A couple of patches that were introduced for Portage. No large changes:
1. Support NFS mounts (when NFS mounts using context= aren't possible)
2. Support live ebuilds (portage needs more privileges on particular
locations then)
3. Allow gcc-config to call /sbin/rc (needed since openrc support)
4. Support proxy servers for Portage (and PORTAGE_BINHOST support too)
Wkr,
Sven Vermeulen
When users want to use an NFS-mounted portage tree, distfiles, packages and
other locations, they need to use the proper context= mount option. However,
in the majority of cases, users use a single NFS mount. In such a
situation, context= cannot be used properly since it puts a label on the
entire mount (whereas we would then need other labels depending on
subdirectories).
Introducing a boolean "portage_allow_nfs" which, when set (default off),
allows the necessary portage-related domains to manage files and directories
with the nfs_t label.
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/admin/portage.te | 29 +++++++++++++++++++++++++++++
1 files changed, 29 insertions(+), 0 deletions(-)
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index d2ff138..a645c5d 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -5,6 +5,14 @@ policy_module(portage, 1.10.2)
# Declarations
#
+## <desc>
+## <p>
+## Allow the portage domain to use NFS mounts (regular nfs_t) for its portage
+## tree, distfiles, etc.
+## </p>
+## </desc>
+gen_tunable(portage_allow_nfs, false)
+
type gcc_config_t;
type gcc_config_exec_t;
application_domain(gcc_config_t, gcc_config_exec_t)
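Review bot: the <desc> text under-states the scope of the tunable: the conditional blocks added further down in this patch grant nfs_t access to portage_fetch_t and portage_sandbox_t as well, not only to portage_t, and this description is what ends up in the generated booleans documentation. Suggest something like `## Allow the portage, fetch and sandbox domains to manage files on NFS mounts (nfs_t) ...`. Since the boolean enables a use case rather than lifting one restriction, a name of the form portage_use_nfs would also read more like refpolicy's other NFS tunables.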
@@ -174,6 +182,13 @@ portage_domtrans_gcc_config(portage_t)
# if sesandbox is disabled, compiling is performed in this domain
portage_compile_domain(portage_t)
+tunable_policy(`portage_allow_nfs',`
+ fs_getattr_nfs(portage_t)
+ fs_manage_nfs_dirs(portage_t)
+ fs_manage_nfs_files(portage_t)
+ fs_manage_nfs_symlinks(portage_t)
+')
+
optional_policy(`
bootloader_domtrans(portage_t)
')
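Review bot: the four fs_*_nfs() calls for portage_t are repeated verbatim for portage_sandbox_t later in the patch; both domains already go through portage_compile_domain() (called on the line just above this block), so the tunable_policy block belongs inside that interface with $1 as the domain, leaving only the fetch domain with a copy of its own. That also keeps the sesandbox-disabled case ("compiling is performed in this domain", per the comment above) automatically in sync with the sandbox domain.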
@@ -262,6 +277,13 @@ ifdef(`hide_broken_symptoms',`
dontaudit portage_fetch_t portage_cache_t:file read;
')
+tunable_policy(`portage_allow_nfs',`
+ fs_getattr_nfs(portage_fetch_t)
+ fs_manage_nfs_dirs(portage_fetch_t)
+ fs_manage_nfs_files(portage_fetch_t)
+ fs_manage_nfs_symlinks(portage_fetch_t)
+')
+
##########################################
#
# Portage sandbox domain
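Review bot: with a single NFS mount holding the tree, distfiles and packages (the scenario the commit message describes), these rules give portage_fetch_t manage rights over everything on that mount, including the ebuild tree it otherwise only reads. That is an unavoidable consequence of labelling the whole mount nfs_t, but it should be stated in the tunable's <desc> text so administrators know the boolean weakens the fetch domain's separation from the tree, not just its access to distfiles.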
@@ -275,3 +297,10 @@ ifdef(`hide_broken_symptoms',`
dontaudit portage_sandbox_t portage_cache_t:dir { setattr };
dontaudit portage_sandbox_t portage_cache_t:file { setattr write };
')
+
+tunable_policy(`portage_allow_nfs',`
+ fs_getattr_nfs(portage_sandbox_t)
+ fs_manage_nfs_dirs(portage_sandbox_t)
+ fs_manage_nfs_files(portage_sandbox_t)
+ fs_manage_nfs_symlinks(portage_sandbox_t)
+')
--
1.7.3.4
Portage supports the notion of "live ebuilds", which are packages that, when
installed, update a repository checkout on a specific location. This means
that a few portage-related domains need to have manage_* privileges on that
location whereas they usually have much more limited rights (when live
ebuilds aren't used).
To support live ebuilds, we introduce another label called portage_srcrepo_t
for those specific locations where the "higher" privileges are needed,
and grant the proper permissions on the compile domain (portage_sandbox_t)
to manage the checkouts.
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/admin/portage.fc | 3 +++
policy/modules/admin/portage.if | 5 +++++
policy/modules/admin/portage.te | 3 +++
3 files changed, 11 insertions(+), 0 deletions(-)
diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index db46387..9097092 100644
--- a/policy/modules/admin/portage.fc
+++ b/policy/modules/admin/portage.fc
@@ -12,6 +12,9 @@
/usr/lib(64)?/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib(64)?/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/portage/distfiles/svn-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
+/usr/portage/distfiles/git-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
+/usr/portage/distfiles/cvs-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
/usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
/var/db/pkg(/.*)? gen_context(system_u:object_r:portage_db_t,s0)
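Review bot: the three new entries cover the svn-src, git-src and cvs-src checkout directories only; if other VCS eclasses keep their checkouts under DISTDIR as well, they need matching entries, otherwise those checkouts fall back to portage_ebuild_t via the /usr/portage(/.*)? line and the new manage rights on portage_srcrepo_t never apply to them. The entries also hard-code /usr/portage/distfiles while DISTDIR is configurable, so a system with a relocated DISTDIR needs a local file-context equivalence before the label takes effect; worth a sentence in the commit message or the module documentation.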
diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index 0f27b1c..e327da3 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -123,6 +123,11 @@ interface(`portage_compile_domain',`
manage_sock_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
fs_tmpfs_filetrans($1, portage_tmpfs_t, { dir file lnk_file sock_file fifo_file })
+ # Support live ebuilds (-9999)
+ manage_dirs_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+ manage_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+ manage_lnk_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+
kernel_read_system_state($1)
kernel_read_network_state($1)
kernel_read_software_raid_state($1)
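Review bot: the manage_*_pattern rules assume the checkout already carries portage_srcrepo_t, but nothing in the patch creates that label at runtime: when a live ebuild first creates git-src (or svn-src, cvs-src) under distfiles, the new directory inherits the parent's type (portage_ebuild_t according to the .fc hunk) and only a restorecon moves it to portage_srcrepo_t. Either add a filetrans_pattern so the directory is born with the right type, or document the one-time relabel. Also consider whether unconditional manage rights for every compile domain are wanted, given the commit message says they are only needed when live ebuilds are used.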
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index a645c5d..88c6d60 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -44,6 +44,9 @@ term_pty(portage_devpts_t)
type portage_ebuild_t;
files_type(portage_ebuild_t)
+type portage_srcrepo_t;
+files_type(portage_srcrepo_t)
+
type portage_fetch_tmp_t;
files_tmp_file(portage_fetch_tmp_t)
--
1.7.3.4
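An added example, not part of the patch or of refpolicy, modelling the labelling behaviour the live-ebuild patch relies on: file_contexts entries decide what a path is labelled on relabel (restorecon), and the most specific matching entry wins, so the order of the new svn-src/git-src/cvs-src lines relative to the /usr/portage(/.*)? line does not matter; at creation time, however, a new directory takes its parent's type unless a type_transition rule exists. The sample file_contexts text is constructed from the portage.fc hunk with gen_context() expanded; the specificity ranking (literal entries beat regex entries, longer literal stems beat shorter ones, later lines win ties) is an assumption modelled on refpolicy's fc_sort, and the type_transition table in the demo is hypothetical.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the portage.fc hunk above, with gen_context()
# already expanded to plain contexts as in an installed file_contexts file.
FILE_CONTEXTS = """\
/usr/lib(64)?/portage/bin/regenworld -- system_u:object_r:portage_exec_t:s0
/usr/portage/distfiles/svn-src(/.*)? system_u:object_r:portage_srcrepo_t:s0
/usr/portage/distfiles/git-src(/.*)? system_u:object_r:portage_srcrepo_t:s0
/usr/portage/distfiles/cvs-src(/.*)? system_u:object_r:portage_srcrepo_t:s0
/usr/portage(/.*)? system_u:object_r:portage_ebuild_t:s0
/var/db/pkg(/.*)? system_u:object_r:portage_db_t:s0
"""

# Object-class specifiers allowed in the optional middle field of an entry.
TYPE_SPECIFIERS = {"--": "file", "-d": "dir", "-l": "lnk_file", "-s": "sock_file",
                   "-p": "fifo_file", "-c": "chr_file", "-b": "blk_file"}
# Characters that make an entry a regex rather than a literal path.
META = re.compile(r"[.\[\]*?^$(){}|+\\]")


class Spec:
    """One file_contexts line plus the specificity data used to rank matches."""

    def __init__(self, regex: str, ftype: Optional[str], context: str, order: int):
        self.pattern = re.compile("^" + regex + "$")
        self.ftype = ftype            # None means "any object class"
        self.context = context
        self.order = order            # position in the file
        meta = META.search(regex)
        self.has_meta = meta is not None
        # "stem": the literal prefix before the first regex metacharacter
        self.stem_len = len(regex if meta is None else regex[: meta.start()])

    def matches(self, path: str, ftype: str) -> bool:
        return self.ftype in (None, ftype) and self.pattern.match(path) is not None

    def rank(self) -> Tuple[bool, int, int]:
        # Assumption: mirrors fc_sort ordering; larger tuple = more specific.
        return (not self.has_meta, self.stem_len, self.order)


def parse_file_contexts(text: str) -> List[Spec]:
    specs = []
    for n, line in enumerate(text.splitlines()):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) == 3:
            regex, spec, context = fields
            ftype = TYPE_SPECIFIERS[spec]
        else:
            regex, context = fields
            ftype = None
        specs.append(Spec(regex, ftype, context, n))
    return specs


SPECS = parse_file_contexts(FILE_CONTEXTS)


def resolve_type(path: str, ftype: str = "file") -> Optional[str]:
    """Type of the most specific matching entry (what restorecon would apply)."""
    candidates = [s for s in SPECS if s.matches(path, ftype)]
    if not candidates:
        return None
    return max(candidates, key=Spec.rank).context.split(":")[2]


def label_at_creation(creator: str, parent_type: str, obj_class: str,
                      type_transitions: Dict[Tuple[str, str, str], str]) -> str:
    """Type the kernel gives a NEW object: the parent directory's type, unless a
    type_transition (filetrans_pattern) for (domain, parent type, class) exists.
    file_contexts plays no part here; it is consulted only on relabel."""
    return type_transitions.get((creator, parent_type, obj_class), parent_type)


def relabel_needed(path: str, ftype: str, current_type: str) -> bool:
    """True when the on-disk label differs from what file_contexts says it should be."""
    expected = resolve_type(path, ftype)
    return expected is not None and expected != current_type


if __name__ == "__main__":
    checkout = "/usr/portage/distfiles/git-src"
    parent_type = resolve_type("/usr/portage/distfiles", "dir")  # portage_ebuild_t
    # Constructed scenario: portage_sandbox_t creates git-src with no filetrans rule.
    born_as = label_at_creation("portage_sandbox_t", parent_type, "dir", {})
    print(f"{checkout} created as {born_as}, file_contexts wants {resolve_type(checkout, 'dir')}")
    print("relabel needed:", relabel_needed(checkout, "dir", born_as))
    # Hypothetical filetrans rule (not in the patch): it would apply to every
    # directory the sandbox creates under portage_ebuild_t, not only to git-src.
    rules = {("portage_sandbox_t", parent_type, "dir"): "portage_srcrepo_t"}
    print("with filetrans:", label_at_creation("portage_sandbox_t", parent_type, "dir", rules))
```

The unnamed type_transition in the demo is deliberately blunt: it would relabel any directory the sandbox creates below portage_ebuild_t, which is why a name-based transition or a documented restorecon step is the better fit for a checkout directory whose name is known in advance.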
Since the introduction of OpenRC (init system), a few changes have been made to
the general Gentoo-related files and applications. gcc-config is one of
them. It calls /sbin/rc (the main "entrypoint" for all OpenRC-related
actions) which, with the current policy, wasn't allowed.
Allow gcc-config to call /sbin/rc (initrc_exec_t) without transitioning.
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/admin/portage.te | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 88c6d60..e555e41 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -105,6 +105,8 @@ files_list_all(gcc_config_t)
# seems to be ok without this
init_dontaudit_read_script_status_files(gcc_config_t)
+# Since OpenRC, gcc-config calls rc (but transitioning isn't needed)
+init_exec_script_files(gcc_config_t)
libs_read_lib_files(gcc_config_t)
libs_domtrans_ldconfig(gcc_config_t)
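Review bot: init_exec_script_files() lets gcc_config_t run /sbin/rc in its own domain, so whatever rc does on gcc-config's behalf now runs with gcc_config_t's full permission set instead of under the init script domain, and any denials rc hits will surface as gcc_config_t denials. The comment should name the rc subcommand gcc-config invokes so a reviewer can judge whether exec-without-transition is the right call: if rc is only being queried, a narrower interface may do; if it manipulates services, a domain transition is the safer choice.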
--
1.7.3.4
Portage supports the use of proxy systems (which usually run on port 8080)
for both the fetching of software archives as well as fetching binaries (in
case of PORTAGE_BINHOST support).
Hence the introduction of the connect_http_port & connect_http_cache_port
for portage_t (PORTAGE_BINHOST) and portage_fetch_t (software archives).
In the latter case, connect_http_port is already available through
connect_all_reserved_ports.
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/admin/portage.te | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index e555e41..b11cdd2 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -166,6 +166,10 @@ can_exec(portage_t, portage_tmp_t)
# merging baselayout will need this:
kernel_write_proc_files(portage_t)
+# allow emerge to fetch binpkgs from PORTAGE_BINHOST
+corenet_tcp_connect_http_port(portage_t)
+corenet_tcp_connect_http_cache_port(portage_t)
+
domain_dontaudit_read_all_domains_state(portage_t)
# modify any files in the system
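Review bot: granting corenet_tcp_connect_http_port() and corenet_tcp_connect_http_cache_port() to portage_t moves outbound network access into the main portage domain, whose network reach has so far been kept small (the connect rules live on portage_fetch_t, as the next hunk shows). If binhost downloads can be run through the same fetch path as distfiles, doing them in portage_fetch_t avoids widening portage_t; if they cannot, the comment should say why the main domain has to connect itself.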
@@ -258,6 +262,7 @@ corenet_tcp_sendrecv_all_ports(portage_fetch_t)
# it occasionally comes up
corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
corenet_tcp_connect_generic_port(portage_fetch_t)
+corenet_tcp_connect_http_cache_port(portage_fetch_t) # In case of cache server connections/proxy
dev_dontaudit_read_rand(portage_fetch_t)
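Review bot: the trailing comment on the new corenet_tcp_connect_http_cache_port() line departs from the file's convention of a comment on its own line above the rule (compare `# it occasionally comes up` two lines up); move it above the call. Adding only the cache port here is correct, since connect_http_port is already covered for this domain by corenet_tcp_connect_all_reserved_ports(), as the commit message notes.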
--
1.7.3.4
On 07/19/11 17:31, Sven Vermeulen wrote:
> Portage supports the use of proxy systems (which usually run on port 8080)
> for both the fetching of software archives as well as fetching binaries (in
> case of PORTAGE_BINHOST support).
>
> Hence the introduction of the connect_http_port & connect_http_cache_port
> for portage_t (PORTAGE_BINHOST) and portage_fetch_t (software archives).
>
> In the latter case, connect_http_port is already available through
> connect_all_reserved_ports.
I presume portage is using wget to do this? Why can't we update portage
to do setexeccon, like when it is doing when downloading source files?
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/admin/portage.te | 5 +++++
> 1 files changed, 5 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
> index e555e41..b11cdd2 100644
> --- a/policy/modules/admin/portage.te
> +++ b/policy/modules/admin/portage.te
> @@ -166,6 +166,10 @@ can_exec(portage_t, portage_tmp_t)
> # merging baselayout will need this:
> kernel_write_proc_files(portage_t)
>
> +# allow emerge to fetch binpkgs from PORTAGE_BINHOST
> +corenet_tcp_connect_http_port(portage_t)
> +corenet_tcp_connect_http_cache_port(portage_t)
> +
> domain_dontaudit_read_all_domains_state(portage_t)
>
> # modify any files in the system
> @@ -258,6 +262,7 @@ corenet_tcp_sendrecv_all_ports(portage_fetch_t)
> # it occasionally comes up
> corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
> corenet_tcp_connect_generic_port(portage_fetch_t)
> +corenet_tcp_connect_http_cache_port(portage_fetch_t) # In case of cache server connections/proxy
>
> dev_dontaudit_read_rand(portage_fetch_t)
>
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On Wed, Jul 20, 2011 at 11:49:55AM -0400, Christopher J. PeBenito wrote:
> On 07/19/11 17:31, Sven Vermeulen wrote:
> > Portage supports the use of proxy systems (which usually run on port 8080)
> > for both the fetching of software archives as well as fetching binaries (in
> > case of PORTAGE_BINHOST support).
> >
> > Hence the introduction of the connect_http_port & connect_http_cache_port
> > for portage_t (PORTAGE_BINHOST) and portage_fetch_t (software archives).
> >
> > In the latter case, connect_http_port is already available through
> > connect_all_reserved_ports.
>
> I presume portage is using wget to do this? Why can't we update portage
> to do setexeccon, like when it is doing when downloading source files?
You mean to have Portage transition to portage_fetch_t again so that the
privileges on portage_t aren't necessary? I don't think that would be a
problem.
Wkr,
Sven Vermeulen
On 07/20/11 13:12, Sven Vermeulen wrote:
> On Wed, Jul 20, 2011 at 11:49:55AM -0400, Christopher J. PeBenito wrote:
>> On 07/19/11 17:31, Sven Vermeulen wrote:
>>> Portage supports the use of proxy systems (which usually run on port 8080)
>>> for both the fetching of software archives as well as fetching binaries (in
>>> case of PORTAGE_BINHOST support).
>>>
>>> Hence the introduction of the connect_http_port & connect_http_cache_port
>>> for portage_t (PORTAGE_BINHOST) and portage_fetch_t (software archives).
>>>
>>> In the latter case, connect_http_port is already available through
>>> connect_all_reserved_ports.
>>
>> I presume portage is using wget to do this? Why can't we update portage
>> to do setexeccon, like when it is doing when downloading source files?
>
> You mean to have Portage transition to portage_fetch_t again so that the
> privileges on portage_t aren't necessary? I don't think that would be a
> problem.
Yes. As much as possible, we were trying to keep the network access in
portage_fetch_t.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 07/19/11 17:23, Sven Vermeulen wrote:
> When users want to use an NFS-mounted portage tree, distfiles, packages and
> other locations, they need to use the proper context= mount option. However,
> in the majority of cases, users use a single NFS mount. In such a
> situation, context= cannot be used properly since it puts a label on the
> entire mount (whereas we would then need other labels depending on
> subdirectories).
>
> Introducing a boolean "portage_allow_nfs" which, when set (default off),
> allows the necessary portage-related domains to manage files and directories
> with the nfs_t label.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/admin/portage.te | 29 +++++++++++++++++++++++++++++
> 1 files changed, 29 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
> index d2ff138..a645c5d 100644
> --- a/policy/modules/admin/portage.te
> +++ b/policy/modules/admin/portage.te
> @@ -5,6 +5,14 @@ policy_module(portage, 1.10.2)
> # Declarations
> #
>
> +##<desc>
> +##<p>
> +## Allow the portage domain to use NFS mounts (regular nfs_t) for its portage
> +## tree, distfiles, etc.
> +##</p>
> +##</desc>
> +gen_tunable(portage_allow_nfs, false)
I suspect portage_use_nfs is a clearer Boolean name.
> type gcc_config_t;
> type gcc_config_exec_t;
> application_domain(gcc_config_t, gcc_config_exec_t)
> @@ -174,6 +182,13 @@ portage_domtrans_gcc_config(portage_t)
> # if sesandbox is disabled, compiling is performed in this domain
> portage_compile_domain(portage_t)
>
> +tunable_policy(`portage_allow_nfs',`
> + fs_getattr_nfs(portage_t)
> + fs_manage_nfs_dirs(portage_t)
> + fs_manage_nfs_files(portage_t)
> + fs_manage_nfs_symlinks(portage_t)
> +')
This and the similar block for sandbox should be in the
portage_compile_domain() interface.
> optional_policy(`
> bootloader_domtrans(portage_t)
> ')
> @@ -262,6 +277,13 @@ ifdef(`hide_broken_symptoms',`
> dontaudit portage_fetch_t portage_cache_t:file read;
> ')
>
> +tunable_policy(`portage_allow_nfs',`
> + fs_getattr_nfs(portage_fetch_t)
> + fs_manage_nfs_dirs(portage_fetch_t)
> + fs_manage_nfs_files(portage_fetch_t)
> + fs_manage_nfs_symlinks(portage_fetch_t)
> +')
> +
> ##########################################
> #
> # Portage sandbox domain
> @@ -275,3 +297,10 @@ ifdef(`hide_broken_symptoms',`
> dontaudit portage_sandbox_t portage_cache_t:dir { setattr };
> dontaudit portage_sandbox_t portage_cache_t:file { setattr write };
> ')
> +
> +tunable_policy(`portage_allow_nfs',`
> + fs_getattr_nfs(portage_sandbox_t)
> + fs_manage_nfs_dirs(portage_sandbox_t)
> + fs_manage_nfs_files(portage_sandbox_t)
> + fs_manage_nfs_symlinks(portage_sandbox_t)
> +')
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 07/19/11 17:26, Sven Vermeulen wrote:
> Portage supports the notion of "live ebuilds", which are packages that, when
> installed, update a repository checkout on a specific location. This means
> that a few portage-related domains need to have manage_* privileges on that
> location whereas they usually have much more limited rights (when live
> ebuilds aren't used).
>
> To support live ebuilds, we introduce another label called portage_srcrepo_t
> for those specific locations where the "higher" privileges are needed,
> and grant the proper permissions on the compile domain (portage_sandbox_t)
> to manage the checkouts.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/admin/portage.fc | 3 +++
> policy/modules/admin/portage.if | 5 +++++
> policy/modules/admin/portage.te | 3 +++
> 3 files changed, 11 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
> index db46387..9097092 100644
> --- a/policy/modules/admin/portage.fc
> +++ b/policy/modules/admin/portage.fc
> @@ -12,6 +12,9 @@
> /usr/lib(64)?/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0)
> /usr/lib(64)?/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
>
> +/usr/portage/distfiles/svn-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
> +/usr/portage/distfiles/git-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
> +/usr/portage/distfiles/cvs-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
> /usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
>
> /var/db/pkg(/.*)? gen_context(system_u:object_r:portage_db_t,s0)
> diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
> index 0f27b1c..e327da3 100644
> --- a/policy/modules/admin/portage.if
> +++ b/policy/modules/admin/portage.if
> @@ -123,6 +123,11 @@ interface(`portage_compile_domain',`
> manage_sock_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
> fs_tmpfs_filetrans($1, portage_tmpfs_t, { dir file lnk_file sock_file fifo_file })
>
> + # Support live ebuilds (-9999)
> + manage_dirs_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
> + manage_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
> + manage_lnk_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
> +
> kernel_read_system_state($1)
> kernel_read_network_state($1)
> kernel_read_software_raid_state($1)
> diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
> index a645c5d..88c6d60 100644
> --- a/policy/modules/admin/portage.te
> +++ b/policy/modules/admin/portage.te
> @@ -44,6 +44,9 @@ term_pty(portage_devpts_t)
> type portage_ebuild_t;
> files_type(portage_ebuild_t)
>
> +type portage_srcrepo_t;
> +files_type(portage_srcrepo_t)
> +
> type portage_fetch_tmp_t;
> files_tmp_file(portage_fetch_tmp_t)
The content of the patch is fine, but the ordering of the lines/blocks
needs to be fixed (eg srcrepo comes before tmp).
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 07/19/11 17:28, Sven Vermeulen wrote:
> Since the introduction of OpenRC (init system), a few changes have been made to
> the general Gentoo-related files and applications. gcc-config is one of
> them. It calls /sbin/rc (the main "entrypoint" for all OpenRC-related
> actions) which, with the current policy, wasn't allowed.
>
> Allow gcc-config to call /sbin/rc (initrc_exec_t) without transitioning.
I'm going to hold on this one until resolution of what to do with /sbin/rc.
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/admin/portage.te | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
> index 88c6d60..e555e41 100644
> --- a/policy/modules/admin/portage.te
> +++ b/policy/modules/admin/portage.te
> @@ -105,6 +105,8 @@ files_list_all(gcc_config_t)
>
> # seems to be ok without this
> init_dontaudit_read_script_status_files(gcc_config_t)
> +# Since OpenRC, gcc-config calls rc (but transitioning isn't needed)
> +init_exec_script_files(gcc_config_t)
>
> libs_read_lib_files(gcc_config_t)
> libs_domtrans_ldconfig(gcc_config_t)
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com