From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sat, 3 Sep 2011 16:21:48 +0200
Subject: [refpolicy] [PATCHv2 5/8] Introduce portage_fetch_t as an application domain
In-Reply-To: <20110903141833.GA25374@siphos.be>
References: <20110903141833.GA25374@siphos.be>
Message-ID: <20110903142147.GF25374@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Enhance portage_fetch_t from an application type to a domain. Introduce the proper portage_fetch_exec_t and add the necessary privileges to the domain definition to allow portage_fetch_t to be used by Portage management utilities like layman and emerge-webrsync.

We enhance portage_domtrans() to include portage_fetch_t support. Providing a different interface (portage_fetch_domtrans) is possible too, but since every application and role that needs to deal with portage needs to deal with the fetching as well, and vice versa, we keep this in portage_domtrans.

Signed-off-by: Sven Vermeulen
---
 policy/modules/admin/portage.fc | 5 +++++
 policy/modules/admin/portage.if | 2 ++
 policy/modules/admin/portage.te | 32 +++++++++++++++++++++++---------
 3 files changed, 30 insertions(+), 9 deletions(-)

diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index 13dc979..d5ea7b5 100644
--- a/policy/modules/admin/portage.fc
+++ b/policy/modules/admin/portage.fc
@@ -3,10 +3,12 @@
 /etc/portage(/.*)? gen_context(system_u:object_r:portage_conf_t,s0)
 /usr/bin/gcc-config -- gen_context(system_u:object_r:gcc_config_exec_t,s0)
+/usr/bin/layman -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
 /usr/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
 /usr/lib(64)?/portage/bin/ebuild -- gen_context(system_u:object_r:portage_exec_t,s0)
 /usr/lib(64)?/portage/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib(64)?/portage/bin/emerge-webrsync -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
 /usr/lib(64)?/portage/bin/quickpkg -- gen_context(system_u:object_r:portage_exec_t,s0)
 /usr/lib(64)?/portage/bin/ebuild\.sh -- gen_context(system_u:object_r:portage_exec_t,s0)
 /usr/lib(64)?/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0)
@@ -22,6 +24,9 @@
 /var/log/emerge\.log.* -- gen_context(system_u:object_r:portage_log_t,s0)
 /var/log/emerge-fetch.log -- gen_context(system_u:object_r:portage_log_t,s0)
 /var/log/portage(/.*)? gen_context(system_u:object_r:portage_log_t,s0)
+/var/lib/layman(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
 /var/lib/portage(/.*)? gen_context(system_u:object_r:portage_cache_t,s0)
+/var/tmp/binpkgs(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
+/var/tmp/emerge-webrsync(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
 /var/tmp/portage(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
 /var/tmp/portage-pkg(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index 3dd9f65..9f7d652 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -16,6 +16,7 @@ interface(`portage_domtrans',`
 gen_require(`
 type portage_t, portage_exec_t;
+ type portage_fetch_t, portage_fetch_exec_t;
 ')
 files_search_usr($1)
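Review bot: Labeling `/var/tmp/emerge-webrsync(/.*)?` and `/var/tmp/binpkgs(/.*)?` as portage_tmp_t, the same type as the `/var/tmp/portage(/.*)?` build tree on the following context line, means every permission portage_fetch_t is given on portage_tmp_t in the .te part of this patch also reaches the build tree. The fetch domain already has its own portage_fetch_tmp_t (the .te hunks keep manage_dirs_pattern/manage_files_pattern on it), so a least-privilege labeling would be `/var/tmp/emerge-webrsync(/.*)? gen_context(system_u:object_r:portage_fetch_tmp_t,s0)`, unless portage_t must also read the webrsync download directory, in which case a comment should say so. The new `/var/lib/layman(/.*)?` entry makes the overlay tree portage_ebuild_t; if layman also writes its own state files under that directory, portage_fetch_t needs write access to portage_ebuild_t, and no hunk in this patch grants it (it may already exist earlier in portage.te, outside the hunks, which is worth confirming).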
@@ -23,6 +24,7 @@ interface(`portage_domtrans',`
 # transition to portage
 domtrans_pattern($1, portage_exec_t, portage_t)
+ domtrans_pattern($1, portage_fetch_exec_t, portage_fetch_t)
 ')
 ########################################
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index fb51d36..c309d84 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -34,7 +34,8 @@ corecmd_shell_entry_type(portage_sandbox_t)
 # portage package fetching domain
 type portage_fetch_t;
-application_type(portage_fetch_t)
+type portage_fetch_exec_t;
+application_domain(portage_fetch_t, portage_fetch_exec_t)
 corecmd_shell_entry_type(portage_fetch_t)
 rsync_entry_type(portage_fetch_t)
@@ -218,10 +219,15 @@ dontaudit portage_t device_type:blk_file read_blk_file_perms;
 # - for rsync and distfile fetching
 #
-allow portage_fetch_t self:capability { dac_override fowner fsetid };
 allow portage_fetch_t self:process signal;
-allow portage_fetch_t self:unix_stream_socket create_socket_perms;
+allow portage_fetch_t self:capability { dac_override fowner fsetid chown };
+allow portage_fetch_t self:fifo_file rw_fifo_file_perms;
 allow portage_fetch_t self:tcp_socket create_stream_socket_perms;
+allow portage_fetch_t self:unix_stream_socket create_socket_perms;
+
+allow portage_fetch_t portage_tmp_t:dir manage_dir_perms;
+allow portage_fetch_t portage_tmp_t:file manage_file_perms;
+allow portage_fetch_t portage_conf_t:dir list_dir_perms;
 allow portage_fetch_t portage_conf_t:dir list_dir_perms;
 read_files_pattern(portage_fetch_t, portage_conf_t, portage_conf_t)
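Review bot: The description block of portage_domtrans, which sits above line 16 and outside this hunk, presumably still documents a transition into portage_t only, while the added `domtrans_pattern($1, portage_fetch_exec_t, portage_fetch_t)` now gives every caller a second transition. The interface summary should state this, for example `## Execute portage and its fetching tools (layman, emerge-webrsync) in the portage and portage_fetch domains.`, so that roles calling portage_domtrans know they also grant portage_fetch_t. The existing `# transition to portage` comment no longer covers the second line; a comment such as `# fetch tools share the same callers and roles, so they are bundled here` would record the reasoning the commit message gives.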
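Review bot: The added `+allow portage_fetch_t portage_conf_t:dir list_dir_perms;` duplicates the identical context line immediately below it, so the file ends up with the rule twice; the added copy should be dropped. The new `chown` capability and the manage_dir_perms/manage_file_perms rules on portage_tmp_t replace rules whose why-comments (the .wgetrc and rsync timestamp notes removed in the following hunk) are gone, leaving the broadest new grants in this patch undocumented; a comment such as `# emerge-webrsync unpacks the snapshot under portage_tmp_t and changes its ownership`, if that is the reason, should precede them. For consistency with how this file already handles portage_fetch_tmp_t, the two direct allow rules are better written as `manage_dirs_pattern(portage_fetch_t, portage_tmp_t, portage_tmp_t)` and `manage_files_pattern(portage_fetch_t, portage_tmp_t, portage_tmp_t)`.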
@@ -233,19 +239,19 @@ manage_dirs_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t)
 manage_files_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t)
 files_tmp_filetrans(portage_fetch_t, portage_fetch_tmp_t, { file dir })
-# portage makes home dir the portage tmp dir, so
-# wget looks for .wgetrc there
-dontaudit portage_fetch_t portage_tmp_t:dir search_dir_perms;
-# rsync server timestamp check
-allow portage_fetch_t portage_tmp_t:file { read_file_perms delete_file_perms };
 kernel_read_system_state(portage_fetch_t)
 kernel_read_kernel_sysctls(portage_fetch_t)
 corecmd_exec_bin(portage_fetch_t)
+corecmd_exec_shell(portage_fetch_t)
 corenet_all_recvfrom_unlabeled(portage_fetch_t)
 corenet_all_recvfrom_netlabel(portage_fetch_t)
+corenet_sendrecv_http_client_packets(portage_fetch_t)
+corenet_sendrecv_http_cache_client_packets(portage_fetch_t)
+corenet_sendrecv_git_client_packets(portage_fetch_t)
+corenet_sendrecv_rsync_client_packets(portage_fetch_t)
 corenet_tcp_sendrecv_generic_if(portage_fetch_t)
 corenet_tcp_sendrecv_generic_node(portage_fetch_t)
 corenet_tcp_sendrecv_all_ports(portage_fetch_t)
@@ -254,6 +260,8 @@ corenet_tcp_sendrecv_all_ports(portage_fetch_t)
 corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
 corenet_tcp_connect_generic_port(portage_fetch_t)
 corenet_tcp_connect_http_cache_port(portage_fetch_t)
+corenet_tcp_connect_git_port(portage_fetch_t)
+corenet_tcp_connect_rsync_port(portage_fetch_t)
 dev_dontaudit_read_rand(portage_fetch_t)
@@ -261,9 +269,12 @@ domain_use_interactive_fds(portage_fetch_t)
 files_read_etc_files(portage_fetch_t)
 files_read_etc_runtime_files(portage_fetch_t)
-files_search_var(portage_fetch_t)
+files_read_usr_files(portage_fetch_t)
+files_search_var_lib(portage_fetch_t)
 files_dontaudit_search_pids(portage_fetch_t)
+logging_list_logs(portage_fetch_t)
+
 term_search_ptys(portage_fetch_t)
 miscfiles_read_localization(portage_fetch_t)
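Review bot: The git client rule added here, `corenet_sendrecv_git_client_packets(portage_fetch_t)`, has no stated purpose: the domain's section header in the previous hunk still reads `# - for rsync and distfile fetching`, and neither the commit message nor the hunk names a tool that speaks git. A why-comment on the line, e.g. `# layman can fetch overlays over git`, if that is the reason, plus an updated section header would let a reviewer judge whether the extra outbound protocol is needed. The removed comment documented that wget looks for .wgetrc in the portage tmp dir, which was only dontaudited before; with the manage rules on portage_tmp_t added in the previous hunk that lookup would now succeed, so if that $HOME behaviour still holds, a .wgetrc placed in the build tree would be honored by the fetcher, and whether that is intended deserves a comment in place of the deleted one.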
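Review bot: The added `corenet_tcp_connect_rsync_port(portage_fetch_t)` is probably already covered by the `corenet_tcp_connect_all_reserved_ports(portage_fetch_t)` context line two lines above, since rsync's 873/tcp is below 1024 and refpolicy's corenetwork treats such ports as reserved; `corenet_tcp_connect_git_port` (9418/tcp) is not covered that way and does add a new grant. If the explicit rsync rule is kept for readability, a comment such as `# explicit for clarity; also covered by all_reserved_ports` would stop the next reader from assuming it grants something extra.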
@@ -274,6 +285,9 @@ sysnet_dns_name_resolve(portage_fetch_t)
 userdom_use_user_terminals(portage_fetch_t)
 userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
+
+rsync_exec(portage_fetch_t)
+
 ifdef(`hide_broken_symptoms',`
 dontaudit portage_fetch_t portage_cache_t:file read;
 ')
-- 
1.7.3.4