From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Tue, 19 Jul 2011 23:26:19 +0200
Subject: [refpolicy] [PATCH 2/4] Support live ebuilds through portage_srcrepo_t
In-Reply-To: <20110719211641.GA14490@siphos.be>
References: <20110719211641.GA14490@siphos.be>
Message-ID: <20110719212618.GC14490@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Portage supports the notion of "live ebuilds", which are packages that, when installed, update a repository checkout on a specific location. This means that a few portage-related domains need to have manage_* privileges on that location whereas they usually have much more limited rights (when live ebuilds aren't used).

To support live ebuilds, we introduce another label called portage_srcrepo_t for those specific locations where the "higher" privileges are needed, and grant the proper permissions on the compile domain (portage_sandbox_t) to manage the checkouts.

Signed-off-by: Sven Vermeulen
--- policy/modules/admin/portage.fc | 3 +++ policy/modules/admin/portage.if | 5 +++++ policy/modules/admin/portage.te | 3 +++ 3 files changed, 11 insertions(+), 0 deletions(-) diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc index db46387..9097092 100644 --- a/policy/modules/admin/portage.fc +++ b/policy/modules/admin/portage.fc @@ -12,6 +12,9 @@ /usr/lib(64)?/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0) /usr/lib(64)?/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0) +/usr/portage/distfiles/svn-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) +/usr/portage/distfiles/git-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) +/usr/portage/distfiles/cvs-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) /usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0) /var/db/pkg(/.*)? gen_context(system_u:object_r:portage_db_t,s0) 
diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if index 0f27b1c..e327da3 100644 --- a/policy/modules/admin/portage.if +++ b/policy/modules/admin/portage.if @@ -123,6 +123,11 @@ interface(`portage_compile_domain',` manage_sock_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t) fs_tmpfs_filetrans($1, portage_tmpfs_t, { dir file lnk_file sock_file fifo_file }) + # Support live ebuilds (-9999) + manage_dirs_pattern($1, portage_srcrepo_t, portage_srcrepo_t) + manage_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t) + manage_lnk_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t) + kernel_read_system_state($1) kernel_read_network_state($1) kernel_read_software_raid_state($1) diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te index a645c5d..88c6d60 100644 --- a/policy/modules/admin/portage.te +++ b/policy/modules/admin/portage.te @@ -44,6 +44,9 @@ term_pty(portage_devpts_t) type portage_ebuild_t; files_type(portage_ebuild_t) +type portage_srcrepo_t; +files_type(portage_srcrepo_t) + type portage_fetch_tmp_t; files_tmp_file(portage_fetch_tmp_t) -- 1.7.3.4
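
Review bot: In the portage.fc hunk, the three new entries hardcode /usr/portage/distfiles and cover only svn-src, git-src and cvs-src, so any other checkout directory under distfiles still matches the /usr/portage(/.*)? entry, keeps portage_ebuild_t, and is not covered by the manage rights added for portage_srcrepo_t. Please state in the commit message which checkout directories are intentionally in scope, and consider collapsing the three lines into a single expression such as /usr/portage/distfiles/(svn|git|cvs)-src(/.*)? so the list is extended in one place.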
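
Review bot: The portage.if hunk makes portage_compile_domain reference portage_srcrepo_t, but the five added lines are the comment, the three manage_*_pattern calls and a blank line, so nothing adds the new type to the interface's gen_require block. Add type portage_srcrepo_t; to the require list of portage_compile_domain so the interface does not depend on the type happening to be in scope at the call site. Separately, every domain passed as $1 receives full manage rights on the checkouts, while the commit message names only portage_sandbox_t; it is worth confirming that each caller of the interface needs write access there.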