[selinux-policy: 1113/3172] add portage from gentoo

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:41:15 UTC 2010


commit e1c41428e23fe59a1ab45628be9f3a2a4a9ae5f1
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Jan 18 14:48:24 2006 +0000

    add portage from gentoo

 refpolicy/Changelog                           |    1 +
 refpolicy/policy/modules/admin/portage.fc     |   21 +++
 refpolicy/policy/modules/admin/portage.if     |  199 +++++++++++++++++++++++++
 refpolicy/policy/modules/admin/portage.te     |  188 +++++++++++++++++++++++
 refpolicy/policy/modules/kernel/devices.if    |   20 +++-
 refpolicy/policy/modules/system/userdomain.if |   33 ++++-
 refpolicy/policy/modules/system/userdomain.te |    4 +
 7 files changed, 462 insertions(+), 4 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 82a1694..fbe4f5c 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,4 +1,5 @@
 - Added modules:
+	portage
 	usernetctl
 
 * Tue Jan 17 2006 Chris PeBenito <selinux at tresys.com> - 20060117
diff --git a/refpolicy/policy/modules/admin/portage.fc b/refpolicy/policy/modules/admin/portage.fc
new file mode 100644
index 0000000..af0c5fe
--- /dev/null
+++ b/refpolicy/policy/modules/admin/portage.fc
@@ -0,0 +1,21 @@
+/etc/make.conf			--	gen_context(system_u:object_r:portage_conf_t,s0)
+/etc/make.globals		--	gen_context(system_u:object_r:portage_conf_t,s0)
+/etc/portage(/.*)?			gen_context(system_u:object_r:portage_conf_t,s0)
+
+/usr/bin/sandbox			--	gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib(64)?/portage/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/portage/bin/ebuild --	gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib(64)?/portage/bin/emerge --	gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib(64)?/portage/bin/quickpkg --	gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib(64)?/portage/bin/ebuild.sh --	gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib(64)?/portage/bin/regenworld --	gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib(64)?/portage/bin/sandbox --	gen_context(system_u:object_r:portage_exec_t,s0)
+
+/usr/portage(/.*)?			gen_context(system_u:object_r:portage_ebuild_t,s0)
+
+/var/db/pkg(/.*)?			gen_context(system_u:object_r:portage_db_t,s0)
+/var/cache/edb(/.*)?			gen_context(system_u:object_r:portage_cache_t,s0)
+/var/log/emerge.log.*		--	gen_context(system_u:object_r:portage_log_t,s0)
+/var/lib/portage(/.*)?			gen_context(system_u:object_r:portage_cache_t,s0)
+/var/tmp/portage(/.*)?			gen_context(system_u:object_r:portage_tmp_t,s0)
+/var/tmp/portage-pkg(/.*)?		gen_context(system_u:object_r:portage_tmp_t,s0)
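Review bot: The unescaped `.` in `/etc/make.conf`, `/etc/make.globals`, `/usr/lib(64)?/portage/bin/ebuild.sh` and `/var/log/emerge.log.*` is a regex wildcard, so these entries match more paths than intended (any single character in place of the dot, and for the log entry any file named `emerge<char>log...`). Refpolicy convention is to escape literal dots; these should read `/etc/make\.conf`, `/etc/make\.globals`, `.../ebuild\.sh` and `/var/log/emerge\.log.*`. On a normal system the labelling result is the same, so this is a matching-precision point rather than a functional break.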
diff --git a/refpolicy/policy/modules/admin/portage.if b/refpolicy/policy/modules/admin/portage.if
new file mode 100644
index 0000000..cc54a09
--- /dev/null
+++ b/refpolicy/policy/modules/admin/portage.if
@@ -0,0 +1,199 @@
+## <summary>
+##	Portage Package Management System. The primary package management and
+##	distribution system for Gentoo.
+## </summary>
+
+########################################
+## <summary>
+##	Execute emerge in the portage domain.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`portage_domtrans',`
+	gen_require(`
+		type portage_t, portage_exec_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_bin($1)
+	domain_auto_trans($1,portage_exec_t,portage_t)
+
+	allow $1 portage_t:fd use;
+	allow portage_t $1:fd use;
+	allow portage_t $1:fifo_file rw_file_perms;
+	allow portage_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute emerge in the portage domain, and
+##	allow the specified role the portage domain.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+## <param name="role">
+##	The role to allow the portage domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow for portage to use.
+## </param>
+#
+interface(`portage_run',`
+	gen_require(`
+		type portage_t, portage_fetch_t, portage_sandbox_t;
+	')
+
+	portage_domtrans($1)
+
+	role $2 types portage_t;
+	role $2 types portage_fetch_t;
+	role $2 types portage_sandbox_t;
+
+	allow portage_t $3:chr_file rw_term_perms;
+	allow portage_fetch_t $3:chr_file rw_term_perms;
+	allow portage_sandbox_t $3:chr_file rw_term_perms;
+
+	# not sure about this one, may be stray fds
+	allow portage_t $1:udp_socket write;
+	allow $1 portage_t:udp_socket write;
+')
+
+########################################
+## <summary>
+##	Template for portage sandbox.
+## </summary>
+## <desc>
+##	<p>
+##	Template for portage sandbox.  Portage
+##	does all compiling in the sandbox.
+##	</p>
+## </desc>
+## <param name="prefix">
+##	Name to be used to derive types.
+## </param>
+#
+template(`portage_compile_domain_template',`
+	type $1_t;
+	domain_type($1_t)
+	domain_entry_file($1_t,portage_exec_t)
+
+	type $1_devpts_t;
+	term_pty($1_devpts_t)
+
+	type $1_tmp_t;
+	files_tmp_file($1_tmp_t)
+
+	type $1_tmpfs_t;
+	files_tmpfs_file($1_tmpfs_t)
+
+	allow $1_t self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
+	allow $1_t self:process { setpgid setsched setrlimit signal_perms execmem };
+	allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+	allow $1_t self:fd use;
+	allow $1_t self:fifo_file rw_file_perms;
+	allow $1_t self:shm create_shm_perms;
+	allow $1_t self:sem create_sem_perms;
+	allow $1_t self:msgq create_msgq_perms;
+	allow $1_t self:msg { send receive };
+	allow $1_t self:unix_dgram_socket create_socket_perms;
+	allow $1_t self:unix_stream_socket create_stream_socket_perms;
+	allow $1_t self:unix_dgram_socket sendto;
+	allow $1_t self:unix_stream_socket connectto;
+	# really shouldnt need this
+	allow $1_t self:tcp_socket create_stream_socket_perms;
+	allow $1_t self:udp_socket create_socket_perms;
+	# misc networking stuff (esp needed for compiling perl):
+	allow $1_t self:rawip_socket { create ioctl };
+	allow $1_t self:udp_socket recvfrom;
+	# needed for merging dbus:
+	allow $1_sandbox_t self:netlink_selinux_socket { bind create read };
+
+	allow $1_t $1_devpts_t:chr_file { rw_file_perms setattr };
+	term_create_pty($1_t,$1_devpts_t)
+
+	allow $1_t $1_tmp_t:dir manage_dir_perms;
+	allow $1_t $1_tmp_t:file manage_file_perms;
+	allow $1_t $1_tmp_t:lnk_file create_lnk_perms;
+	allow $1_t $1_tmp_t:fifo_file manage_file_perms;
+	allow $1_t $1_tmp_t:sock_file manage_file_perms;
+	files_create_tmp($1_t,$1_tmp_t,{ dir file lnk_file sock_file fifo_file })
+
+	allow $1_t $1_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
+	allow $1_t $1_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1_t $1_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
+	allow $1_t $1_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1_t $1_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+	fs_create_tmpfs_data($1_t,$1_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+	# write merge logs
+	allow $1_t portage_log_t:dir setattr;
+	allow $1_t portage_log_t:file { append write setattr };
+
+	kernel_read_system_state($1_t)
+	kernel_read_network_state($1_t)
+	kernel_read_software_raid_state($1_t)
+	kernel_getattr_core($1_t)
+	kernel_getattr_message_if($1_t)
+	kernel_read_kernel_sysctl($1_t)
+
+	corecmd_exec_bin($1_t)
+	corecmd_exec_sbin($1_t)
+
+	# really shouldnt need this
+	corenet_non_ipsec_sendrecv($1_t)
+	corenet_tcp_sendrecv_generic_if($1_t)
+	corenet_udp_sendrecv_generic_if($1_t)
+	corenet_raw_sendrecv_generic_if($1_t)
+	corenet_tcp_sendrecv_all_nodes($1_t)
+	corenet_udp_sendrecv_all_nodes($1_t)
+	corenet_raw_sendrecv_all_nodes($1_t)
+	corenet_tcp_sendrecv_all_ports($1_t)
+	corenet_udp_sendrecv_all_ports($1_t)
+	corenet_tcp_connect_all_reserved_ports($1_t)
+	corenet_tcp_connect_distccd_port($1_t)
+
+	dev_read_sysfs($1_t)
+	dev_read_rand($1_t)
+	dev_read_urand($1_t)
+
+	domain_exec_all_entry_files($1_t)
+	domain_use_wide_inhert_fds($1_t)
+
+	files_exec_etc_files($1_t)
+	files_exec_usr_src_files($1_t)
+
+	fs_getattr_xattr_fs($1_t)
+	fs_list_noxattr_fs($1_t)
+	fs_read_noxattr_fs_files($1_t)
+	fs_read_noxattr_fs_symlinks($1_t)
+	fs_search_auto_mountpoints($1_t)
+
+	# needed for merging dbus:
+	selinux_compute_access_vector($1_t)
+
+	auth_read_all_dirs_except_shadow($1_t)
+	auth_read_all_files_except_shadow($1_t)
+	auth_read_all_symlinks_except_shadow($1_t)
+
+	libs_use_ld_so($1_t)
+	libs_use_shared_libs($1_t)
+	libs_exec_lib_files($1_t)
+	# some config scripts use ldd
+	libs_exec_ld_so($1_t)
+	# this violates the idea of sandbox, but
+	# regular sandbox allows it
+	libs_domtrans_ldconfig($1_t)
+
+	logging_send_syslog_msg($1_t)
+
+	ifdef(`TODO',`
+	# some gui ebuilds want to interact with X server, like xawtv
+	optional_policy(`xdm',`
+		allow $1_t xdm_xserver_tmp_t:dir { add_name remove_name write };
+		allow $1_t xdm_xserver_tmp_t:sock_file { create getattr unlink write };
+	')
+	') dnl end TODO
+')
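Review bot: `allow $1_sandbox_t self:netlink_selinux_socket { bind create read };` under the "needed for merging dbus" comment in `portage_compile_domain_template` names a type the template does not declare; every other rule in the template targets `$1_t`, and for the `portage_sandbox` instantiation in portage.te this expands to the undeclared `portage_sandbox_sandbox_t`, so it should read `allow $1_t self:netlink_selinux_socket { bind create read };`. `domain_use_wide_inhert_fds($1_t)` is misspelled — portage.te calls `domain_use_wide_inherit_fds` — and an undefined interface name fails the build. `files_create_tmp(...)` here and `files_create_tmp_files(...)` in portage.te cannot both be the real interface name; check files.if for the one that exists. Separately, `allow $1_t self:process ~{ ... };` grants every process permission that is not listed, which is hard to review for a domain the comments describe as a sandbox; an explicit positive list next to the existing `allow $1_t self:process { setpgid setsched setrlimit signal_perms execmem };` would make the sandbox boundary visible.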
diff --git a/refpolicy/policy/modules/admin/portage.te b/refpolicy/policy/modules/admin/portage.te
new file mode 100644
index 0000000..a863f9b
--- /dev/null
+++ b/refpolicy/policy/modules/admin/portage.te
@@ -0,0 +1,188 @@
+
+policy_module(portage,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type portage_exec_t;
+files_type(portage_exec_t)
+
+portage_compile_domain(portage)
+domain_obj_id_change_exempt(portage_t)
+
+portage_compile_domain(portage_sandbox)
+# the shell is the entrypoint if regular sandbox is disabled
+# portage_exec_t is the entrypoint if regular sandbox is enabled
+corecmd_shell_entry_type(portage_sandbox_t)
+domain_entry_file(portage_sandbox_t,portage_exec_t)
+
+type portage_ebuild_t;
+files_type(portage_ebuild_t)
+
+type portage_fetch_t;
+domain_type(portage_fetch_t)
+
+type portage_fetch_tmp_t;
+files_tmp_file(portage_fetch_tmp_t)
+
+type portage_db_t;
+files_type(portage_db_t)
+
+type portage_conf_t;
+files_type(portage_conf_t)
+
+type portage_cache_t;
+files_type(portage_cache_t)
+
+type portage_log_t;
+logging_log_file(portage_log_t)
+
+########################################
+#
+# Portage Rules
+#
+
+# - setfscreate for merging to live fs
+# - setexec to run portage fetch
+allow portage_t self:process { setfscreate setexec };
+
+# transition for rsync and wget
+corecmd_shell_spec_domtrans(portage_t,portage_fetch_t)
+allow portage_fetch_t portage_t:fd use;
+allow portage_fetch_t portage_t:fifo_file rw_file_perms;
+allow portage_fetch_t portage_t:process sigchld;
+
+allow portage_t portage_log_t:file create_file_perms;
+logging_create_log(portage_t,portage_log_t)
+
+# transition to sandbox for compiling
+domain_trans(portage_t,portage_exec_t,portage_sandbox_t)
+corecmd_shell_spec_domtrans(portage_t,portage_sandbox_t)
+allow portage_sandbox_t portage_t:fd use;
+allow portage_sandbox_t portage_t:fifo_file rw_file_perms;
+allow portage_sandbox_t portage_t:process sigchld;
+
+# run scripts out of the build directory
+can_exec($1_t,portage_tmp_t)
+
+# merging baselayout will need this:
+kernel_write_proc_file(portage_t)
+
+domain_dontaudit_read_all_domains_state(portage_t)
+
+# modify any files in the system
+files_manage_all_files(portage_t)
+
+selinux_get_fs_mount(portage_t)
+
+# merging baselayout will need this:
+init_exec(portage_t)
+
+# run setfiles -r
+seutil_domtrans_setfiles(portage_t)
+
+optional_policy(`bootloader',`
+	bootloader_domtrans(portage_t)
+')
+
+optional_policy(`modutils',`
+	modutils_domtrans_depmod(portage_t)
+	modutils_domtrans_update_modules(portage_t)
+	#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
+')
+
+optional_policy(`usermanage',`
+	usermanage_domtrans_groupadd(portage_t)
+	usermanage_domtrans_useradd(portage_t)
+')
+
+# seems to work ok without these
+dontaudit portage_t device_t:{ blk_file chr_file } getattr;
+dontaudit portage_t proc_t:dir setattr;
+dontaudit portage_t device_type:{ chr_file blk_file } r_file_perms;
+
+##########################################
+#
+# Portage fetch domain
+# - for rsync and distfile fetching
+#
+
+allow portage_fetch_t self:capability dac_override;
+dontaudit portage_fetch_t self:capability { fowner fsetid };
+allow portage_fetch_t self:unix_stream_socket create_socket_perms;
+allow portage_fetch_t self:tcp_socket create_stream_socket_perms;
+
+allow portage_fetch_t portage_conf_t:dir list_dir_perms;
+allow portage_fetch_t portage_conf_t:file r_file_perms;
+
+allow portage_fetch_t portage_ebuild_t:dir manage_dir_perms;
+allow portage_fetch_t portage_ebuild_t:file manage_file_perms;
+
+allow portage_fetch_t portage_fetch_tmp_t:dir create_dir_perms;
+allow portage_fetch_t portage_fetch_tmp_t:file create_file_perms;
+files_create_tmp_files(portage_fetch_t, portage_fetch_tmp_t, { file dir })
+
+# portage makes home dir the portage tmp dir, so
+# wget looks for .wgetrc there
+dontaudit portage_fetch_t portage_tmp_t:dir search_dir_perms;
+
+kernel_read_system_state(portage_fetch_t)
+kernel_read_kernel_sysctl(portage_fetch_t)
+
+corecmd_exec_bin(portage_fetch_t)
+corecmd_exec_sbin(portage_fetch_t)
+
+corenet_non_ipsec_sendrecv(portage_fetch_t)
+corenet_tcp_sendrecv_generic_if(portage_fetch_t)
+corenet_tcp_sendrecv_all_nodes(portage_fetch_t)
+corenet_tcp_sendrecv_all_ports(portage_fetch_t)
+# would rather not connect to unspecified ports, but
+# it occasionally comes up
+corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
+corenet_tcp_connect_generic_port(portage_fetch_t)
+
+dev_search_ptys(portage_fetch_t)
+dev_dontaudit_read_rand(portage_fetch_t)
+
+domain_use_wide_inherit_fds(portage_fetch_t)
+
+files_read_etc_files(portage_fetch_t)
+files_read_etc_runtime_files(portage_fetch_t)
+files_search_var(portage_fetch_t)
+files_dontaudit_search_pids(portage_fetch_t)
+
+libs_use_ld_so(portage_fetch_t)
+libs_use_shared_libs(portage_fetch_t)
+
+miscfiles_read_localization(portage_fetch_t)
+
+sysnet_read_config(portage_fetch_t)
+sysnet_dns_name_resolve(portage_fetch_t)
+
+userdom_dontaudit_read_sysadm_home_files(portage_fetch_t)
+
+ifdef(`hide_broken_symptoms',`
+	dontaudit portage_fetch_t portage_cache_t:file read;
+')
+
+ifdef(`TODO',`
+domain_auto_trans(portage_t, rsyncd_exec_t, portage_fetch_t)
+')
+
+##########################################
+#
+# Portage sandbox domain
+# - SELinux-enforced sandbox
+#
+
+# seems ok w/o this
+dontaudit portage_sandbox_t portage_cache_t:dir { setattr };
+dontaudit portage_sandbox_t portage_cache_t:file { setattr write };
+
+allow portage_sandbox_t portage_tmp_t:dir manage_dir_perms;
+allow portage_sandbox_t portage_tmp_t:file manage_dir_perms;
+allow portage_sandbox_t portage_tmp_t:lnk_file create_lnk_perms;
+# run scripts out of the build directory
+can_exec(portage_sandbox_t,portage_tmp_t)
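Review bot: `can_exec($1_t,portage_tmp_t)` under the first "run scripts out of the build directory" comment uses an m4 argument reference outside any macro, so `$1_t` is emitted literally into the policy; it should be `can_exec(portage_t,portage_tmp_t)`. The two `portage_compile_domain(...)` calls in the declarations do not match the template name `portage_compile_domain_template` defined in portage.if, so one side has to be renamed before this module will build. `allow portage_sandbox_t portage_tmp_t:file manage_dir_perms;` applies a directory permission set to the file class and should be `manage_file_perms`, as the template's own tmp rules do. The three `dontaudit portage_t ...` rules referencing `device_t`, `proc_t` and `device_type` use other modules' types directly instead of going through dev_*/kernel_* interfaces, which is the style the rest of the file follows.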
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 8c5d372..678ceff 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if
@@ -1519,7 +1519,8 @@ interface(`dev_rw_printer',`
 
 ########################################
 ## <summary>
-##	Read from random devices (e.g., /dev/random)
+##	Read from random number generator
+##	devices (e.g., /dev/random)
 ## </summary>
 ## <param name="domain">
 ##	Domain allowed access.
@@ -1536,6 +1537,23 @@ interface(`dev_read_rand',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to read from random
+##	number generator devices (e.g., /dev/random)
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`dev_dontaudit_read_rand',`
+	gen_require(`
+		type random_device_t;
+	')
+
+	dontaudit $1 random_device_t:chr_file { getattr read };
+')
+
+########################################
+## <summary>
 ##	Write to the random device (e.g., /dev/random). This adds
 ##	entropy used to generate the random data read from the
 ##	random device.
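Review bot: The `<param name="domain">` text of the new `dev_dontaudit_read_rand` says `Domain allowed access.`, but the interface only adds a dontaudit rule and grants nothing; the same commit words the equivalent parameter in userdomain.if as `Domain to not audit.`, which is the accurate description here too. Suggest `##	Domain to not audit.`.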
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index cace0a0..e8fc6ce 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -2736,9 +2736,9 @@ interface(`userdom_search_sysadm_home_dir',`
 #
 interface(`userdom_dontaudit_search_sysadm_home_dir',`
 	ifdef(`targeted_policy',`
-	gen_require(`
-		type user_home_dir_t;
-	')
+		gen_require(`
+			type user_home_dir_t;
+		')
 
 		dontaudit $1 user_home_dir_t:dir search_dir_perms;
 	',`
@@ -2785,6 +2785,33 @@ interface(`userdom_dontaudit_list_sysadm_home_dir',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to search the sysadm
+##	users home directory.
+## </summary>
+## <param name="domain">
+##	Domain to not audit.
+## </param>
+#
+interface(`userdom_dontaudit_read_sysadm_home_files',`
+	ifdef(`targeted_policy',`
+		gen_require(`
+			type user_home_dir_t, user_home_t;
+		')
+
+		dontaudit $1 user_home_dir_t:dir search_dir_perms;
+		dontaudit $1 user_home_t:file r_file_perms;
+	',`
+		gen_require(`
+			type sysadm_home_dir_t, sysadm_home_t;
+		')
+
+		dontaudit $1 sysadm_home_dir_t:dir search_dir_perms;
+		dontaudit $1 sysadm_home_t:dir r_file_perms;
+	')
+')
+
+########################################
+## <summary>
 ##	Create objects in sysadm home directories
 ##	with automatic file type transition.
 ## </summary>
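Review bot: `dontaudit $1 sysadm_home_t:dir r_file_perms;` in the non-targeted branch of `userdom_dontaudit_read_sysadm_home_files` applies file permissions to the dir class, while the targeted branch above it uses `dontaudit $1 user_home_t:file r_file_perms;`; the line should be `dontaudit $1 sysadm_home_t:file r_file_perms;` so that reads of home files are actually silenced under strict policy. The summary `Do not audit attempts to search the sysadm users home directory.` was copied from the search interface above and does not describe this one; suggest `Do not audit attempts to read files in the sysadm users home directory.`.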
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index a59de33..9abab87 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -274,6 +274,10 @@ ifdef(`targeted_policy',`
 		pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal)
 	')
 
+	optional_policy(`portage',`
+		portage_run(sysadm_t,sysadm_r,admin_terminal)
+	')
+
 	optional_policy(`portmap',`
 		portmap_run_helper(sysadm_t,sysadm_r,admin_terminal)
 	')

