From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 29 Jul 2011 08:49:00 -0400
Subject: [refpolicy] [PATCH 1/2] Support layman through its own domain
In-Reply-To: <20110724104300.GB6581@siphos.be>
References: <20110724104149.GA6581@siphos.be> <20110724104300.GB6581@siphos.be>
Message-ID: <4E32AC3C.6050708@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 07/24/11 06:43, Sven Vermeulen wrote:
> The layman utility is used by Gentoo to manage additional overlays. The
> application manages files in /var/lib/layman (which are the various overlays)
> and is able to update them using utilities like rsync, svn, git, ...
>
> Previously, layman was just ran within the domain of the caller (which was
> usually sysadm_t). However, when using automated methods like updating the
> trees through cron or puppet, this fails since these domains do not hold the
> necessary privileges. By putting the necessary privileges in a separate domain,
> we can assign this domain to the appropriate roles.
>
> Since layman and portage (emerge) are very closely related, we manage the
> necessary domtrans rules through the portage_domtrans() method. There is
> hardly any point to make this a separate interface.
>
> Signed-off-by: Sven Vermeulen
> ---
> policy/modules/admin/portage.fc | 2 +
> policy/modules/admin/portage.if | 6 +++-
> policy/modules/admin/portage.te | 61 +++++++++++++++++++++++++++++++++++++++
> 3 files changed, 68 insertions(+), 1 deletions(-)
>
> diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
> index db46387..38cc918 100644
> --- a/policy/modules/admin/portage.fc
> +++ b/policy/modules/admin/portage.fc
> @@ -3,6 +3,7 @@
> /etc/portage(/.*)? gen_context(system_u:object_r:portage_conf_t,s0)
>
> /usr/bin/gcc-config -- gen_context(system_u:object_r:gcc_config_exec_t,s0)
> +/usr/bin/layman -- gen_context(system_u:object_r:layman_exec_t,s0)
> /usr/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
>
> /usr/lib(64)?/portage/bin/ebuild -- gen_context(system_u:object_r:portage_exec_t,s0)
> @@ -19,6 +20,7 @@
> /var/log/emerge\.log.* -- gen_context(system_u:object_r:portage_log_t,s0)
> /var/log/emerge-fetch.log -- gen_context(system_u:object_r:portage_log_t,s0)
> /var/log/portage(/.*)? gen_context(system_u:object_r:portage_log_t,s0)
> +/var/lib/layman(/.*)? gen_context(system_u:object_r:layman_var_lib_t,s0)
> /var/lib/portage(/.*)? gen_context(system_u:object_r:portage_cache_t,s0)
> /var/tmp/portage(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
> /var/tmp/portage-pkg(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
> diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
> index 0f27b1c..faf2eba 100644
> --- a/policy/modules/admin/portage.if
> +++ b/policy/modules/admin/portage.if
> @@ -16,6 +16,7 @@
> interface(`portage_domtrans',`
> gen_require(`
> type portage_t, portage_exec_t;
> + type layman_t, layman_exec_t;
> ')
>
> files_search_usr($1)
> @@ -23,6 +24,8 @@ interface(`portage_domtrans',`
>
> # transition to portage
> domtrans_pattern($1, portage_exec_t, portage_t)
> + # transition to layman
> + domtrans_pattern($1, layman_exec_t, layman_t)
> ')
>
> ########################################
> @@ -45,10 +48,11 @@ interface(`portage_domtrans',`
> interface(`portage_run',`
> gen_require(`
> type portage_t, portage_fetch_t, portage_sandbox_t;
> + type layman_t;
> ')
>
> portage_domtrans($1)
> - role $2 types { portage_t portage_fetch_t portage_sandbox_t };
> + role $2 types { portage_t portage_fetch_t portage_sandbox_t layman_t };
> ')
>
> ########################################
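Review bot: In the portage.if hunks, `portage_domtrans` (and through it `portage_run`) now transitions callers into layman_t as well as portage_t, but the interface's `## <summary>`/`## <desc>` comment block lies above the first hunk and, as far as can be seen here, still documents only the portage transition; it should state that both executables are covered, e.g. a summary of `## Execute portage or layman in their own domains.` and a desc line noting that the role is also granted layman_t. With the combined interface, the cron/puppet callers named in the description must also be granted the portage_t transition to get layman; if that grant is broader than those callers need, a dedicated layman transition interface would keep it narrower, at the cost of the extra interface the description argues against. Both interface bodies start before their hunks.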
> diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
> index d2ff138..7d7242d 100644
> --- a/policy/modules/admin/portage.te
> +++ b/policy/modules/admin/portage.te
> @@ -9,6 +9,16 @@ type gcc_config_t;
> type gcc_config_exec_t;
> application_domain(gcc_config_t, gcc_config_exec_t)
>
> +type layman_t;
> +type layman_exec_t;
> +application_domain(layman_t, layman_exec_t)
> +
> +type layman_var_lib_t;
> +files_type(layman_var_lib_t)
> +
> +type layman_tmp_t;
> +files_tmp_file(layman_tmp_t)

These last two are out of order.

> # constraining type
> type portage_t;
> type portage_exec_t;
> @@ -115,6 +125,57 @@ optional_policy(`
>
> ########################################
> #
> +# Layman local policy
> +#
> +allow layman_t self:process signal;
> +allow layman_t self:fifo_file rw_fifo_file_perms;
> +
> +# Manage layman var/lib files
> +manage_files_pattern(layman_t, layman_var_lib_t, layman_var_lib_t)
> +manage_dirs_pattern(layman_t, layman_var_lib_t, layman_var_lib_t)
> +manage_lnk_files_pattern(layman_t, layman_var_lib_t, layman_var_lib_t)
> +
> +# Manage layman tmp files (needed in case of subversion)
> +manage_dirs_pattern(layman_t, layman_tmp_t, layman_tmp_t)
> +manage_files_pattern(layman_t, layman_tmp_t, layman_tmp_t)
> +files_tmp_filetrans(layman_t, layman_tmp_t, { file dir })
> +
> +## Kernel layer calls
> +#
> +kernel_dontaudit_read_system_state(layman_t)
> +kernel_dontaudit_request_load_module(layman_t)
> +
> +corecmd_exec_bin(layman_t)
> +corecmd_exec_shell(layman_t)
> +
> +corenet_tcp_connect_generic_port(layman_t)
> +corenet_tcp_connect_git_port(layman_t)
> +corenet_tcp_connect_http_port(layman_t)
> +corenet_tcp_connect_rsync_port(layman_t)
> +

Needs sendrecv on http, rsync, and git client packets

> +domain_use_interactive_fds(layman_t)
> +
> +files_read_etc_files(layman_t)
> +files_read_etc_runtime_files(layman_t)
> +files_read_usr_files(layman_t)
> +files_search_var_lib(layman_t)
> +
> +## System layer calls
> +#
> +logging_list_logs(layman_t)
> +miscfiles_read_localization(layman_t)
> +sysnet_dns_name_resolve(layman_t)
> +userdom_dontaudit_list_user_home_dirs(layman_t)
> +userdom_use_user_terminals(layman_t)
> +
> +## Other calls
> +#
> +rsync_exec(layman_t)
> +
> +
> +

Needs some whitespace and extra comments cleanup.

> +########################################
> +#
> # Portage Merging Rules
> #
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
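Review bot: `rsync_exec(layman_t)` under the `## Other calls` heading is an unconditional call into the rsync module; refpolicy keeps such cross-module calls inside an ``optional_policy(` … ')`` block so that portage still builds when rsync is not present, and the hunk header shows the surrounding file already uses that construct. The three lines would become ``optional_policy(` ``, `rsync_exec(layman_t)` (tab-indented), `')`. Separately, `corenet_tcp_connect_generic_port(layman_t)` permits connections to any generic port, which is broader than the http, git and rsync ports granted on the lines that follow; if overlays are expected only on those services, dropping the generic grant, or gating it behind a tunable, keeps the layman_t domain closer to least privilege — hedged, since overlay hosts on non-standard ports may be a supported case. The local-policy section continues in later hunks not shown here.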