From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Wed, 20 Jul 2011 14:07:45 -0400 Subject: [refpolicy] [PATCH 2/4] Support live ebuilds through portage_srcrepo_t In-Reply-To: <20110719212618.GC14490@siphos.be> References: <20110719211641.GA14490@siphos.be> <20110719212618.GC14490@siphos.be> Message-ID: <4E271971.8090100@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 07/19/11 17:26, Sven Vermeulen wrote: > Portage supports the notion of "live ebuilds", which are packages that, when > installed, update a repository checkout on a specific location. This means > that a few portage-related domains need to have manage_* privileges on that > location whereas they usually have much more limited rights (when live > ebuilds aren't used). > > To support live ebuilds, we introduce another label called portage_srcrepo_t > for those specific locations where the "higher" privileges are needed for, > and grant the proper permissions on the compile domain (portage_sandbox_t) > to manage the checkouts. > > Signed-off-by: Sven Vermeulen > --- > policy/modules/admin/portage.fc | 3 +++ > policy/modules/admin/portage.if | 5 +++++ > policy/modules/admin/portage.te | 3 +++ > 3 files changed, 11 insertions(+), 0 deletions(-) > > diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc > index db46387..9097092 100644 > --- a/policy/modules/admin/portage.fc > +++ b/policy/modules/admin/portage.fc 
> @@ -12,6 +12,9 @@ > /usr/lib(64)?/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0) > /usr/lib(64)?/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0) > > +/usr/portage/distfiles/svn-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) > +/usr/portage/distfiles/git-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) > +/usr/portage/distfiles/cvs-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) > /usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0) > > /var/db/pkg(/.*)? gen_context(system_u:object_r:portage_db_t,s0) > diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if > index 0f27b1c..e327da3 100644 > --- a/policy/modules/admin/portage.if > +++ b/policy/modules/admin/portage.if > @@ -123,6 +123,11 @@ interface(`portage_compile_domain',` > manage_sock_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t) > fs_tmpfs_filetrans($1, portage_tmpfs_t, { dir file lnk_file sock_file fifo_file }) > > + # Support live ebuilds (-9999) > + manage_dirs_pattern($1, portage_srcrepo_t, portage_srcrepo_t) > + manage_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t) > + manage_lnk_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t) > + > kernel_read_system_state($1) > kernel_read_network_state($1) > kernel_read_software_raid_state($1) > diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te > index a645c5d..88c6d60 100644 > --- a/policy/modules/admin/portage.te > +++ b/policy/modules/admin/portage.te > @@ -44,6 +44,9 @@ term_pty(portage_devpts_t) > type portage_ebuild_t; > files_type(portage_ebuild_t) > > +type portage_srcrepo_t; > +files_type(portage_srcrepo_t) > + > type portage_fetch_tmp_t; > files_tmp_file(portage_fetch_tmp_t) The content of the patch is fine, but the ordering of the lines/blocks needs to be fixed (eg srcrepo comes before tmp). -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
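Review bot: in the portage.fc hunk, only svn-src, git-src and cvs-src under /usr/portage/distfiles receive portage_srcrepo_t; a checkout made by any other fetcher under distfiles stays portage_ebuild_t through the /usr/portage(/.*)? entry, so the manage rights added for live ebuilds would not apply there. Either state in the commit message that these three are the only supported checkout locations, or cover the other fetcher directories as well. Also, since file-context matching picks the entry with the longest stem, the three new lines do not need to sit above /usr/portage(/.*)? to win; they can be sorted with the rest of the file.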
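Review bot: in the portage.if hunk, the three manage_*_pattern rules are added inside portage_compile_domain(), so every domain that calls that interface gains manage rights on portage_srcrepo_t, while the commit message describes granting them to portage_sandbox_t. Either document in the commit message that all compile domains get these rights, or place the rules in portage.te against portage_sandbox_t only. The commit message also notes these domains otherwise have much more limited rights and that live ebuilds are not always used; wrapping the three rules in a tunable_policy block would let systems that do not use live ebuilds keep the narrower policy.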