From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Tue, 23 Aug 2011 15:43:45 +0200
Subject: [refpolicy] [PATCH 07/11] Introduce portage_fetch_t as an application domain
In-Reply-To: <20110823133643.GA857@siphos.be>
References: <20110823133643.GA857@siphos.be>
Message-ID: <20110823134345.GH857@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Enhance portage_fetch_t from an application type to a domain. Introduce the proper portage_fetch_exec_t and add the necessary privileges to the domain definition to allow portage_fetch_t to be used by Portage management utilities like layman and emerge-webrsync.

Signed-off-by: Sven Vermeulen
---
 policy/modules/admin/portage.fc | 5 +++++
 policy/modules/admin/portage.te | 20 ++++++++++++++++++--
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index 13dc979..41ce431 100644
--- a/policy/modules/admin/portage.fc
+++ b/policy/modules/admin/portage.fc
@@ -3,12 +3,14 @@
 /etc/portage(/.*)? gen_context(system_u:object_r:portage_conf_t,s0)
 /usr/bin/gcc-config -- gen_context(system_u:object_r:gcc_config_exec_t,s0)
+/usr/bin/layman -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
 /usr/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
 /usr/lib(64)?/portage/bin/ebuild -- gen_context(system_u:object_r:portage_exec_t,s0)
 /usr/lib(64)?/portage/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0)
 /usr/lib(64)?/portage/bin/quickpkg -- gen_context(system_u:object_r:portage_exec_t,s0)
 /usr/lib(64)?/portage/bin/ebuild\.sh -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib(64)?/portage/bin/emerge-webrsync -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
 /usr/lib(64)?/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0)
 /usr/lib(64)?/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
@@ -22,6 +24,9 @@
 /var/log/emerge\.log.* -- gen_context(system_u:object_r:portage_log_t,s0)
 /var/log/emerge-fetch.log -- gen_context(system_u:object_r:portage_log_t,s0)
 /var/log/portage(/.*)? gen_context(system_u:object_r:portage_log_t,s0)
+/var/lib/layman(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
 /var/lib/portage(/.*)? gen_context(system_u:object_r:portage_cache_t,s0)
+/var/tmp/binpkgs(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
+/var/tmp/emerge-webrsync(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
 /var/tmp/portage(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
 /var/tmp/portage-pkg(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 2794531..beeeb81 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -34,7 +34,8 @@ corecmd_shell_entry_type(portage_sandbox_t)
 # portage package fetching domain
 type portage_fetch_t;
-application_type(portage_fetch_t)
+type portage_fetch_exec_t;
+application_domain(portage_fetch_t, portage_fetch_exec_t)
 corecmd_shell_entry_type(portage_fetch_t)
 rsync_entry_type(portage_fetch_t)
@@ -219,8 +220,10 @@ allow portage_fetch_t self:capability { dac_override fowner fsetid };
 allow portage_fetch_t self:process signal;
 allow portage_fetch_t self:unix_stream_socket create_socket_perms;
 allow portage_fetch_t self:tcp_socket create_stream_socket_perms;
+allow portage_fetch_t self:fifo_file rw_fifo_file_perms;
 allow portage_fetch_t portage_conf_t:dir list_dir_perms;
+
 read_files_pattern(portage_fetch_t, portage_conf_t, portage_conf_t)
 manage_dirs_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t)
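Review bot: `/var/tmp/binpkgs(/.*)?` is the one new path that neither the commit message nor the two named utilities (layman, emerge-webrsync) accounts for, so a reader cannot tell which program creates it or why portage_tmp_t rather than a dedicated type is the right label; a one-line fc comment above the entry naming the creator, e.g. `# TODO(review): which utility populates this directory?`, would settle that. Labelling `/var/lib/layman(/.*)?` as portage_ebuild_t gives overlay checkouts the same type as the main tree, which lines up with the existing manage_dirs_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t) in the portage.te -219 hunk, but it also means the domain that syncs third-party overlays holds manage rights over the main tree's type; stating that single-type design as deliberate in the description would help later reviewers.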
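Review bot: `application_domain(portage_fetch_t, portage_fetch_exec_t)` makes portage_fetch_exec_t an entry point, but nothing in the two changed files adds a domain transition into portage_fetch_t, so on its own this patch leaves layman and emerge-webrsync running in the caller's domain; presumably a later patch in the 11-patch series adds the domtrans/run interfaces, and the description should say so. A comment on the declarations recording which executables enter the domain would also help, e.g. `# entered via layman and emerge-webrsync (portage_fetch_exec_t), see portage.fc`. The fetch domain's remaining declarations continue below the hunk.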
@@ -240,9 +243,14 @@ kernel_read_system_state(portage_fetch_t)
 kernel_read_kernel_sysctls(portage_fetch_t)
 corecmd_exec_bin(portage_fetch_t)
+corecmd_exec_shell(portage_fetch_t)
 corenet_all_recvfrom_unlabeled(portage_fetch_t)
 corenet_all_recvfrom_netlabel(portage_fetch_t)
+corenet_sendrecv_http_client_packets(portage_fetch_t)
+corenet_sendrecv_http_cache_client_packets(portage_fetch_t)
+corenet_sendrecv_git_client_packets(portage_fetch_t)
+corenet_sendrecv_rsync_client_packets(portage_fetch_t)
 corenet_tcp_sendrecv_generic_if(portage_fetch_t)
 corenet_tcp_sendrecv_generic_node(portage_fetch_t)
 corenet_tcp_sendrecv_all_ports(portage_fetch_t)
@@ -251,6 +259,7 @@ corenet_tcp_sendrecv_all_ports(portage_fetch_t)
 corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
 corenet_tcp_connect_generic_port(portage_fetch_t)
 corenet_tcp_connect_http_cache_port(portage_fetch_t)
+corenet_tcp_connect_git_port(portage_fetch_t)
 dev_dontaudit_read_rand(portage_fetch_t)
@@ -258,11 +267,15 @@ domain_use_interactive_fds(portage_fetch_t)
 files_read_etc_files(portage_fetch_t)
 files_read_etc_runtime_files(portage_fetch_t)
-files_search_var(portage_fetch_t)
+files_read_usr_files(portage_fetch_t)
+files_search_var_lib(portage_fetch_t)
 files_dontaudit_search_pids(portage_fetch_t)
+logging_list_logs(portage_fetch_t)
+
 term_search_ptys(portage_fetch_t)
+
 miscfiles_read_localization(portage_fetch_t)
 sysnet_read_config(portage_fetch_t)
@@ -271,6 +284,9 @@ sysnet_dns_name_resolve(portage_fetch_t)
 userdom_use_user_terminals(portage_fetch_t)
 userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
+
+rsync_exec(portage_fetch_t)
+
 ifdef(`hide_broken_symptoms',`
 dontaudit portage_fetch_t portage_cache_t:file read;
 ')
-- 
1.7.3.4
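Review bot: The four new corenet_sendrecv_*_client_packets rules only take effect when SECMARK packet labelling is in use; the domain still carries corenet_tcp_sendrecv_all_ports here and corenet_tcp_connect_all_reserved_ports in the -251 hunk, so they do not narrow which ports portage_fetch_t can reach, and a reader may mistake them for a tightening. A comment above them would prevent that, e.g. `# SECMARK packet types for the sync protocols (http, http cache, git, rsync); port access is still granted broadly by the *_all_* rules`. The one line that actually widens reach is corenet_tcp_connect_git_port in the -251 hunk, since the git port lies outside the reserved range; with the protocols now enumerated, replacing the *_all_* rules with the matching per-port connect interfaces would be a reasonable follow-up, provided mirrors on non-standard ports are not a supported configuration.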
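Review bot: Replacing `files_search_var(portage_fetch_t)` with `files_search_var_lib(portage_fetch_t)` is only safe if the latter (or `logging_list_logs`) also grants search on var_t, because the domain still has to reach the /var/tmp and /var/log paths that portage.fc labels portage_tmp_t and portage_log_t; that is presumably how those interfaces are defined in the files and logging modules, but it should be confirmed rather than assumed, since a missing var_t search would only surface as a denial at sync time. `files_read_usr_files(portage_fetch_t)` is a broad grant for a fetch helper; if it exists only so the two scripts can load their interpreter and libraries, record that in a comment, e.g. `# layman / emerge-webrsync runtime under /usr (confirm this is the only reason)`.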
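Review bot: `rsync_exec(portage_fetch_t)` runs rsync inside portage_fetch_t with no transition, which is consistent with the existing rsync_entry_type(portage_fetch_t) in the -34 hunk but is otherwise unexplained; a comment such as `# rsync runs within the fetch domain itself, no transition to the rsync daemon domain` above it would record the intent. Both rsync_* calls are unconditional, whereas refpolicy normally wraps interfaces of another module in `optional_policy(`...')`; if the rsync module is a hard dependency of portage that is fine, otherwise both should move into one optional_policy block, which would also touch the -34 hunk's context. The rest of the file after the ifdef block is outside this hunk.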