2009-07-14 19:35:15

by srivasta

Subject: [refpolicy] [PATCH] Added support for python-support

From: Manoj Srivastava <[email protected]>

Debian uses the python-support module infrastructure to conditionally
byte compile python files during installation. This commit adds
support for the package, which is critical for Python library package
installation on Debian machines.

Signed-off-by: Russell Coker <[email protected]>
Acked-By: Manoj Srivastava <[email protected]>
---
policy/modules/admin/apt.te | 4 ++
policy/modules/system/pythonsupport.fc | 2 +
policy/modules/system/pythonsupport.if | 55 ++++++++++++++++++++++++++++++++
policy/modules/system/pythonsupport.te | 44 +++++++++++++++++++++++++
policy/modules/system/selinuxutil.te | 10 ++++++
policy/modules/system/userdomain.if | 4 ++
6 files changed, 119 insertions(+), 0 deletions(-)
create mode 100644 policy/modules/system/pythonsupport.fc
create mode 100644 policy/modules/system/pythonsupport.if
create mode 100644 policy/modules/system/pythonsupport.te

diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te
index c79157a..1ffa5b3 100644
--- a/policy/modules/admin/apt.te
+++ b/policy/modules/admin/apt.te
@@ -127,6 +127,10 @@ userdom_use_user_terminals(apt_t)
#')

optional_policy(`
+ pythonsupport_domtrans(apt_t)
+')
+
+optional_policy(`
# dpkg interaction
dpkg_read_db(apt_t)
dpkg_domtrans(apt_t)
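Review bot: The new optional_policy block is inserted ahead of the dpkg block, but refpolicy keeps optional_policy blocks ordered alphabetically by module, so `pythonsupport_domtrans(apt_t)` belongs after the dpkg block; the userdomain.if hunk has the same ordering problem relative to the pcscd block. It is also worth confirming that apt_t itself executes update-python-modules: if the utility is only run from package maintainer scripts, the transition would belong to the dpkg script domain in dpkg.te rather than here. The optional_policy that the hunk splits begins on the context line at the top of the hunk.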
diff --git a/policy/modules/system/pythonsupport.fc b/policy/modules/system/pythonsupport.fc
new file mode 100644
index 0000000..95a0998
--- /dev/null
+++ b/policy/modules/system/pythonsupport.fc
@@ -0,0 +1,2 @@
+/usr/sbin/update-python-modules -- gen_context(system_u:object_r:pythoncompile_exec_t,s0)
+/var/lib/python-support(/.*)? gen_context(system_u:object_r:python_compiled_t,s0)
diff --git a/policy/modules/system/pythonsupport.if b/policy/modules/system/pythonsupport.if
new file mode 100644
index 0000000..f5b154b
--- /dev/null
+++ b/policy/modules/system/pythonsupport.if
@@ -0,0 +1,55 @@
+## <summary>Support for precompiling python modules</summary>
+## <desc>
+## <p>
+## Debians python-support will precompile installed python
+## packages for installed python versions. This way,
+## the python2.3-foobar and python2.4-foobar (and 2.5) packages
+## could be merged into one python-foobar while keeping the
+## dependency information useful.
+## </p>
+## </desc>
+#
+
+########################################
+## <summary>
+## Execute the python-support utility to precompile modules.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`pythonsupport_domtrans',`
+ gen_require(`
+ type pythoncompile_t, pythoncompile_exec_t;
+ ')
+
+ domain_auto_trans($1,pythoncompile_exec_t,pythoncompile_t)
+
+ allow $1 pythoncompile_t:fd use;
+ allow pythoncompile_t $1:fd use;
+ allow $1 pythoncompile_t:fifo_file rw_file_perms;
+ allow $1 pythoncompile_t:process sigchld;
+')
+
+########################################
+## <summary>
+## Read compiled python modules
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to read the compiled python modules.
+## </summary>
+## </param>
+#
+interface(`pythonsupport_compiled_read',`
+ gen_require(`
+ type python_compiled_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 python_compiled_t:dir list_dir_perms;
+ allow $1 python_compiled_t:file read_file_perms;
+ allow $1 python_compiled_t:lnk_file read_lnk_file_perms;
+')
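Review bot: pythonsupport_compiled_read spells out the dir, file and lnk_file allow rules by hand; the refpolicy pattern macros express the same access more consistently, `list_dirs_pattern($1, python_compiled_t, python_compiled_t)`, `read_files_pattern($1, python_compiled_t, python_compiled_t)` and `read_lnk_files_pattern($1, python_compiled_t, python_compiled_t)`. The module description near the top of the file also has a typo in its first line, which should read `## Debian's python-support will precompile installed python`.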
diff --git a/policy/modules/system/pythonsupport.te b/policy/modules/system/pythonsupport.te
new file mode 100644
index 0000000..69c1bc6
--- /dev/null
+++ b/policy/modules/system/pythonsupport.te
@@ -0,0 +1,44 @@
+policy_module(pythonsupport,0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type pythoncompile_t;
+type pythoncompile_exec_t;
+domain_type(pythoncompile_t)
+domain_entry_file(pythoncompile_t, pythoncompile_exec_t)
+
+role system_r types pythoncompile_t;
+role sysadm_r types pythoncompile_t;
+
+type python_compiled_t;
+files_type(python_compiled_t)
+
+########################################
+#
+# python-support local policy
+#
+
+kernel_read_system_state(pythoncompile_t)
+kernel_read_kernel_sysctls(pythoncompile_t)
+
+corecmd_exec_bin(pythoncompile_t)
+corecmd_exec_sbin(pythoncompile_t)
+
+files_read_etc_files(pythoncompile_t)
+files_read_usr_files(pythoncompile_t)
+
+libs_use_ld_so(pythoncompile_t)
+libs_use_shared_libs(pythoncompile_t)
+libs_use_lib_files(pythoncompile_t)
+
+miscfiles_read_localization(pythoncompile_t)
+
+
+# create compiled python modules
+allow pythoncompile_t python_compiled_t:dir manage_dir_perms;
+allow pythoncompile_t python_compiled_t:file manage_file_perms;
+allow pythoncompile_t python_compiled_t:lnk_file manage_lnk_file_perms;
+files_var_lib_filetrans(pythoncompile_t, python_compiled_t, dir)
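Review bot: New refpolicy modules start at version 1.0.0, so the header should read `policy_module(pythonsupport, 1.0.0)` rather than 0.0.1. The manage rules at the end of the file can use `manage_dirs_pattern`, `manage_files_pattern` and `manage_lnk_files_pattern` with python_compiled_t as both the directory and target type, matching how other modules grant this access. corecmd_exec_sbin(pythoncompile_t) lets the domain execute everything under sbin; if update-python-modules only needs the python interpreter from bin, that rule looks unnecessary and should either be dropped or justified with a comment.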
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index f706ef0..90e0245 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -425,6 +425,7 @@ allow semanage_t self:capability { dac_override audit_write };
allow semanage_t self:unix_stream_socket create_stream_socket_perms;
allow semanage_t self:unix_dgram_socket create_socket_perms;
allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+fs_getattr_xattr_fs(semanage_t)

allow semanage_t policy_config_t:file rw_file_perms;

@@ -432,6 +433,10 @@ allow semanage_t semanage_tmp_t:dir manage_dir_perms;
allow semanage_t semanage_tmp_t:file manage_file_perms;
files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })

+ifdef(`targeted_policy',`
+ allow semanage_t initrc_t:fd use;
+')
+
kernel_read_system_state(semanage_t)
kernel_read_kernel_sysctls(semanage_t)

@@ -449,6 +454,7 @@ files_list_pids(semanage_t)
mls_file_write_all_levels(semanage_t)
mls_file_read_all_levels(semanage_t)

+selinux_get_fs_mount(semanage_t)
selinux_validate_context(semanage_t)
selinux_get_enforce_mode(semanage_t)
selinux_getattr_fs(semanage_t)
@@ -499,6 +505,10 @@ ifdef(`enable_mls',`
userdom_read_user_tmp_files(semanage_t)
')

+optional_policy(`
+ pythonsupport_compiled_read(semanage_t)
+')
+
########################################
#
# Setfiles local policy
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 8634334..a30aeee 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -664,6 +664,10 @@ template(`userdom_common_user_template',`
')

optional_policy(`
+ pythonsupport_compiled_read($1_t)
+ ')
+
+ optional_policy(`
pcscd_read_pub_files($1_t)
pcscd_stream_connect($1_t)
')
--
1.6.3.3


2009-07-15 13:49:45

by cpebenito

Subject: [refpolicy] [PATCH] Added support for python-support

On Tue, 2009-07-14 at 14:35 -0500, Manoj Srivastava wrote:
> From: Manoj Srivastava <[email protected]>
>
> Debian uses the python-support module infrastructure to conditionally
> byte compile python files during installation. This commit adds
> support for the package, which is critical for Python library package
> installation on Debian machines.

This needs some cleanup (comments inline). Since python is used in a
variety of domains, does use of these precompiled libraries really need
to be added to individual modules, or does it make sense to optionally
add the access to all domains (see libs_uses_shared_libs() usage in
domain.te) since they're effectively system libraries created by a
trusted process?

> Signed-off-by: Russell Coker <[email protected]>
> Acked-By: Manoj Srivastava <[email protected]>
> ---
> policy/modules/admin/apt.te | 4 ++
> policy/modules/system/pythonsupport.fc | 2 +
> policy/modules/system/pythonsupport.if | 55 ++++++++++++++++++++++++++++++++
> policy/modules/system/pythonsupport.te | 44 +++++++++++++++++++++++++
> policy/modules/system/selinuxutil.te | 10 ++++++
> policy/modules/system/userdomain.if | 4 ++
> 6 files changed, 119 insertions(+), 0 deletions(-)
> create mode 100644 policy/modules/system/pythonsupport.fc
> create mode 100644 policy/modules/system/pythonsupport.if
> create mode 100644 policy/modules/system/pythonsupport.te
>
> diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te
> index c79157a..1ffa5b3 100644
> --- a/policy/modules/admin/apt.te
> +++ b/policy/modules/admin/apt.te
> @@ -127,6 +127,10 @@ userdom_use_user_terminals(apt_t)
> #')
>
> optional_policy(`
> + pythonsupport_domtrans(apt_t)
> +')
> +
> +optional_policy(`
> # dpkg interaction
> dpkg_read_db(apt_t)
> dpkg_domtrans(apt_t)
> diff --git a/policy/modules/system/pythonsupport.fc b/policy/modules/system/pythonsupport.fc
> new file mode 100644
> index 0000000..95a0998
> --- /dev/null
> +++ b/policy/modules/system/pythonsupport.fc
> @@ -0,0 +1,2 @@
> +/usr/sbin/update-python-modules -- gen_context(system_u:object_r:pythoncompile_exec_t,s0)
> +/var/lib/python-support(/.*)? gen_context(system_u:object_r:python_compiled_t,s0)
> diff --git a/policy/modules/system/pythonsupport.if b/policy/modules/system/pythonsupport.if
> new file mode 100644
> index 0000000..f5b154b
> --- /dev/null
> +++ b/policy/modules/system/pythonsupport.if
> @@ -0,0 +1,55 @@
> +## <summary>Support for precompiling python modules</summary>
> +## <desc>
> +## <p>
> +## Debians python-support will precompile installed python
> +## packages for installed python versions. This way,
> +## the python2.3-foobar and python2.4-foobar (and 2.5) packages
> +## could be merged into one python-foobar while keeping the
> +## dependency information useful.
> +## </p>
> +## </desc>
> +#
> +
> +########################################
> +## <summary>
> +## Execute the python-support utility to precompile modules.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`pythonsupport_domtrans',`

Consider using pysupport in the interface names.

> + gen_require(`
> + type pythoncompile_t, pythoncompile_exec_t;
> + ')
> +
> + domain_auto_trans($1,pythoncompile_exec_t,pythoncompile_t)
> +
> + allow $1 pythoncompile_t:fd use;
> + allow pythoncompile_t $1:fd use;
> + allow $1 pythoncompile_t:fifo_file rw_file_perms;
> + allow $1 pythoncompile_t:process sigchld;

Use domtrans_pattern()

> +')
> +
> +########################################
> +## <summary>
> +## Read compiled python modules
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to read the compiled python modules.
> +## </summary>
> +## </param>
> +#
> +interface(`pythonsupport_compiled_read',`

This should be pythonsupport_read_compiled().

> + gen_require(`
> + type python_compiled_t;
> + ')
> +
> + files_search_var_lib($1)
> + allow $1 python_compiled_t:dir list_dir_perms;
> + allow $1 python_compiled_t:file read_file_perms;
> + allow $1 python_compiled_t:lnk_file read_lnk_file_perms;
> +')
> diff --git a/policy/modules/system/pythonsupport.te b/policy/modules/system/pythonsupport.te
> new file mode 100644
> index 0000000..69c1bc6
> --- /dev/null
> +++ b/policy/modules/system/pythonsupport.te
> @@ -0,0 +1,44 @@
> +policy_module(pythonsupport,0.0.1)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type pythoncompile_t;
> +type pythoncompile_exec_t;
> +domain_type(pythoncompile_t)
> +domain_entry_file(pythoncompile_t, pythoncompile_exec_t)
> +
> +role system_r types pythoncompile_t;

> +role sysadm_r types pythoncompile_t;
Not allowed.

> +
> +type python_compiled_t;
> +files_type(python_compiled_t)
> +
> +########################################
> +#
> +# python-support local policy
> +#
> +
> +kernel_read_system_state(pythoncompile_t)
> +kernel_read_kernel_sysctls(pythoncompile_t)
> +
> +corecmd_exec_bin(pythoncompile_t)
> +corecmd_exec_sbin(pythoncompile_t)
> +
> +files_read_etc_files(pythoncompile_t)
> +files_read_usr_files(pythoncompile_t)
> +
> +libs_use_ld_so(pythoncompile_t)
> +libs_use_shared_libs(pythoncompile_t)

Redundant.

> +libs_use_lib_files(pythoncompile_t)
> +
> +miscfiles_read_localization(pythoncompile_t)
> +
> +
> +# create compiled python modules
> +allow pythoncompile_t python_compiled_t:dir manage_dir_perms;
> +allow pythoncompile_t python_compiled_t:file manage_file_perms;
> +allow pythoncompile_t python_compiled_t:lnk_file manage_lnk_file_perms;
> +files_var_lib_filetrans(pythoncompile_t, python_compiled_t, dir)
> diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
> index f706ef0..90e0245 100644
> --- a/policy/modules/system/selinuxutil.te
> +++ b/policy/modules/system/selinuxutil.te
> @@ -425,6 +425,7 @@ allow semanage_t self:capability { dac_override audit_write };
> allow semanage_t self:unix_stream_socket create_stream_socket_perms;
> allow semanage_t self:unix_dgram_socket create_socket_perms;
> allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
> +fs_getattr_xattr_fs(semanage_t)

Unrelated change.

> allow semanage_t policy_config_t:file rw_file_perms;
>
> @@ -432,6 +433,10 @@ allow semanage_t semanage_tmp_t:dir manage_dir_perms;
> allow semanage_t semanage_tmp_t:file manage_file_perms;
> files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
>
> +ifdef(`targeted_policy',`
> + allow semanage_t initrc_t:fd use;
> +')

No longer a valid build option, also unrelated change.

> kernel_read_system_state(semanage_t)
> kernel_read_kernel_sysctls(semanage_t)
>
> @@ -449,6 +454,7 @@ files_list_pids(semanage_t)
> mls_file_write_all_levels(semanage_t)
> mls_file_read_all_levels(semanage_t)
>
> +selinux_get_fs_mount(semanage_t)

Another unrelated change.

> selinux_validate_context(semanage_t)
> selinux_get_enforce_mode(semanage_t)
> selinux_getattr_fs(semanage_t)
> @@ -499,6 +505,10 @@ ifdef(`enable_mls',`
> userdom_read_user_tmp_files(semanage_t)
> ')
>
> +optional_policy(`
> + pythonsupport_compiled_read(semanage_t)
> +')
> +
> ########################################
> #
> # Setfiles local policy
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 8634334..a30aeee 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -664,6 +664,10 @@ template(`userdom_common_user_template',`
> ')
>
> optional_policy(`
> + pythonsupport_compiled_read($1_t)
> + ')
> +
> + optional_policy(`
> pcscd_read_pub_files($1_t)
> pcscd_stream_connect($1_t)
> ')
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150