From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Thu, 22 Nov 2012 20:21:52 +0100 Subject: [refpolicy] [PATCH 1/7] Moving sandbox code to sandbox section In-Reply-To: <1353612118-9745-1-git-send-email-sven.vermeulen@siphos.be> References: <1353612118-9745-1-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1353612118-9745-2-git-send-email-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Some portage_sandbox_t code is sitting in the main portage_t section. Moving this to its own sandbox location. Signed-off-by: Sven Vermeulen --- portage.te | 11 ++++++----- 1 files changed, 6 insertions(+), 5 deletions(-) diff --git a/portage.te b/portage.te index 7d2fc08..074828c 100644 --- a/portage.te +++ b/portage.te @@ -176,11 +176,6 @@ dontaudit portage_fetch_t portage_devpts_t:chr_file { read write }; # transition to sandbox for compiling domain_trans(portage_t, portage_exec_t, portage_sandbox_t) corecmd_shell_spec_domtrans(portage_t, portage_sandbox_t) -allow portage_sandbox_t portage_t:fd use; -allow portage_sandbox_t portage_t:fifo_file rw_fifo_file_perms; -allow portage_sandbox_t portage_t:process sigchld; -allow portage_sandbox_t self:process ptrace; -dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms; # run scripts out of the build directory can_exec(portage_t, portage_tmp_t) @@ -338,6 +333,12 @@ optional_policy(` # - SELinux-enforced sandbox # +allow portage_sandbox_t portage_t:fd use; +allow portage_sandbox_t portage_t:fifo_file rw_fifo_file_perms; +allow portage_sandbox_t portage_t:process sigchld; +allow portage_sandbox_t self:process ptrace; +dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms; + portage_compile_domain(portage_sandbox_t) auth_use_nsswitch(portage_sandbox_t) -- 1.7.8.6