add portage from gentoo

This commit is contained in:
Chris PeBenito 2006-01-18 14:48:24 +00:00
parent fe9b0543a2
commit e1c41428e2
7 changed files with 462 additions and 4 deletions

View File

@ -1,4 +1,5 @@
- Added modules:
portage
usernetctl
* Tue Jan 17 2006 Chris PeBenito <selinux@tresys.com> - 20060117

View File

@ -0,0 +1,21 @@
/etc/make.conf -- gen_context(system_u:object_r:portage_conf_t,s0)
/etc/make.globals -- gen_context(system_u:object_r:portage_conf_t,s0)
/etc/portage(/.*)? gen_context(system_u:object_r:portage_conf_t,s0)
/usr/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib(64)?/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/portage/bin/ebuild -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib(64)?/portage/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib(64)?/portage/bin/quickpkg -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib(64)?/portage/bin/ebuild.sh -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib(64)?/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib(64)?/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
/var/db/pkg(/.*)? gen_context(system_u:object_r:portage_db_t,s0)
/var/cache/edb(/.*)? gen_context(system_u:object_r:portage_cache_t,s0)
/var/log/emerge.log.* -- gen_context(system_u:object_r:portage_log_t,s0)
/var/lib/portage(/.*)? gen_context(system_u:object_r:portage_cache_t,s0)
/var/tmp/portage(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
/var/tmp/portage-pkg(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)

View File

@ -0,0 +1,199 @@
## <summary>
## Portage Package Management System. The primary package management and
## distribution system for Gentoo.
## </summary>
########################################
## <summary>
## Execute emerge in the portage domain.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`portage_domtrans',`
gen_require(`
type portage_t, portage_exec_t;
')
files_search_usr($1)
corecmd_search_bin($1)
domain_auto_trans($1,portage_exec_t,portage_t)
allow $1 portage_t:fd use;
allow portage_t $1:fd use;
allow portage_t $1:fifo_file rw_file_perms;
allow portage_t $1:process sigchld;
')
########################################
## <summary>
## Execute emerge in the portage domain, and
## allow the specified role the portage domain.
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
## <param name="role">
## The role to allow the portage domain.
## </param>
## <param name="terminal">
## The type of the terminal allow for portage to use.
## </param>
#
interface(`portage_run',`
gen_require(`
type portage_t, portage_fetch_t, portage_sandbox_t;
')
portage_domtrans($1)
role $2 types portage_t;
role $2 types portage_fetch_t;
role $2 types portage_sandbox_t;
allow portage_t $3:chr_file rw_term_perms;
allow portage_fetch_t $3:chr_file rw_term_perms;
allow portage_sandbox_t $3:chr_file rw_term_perms;
# not sure about this one, may be stray fds
allow portage_t $1:udp_socket write;
allow $1 portage_t:udp_socket write;
')
########################################
## <summary>
## Template for portage sandbox.
## </summary>
## <desc>
## <p>
## Template for portage sandbox. Portage
## does all compiling in the sandbox.
## </p>
## </desc>
## <param name="prefix">
## Name to be used to derive types.
## </param>
#
template(`portage_compile_domain_template',`
type $1_t;
domain_type($1_t)
domain_entry_file($1_t,portage_exec_t)
type $1_devpts_t;
term_pty($1_devpts_t)
type $1_tmp_t;
files_tmp_file($1_tmp_t)
type $1_tmpfs_t;
files_tmpfs_file($1_tmpfs_t)
allow $1_t self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
allow $1_t self:process { setpgid setsched setrlimit signal_perms execmem };
allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_t self:fd use;
allow $1_t self:fifo_file rw_file_perms;
allow $1_t self:shm create_shm_perms;
allow $1_t self:sem create_sem_perms;
allow $1_t self:msgq create_msgq_perms;
allow $1_t self:msg { send receive };
allow $1_t self:unix_dgram_socket create_socket_perms;
allow $1_t self:unix_stream_socket create_stream_socket_perms;
allow $1_t self:unix_dgram_socket sendto;
allow $1_t self:unix_stream_socket connectto;
# really shouldnt need this
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:udp_socket create_socket_perms;
# misc networking stuff (esp needed for compiling perl):
allow $1_t self:rawip_socket { create ioctl };
allow $1_t self:udp_socket recvfrom;
# needed for merging dbus:
allow $1_sandbox_t self:netlink_selinux_socket { bind create read };
allow $1_t $1_devpts_t:chr_file { rw_file_perms setattr };
term_create_pty($1_t,$1_devpts_t)
allow $1_t $1_tmp_t:dir manage_dir_perms;
allow $1_t $1_tmp_t:file manage_file_perms;
allow $1_t $1_tmp_t:lnk_file create_lnk_perms;
allow $1_t $1_tmp_t:fifo_file manage_file_perms;
allow $1_t $1_tmp_t:sock_file manage_file_perms;
files_create_tmp($1_t,$1_tmp_t,{ dir file lnk_file sock_file fifo_file })
allow $1_t $1_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
allow $1_t $1_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
allow $1_t $1_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
allow $1_t $1_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
allow $1_t $1_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
fs_create_tmpfs_data($1_t,$1_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
# write merge logs
allow $1_t portage_log_t:dir setattr;
allow $1_t portage_log_t:file { append write setattr };
kernel_read_system_state($1_t)
kernel_read_network_state($1_t)
kernel_read_software_raid_state($1_t)
kernel_getattr_core($1_t)
kernel_getattr_message_if($1_t)
kernel_read_kernel_sysctl($1_t)
corecmd_exec_bin($1_t)
corecmd_exec_sbin($1_t)
# really shouldnt need this
corenet_non_ipsec_sendrecv($1_t)
corenet_tcp_sendrecv_generic_if($1_t)
corenet_udp_sendrecv_generic_if($1_t)
corenet_raw_sendrecv_generic_if($1_t)
corenet_tcp_sendrecv_all_nodes($1_t)
corenet_udp_sendrecv_all_nodes($1_t)
corenet_raw_sendrecv_all_nodes($1_t)
corenet_tcp_sendrecv_all_ports($1_t)
corenet_udp_sendrecv_all_ports($1_t)
corenet_tcp_connect_all_reserved_ports($1_t)
corenet_tcp_connect_distccd_port($1_t)
dev_read_sysfs($1_t)
dev_read_rand($1_t)
dev_read_urand($1_t)
domain_exec_all_entry_files($1_t)
domain_use_wide_inhert_fds($1_t)
files_exec_etc_files($1_t)
files_exec_usr_src_files($1_t)
fs_getattr_xattr_fs($1_t)
fs_list_noxattr_fs($1_t)
fs_read_noxattr_fs_files($1_t)
fs_read_noxattr_fs_symlinks($1_t)
fs_search_auto_mountpoints($1_t)
# needed for merging dbus:
selinux_compute_access_vector($1_t)
auth_read_all_dirs_except_shadow($1_t)
auth_read_all_files_except_shadow($1_t)
auth_read_all_symlinks_except_shadow($1_t)
libs_use_ld_so($1_t)
libs_use_shared_libs($1_t)
libs_exec_lib_files($1_t)
# some config scripts use ldd
libs_exec_ld_so($1_t)
# this violates the idea of sandbox, but
# regular sandbox allows it
libs_domtrans_ldconfig($1_t)
logging_send_syslog_msg($1_t)
ifdef(`TODO',`
# some gui ebuilds want to interact with X server, like xawtv
optional_policy(`xdm',`
allow $1_t xdm_xserver_tmp_t:dir { add_name remove_name write };
allow $1_t xdm_xserver_tmp_t:sock_file { create getattr unlink write };
')
') dnl end TODO
')

View File

@ -0,0 +1,188 @@
policy_module(portage,1.0.0)
########################################
#
# Declarations
#
type portage_exec_t;
files_type(portage_exec_t)
portage_compile_domain(portage)
domain_obj_id_change_exempt(portage_t)
portage_compile_domain(portage_sandbox)
# the shell is the entrypoint if regular sandbox is disabled
# portage_exec_t is the entrypoint if regular sandbox is enabled
corecmd_shell_entry_type(portage_sandbox_t)
domain_entry_file(portage_sandbox_t,portage_exec_t)
type portage_ebuild_t;
files_type(portage_ebuild_t)
type portage_fetch_t;
domain_type(portage_fetch_t)
type portage_fetch_tmp_t;
files_tmp_file(portage_fetch_tmp_t)
type portage_db_t;
files_type(portage_db_t)
type portage_conf_t;
files_type(portage_conf_t)
type portage_cache_t;
files_type(portage_cache_t)
type portage_log_t;
logging_log_file(portage_log_t)
########################################
#
# Portage Rules
#
# - setfscreate for merging to live fs
# - setexec to run portage fetch
allow portage_t self:process { setfscreate setexec };
# transition for rsync and wget
corecmd_shell_spec_domtrans(portage_t,portage_fetch_t)
allow portage_fetch_t portage_t:fd use;
allow portage_fetch_t portage_t:fifo_file rw_file_perms;
allow portage_fetch_t portage_t:process sigchld;
allow portage_t portage_log_t:file create_file_perms;
logging_create_log(portage_t,portage_log_t)
# transition to sandbox for compiling
domain_trans(portage_t,portage_exec_t,portage_sandbox_t)
corecmd_shell_spec_domtrans(portage_t,portage_sandbox_t)
allow portage_sandbox_t portage_t:fd use;
allow portage_sandbox_t portage_t:fifo_file rw_file_perms;
allow portage_sandbox_t portage_t:process sigchld;
# run scripts out of the build directory
can_exec($1_t,portage_tmp_t)
# merging baselayout will need this:
kernel_write_proc_file(portage_t)
domain_dontaudit_read_all_domains_state(portage_t)
# modify any files in the system
files_manage_all_files(portage_t)
selinux_get_fs_mount(portage_t)
# merging baselayout will need this:
init_exec(portage_t)
# run setfiles -r
seutil_domtrans_setfiles(portage_t)
optional_policy(`bootloader',`
bootloader_domtrans(portage_t)
')
optional_policy(`modutils',`
modutils_domtrans_depmod(portage_t)
modutils_domtrans_update_modules(portage_t)
#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
')
optional_policy(`usermanage',`
usermanage_domtrans_groupadd(portage_t)
usermanage_domtrans_useradd(portage_t)
')
# seems to work ok without these
dontaudit portage_t device_t:{ blk_file chr_file } getattr;
dontaudit portage_t proc_t:dir setattr;
dontaudit portage_t device_type:{ chr_file blk_file } r_file_perms;
##########################################
#
# Portage fetch domain
# - for rsync and distfile fetching
#
allow portage_fetch_t self:capability dac_override;
dontaudit portage_fetch_t self:capability { fowner fsetid };
allow portage_fetch_t self:unix_stream_socket create_socket_perms;
allow portage_fetch_t self:tcp_socket create_stream_socket_perms;
allow portage_fetch_t portage_conf_t:dir list_dir_perms;
allow portage_fetch_t portage_conf_t:file r_file_perms;
allow portage_fetch_t portage_ebuild_t:dir manage_dir_perms;
allow portage_fetch_t portage_ebuild_t:file manage_file_perms;
allow portage_fetch_t portage_fetch_tmp_t:dir create_dir_perms;
allow portage_fetch_t portage_fetch_tmp_t:file create_file_perms;
files_create_tmp_files(portage_fetch_t, portage_fetch_tmp_t, { file dir })
# portage makes home dir the portage tmp dir, so
# wget looks for .wgetrc there
dontaudit portage_fetch_t portage_tmp_t:dir search_dir_perms;
kernel_read_system_state(portage_fetch_t)
kernel_read_kernel_sysctl(portage_fetch_t)
corecmd_exec_bin(portage_fetch_t)
corecmd_exec_sbin(portage_fetch_t)
corenet_non_ipsec_sendrecv(portage_fetch_t)
corenet_tcp_sendrecv_generic_if(portage_fetch_t)
corenet_tcp_sendrecv_all_nodes(portage_fetch_t)
corenet_tcp_sendrecv_all_ports(portage_fetch_t)
# would rather not connect to unspecified ports, but
# it occasionally comes up
corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
corenet_tcp_connect_generic_port(portage_fetch_t)
dev_search_ptys(portage_fetch_t)
dev_dontaudit_read_rand(portage_fetch_t)
domain_use_wide_inherit_fds(portage_fetch_t)
files_read_etc_files(portage_fetch_t)
files_read_etc_runtime_files(portage_fetch_t)
files_search_var(portage_fetch_t)
files_dontaudit_search_pids(portage_fetch_t)
libs_use_ld_so(portage_fetch_t)
libs_use_shared_libs(portage_fetch_t)
miscfiles_read_localization(portage_fetch_t)
sysnet_read_config(portage_fetch_t)
sysnet_dns_name_resolve(portage_fetch_t)
userdom_dontaudit_read_sysadm_home_files(portage_fetch_t)
ifdef(`hide_broken_symptoms',`
dontaudit portage_fetch_t portage_cache_t:file read;
')
ifdef(`TODO',`
domain_auto_trans(portage_t, rsyncd_exec_t, portage_fetch_t)
')
##########################################
#
# Portage sandbox domain
# - SELinux-enforced sandbox
#
# seems ok w/o this
dontaudit portage_sandbox_t portage_cache_t:dir { setattr };
dontaudit portage_sandbox_t portage_cache_t:file { setattr write };
allow portage_sandbox_t portage_tmp_t:dir manage_dir_perms;
allow portage_sandbox_t portage_tmp_t:file manage_dir_perms;
allow portage_sandbox_t portage_tmp_t:lnk_file create_lnk_perms;
# run scripts out of the build directory
can_exec(portage_sandbox_t,portage_tmp_t)

View File

@ -1519,7 +1519,8 @@ interface(`dev_rw_printer',`
########################################
## <summary>
## Read from random devices (e.g., /dev/random)
## Read from random number generator
## devices (e.g., /dev/random)
## </summary>
## <param name="domain">
## Domain allowed access.
@ -1534,6 +1535,23 @@ interface(`dev_read_rand',`
allow $1 random_device_t:chr_file r_file_perms;
')
########################################
## <summary>
## Do not audit attempts to read from random
## number generator devices (e.g., /dev/random)
## </summary>
## <param name="domain">
## Domain allowed access.
## </param>
#
interface(`dev_dontaudit_read_rand',`
gen_require(`
type random_device_t;
')
dontaudit $1 random_device_t:chr_file { getattr read };
')
########################################
## <summary>
## Write to the random device (e.g., /dev/random). This adds

View File

@ -2736,9 +2736,9 @@ interface(`userdom_search_sysadm_home_dir',`
#
interface(`userdom_dontaudit_search_sysadm_home_dir',`
ifdef(`targeted_policy',`
gen_require(`
type user_home_dir_t;
')
gen_require(`
type user_home_dir_t;
')
dontaudit $1 user_home_dir_t:dir search_dir_perms;
',`
@ -2783,6 +2783,33 @@ interface(`userdom_dontaudit_list_sysadm_home_dir',`
dontaudit $1 sysadm_home_dir_t:dir list_dir_perms;
')
########################################
## <summary>
## Do not audit attempts to search the sysadm
## users home directory.
## </summary>
## <param name="domain">
## Domain to not audit.
## </param>
#
interface(`userdom_dontaudit_read_sysadm_home_files',`
ifdef(`targeted_policy',`
gen_require(`
type user_home_dir_t, user_home_t;
')
dontaudit $1 user_home_dir_t:dir search_dir_perms;
dontaudit $1 user_home_t:file r_file_perms;
',`
gen_require(`
type sysadm_home_dir_t, sysadm_home_t;
')
dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
dontaudit $1 sysadm_home_t:dir r_file_perms;
')
')
########################################
## <summary>
## Create objects in sysadm home directories

View File

@ -274,6 +274,10 @@ ifdef(`targeted_policy',`
pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal)
')
optional_policy(`portage',`
portage_run(sysadm_t,sysadm_r,admin_terminal)
')
optional_policy(`portmap',`
portmap_run_helper(sysadm_t,sysadm_r,admin_terminal)
')