From: srivasta@golden-gryphon.com (Manoj Srivastava)
Date: Tue, 14 Jul 2009 14:35:15 -0500
Subject: [refpolicy] [PATCH] Added support for python-support
Message-ID: <1247600115-22879-1-git-send-email-srivasta@golden-gryphon.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
From: Manoj Srivastava
Debian uses the python-support module infrastructure to conditionally byte compile python files during installation. This commit adds support for the package, which is critical for Python library package installation on Debian machines.
Signed-off-by: Russell Coker
Acked-By: Manoj Srivastava
---
 policy/modules/admin/apt.te | 4 ++
 policy/modules/system/pythonsupport.fc | 2 +
 policy/modules/system/pythonsupport.if | 55 ++++++++++++++++++++++++++++++++
 policy/modules/system/pythonsupport.te | 44 +++++++++++++++++++++++++
 policy/modules/system/selinuxutil.te | 10 ++++++
 policy/modules/system/userdomain.if | 4 ++
 6 files changed, 119 insertions(+), 0 deletions(-)
 create mode 100644 policy/modules/system/pythonsupport.fc
 create mode 100644 policy/modules/system/pythonsupport.if
 create mode 100644 policy/modules/system/pythonsupport.te
diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te
index c79157a..1ffa5b3 100644
--- a/policy/modules/admin/apt.te
+++ b/policy/modules/admin/apt.te
@@ -127,6 +127,10 @@ userdom_use_user_terminals(apt_t)
 #')
 optional_policy(`
+ pythonsupport_domtrans(apt_t)
+')
+
+optional_policy(`
 # dpkg interaction
 dpkg_read_db(apt_t)
 dpkg_domtrans(apt_t)
diff --git a/policy/modules/system/pythonsupport.fc b/policy/modules/system/pythonsupport.fc
new file mode 100644
index 0000000..95a0998
--- /dev/null
+++ b/policy/modules/system/pythonsupport.fc
@@ -0,0 +1,2 @@
+/usr/sbin/update-python-modules -- gen_context(system_u:object_r:pythoncompile_exec_t,s0)
+/var/lib/python-support(/.*)? gen_context(system_u:object_r:python_compiled_t,s0)
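Review bot: The transition is granted to apt_t only, yet on Debian update-python-modules appears to be invoked from package maintainer scripts rather than by apt itself; if that is the actual call path, apt_t never executes pythoncompile_exec_t and the domain that needs `pythonsupport_domtrans` is the one dpkg runs maintainer scripts in. Worth confirming which domain execs the utility before merging, since without a transition from that caller the byte-compilation is either denied or runs in the caller's domain with the caller's permissions instead of in the confined pythoncompile_t. A short comment in the new block, e.g. `# byte-compile python modules (update-python-modules)`, would also match the `# dpkg interaction` comment in the neighbouring optional_policy block.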
diff --git a/policy/modules/system/pythonsupport.if b/policy/modules/system/pythonsupport.if
new file mode 100644
index 0000000..f5b154b
--- /dev/null
+++ b/policy/modules/system/pythonsupport.if
@@ -0,0 +1,55 @@
+## Support for precompiling python modules
+##
+##

+## Debians python-support will precompile installed python
+## packages for installed python versions. This way,
+## the python2.3-foobar and python2.4-foobar (and 2.5) packages
+## could be merged into one python-foobar while keeping the
+## dependency information useful.
+##

+##
+#
+
+########################################
+##
+## Execute the python-support utility to precompile modules.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`pythonsupport_domtrans',`
+ gen_require(`
+ type pythoncompile_t, pythoncompile_exec_t;
+ ')
+
+ domain_auto_trans($1,pythoncompile_exec_t,pythoncompile_t)
+
+ allow $1 pythoncompile_t:fd use;
+ allow pythoncompile_t $1:fd use;
+ allow $1 pythoncompile_t:fifo_file rw_file_perms;
+ allow $1 pythoncompile_t:process sigchld;
+')
+
+########################################
+##
+## Read compiled python modules
+##
+##
+##
+## Domain allowed to read the compiled python modules.
+##
+##
+#
+interface(`pythonsupport_compiled_read',`
+ gen_require(`
+ type python_compiled_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 python_compiled_t:dir list_dir_perms;
+ allow $1 python_compiled_t:file read_file_perms;
+ allow $1 python_compiled_t:lnk_file read_lnk_file_perms;
+')
diff --git a/policy/modules/system/pythonsupport.te b/policy/modules/system/pythonsupport.te
new file mode 100644
index 0000000..69c1bc6
--- /dev/null
+++ b/policy/modules/system/pythonsupport.te
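Review bot: In `pythonsupport_domtrans` the fifo_file and sigchld rules after `domain_auto_trans` point the wrong way: it is the newly entered domain that sends SIGCHLD to its caller and uses the pipes it inherited, so the rules should read `allow pythoncompile_t $1:process sigchld;` and `allow pythoncompile_t $1:fifo_file rw_fifo_file_perms;` (note also `rw_fifo_file_perms` rather than `rw_file_perms` on a fifo_file), while `allow $1 pythoncompile_t:fd use;` grants the caller use of the child's descriptors, which nothing here needs. Refpolicy's `domtrans_pattern($1, pythoncompile_exec_t, pythoncompile_t)` expands to the transition plus exactly the correctly-oriented fd/fifo_file/sigchld rules, so the `domain_auto_trans` call and the four allow lines can be replaced by that single line. `pythonsupport_compiled_read` is fine as written, though `list_dir_perms`/`read_file_perms`/`read_lnk_file_perms` on one type is what `read_files_pattern`/`read_lnk_files_pattern` exist for and would make it consistent with the rest of the tree.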
@@ -0,0 +1,44 @@
+policy_module(pythonsupport,0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type pythoncompile_t;
+type pythoncompile_exec_t;
+domain_type(pythoncompile_t)
+domain_entry_file(pythoncompile_t, pythoncompile_exec_t)
+
+role system_r types pythoncompile_t;
+role sysadm_r types pythoncompile_t;
+
+type python_compiled_t;
+files_type(python_compiled_t)
+
+########################################
+#
+# python-support local policy
+#
+
+kernel_read_system_state(pythoncompile_t)
+kernel_read_kernel_sysctls(pythoncompile_t)
+
+corecmd_exec_bin(pythoncompile_t)
+corecmd_exec_sbin(pythoncompile_t)
+
+files_read_etc_files(pythoncompile_t)
+files_read_usr_files(pythoncompile_t)
+
+libs_use_ld_so(pythoncompile_t)
+libs_use_shared_libs(pythoncompile_t)
+libs_use_lib_files(pythoncompile_t)
+
+miscfiles_read_localization(pythoncompile_t)
+
+
+# create compiled python modules
+allow pythoncompile_t python_compiled_t:dir manage_dir_perms;
+allow pythoncompile_t python_compiled_t:file manage_file_perms;
+allow pythoncompile_t python_compiled_t:lnk_file manage_lnk_file_perms;
+files_var_lib_filetrans(pythoncompile_t, python_compiled_t, dir)
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index f706ef0..90e0245 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -425,6 +425,7 @@ allow semanage_t self:capability { dac_override audit_write };
 allow semanage_t self:unix_stream_socket create_stream_socket_perms;
 allow semanage_t self:unix_dgram_socket create_socket_perms;
 allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+fs_getattr_xattr_fs(semanage_t)
 allow semanage_t policy_config_t:file rw_file_perms;
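Review bot: The types declared in this new module do not carry its name: `pythoncompile_t`/`pythoncompile_exec_t` and `python_compiled_t` live in module pythonsupport, and the tree's convention of naming a module's types after it (e.g. `pythonsupport_t`, `pythonsupport_exec_t`, `pythonsupport_var_lib_t`) would also keep the two easily-confused names apart. `policy_module(pythonsupport,0.0.1)` should start at `1.0.0` like other new modules. `role sysadm_r types pythoncompile_t;` hard-codes a user role into a system module; the usual shape is to keep only `role system_r types pythoncompile_t;` here and let a caller that runs the tool from a user role add its role through an interface such as a `pythonsupport_run(domain, role)`. Finally, `files_var_lib_filetrans(pythoncompile_t, python_compiled_t, dir)` labels every directory pythoncompile_t creates directly under /var/lib as python_compiled_t, not only /var/lib/python-support (which the .fc already covers); if the tool creates nothing else there that is fine, but a comment saying so would help the next reader.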
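Review bot: `fs_getattr_xattr_fs(semanage_t)` has nothing to do with python-support and is not mentioned in the commit message; the same holds for the `targeted_policy`/`initrc_t` block and `selinux_get_fs_mount(semanage_t)` in the next two selinuxutil.te hunks. Only `pythonsupport_compiled_read(semanage_t)` belongs to this change. The other three semanage_t additions should go in their own commit whose message states which semanage operation was being denied, so a reader can tell they fix observed denials rather than being speculative grants.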
@@ -432,6 +433,10 @@ allow semanage_t semanage_tmp_t:dir manage_dir_perms;
 allow semanage_t semanage_tmp_t:file manage_file_perms;
 files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
+ifdef(`targeted_policy',`
+ allow semanage_t initrc_t:fd use;
+')
+
 kernel_read_system_state(semanage_t)
 kernel_read_kernel_sysctls(semanage_t)
@@ -449,6 +454,7 @@ files_list_pids(semanage_t)
 mls_file_write_all_levels(semanage_t)
 mls_file_read_all_levels(semanage_t)
+selinux_get_fs_mount(semanage_t)
 selinux_validate_context(semanage_t)
 selinux_get_enforce_mode(semanage_t)
 selinux_getattr_fs(semanage_t)
@@ -499,6 +505,10 @@ ifdef(`enable_mls',`
 userdom_read_user_tmp_files(semanage_t)
 ')
+optional_policy(`
+ pythonsupport_compiled_read(semanage_t)
+')
+
 ########################################
 #
 # Setfiles local policy
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 8634334..a30aeee 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -664,6 +664,10 @@ template(`userdom_common_user_template',`
 ')
 optional_policy(`
+ pythonsupport_compiled_read($1_t)
+ ')
+
+ optional_policy(`
 pcscd_read_pub_files($1_t)
 pcscd_stream_connect($1_t)
 ')
-- 
1.6.3.3
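Review bot: `allow semanage_t initrc_t:fd use;` names another module's type directly from selinuxutil.te; modules reach foreign types only through interfaces, so this should be `init_use_fds(semanage_t)`, and unless an earlier gen_require outside this hunk already pulls in initrc_t the raw allow will not even build as a loadable module. The surrounding `ifdef(\`targeted_policy',\`` looks like a leftover from an older policy tree; nothing in this diff shows the symbol still being defined, and if it is not the whole block silently compiles to nothing, so the guard should be dropped or replaced with the interface call unconditionally. The semanage_t rule block this hunk sits in starts and ends outside the hunk.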