2011-09-13 18:19:32

by sven.vermeulen

Subject: [refpolicy] [PATCHv2 0/4] Separate domtrans/run interfaces for portage_fetch

This revised patchset updates the portage interfaces to support
portage_run_fetch and portage_domtrans_fetch, rather than including the
support for portage_fetch_t in the regular portage_run and portage_domtrans
interfaces.

I'm not sure how to best "mix" changes across refpolicy and
refpolicy::contrib. If the patches are not correctly made, this was what I
did:
- Make changes in contrib, then format-patch to generate patches
- Make changes in refpolicy, then format-patch to generate patches

I notice that git also supports "adding" the commits from contrib to the
patches in the main refpolicy, but I'm not sure that's the idea behind it
for refpolicy.

Changes since v1
----------------

- Removes the portage_fetch_t calls from portage_domtrans and portage_run
- Adds callers for portage_fetch_t (sysadm, unconfined and puppet for now)


2011-09-13 18:20:28

by sven.vermeulen

Subject: [refpolicy] [PATCHv2 1/4] Separate domtrans/run interfaces for portage_fetch

Since the introduction of the portage_fetch_t domain, access to the
domain was governed through the portage_domtrans and portage_run
interfaces. To support calling portage only (but no fetch domain) or
vice versa, the interfaces need to be split up.

In this patch, we introduce the interfaces portage_domtrans_fetch and
portage_run_fetch which will be used later in the domains that need to
call portage/layman/emerge-webrsync/...

The portage_domtrans and portage_run interfaces are updated not to
include anything for portage_fetch_t anymore.

Signed-off-by: Sven Vermeulen <[email protected]>
---
portage.if | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++-----
1 files changed, 52 insertions(+), 5 deletions(-)

diff --git a/portage.if b/portage.if
index 9f7d652..22c6e17 100644
--- a/portage.if
+++ b/portage.if
@@ -16,15 +16,12 @@
interface(`portage_domtrans',`
gen_require(`
type portage_t, portage_exec_t;
- type portage_fetch_t, portage_fetch_exec_t;
')

files_search_usr($1)
corecmd_search_bin($1)

- # transition to portage
domtrans_pattern($1, portage_exec_t, portage_t)
- domtrans_pattern($1, portage_fetch_exec_t, portage_fetch_t)
')

########################################
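Review bot: dropping `domtrans_pattern($1, portage_fetch_exec_t, portage_fetch_t)` from portage_domtrans is a silent behaviour change for existing callers: the policy still compiles, but any domain that relied on portage_domtrans to reach portage_fetch_t now gets an AVC denial on that transition at runtime. The cover letter names the in-tree callers being updated (sysadm, unconfined, puppet); a grep for portage_domtrans and portage_run across contrib before merging would confirm no other caller is left behind. The removed `# transition to portage` comment still describes the remaining domtrans_pattern line and could be kept.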
@@ -46,11 +43,11 @@ interface(`portage_domtrans',`
#
interface(`portage_run',`
gen_require(`
- type portage_t, portage_fetch_t, portage_sandbox_t;
+ type portage_t, portage_sandbox_t;
')

portage_domtrans($1)
- role $2 types { portage_t portage_fetch_t portage_sandbox_t };
+ role $2 types { portage_t portage_sandbox_t };
')

########################################
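Review bot: consistent with the portage_domtrans change above; portage_run now authorises $2 only for portage_t and portage_sandbox_t, so a role that also needs portage_fetch_t must call portage_run_fetch in addition. That split is worth stating in the interface's <summary> so callers see it in the generated documentation.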
@@ -213,6 +210,56 @@ interface(`portage_compile_domain',`

########################################
## <summary>
+## Execute tree management functions (fetching, layman, ...)
+## in the portage_fetch_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`portage_domtrans_fetch',`
+ gen_require(`
+ type portage_fetch_t, portage_fetch_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+
+ domtrans_pattern($1, portage_fetch_exec_t, portage_fetch_t)
+')
+
+########################################
+## <summary>
+## Execute tree management functions (fetching, layman, ...)
+## in the portage_fetch_t domain, and allow the specified role
+## the portage_fetch_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the portage_fetch domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`portage_run_fetch',`
+ gen_require(`
+ type portage_fetch_t;
+ ')
+
+ portage_domtrans_fetch($1)
+ role $2 types portage_fetch_t;
+')
+
+
+########################################
+## <summary>
## Execute gcc-config in the gcc_config domain.
## </summary>
## <param name="domain">
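Review bot: two nits in the new interfaces. The <param name="role"> summary of portage_run_fetch reads "the portage_fetch domain" whereas the type is portage_fetch_t; the other summaries in this hunk use the type name, so this one should too. There are also two blank lines between the closing `')` of portage_run_fetch and the gcc_config comment header where the file otherwise uses one. Otherwise the split is clean: portage_domtrans_fetch carries the search permissions and the transition, and portage_run_fetch adds only the role authorisation, mirroring the portage_domtrans/portage_run pair.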
--
1.7.3.4
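As an added check, not part of the patch or of refpolicy, the following Python script parses refpolicy-style interface definitions and confirms that after the split portage_fetch_t is reachable only through the new *_fetch interfaces. The sample text is constructed from the hunk above with the gen_require blocks omitted, and the regexes assume refpolicy's layout of one interface per block closed by `')` at column 0.

```python
import re
# Constructed sample (not from the page): the four interfaces as they read
# after patch 1/4, with gen_require blocks omitted for brevity.
PORTAGE_IF = """interface(`portage_domtrans',`
    domtrans_pattern($1, portage_exec_t, portage_t)
')
interface(`portage_run',`
    portage_domtrans($1)
    role $2 types { portage_t portage_sandbox_t };
')
interface(`portage_domtrans_fetch',`
    domtrans_pattern($1, portage_fetch_exec_t, portage_fetch_t)
')
interface(`portage_run_fetch',`
    portage_domtrans_fetch($1)
    role $2 types portage_fetch_t;
')
"""

# An interface body runs from its opening line to the first "')" at column 0.
IFACE_RE = re.compile(r"interface\(`(\w+)',`(.*?)\n'\)", re.S)
DOMTRANS_RE = re.compile(r"domtrans_pattern\(\$1,\s*\w+,\s*(\w+)\)")
CALL_RE = re.compile(r"^\s*(\w+)\(\$1\)", re.M)  # nested single-argument calls
ROLE_RE = re.compile(r"role \$2 types\s*\{?\s*([\w\s]+?)\s*\}?;")

def parse_interfaces(text):
    """Map each interface name to its raw body."""
    return {m.group(1): m.group(2) for m in IFACE_RE.finditer(text)}

def target_domains(ifaces, name, seen=None):
    """Domains $1 may enter through `name`, following nested calls (run -> domtrans)."""
    seen = set() if seen is None else seen
    if name in seen or name not in ifaces:
        return set()
    seen.add(name)
    body = ifaces[name]
    found = set(DOMTRANS_RE.findall(body))
    for callee in CALL_RE.findall(body):
        found |= target_domains(ifaces, callee, seen)
    return found

def role_types(ifaces, name):
    """Types a *_run interface authorises for the role argument $2."""
    m = ROLE_RE.search(ifaces[name])
    return set(m.group(1).split()) if m else set()

def fetch_is_separated(ifaces):
    """True once portage_fetch_t is reachable only via the *_fetch interfaces."""
    return ("portage_fetch_t" not in target_domains(ifaces, "portage_run")
            and "portage_fetch_t" not in role_types(ifaces, "portage_run")
            and target_domains(ifaces, "portage_run_fetch") == {"portage_fetch_t"})
```

Run it against the real portage.if to repeat the check after a rebase; a pre-split file fails `fetch_is_separated` because portage_run still reaches portage_fetch_t.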

2011-09-13 18:21:08

by sven.vermeulen

Subject: [refpolicy] [PATCHv2 2/4] Allow puppet to call portage

Puppet is a configuration management and system management tool. Part of
its job is to manage the package deployments on systems. As such, it
needs the privilege to call and transition to the various portage
domains.

Signed-off-by: Sven Vermeulen <[email protected]>
---
puppet.te | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/puppet.te b/puppet.te
index 941f6e1..022fde7 100644
--- a/puppet.te
+++ b/puppet.te
@@ -146,6 +146,12 @@ optional_policy(`
')

optional_policy(`
+ portage_domtrans(puppet_t)
+ portage_domtrans_fetch(puppet_t)
+ portage_domtrans_gcc_config(puppet_t)
+')
+
+optional_policy(`
files_rw_var_files(puppet_t)

rpm_domtrans(puppet_t)
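Review bot: these are domtrans-only calls with no role statement, which is right for a daemon, but the transitions only succeed if portage_t, portage_fetch_t and the gcc_config domain are already authorised for system_r in portage.te; if they are not, the exec fails with a role denial rather than a type denial, so that should be confirmed before merging. Note too that portage_domtrans_fetch(puppet_t) lets a puppet run reach the network through portage's fetch tools; the commit message could say that package management implies fetching so the extra reach is visibly intended.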
--
1.7.3.4

2011-09-13 18:21:43

by sven.vermeulen

Subject: [refpolicy] [PATCHv2 3/4] Allow sysadm_t to call all portage related services

The system administrator (in sysadm_t) is the only "user" domain that is
allowed to call portage-related services. So it also gains the privilege
to execute portage tree management functions (and as such transition to
portage_fetch_t).

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/roles/sysadm.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 1e1d649..954417f 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -253,6 +253,7 @@ optional_policy(`

optional_policy(`
portage_run(sysadm_t, sysadm_r)
+ portage_run_fetch(sysadm_t, sysadm_r)
portage_run_gcc_config(sysadm_t, sysadm_r)
')

--
1.7.3.4

2011-09-13 18:22:44

by sven.vermeulen

Subject: [refpolicy] [PATCHv2 4/4] Allow unconfined users to call portage features

The unconfined user is currently not allowed to call portage-related
functions. However, in a targeted system (with unconfined domains
enabled), users (including administrators) should be allowed to
transition to the portage domain.

We position the portage-related calls outside the "ifdef(distro_gentoo)"
as other distributions support Portage as well.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/unconfined.te | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index eae5001..6195e6e 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -150,6 +150,12 @@ optional_policy(`
')

optional_policy(`
+ portage_run(unconfined_t, unconfined_r)
+ portage_run_fetch(unconfined_t, unconfined_r)
+ portage_run_gcc_config(unconfined_t, unconfined_r)A
+')
+
+optional_policy(`
prelink_run(unconfined_t, unconfined_r)
')

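Review bot: the line `portage_run_gcc_config(unconfined_t, unconfined_r)A` carries a stray trailing "A" after the closing parenthesis. m4 expands the macro and leaves the "A" in the generated policy as a stray token, so this patch does not build as posted; drop the character before merging.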
--
1.7.3.4

2011-09-14 16:49:44

by cpebenito

Subject: [refpolicy] [PATCHv2 0/4] Separate domtrans/run interfaces for portage_fetch

On 09/13/11 14:19, Sven Vermeulen wrote:
> This revised patchset updates the portage interfaces to support
> portage_run_fetch and portage_domtrans_fetch, rather than including the
> support for portage_fetch_t in the regular portage_run and portage_domtrans
> interfaces.
>
> I'm not sure how to best "mix" changes across refpolicy and
> refpolicy::contrib. If the patches are not correctly made, this was what I
> did:
> - Make changes in contrib, then format-patch to generate patches
> - Make changes in refpolicy, then format-patch to generate patches

I'm not sure what the best way is either. The way you did it is fine.

> I notice that git also supports "adding" the commits from contrib to the
> patches in the main refpolicy, but I'm not sure that's the idea behind it
> for refpolicy.
>
> Changes since v1
> ----------------
>
> - Removes the portage_fetch_t calls from portage_domtrans and portage_run
> - Adds callers for portage_fetch_t (sysadm, unconfined and puppet for now)

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2011-09-14 16:50:56

by cpebenito

Subject: [refpolicy] [PATCHv2 4/4] Allow unconfined users to call portage features

On 09/13/11 14:22, Sven Vermeulen wrote:
> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
> index eae5001..6195e6e 100644
> --- a/policy/modules/system/unconfined.te
> +++ b/policy/modules/system/unconfined.te
> @@ -150,6 +150,12 @@ optional_policy(`
> ')
>
> optional_policy(`
> + portage_run(unconfined_t, unconfined_r)
> + portage_run_fetch(unconfined_t, unconfined_r)
> + portage_run_gcc_config(unconfined_t, unconfined_r)A

You introduced an extra "A" here. I manually fixed it.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com