trunk: Remove hierarchy from portage module as it is not a good example of hierarchy.
This commit is contained in:
parent
b19f862271
commit
aea3f28e40
|
@ -1,3 +1,5 @@
|
|||
- Remove hierarchy from portage module as it is not a good example of
|
||||
hieararchy.
|
||||
- Remove enableaudit target from modular build as semodule -DB supplants it.
|
||||
|
||||
* Tue Oct 14 2008 Chris PeBenito <selinux@tresys.com> - 20081014
|
||||
|
|
|
@ -15,20 +15,14 @@
|
|||
#
|
||||
interface(`portage_domtrans',`
|
||||
gen_require(`
|
||||
type portage_t, portage_t.merge, portage_exec_t;
|
||||
type portage_t, portage_exec_t;
|
||||
')
|
||||
|
||||
files_search_usr($1)
|
||||
corecmd_search_bin($1)
|
||||
|
||||
# constraining domain
|
||||
domain_trans($1,portage_exec_t,portage_t)
|
||||
allow portage_t $1:fd use;
|
||||
allow portage_t $1:fifo_file rw_fifo_file_perms;
|
||||
allow portage_t $1:process sigchld;
|
||||
|
||||
# transition to portage
|
||||
domtrans_pattern($1, portage_exec_t, portage_t.merge)
|
||||
domtrans_pattern($1, portage_exec_t, portage_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -55,21 +49,14 @@ interface(`portage_domtrans',`
|
|||
#
|
||||
interface(`portage_run',`
|
||||
gen_require(`
|
||||
type portage_t;
|
||||
type portage_t.merge, portage_t.fetch, portage_t.sandbox;
|
||||
type portage_t, portage_fetch_t, portage_sandbox_t;
|
||||
')
|
||||
|
||||
portage_domtrans($1)
|
||||
|
||||
# constraining access
|
||||
role $2 types portage_t;
|
||||
role $2 types { portage_t portage_fetch_t portage_sandbox_t };
|
||||
allow portage_t $3:chr_file rw_term_perms;
|
||||
|
||||
# specific access
|
||||
role $2 types { portage_t.merge portage_t.fetch portage_t.sandbox };
|
||||
allow portage_t.merge $3:chr_file rw_term_perms;
|
||||
allow portage_t.fetch $3:chr_file rw_term_perms;
|
||||
allow portage_t.sandbox $3:chr_file rw_term_perms;
|
||||
allow portage_fetch_t $3:chr_file rw_term_perms;
|
||||
allow portage_sandbox_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
|
@ -210,156 +197,6 @@ interface(`portage_compile_domain',`
|
|||
') dnl end TODO
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Template for portage fetch.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain Allowed Access
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`portage_fetch_domain',`
|
||||
gen_require(`
|
||||
type portage_cache_t, portage_conf_t, portage_ebuild_t;
|
||||
type portage_tmp_t, portage_fetch_tmp_t;
|
||||
')
|
||||
|
||||
allow $1 self:capability { dac_override fowner fsetid };
|
||||
allow $1 self:process signal;
|
||||
allow $1 self:unix_stream_socket create_socket_perms;
|
||||
allow $1 self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
allow $1 portage_conf_t:dir list_dir_perms;
|
||||
read_files_pattern($1, portage_conf_t, portage_conf_t)
|
||||
|
||||
manage_dirs_pattern($1, portage_ebuild_t, portage_ebuild_t)
|
||||
manage_files_pattern($1, portage_ebuild_t, portage_ebuild_t)
|
||||
|
||||
manage_dirs_pattern($1, portage_fetch_tmp_t, portage_fetch_tmp_t)
|
||||
manage_files_pattern($1, portage_fetch_tmp_t, portage_fetch_tmp_t)
|
||||
|
||||
# portage makes home dir the portage tmp dir, so
|
||||
# wget looks for .wgetrc there
|
||||
dontaudit $1 portage_tmp_t:dir search_dir_perms;
|
||||
|
||||
kernel_read_system_state($1)
|
||||
kernel_read_kernel_sysctls($1)
|
||||
|
||||
corecmd_exec_bin($1)
|
||||
|
||||
corenet_all_recvfrom_unlabeled($1)
|
||||
corenet_all_recvfrom_netlabel($1)
|
||||
corenet_tcp_sendrecv_generic_if($1)
|
||||
corenet_tcp_sendrecv_all_nodes($1)
|
||||
corenet_tcp_sendrecv_all_ports($1)
|
||||
# would rather not connect to unspecified ports, but
|
||||
# it occasionally comes up
|
||||
corenet_tcp_connect_all_reserved_ports($1)
|
||||
corenet_tcp_connect_generic_port($1)
|
||||
|
||||
dev_dontaudit_read_rand($1)
|
||||
|
||||
domain_use_interactive_fds($1)
|
||||
|
||||
files_read_etc_files($1)
|
||||
files_read_etc_runtime_files($1)
|
||||
files_search_var($1)
|
||||
files_dontaudit_search_pids($1)
|
||||
|
||||
term_search_ptys($1)
|
||||
|
||||
libs_use_ld_so($1)
|
||||
libs_use_shared_libs($1)
|
||||
|
||||
miscfiles_read_localization($1)
|
||||
|
||||
sysnet_read_config($1)
|
||||
sysnet_dns_name_resolve($1)
|
||||
|
||||
sysadm_dontaudit_read_home_content_files($1)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
dontaudit $1 portage_cache_t:file read;
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Template for portage main.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain Allowed Access
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`portage_main_domain',`
|
||||
gen_require(`
|
||||
type portage_log_t, portage_tmp_t;
|
||||
')
|
||||
|
||||
# - setfscreate for merging to live fs
|
||||
# - setexec to run portage fetch
|
||||
allow $1 self:process { setfscreate setexec };
|
||||
|
||||
# if sesandbox is disabled, compiles are
|
||||
# performed in the main domain
|
||||
portage_compile_domain($1)
|
||||
|
||||
allow $1 portage_log_t:file manage_file_perms;
|
||||
logging_log_filetrans($1, portage_log_t, file)
|
||||
|
||||
# run scripts out of the build directory
|
||||
can_exec($1, portage_tmp_t)
|
||||
|
||||
# merging baselayout will need this:
|
||||
kernel_write_proc_files($1)
|
||||
|
||||
domain_dontaudit_read_all_domains_state($1)
|
||||
|
||||
# modify any files in the system
|
||||
files_manage_all_files($1)
|
||||
|
||||
selinux_get_fs_mount($1)
|
||||
|
||||
auth_manage_shadow($1)
|
||||
|
||||
# merging baselayout will need this:
|
||||
init_exec($1)
|
||||
|
||||
# run setfiles -r
|
||||
seutil_domtrans_setfiles($1)
|
||||
# run semodule
|
||||
seutil_domtrans_semanage($1)
|
||||
|
||||
portage_domtrans_gcc_config($1)
|
||||
|
||||
optional_policy(`
|
||||
bootloader_domtrans($1)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
modutils_domtrans_depmod($1)
|
||||
modutils_domtrans_update_mods($1)
|
||||
#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
usermanage_domtrans_groupadd($1)
|
||||
usermanage_domtrans_useradd($1)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# seems to work ok without these
|
||||
dontaudit portage_t device_t:{ blk_file chr_file } getattr;
|
||||
dontaudit portage_t proc_t:dir setattr;
|
||||
dontaudit portage_t device_type:chr_file read_chr_file_perms;
|
||||
dontaudit portage_t device_type:blk_file read_blk_file_perms;
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute gcc-config in the gcc_config domain.
|
||||
|
@ -409,8 +246,6 @@ interface(`portage_run_gcc_config',`
|
|||
')
|
||||
|
||||
portage_domtrans_gcc_config($1)
|
||||
|
||||
# constraining access
|
||||
role $2 types gcc_config_t;
|
||||
allow gcc_config_t $3:chr_file rw_term_perms;
|
||||
')
|
||||
|
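Review bot: The new `role $2 types { portage_t portage_fetch_t portage_sandbox_t };` in `portage_run` hands portage_t to the caller's role with no change to the interface documentation, yet elsewhere in this commit (portage.te) portage_t is granted `files_manage_all_files` and `auth_manage_shadow`, so any role passed as $2 can effectively rewrite every file on the system. I would add to the `portage_run` summary block (which starts outside this hunk) a line such as `## Only administrative roles should be given this interface: portage_t can manage all files, including shadow.` The hunk that deletes `portage_fetch_domain` and `portage_main_domain` removes two interfaces from the public .if, so any out-of-tree module that called them will stop building, which the changelog entry does not mention; if that is intended, a deprecation note in the changelog would be appropriate.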
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(portage, 1.6.0)
|
||||
policy_module(portage, 1.6.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -14,26 +14,22 @@ application_domain(gcc_config_t, gcc_config_exec_t)
|
|||
type portage_t;
|
||||
type portage_exec_t;
|
||||
application_domain(portage_t, portage_exec_t)
|
||||
domain_obj_id_change_exemption(portage_t)
|
||||
rsync_entry_type(portage_t)
|
||||
corecmd_shell_entry_type(portage_t)
|
||||
|
||||
# portage domain for merging packages to the live fs
|
||||
type portage_t.merge;
|
||||
application_domain(portage_t.merge, portage_exec_t)
|
||||
domain_obj_id_change_exemption(portage_t.merge)
|
||||
|
||||
# portage compile sandbox domain
|
||||
type portage_t.sandbox alias portage_sandbox_t;
|
||||
application_domain(portage_t.sandbox,portage_exec_t)
|
||||
type portage_sandbox_t;
|
||||
application_domain(portage_sandbox_t, portage_exec_t)
|
||||
# the shell is the entrypoint if regular sandbox is disabled
|
||||
# portage_exec_t is the entrypoint if regular sandbox is enabled
|
||||
corecmd_shell_entry_type(portage_t.sandbox)
|
||||
corecmd_shell_entry_type(portage_sandbox_t)
|
||||
|
||||
# portage package fetching domain
|
||||
type portage_t.fetch alias portage_fetch_t;
|
||||
application_type(portage_t.fetch)
|
||||
corecmd_shell_entry_type(portage_t.fetch)
|
||||
rsync_entry_type(portage_t.fetch)
|
||||
type portage_fetch_t;
|
||||
application_type(portage_fetch_t)
|
||||
corecmd_shell_entry_type(portage_fetch_t)
|
||||
rsync_entry_type(portage_fetch_t)
|
||||
|
||||
type portage_devpts_t;
|
||||
term_pty(portage_devpts_t)
|
||||
|
@ -117,44 +113,83 @@ optional_policy(`
|
|||
seutil_use_newrole_fds(gcc_config_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Portage Constraining Rules
|
||||
#
|
||||
|
||||
portage_main_domain(portage_t)
|
||||
portage_compile_domain(portage_t)
|
||||
portage_fetch_domain(portage_t)
|
||||
|
||||
# transition between child domains on shells and rsync
|
||||
corecmd_shell_spec_domtrans(portage_t, portage_t)
|
||||
rsync_entry_spec_domtrans(portage_t, portage_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Portage Merging Rules
|
||||
#
|
||||
|
||||
portage_main_domain(portage_t.merge)
|
||||
# - setfscreate for merging to live fs
|
||||
# - setexec to run portage fetch
|
||||
allow portage_t self:process { setfscreate setexec };
|
||||
|
||||
# if sesandbox is disabled, compiling is performed in this domain
|
||||
portage_compile_domain(portage_t.merge)
|
||||
allow portage_t portage_log_t:file manage_file_perms;
|
||||
logging_log_filetrans(portage_t, portage_log_t, file)
|
||||
|
||||
allow portage_t.merge { portage_t.fetch portage_t.sandbox }:process signal;
|
||||
allow portage_t { portage_fetch_t portage_sandbox_t }:process signal;
|
||||
|
||||
# transition for rsync and wget
|
||||
corecmd_shell_spec_domtrans(portage_t.merge,portage_t.fetch)
|
||||
rsync_entry_domtrans(portage_t.merge, portage_t.fetch)
|
||||
allow portage_t.fetch portage_t.merge:fd use;
|
||||
allow portage_t.fetch portage_t.merge:fifo_file rw_file_perms;
|
||||
allow portage_t.fetch portage_t.merge:process sigchld;
|
||||
corecmd_shell_spec_domtrans(portage_t, portage_fetch_t)
|
||||
rsync_entry_domtrans(portage_t, portage_fetch_t)
|
||||
allow portage_fetch_t portage_t:fd use;
|
||||
allow portage_fetch_t portage_t:fifo_file rw_file_perms;
|
||||
allow portage_fetch_t portage_t:process sigchld;
|
||||
|
||||
# transition to sandbox for compiling
|
||||
domain_trans(portage_t.merge, portage_exec_t, portage_t.sandbox)
|
||||
corecmd_shell_spec_domtrans(portage_t.merge, portage_t.sandbox)
|
||||
allow portage_t.sandbox portage_t.merge:fd use;
|
||||
allow portage_t.sandbox portage_t.merge:fifo_file rw_file_perms;
|
||||
allow portage_t.sandbox portage_t.merge:process sigchld;
|
||||
domain_trans(portage_t, portage_exec_t, portage_sandbox_t)
|
||||
corecmd_shell_spec_domtrans(portage_t, portage_sandbox_t)
|
||||
allow portage_sandbox_t portage_t:fd use;
|
||||
allow portage_sandbox_t portage_t:fifo_file rw_file_perms;
|
||||
allow portage_sandbox_t portage_t:process sigchld;
|
||||
|
||||
# run scripts out of the build directory
|
||||
can_exec(portage_t, portage_tmp_t)
|
||||
|
||||
# merging baselayout will need this:
|
||||
kernel_write_proc_files(portage_t)
|
||||
|
||||
domain_dontaudit_read_all_domains_state(portage_t)
|
||||
|
||||
# modify any files in the system
|
||||
files_manage_all_files(portage_t)
|
||||
|
||||
selinux_get_fs_mount(portage_t)
|
||||
|
||||
auth_manage_shadow(portage_t)
|
||||
|
||||
# merging baselayout will need this:
|
||||
init_exec(portage_t)
|
||||
|
||||
# run setfiles -r
|
||||
seutil_domtrans_setfiles(portage_t)
|
||||
# run semodule
|
||||
seutil_domtrans_semanage(portage_t)
|
||||
|
||||
portage_domtrans_gcc_config(portage_t)
|
||||
# if sesandbox is disabled, compiling is performed in this domain
|
||||
portage_compile_domain(portage_t)
|
||||
|
||||
optional_policy(`
|
||||
bootloader_domtrans(portage_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
modutils_domtrans_depmod(portage_t)
|
||||
modutils_domtrans_update_mods(portage_t)
|
||||
#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
usermanage_domtrans_groupadd(portage_t)
|
||||
usermanage_domtrans_useradd(portage_t)
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
# seems to work ok without these
|
||||
dontaudit portage_t device_t:{ blk_file chr_file } getattr;
|
||||
dontaudit portage_t proc_t:dir setattr;
|
||||
dontaudit portage_t device_type:chr_file read_chr_file_perms;
|
||||
dontaudit portage_t device_type:blk_file read_blk_file_perms;
|
||||
')
|
||||
|
||||
##########################################
|
||||
#
|
||||
|
@ -162,11 +197,64 @@ allow portage_t.sandbox portage_t.merge:process sigchld;
|
|||
# - for rsync and distfile fetching
|
||||
#
|
||||
|
||||
portage_fetch_domain(portage_t.fetch)
|
||||
allow portage_fetch_t self:capability { dac_override fowner fsetid };
|
||||
allow portage_fetch_t self:process signal;
|
||||
allow portage_fetch_t self:unix_stream_socket create_socket_perms;
|
||||
allow portage_fetch_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
# this rule is outside of the above macro to fix conflicting type
|
||||
# transitions seen in the rules for the constraining type (portage_t)
|
||||
files_tmp_filetrans(portage_t.fetch, portage_fetch_tmp_t, { file dir })
|
||||
allow portage_fetch_t portage_conf_t:dir list_dir_perms;
|
||||
read_files_pattern(portage_fetch_t, portage_conf_t, portage_conf_t)
|
||||
|
||||
manage_dirs_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t)
|
||||
manage_files_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t)
|
||||
|
||||
manage_dirs_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t)
|
||||
manage_files_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t)
|
||||
files_tmp_filetrans(portage_fetch_t, portage_fetch_tmp_t, { file dir })
|
||||
|
||||
# portage makes home dir the portage tmp dir, so
|
||||
# wget looks for .wgetrc there
|
||||
dontaudit portage_fetch_t portage_tmp_t:dir search_dir_perms;
|
||||
|
||||
kernel_read_system_state(portage_fetch_t)
|
||||
kernel_read_kernel_sysctls(portage_fetch_t)
|
||||
|
||||
corecmd_exec_bin(portage_fetch_t)
|
||||
|
||||
corenet_all_recvfrom_unlabeled(portage_fetch_t)
|
||||
corenet_all_recvfrom_netlabel(portage_fetch_t)
|
||||
corenet_tcp_sendrecv_generic_if(portage_fetch_t)
|
||||
corenet_tcp_sendrecv_all_nodes(portage_fetch_t)
|
||||
corenet_tcp_sendrecv_all_ports(portage_fetch_t)
|
||||
# would rather not connect to unspecified ports, but
|
||||
# it occasionally comes up
|
||||
corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
|
||||
corenet_tcp_connect_generic_port(portage_fetch_t)
|
||||
|
||||
dev_dontaudit_read_rand(portage_fetch_t)
|
||||
|
||||
domain_use_interactive_fds(portage_fetch_t)
|
||||
|
||||
files_read_etc_files(portage_fetch_t)
|
||||
files_read_etc_runtime_files(portage_fetch_t)
|
||||
files_search_var(portage_fetch_t)
|
||||
files_dontaudit_search_pids(portage_fetch_t)
|
||||
|
||||
term_search_ptys(portage_fetch_t)
|
||||
|
||||
libs_use_ld_so(portage_fetch_t)
|
||||
libs_use_shared_libs(portage_fetch_t)
|
||||
|
||||
miscfiles_read_localization(portage_fetch_t)
|
||||
|
||||
sysnet_read_config(portage_fetch_t)
|
||||
sysnet_dns_name_resolve(portage_fetch_t)
|
||||
|
||||
sysadm_dontaudit_read_home_content_files(portage_fetch_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
dontaudit portage_fetch_t portage_cache_t:file read;
|
||||
')
|
||||
|
||||
##########################################
|
||||
#
|
||||
|
@ -174,10 +262,10 @@ files_tmp_filetrans(portage_t.fetch, portage_fetch_tmp_t, { file dir })
|
|||
# - SELinux-enforced sandbox
|
||||
#
|
||||
|
||||
portage_compile_domain(portage_t.sandbox)
|
||||
portage_compile_domain(portage_sandbox_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
# leaked descriptors
|
||||
dontaudit portage_t.sandbox portage_cache_t:dir { setattr };
|
||||
dontaudit portage_t.sandbox portage_cache_t:file { setattr write };
|
||||
dontaudit portage_sandbox_t portage_cache_t:dir { setattr };
|
||||
dontaudit portage_sandbox_t portage_cache_t:file { setattr write };
|
||||
')
|
||||
|
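Review bot: The rules inlined under "Portage Merging Rules" — `files_manage_all_files(portage_t)`, `auth_manage_shadow(portage_t)`, `seutil_domtrans_semanage(portage_t)` and `init_exec(portage_t)` — make portage_t a domain that can rewrite the live filesystem, /etc/shadow and the loaded policy, but the section header says nothing about that, and with the hierarchy gone portage_t is no longer merely the bounding type for its children. I would extend the header to `# portage_t merges packages to the live fs: it may manage all files (incl. shadow) and load policy, so treat it as an admin-equivalent domain and expose it only to admin roles via portage_run`. Because portage_fetch_t and portage_sandbox_t are no longer bounded by portage_t, the network rules given to portage_fetch_t (`corenet_tcp_sendrecv_all_ports`, `corenet_tcp_connect_all_reserved_ports`) and the sandbox rules now stand on their own; it is worth confirming neither exceeds what the old bounded child could do. It also looks like the former `portage_fetch_domain(portage_t)` call on the constraining type was deliberately not carried over, so the merge domain loses direct network access — a tightening, but a behaviour change the changelog does not mention.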
|