---
redis.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/redis.te b/redis.te
index fda6e5b..2c8495b 100644
--- a/redis.te
+++ b/redis.te
@@ -39,6 +39,7 @@ allow redis_t redis_conf_t:file rw_file_perms;
manage_dirs_pattern(redis_t, redis_log_t, redis_log_t)
manage_files_pattern(redis_t, redis_log_t, redis_log_t)
manage_lnk_files_pattern(redis_t, redis_log_t, redis_log_t)
+logging_log_filetrans(redis_t, redis_log_t, dir)
manage_dirs_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
manage_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
--
2.16.4
---
colord.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/colord.te b/colord.te
index 0236b27..ca3aae6 100644
--- a/colord.te
+++ b/colord.te
@@ -83,6 +83,7 @@ domain_use_interactive_fds(colord_t)
files_list_mnt(colord_t)
files_read_usr_files(colord_t)
+files_map_usr_files(colord_t)
fs_getattr_noxattr_fs(colord_t)
fs_getattr_tmpfs(colord_t)
--
2.16.4
---
dirmngr.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/dirmngr.te b/dirmngr.te
index f2be3f7..983de0c 100644
--- a/dirmngr.te
+++ b/dirmngr.te
@@ -69,10 +69,12 @@ dev_read_rand(dirmngr_t)
sysnet_dns_name_resolve(dirmngr_t)
+corenet_tcp_connect_http_port(dirmngr_t)
corenet_tcp_connect_pgpkeyserver_port(dirmngr_t)
corenet_udp_bind_generic_node(dirmngr_t)
files_read_etc_files(dirmngr_t)
+files_read_usr_files(dirmngr_t)
miscfiles_read_localization(dirmngr_t)
miscfiles_read_generic_certs(dirmngr_t)
--
2.16.4
---
portage.if | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/portage.if b/portage.if
index c0c7e9b..69ec4eb 100644
--- a/portage.if
+++ b/portage.if
@@ -322,6 +322,29 @@ interface(`portage_dontaudit_use_fds',`
dontaudit $1 portage_t:fd use;
')
+########################################
+## <summary>
+## Manage portage tmp content
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`portage_manage_tmp',`
+ gen_require(`
+ type portage_tmp_t;
+ ')
+
+ allow $1 portage_tmp_t:dir manage_dir_perms;
+ allow $1 portage_tmp_t:file manage_file_perms;
+ allow $1 portage_tmp_t:lnk_file manage_lnk_file_perms;
+ allow $1 portage_tmp_t:fifo_file manage_fifo_file_perms;
+ allow $1 portage_tmp_t:sock_file manage_sock_file_perms;
+ files_search_tmp($1)
+')
+
########################################
## <summary>
## Do not audit attempts to search the
--
2.16.4
---
dirmngr.te | 6 ++++++
gpg.te | 12 ++++++++++++
portage.te | 4 ++++
3 files changed, 22 insertions(+)
diff --git a/dirmngr.te b/dirmngr.te
index 983de0c..d087f0e 100644
--- a/dirmngr.te
+++ b/dirmngr.te
@@ -89,3 +89,9 @@ optional_policy(`
gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)
gpg_stream_connect_agent(dirmngr_t)
')
+
+ifdef(`distro_gentoo',`
+ optional_policy(`
+ portage_manage_tmp(dirmngr_t)
+ ')
+')
diff --git a/gpg.te b/gpg.te
index 3420a21..fe407f5 100644
--- a/gpg.te
+++ b/gpg.te
@@ -193,6 +193,12 @@ optional_policy(`
xserver_rw_xdm_pipes(gpg_t)
')
+ifdef(`distro_gentoo',`
+ optional_policy(`
+ portage_manage_tmp(gpg_t)
+ ')
+')
+
########################################
#
# Helper local policy
@@ -318,6 +324,12 @@ optional_policy(`
xserver_read_user_xauth(gpg_agent_t)
')
+ifdef(`distro_gentoo',`
+ optional_policy(`
+ portage_manage_tmp(gpg_agent_t)
+ ')
+')
+
##############################
#
# Pinentry local policy
diff --git a/portage.te b/portage.te
index 2146005..4b72a16 100644
--- a/portage.te
+++ b/portage.te
@@ -218,6 +218,10 @@ optional_policy(`
cron_system_entry(portage_fetch_t, portage_fetch_exec_t)
')
+optional_policy(`
+ gpg_domtrans(portage_t)
+')
+
optional_policy(`
modutils_run(portage_t, portage_roles)
#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
--
2.16.4
After talking to Dominick, I decided to change this around to use the
portage_fetch_t domain instead, please dont apply patches 4/5 or 5/5, I
am sending new patches instead.
-- Jason
On Fri, Jun 08, 2018 at 05:53:41PM +0800, Jason Zaman wrote:
> ---
> dirmngr.te | 6 ++++++
> gpg.te | 12 ++++++++++++
> portage.te | 4 ++++
> 3 files changed, 22 insertions(+)
>
> diff --git a/dirmngr.te b/dirmngr.te
> index 983de0c..d087f0e 100644
> --- a/dirmngr.te
> +++ b/dirmngr.te
> @@ -89,3 +89,9 @@ optional_policy(`
> gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)
> gpg_stream_connect_agent(dirmngr_t)
> ')
> +
> +ifdef(`distro_gentoo',`
> + optional_policy(`
> + portage_manage_tmp(dirmngr_t)
> + ')
> +')
> diff --git a/gpg.te b/gpg.te
> index 3420a21..fe407f5 100644
> --- a/gpg.te
> +++ b/gpg.te
> @@ -193,6 +193,12 @@ optional_policy(`
> xserver_rw_xdm_pipes(gpg_t)
> ')
>
> +ifdef(`distro_gentoo',`
> + optional_policy(`
> + portage_manage_tmp(gpg_t)
> + ')
> +')
> +
> ########################################
> #
> # Helper local policy
> @@ -318,6 +324,12 @@ optional_policy(`
> xserver_read_user_xauth(gpg_agent_t)
> ')
>
> +ifdef(`distro_gentoo',`
> + optional_policy(`
> + portage_manage_tmp(gpg_agent_t)
> + ')
> +')
> +
> ##############################
> #
> # Pinentry local policy
> diff --git a/portage.te b/portage.te
> index 2146005..4b72a16 100644
> --- a/portage.te
> +++ b/portage.te
> @@ -218,6 +218,10 @@ optional_policy(`
> cron_system_entry(portage_fetch_t, portage_fetch_exec_t)
> ')
>
> +optional_policy(`
> + gpg_domtrans(portage_t)
> +')
> +
> optional_policy(`
> modutils_run(portage_t, portage_roles)
> #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
> --
> 2.16.4
>
On 06/08/2018 05:53 AM, Jason Zaman wrote:
> ---
> redis.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/redis.te b/redis.te
> index fda6e5b..2c8495b 100644
> --- a/redis.te
> +++ b/redis.te
> @@ -39,6 +39,7 @@ allow redis_t redis_conf_t:file rw_file_perms;
> manage_dirs_pattern(redis_t, redis_log_t, redis_log_t)
> manage_files_pattern(redis_t, redis_log_t, redis_log_t)
> manage_lnk_files_pattern(redis_t, redis_log_t, redis_log_t)
> +logging_log_filetrans(redis_t, redis_log_t, dir)
>
> manage_dirs_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
> manage_files_pattern(redis_t, redis_var_lib_t, redis_var_lib_t)
Merged.
--
Chris PeBenito
On 06/08/2018 05:53 AM, Jason Zaman wrote:
> ---
> dirmngr.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/dirmngr.te b/dirmngr.te
> index f2be3f7..983de0c 100644
> --- a/dirmngr.te
> +++ b/dirmngr.te
> @@ -69,10 +69,12 @@ dev_read_rand(dirmngr_t)
>
> sysnet_dns_name_resolve(dirmngr_t)
>
> +corenet_tcp_connect_http_port(dirmngr_t)
> corenet_tcp_connect_pgpkeyserver_port(dirmngr_t)
> corenet_udp_bind_generic_node(dirmngr_t)
>
> files_read_etc_files(dirmngr_t)
> +files_read_usr_files(dirmngr_t)
>
> miscfiles_read_localization(dirmngr_t)
> miscfiles_read_generic_certs(dirmngr_t)
Merged.
--
Chris PeBenito
On 06/08/2018 05:53 AM, Jason Zaman wrote:
> ---
> colord.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/colord.te b/colord.te
> index 0236b27..ca3aae6 100644
> --- a/colord.te
> +++ b/colord.te
> @@ -83,6 +83,7 @@ domain_use_interactive_fds(colord_t)
>
> files_list_mnt(colord_t)
> files_read_usr_files(colord_t)
> +files_map_usr_files(colord_t)
>
> fs_getattr_noxattr_fs(colord_t)
> fs_getattr_tmpfs(colord_t)
Merged.
--
Chris PeBenito