From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 16 Aug 2011 13:53:39 -0400
Subject: [refpolicy] [PATCH 2/4] Support emerge-webrsync through portage domain
In-Reply-To: <20110813182311.GC12571@siphos.be>
References: <20110813182048.GA12571@siphos.be> <20110813182311.GC12571@siphos.be>
Message-ID: <4E4AAEA3.2010501@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 8/13/2011 2:23 PM, Sven Vermeulen wrote:
> The emerge-webrsync application fetches snapshots (archives), extracts them and
> then synchronizes the local tree with the snapshot. It uses portage code (and
> libraries) to do so, but is implemented as a wrapper as it also offers the
> possibility of verifying the GPG signature of the snapshot first.
>
> By putting emerge-webrsync in portage's domain, it is handled through the
> regular portage_run() and portage_domtrans() methods. It is also necessary to
> put it in this domain for unattended/automated calls, such as through cron and
> puppet.

It seems like we would want this to run in portage_fetch_t instead.

> Signed-off-by: Sven Vermeulen
> ---
>  policy/modules/admin/portage.fc | 2 ++
>  policy/modules/admin/portage.te | 4 ++++
>  2 files changed, 6 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
> index 38cc918..b1bb073 100644
> --- a/policy/modules/admin/portage.fc
> +++ b/policy/modules/admin/portage.fc
> @@ -8,6 +8,7 @@ > > /usr/lib(64)?/portage/bin/ebuild -- gen_context(system_u:object_r:portage_exec_t,s0) > /usr/lib(64)?/portage/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0) > +/usr/lib(64)?/portage/bin/emerge-webrsync -- gen_context(system_u:object_r:portage_exec_t,s0) > /usr/lib(64)?/portage/bin/quickpkg -- gen_context(system_u:object_r:portage_exec_t,s0) > /usr/lib(64)?/portage/bin/ebuild\.sh -- gen_context(system_u:object_r:portage_exec_t,s0) > /usr/lib(64)?/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0) > @@ -22,5 +23,6 @@ > /var/log/portage(/.*)? gen_context(system_u:object_r:portage_log_t,s0) > /var/lib/layman(/.*)? gen_context(system_u:object_r:layman_var_lib_t,s0) > /var/lib/portage(/.*)? gen_context(system_u:object_r:portage_cache_t,s0) > +/var/tmp/emerge-webrsync(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0) > /var/tmp/portage(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0) > /var/tmp/portage-pkg(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0) > diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te > index 29130da..4a6e53e 100644 > --- a/policy/modules/admin/portage.te > +++ b/policy/modules/admin/portage.te > @@ -239,6 +239,10 @@ optional_policy(` > ') > > optional_policy(` > + gpg_domtrans(portage_t) > +') > + > +optional_policy(` > modutils_domtrans_depmod(portage_t) > modutils_domtrans_update_mods(portage_t) > #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms; -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
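Review bot: labelling emerge-webrsync as portage_exec_t in the first portage.fc hunk puts a fetch, verify and extract wrapper into the full portage_t domain, which is broader than the job the commit message describes; if the suggestion to run it in portage_fetch_t is taken, this line should carry that domain's entry point type instead, and the domain chosen still has to be one that the portage_run()/portage_domtrans() callers mentioned in the commit message (cron, puppet) can reach.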
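Review bot: the new /var/tmp/emerge-webrsync(/.*)? entry in the second portage.fc hunk gives the snapshot and signature download area the portage_tmp_t type, but nothing in this patch lets the gpg domain entered via gpg_domtrans(portage_t) read portage_tmp_t files, so either confirm an existing rule already covers that or signature verification may be denied the first time it is actually exercised; the label also has to follow whichever domain is finally chosen for the script, since a fetch-only domain would expect its own tmp type. A quick check after loading the policy is to run a sync with snapshot verification enabled and look for denials involving portage_tmp_t in the audit log.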
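Review bot: gpg_domtrans(portage_t) in the portage.te hunk grants the transition into the gpg domain to all of portage_t, not only to the emerge-webrsync path, so every program labelled portage_exec_t in portage.fc (ebuild, emerge, quickpkg, regenworld and the rest) gains the ability to run gpg in its own domain; that is another reason to confine the wrapper to a narrower domain and attach the gpg_domtrans() call to that domain rather than to portage_t. Placing the new optional_policy block ahead of the modutils block keeps the alphabetical ordering, which is fine.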