add portage from gentoo
This commit is contained in:
parent
fe9b0543a2
commit
e1c41428e2
@ -1,4 +1,5 @@
|
||||
- Added modules:
|
||||
portage
|
||||
usernetctl
|
||||
|
||||
* Tue Jan 17 2006 Chris PeBenito <selinux@tresys.com> - 20060117
|
||||
|
21
refpolicy/policy/modules/admin/portage.fc
Normal file
21
refpolicy/policy/modules/admin/portage.fc
Normal file
@ -0,0 +1,21 @@
|
||||
/etc/make.conf -- gen_context(system_u:object_r:portage_conf_t,s0)
|
||||
/etc/make.globals -- gen_context(system_u:object_r:portage_conf_t,s0)
|
||||
/etc/portage(/.*)? gen_context(system_u:object_r:portage_conf_t,s0)
|
||||
|
||||
/usr/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
|
||||
/usr/lib(64)?/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
|
||||
/usr/lib(64)?/portage/bin/ebuild -- gen_context(system_u:object_r:portage_exec_t,s0)
|
||||
/usr/lib(64)?/portage/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0)
|
||||
/usr/lib(64)?/portage/bin/quickpkg -- gen_context(system_u:object_r:portage_exec_t,s0)
|
||||
/usr/lib(64)?/portage/bin/ebuild.sh -- gen_context(system_u:object_r:portage_exec_t,s0)
|
||||
/usr/lib(64)?/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0)
|
||||
/usr/lib(64)?/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
|
||||
|
||||
/usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
|
||||
|
||||
/var/db/pkg(/.*)? gen_context(system_u:object_r:portage_db_t,s0)
|
||||
/var/cache/edb(/.*)? gen_context(system_u:object_r:portage_cache_t,s0)
|
||||
/var/log/emerge.log.* -- gen_context(system_u:object_r:portage_log_t,s0)
|
||||
/var/lib/portage(/.*)? gen_context(system_u:object_r:portage_cache_t,s0)
|
||||
/var/tmp/portage(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
|
||||
/var/tmp/portage-pkg(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
|
199
refpolicy/policy/modules/admin/portage.if
Normal file
199
refpolicy/policy/modules/admin/portage.if
Normal file
@ -0,0 +1,199 @@
|
||||
## <summary>
|
||||
## Portage Package Management System. The primary package management and
|
||||
## distribution system for Gentoo.
|
||||
## </summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute emerge in the portage domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`portage_domtrans',`
|
||||
gen_require(`
|
||||
type portage_t, portage_exec_t;
|
||||
')
|
||||
|
||||
files_search_usr($1)
|
||||
corecmd_search_bin($1)
|
||||
domain_auto_trans($1,portage_exec_t,portage_t)
|
||||
|
||||
allow $1 portage_t:fd use;
|
||||
allow portage_t $1:fd use;
|
||||
allow portage_t $1:fifo_file rw_file_perms;
|
||||
allow portage_t $1:process sigchld;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute emerge in the portage domain, and
|
||||
## allow the specified role the portage domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## The role to allow the portage domain.
|
||||
## </param>
|
||||
## <param name="terminal">
|
||||
## The type of the terminal allow for portage to use.
|
||||
## </param>
|
||||
#
|
||||
interface(`portage_run',`
|
||||
gen_require(`
|
||||
type portage_t, portage_fetch_t, portage_sandbox_t;
|
||||
')
|
||||
|
||||
portage_domtrans($1)
|
||||
|
||||
role $2 types portage_t;
|
||||
role $2 types portage_fetch_t;
|
||||
role $2 types portage_sandbox_t;
|
||||
|
||||
allow portage_t $3:chr_file rw_term_perms;
|
||||
allow portage_fetch_t $3:chr_file rw_term_perms;
|
||||
allow portage_sandbox_t $3:chr_file rw_term_perms;
|
||||
|
||||
# not sure about this one, may be stray fds
|
||||
allow portage_t $1:udp_socket write;
|
||||
allow $1 portage_t:udp_socket write;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Template for portage sandbox.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Template for portage sandbox. Portage
|
||||
## does all compiling in the sandbox.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="prefix">
|
||||
## Name to be used to derive types.
|
||||
## </param>
|
||||
#
|
||||
template(`portage_compile_domain_template',`
|
||||
type $1_t;
|
||||
domain_type($1_t)
|
||||
domain_entry_file($1_t,portage_exec_t)
|
||||
|
||||
type $1_devpts_t;
|
||||
term_pty($1_devpts_t)
|
||||
|
||||
type $1_tmp_t;
|
||||
files_tmp_file($1_tmp_t)
|
||||
|
||||
type $1_tmpfs_t;
|
||||
files_tmpfs_file($1_tmpfs_t)
|
||||
|
||||
allow $1_t self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
|
||||
allow $1_t self:process { setpgid setsched setrlimit signal_perms execmem };
|
||||
allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
||||
allow $1_t self:fd use;
|
||||
allow $1_t self:fifo_file rw_file_perms;
|
||||
allow $1_t self:shm create_shm_perms;
|
||||
allow $1_t self:sem create_sem_perms;
|
||||
allow $1_t self:msgq create_msgq_perms;
|
||||
allow $1_t self:msg { send receive };
|
||||
allow $1_t self:unix_dgram_socket create_socket_perms;
|
||||
allow $1_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow $1_t self:unix_dgram_socket sendto;
|
||||
allow $1_t self:unix_stream_socket connectto;
|
||||
# really shouldnt need this
|
||||
allow $1_t self:tcp_socket create_stream_socket_perms;
|
||||
allow $1_t self:udp_socket create_socket_perms;
|
||||
# misc networking stuff (esp needed for compiling perl):
|
||||
allow $1_t self:rawip_socket { create ioctl };
|
||||
allow $1_t self:udp_socket recvfrom;
|
||||
# needed for merging dbus:
|
||||
allow $1_sandbox_t self:netlink_selinux_socket { bind create read };
|
||||
|
||||
allow $1_t $1_devpts_t:chr_file { rw_file_perms setattr };
|
||||
term_create_pty($1_t,$1_devpts_t)
|
||||
|
||||
allow $1_t $1_tmp_t:dir manage_dir_perms;
|
||||
allow $1_t $1_tmp_t:file manage_file_perms;
|
||||
allow $1_t $1_tmp_t:lnk_file create_lnk_perms;
|
||||
allow $1_t $1_tmp_t:fifo_file manage_file_perms;
|
||||
allow $1_t $1_tmp_t:sock_file manage_file_perms;
|
||||
files_create_tmp($1_t,$1_tmp_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
||||
allow $1_t $1_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
|
||||
allow $1_t $1_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
allow $1_t $1_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
|
||||
allow $1_t $1_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
allow $1_t $1_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
|
||||
fs_create_tmpfs_data($1_t,$1_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
|
||||
|
||||
# write merge logs
|
||||
allow $1_t portage_log_t:dir setattr;
|
||||
allow $1_t portage_log_t:file { append write setattr };
|
||||
|
||||
kernel_read_system_state($1_t)
|
||||
kernel_read_network_state($1_t)
|
||||
kernel_read_software_raid_state($1_t)
|
||||
kernel_getattr_core($1_t)
|
||||
kernel_getattr_message_if($1_t)
|
||||
kernel_read_kernel_sysctl($1_t)
|
||||
|
||||
corecmd_exec_bin($1_t)
|
||||
corecmd_exec_sbin($1_t)
|
||||
|
||||
# really shouldnt need this
|
||||
corenet_non_ipsec_sendrecv($1_t)
|
||||
corenet_tcp_sendrecv_generic_if($1_t)
|
||||
corenet_udp_sendrecv_generic_if($1_t)
|
||||
corenet_raw_sendrecv_generic_if($1_t)
|
||||
corenet_tcp_sendrecv_all_nodes($1_t)
|
||||
corenet_udp_sendrecv_all_nodes($1_t)
|
||||
corenet_raw_sendrecv_all_nodes($1_t)
|
||||
corenet_tcp_sendrecv_all_ports($1_t)
|
||||
corenet_udp_sendrecv_all_ports($1_t)
|
||||
corenet_tcp_connect_all_reserved_ports($1_t)
|
||||
corenet_tcp_connect_distccd_port($1_t)
|
||||
|
||||
dev_read_sysfs($1_t)
|
||||
dev_read_rand($1_t)
|
||||
dev_read_urand($1_t)
|
||||
|
||||
domain_exec_all_entry_files($1_t)
|
||||
domain_use_wide_inhert_fds($1_t)
|
||||
|
||||
files_exec_etc_files($1_t)
|
||||
files_exec_usr_src_files($1_t)
|
||||
|
||||
fs_getattr_xattr_fs($1_t)
|
||||
fs_list_noxattr_fs($1_t)
|
||||
fs_read_noxattr_fs_files($1_t)
|
||||
fs_read_noxattr_fs_symlinks($1_t)
|
||||
fs_search_auto_mountpoints($1_t)
|
||||
|
||||
# needed for merging dbus:
|
||||
selinux_compute_access_vector($1_t)
|
||||
|
||||
auth_read_all_dirs_except_shadow($1_t)
|
||||
auth_read_all_files_except_shadow($1_t)
|
||||
auth_read_all_symlinks_except_shadow($1_t)
|
||||
|
||||
libs_use_ld_so($1_t)
|
||||
libs_use_shared_libs($1_t)
|
||||
libs_exec_lib_files($1_t)
|
||||
# some config scripts use ldd
|
||||
libs_exec_ld_so($1_t)
|
||||
# this violates the idea of sandbox, but
|
||||
# regular sandbox allows it
|
||||
libs_domtrans_ldconfig($1_t)
|
||||
|
||||
logging_send_syslog_msg($1_t)
|
||||
|
||||
ifdef(`TODO',`
|
||||
# some gui ebuilds want to interact with X server, like xawtv
|
||||
optional_policy(`xdm',`
|
||||
allow $1_t xdm_xserver_tmp_t:dir { add_name remove_name write };
|
||||
allow $1_t xdm_xserver_tmp_t:sock_file { create getattr unlink write };
|
||||
')
|
||||
') dnl end TODO
|
||||
')
|
188
refpolicy/policy/modules/admin/portage.te
Normal file
188
refpolicy/policy/modules/admin/portage.te
Normal file
@ -0,0 +1,188 @@
|
||||
|
||||
policy_module(portage,1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
type portage_exec_t;
|
||||
files_type(portage_exec_t)
|
||||
|
||||
portage_compile_domain(portage)
|
||||
domain_obj_id_change_exempt(portage_t)
|
||||
|
||||
portage_compile_domain(portage_sandbox)
|
||||
# the shell is the entrypoint if regular sandbox is disabled
|
||||
# portage_exec_t is the entrypoint if regular sandbox is enabled
|
||||
corecmd_shell_entry_type(portage_sandbox_t)
|
||||
domain_entry_file(portage_sandbox_t,portage_exec_t)
|
||||
|
||||
type portage_ebuild_t;
|
||||
files_type(portage_ebuild_t)
|
||||
|
||||
type portage_fetch_t;
|
||||
domain_type(portage_fetch_t)
|
||||
|
||||
type portage_fetch_tmp_t;
|
||||
files_tmp_file(portage_fetch_tmp_t)
|
||||
|
||||
type portage_db_t;
|
||||
files_type(portage_db_t)
|
||||
|
||||
type portage_conf_t;
|
||||
files_type(portage_conf_t)
|
||||
|
||||
type portage_cache_t;
|
||||
files_type(portage_cache_t)
|
||||
|
||||
type portage_log_t;
|
||||
logging_log_file(portage_log_t)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Portage Rules
|
||||
#
|
||||
|
||||
# - setfscreate for merging to live fs
|
||||
# - setexec to run portage fetch
|
||||
allow portage_t self:process { setfscreate setexec };
|
||||
|
||||
# transition for rsync and wget
|
||||
corecmd_shell_spec_domtrans(portage_t,portage_fetch_t)
|
||||
allow portage_fetch_t portage_t:fd use;
|
||||
allow portage_fetch_t portage_t:fifo_file rw_file_perms;
|
||||
allow portage_fetch_t portage_t:process sigchld;
|
||||
|
||||
allow portage_t portage_log_t:file create_file_perms;
|
||||
logging_create_log(portage_t,portage_log_t)
|
||||
|
||||
# transition to sandbox for compiling
|
||||
domain_trans(portage_t,portage_exec_t,portage_sandbox_t)
|
||||
corecmd_shell_spec_domtrans(portage_t,portage_sandbox_t)
|
||||
allow portage_sandbox_t portage_t:fd use;
|
||||
allow portage_sandbox_t portage_t:fifo_file rw_file_perms;
|
||||
allow portage_sandbox_t portage_t:process sigchld;
|
||||
|
||||
# run scripts out of the build directory
|
||||
can_exec($1_t,portage_tmp_t)
|
||||
|
||||
# merging baselayout will need this:
|
||||
kernel_write_proc_file(portage_t)
|
||||
|
||||
domain_dontaudit_read_all_domains_state(portage_t)
|
||||
|
||||
# modify any files in the system
|
||||
files_manage_all_files(portage_t)
|
||||
|
||||
selinux_get_fs_mount(portage_t)
|
||||
|
||||
# merging baselayout will need this:
|
||||
init_exec(portage_t)
|
||||
|
||||
# run setfiles -r
|
||||
seutil_domtrans_setfiles(portage_t)
|
||||
|
||||
optional_policy(`bootloader',`
|
||||
bootloader_domtrans(portage_t)
|
||||
')
|
||||
|
||||
optional_policy(`modutils',`
|
||||
modutils_domtrans_depmod(portage_t)
|
||||
modutils_domtrans_update_modules(portage_t)
|
||||
#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
|
||||
')
|
||||
|
||||
optional_policy(`usermanage',`
|
||||
usermanage_domtrans_groupadd(portage_t)
|
||||
usermanage_domtrans_useradd(portage_t)
|
||||
')
|
||||
|
||||
# seems to work ok without these
|
||||
dontaudit portage_t device_t:{ blk_file chr_file } getattr;
|
||||
dontaudit portage_t proc_t:dir setattr;
|
||||
dontaudit portage_t device_type:{ chr_file blk_file } r_file_perms;
|
||||
|
||||
##########################################
|
||||
#
|
||||
# Portage fetch domain
|
||||
# - for rsync and distfile fetching
|
||||
#
|
||||
|
||||
allow portage_fetch_t self:capability dac_override;
|
||||
dontaudit portage_fetch_t self:capability { fowner fsetid };
|
||||
allow portage_fetch_t self:unix_stream_socket create_socket_perms;
|
||||
allow portage_fetch_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
allow portage_fetch_t portage_conf_t:dir list_dir_perms;
|
||||
allow portage_fetch_t portage_conf_t:file r_file_perms;
|
||||
|
||||
allow portage_fetch_t portage_ebuild_t:dir manage_dir_perms;
|
||||
allow portage_fetch_t portage_ebuild_t:file manage_file_perms;
|
||||
|
||||
allow portage_fetch_t portage_fetch_tmp_t:dir create_dir_perms;
|
||||
allow portage_fetch_t portage_fetch_tmp_t:file create_file_perms;
|
||||
files_create_tmp_files(portage_fetch_t, portage_fetch_tmp_t, { file dir })
|
||||
|
||||
# portage makes home dir the portage tmp dir, so
|
||||
# wget looks for .wgetrc there
|
||||
dontaudit portage_fetch_t portage_tmp_t:dir search_dir_perms;
|
||||
|
||||
kernel_read_system_state(portage_fetch_t)
|
||||
kernel_read_kernel_sysctl(portage_fetch_t)
|
||||
|
||||
corecmd_exec_bin(portage_fetch_t)
|
||||
corecmd_exec_sbin(portage_fetch_t)
|
||||
|
||||
corenet_non_ipsec_sendrecv(portage_fetch_t)
|
||||
corenet_tcp_sendrecv_generic_if(portage_fetch_t)
|
||||
corenet_tcp_sendrecv_all_nodes(portage_fetch_t)
|
||||
corenet_tcp_sendrecv_all_ports(portage_fetch_t)
|
||||
# would rather not connect to unspecified ports, but
|
||||
# it occasionally comes up
|
||||
corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
|
||||
corenet_tcp_connect_generic_port(portage_fetch_t)
|
||||
|
||||
dev_search_ptys(portage_fetch_t)
|
||||
dev_dontaudit_read_rand(portage_fetch_t)
|
||||
|
||||
domain_use_wide_inherit_fds(portage_fetch_t)
|
||||
|
||||
files_read_etc_files(portage_fetch_t)
|
||||
files_read_etc_runtime_files(portage_fetch_t)
|
||||
files_search_var(portage_fetch_t)
|
||||
files_dontaudit_search_pids(portage_fetch_t)
|
||||
|
||||
libs_use_ld_so(portage_fetch_t)
|
||||
libs_use_shared_libs(portage_fetch_t)
|
||||
|
||||
miscfiles_read_localization(portage_fetch_t)
|
||||
|
||||
sysnet_read_config(portage_fetch_t)
|
||||
sysnet_dns_name_resolve(portage_fetch_t)
|
||||
|
||||
userdom_dontaudit_read_sysadm_home_files(portage_fetch_t)
|
||||
|
||||
ifdef(`hide_broken_symptoms',`
|
||||
dontaudit portage_fetch_t portage_cache_t:file read;
|
||||
')
|
||||
|
||||
ifdef(`TODO',`
|
||||
domain_auto_trans(portage_t, rsyncd_exec_t, portage_fetch_t)
|
||||
')
|
||||
|
||||
##########################################
|
||||
#
|
||||
# Portage sandbox domain
|
||||
# - SELinux-enforced sandbox
|
||||
#
|
||||
|
||||
# seems ok w/o this
|
||||
dontaudit portage_sandbox_t portage_cache_t:dir { setattr };
|
||||
dontaudit portage_sandbox_t portage_cache_t:file { setattr write };
|
||||
|
||||
allow portage_sandbox_t portage_tmp_t:dir manage_dir_perms;
|
||||
allow portage_sandbox_t portage_tmp_t:file manage_dir_perms;
|
||||
allow portage_sandbox_t portage_tmp_t:lnk_file create_lnk_perms;
|
||||
# run scripts out of the build directory
|
||||
can_exec(portage_sandbox_t,portage_tmp_t)
|
@ -1519,7 +1519,8 @@ interface(`dev_rw_printer',`
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read from random devices (e.g., /dev/random)
|
||||
## Read from random number generator
|
||||
## devices (e.g., /dev/random)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
@ -1534,6 +1535,23 @@ interface(`dev_read_rand',`
|
||||
allow $1 random_device_t:chr_file r_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to read from random
|
||||
## number generator devices (e.g., /dev/random)
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain allowed access.
|
||||
## </param>
|
||||
#
|
||||
interface(`dev_dontaudit_read_rand',`
|
||||
gen_require(`
|
||||
type random_device_t;
|
||||
')
|
||||
|
||||
dontaudit $1 random_device_t:chr_file { getattr read };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Write to the random device (e.g., /dev/random). This adds
|
||||
|
@ -2736,9 +2736,9 @@ interface(`userdom_search_sysadm_home_dir',`
|
||||
#
|
||||
interface(`userdom_dontaudit_search_sysadm_home_dir',`
|
||||
ifdef(`targeted_policy',`
|
||||
gen_require(`
|
||||
type user_home_dir_t;
|
||||
')
|
||||
gen_require(`
|
||||
type user_home_dir_t;
|
||||
')
|
||||
|
||||
dontaudit $1 user_home_dir_t:dir search_dir_perms;
|
||||
',`
|
||||
@ -2783,6 +2783,33 @@ interface(`userdom_dontaudit_list_sysadm_home_dir',`
|
||||
dontaudit $1 sysadm_home_dir_t:dir list_dir_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to search the sysadm
|
||||
## users home directory.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## Domain to not audit.
|
||||
## </param>
|
||||
#
|
||||
interface(`userdom_dontaudit_read_sysadm_home_files',`
|
||||
ifdef(`targeted_policy',`
|
||||
gen_require(`
|
||||
type user_home_dir_t, user_home_t;
|
||||
')
|
||||
|
||||
dontaudit $1 user_home_dir_t:dir search_dir_perms;
|
||||
dontaudit $1 user_home_t:file r_file_perms;
|
||||
',`
|
||||
gen_require(`
|
||||
type sysadm_home_dir_t, sysadm_home_t;
|
||||
')
|
||||
|
||||
dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
|
||||
dontaudit $1 sysadm_home_t:dir r_file_perms;
|
||||
')
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Create objects in sysadm home directories
|
||||
|
@ -274,6 +274,10 @@ ifdef(`targeted_policy',`
|
||||
pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`portage',`
|
||||
portage_run(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
||||
optional_policy(`portmap',`
|
||||
portmap_run_helper(sysadm_t,sysadm_r,admin_terminal)
|
||||
')
|
||||
|
Loading…
Reference in New Issue
Block a user