[selinux-policy: 1378/3172] fixes

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:04:34 UTC 2010


commit 82f1dfb5e8f0f27cc1ed10cb9684542297343b07
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Apr 21 18:00:51 2006 +0000

    fixes

 refpolicy/policy/modules/admin/portage.if |   23 +++++++++++++----------
 refpolicy/policy/modules/admin/portage.te |    9 ++++++---
 2 files changed, 19 insertions(+), 13 deletions(-)
---
diff --git a/refpolicy/policy/modules/admin/portage.if b/refpolicy/policy/modules/admin/portage.if
index af99899..f0e35c8 100644
--- a/refpolicy/policy/modules/admin/portage.if
+++ b/refpolicy/policy/modules/admin/portage.if
@@ -27,7 +27,7 @@ interface(`portage_domtrans',`
 	allow portage_t $1:fifo_file rw_file_perms;
 	allow portage_t $1:process sigchld;
 
-	# main portage process
+	# transition to portage
 	domain_auto_trans($1,portage_exec_t,portage_t.merge)
 	allow portage_t.merge $1:fd use;
 	allow portage_t.merge $1:fifo_file rw_file_perms;
@@ -131,11 +131,11 @@ interface(`portage_compile_domain',`
 	allow $1 portage_tmp_t:sock_file manage_file_perms;
 	files_tmp_filetrans($1,portage_tmp_t,{ dir file lnk_file sock_file fifo_file })
 
-	allow $1 portage_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
-	allow $1 portage_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
-	allow $1 portage_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
-	allow $1 portage_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
-	allow $1 portage_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+	allow $1 portage_tmpfs_t:dir rw_dir_perms;
+	allow $1 portage_tmpfs_t:file manage_file_perms;
+	allow $1 portage_tmpfs_t:lnk_file create_lnk_perms;
+	allow $1 portage_tmpfs_t:sock_file manage_file_perms;
+	allow $1 portage_tmpfs_t:fifo_file manage_file_perms;
 	fs_tmpfs_filetrans($1,portage_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
 
 	kernel_read_system_state($1)
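Review bot: The `dir` rule for `portage_tmpfs_t` now grants only `rw_dir_perms`, yet the unchanged `fs_tmpfs_filetrans($1,portage_tmpfs_t,{ dir file lnk_file sock_file fifo_file })` below it still lists `dir` as a transition class. If `rw_dir_perms` expands to the removed explicit set, which had no `create` or `rmdir`, the domain cannot create the directories that transition names. Either drop `dir` from the filetrans class list, or, if builds do create tmpfs directories, use `allow $1 portage_tmpfs_t:dir manage_dir_perms;`. The macro definitions are not part of this diff, so it is also worth confirming that `manage_file_perms` and `create_lnk_perms` expand to exactly the removed sets and do not widen the grant. The body of `portage_compile_domain` starts and ends outside this hunk.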
@@ -147,7 +147,9 @@ interface(`portage_compile_domain',`
 
 	corecmd_exec_all_executables($1)
 
-	# really shouldnt need this
+	# really shouldnt need this but some packages test
+	# network access, such as during configure
+	# also distcc--need to reinvestigate confining distcc client
 	corenet_non_ipsec_sendrecv($1)
 	corenet_tcp_sendrecv_generic_if($1)
 	corenet_udp_sendrecv_generic_if($1)
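Review bot: The expanded comment admits the network rules "really shouldnt" be needed, but the `corenet_*` grants below it stay unconditional for every caller of `portage_compile_domain`. That includes `portage_t.merge` when sesandbox is disabled, as portage.te shows. Build and configure scripts run package-supplied code, so this gives that code outbound network access by default. Consider wrapping the block in `tunable_policy(`<boolean name placeholder>',` ... `')` so sites that do not use distcc can turn it off. Marking the open item as `# TODO: reinvestigate confining distcc client` would also make it easier to find later. The corenet block continues past the end of this hunk.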
@@ -216,17 +218,18 @@ interface(`portage_fetch_domain',`
 
 	allow $1 self:capability dac_override;
 	dontaudit $1 self:capability { fowner fsetid };
+	allow $1 self:process signal;
 	allow $1 self:unix_stream_socket create_socket_perms;
 	allow $1 self:tcp_socket create_stream_socket_perms;
 
 	allow $1 portage_conf_t:dir list_dir_perms;
-	allow $1 portage_conf_t:file r_file_perms;
+	allow $1 portage_conf_t:file read_file_perms;
 
 	allow $1 portage_ebuild_t:dir manage_dir_perms;
 	allow $1 portage_ebuild_t:file manage_file_perms;
 
-	allow $1 portage_fetch_tmp_t:dir create_dir_perms;
-	allow $1 portage_fetch_tmp_t:file create_file_perms;
+	allow $1 portage_fetch_tmp_t:dir manage_dir_perms;
+	allow $1 portage_fetch_tmp_t:file manage_file_perms;
 
 	# portage makes home dir the portage tmp dir, so
 	# wget looks for .wgetrc there
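Review bot: The added `allow $1 self:process signal;` has no comment saying which fetch helper needs to signal its own processes. The same applies to `allow portage_t.merge portage_t.fetch:process signal;` added in portage.te, and the commit message ("fixes") gives no rationale either. Both rules would benefit from a one-line why-comment such as `# <reason placeholder: which tool sends which signal>`, so a later audit can tell whether the grant is still required. Separately, `portage_fetch_tmp_t` moves from `create_dir_perms`/`create_file_perms` to `manage_dir_perms`/`manage_file_perms`. The macro definitions are not visible here, so please confirm this is a rename and not a wider grant on the fetch temp directory. The body of `portage_fetch_domain` starts and ends outside this hunk.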
diff --git a/refpolicy/policy/modules/admin/portage.te b/refpolicy/policy/modules/admin/portage.te
index c8d69ef..1b12cb6 100644
--- a/refpolicy/policy/modules/admin/portage.te
+++ b/refpolicy/policy/modules/admin/portage.te
@@ -6,7 +6,7 @@ policy_module(portage,1.0.2)
 # Declarations
 #
 
-# constraining domain
+# constraining type
 type portage_t;
 type portage_exec_t;
 domain_type(portage_t)
@@ -15,7 +15,7 @@ rsync_entry_type(portage_t)
 corecmd_shell_entry_type(portage_t)
 domain_entry_file(portage_t,portage_exec_t)
 
-# main portage domain
+# portage domain for merging packages to the live fs
 type portage_t.merge;
 domain_type(portage_t.merge)
 domain_entry_file(portage_t.merge,portage_exec_t)
@@ -85,6 +85,8 @@ portage_main_domain(portage_t.merge)
 # if sesandbox is disabled, compiling is performed in this domain
 portage_compile_domain(portage_t.merge)
 
+allow portage_t.merge portage_t.fetch:process signal;
+
 # transition for rsync and wget
 corecmd_shell_spec_domtrans(portage_t.merge,portage_t.fetch)
 rsync_entry_domtrans(portage_t.merge,portage_t.fetch)
@@ -107,7 +109,8 @@ allow portage_t.sandbox portage_t.merge:process sigchld;
 
 portage_fetch_domain(portage_t.fetch)
 
-# rule outside of the above macro to fix conflicting type transitions
+# this rule is outside of the above macro to fix conflicting type
+# transitions seen in the rules for the constraining type (portage_t)
 files_tmp_filetrans(portage_t.fetch, portage_fetch_tmp_t, { file dir })
 
 ##########################################

