add gcc-config to portage

refpolicy/Changelog

@@ -1,3 +1,4 @@
+- Add gcc-config domain to portage.
 - Add packet object class and support in corenetwork.
 - Add a copy of genhomedircon for monolithic policy building, so that a
   policycoreutils package update is not required for RHEL4 systems.

refpolicy/policy/modules/admin/portage.fc

@@ -2,7 +2,9 @@
 /etc/make.globals		--	gen_context(system_u:object_r:portage_conf_t,s0)
 /etc/portage(/.*)?			gen_context(system_u:object_r:portage_conf_t,s0)
 
-/usr/bin/sandbox			--	gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/bin/gcc-config		--	gen_context(system_u:object_r:gcc_config_exec_t,s0)
+/usr/bin/sandbox		--	gen_context(system_u:object_r:portage_exec_t,s0)
+
 /usr/lib(64)?/portage/bin/ebuild --	gen_context(system_u:object_r:portage_exec_t,s0)
 /usr/lib(64)?/portage/bin/emerge --	gen_context(system_u:object_r:portage_exec_t,s0)
 /usr/lib(64)?/portage/bin/quickpkg --	gen_context(system_u:object_r:portage_exec_t,s0)

refpolicy/policy/modules/admin/portage.if

@@ -15,7 +15,7 @@
 #
 interface(`portage_domtrans',`
 	gen_require(`
-		type portage_t, portage_exec_t;
+		type portage_t, portage_t.merge, portage_exec_t;
 	')
 
 	files_search_usr($1)
@@ -321,6 +321,8 @@ interface(`portage_main_domain',`
 	# run setfiles -r
 	seutil_domtrans_setfiles($1)
 
+	portage_domtrans_gcc_config($1)
+
 	optional_policy(`
 		bootloader_domtrans($1)
 	')
@@ -343,3 +345,60 @@ interface(`portage_main_domain',`
 	dontaudit portage_t device_type:{ chr_file blk_file } r_file_perms;
 	')
 ')
+
+########################################
+## <summary>
+##	Execute gcc-config in the gcc_config domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`portage_domtrans_gcc_config',`
+	gen_require(`
+		type gcc_config_t, gcc_config_exec_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_bin($1)
+
+	domain_auto_trans($1,gcc_config_exec_t,gcc_config_t)
+	allow gcc_config_t $1:fd use;
+	allow gcc_config_t $1:fifo_file rw_file_perms;
+	allow gcc_config_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute gcc-config in the gcc_config domain, and
+##	allow the specified role the gcc_config domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to allow the gcc_config domain.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	The type of the terminal allow for gcc_config to use.
+##	</summary>
+## </param>
+#
+interface(`portage_run_gcc_config',`
+	gen_require(`
+		type gcc_config_t;
+	')
+
+	portage_domtrans_gcc_config($1)
+
+	# constraining access
+	role $2 types gcc_config_t;
+	allow gcc_config_t $3:chr_file rw_term_perms;
+')

refpolicy/policy/modules/admin/portage.te

@@ -1,11 +1,16 @@
 
-policy_module(portage,1.0.2)
+policy_module(portage,1.0.3)
 
 ########################################
 #
 # Declarations
 #
 
+type gcc_config_t;
+type gcc_config_exec_t;
+domain_type(gcc_config_t)
+domain_entry_file(gcc_config_t,gcc_config_exec_t)
+
 # constraining type
 type portage_t;
 type portage_exec_t;
@@ -62,6 +67,67 @@ files_tmp_file(portage_tmp_t)
 type portage_tmpfs_t;
 files_tmpfs_file(portage_tmpfs_t)
 
+########################################
+#
+# gcc-config policy
+#
+
+allow gcc_config_t self:capability { chown fsetid };
+allow gcc_config_t self:fifo_file rw_file_perms;
+
+allow gcc_config_t portage_cache_t:dir rw_dir_perms;
+allow gcc_config_t portage_cache_t:file create_file_perms;
+
+allow gcc_config_t portage_conf_t:dir search_dir_perms;
+allow gcc_config_t portage_conf_t:file read_file_perms;
+
+allow gcc_config_t portage_ebuild_t:dir list_dir_perms;
+allow gcc_config_t portage_ebuild_t:file read_file_perms;
+
+allow gcc_config_t portage_exec_t:file { execute getattr };
+
+kernel_read_system_state(gcc_config_t)
+kernel_read_kernel_sysctls(gcc_config_t)
+
+corecmd_exec_shell(gcc_config_t)
+corecmd_exec_ls(gcc_config_t)
+corecmd_exec_bin(gcc_config_t)
+corecmd_exec_sbin(gcc_config_t)
+corecmd_manage_bin_files(gcc_config_t)
+corecmd_read_sbin_symlinks(gcc_config_t)
+
+files_manage_etc_files(gcc_config_t)
+files_rw_etc_runtime_files(gcc_config_t)
+files_search_var_lib(gcc_config_t)
+files_search_pids(gcc_config_t)
+# complains loudly about not being able to list
+# the directory it is being run from
+files_list_all(gcc_config_t)
+
+term_search_ptys(gcc_config_t)
+
+# seems to be ok without this
+init_dontaudit_read_script_status_files(gcc_config_t)
+
+libs_use_ld_so(gcc_config_t)
+libs_use_shared_libs(gcc_config_t)
+libs_read_lib_files(gcc_config_t)
+libs_domtrans_ldconfig(gcc_config_t)
+libs_manage_shared_libs(gcc_config_t)
+files_lib_filetrans_shared_lib(gcc_config_t,file)
+# gcc-config creates a temp dir for the libs
+libs_manage_lib_dirs(gcc_config_t)
+
+logging_send_syslog_msg(gcc_config_t)
+
+miscfiles_read_localization(gcc_config_t)
+
+consoletype_exec(gcc_config_t)
+
+optional_policy(`
+	seutil_use_newrole_fds(gcc_config_t)
+')
+
 ########################################
 #
 # Portage Constraining Rules

refpolicy/policy/modules/system/init.if

@@ -918,6 +918,26 @@ interface(`init_read_script_files',`
 	allow $1 initrc_exec_t:file r_file_perms;
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to read init script
+##	status files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_dontaudit_read_script_status_files',`
+	gen_require(`
+		type initrc_state_t;
+	')
+
+	dontaudit $1 initrc_state_t:dir search_dir_perms;
+	dontaudit $1 initrc_state_t:file read_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read and write init script temporary data.

refpolicy/policy/modules/system/init.te

@@ -1,5 +1,5 @@
 
-policy_module(init,1.3.14)
+policy_module(init,1.3.15)
 
 gen_require(`
 	class passwd rootok;

refpolicy/policy/modules/system/libraries.if

@@ -6,7 +6,7 @@
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -30,7 +30,7 @@ interface(`libs_domtrans_ldconfig',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
@@ -61,7 +61,7 @@ interface(`libs_run_ldconfig',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -85,7 +85,7 @@ interface(`libs_use_ld_so',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -105,7 +105,7 @@ interface(`libs_legacy_use_ld_so',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -169,7 +169,7 @@ interface(`libs_relabel_ld_so',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -184,11 +184,11 @@ interface(`libs_rw_ld_so_cache',`
 
 ########################################
 ## <summary>
-##	Search lib directories.
+##	Search library directories.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -200,6 +200,24 @@ interface(`libs_search_lib',`
 	allow $1 lib_t:dir search;
 ')
 
+########################################
+## <summary>
+##	Create, read, write, and delete library directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`libs_manage_lib_dirs',`
+	gen_require(`
+		type lib_t;
+	')
+
+	allow $1 lib_t:dir manage_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read files in the library directories, such
@@ -207,7 +225,7 @@ interface(`libs_search_lib',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -227,7 +245,7 @@ interface(`libs_read_lib_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -249,7 +267,7 @@ interface(`libs_exec_lib_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -291,7 +309,7 @@ interface(`libs_manage_lib_files',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -371,7 +389,7 @@ interface(`libs_manage_shared_libs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -395,7 +413,7 @@ interface(`libs_use_shared_libs',`
 ## </summary>
 ## <param name="domain">
 ##	<summary>
-##	The type of the process performing this action.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
@@ -428,3 +446,28 @@ interface(`libs_relabel_shared_libs',`
 	allow $1 lib_t:dir search_dir_perms;
 	allow $1 { shlib_t textrel_shlib_t }:file { relabelfrom relabelto };
 ')
+
+########################################
+## <summary>
+##	Create an object in lib directories, with
+##	the shared libraries type using a type transition.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="object">
+##	<summary>
+##	The object class of the object being created.
+##	</summary>
+## </param>
+#
+interface(`files_lib_filetrans_shared_lib',`
+	gen_require(`
+		type root_t;
+	')
+
+	allow $1 root_t:dir rw_dir_perms;
+	type_transition $1 root_t:$2 shlib_t;
+')

refpolicy/policy/modules/system/libraries.te

@@ -1,5 +1,5 @@
 
-policy_module(libraries,1.3.6)
+policy_module(libraries,1.3.7)
 
 ########################################
 #

refpolicy/policy/modules/system/userdomain.te

@@ -1,5 +1,5 @@
 
-policy_module(userdomain,1.3.24)
+policy_module(userdomain,1.3.25)
 
 gen_require(`
 	role sysadm_r, staff_r, user_r;
@@ -370,6 +370,7 @@ ifdef(`targeted_policy',`
 
 	optional_policy(`
 		portage_run(sysadm_t,sysadm_r,admin_terminal)
+		portage_run_gcc_config(sysadm_t,sysadm_r,admin_terminal)
 	')
 
 	optional_policy(`