e1c41428 | 1 | |
29af4c13 | 2 | policy_module(portage, 1.10.0) |
3 | |
4 | ######################################## | |
5 | # | |
6 | # Declarations | |
7 | # | |
8 | ||
9 | type gcc_config_t; |
10 | type gcc_config_exec_t; | |
0bfccda4 | 11 | application_domain(gcc_config_t, gcc_config_exec_t) |
5afdf0bc | 12 | |
82f1dfb5 | 13 | # constraining type |
02f9b21e | 14 | type portage_t; |
e1c41428 | 15 | type portage_exec_t; |
0bfccda4 | 16 | application_domain(portage_t, portage_exec_t) |
aea3f28e | 17 | domain_obj_id_change_exemption(portage_t) |
18 | rsync_entry_type(portage_t) |
19 | corecmd_shell_entry_type(portage_t) | |
02f9b21e | 20 | |
02f9b21e | 21 | # portage compile sandbox domain |
22 | type portage_sandbox_t; |
23 | application_domain(portage_sandbox_t, portage_exec_t) | |
24 | # the shell is the entrypoint if regular sandbox is disabled |
25 | # portage_exec_t is the entrypoint if regular sandbox is enabled | |
aea3f28e | 26 | corecmd_shell_entry_type(portage_sandbox_t) |
27 | |
28 | # portage package fetching domain | |
29 | type portage_fetch_t; |
30 | application_type(portage_fetch_t) | |
31 | corecmd_shell_entry_type(portage_fetch_t) | |
32 | rsync_entry_type(portage_fetch_t) | |
33 | |
34 | type portage_devpts_t; | |
35 | term_pty(portage_devpts_t) | |
36 | |
37 | type portage_ebuild_t; | |
38 | files_type(portage_ebuild_t) | |
39 | ||
40 | type portage_fetch_tmp_t; |
41 | files_tmp_file(portage_fetch_tmp_t) | |
42 | ||
43 | type portage_db_t; | |
44 | files_type(portage_db_t) | |
45 | ||
46 | type portage_conf_t; | |
47 | files_type(portage_conf_t) | |
48 | ||
49 | type portage_cache_t; | |
50 | files_type(portage_cache_t) | |
51 | ||
52 | type portage_log_t; | |
53 | logging_log_file(portage_log_t) | |
54 | ||
55 | type portage_tmp_t; |
56 | files_tmp_file(portage_tmp_t) | |
57 | ||
58 | type portage_tmpfs_t; | |
59 | files_tmpfs_file(portage_tmpfs_t) | |
60 | ||
61 | ######################################## |
62 | # | |
63 | # gcc-config policy | |
64 | # | |
65 | ||
66 | allow gcc_config_t self:capability { chown fsetid }; | |
67 | allow gcc_config_t self:fifo_file rw_file_perms; | |
68 | ||
0bfccda4 | 69 | manage_files_pattern(gcc_config_t, portage_cache_t, portage_cache_t) |
5afdf0bc | 70 | |
0bfccda4 | 71 | read_files_pattern(gcc_config_t, portage_conf_t, portage_conf_t) |
72 | |
73 | allow gcc_config_t portage_ebuild_t:dir list_dir_perms; | |
0bfccda4 | 74 | read_files_pattern(gcc_config_t, portage_ebuild_t, portage_ebuild_t) |
5afdf0bc | 75 | |
0b36a214 | 76 | allow gcc_config_t portage_exec_t:file mmap_file_perms; |
77 | |
78 | kernel_read_system_state(gcc_config_t) | |
79 | kernel_read_kernel_sysctls(gcc_config_t) | |
80 | ||
81 | corecmd_exec_shell(gcc_config_t) | |
5afdf0bc | 82 | corecmd_exec_bin(gcc_config_t) |
5afdf0bc | 83 | corecmd_manage_bin_files(gcc_config_t) |
5afdf0bc | 84 | |
85 | domain_use_interactive_fds(gcc_config_t) |
86 | ||
87 | files_manage_etc_files(gcc_config_t) |
88 | files_rw_etc_runtime_files(gcc_config_t) | |
15d80e36 | 89 | files_read_usr_files(gcc_config_t) |
90 | files_search_var_lib(gcc_config_t) |
91 | files_search_pids(gcc_config_t) | |
92 | # complains loudly about not being able to list | |
93 | # the directory it is being run from | |
94 | files_list_all(gcc_config_t) | |
95 | ||
96 | # seems to be ok without this |
97 | init_dontaudit_read_script_status_files(gcc_config_t) | |
98 | ||
99 | libs_read_lib_files(gcc_config_t) |
100 | libs_domtrans_ldconfig(gcc_config_t) | |
101 | libs_manage_shared_libs(gcc_config_t) | |
102 | # gcc-config creates a temp dir for the libs |
103 | libs_manage_lib_dirs(gcc_config_t) | |
104 | ||
105 | logging_send_syslog_msg(gcc_config_t) | |
106 | ||
107 | miscfiles_read_localization(gcc_config_t) | |
108 | ||
109 | userdom_use_user_terminals(gcc_config_t) |
110 | ||
111 | consoletype_exec(gcc_config_t) |
112 | ||
113 | optional_policy(` | |
114 | seutil_use_newrole_fds(gcc_config_t) | |
115 | ') | |
116 | ||
117 | ######################################## |
118 | # | |
aea3f28e | 119 | # Portage Merging Rules |
120 | # |
121 | ||
122 | # - setfscreate for merging to live fs |
123 | # - setexec to run portage fetch | |
124 | allow portage_t self:process { setfscreate setexec }; | |
125 | # - kill for mysql merging, at least |
126 | allow portage_t self:capability { sys_nice kill }; | |
127 | ||
128 | # user post-sync scripts | |
129 | can_exec(portage_t, portage_conf_t) | |
6d14093b | 130 | |
131 | allow portage_t portage_log_t:file manage_file_perms; |
132 | logging_log_filetrans(portage_t, portage_log_t, file) | |
e1c41428 | 133 | |
134 | allow portage_t { portage_fetch_t portage_sandbox_t }:process signal; |
135 | ||
136 | # transition for rsync and wget | |
137 | corecmd_shell_spec_domtrans(portage_t, portage_fetch_t) | |
138 | rsync_entry_domtrans(portage_t, portage_fetch_t) | |
139 | allow portage_fetch_t portage_t:fd use; | |
140 | allow portage_fetch_t portage_t:fifo_file rw_file_perms; | |
141 | allow portage_fetch_t portage_t:process sigchld; | |
142 | ||
143 | # transition to sandbox for compiling | |
144 | domain_trans(portage_t, portage_exec_t, portage_sandbox_t) | |
145 | corecmd_shell_spec_domtrans(portage_t, portage_sandbox_t) | |
146 | allow portage_sandbox_t portage_t:fd use; | |
147 | allow portage_sandbox_t portage_t:fifo_file rw_file_perms; | |
148 | allow portage_sandbox_t portage_t:process sigchld; | |
149 | ||
150 | # run scripts out of the build directory | |
151 | can_exec(portage_t, portage_tmp_t) | |
e1c41428 | 152 | |
153 | # merging baselayout will need this: |
154 | kernel_write_proc_files(portage_t) | |
e1c41428 | 155 | |
156 | domain_dontaudit_read_all_domains_state(portage_t) |
157 | ||
158 | # modify any files in the system | |
159 | files_manage_all_files(portage_t) | |
160 | ||
161 | selinux_get_fs_mount(portage_t) | |
162 | ||
163 | auth_manage_shadow(portage_t) | |
164 | ||
165 | # merging baselayout will need this: | |
166 | init_exec(portage_t) | |
167 | ||
168 | # run setfiles -r | |
169 | seutil_domtrans_setfiles(portage_t) | |
170 | # run semodule | |
171 | seutil_domtrans_semanage(portage_t) | |
172 | ||
173 | portage_domtrans_gcc_config(portage_t) | |
02f9b21e | 174 | # if sesandbox is disabled, compiling is performed in this domain |
aea3f28e | 175 | portage_compile_domain(portage_t) |
e1c41428 | 176 | |
177 | optional_policy(` |
178 | bootloader_domtrans(portage_t) | |
179 | ') | |
82f1dfb5 | 180 | |
181 | optional_policy(` |
182 | modutils_domtrans_depmod(portage_t) | |
183 | modutils_domtrans_update_mods(portage_t) | |
184 | #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms; | |
185 | ') | |
e1c41428 | 186 | |
187 | optional_policy(` |
188 | usermanage_domtrans_groupadd(portage_t) | |
189 | usermanage_domtrans_useradd(portage_t) | |
190 | ') | |
191 | ||
192 | ifdef(`TODO',` | |
193 | # seems to work ok without these | |
194 | dontaudit portage_t device_t:{ blk_file chr_file } getattr; | |
195 | dontaudit portage_t proc_t:dir setattr; | |
196 | dontaudit portage_t device_type:chr_file read_chr_file_perms; | |
197 | dontaudit portage_t device_type:blk_file read_blk_file_perms; | |
198 | ') | |
199 | |
200 | ########################################## | |
201 | # | |
202 | # Portage fetch domain | |
203 | # - for rsync and distfile fetching | |
204 | # | |
205 | ||
206 | allow portage_fetch_t self:capability { dac_override fowner fsetid }; |
207 | allow portage_fetch_t self:process signal; | |
208 | allow portage_fetch_t self:unix_stream_socket create_socket_perms; | |
209 | allow portage_fetch_t self:tcp_socket create_stream_socket_perms; | |
210 | ||
211 | allow portage_fetch_t portage_conf_t:dir list_dir_perms; | |
212 | read_files_pattern(portage_fetch_t, portage_conf_t, portage_conf_t) | |
213 | ||
214 | manage_dirs_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t) | |
215 | manage_files_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t) | |
216 | ||
217 | manage_dirs_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t) | |
218 | manage_files_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t) | |
219 | files_tmp_filetrans(portage_fetch_t, portage_fetch_tmp_t, { file dir }) | |
220 | ||
221 | # portage makes home dir the portage tmp dir, so | |
222 | # wget looks for .wgetrc there | |
223 | dontaudit portage_fetch_t portage_tmp_t:dir search_dir_perms; | |
224 | # rsync server timestamp check |
225 | allow portage_fetch_t portage_tmp_t:file { read_file_perms delete_file_perms }; | |
226 | |
227 | kernel_read_system_state(portage_fetch_t) | |
228 | kernel_read_kernel_sysctls(portage_fetch_t) | |
229 | ||
230 | corecmd_exec_bin(portage_fetch_t) | |
e1c41428 | 231 | |
232 | corenet_all_recvfrom_unlabeled(portage_fetch_t) |
233 | corenet_all_recvfrom_netlabel(portage_fetch_t) | |
234 | corenet_tcp_sendrecv_generic_if(portage_fetch_t) | |
c1262146 | 235 | corenet_tcp_sendrecv_generic_node(portage_fetch_t) |
236 | corenet_tcp_sendrecv_all_ports(portage_fetch_t) |
237 | # would rather not connect to unspecified ports, but | |
238 | # it occasionally comes up | |
239 | corenet_tcp_connect_all_reserved_ports(portage_fetch_t) | |
240 | corenet_tcp_connect_generic_port(portage_fetch_t) | |
241 | ||
242 | dev_dontaudit_read_rand(portage_fetch_t) | |
243 | ||
244 | domain_use_interactive_fds(portage_fetch_t) | |
245 | ||
246 | files_read_etc_files(portage_fetch_t) | |
247 | files_read_etc_runtime_files(portage_fetch_t) | |
248 | files_search_var(portage_fetch_t) | |
249 | files_dontaudit_search_pids(portage_fetch_t) | |
250 | ||
251 | term_search_ptys(portage_fetch_t) | |
252 | ||
253 | miscfiles_read_localization(portage_fetch_t) |
254 | ||
255 | sysnet_read_config(portage_fetch_t) | |
256 | sysnet_dns_name_resolve(portage_fetch_t) | |
257 | ||
258 | userdom_use_user_terminals(portage_fetch_t) |
259 | userdom_dontaudit_read_user_home_content_files(portage_fetch_t) | |
260 | |
261 | ifdef(`hide_broken_symptoms',` | |
262 | dontaudit portage_fetch_t portage_cache_t:file read; | |
263 | ') | |
264 | |
265 | ########################################## | |
266 | # | |
267 | # Portage sandbox domain | |
268 | # - SELinux-enforced sandbox | |
269 | # | |
270 | ||
aea3f28e | 271 | portage_compile_domain(portage_sandbox_t) |
e1c41428 | 272 | |
273 | ifdef(`hide_broken_symptoms',` |
274 | # leaked descriptors | |
275 | dontaudit portage_sandbox_t portage_cache_t:dir { setattr }; |
276 | dontaudit portage_sandbox_t portage_cache_t:file { setattr write }; | |
02f9b21e | 277 | ') |