From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Thu, 28 Apr 2011 21:25:09 +0200
Subject: [refpolicy] [PATCH 1/4] Support live ebuilds
Message-ID: <20110428192508.GA29963@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

In Gentoo, live ebuilds exist (packages) which use the latest checkout of a version controlled repository (git, svn, cvs, ...). During installation, Portage checks out this repository in (by default) /usr/portage/distfiles/svn-src. Currently, this is labelled portage_ebuild_t but it is just plain wrong to allow the portage_sandbox_t to manage this type (which, btw, it can't do currently, so live ebuild installations aren't supported with the current policy).

To resolve this, create an additional type (portage_svnsrc_t) and label the location accordingly. Also, allow portage_sandbox_t to manage the files, directories and links that it checks out by allowing the necessary privileges on portage_svnsrc_t.

Signed-off-by: Sven Vermeulen
---
policy/modules/admin/portage.fc | 1 + policy/modules/admin/portage.if | 5 +++++ policy/modules/admin/portage.te | 3 +++ 3 files changed, 9 insertions(+), 0 deletions(-)
diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc index db46387..f6daba8 100644 --- a/policy/modules/admin/portage.fc +++ b/policy/modules/admin/portage.fc @@ -13,6 +13,7 @@ /usr/lib(64)?/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0) /usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0) +/usr/portage/distfiles/svn-src(/.*)? gen_context(system_u:object_r:portage_svnsrc_t,s0) /var/db/pkg(/.*)? gen_context(system_u:object_r:portage_db_t,s0) /var/cache/edb(/.*)? gen_context(system_u:object_r:portage_cache_t,s0) diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if index 8aaa46d..a4026a9 100644 --- a/policy/modules/admin/portage.if +++ b/policy/modules/admin/portage.if 
@@ -123,6 +123,11 @@ interface(`portage_compile_domain',` manage_sock_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t) fs_tmpfs_filetrans($1, portage_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + # Support live ebuilds + manage_dirs_pattern($1, portage_svnsrc_t, portage_svnsrc_t) + manage_files_pattern($1, portage_svnsrc_t, portage_svnsrc_t) + manage_lnk_files_pattern($1, portage_svnsrc_t, portage_svnsrc_t) + kernel_read_system_state($1) kernel_read_network_state($1) kernel_read_software_raid_state($1) diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te index c633aea..8f41c2e 100644 --- a/policy/modules/admin/portage.te +++ b/policy/modules/admin/portage.te @@ -36,6 +36,9 @@ term_pty(portage_devpts_t) type portage_ebuild_t; files_type(portage_ebuild_t) +type portage_svnsrc_t; +files_type(portage_svnsrc_t) + type portage_fetch_tmp_t; files_tmp_file(portage_fetch_tmp_t) -- 1.7.3.4
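Review bot: the portage.fc hunk only covers /usr/portage/distfiles/svn-src, while the commit message says live ebuilds also come from git and cvs checkouts; if Portage keeps those under sibling directories of distfiles, they stay portage_ebuild_t and fail in exactly the way the message describes, so either add matching entries or state in the message that only svn checkouts are handled for now. The new entry is a longer match than `/usr/portage(/.*)?`, so it wins in file_contexts ordering, but it is tied to the default DISTDIR; a site with a relocated DISTDIR gets nothing from it, and an already-installed system needs a relabel (restorecon) of the directory before the new type takes effect, which is worth a line in the message.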
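Review bot: the portage.if hunk uses portage_svnsrc_t inside portage_compile_domain() but does not show the interface's gen_require block being extended; unless `type portage_svnsrc_t;` is added there, any module that calls portage_compile_domain() will fail to build because the type is undeclared in that module's scope. The three manage_*_pattern lines themselves look right for a checkout (dirs, files, symlinks; no need for sock or fifo files), and because new objects inherit the parent directory's type, no filetrans rule is needed as long as the directory is already labelled portage_svnsrc_t.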
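Review bot: the portage.te hunk declares portage_svnsrc_t with files_type() only, so the sole domain that can touch it after this patch is whatever calls portage_compile_domain(); it is worth confirming that the main portage domain, which creates and cleans distfiles, also gets the access it needs to this type, either through that interface or a separate rule, otherwise cleanup of stale checkouts will be denied. Given the commit message lists git and cvs alongside svn, the name "svnsrc" is narrower than the intent; a repository-neutral name would avoid a rename later if the other checkout directories are covered.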