From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Tue, 19 Jul 2011 23:23:17 +0200
Subject: [refpolicy] [PATCH 1/4] Support NFS mounts for portage-related locations
In-Reply-To: <20110719211641.GA14490@siphos.be>
References: <20110719211641.GA14490@siphos.be>
Message-ID: <20110719212317.GB14490@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

When users want to use NFS mounted portage tree, distfiles, packages and other locations, they need to use the proper context= mount option. However, in the majority of cases, the users use a single NFS mount. In such situation, context= cannot be used properly since it puts a label on the entire mount (whereas we would then need other labels depending on subdirectories).

Introducing a boolean "portage_allow_nfs" which, when set (default off), allows the necessary portage-related domains to manage files and directories with the nfs_t label.

Signed-off-by: Sven Vermeulen
---
 policy/modules/admin/portage.te | 29 +++++++++++++++++++++++++++++
 1 files changed, 29 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index d2ff138..a645c5d 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -5,6 +5,14 @@ policy_module(portage, 1.10.2)
 # Declarations
 #
 
+##
+##
+## Allow the portage domain to use NFS mounts (regular nfs_t) for its portage
+## tree, distfiles, etc.
+##
+##
+gen_tunable(portage_allow_nfs, false)
+
 type gcc_config_t;
 type gcc_config_exec_t;
 application_domain(gcc_config_t, gcc_config_exec_t)
@@ -174,6 +182,13 @@ portage_domtrans_gcc_config(portage_t)
 # if sesandbox is disabled, compiling is performed in this domain
 portage_compile_domain(portage_t)
 
+tunable_policy(`portage_allow_nfs',`
+	fs_getattr_nfs(portage_t)
+	fs_manage_nfs_dirs(portage_t)
+	fs_manage_nfs_files(portage_t)
+	fs_manage_nfs_symlinks(portage_t)
+')
+
 optional_policy(`
 	bootloader_domtrans(portage_t)
 ')
@@ -262,6 +277,13 @@ ifdef(`hide_broken_symptoms',`
 	dontaudit portage_fetch_t portage_cache_t:file read;
 ')
+tunable_policy(`portage_allow_nfs',`
+	fs_getattr_nfs(portage_fetch_t)
+	fs_manage_nfs_dirs(portage_fetch_t)
+	fs_manage_nfs_files(portage_fetch_t)
+	fs_manage_nfs_symlinks(portage_fetch_t)
+')
+
 ##########################################
 #
 # Portage sandbox domain
 #
@@ -275,3 +297,10 @@ ifdef(`hide_broken_symptoms',`
 	dontaudit portage_sandbox_t portage_cache_t:dir { setattr };
 	dontaudit portage_sandbox_t portage_cache_t:file { setattr write };
 ')
+
+tunable_policy(`portage_allow_nfs',`
+	fs_getattr_nfs(portage_sandbox_t)
+	fs_manage_nfs_dirs(portage_sandbox_t)
+	fs_manage_nfs_files(portage_sandbox_t)
+	fs_manage_nfs_symlinks(portage_sandbox_t)
+')
-- 
1.7.3.4
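Review bot: The tunable description in this hunk says "the portage domain", but the same boolean is applied further down to portage_t, portage_fetch_t and portage_sandbox_t, and to every object labeled nfs_t rather than only the portage locations, so an administrator reading the policy documentation cannot tell how far enabling it reaches. I would widen the description to something like `Allow the portage, portage_fetch and portage_sandbox domains to manage files, directories and symlinks on NFS filesystems labeled nfs_t (mounts without a context= option), e.g. for the portage tree, distfiles and packages. This covers every such mount, not only the portage ones.` The `<desc>`/`<p>` markup appears to have been stripped in this rendering of the mail, so I am commenting on the wording only.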
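Review bot: The `fs_manage_nfs_*` calls give portage_t create, delete and write access to every nfs_t file, directory and symlink on the system, not just the NFS mount holding the portage tree, because nfs_t is the label of any NFS mount lacking a context= option. That is the accepted consequence of the single-mount case described in the commit message, but the rules should say so for the next reader; I would add `# nfs_t covers every NFS mount without context=, so this reaches all such mounts, not only the portage tree` above the tunable_policy block. The boolean is declared with a false default, so the widening is opt-in, which is the right choice.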
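Review bot: portage_fetch_t gets `fs_manage_nfs_symlinks` and full manage on nfs_t dirs and files, although a fetcher that downloads distfiles presumably needs only to create and write regular files under the distfiles directory and traverse existing symlinks; since this domain processes data coming from remote mirrors, the extra create/delete/rename rights on every nfs_t object are the ones I would question first. If the tree provides `fs_read_nfs_symlinks`, consider `fs_read_nfs_symlinks(portage_fetch_t)` in place of the manage variant, and check whether `fs_manage_nfs_dirs` can be narrowed as well. If the full manage set is really required by the fetch helpers, a one-line comment on the block explaining which operation needs it would save the next reviewer the same question.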
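Review bot: portage_sandbox_t, which by its name and the `hide_broken_symptoms` dontaudits above looks like the restricted build environment, can with the boolean on create, delete and overwrite any nfs_t file, directory or symlink, so an ebuild or upstream build script running inside it could modify the whole NFS mount rather than just drop a binary package into the packages directory. If the sandbox only needs to read the tree and distfiles, read-only interfaces (`fs_list_nfs`, `fs_read_nfs_files`, `fs_read_nfs_symlinks`, if present in this tree) would keep its write surface on local storage; if writing is needed because the packages directory may also live on NFS, state that on the block, e.g. `# manage, not read: the sandbox writes binary packages when the packages directory is on NFS`. Either way the choice should be recorded, since this is the domain with the least trusted code in it.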