From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Sat, 13 Aug 2011 20:24:07 +0200 Subject: [refpolicy] [PATCH 3/4] Allow emerge-webrsync to copy extracted files to the tree In-Reply-To: <20110813182048.GA12571@siphos.be> References: <20110813182048.GA12571@siphos.be> Message-ID: <20110813182407.GD12571@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The emerge-webrsync application, part of Portage, is responsible for fetching a tree snapshot, having it extracted in a temporary location (portage_tmp_t) and then copied over to the main portage tree. However, its domain (portage_fetch_t) has no read rights on the temporary location. To allow this, we need to define an interface (portage_read_tmp_files) since we need to allow this both to portage_fetch_t (the emerge-webrsync application) as well as gpg (to verify the GnuPG signature of the downloaded snapshot). Also, portage_read_tmp_files doesn't use read_files_pattern since the read-permission on the dir class is needed too. Signed-off-by: Sven Vermeulen --- policy/modules/admin/portage.if | 19 +++++++++++++++++++ policy/modules/admin/portage.te | 3 +++ policy/modules/apps/gpg.te | 4 ++++ 3 files changed, 26 insertions(+), 0 deletions(-) diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if index faf2eba..86948c7 100644 --- a/policy/modules/admin/portage.if +++ b/policy/modules/admin/portage.if @@ -250,6 +250,25 @@ interface(`portage_run_gcc_config',` ######################################## ## +## Allow a domain to read portage_tmp_t files +## +## +## +## Domain to allow search privileges +## +## +# +interface(`portage_read_tmp_files',` + gen_require(` + type portage_tmp_t; + ') + + allow $1 portage_tmp_t:dir list_dir_perms; + allow $1 portage_tmp_t:file read_file_perms; +') + +######################################## +## ## Do not audit attempts to search the ## portage temporary directories. ## 
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te index 4a6e53e..050202f 100644 --- a/policy/modules/admin/portage.te +++ b/policy/modules/admin/portage.te @@ -322,6 +322,9 @@ sysnet_dns_name_resolve(portage_fetch_t) userdom_use_user_terminals(portage_fetch_t) userdom_dontaudit_read_user_home_content_files(portage_fetch_t) + +portage_read_tmp_files(portage_fetch_t) + ifdef(`hide_broken_symptoms',` dontaudit portage_fetch_t portage_cache_t:file read; ') diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te index 9050e8c..469dc93 100644 --- a/policy/modules/apps/gpg.te +++ b/policy/modules/apps/gpg.te @@ -147,6 +147,10 @@ optional_policy(` ') optional_policy(` + portage_read_tmp_files(gpg_t) +') + +optional_policy(` xserver_use_xdm_fds(gpg_t) xserver_rw_xdm_pipes(gpg_t) ') -- 1.7.3.4
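Review bot: in the policy/modules/admin/portage.if hunk, the parameter description "Domain to allow search privileges" does not match what portage_read_tmp_files grants, which is list_dir_perms on portage_tmp_t:dir and read_file_perms on portage_tmp_t:file. Suggest wording the parameter as the domain allowed access, and having the summary mention directory listing as well as file reads, so that a caller such as gpg_t can see from the documentation that it receives both.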
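Review bot: in the policy/modules/admin/portage.te hunk, portage_read_tmp_files(portage_fetch_t) sits among the calls into other modules (sysnet_dns_name_resolve, userdom_use_user_terminals), although the type it touches is portage's own. Consider writing this access as local rules grouped with the other portage_fetch_t rules on portage types, i.e. "allow portage_fetch_t portage_tmp_t:dir list_dir_perms;" and "allow portage_fetch_t portage_tmp_t:file read_file_perms;", and keeping the interface for callers outside the module.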
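Review bot: in the policy/modules/apps/gpg.te hunk, the new optional_policy block gives gpg_t list and read access to portage_tmp_t with no comment saying why, and the grant applies to every process running in gpg_t, not only a gpg started by emerge-webrsync. Please add a comment inside the block naming the use case from the commit message (verifying the GnuPG signature of the downloaded snapshot), and state in the commit message whether this wider read access for gpg_t is intended.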