domain_trans(portage_t,portage_exec_t,portage_sandbox_t) domain_trans(portage_t.merge,portage_exec_t,portage_t.sandbox)
corecmd_shell_spec_domtrans(portage_t,portage_sandbox_t) corecmd_shell_spec_domtrans(portage_t.merge,portage_t.sandbox)
allow portage_sandbox_t portage_t:fd use; allow portage_t.sandbox portage_t.merge:fd use;
allow portage_sandbox_t portage_t:fifo_file rw_file_perms; allow portage_t.sandbox portage_t.merge:fifo_file rw_file_perms;
allow portage_sandbox_t portage_t:process sigchld; allow portage_t.sandbox portage_t.merge:process sigchld;
# run scripts out of the build directory
can_exec(portage_t,portage_tmp_t)
# merging baselayout will need this:
kernel_write_proc_files(portage_t)
domain_dontaudit_read_all_domains_state(portage_t)
# modify any files in the system
files_manage_all_files(portage_t)
selinux_get_fs_mount(portage_t)
auth_manage_shadow(portage_t)
# merging baselayout will need this:
init_exec(portage_t)
# run setfiles -r
seutil_domtrans_setfiles(portage_t)
optional_policy(`
bootloader_domtrans(portage_t)
')
optional_policy(`
modutils_domtrans_depmod(portage_t)
modutils_domtrans_update_mods(portage_t)
#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
')
optional_policy(`
usermanage_domtrans_groupadd(portage_t)
usermanage_domtrans_useradd(portage_t)
')
ifdef(`TODO',`
# seems to work ok without these
dontaudit portage_t device_t:{ blk_file chr_file } getattr;
dontaudit portage_t proc_t:dir setattr;
dontaudit portage_t device_type:{ chr_file blk_file } r_file_perms;
')
########################################## ##########################################
# #
@ -113,67 +105,10 @@ dontaudit portage_t device_type:{ chr_file blk_file } r_file_perms;
# - for rsync and distfile fetching # - for rsync and distfile fetching
# #
allow portage_fetch_t self:capability dac_override; portage_fetch_domain(portage_t.fetch)
dontaudit portage_fetch_t self:capability { fowner fsetid };
allow portage_fetch_t self:unix_stream_socket create_socket_perms;
allow portage_fetch_t self:tcp_socket create_stream_socket_perms;
allow portage_fetch_t portage_conf_t:dir list_dir_perms; # rule outside of the above macro to fix conflicting type transitions
allow portage_fetch_t portage_conf_t:file r_file_perms; files_tmp_filetrans(portage_t.fetch, portage_fetch_tmp_t, { file dir })
allow portage_fetch_t portage_ebuild_t:dir manage_dir_perms;
allow portage_fetch_t portage_ebuild_t:file manage_file_perms;
allow portage_fetch_t portage_fetch_tmp_t:dir create_dir_perms;
allow portage_fetch_t portage_fetch_tmp_t:file create_file_perms;
files_tmp_filetrans(portage_fetch_t, portage_fetch_tmp_t, { file dir })
# portage makes home dir the portage tmp dir, so
# wget looks for .wgetrc there
dontaudit portage_fetch_t portage_tmp_t:dir search_dir_perms;
kernel_read_system_state(portage_fetch_t)
kernel_read_kernel_sysctls(portage_fetch_t)
corecmd_exec_bin(portage_fetch_t)
corecmd_exec_sbin(portage_fetch_t)
corenet_non_ipsec_sendrecv(portage_fetch_t)
corenet_tcp_sendrecv_generic_if(portage_fetch_t)
corenet_tcp_sendrecv_all_nodes(portage_fetch_t)
corenet_tcp_sendrecv_all_ports(portage_fetch_t)
# would rather not connect to unspecified ports, but
# it occasionally comes up
corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
corenet_tcp_connect_generic_port(portage_fetch_t)
dev_dontaudit_read_rand(portage_fetch_t)
domain_use_interactive_fds(portage_fetch_t)
files_read_etc_files(portage_fetch_t)
files_read_etc_runtime_files(portage_fetch_t)
files_search_var(portage_fetch_t)
files_dontaudit_search_pids(portage_fetch_t)
term_search_ptys(portage_fetch_t)
libs_use_ld_so(portage_fetch_t)
libs_use_shared_libs(portage_fetch_t)
miscfiles_read_localization(portage_fetch_t)
sysnet_read_config(portage_fetch_t)
sysnet_dns_name_resolve(portage_fetch_t)
userdom_dontaudit_read_sysadm_home_content_files(portage_fetch_t)
ifdef(`hide_broken_symptoms',`
dontaudit portage_fetch_t portage_cache_t:file read;
')
# TODO:
#domain_auto_trans(portage_t, rsyncd_exec_t, portage_fetch_t)
########################################## ##########################################
# #
@ -181,12 +116,10 @@ ifdef(`hide_broken_symptoms',`
# - SELinux-enforced sandbox # - SELinux-enforced sandbox
# #
# seems ok w/o this portage_compile_domain(portage_t.sandbox)
dontaudit portage_sandbox_t portage_cache_t:dir { setattr };
dontaudit portage_sandbox_t portage_cache_t:file { setattr write };
allow portage_sandbox_t portage_tmp_t:dir manage_dir_perms; ifdef(`hide_broken_symptoms',`
allow portage_sandbox_t portage_tmp_t:file manage_file_perms; # leaked descriptors
allow portage_sandbox_t portage_tmp_t:lnk_file create_lnk_perms; dontaudit portage_t.sandbox portage_cache_t:dir { setattr };
# run scripts out of the build directory dontaudit portage_t.sandbox portage_cache_t:file { setattr write };
can_exec(portage_sandbox_t,portage_tmp_t) ')
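Review bot: `portage_compile_domain(portage_t)` and `portage_compile_domain(portage_t.merge)` in the Constraining/Merging sections repeat a call that `portage_main_domain` already makes internally (the `portage_compile_domain($1)` line in the portage.if hunk), so both domains get the compile rules twice. Duplicate allow rules are harmless and identical `type_transition` rules from the repeated `files_tmp_filetrans`/`fs_tmpfs_filetrans` calls compile, but the redundancy hides which interface is meant to own those rules and invites a future conflict if one copy is edited. I would keep the explicit calls here, since the `# if sesandbox is disabled, compiling is performed in this domain` comment documents the intent at the call site, and drop the nested `portage_compile_domain($1)` from `portage_main_domain` in portage.if instead, or remove the two calls here and leave the comment pointing at the interface.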


@ -1 +1,86 @@
## <summary>Fast incremental file transfer for synchronization</summary> ## <summary>Fast incremental file transfer for synchronization</summary>
########################################
## <summary>
## Make rsync an entry point for
## the specified domain.
## </summary>
## <param name="domain">
## <summary>
## The domain for which init scripts are an entrypoint.
## </summary>
## </param>
# cjp: added for portage
interface(`rsync_entry_type',`
gen_require(`
type rsync_exec_t;
')
domain_entry_file($1,rsync_exec_t)
')
########################################
## <summary>
## Execute a rsync in a specified domain.
## </summary>
## <desc>
## <p>
## Execute a rsync in a specified domain.
## </p>
## <p>
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
## </p>
## </desc>
## <param name="source_domain">
## <summary>
## Domain to transition from.
## </summary>
## </param>
## <param name="target_domain">
## <summary>
## Domain to transition to.
## </summary>
## </param>
# cjp: added for portage
interface(`rsync_entry_spec_domtrans',`
gen_require(`
type rsync_exec_t;
')
domain_trans($1,rsync_exec_t,$2)
')
########################################
## <summary>
## Execute a rsync in a specified domain.
## </summary>
## <desc>
## <p>
## Execute a rsync in a specified domain.
## </p>
## <p>
## No interprocess communication (signals, pipes,
## etc.) is provided by this interface since
## the domains are not owned by this module.
## </p>
## </desc>
## <param name="source_domain">
## <summary>
## Domain to transition from.
## </summary>
## </param>
## <param name="target_domain">
## <summary>
## Domain to transition to.
## </summary>
## </param>
# cjp: added for portage
interface(`rsync_entry_domtrans',`
gen_require(`
type rsync_exec_t;
')
domain_auto_trans($1,rsync_exec_t,$2)
')
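Review bot: The parameter summary of `rsync_entry_type` reads `The domain for which init scripts are an entrypoint.`, which is carried over from the init interface it was modelled on; it should say `The domain for which rsync is an entrypoint.`. The two transition interfaces `rsync_entry_spec_domtrans` and `rsync_entry_domtrans` carry identical summaries and descriptions although one expands to `domain_trans` and the other to `domain_auto_trans`, so a reader cannot tell from the documentation that only the latter adds the automatic type transition. I would amend the `rsync_entry_spec_domtrans` summary to `Allow the specified domain to execute rsync in the target domain, without an automatic transition.` and leave the auto variant's summary as the default-transition case, matching how refpolicy documents other spec/auto pairs.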


@ -1,5 +1,5 @@
policy_module(rsync,1.2.1) policy_module(rsync,1.2.2)
######################################## ########################################
# #