rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Misc portage fixes.

Browse Source
This commit is contained in:
Chris PeBenito 2010-02-17 20:25:39 -05:00
parent 05bd2f9837
commit 15d80e3646
2 changed files with 49 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
policy/modules/admin/portage.if
View File

@ -243,3 +243,41 @@ interface(`portage_run_gcc_config',`
portage_domtrans_gcc_config($1) portage_domtrans_gcc_config($1)
role $2 types gcc_config_t; role $2 types gcc_config_t;
') ')
########################################
## <summary>
## Do not audit attempts to search the
## portage temporary directories.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`portage_dontaudit_search_tmp',`
gen_require(`
type portage_tmp_t;
')
dontaudit $1 portage_tmp_t:dir search_dir_perms;
')
########################################
## <summary>
## Do not audit attempts to read and write
## the portage temporary files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`portage_dontaudit_rw_tmp_files',`
gen_require(`
type portage_tmp_t;
')
dontaudit $1 portage_tmp_t:file rw_file_perms;
')

13
policy/modules/admin/portage.te
View File

@ -1,5 +1,5 @@
policy_module(portage, 1.9.0) policy_module(portage, 1.9.1)
######################################## ########################################
# #
@ -82,8 +82,11 @@ corecmd_exec_shell(gcc_config_t)
corecmd_exec_bin(gcc_config_t) corecmd_exec_bin(gcc_config_t)
corecmd_manage_bin_files(gcc_config_t) corecmd_manage_bin_files(gcc_config_t)
domain_use_interactive_fds(gcc_config_t)
files_manage_etc_files(gcc_config_t) files_manage_etc_files(gcc_config_t)
files_rw_etc_runtime_files(gcc_config_t) files_rw_etc_runtime_files(gcc_config_t)
files_read_usr_files(gcc_config_t)
files_search_var_lib(gcc_config_t) files_search_var_lib(gcc_config_t)
files_search_pids(gcc_config_t) files_search_pids(gcc_config_t)
# complains loudly about not being able to list # complains loudly about not being able to list
@ -119,7 +122,11 @@ optional_policy(`
# - setfscreate for merging to live fs # - setfscreate for merging to live fs
# - setexec to run portage fetch # - setexec to run portage fetch
allow portage_t self:process { setfscreate setexec }; allow portage_t self:process { setfscreate setexec };
allow portage_t self:capability sys_nice; # - kill for mysql merging, at least
allow portage_t self:capability { sys_nice kill };
# user post-sync scripts
can_exec(portage_t, portage_conf_t)
allow portage_t portage_log_t:file manage_file_perms; allow portage_t portage_log_t:file manage_file_perms;
logging_log_filetrans(portage_t, portage_log_t, file) logging_log_filetrans(portage_t, portage_log_t, file)
@ -214,6 +221,8 @@ files_tmp_filetrans(portage_fetch_t, portage_fetch_tmp_t, { file dir })
# portage makes home dir the portage tmp dir, so # portage makes home dir the portage tmp dir, so
# wget looks for .wgetrc there # wget looks for .wgetrc there
dontaudit portage_fetch_t portage_tmp_t:dir search_dir_perms; dontaudit portage_fetch_t portage_tmp_t:dir search_dir_perms;
# rsync server timestamp check
allow portage_fetch_t portage_tmp_t:file { read_file_perms delete_file_perms };
kernel_read_system_state(portage_fetch_t) kernel_read_system_state(portage_fetch_t)
kernel_read_kernel_sysctls(portage_fetch_t) kernel_read_kernel_sysctls(portage_fetch_t)