From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Thu, 21 Jul 2011 11:09:09 +0200 Subject: [refpolicy] [PATCH 1/3] Support NFS mounts for portage related locations In-Reply-To: <20110721090746.GA22505@siphos.be> References: <20110721090746.GA22505@siphos.be> Message-ID: <20110721090909.GB22505@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com When users want to use NFS mounted portage tree, distfiles, packages and other locations, they need to use the proper context= mount option. However, in the majority of cases, the users use a single NFS mount. In such situation, context= cannot be used properly since it puts a label on the entire mount (whereas we would then need other labels depending on subdirectories). Introducing a boolean "portage_use_nfs" which, when set (default off), allows the necessary portage-related domains to manage files and directories with the nfs_t label. Signed-off-by: Sven Vermeulen --- policy/modules/admin/portage.if | 7 +++++++ policy/modules/admin/portage.te | 15 +++++++++++++++ 2 files changed, 22 insertions(+), 0 deletions(-) diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if index 0f27b1c..6eff375 100644 --- a/policy/modules/admin/portage.if +++ b/policy/modules/admin/portage.if @@ -188,6 +188,13 @@ interface(`portage_compile_domain',` # SELinux-enabled programs running in the sandbox seutil_libselinux_linked($1) + tunable_policy(`portage_use_nfs',` + fs_getattr_nfs($1) + fs_manage_nfs_dirs($1) + fs_manage_nfs_files($1) + fs_manage_nfs_symlinks($1) + ') + ifdef(`TODO',` # some gui ebuilds want to interact with X server, like xawtv optional_policy(` diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te index d2ff138..492d742 100644 --- a/policy/modules/admin/portage.te +++ b/policy/modules/admin/portage.te @@ -5,6 +5,14 @@ policy_module(portage, 1.10.2) # Declarations # +## +##

+## Allow the portage domains to use NFS mounts (regular nfs_t) +##

+## +gen_tunable(portage_use_nfs, false) + + type gcc_config_t; type gcc_config_exec_t; application_domain(gcc_config_t, gcc_config_exec_t) @@ -258,6 +266,13 @@ sysnet_dns_name_resolve(portage_fetch_t) userdom_use_user_terminals(portage_fetch_t) userdom_dontaudit_read_user_home_content_files(portage_fetch_t) +tunable_policy(`portage_use_nfs',` + fs_getattr_nfs(portage_fetch_t) + fs_manage_nfs_dirs(portage_fetch_t) + fs_manage_nfs_files(portage_fetch_t) + fs_manage_nfs_symlinks(portage_fetch_t) +') + ifdef(`hide_broken_symptoms',` dontaudit portage_fetch_t portage_cache_t:file read; ') -- 1.7.3.4