From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 15 Jul 2009 09:49:45 -0400
Subject: [refpolicy] [PATCH] Added support for python-support
In-Reply-To: <1247600115-22879-1-git-send-email-srivasta@golden-gryphon.com>
References: <1247600115-22879-1-git-send-email-srivasta@golden-gryphon.com>
Message-ID: <1247665787.23783.21.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 2009-07-14 at 14:35 -0500, Manoj Srivastava wrote:
> From: Manoj Srivastava
>
> Debian uses the python-support module infrastructure to conditionally
> byte compile python files during installation. This commit adds
> support for the package, which is critical for Python library package
> installation on Debian machines.

This needs some cleanup (comments inline). Since python is used in a variety of domains, does use of these precompiled libraries really need to be added to individual modules, or does it make sense to optionally add the access to all domains (see libs_use_shared_libs() usage in domain.te) since they're effectively system libraries created by a trusted process?

> Signed-off-by: Russell Coker
> Acked-By: Manoj Srivastava
> ---
> policy/modules/admin/apt.te | 4 ++
> policy/modules/system/pythonsupport.fc | 2 +
> policy/modules/system/pythonsupport.if | 55 ++++++++++++++++++++++++++++++++
> policy/modules/system/pythonsupport.te | 44 +++++++++++++++++++++++++
> policy/modules/system/selinuxutil.te | 10 ++++++
> policy/modules/system/userdomain.if | 4 ++
> 6 files changed, 119 insertions(+), 0 deletions(-)
> create mode 100644 policy/modules/system/pythonsupport.fc
> create mode 100644 policy/modules/system/pythonsupport.if
> create mode 100644 policy/modules/system/pythonsupport.te
>
> diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te
> index c79157a..1ffa5b3 100644
> --- a/policy/modules/admin/apt.te
> +++ b/policy/modules/admin/apt.te
> @@ -127,6 +127,10 @@ userdom_use_user_terminals(apt_t) > #') > > optional_policy(` > + pythonsupport_domtrans(apt_t) > +') > + > +optional_policy(` > # dpkg interaction > dpkg_read_db(apt_t) > dpkg_domtrans(apt_t) > diff --git a/policy/modules/system/pythonsupport.fc b/policy/modules/system/pythonsupport.fc > new file mode 100644 > index 0000000..95a0998 > --- /dev/null > +++ b/policy/modules/system/pythonsupport.fc > @@ -0,0 +1,2 @@ > +/usr/sbin/update-python-modules -- gen_context(system_u:object_r:pythoncompile_exec_t,s0) > +/var/lib/python-support(/.*)? gen_context(system_u:object_r:python_compiled_t,s0) > diff --git a/policy/modules/system/pythonsupport.if b/policy/modules/system/pythonsupport.if > new file mode 100644 > index 0000000..f5b154b > --- /dev/null > +++ b/policy/modules/system/pythonsupport.if > @@ -0,0 +1,55 @@ > +## Support for precompiling python modules > +## > +##

> +## Debians python-support will precompile installed python > +## packages for installed python versions. This way, > +## the python2.3-foobar and python2.4-foobar (and 2.5) packages > +## could be merged into one python-foobar while keeping the > +## dependency information useful. > +##

> +##
> +# > + > +######################################## > +## > +## Execute the python-support utility to precompile modules. > +## > +## > +## > +## Domain allowed to transition. > +## > +## > +# > +interface(`pythonsupport_domtrans',` Consider using pysupport in the interface names. > + gen_require(` > + type pythoncompile_t, pythoncompile_exec_t; > + ') > + > + domain_auto_trans($1,pythoncompile_exec_t,pythoncompile_t) > + > + allow $1 pythoncompile_t:fd use; > + allow pythoncompile_t $1:fd use; > + allow $1 pythoncompile_t:fifo_file rw_file_perms; > + allow $1 pythoncompile_t:process sigchld; Use domtrans_pattern() > +') > + > +######################################## > +## > +## Read compiled python modules > +## > +## > +## > +## Domain allowed to read the compiled python modules. > +## > +## > +# > +interface(`pythonsupport_compiled_read',` This should be pythonsupport_read_compiled(). > + gen_require(` > + type python_compiled_t; > + ') > + > + files_search_var_lib($1) > + allow $1 python_compiled_t:dir list_dir_perms; > + allow $1 python_compiled_t:file read_file_perms; > + allow $1 python_compiled_t:lnk_file read_lnk_file_perms; > +') > diff --git a/policy/modules/system/pythonsupport.te b/policy/modules/system/pythonsupport.te > new file mode 100644 > index 0000000..69c1bc6 > --- /dev/null > +++ b/policy/modules/system/pythonsupport.te 
> @@ -0,0 +1,44 @@ > +policy_module(pythonsupport,0.0.1) > + > +######################################## > +# > +# Declarations > +# > + > +type pythoncompile_t; > +type pythoncompile_exec_t; > +domain_type(pythoncompile_t) > +domain_entry_file(pythoncompile_t, pythoncompile_exec_t) > + > +role system_r types pythoncompile_t; > +role sysadm_r types pythoncompile_t; Not allowed. > + > +type python_compiled_t; > +files_type(python_compiled_t) > + > +######################################## > +# > +# python-support local policy > +# > + > +kernel_read_system_state(pythoncompile_t) > +kernel_read_kernel_sysctls(pythoncompile_t) > + > +corecmd_exec_bin(pythoncompile_t) > +corecmd_exec_sbin(pythoncompile_t) > + > +files_read_etc_files(pythoncompile_t) > +files_read_usr_files(pythoncompile_t) > + > +libs_use_ld_so(pythoncompile_t) > +libs_use_shared_libs(pythoncompile_t) Redundant. > +libs_use_lib_files(pythoncompile_t) > + > +miscfiles_read_localization(pythoncompile_t) > + > + > +# create compiled python modules > +allow pythoncompile_t python_compiled_t:dir manage_dir_perms; > +allow pythoncompile_t python_compiled_t:file manage_file_perms; > +allow pythoncompile_t python_compiled_t:lnk_file manage_lnk_file_perms; > +files_var_lib_filetrans(pythoncompile_t, python_compiled_t, dir) > diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te > index f706ef0..90e0245 100644 > --- a/policy/modules/system/selinuxutil.te > +++ b/policy/modules/system/selinuxutil.te > @@ -425,6 +425,7 @@ allow semanage_t self:capability { dac_override audit_write }; > allow semanage_t self:unix_stream_socket create_stream_socket_perms; > allow semanage_t self:unix_dgram_socket create_socket_perms; > allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; > +fs_getattr_xattr_fs(semanage_t) Unrelated change. > allow semanage_t policy_config_t:file rw_file_perms; 
> > @@ -432,6 +433,10 @@ allow semanage_t semanage_tmp_t:dir manage_dir_perms; > allow semanage_t semanage_tmp_t:file manage_file_perms; > files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir }) > > +ifdef(`targeted_policy',` > + allow semanage_t initrc_t:fd use; > +') No longer a valid build option, also unrelated change. > kernel_read_system_state(semanage_t) > kernel_read_kernel_sysctls(semanage_t) > > @@ -449,6 +454,7 @@ files_list_pids(semanage_t) > mls_file_write_all_levels(semanage_t) > mls_file_read_all_levels(semanage_t) > > +selinux_get_fs_mount(semanage_t) Another unrelated change. > selinux_validate_context(semanage_t) > selinux_get_enforce_mode(semanage_t) > selinux_getattr_fs(semanage_t) > @@ -499,6 +505,10 @@ ifdef(`enable_mls',` > userdom_read_user_tmp_files(semanage_t) > ') > > +optional_policy(` > + pythonsupport_compiled_read(semanage_t) > +') > + > ######################################## > # > # Setfiles local policy > diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if > index 8634334..a30aeee 100644 > --- a/policy/modules/system/userdomain.if > +++ b/policy/modules/system/userdomain.if > @@ -664,6 +664,10 @@ template(`userdom_common_user_template',` > ') > > optional_policy(` > + pythonsupport_compiled_read($1_t) > + ') > + > + optional_policy(` > pcscd_read_pub_files($1_t) > pcscd_stream_connect($1_t) > ') -- Chris PeBenito Tresys Technology, LLC (410) 290-1411 x150
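Review bot: in the apt.te hunk (@@ -127) the new optional_policy block is placed ahead of the existing dpkg block, but refpolicy keeps optional_policy blocks in alphabetical order by module, so `pythonsupport_domtrans(apt_t)` belongs after the `dpkg_domtrans(apt_t)` block rather than in front of the `# dpkg interaction` comment. Also confirm that apt_t is really the domain that executes /usr/sbin/update-python-modules: the commit message says the byte compilation happens during package installation, and the same hunk shows apt_t already transitioning to dpkg via `dpkg_domtrans(apt_t)`, so the transition may be needed from the dpkg side instead of, or in addition to, apt.

Review bot: the pythonsupport.fc hunk introduces three different naming stems for one module (pythoncompile_exec_t, python_compiled_t, and the module name pythonsupport). Refpolicy convention is to prefix a module's types with the module name, e.g. pythonsupport_t / pythonsupport_exec_t / pythonsupport_compiled_t (or pysupport_* if the interface names go that way), and the rename has to be carried through the .te and .if hunks below in the same patch, since all three files reference these types.

Review bot: the pythonsupport.if hunk has no pythonsupport_run() interface, yet pythonsupport.te below hard-codes `role sysadm_r types pythoncompile_t;`. The refpolicy way to let an administrative role run the helper is a `pythonsupport_run($1, $2)` interface that calls the domtrans interface and then `role $2 types pythoncompile_t;`, invoked from the admin role's module under optional_policy; that replaces the role line in the .te and keeps the module usable without the sysadm role being present.

Review bot: in the pythonsupport.te hunk the module is declared as `policy_module(pythonsupport,0.0.1)`; new refpolicy modules start at 1.0.0. If the alternative raised at the top of this review is taken (grant read access to python_compiled_t to all domains from domain.te, the way libs_use_shared_libs() is used there), then `files_type(python_compiled_t)` plus that one rule is all the read side needs, and the per-module `pythonsupport_compiled_read` calls added to selinuxutil.te and userdomain.if in this patch can be dropped; if the per-module approach stays, the compile domain's manage rules on python_compiled_t and the `files_var_lib_filetrans(pythoncompile_t, python_compiled_t, dir)` are the right write side and need no change.

Review bot: in the selinuxutil.te hunk at @@ -432, apart from targeted_policy no longer being a build option, `allow semanage_t initrc_t:fd use;` references initrc_t directly from another module's .te, which is not allowed in a modular build; if semanage_t genuinely needs to inherit descriptors from initrc_t, that is `init_use_fds(semanage_t)` through the init module's interface, and it belongs in a separate patch together with the fs_getattr_xattr_fs and selinux_get_fs_mount additions in the neighbouring hunks.

Review bot: the selinuxutil.te hunk at @@ -499 is the only semanage_t change in this patch that belongs to the python-support work; splitting the three unrelated semanage_t rules into their own patch lets this call be merged on its own. Note that if the interface is renamed to pythonsupport_read_compiled() as suggested above, this call and the one in userdomain.if must be renamed in the same commit or the build breaks.

Review bot: in the userdomain.if hunk (@@ -664) the new optional_policy block is inserted before the pcscd block, but optional_policy blocks in userdom_common_user_template are kept in alphabetical order by module and "pythonsupport" sorts after "pcscd", so `pythonsupport_compiled_read($1_t)` should go after the `pcscd_stream_connect($1_t)` block. As with the semanage_t call, this block becomes unnecessary if the access is granted to all domains from domain.te instead.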