[selinux-policy: 1378/3172] fixes
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:04:34 UTC 2010
commit 82f1dfb5e8f0f27cc1ed10cb9684542297343b07
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Apr 21 18:00:51 2006 +0000
fixes
refpolicy/policy/modules/admin/portage.if | 23 +++++++++++++----------
refpolicy/policy/modules/admin/portage.te | 9 ++++++---
2 files changed, 19 insertions(+), 13 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/portage.if b/refpolicy/policy/modules/admin/portage.if
index af99899..f0e35c8 100644
--- a/refpolicy/policy/modules/admin/portage.if
+++ b/refpolicy/policy/modules/admin/portage.if
@@ -27,7 +27,7 @@ interface(`portage_domtrans',`
allow portage_t $1:fifo_file rw_file_perms;
allow portage_t $1:process sigchld;
- # main portage process
+ # transition to portage
domain_auto_trans($1,portage_exec_t,portage_t.merge)
allow portage_t.merge $1:fd use;
allow portage_t.merge $1:fifo_file rw_file_perms;
@@ -131,11 +131,11 @@ interface(`portage_compile_domain',`
allow $1 portage_tmp_t:sock_file manage_file_perms;
files_tmp_filetrans($1,portage_tmp_t,{ dir file lnk_file sock_file fifo_file })
- allow $1 portage_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
- allow $1 portage_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
- allow $1 portage_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
- allow $1 portage_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
- allow $1 portage_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+ allow $1 portage_tmpfs_t:dir rw_dir_perms;
+ allow $1 portage_tmpfs_t:file manage_file_perms;
+ allow $1 portage_tmpfs_t:lnk_file create_lnk_perms;
+ allow $1 portage_tmpfs_t:sock_file manage_file_perms;
+ allow $1 portage_tmpfs_t:fifo_file manage_file_perms;
fs_tmpfs_filetrans($1,portage_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
kernel_read_system_state($1)
@@ -147,7 +147,9 @@ interface(`portage_compile_domain',`
corecmd_exec_all_executables($1)
- # really shouldnt need this
+ # really shouldnt need this but some packages test
+ # network access, such as during configure
+ # also distcc--need to reinvestigate confining distcc client
corenet_non_ipsec_sendrecv($1)
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
@@ -216,17 +218,18 @@ interface(`portage_fetch_domain',`
allow $1 self:capability dac_override;
dontaudit $1 self:capability { fowner fsetid };
+ allow $1 self:process signal;
allow $1 self:unix_stream_socket create_socket_perms;
allow $1 self:tcp_socket create_stream_socket_perms;
allow $1 portage_conf_t:dir list_dir_perms;
- allow $1 portage_conf_t:file r_file_perms;
+ allow $1 portage_conf_t:file read_file_perms;
allow $1 portage_ebuild_t:dir manage_dir_perms;
allow $1 portage_ebuild_t:file manage_file_perms;
- allow $1 portage_fetch_tmp_t:dir create_dir_perms;
- allow $1 portage_fetch_tmp_t:file create_file_perms;
+ allow $1 portage_fetch_tmp_t:dir manage_dir_perms;
+ allow $1 portage_fetch_tmp_t:file manage_file_perms;
# portage makes home dir the portage tmp dir, so
# wget looks for .wgetrc there
diff --git a/refpolicy/policy/modules/admin/portage.te b/refpolicy/policy/modules/admin/portage.te
index c8d69ef..1b12cb6 100644
--- a/refpolicy/policy/modules/admin/portage.te
+++ b/refpolicy/policy/modules/admin/portage.te
@@ -6,7 +6,7 @@ policy_module(portage,1.0.2)
# Declarations
#
-# constraining domain
+# constraining type
type portage_t;
type portage_exec_t;
domain_type(portage_t)
@@ -15,7 +15,7 @@ rsync_entry_type(portage_t)
corecmd_shell_entry_type(portage_t)
domain_entry_file(portage_t,portage_exec_t)
-# main portage domain
+# portage domain for merging packages to the live fs
type portage_t.merge;
domain_type(portage_t.merge)
domain_entry_file(portage_t.merge,portage_exec_t)
@@ -85,6 +85,8 @@ portage_main_domain(portage_t.merge)
# if sesandbox is disabled, compiling is performed in this domain
portage_compile_domain(portage_t.merge)
+allow portage_t.merge portage_t.fetch:process signal;
+
# transition for rsync and wget
corecmd_shell_spec_domtrans(portage_t.merge,portage_t.fetch)
rsync_entry_domtrans(portage_t.merge,portage_t.fetch)
@@ -107,7 +109,8 @@ allow portage_t.sandbox portage_t.merge:process sigchld;
portage_fetch_domain(portage_t.fetch)
-# rule outside of the above macro to fix conflicting type transitions
+# this rule is outside of the above macro to fix conflicting type
+# transitions seen in the rules for the constraining type (portage_t)
files_tmp_filetrans(portage_t.fetch, portage_fetch_tmp_t, { file dir })
##########################################
More information about the scm-commits
mailing list