From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 02 May 2011 11:25:18 -0400
Subject: [refpolicy] [PATCH 1/4] Support live ebuilds
In-Reply-To: <20110428192508.GA29963@siphos.be>
References: <20110428192508.GA29963@siphos.be>
Message-ID: <4DBECCDE.1000608@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 04/28/11 15:25, Sven Vermeulen wrote:
> In Gentoo, live ebuilds exist (packages) which use the latest checkout of a
> version controlled repository (git, svn, cvs, ...). During installation,
> Portage checks out this repository in (by default)
> /usr/portage/distfiles/svn-src. Currently, this is labelled portage_ebuild_t
> but it is just plain wrong to allow the portage_sandbox_t to manage this
> type (which, btw, it can't do currently, so live ebuild installations aren't
> supported with the current policy).
>
> To resolve this, create an additional type (portage_svnsrc_t) and label the
> location accordingly. Also, allow portage_sandbox_t to manage the files,
> directories and links that it checks out by allowing the necessary
> privileges on portage_svnsrc_t.
>
> Signed-off-by: Sven Vermeulen
> ---
> policy/modules/admin/portage.fc | 1 +
> policy/modules/admin/portage.if | 5 +++++
> policy/modules/admin/portage.te | 3 +++
> 3 files changed, 9 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
> index db46387..f6daba8 100644
> --- a/policy/modules/admin/portage.fc
> +++ b/policy/modules/admin/portage.fc
> @@ -13,6 +13,7 @@
> /usr/lib(64)?/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
>
> /usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
> +/usr/portage/distfiles/svn-src(/.*)? gen_context(system_u:object_r:portage_svnsrc_t,s0)

It's been a while since I used a live ebuild, but iirc, there are other dirs
such as cvs-src (maybe git-src, etc. too?)

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
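Review bot: the added file context in the portage.fc hunk covers only `/usr/portage/distfiles/svn-src(/.*)?`, while the commit message says live ebuilds come from "git, svn, cvs, ..."; any other checkout directory under distfiles keeps the less specific `/usr/portage(/.*)?` match and stays portage_ebuild_t, which is the labeling the patch describes as wrong. Since the type name portage_svnsrc_t is also svn-specific, consider a VCS-neutral type name and a pattern that covers the other checkout directories (cvs-src and possibly git-src are mentioned in the reply; the exact names Portage uses should be confirmed before widening the regex). Placing the new entry after the broader `/usr/portage(/.*)?` entry is correct, since the more specific entry must take precedence. The portage.te and portage.if hunks that declare the type and grant portage_sandbox_t the manage permissions are not quoted here, so the declaration (and whether the type gets files_type) cannot be checked from this message.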
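To make the labeling effect of the hunk concrete, the following is an added Python example (not code from refpolicy, Portage, or the patch author) that parses the three file_contexts entries quoted above and resolves sample paths against them using the classic file_contexts rule that the last matching entry wins (libselinux additionally sorts entries by specificity, which yields the same result for these entries because the more specific one already comes last). It shows that only paths under svn-src get portage_svnsrc_t while a cvs-src checkout stays portage_ebuild_t. It also evaluates a hypothetical VCS-neutral pattern, `(svn|cvs|git)-src`, to show what widening the entry would change; the directory names other than svn-src are an assumption and are not confirmed by the thread. The sample paths are constructed.

```python
import re

# Constructed input: the three file_contexts entries visible in the quoted
# portage.fc hunk (two existing lines plus the line the patch adds).
FILE_CONTEXTS = """\
/usr/lib(64)?/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
/usr/portage/distfiles/svn-src(/.*)? gen_context(system_u:object_r:portage_svnsrc_t,s0)
"""

# Hypothetical alternative (an assumption, not from the patch): one entry
# covering several VCS checkout directories under distfiles.
GENERIC_FILE_CONTEXTS = FILE_CONTEXTS.replace(
    "/usr/portage/distfiles/svn-src(/.*)?",
    "/usr/portage/distfiles/(svn|cvs|git)-src(/.*)?",
)

# Optional file-type field of a file_contexts entry: "--" restricts the
# entry to regular files, "-d" to directories, and so on.  An entry
# without the field applies to every object class.
TYPE_FLAGS = {
    "--": "file", "-d": "dir", "-l": "lnk_file", "-c": "chr_file",
    "-b": "blk_file", "-s": "sock_file", "-p": "fifo_file",
}

GEN_CONTEXT = re.compile(r"gen_context\(([^,]+),(\S+)\)")


def parse_file_contexts(text):
    """Parse file_contexts lines into (compiled regex, object class or None, context)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) not in (2, 3):
            raise ValueError(f"malformed file_contexts line: {line}")
        regex = parts[0]
        obj_class = TYPE_FLAGS[parts[1]] if len(parts) == 3 else None
        m = GEN_CONTEXT.fullmatch(parts[-1])
        if m is None:
            raise ValueError(f"unrecognised context on line: {line}")
        context = m.group(1)  # user:role:type; the MLS range is dropped here
        # file_contexts regexes are anchored to the whole path.
        specs.append((re.compile(regex), obj_class, context))
    return specs


def match_context(specs, path, obj_class="file"):
    """Return the security context for path, or None if nothing matches.

    Classic file_contexts semantics: every entry is tried in file order and
    the last matching one wins, so more specific entries are listed later.
    """
    chosen = None
    for regex, entry_class, context in specs:
        if entry_class is not None and entry_class != obj_class:
            continue
        if regex.fullmatch(path):
            chosen = context
    return chosen


def type_of(specs, path, obj_class="file"):
    """Return just the SELinux type (third field) of the matched context."""
    context = match_context(specs, path, obj_class)
    return None if context is None else context.split(":")[2]


SPECS = parse_file_contexts(FILE_CONTEXTS)
GENERIC_SPECS = parse_file_contexts(GENERIC_FILE_CONTEXTS)

# Constructed sample paths, including a near miss (svn-src-old) that the
# anchored regex must not match.
SAMPLE_PATHS = [
    ("/usr/portage/distfiles/svn-src/foo/trunk/main.c", "file"),
    ("/usr/portage/distfiles/svn-src", "dir"),
    ("/usr/portage/distfiles/svn-src-old/main.c", "file"),
    ("/usr/portage/distfiles/cvs-src/foo/main.c", "file"),
    ("/usr/portage/distfiles/foo-1.0.tar.bz2", "file"),
    ("/usr/lib64/portage/bin/sandbox", "file"),
    ("/usr/lib64/portage/bin/sandbox", "dir"),
]

if __name__ == "__main__":
    for path, cls in SAMPLE_PATHS:
        print(f"{path:50} {cls:5} patch: {type_of(SPECS, path, cls)!s:18} "
              f"generic: {type_of(GENERIC_SPECS, path, cls)}")
```

Running the block prints one line per sample path with the type the patch's entries assign and the type the hypothetical generic entry would assign; the cvs-src path is where the two differ.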