2011-07-21 09:07:46

by sven.vermeulen

Subject: [refpolicy] [PATCH 0/3 v2] Gentoo/Portage related updates

A couple of patches that were introduced for Portage. No large changes:

1. Support NFS mounts (when NFS mounts using context= aren't possible)
2. Support live ebuilds (portage needs more privileges on particular
locations then)
3. Support proxy servers for Portage

Changes since v1
----------------

- The gcc-config fix to call /sbin/rc is removed from this patchset and
will be introduced in another one, using a new rc_exec_t type
- Support for PORTAGE_BINHOST will be tackled by Gentoo bug #375835 and as
such does not require a policy update anymore


2011-07-21 09:09:09

by sven.vermeulen

Subject: [refpolicy] [PATCH 1/3] Support NFS mounts for portage related locations

When users want to use an NFS-mounted portage tree, distfiles, packages and
other locations, they need to use the proper context= mount option. However,
in the majority of cases, the users use a single NFS mount. In such a
situation, context= cannot be used properly since it puts a label on the
entire mount (whereas we would then need other labels depending on
subdirectories).

Introducing a boolean "portage_use_nfs" which, when set (default off),
allows the necessary portage-related domains to manage files and directories
with the nfs_t label.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/admin/portage.if | 7 +++++++
policy/modules/admin/portage.te | 15 +++++++++++++++
2 files changed, 22 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index 0f27b1c..6eff375 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -188,6 +188,13 @@ interface(`portage_compile_domain',`
# SELinux-enabled programs running in the sandbox
seutil_libselinux_linked($1)

+ tunable_policy(`portage_use_nfs',`
+ fs_getattr_nfs($1)
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ fs_manage_nfs_symlinks($1)
+ ')
+
ifdef(`TODO',`
# some gui ebuilds want to interact with X server, like xawtv
optional_policy(`
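
Review bot: The tunable_policy block in portage_compile_domain hands fs_manage_nfs_dirs, fs_manage_nfs_files and fs_manage_nfs_symlinks to every domain that calls this interface, and because nfs_t labels a whole mount, that is write access to every nfs_t-labelled object once the boolean is on, not only to the Portage locations. The block carries no comment saying so. A one-line comment above it stating why the compile domains need manage rights on nfs_t, and that the scope is the entire mount, would help the next reader judge whether read-only access would do for some callers.
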
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index d2ff138..492d742 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -5,6 +5,14 @@ policy_module(portage, 1.10.2)
# Declarations
#

+## <desc>
+## <p>
+## Allow the portage domains to use NFS mounts (regular nfs_t)
+## </p>
+## </desc>
+gen_tunable(portage_use_nfs, false)
+
+
type gcc_config_t;
type gcc_config_exec_t;
application_domain(gcc_config_t, gcc_config_exec_t)
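
Review bot: The <desc> text for portage_use_nfs says "use NFS mounts", which understates what the boolean turns on elsewhere in this patch: manage rights on nfs_t directories, files and symlinks. Suggest wording such as "Allow the portage domains to manage files, directories and symlinks on NFS mounts labelled nfs_t" so an admin reading the boolean description knows the scope. Style: the hunk adds two blank lines after gen_tunable(portage_use_nfs, false); one is enough.
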
@@ -258,6 +266,13 @@ sysnet_dns_name_resolve(portage_fetch_t)
userdom_use_user_terminals(portage_fetch_t)
userdom_dontaudit_read_user_home_content_files(portage_fetch_t)

+tunable_policy(`portage_use_nfs',`
+ fs_getattr_nfs(portage_fetch_t)
+ fs_manage_nfs_dirs(portage_fetch_t)
+ fs_manage_nfs_files(portage_fetch_t)
+ fs_manage_nfs_symlinks(portage_fetch_t)
+')
+
ifdef(`hide_broken_symptoms',`
dontaudit portage_fetch_t portage_cache_t:file read;
')
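
Review bot: fs_manage_nfs_symlinks(portage_fetch_t) looks wider than a fetch domain needs. If portage_fetch_t only writes downloaded files and their directories onto the NFS mount, fs_manage_nfs_dirs and fs_manage_nfs_files cover it; if symlink management is needed, a comment above the block saying why would justify it. The same four calls are repeated from portage_compile_domain in portage.if, so the two blocks have to be kept in step when one changes.
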
--
1.7.3.4

2011-07-21 09:10:03

by sven.vermeulen

Subject: [refpolicy] [PATCH 2/3] Support live ebuilds through portage_srcrepo_t

Portage supports the notion of "live ebuilds", which are packages that, when
installed, update a repository checkout on a specific location. This means
that a few portage-related domains need to have manage_* privileges on that
location whereas they usually have much more limited rights (when live
ebuilds aren't used).

To support live ebuilds, we introduce another label called portage_srcrepo_t
for those specific locations where the "higher" privileges are needed,
and grant the proper permissions on the compile domains (like
portage_sandbox_t) to manage the checkouts.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/admin/portage.fc | 3 +++
policy/modules/admin/portage.if | 7 ++++++-
policy/modules/admin/portage.te | 3 +++
3 files changed, 12 insertions(+), 1 deletions(-)

diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index db46387..9097092 100644
--- a/policy/modules/admin/portage.fc
+++ b/policy/modules/admin/portage.fc
@@ -12,6 +12,9 @@
/usr/lib(64)?/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib(64)?/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)

+/usr/portage/distfiles/svn-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
+/usr/portage/distfiles/git-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
+/usr/portage/distfiles/cvs-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
/usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)

/var/db/pkg(/.*)? gen_context(system_u:object_r:portage_db_t,s0)
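
Review bot: The three new portage.fc entries hard-code /usr/portage/distfiles/{svn,git,cvs}-src. A system whose distfiles directory lives elsewhere gets no portage_srcrepo_t label from these lines, and a checkout directory under distfiles with any other name stays portage_ebuild_t through the /usr/portage(/.*)? entry below. Worth a comment noting that relocated setups need a local file context, and the three lines could be one pattern: /usr/portage/distfiles/(svn|git|cvs)-src(/.*)?.
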
diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index 6eff375..08b361b 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -71,7 +71,7 @@ interface(`portage_compile_domain',`

gen_require(`
class dbus send_msg;
- type portage_devpts_t, portage_log_t, portage_tmp_t;
+ type portage_devpts_t, portage_log_t, portage_srcrepo_t, portage_tmp_t;
type portage_tmpfs_t;
')

@@ -105,6 +105,11 @@ interface(`portage_compile_domain',`
allow $1 portage_log_t:dir setattr;
allow $1 portage_log_t:file { write_file_perms setattr };

+ # Support live ebuilds (-9999)
+ manage_dirs_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+ manage_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+ manage_lnk_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+
# run scripts out of the build directory
can_exec(portage_sandbox_t, portage_tmp_t)

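Review bot: The manage_dirs_pattern, manage_files_pattern and manage_lnk_files_pattern lines for portage_srcrepo_t are granted unconditionally to every $1 passed to portage_compile_domain, while the commit message says the extra privileges are only needed when live ebuilds are used. Consider gating them the way patch 1/3 gates the NFS rules with a tunable, or extend the "# Support live ebuilds (-9999)" comment to state why they are always on.
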
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 492d742..16524c7 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -59,6 +59,9 @@ files_type(portage_cache_t)
type portage_log_t;
logging_log_file(portage_log_t)

+type portage_srcrepo_t;
+files_type(portage_srcrepo_t)
+
type portage_tmp_t;
files_tmp_file(portage_tmp_t)

--
1.7.3.4

2011-07-21 09:11:18

by sven.vermeulen

Subject: [refpolicy] [PATCH 3/3] Support proxy/cache servers

Portage supports the use of proxy systems (which usually run on port 8080)
for the fetching of software archives.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/admin/portage.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 16524c7..e11a4ab 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -249,6 +249,7 @@ corenet_tcp_sendrecv_all_ports(portage_fetch_t)
# it occasionally comes up
corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
corenet_tcp_connect_generic_port(portage_fetch_t)
+corenet_tcp_connect_http_cache_port(portage_fetch_t)

dev_dontaudit_read_rand(portage_fetch_t)

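Review bot: corenet_tcp_connect_http_cache_port(portage_fetch_t) is added without a comment, and it is granted unconditionally even though only proxy users need it. The lines just above it carry a comment explaining why they exist; add one here too, for example "# proxy/cache servers, usually port 8080", taken from the commit message. Since portage_fetch_t can already connect to all reserved ports and to generic ports, the extra exposure is small, but the reason still belongs in the policy itself.
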
--
1.7.3.4

2011-07-22 12:44:05

by cpebenito

Subject: [refpolicy] [PATCH 0/3 v2] Gentoo/Portage related updates

On 07/21/11 05:07, Sven Vermeulen wrote:
> A couple of patches that were introduced for Portage. No large changes:
>
> 1. Support NFS mounts (when NFS mounts using context= aren't possible)
> 2. Support live ebuilds (portage needs more privileges on particular
> locations then)
> 3. Support proxy servers for Portage
>
> Changes since v1
> ----------------
>
> - The gcc-config fix to call /sbin/rc is removed from this patchset and
> will be introduced in another one, using a new rc_exec_t type
> - Support for PORTAGE_BINHOST will be tackled by Gentoo bug #375835 and as
> such does not require a policy update anymore

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com