From: dominick.grift@gmail.com (grift) Date: Sun, 09 Dec 2012 14:51:22 +0100 Subject: [refpolicy] [PATCH 01/11] Moving sandbox code to sandbox section (v2) In-Reply-To: <1355000222-7297-2-git-send-email-sven.vermeulen@siphos.be> References: <1355000222-7297-1-git-send-email-sven.vermeulen@siphos.be> <1355000222-7297-2-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1355061082.1797.65.camel@localhost> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Sat, 2012-12-08 at 21:56 +0100, Sven Vermeulen wrote: > Some portage_sandbox_t code is sitting in the main portage_t section. Moving > this to its own sandbox location. Also switch a domain_trans towards > spec_domtrans_pattern as this cleans the policy up a little bit. > This was merged, thanks > Signed-off-by: Sven Vermeulen > --- > portage.te | 13 +++++-------- > 1 files changed, 5 insertions(+), 8 deletions(-) >
> diff --git a/portage.te b/portage.te
> index 7d2fc08..f9b9ce8 100644
> --- a/portage.te
> +++ b/portage.te
> @@ -150,8 +150,7 @@ optional_policy(`
> #
>
> # - setfscreate for merging to live fs
> -# - setexec to run portage fetch
> -allow portage_t self:process { setfscreate setexec };
> +allow portage_t self:process { setfscreate };
> # - kill for mysql merging, at least
> allow portage_t self:capability { sys_nice kill setfcap };
> dontaudit portage_t self:capability { dac_read_search };
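Review bot: Dropping `setexec` from the `allow portage_t self:process` line is a behavioral change that neither the subject ("Moving sandbox code to sandbox section") nor the description mentions, and the deleted comment `# - setexec to run portage fetch` says portage_t relied on it for the fetch transition. If setexeccon is no longer used on that path the description should say so; if it still is, the denial would presumably keep fetching inside portage_t instead of the separate fetch domain, so the line should stay `allow portage_t self:process { setfscreate setexec };` until that is confirmed. The surrounding optional_policy block begins outside the hunk.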
> @@ -174,13 +173,8 @@ allow portage_fetch_t portage_t:process sigchld;
> dontaudit portage_fetch_t portage_devpts_t:chr_file { read write };
>
> # transition to sandbox for compiling
> -domain_trans(portage_t, portage_exec_t, portage_sandbox_t)
> +spec_domtrans_pattern(portage_t, portage_exec_t, portage_sandbox_t)
> corecmd_shell_spec_domtrans(portage_t, portage_sandbox_t)
> -allow portage_sandbox_t portage_t:fd use;
> -allow portage_sandbox_t portage_t:fifo_file rw_fifo_file_perms;
> -allow portage_sandbox_t portage_t:process sigchld;
> -allow portage_sandbox_t self:process ptrace;
> -dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
>
> # run scripts out of the build directory
> can_exec(portage_t, portage_tmp_t)
> @@ -338,6 +332,9 @@ optional_policy(`
> # - SELinux-enforced sandbox
> #
>
> +allow portage_sandbox_t self:process ptrace;
> +dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
> +
> portage_compile_domain(portage_sandbox_t)
>
> auth_use_nsswitch(portage_sandbox_t)
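Review bot: Of the five rules removed after `corecmd_shell_spec_domtrans`, only the `ptrace` allow and the netlink dontaudit reappear in the sandbox section; `allow portage_sandbox_t portage_t:fd use;`, the `fifo_file rw_fifo_file_perms` allow and the `process sigchld` allow are not re-added anywhere in the diff. Presumably `spec_domtrans_pattern` grants those three to the target domain, which is what would make the deletion permission-neutral, but the description only calls the switch a cleanup. One sentence in the commit message stating that the pattern now supplies the fd/fifo_file/sigchld rules would let a reviewer confirm nothing was silently lost.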
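Review bot: The relocated `allow portage_sandbox_t self:process ptrace;` arrives in the sandbox section without a comment, whereas the portage_t section annotates each self permission with a `# - <perm> for <reason>` bullet (for example `# - kill for mysql merging, at least`). A sandbox domain permitted to ptrace processes in its own domain is exactly the rule a later reader will want justified, and the netlink_route_socket dontaudit deserves a note on what triggers it. Add bullets such as `# - ptrace for [reason — to be confirmed by the sandbox maintainers]` above the two moved lines, matching the style of the earlier section.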