2011-04-28 19:25:09

by sven.vermeulen

Subject: [refpolicy] [PATCH 1/4] Support live ebuilds

In Gentoo, live ebuilds exist (packages) which use the latest checkout of a
version controlled repository (git, svn, cvs, ...). During installation,
Portage checks out this repository in (by default)
/usr/portage/distfiles/svn-src. Currently, this is labelled portage_ebuild_t
but it is just plain wrong to allow the portage_sandbox_t to manage this
type (which, btw, it can't do currently, so live ebuild installations aren't
supported with the current policy).

To resolve this, create an additional type (portage_svnsrc_t) and label the
location accordingly. Also, allow portage_sandbox_t to manage the files,
directories and links that it checks out by allowing the necessary
privileges on portage_svnsrc_t.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/admin/portage.fc | 1 +
policy/modules/admin/portage.if | 5 +++++
policy/modules/admin/portage.te | 3 +++
3 files changed, 9 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index db46387..f6daba8 100644
--- a/policy/modules/admin/portage.fc
+++ b/policy/modules/admin/portage.fc
@@ -13,6 +13,7 @@
/usr/lib(64)?/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)

/usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
+/usr/portage/distfiles/svn-src(/.*)? gen_context(system_u:object_r:portage_svnsrc_t,s0)

/var/db/pkg(/.*)? gen_context(system_u:object_r:portage_db_t,s0)
/var/cache/edb(/.*)? gen_context(system_u:object_r:portage_cache_t,s0)
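Review bot: the added entry labels only /usr/portage/distfiles/svn-src, while the commit message says live ebuilds use git, svn, cvs and others; unless every VCS checks out under svn-src, the other checkout directories stay portage_ebuild_t and keep hitting the same denials the patch sets out to fix. Either add entries for the other checkout directories or label a common parent, and since the type is meant to cover more than Subversion a less VCS-specific name than portage_svnsrc_t would read better. Note also that a checkout already on disk under that path keeps its old label until restorecon is run on it.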
diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index 8aaa46d..a4026a9 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -123,6 +123,11 @@ interface(`portage_compile_domain',`
manage_sock_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
fs_tmpfs_filetrans($1, portage_tmpfs_t, { dir file lnk_file sock_file fifo_file })

+ # Support live ebuilds
+ manage_dirs_pattern($1, portage_svnsrc_t, portage_svnsrc_t)
+ manage_files_pattern($1, portage_svnsrc_t, portage_svnsrc_t)
+ manage_lnk_files_pattern($1, portage_svnsrc_t, portage_svnsrc_t)
+
kernel_read_system_state($1)
kernel_read_network_state($1)
kernel_read_software_raid_state($1)
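Review bot: the three manage_*_pattern rules let the caller read, write and create objects of type portage_svnsrc_t, but nothing in the hunk makes a newly created checkout directory get that label: a directory the domain creates under /usr/portage/distfiles (labelled portage_ebuild_t by the .fc rule above) inherits portage_ebuild_t, so the first checkout on a fresh system is still denied until a restorecon runs. A filetrans_pattern($1, portage_ebuild_t, portage_svnsrc_t, dir) would be too broad (every directory created under portage_ebuild_t would flip), so this wants a filename-based transition on "svn-src" if the policy build supports it, or at least a comment saying the directory has to be relabelled once. Two smaller points: if this interface's gen_require block lists the portage types it uses, portage_svnsrc_t belongs there too; and the commit message says the access goes to portage_sandbox_t, whereas it is granted to every domain that calls portage_compile_domain, which the message should state.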
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index c633aea..8f41c2e 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -36,6 +36,9 @@ term_pty(portage_devpts_t)
type portage_ebuild_t;
files_type(portage_ebuild_t)

+type portage_svnsrc_t;
+files_type(portage_svnsrc_t)
+
type portage_fetch_tmp_t;
files_tmp_file(portage_fetch_tmp_t)

--
1.7.3.4
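As an added illustration (not part of Sven's patch or of refpolicy's tooling): a small Python model of how a file_contexts lookup picks a label, using a constructed subset of portage.fc that includes the entry added above. It shows why the more specific svn-src entry wins over /usr/portage(/.*)? even though both match, why the "--" flag limits the sandbox entry to regular files, and that a git-src checkout would still be portage_ebuild_t. The ordering heuristic (longer literal prefix, then an explicit object class, counts as more specific, and the last match wins) approximates refpolicy's fc_sort and libselinux and is an assumption, not their code; the fc lines are a constructed sample.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed subset of portage.fc (the first three lines appear in the patch
# above, including the entry it adds); not the full file.
FC_SOURCE = """\
/usr/lib(64)?/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
/usr/portage/distfiles/svn-src(/.*)? gen_context(system_u:object_r:portage_svnsrc_t,s0)
/var/db/pkg(/.*)? gen_context(system_u:object_r:portage_db_t,s0)
"""

# file_contexts object-class flags (the "--" on the sandbox line above).
FILE_TYPE_FLAGS = {
    "--": "file", "-d": "dir", "-l": "lnk_file", "-s": "sock_file",
    "-p": "fifo_file", "-c": "chr_file", "-b": "blk_file",
}

REGEX_META = set(".^$?*+|[](){}\\")


@dataclass
class FcSpec:
    regex: str
    obj_class: Optional[str]   # None: the entry applies to any object class
    context: str               # user:role:type (MLS level stripped)

    @property
    def type(self) -> str:
        return self.context.split(":")[2]

    def matches(self, path: str, obj_class: str) -> bool:
        if self.obj_class is not None and self.obj_class != obj_class:
            return False
        # file_contexts regexes are implicitly anchored at both ends.
        return re.fullmatch(self.regex, path) is not None


def literal_prefix_len(regex: str) -> int:
    """Length of the literal path prefix before the first regex metacharacter."""
    for i, ch in enumerate(regex):
        if ch in REGEX_META:
            return i
    return len(regex)


def parse_fc(text: str) -> List[FcSpec]:
    """Parse 'regex [flag] gen_context(ctx,level)' lines into FcSpec records."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        regex, ctx_field = parts[0], parts[-1]
        obj_class = FILE_TYPE_FLAGS[parts[1]] if len(parts) == 3 else None
        m = re.fullmatch(r"gen_context\(([^,]+),.*\)", ctx_field)
        if m is None:
            raise ValueError(f"unsupported context field: {ctx_field}")
        specs.append(FcSpec(regex, obj_class, m.group(1)))
    return specs


def sort_specs(specs: List[FcSpec]) -> List[FcSpec]:
    """Least specific first. Approximation of refpolicy's fc_sort (assumption):
    a longer literal prefix, then an explicit object class, counts as more specific."""
    return sorted(specs, key=lambda s: (literal_prefix_len(s.regex), s.obj_class is not None))


def lookup(specs: List[FcSpec], path: str, obj_class: str = "file") -> Optional[str]:
    """Return the type a path would get: walk the sorted list from the most
    specific entry down and take the first hit (i.e. the last match wins)."""
    for spec in reversed(sort_specs(specs)):
        if spec.matches(path, obj_class):
            return spec.type
    return None


SPECS = parse_fc(FC_SOURCE)

if __name__ == "__main__":
    for path, cls in [
        ("/usr/portage/distfiles/svn-src/foo/bar.c", "file"),
        ("/usr/portage/distfiles/git-src/foo", "dir"),
        ("/usr/lib64/portage/bin/sandbox", "file"),
        ("/usr/lib64/portage/bin/sandbox", "dir"),
    ]:
        print(f"{path} ({cls}): {lookup(SPECS, path, cls)}")
```

On a real system the same question is answered by matchpathcon or `selabel_lookup`, which read the compiled, already sorted file_contexts; the model above only makes the precedence rule visible, and the git-src case is exactly the gap Chris raises in the reply below.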


2011-05-02 15:25:18

by cpebenito

Subject: [refpolicy] [PATCH 1/4] Support live ebuilds

On 04/28/11 15:25, Sven Vermeulen wrote:
> In Gentoo, live ebuilds exist (packages) which use the latest checkout of a
> version controlled repository (git, svn, cvs, ...). During installation,
> Portage checks out this repository in (by default)
> /usr/portage/distfiles/svn-src. Currently, this is labelled portage_ebuild_t
> but it is just plain wrong to allow the portage_sandbox_t to manage this
> type (which, btw, it can't do currently, so live ebuild installations aren't
> supported with the current policy).
>
> To resolve this, create an additional type (portage_svnsrc_t) and label the
> location accordingly. Also, allow portage_sandbox_t to manage the files,
> directories and links that it checks out by allowing the necessary
> privileges on portage_svnsrc_t.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/admin/portage.fc | 1 +
> policy/modules/admin/portage.if | 5 +++++
> policy/modules/admin/portage.te | 3 +++
> 3 files changed, 9 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
> index db46387..f6daba8 100644
> --- a/policy/modules/admin/portage.fc
> +++ b/policy/modules/admin/portage.fc
> @@ -13,6 +13,7 @@
> /usr/lib(64)?/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
>
> /usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
> +/usr/portage/distfiles/svn-src(/.*)? gen_context(system_u:object_r:portage_svnsrc_t,s0)

It's been a while since I used a live ebuild, but iirc, there are other
dirs such as cvs-src (maybe git-src, etc. too?)

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com