From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Sat, 3 Sep 2011 16:22:57 +0200 Subject: [refpolicy] [PATCH 7/8] Allow portage to call gpg In-Reply-To: <20110903141833.GA25374@siphos.be> References: <20110903141833.GA25374@siphos.be> Message-ID: <20110903142257.GH25374@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com We allow portage to call gpg. However, this requires that the location where the trustdb is stored is marked as a read/write type. The default location used within Gentoo is /etc/portage/gpg, which would lead to portage_conf_t. However, this type should remain a read-only type. As such, we introduce a type called portage_gpg_t for this location and grant portage_fetch_t the necessary rights on this type. Signed-off-by: Sven Vermeulen
---
 policy/modules/admin/portage.fc | 1 +
 policy/modules/admin/portage.te | 10 +++++++++-
 2 files changed, 10 insertions(+), 1 deletions(-)
diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index d5ea7b5..af2d51f 100644
--- a/policy/modules/admin/portage.fc
+++ b/policy/modules/admin/portage.fc
@@ -1,6 +1,7 @@
 /etc/make\.conf -- gen_context(system_u:object_r:portage_conf_t,s0)
 /etc/make\.globals -- gen_context(system_u:object_r:portage_conf_t,s0)
 /etc/portage(/.*)? gen_context(system_u:object_r:portage_conf_t,s0)
+/etc/portage/gpg(/.*)? gen_context(system_u:object_r:portage_gpg_t,s0)
 /usr/bin/gcc-config -- gen_context(system_u:object_r:gcc_config_exec_t,s0)
 /usr/bin/layman -- gen_context(system_u:object_r:portage_fetch_exec_t,s0)
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index c309d84..429ffb0 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -57,6 +57,9 @@ files_type(portage_conf_t)
 type portage_cache_t;
 files_type(portage_cache_t)
+type portage_gpg_t;
+files_type(portage_gpg_t)
+
 type portage_log_t;
 logging_log_file(portage_log_t)
@@ -228,8 +231,9 @@ allow portage_fetch_t self:unix_stream_socket create_socket_perms;
 allow portage_fetch_t portage_tmp_t:dir manage_dir_perms;
 allow portage_fetch_t portage_tmp_t:file manage_file_perms;
 allow portage_fetch_t portage_conf_t:dir list_dir_perms;
+allow portage_fetch_t portage_gpg_t:dir rw_dir_perms;
+allow portage_fetch_t portage_gpg_t:file manage_file_perms;
-allow portage_fetch_t portage_conf_t:dir list_dir_perms;
 read_files_pattern(portage_fetch_t, portage_conf_t, portage_conf_t)
 manage_dirs_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t)
@@ -299,6 +303,10 @@ tunable_policy(`portage_use_nfs',`
 fs_manage_nfs_symlinks(portage_fetch_t)
 ')
+optional_policy(`
+ gpg_exec(portage_fetch_t)
+')
+
 ##########################################
 #
 # Portage sandbox domain
-- 
1.7.3.4
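Review bot: The two added `allow` rules let portage_fetch_t create, overwrite and unlink every file labelled portage_gpg_t, and per the commit message that directory holds the trustdb gpg consults when verifying what was fetched (presumably the keyring sits there too). The domain that handles downloaded data can therefore also change the trust material that data is checked against, and nothing in the policy records why. A comment above the rules would capture it, e.g. `# gpg rewrites trustdb.gpg and its lock files here; portage_conf_t itself stays read-only`, and it is worth confirming whether the keyring could keep a read-only type with only the trustdb writable. The pair should also be equivalent to `manage_files_pattern(portage_fetch_t, portage_gpg_t, portage_gpg_t)`, which would match the `read_files_pattern` call just below.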
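Review bot: `gpg_exec(portage_fetch_t)` in the new optional block, going by refpolicy's `_exec` naming convention, presumably runs gpg inside portage_fetch_t with no transition to a dedicated gpg domain, so the gpg process holds every permission of the fetch domain; the block does not say this is intended. A comment such as `# gpg runs in-domain (no transition) so it can use the portage_gpg_t store` would record the choice. The portage_gpg_t `allow` rules added in the previous hunk are unconditional, so the write access stays granted even when the gpg module is absent and this block is dropped; placing those two rules inside this same optional block would tie the access to its only user.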