This patchset contains a list of smaller updates to various contrib modules
Sven Vermeulen (6):
Mark glsa-check as portage_exec_t
Allow gcc-config to work on NFS-mounted portage tree
Reshuffle tunable/optional
Do not mark java configuration tools as java entry points
Allow portage fetch domain to show download progress
Further enhance portage git support
java.fc | 2 +-
portage.fc | 2 ++
portage.if | 1 +
portage.te | 6 ++++++
telnet.te | 10 +++++-----
5 files changed, 15 insertions(+), 6 deletions(-)
--
1.7.8.6
The glsa-check application is Gentoo's application for reporting on
security-vulnerable installed packages. It reads its input from the portage tree
and allows users to update just the affected packages.
For this it needs to run in the portage_t domain.
Signed-off-by: Sven Vermeulen <[email protected]>
---
portage.fc | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/portage.fc b/portage.fc
index 1d5b4e5..2f6b86b 100644
--- a/portage.fc
+++ b/portage.fc
@@ -4,6 +4,7 @@
/etc/portage/gpg(/.*)? gen_context(system_u:object_r:portage_gpg_t,s0)
/usr/bin/gcc-config -- gen_context(system_u:object_r:gcc_config_exec_t,s0)
+/usr/bin/glsa-check -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/bin/layman -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
/usr/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
--
1.7.8.6
When the portage tree is mounted on an NFS mount, we already introduced the
portage_use_nfs tunable to allow the portage domains to handle NFS-labeled
files.
One other domain that also needs this is the gcc_config_t domain, responsible
for listing and updating a systems' gcc. The requirement stems from gcc-config
using portageq to query for information, which requires a readable portage tree.
Signed-off-by: Sven Vermeulen <[email protected]>
---
portage.te | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/portage.te b/portage.te
index 2af04b9..7516f32 100644
--- a/portage.te
+++ b/portage.te
@@ -132,6 +132,10 @@ ifdef(`distro_gentoo',`
init_exec_rc(gcc_config_t)
')
+tunable_policy(`portage_use_nfs',`
+ fs_read_nfs_files(gcc_config_t)
+')
+
optional_policy(`
seutil_use_newrole_fds(gcc_config_t)
')
--
1.7.8.6
As per the Reference Policy Style Guide, tunable_policy blocks need to go before
the optional_policy blocks.
Signed-off-by: Sven Vermeulen <[email protected]>
---
telnet.te | 10 +++++-----
1 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/telnet.te b/telnet.te
index f40e67b..3858d35 100644
--- a/telnet.te
+++ b/telnet.te
@@ -86,11 +86,6 @@ remotelogin_domtrans(telnetd_t)
userdom_search_user_home_dirs(telnetd_t)
userdom_setattr_user_ptys(telnetd_t)
-optional_policy(`
- kerberos_keytab_template(telnetd, telnetd_t)
- kerberos_manage_host_rcache(telnetd_t)
-')
-
tunable_policy(`use_nfs_home_dirs',`
fs_search_nfs(telnetd_t)
')
@@ -98,3 +93,8 @@ tunable_policy(`use_nfs_home_dirs',`
tunable_policy(`use_samba_home_dirs',`
fs_search_cifs(telnetd_t)
')
+
+optional_policy(`
+ kerberos_keytab_template(telnetd, telnetd_t)
+ kerberos_manage_host_rcache(telnetd_t)
+')
--
1.7.8.6
Some java-supporting tools, like java-config and java-check-environment, are not
to be used as entry points for the java_t domain. Instead, these should run with
the privileges of the calling domain (and as such should remain bin_t).
The expression itself (java[^-]*) is to still support commonly found java
version binaries (java1.4, java5, java6).
Signed-off-by: Sven Vermeulen <[email protected]>
---
java.fc | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/java.fc b/java.fc
index 72f3df0..bc1a419 100644
--- a/java.fc
+++ b/java.fc
@@ -9,7 +9,7 @@
#
# /usr
#
-/usr/(.*/)?bin/java.* -- gen_context(system_u:object_r:java_exec_t,s0)
+/usr/(.*/)?bin/java[^-]* -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/fastjar -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/frysk -- gen_context(system_u:object_r:java_exec_t,s0)
/usr/bin/gappletviewer -- gen_context(system_u:object_r:java_exec_t,s0)
--
1.7.8.6
When downloading software packages, the portage application is inside the
portage_fetch_t domain. At that point, Portage wants to show the fetch progress
of the software on the users' screen. For this, it needs proper access to
portage_devpts_t.
Signed-off-by: Sven Vermeulen <[email protected]>
---
portage.te | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/portage.te b/portage.te
index 7516f32..9e9cc07 100644
--- a/portage.te
+++ b/portage.te
@@ -248,6 +248,8 @@ allow portage_fetch_t self:unix_stream_socket create_socket_perms;
allow portage_fetch_t portage_conf_t:dir list_dir_perms;
+allow portage_fetch_t portage_devpts_t:chr_file { rw_chr_file_perms setattr };
+
allow portage_fetch_t portage_gpg_t:dir rw_dir_perms;
allow portage_fetch_t portage_gpg_t:file manage_file_perms;
--
1.7.8.6
The git sources for ebuilds that use the git-2 eclass are stored in egit-src.
In this patch, we also allow connections towards git services.
Signed-off-by: Sven Vermeulen <[email protected]>
---
portage.fc | 1 +
portage.if | 1 +
2 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/portage.fc b/portage.fc
index 2f6b86b..d9b2a90 100644
--- a/portage.fc
+++ b/portage.fc
@@ -18,6 +18,7 @@
/usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
/usr/portage/distfiles/cvs-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
+/usr/portage/distfiles/egit-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
/usr/portage/distfiles/git-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
/usr/portage/distfiles/svn-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
diff --git a/portage.if b/portage.if
index b4bb48a..08ac5af 100644
--- a/portage.if
+++ b/portage.if
@@ -151,6 +151,7 @@ interface(`portage_compile_domain',`
corenet_udp_sendrecv_all_ports($1)
corenet_tcp_connect_all_reserved_ports($1)
corenet_tcp_connect_distccd_port($1)
+ corenet_tcp_connect_git_port($1)
dev_read_sysfs($1)
dev_read_rand($1)
--
1.7.8.6
On 07/03/12 15:18, Sven Vermeulen wrote:
> This patchset contains a list of smaller updates to various contrib modules
>
> Sven Vermeulen (6):
> Mark glsa-check as portage_exec_t
> Allow gcc-config to work on NFS-mounted portage tree
> Reshuffle tunable/optional
> Do not mark java configuration tools as java entry points
> Allow portage fetch domain to show download progress
> Further enhance portage git support
>
> java.fc | 2 +-
> portage.fc | 2 ++
> portage.if | 1 +
> portage.te | 6 ++++++
> telnet.te | 10 +++++-----
> 5 files changed, 15 insertions(+), 6 deletions(-)
This set is merged.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com