From: dominick.grift@gmail.com (grift)
Date: Tue, 27 Nov 2012 13:53:04 +0100
Subject: [refpolicy] [PATCH 1/7] Moving sandbox code to sandbox section
In-Reply-To: <1353612118-9745-2-git-send-email-sven.vermeulen@siphos.be>
References: <1353612118-9745-1-git-send-email-sven.vermeulen@siphos.be> <1353612118-9745-2-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1354020784.1888.6.camel@localhost>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 2012-11-22 at 20:21 +0100, Sven Vermeulen wrote:
> Some portage_sandbox_t code is sitting in the main portage_t section. Moving > this to its own sandbox location. > > Signed-off-by: Sven Vermeulen > --- > portage.te | 11 ++++++----- > 1 files changed, 6 insertions(+), 5 deletions(-) > > diff --git a/portage.te b/portage.te > index 7d2fc08..074828c 100644 > --- a/portage.te > +++ b/portage.te > @@ -176,11 +176,6 @@ dontaudit portage_fetch_t portage_devpts_t:chr_file { read write }; > # transition to sandbox for compiling > domain_trans(portage_t, portage_exec_t, portage_sandbox_t) > corecmd_shell_spec_domtrans(portage_t, portage_sandbox_t) > -allow portage_sandbox_t portage_t:fd use; > -allow portage_sandbox_t portage_t:fifo_file rw_fifo_file_perms; > -allow portage_sandbox_t portage_t:process sigchld; > -allow portage_sandbox_t self:process ptrace; > -dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms; > > # run scripts out of the build directory > can_exec(portage_t, portage_tmp_t) 
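Review bot: the five rules removed in this hunk are re-added verbatim in the sandbox section by the second hunk, so on its own the hunk is a pure move; but three of them (fd use, fifo_file rw_fifo_file_perms and process sigchld on portage_t) exist only because of the `domain_trans(portage_t, portage_exec_t, portage_sandbox_t)` call left in the context above, and that interface is the lighter form that grants none of them. Replacing it with `spec_domtrans_pattern(portage_t, portage_exec_t, portage_sandbox_t)` (as the reply below suggests) makes those three lines redundant, so they could simply be dropped here rather than moved, leaving only the two self rules to relocate.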
> @@ -338,6 +333,12 @@ optional_policy(` > # - SELinux-enforced sandbox > # > > +allow portage_sandbox_t portage_t:fd use; > +allow portage_sandbox_t portage_t:fifo_file rw_fifo_file_perms; > +allow portage_sandbox_t portage_t:process sigchld; > +allow portage_sandbox_t self:process ptrace; > +dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms; > + > portage_compile_domain(portage_sandbox_t) > > auth_use_nsswitch(portage_sandbox_t)

I guess I could merge this, but this could be better. Instead of

domain_trans(portage_t, portage_exec_t, portage_sandbox_t)

you could use:

spec_domtrans_pattern(portage_t, portage_exec_t, portage_sandbox_t)

That allows you to remove:

+allow portage_sandbox_t portage_t:fd use;
+allow portage_sandbox_t portage_t:fifo_file rw_fifo_file_perms;
+allow portage_sandbox_t portage_t:process sigchld;

since that is included in spec_domtrans_pattern(). It also allows you to remove the explicit setexec, since that is also included in this pattern.

If you do that, then the ordering of rules is also cleaned up, since self rules should be on top.
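Review bot: the block inserted under the `# - SELinux-enforced sandbox` header keeps the original rule order, so `allow portage_sandbox_t self:process ptrace;` and the `self:netlink_route_socket` dontaudit end up after the rules on portage_t; refpolicy orders a section as self rules first, then rules on other local types, then interface calls such as `portage_compile_domain(portage_sandbox_t)`, so the two self rules should lead the block. The hunk header's six insertions (five rules plus the separating blank line) account for the five deletions in the first hunk, so nothing is lost in the move.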
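The two forms discussed in the reply, side by side, as an added illustration written for this thread; it is not code from the patch, from refpolicy, or from either author. It assumes the macro bodies in refpolicy's support/misc_patterns.spt of that era: spec_domtrans_pattern() is taken to grant the basic transition rules plus fd use, fifo_file rw_fifo_file_perms and process sigchld on the calling domain and self:process setexec, which is what the reply states, and the explicit setexec rule shown in the "before" form is an assumed `allow portage_t self:process setexec;`. The sandbox section follows the self-rules-first ordering the reply mentions.

```selinux
########################################
#
# Portage local policy (illustrative, not the real portage.te)
#

# BEFORE: an interface call plus every rule a domain transition needs,
# spelled out by hand (assumed shape of the original rules).
#
#   domain_trans(portage_t, portage_exec_t, portage_sandbox_t)
#   allow portage_t self:process setexec;
#   allow portage_sandbox_t portage_t:fd use;
#   allow portage_sandbox_t portage_t:fifo_file rw_fifo_file_perms;
#   allow portage_sandbox_t portage_t:process sigchld;

# AFTER: one pattern macro. Assumed expansion, taken from
# support/misc_patterns.spt of the period and from the reply above:
#   allow portage_t portage_exec_t:file { getattr open read execute };
#   allow portage_t portage_sandbox_t:process transition;
#   dontaudit portage_t portage_sandbox_t:process { noatsecure siginh rlimitinh };
#   allow portage_sandbox_t portage_exec_t:file entrypoint;
#   allow portage_t self:process setexec;
#   allow portage_sandbox_t portage_t:fd use;
#   allow portage_sandbox_t portage_t:fifo_file rw_fifo_file_perms;
#   allow portage_sandbox_t portage_t:process sigchld;
# No type_transition is emitted: the caller must request the new
# context itself (setexec), which is why this is the "spec" variant.
spec_domtrans_pattern(portage_t, portage_exec_t, portage_sandbox_t)
corecmd_shell_spec_domtrans(portage_t, portage_sandbox_t)

########################################
#
# Portage sandbox local policy
# - SELinux-enforced sandbox
#

# Self rules come first in a section.
allow portage_sandbox_t self:process ptrace;
dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;

# Nothing is left to say about portage_t here: the fd/fifo_file/sigchld
# rules are now granted by spec_domtrans_pattern() in the caller's section.

# Interface calls after local rules.
portage_compile_domain(portage_sandbox_t)

auth_use_nsswitch(portage_sandbox_t)
```

To confirm the rewrite grants the same access on a built policy, compare `sesearch -A -s portage_sandbox_t -t portage_t` before and after; the fd, fifo_file and sigchld permissions should still be present, now originating from the pattern rather than from the hand-written rules.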