From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Wed, 20 Jul 2011 14:06:19 -0400 Subject: [refpolicy] [PATCH 1/4] Support NFS mounts for portage-related locations In-Reply-To: <20110719212317.GB14490@siphos.be> References: <20110719211641.GA14490@siphos.be> <20110719212317.GB14490@siphos.be> Message-ID: <4E27191B.3000908@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 07/19/11 17:23, Sven Vermeulen wrote: > When users want to use NFS mounted portage tree, distfiles, packages and > other locations, they need to use the proper context= mount option. However, > in the majority of cases, the users use a single NFS mount. In such > situation, context= cannot be used properly since it puts a label on the > entire mount (whereas we would then need other labels depending on > subdirectories). > > Introducing a boolean "portage_allow_nfs" which, when set (default off), > allows the necessary portage-related domains to manage files and directories > with the nfs_t label. > > Signed-off-by: Sven Vermeulen > --- > policy/modules/admin/portage.te | 29 +++++++++++++++++++++++++++++ > 1 files changed, 29 insertions(+), 0 deletions(-) > > diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te > index d2ff138..a645c5d 100644 > --- a/policy/modules/admin/portage.te > +++ b/policy/modules/admin/portage.te > @@ -5,6 +5,14 @@ policy_module(portage, 1.10.2) > # Declarations > # > > +## > +##

> +## Allow the portage domain to use NFS mounts (regular nfs_t) for its portage > +## tree, distfiles, etc. > +##

> +##
> +gen_tunable(portage_allow_nfs, false) I suspect portage_use_nfs is a clearer Boolean name. > type gcc_config_t; > type gcc_config_exec_t; > application_domain(gcc_config_t, gcc_config_exec_t) > @@ -174,6 +182,13 @@ portage_domtrans_gcc_config(portage_t) > # if sesandbox is disabled, compiling is performed in this domain > portage_compile_domain(portage_t) > > +tunable_policy(`portage_allow_nfs',` > + fs_getattr_nfs(portage_t) > + fs_manage_nfs_dirs(portage_t) > + fs_manage_nfs_files(portage_t) > + fs_manage_nfs_symlinks(portage_t) > +') This and the similar block for sandbox should be in the portage_compile_domain() interface. > optional_policy(` > bootloader_domtrans(portage_t) > ') > @@ -262,6 +277,13 @@ ifdef(`hide_broken_symptoms',` > dontaudit portage_fetch_t portage_cache_t:file read; > ') > > +tunable_policy(`portage_allow_nfs',` > + fs_getattr_nfs(portage_fetch_t) > + fs_manage_nfs_dirs(portage_fetch_t) > + fs_manage_nfs_files(portage_fetch_t) > + fs_manage_nfs_symlinks(portage_fetch_t) > +') > + > ########################################## > # > # Portage sandbox domain > @@ -275,3 +297,10 @@ ifdef(`hide_broken_symptoms',` > dontaudit portage_sandbox_t portage_cache_t:dir { setattr }; > dontaudit portage_sandbox_t portage_cache_t:file { setattr write }; > ') > + > +tunable_policy(`portage_allow_nfs',` > + fs_getattr_nfs(portage_sandbox_t) > + fs_manage_nfs_dirs(portage_sandbox_t) > + fs_manage_nfs_files(portage_sandbox_t) > + fs_manage_nfs_symlinks(portage_sandbox_t) > +') -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
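Review bot: the description above gen_tunable(portage_allow_nfs, false), in the @@ -5,6 +5,14 @@ hunk, says "the portage domain", but the later hunks enable the tunable for three domains: portage_t, portage_fetch_t and portage_sandbox_t. Name all three in the description. It should also state that the grant is on the nfs_t label as a whole, so it covers every NFS mount carrying that label and not only the portage tree and distfiles; an administrator toggling the Boolean then knows its real scope.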
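Review bot: the tunable_policy block for portage_fetch_t, in the @@ -262,6 +277,13 @@ hunk, gives the fetch domain the same four calls as portage_t, including fs_manage_nfs_symlinks(portage_fetch_t), with no comment explaining why it needs the full manage set. Add a one-line comment above the block stating which NFS-backed locations the fetch domain has to write. If it never creates symlinks there, drop the symlink line so the fetch domain carries only what it uses.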