190 lines
5.0 KiB
Plaintext
190 lines
5.0 KiB
Plaintext
|
|
policy_module(portage,1.2.0)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type gcc_config_t;
|
|
type gcc_config_exec_t;
|
|
domain_type(gcc_config_t)
|
|
domain_entry_file(gcc_config_t,gcc_config_exec_t)
|
|
|
|
# constraining type
|
|
type portage_t;
|
|
type portage_exec_t;
|
|
domain_type(portage_t)
|
|
domain_entry_file(portage_t,portage_exec_t)
|
|
rsync_entry_type(portage_t)
|
|
corecmd_shell_entry_type(portage_t)
|
|
domain_entry_file(portage_t,portage_exec_t)
|
|
|
|
# portage domain for merging packages to the live fs
|
|
type portage_t.merge;
|
|
domain_type(portage_t.merge)
|
|
domain_entry_file(portage_t.merge,portage_exec_t)
|
|
domain_obj_id_change_exemption(portage_t.merge)
|
|
|
|
# portage compile sandbox domain
|
|
type portage_t.sandbox alias portage_sandbox_t;
|
|
domain_type(portage_t.sandbox)
|
|
# the shell is the entrypoint if regular sandbox is disabled
|
|
# portage_exec_t is the entrypoint if regular sandbox is enabled
|
|
corecmd_shell_entry_type(portage_t.sandbox)
|
|
domain_entry_file(portage_t.sandbox,portage_exec_t)
|
|
|
|
# portage package fetching domain
|
|
type portage_t.fetch alias portage_fetch_t;
|
|
domain_type(portage_t.fetch)
|
|
corecmd_shell_entry_type(portage_t.fetch)
|
|
rsync_entry_type(portage_t.fetch)
|
|
|
|
type portage_devpts_t;
|
|
term_pty(portage_devpts_t)
|
|
|
|
type portage_ebuild_t;
|
|
files_type(portage_ebuild_t)
|
|
|
|
type portage_fetch_tmp_t;
|
|
files_tmp_file(portage_fetch_tmp_t)
|
|
|
|
type portage_db_t;
|
|
files_type(portage_db_t)
|
|
|
|
type portage_conf_t;
|
|
files_type(portage_conf_t)
|
|
|
|
type portage_cache_t;
|
|
files_type(portage_cache_t)
|
|
|
|
type portage_log_t;
|
|
logging_log_file(portage_log_t)
|
|
|
|
type portage_tmp_t;
|
|
files_tmp_file(portage_tmp_t)
|
|
|
|
type portage_tmpfs_t;
|
|
files_tmpfs_file(portage_tmpfs_t)
|
|
|
|
########################################
|
|
#
|
|
# gcc-config policy
|
|
#
|
|
|
|
allow gcc_config_t self:capability { chown fsetid };
|
|
allow gcc_config_t self:fifo_file rw_file_perms;
|
|
|
|
manage_files_pattern(gcc_config_t,portage_cache_t,portage_cache_t)
|
|
|
|
read_files_pattern(gcc_config_t,portage_conf_t,portage_conf_t)
|
|
|
|
allow gcc_config_t portage_ebuild_t:dir list_dir_perms;
|
|
read_files_pattern(gcc_config_t,portage_ebuild_t,portage_ebuild_t)
|
|
|
|
allow gcc_config_t portage_exec_t:file { execute getattr };
|
|
|
|
kernel_read_system_state(gcc_config_t)
|
|
kernel_read_kernel_sysctls(gcc_config_t)
|
|
|
|
corecmd_exec_shell(gcc_config_t)
|
|
corecmd_exec_bin(gcc_config_t)
|
|
corecmd_manage_bin_files(gcc_config_t)
|
|
|
|
files_manage_etc_files(gcc_config_t)
|
|
files_rw_etc_runtime_files(gcc_config_t)
|
|
files_search_var_lib(gcc_config_t)
|
|
files_search_pids(gcc_config_t)
|
|
# complains loudly about not being able to list
|
|
# the directory it is being run from
|
|
files_list_all(gcc_config_t)
|
|
|
|
term_search_ptys(gcc_config_t)
|
|
|
|
# seems to be ok without this
|
|
init_dontaudit_read_script_status_files(gcc_config_t)
|
|
|
|
libs_use_ld_so(gcc_config_t)
|
|
libs_use_shared_libs(gcc_config_t)
|
|
libs_read_lib_files(gcc_config_t)
|
|
libs_domtrans_ldconfig(gcc_config_t)
|
|
libs_manage_shared_libs(gcc_config_t)
|
|
files_lib_filetrans_shared_lib(gcc_config_t,file)
|
|
# gcc-config creates a temp dir for the libs
|
|
libs_manage_lib_dirs(gcc_config_t)
|
|
|
|
logging_send_syslog_msg(gcc_config_t)
|
|
|
|
miscfiles_read_localization(gcc_config_t)
|
|
|
|
consoletype_exec(gcc_config_t)
|
|
|
|
optional_policy(`
|
|
seutil_use_newrole_fds(gcc_config_t)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Portage Constraining Rules
|
|
#
|
|
|
|
portage_main_domain(portage_t)
|
|
portage_compile_domain(portage_t)
|
|
portage_fetch_domain(portage_t)
|
|
|
|
# transition between child domains on shells and rsync
|
|
corecmd_shell_spec_domtrans(portage_t,portage_t)
|
|
rsync_entry_spec_domtrans(portage_t,portage_t)
|
|
|
|
########################################
|
|
#
|
|
# Portage Merging Rules
|
|
#
|
|
|
|
portage_main_domain(portage_t.merge)
|
|
|
|
# if sesandbox is disabled, compiling is performed in this domain
|
|
portage_compile_domain(portage_t.merge)
|
|
|
|
allow portage_t.merge { portage_t.fetch portage_t.sandbox }:process signal;
|
|
|
|
# transition for rsync and wget
|
|
corecmd_shell_spec_domtrans(portage_t.merge,portage_t.fetch)
|
|
rsync_entry_domtrans(portage_t.merge,portage_t.fetch)
|
|
allow portage_t.fetch portage_t.merge:fd use;
|
|
allow portage_t.fetch portage_t.merge:fifo_file rw_file_perms;
|
|
allow portage_t.fetch portage_t.merge:process sigchld;
|
|
|
|
# transition to sandbox for compiling
|
|
domain_trans(portage_t.merge,portage_exec_t,portage_t.sandbox)
|
|
corecmd_shell_spec_domtrans(portage_t.merge,portage_t.sandbox)
|
|
allow portage_t.sandbox portage_t.merge:fd use;
|
|
allow portage_t.sandbox portage_t.merge:fifo_file rw_file_perms;
|
|
allow portage_t.sandbox portage_t.merge:process sigchld;
|
|
|
|
##########################################
|
|
#
|
|
# Portage fetch domain
|
|
# - for rsync and distfile fetching
|
|
#
|
|
|
|
portage_fetch_domain(portage_t.fetch)
|
|
|
|
# this rule is outside of the above macro to fix conflicting type
|
|
# transitions seen in the rules for the constraining type (portage_t)
|
|
files_tmp_filetrans(portage_t.fetch, portage_fetch_tmp_t, { file dir })
|
|
|
|
##########################################
|
|
#
|
|
# Portage sandbox domain
|
|
# - SELinux-enforced sandbox
|
|
#
|
|
|
|
portage_compile_domain(portage_t.sandbox)
|
|
|
|
ifdef(`hide_broken_symptoms',`
|
|
# leaked descriptors
|
|
dontaudit portage_t.sandbox portage_cache_t:dir { setattr };
|
|
dontaudit portage_t.sandbox portage_cache_t:file { setattr write };
|
|
')
|