From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Wed, 20 Jul 2011 11:49:55 -0400 Subject: [refpolicy] [PATCH 4/4] Support proxy server/cache servers and binpkg servers In-Reply-To: <20110719213100.GE14490@siphos.be> References: <20110719211641.GA14490@siphos.be> <20110719213100.GE14490@siphos.be> Message-ID: <4E26F923.7060307@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 07/19/11 17:31, Sven Vermeulen wrote: > Portage supports the use of proxy systems (which usually run on port 8080) > for both the fetching of software archives as well as fetching binaries (in > case of PORTAGE_BINHOST support). > > Hence the introduction of the connect_http_port& connect_http_cache_port > for portage_t (PORTAGE_BINHOST) and portage_fetch_t (software archives). > > In the latter case, connect_http_port is already available through > connect_all_reserved_ports. I presume portage is using wget to do this? Why can't we update portage to do setexeccon, like when it is doing when downloading source files? > Signed-off-by: Sven Vermeulen > --- > policy/modules/admin/portage.te | 5 +++++ > 1 files changed, 5 insertions(+), 0 deletions(-) > > diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te > index e555e41..b11cdd2 100644 > --- a/policy/modules/admin/portage.te > +++ b/policy/modules/admin/portage.te > @@ -166,6 +166,10 @@ can_exec(portage_t, portage_tmp_t) > # merging baselayout will need this: > kernel_write_proc_files(portage_t) > > +# allow emerge to fetch binpkgs from PORTAGE_BINHOST > +corenet_tcp_connect_http_port(portage_t) > +corenet_tcp_connect_http_cache_port(portage_t) > + > domain_dontaudit_read_all_domains_state(portage_t) > > # modify any files in the system 
> @@ -258,6 +262,7 @@ corenet_tcp_sendrecv_all_ports(portage_fetch_t) > # it occasionally comes up > corenet_tcp_connect_all_reserved_ports(portage_fetch_t) > corenet_tcp_connect_generic_port(portage_fetch_t) > +corenet_tcp_connect_http_cache_port(portage_fetch_t) # In case of cache server connections/proxy > > dev_dontaudit_read_rand(portage_fetch_t) > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
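Review bot: in the first hunk, `+corenet_tcp_connect_http_port(portage_t)` and `+corenet_tcp_connect_http_cache_port(portage_t)` give the main emerge domain its own outbound http and http_cache connectivity, while source-archive fetching is already confined to the separate portage_fetch_t domain. In line with the question raised in the reply above, consider having portage transition to portage_fetch_t for the PORTAGE_BINHOST download as well, so that only the second hunk is needed and portage_t does not gain direct network access.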
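Review bot: in the second hunk, the trailing comment on `+corenet_tcp_connect_http_cache_port(portage_fetch_t) # In case of cache server connections/proxy` departs from the surrounding style, where explanatory comments sit on their own line above the rule (e.g. `# it occasionally comes up`). Move the comment onto its own line above the rule and word it like the first hunk's comment (e.g. `# allow fetching through proxy/cache servers`); as the description notes, connect_http_port is already covered by connect_all_reserved_ports for portage_fetch_t, so http_cache_port is the only addition this domain needs.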