diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 926a9e3a..d7fd3519 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,4 @@
+- Add gcc-config domain to portage.
- Add packet object class and support in corenetwork.
- Add a copy of genhomedircon for monolithic policy building, so that a
policycoreutils package update is not required for RHEL4 systems.
diff --git a/refpolicy/policy/modules/admin/portage.fc b/refpolicy/policy/modules/admin/portage.fc
index 9084dd07..76d3408c 100644
--- a/refpolicy/policy/modules/admin/portage.fc
+++ b/refpolicy/policy/modules/admin/portage.fc
@@ -2,7 +2,9 @@
/etc/make.globals -- gen_context(system_u:object_r:portage_conf_t,s0)
/etc/portage(/.*)? gen_context(system_u:object_r:portage_conf_t,s0)
-/usr/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/bin/gcc-config -- gen_context(system_u:object_r:gcc_config_exec_t,s0)
+/usr/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
+
/usr/lib(64)?/portage/bin/ebuild -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib(64)?/portage/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib(64)?/portage/bin/quickpkg -- gen_context(system_u:object_r:portage_exec_t,s0)
diff --git a/refpolicy/policy/modules/admin/portage.if b/refpolicy/policy/modules/admin/portage.if
index 80eaca71..8debda6e 100644
--- a/refpolicy/policy/modules/admin/portage.if
+++ b/refpolicy/policy/modules/admin/portage.if
@@ -15,7 +15,7 @@
#
interface(`portage_domtrans',`
gen_require(`
- type portage_t, portage_exec_t;
+ type portage_t, portage_t.merge, portage_exec_t;
')
files_search_usr($1)
@@ -321,6 +321,8 @@ interface(`portage_main_domain',`
# run setfiles -r
seutil_domtrans_setfiles($1)
+ portage_domtrans_gcc_config($1)
+
optional_policy(`
bootloader_domtrans($1)
')
@@ -343,3 +345,60 @@ interface(`portage_main_domain',`
dontaudit portage_t device_type:{ chr_file blk_file } r_file_perms;
')
')
+
+########################################
+##
+## Execute gcc-config in the gcc_config domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`portage_domtrans_gcc_config',`
+ gen_require(`
+ type gcc_config_t, gcc_config_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+
+ domain_auto_trans($1,gcc_config_exec_t,gcc_config_t)
+ allow gcc_config_t $1:fd use;
+ allow gcc_config_t $1:fifo_file rw_file_perms;
+ allow gcc_config_t $1:process sigchld;
+')
+
+########################################
+##
+## Execute gcc-config in the gcc_config domain, and
+## allow the specified role the gcc_config domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to allow the gcc_config domain.
+##
+##
+##
+##
+## The type of the terminal allow for gcc_config to use.
+##
+##
+#
+interface(`portage_run_gcc_config',`
+ gen_require(`
+ type gcc_config_t;
+ ')
+
+ portage_domtrans_gcc_config($1)
+
+ # constraining access
+ role $2 types gcc_config_t;
+ allow gcc_config_t $3:chr_file rw_term_perms;
+')
diff --git a/refpolicy/policy/modules/admin/portage.te b/refpolicy/policy/modules/admin/portage.te
index 1b12cb64..eff39511 100644
--- a/refpolicy/policy/modules/admin/portage.te
+++ b/refpolicy/policy/modules/admin/portage.te
@@ -1,11 +1,16 @@
-policy_module(portage,1.0.2)
+policy_module(portage,1.0.3)
########################################
#
# Declarations
#
+type gcc_config_t;
+type gcc_config_exec_t;
+domain_type(gcc_config_t)
+domain_entry_file(gcc_config_t,gcc_config_exec_t)
+
# constraining type
type portage_t;
type portage_exec_t;
@@ -62,6 +67,67 @@ files_tmp_file(portage_tmp_t)
type portage_tmpfs_t;
files_tmpfs_file(portage_tmpfs_t)
+########################################
+#
+# gcc-config policy
+#
+
+allow gcc_config_t self:capability { chown fsetid };
+allow gcc_config_t self:fifo_file rw_file_perms;
+
+allow gcc_config_t portage_cache_t:dir rw_dir_perms;
+allow gcc_config_t portage_cache_t:file create_file_perms;
+
+allow gcc_config_t portage_conf_t:dir search_dir_perms;
+allow gcc_config_t portage_conf_t:file read_file_perms;
+
+allow gcc_config_t portage_ebuild_t:dir list_dir_perms;
+allow gcc_config_t portage_ebuild_t:file read_file_perms;
+
+allow gcc_config_t portage_exec_t:file { execute getattr };
+
+kernel_read_system_state(gcc_config_t)
+kernel_read_kernel_sysctls(gcc_config_t)
+
+corecmd_exec_shell(gcc_config_t)
+corecmd_exec_ls(gcc_config_t)
+corecmd_exec_bin(gcc_config_t)
+corecmd_exec_sbin(gcc_config_t)
+corecmd_manage_bin_files(gcc_config_t)
+corecmd_read_sbin_symlinks(gcc_config_t)
+
+files_manage_etc_files(gcc_config_t)
+files_rw_etc_runtime_files(gcc_config_t)
+files_search_var_lib(gcc_config_t)
+files_search_pids(gcc_config_t)
+# complains loudly about not being able to list
+# the directory it is being run from
+files_list_all(gcc_config_t)
+
+term_search_ptys(gcc_config_t)
+
+# seems to be ok without this
+init_dontaudit_read_script_status_files(gcc_config_t)
+
+libs_use_ld_so(gcc_config_t)
+libs_use_shared_libs(gcc_config_t)
+libs_read_lib_files(gcc_config_t)
+libs_domtrans_ldconfig(gcc_config_t)
+libs_manage_shared_libs(gcc_config_t)
+files_lib_filetrans_shared_lib(gcc_config_t,file)
+# gcc-config creates a temp dir for the libs
+libs_manage_lib_dirs(gcc_config_t)
+
+logging_send_syslog_msg(gcc_config_t)
+
+miscfiles_read_localization(gcc_config_t)
+
+consoletype_exec(gcc_config_t)
+
+optional_policy(`
+ seutil_use_newrole_fds(gcc_config_t)
+')
+
########################################
#
# Portage Constraining Rules
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index 0b2dd5a6..4e76bd4b 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -918,6 +918,26 @@ interface(`init_read_script_files',`
allow $1 initrc_exec_t:file r_file_perms;
')
+########################################
+##
+## Do not audit attempts to read init script
+## status files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_dontaudit_read_script_status_files',`
+ gen_require(`
+ type initrc_state_t;
+ ')
+
+ dontaudit $1 initrc_state_t:dir search_dir_perms;
+ dontaudit $1 initrc_state_t:file read_file_perms;
+')
+
########################################
##
## Read and write init script temporary data.
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index f7f60896..d3538454 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -1,5 +1,5 @@
-policy_module(init,1.3.14)
+policy_module(init,1.3.15)
gen_require(`
class passwd rootok;
diff --git a/refpolicy/policy/modules/system/libraries.if b/refpolicy/policy/modules/system/libraries.if
index 4bcd9380..64e70c84 100644
--- a/refpolicy/policy/modules/system/libraries.if
+++ b/refpolicy/policy/modules/system/libraries.if
@@ -6,7 +6,7 @@
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -30,7 +30,7 @@ interface(`libs_domtrans_ldconfig',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
##
@@ -61,7 +61,7 @@ interface(`libs_run_ldconfig',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -85,7 +85,7 @@ interface(`libs_use_ld_so',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -105,7 +105,7 @@ interface(`libs_legacy_use_ld_so',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -169,7 +169,7 @@ interface(`libs_relabel_ld_so',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -184,11 +184,11 @@ interface(`libs_rw_ld_so_cache',`
########################################
##
-## Search lib directories.
+## Search library directories.
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -200,6 +200,24 @@ interface(`libs_search_lib',`
allow $1 lib_t:dir search;
')
+########################################
+##
+## Create, read, write, and delete library directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`libs_manage_lib_dirs',`
+ gen_require(`
+ type lib_t;
+ ')
+
+ allow $1 lib_t:dir manage_dir_perms;
+')
+
########################################
##
## Read files in the library directories, such
@@ -207,7 +225,7 @@ interface(`libs_search_lib',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -227,7 +245,7 @@ interface(`libs_read_lib_files',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -249,7 +267,7 @@ interface(`libs_exec_lib_files',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -291,7 +309,7 @@ interface(`libs_manage_lib_files',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -371,7 +389,7 @@ interface(`libs_manage_shared_libs',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -395,7 +413,7 @@ interface(`libs_use_shared_libs',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -428,3 +446,28 @@ interface(`libs_relabel_shared_libs',`
allow $1 lib_t:dir search_dir_perms;
allow $1 { shlib_t textrel_shlib_t }:file { relabelfrom relabelto };
')
+
+########################################
+##
+## Create an object in lib directories, with
+## the shared libraries type using a type transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The object class of the object being created.
+##
+##
+#
+interface(`files_lib_filetrans_shared_lib',`
+ gen_require(`
+ type root_t;
+ ')
+
+ allow $1 root_t:dir rw_dir_perms;
+ type_transition $1 root_t:$2 shlib_t;
+')
diff --git a/refpolicy/policy/modules/system/libraries.te b/refpolicy/policy/modules/system/libraries.te
index 3617fc0f..7b12270f 100644
--- a/refpolicy/policy/modules/system/libraries.te
+++ b/refpolicy/policy/modules/system/libraries.te
@@ -1,5 +1,5 @@
-policy_module(libraries,1.3.6)
+policy_module(libraries,1.3.7)
########################################
#
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 48b137cc..db31c674 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain,1.3.24)
+policy_module(userdomain,1.3.25)
gen_require(`
role sysadm_r, staff_r, user_r;
@@ -370,6 +370,7 @@ ifdef(`targeted_policy',`
optional_policy(`
portage_run(sysadm_t,sysadm_r,admin_terminal)
+ portage_run_gcc_config(sysadm_t,sysadm_r,admin_terminal)
')
optional_policy(`