[people/stevee/selinux-policy.git] / policy / modules / admin / portage.te


policy_module(portage, 1.10.0)

########################################
#
# Declarations
#

type gcc_config_t;
type gcc_config_exec_t;
application_domain(gcc_config_t, gcc_config_exec_t)

# constraining type
type portage_t;
type portage_exec_t;
application_domain(portage_t, portage_exec_t)
domain_obj_id_change_exemption(portage_t)
rsync_entry_type(portage_t)
corecmd_shell_entry_type(portage_t)

# portage compile sandbox domain
type portage_sandbox_t;
application_domain(portage_sandbox_t, portage_exec_t)
# the shell is the entrypoint if regular sandbox is disabled
# portage_exec_t is the entrypoint if regular sandbox is enabled
corecmd_shell_entry_type(portage_sandbox_t)

# portage package fetching domain
type portage_fetch_t;
application_type(portage_fetch_t)
corecmd_shell_entry_type(portage_fetch_t)
rsync_entry_type(portage_fetch_t)

type portage_devpts_t;
term_pty(portage_devpts_t)

type portage_ebuild_t;
files_type(portage_ebuild_t)

type portage_fetch_tmp_t;
files_tmp_file(portage_fetch_tmp_t)

type portage_db_t;
files_type(portage_db_t)

type portage_conf_t;
files_type(portage_conf_t)

type portage_cache_t;
files_type(portage_cache_t)

type portage_log_t;
logging_log_file(portage_log_t)

type portage_tmp_t;
files_tmp_file(portage_tmp_t)

type portage_tmpfs_t;
files_tmpfs_file(portage_tmpfs_t)

########################################
#
# gcc-config policy
#

allow gcc_config_t self:capability { chown fsetid };
allow gcc_config_t self:fifo_file rw_file_perms;

manage_files_pattern(gcc_config_t, portage_cache_t, portage_cache_t)

read_files_pattern(gcc_config_t, portage_conf_t, portage_conf_t)

allow gcc_config_t portage_ebuild_t:dir list_dir_perms;
read_files_pattern(gcc_config_t, portage_ebuild_t, portage_ebuild_t)

allow gcc_config_t portage_exec_t:file mmap_file_perms;

kernel_read_system_state(gcc_config_t)
kernel_read_kernel_sysctls(gcc_config_t)

corecmd_exec_shell(gcc_config_t)
corecmd_exec_bin(gcc_config_t)
corecmd_manage_bin_files(gcc_config_t)

domain_use_interactive_fds(gcc_config_t)

files_manage_etc_files(gcc_config_t)
files_rw_etc_runtime_files(gcc_config_t)
files_read_usr_files(gcc_config_t)
files_search_var_lib(gcc_config_t)
files_search_pids(gcc_config_t)
# complains loudly about not being able to list
# the directory it is being run from
files_list_all(gcc_config_t)

# seems to be ok without this
init_dontaudit_read_script_status_files(gcc_config_t)

libs_read_lib_files(gcc_config_t)
libs_domtrans_ldconfig(gcc_config_t)
libs_manage_shared_libs(gcc_config_t)
# gcc-config creates a temp dir for the libs
libs_manage_lib_dirs(gcc_config_t)

logging_send_syslog_msg(gcc_config_t)

miscfiles_read_localization(gcc_config_t)

userdom_use_user_terminals(gcc_config_t)

consoletype_exec(gcc_config_t)

optional_policy(`
	seutil_use_newrole_fds(gcc_config_t)
')

########################################
#
# Portage Merging Rules
#

# - setfscreate for merging to live fs
# - setexec to run portage fetch
allow portage_t self:process { setfscreate setexec };
# - kill for mysql merging, at least
allow portage_t self:capability { sys_nice kill };

# user post-sync scripts
can_exec(portage_t, portage_conf_t)

allow portage_t portage_log_t:file manage_file_perms;
logging_log_filetrans(portage_t, portage_log_t, file)

allow portage_t { portage_fetch_t portage_sandbox_t }:process signal;

# transition for rsync and wget
corecmd_shell_spec_domtrans(portage_t, portage_fetch_t)
rsync_entry_domtrans(portage_t, portage_fetch_t)
allow portage_fetch_t portage_t:fd use;
allow portage_fetch_t portage_t:fifo_file rw_file_perms;
allow portage_fetch_t portage_t:process sigchld;

# transition to sandbox for compiling
domain_trans(portage_t, portage_exec_t, portage_sandbox_t)
corecmd_shell_spec_domtrans(portage_t, portage_sandbox_t)
allow portage_sandbox_t portage_t:fd use;
allow portage_sandbox_t portage_t:fifo_file rw_file_perms;
allow portage_sandbox_t portage_t:process sigchld;

# run scripts out of the build directory
can_exec(portage_t, portage_tmp_t)

# merging baselayout will need this:
kernel_write_proc_files(portage_t)

domain_dontaudit_read_all_domains_state(portage_t)

# modify any files in the system
files_manage_all_files(portage_t)

selinux_get_fs_mount(portage_t)

auth_manage_shadow(portage_t)

# merging baselayout will need this:
init_exec(portage_t)

# run setfiles -r
seutil_domtrans_setfiles(portage_t)
# run semodule
seutil_domtrans_semanage(portage_t)

portage_domtrans_gcc_config(portage_t)
# if sesandbox is disabled, compiling is performed in this domain
portage_compile_domain(portage_t)

optional_policy(`
	bootloader_domtrans(portage_t)
')

optional_policy(`
	modutils_domtrans_depmod(portage_t)
	modutils_domtrans_update_mods(portage_t)
	#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
')

optional_policy(`
	usermanage_domtrans_groupadd(portage_t)
	usermanage_domtrans_useradd(portage_t)
')

ifdef(`TODO',`
# seems to work ok without these
dontaudit portage_t device_t:{ blk_file chr_file } getattr;
dontaudit portage_t proc_t:dir setattr;
dontaudit portage_t device_type:chr_file read_chr_file_perms;
dontaudit portage_t device_type:blk_file read_blk_file_perms;
')

##########################################
#
# Portage fetch domain
# - for rsync and distfile fetching
#

allow portage_fetch_t self:capability { dac_override fowner fsetid };
allow portage_fetch_t self:process signal;
allow portage_fetch_t self:unix_stream_socket create_socket_perms;
allow portage_fetch_t self:tcp_socket create_stream_socket_perms;

allow portage_fetch_t portage_conf_t:dir list_dir_perms;
read_files_pattern(portage_fetch_t, portage_conf_t, portage_conf_t)

manage_dirs_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t)
manage_files_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t)

manage_dirs_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t)
manage_files_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t)
files_tmp_filetrans(portage_fetch_t, portage_fetch_tmp_t, { file dir })

# portage makes home dir the portage tmp dir, so
# wget looks for .wgetrc there
dontaudit portage_fetch_t portage_tmp_t:dir search_dir_perms;
# rsync server timestamp check
allow portage_fetch_t portage_tmp_t:file { read_file_perms delete_file_perms };

kernel_read_system_state(portage_fetch_t)
kernel_read_kernel_sysctls(portage_fetch_t)

corecmd_exec_bin(portage_fetch_t)

corenet_all_recvfrom_unlabeled(portage_fetch_t)
corenet_all_recvfrom_netlabel(portage_fetch_t)
corenet_tcp_sendrecv_generic_if(portage_fetch_t)
corenet_tcp_sendrecv_generic_node(portage_fetch_t)
corenet_tcp_sendrecv_all_ports(portage_fetch_t)
# would rather not connect to unspecified ports, but
# it occasionally comes up
corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
corenet_tcp_connect_generic_port(portage_fetch_t)

dev_dontaudit_read_rand(portage_fetch_t)

domain_use_interactive_fds(portage_fetch_t)

files_read_etc_files(portage_fetch_t)
files_read_etc_runtime_files(portage_fetch_t)
files_search_var(portage_fetch_t)
files_dontaudit_search_pids(portage_fetch_t)

term_search_ptys(portage_fetch_t)

miscfiles_read_localization(portage_fetch_t)

sysnet_read_config(portage_fetch_t)
sysnet_dns_name_resolve(portage_fetch_t)

userdom_use_user_terminals(portage_fetch_t)
userdom_dontaudit_read_user_home_content_files(portage_fetch_t)

ifdef(`hide_broken_symptoms',`
	dontaudit portage_fetch_t portage_cache_t:file read;
')

##########################################
#
# Portage sandbox domain
# - SELinux-enforced sandbox
#

portage_compile_domain(portage_sandbox_t)

ifdef(`hide_broken_symptoms',`
	# leaked descriptors
	dontaudit portage_sandbox_t portage_cache_t:dir { setattr };
	dontaudit portage_sandbox_t portage_cache_t:file { setattr write };
')
Commit	Line	Data
e1c41428	1
29af4c13	2	policy_module(portage, 1.10.0)
e1c41428 CP	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
5afdf0bc CP	9	type gcc_config_t;
5afdf0bc CP	10	type gcc_config_exec_t;
0bfccda4	11	application_domain(gcc_config_t, gcc_config_exec_t)
5afdf0bc	12
82f1dfb5	13	# constraining type
02f9b21e	14	type portage_t;
e1c41428	15	type portage_exec_t;
0bfccda4	16	application_domain(portage_t, portage_exec_t)
aea3f28e	17	domain_obj_id_change_exemption(portage_t)
02f9b21e CP	18	rsync_entry_type(portage_t)
02f9b21e CP	19	corecmd_shell_entry_type(portage_t)
02f9b21e	20
02f9b21e	21	# portage compile sandbox domain
aea3f28e CP	22	type portage_sandbox_t;
aea3f28e CP	23	application_domain(portage_sandbox_t, portage_exec_t)
e1c41428 CP	24	# the shell is the entrypoint if regular sandbox is disabled
e1c41428 CP	25	# portage_exec_t is the entrypoint if regular sandbox is enabled
aea3f28e	26	corecmd_shell_entry_type(portage_sandbox_t)
02f9b21e CP	27
02f9b21e CP	28	# portage package fetching domain
aea3f28e CP	29	type portage_fetch_t;
	30	application_type(portage_fetch_t)
	31	corecmd_shell_entry_type(portage_fetch_t)
	32	rsync_entry_type(portage_fetch_t)
02f9b21e CP	33
	34	type portage_devpts_t;
	35	term_pty(portage_devpts_t)
e1c41428 CP	36
	37	type portage_ebuild_t;
	38	files_type(portage_ebuild_t)
	39
e1c41428 CP	40	type portage_fetch_tmp_t;
	41	files_tmp_file(portage_fetch_tmp_t)
	42
	43	type portage_db_t;
	44	files_type(portage_db_t)
	45
	46	type portage_conf_t;
	47	files_type(portage_conf_t)
	48
	49	type portage_cache_t;
	50	files_type(portage_cache_t)
	51
	52	type portage_log_t;
	53	logging_log_file(portage_log_t)
	54
02f9b21e CP	55	type portage_tmp_t;
	56	files_tmp_file(portage_tmp_t)
	57
	58	type portage_tmpfs_t;
	59	files_tmpfs_file(portage_tmpfs_t)
	60
5afdf0bc CP	61	########################################
	62	#
	63	# gcc-config policy
	64	#
	65
	66	allow gcc_config_t self:capability { chown fsetid };
	67	allow gcc_config_t self:fifo_file rw_file_perms;
	68
0bfccda4	69	manage_files_pattern(gcc_config_t, portage_cache_t, portage_cache_t)
5afdf0bc	70
0bfccda4	71	read_files_pattern(gcc_config_t, portage_conf_t, portage_conf_t)
5afdf0bc CP	72
5afdf0bc CP	73	allow gcc_config_t portage_ebuild_t:dir list_dir_perms;
0bfccda4	74	read_files_pattern(gcc_config_t, portage_ebuild_t, portage_ebuild_t)
5afdf0bc	75
0b36a214	76	allow gcc_config_t portage_exec_t:file mmap_file_perms;
5afdf0bc CP	77
	78	kernel_read_system_state(gcc_config_t)
	79	kernel_read_kernel_sysctls(gcc_config_t)
	80
	81	corecmd_exec_shell(gcc_config_t)
5afdf0bc	82	corecmd_exec_bin(gcc_config_t)
5afdf0bc	83	corecmd_manage_bin_files(gcc_config_t)
5afdf0bc	84
15d80e36 CP	85	domain_use_interactive_fds(gcc_config_t)
15d80e36 CP	86
5afdf0bc CP	87	files_manage_etc_files(gcc_config_t)
5afdf0bc CP	88	files_rw_etc_runtime_files(gcc_config_t)
15d80e36	89	files_read_usr_files(gcc_config_t)
5afdf0bc CP	90	files_search_var_lib(gcc_config_t)
	91	files_search_pids(gcc_config_t)
	92	# complains loudly about not being able to list
	93	# the directory it is being run from
	94	files_list_all(gcc_config_t)
	95
5afdf0bc CP	96	# seems to be ok without this
	97	init_dontaudit_read_script_status_files(gcc_config_t)
	98
5afdf0bc CP	99	libs_read_lib_files(gcc_config_t)
	100	libs_domtrans_ldconfig(gcc_config_t)
	101	libs_manage_shared_libs(gcc_config_t)
5afdf0bc CP	102	# gcc-config creates a temp dir for the libs
	103	libs_manage_lib_dirs(gcc_config_t)
	104
	105	logging_send_syslog_msg(gcc_config_t)
	106
	107	miscfiles_read_localization(gcc_config_t)
	108
296273a7 CP	109	userdom_use_user_terminals(gcc_config_t)
296273a7 CP	110
5afdf0bc CP	111	consoletype_exec(gcc_config_t)
	112
	113	optional_policy(`
	114	seutil_use_newrole_fds(gcc_config_t)
	115	')
	116
e1c41428 CP	117	########################################
e1c41428 CP	118	#
aea3f28e	119	# Portage Merging Rules
e1c41428 CP	120	#
e1c41428 CP	121
aea3f28e CP	122	# - setfscreate for merging to live fs
	123	# - setexec to run portage fetch
	124	allow portage_t self:process { setfscreate setexec };
15d80e36 CP	125	# - kill for mysql merging, at least
	126	allow portage_t self:capability { sys_nice kill };
	127
	128	# user post-sync scripts
	129	can_exec(portage_t, portage_conf_t)
6d14093b	130
aea3f28e CP	131	allow portage_t portage_log_t:file manage_file_perms;
aea3f28e CP	132	logging_log_filetrans(portage_t, portage_log_t, file)
e1c41428	133
aea3f28e CP	134	allow portage_t { portage_fetch_t portage_sandbox_t }:process signal;
	135
	136	# transition for rsync and wget
	137	corecmd_shell_spec_domtrans(portage_t, portage_fetch_t)
	138	rsync_entry_domtrans(portage_t, portage_fetch_t)
	139	allow portage_fetch_t portage_t:fd use;
	140	allow portage_fetch_t portage_t:fifo_file rw_file_perms;
	141	allow portage_fetch_t portage_t:process sigchld;
	142
	143	# transition to sandbox for compiling
	144	domain_trans(portage_t, portage_exec_t, portage_sandbox_t)
	145	corecmd_shell_spec_domtrans(portage_t, portage_sandbox_t)
	146	allow portage_sandbox_t portage_t:fd use;
	147	allow portage_sandbox_t portage_t:fifo_file rw_file_perms;
	148	allow portage_sandbox_t portage_t:process sigchld;
	149
	150	# run scripts out of the build directory
	151	can_exec(portage_t, portage_tmp_t)
e1c41428	152
aea3f28e CP	153	# merging baselayout will need this:
aea3f28e CP	154	kernel_write_proc_files(portage_t)
e1c41428	155
aea3f28e CP	156	domain_dontaudit_read_all_domains_state(portage_t)
	157
	158	# modify any files in the system
	159	files_manage_all_files(portage_t)
	160
	161	selinux_get_fs_mount(portage_t)
	162
	163	auth_manage_shadow(portage_t)
	164
	165	# merging baselayout will need this:
	166	init_exec(portage_t)
	167
	168	# run setfiles -r
	169	seutil_domtrans_setfiles(portage_t)
	170	# run semodule
	171	seutil_domtrans_semanage(portage_t)
	172
	173	portage_domtrans_gcc_config(portage_t)
02f9b21e	174	# if sesandbox is disabled, compiling is performed in this domain
aea3f28e	175	portage_compile_domain(portage_t)
e1c41428	176
aea3f28e CP	177	optional_policy(`
	178	bootloader_domtrans(portage_t)
	179	')
82f1dfb5	180
aea3f28e CP	181	optional_policy(`
	182	modutils_domtrans_depmod(portage_t)
	183	modutils_domtrans_update_mods(portage_t)
	184	#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
	185	')
e1c41428	186
aea3f28e CP	187	optional_policy(`
	188	usermanage_domtrans_groupadd(portage_t)
	189	usermanage_domtrans_useradd(portage_t)
	190	')
	191
	192	ifdef(`TODO',`
	193	# seems to work ok without these
	194	dontaudit portage_t device_t:{ blk_file chr_file } getattr;
	195	dontaudit portage_t proc_t:dir setattr;
	196	dontaudit portage_t device_type:chr_file read_chr_file_perms;
	197	dontaudit portage_t device_type:blk_file read_blk_file_perms;
	198	')
e1c41428 CP	199
	200	##########################################
	201	#
	202	# Portage fetch domain
	203	# - for rsync and distfile fetching
	204	#
	205
aea3f28e CP	206	allow portage_fetch_t self:capability { dac_override fowner fsetid };
	207	allow portage_fetch_t self:process signal;
	208	allow portage_fetch_t self:unix_stream_socket create_socket_perms;
	209	allow portage_fetch_t self:tcp_socket create_stream_socket_perms;
	210
	211	allow portage_fetch_t portage_conf_t:dir list_dir_perms;
	212	read_files_pattern(portage_fetch_t, portage_conf_t, portage_conf_t)
	213
	214	manage_dirs_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t)
	215	manage_files_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t)
	216
	217	manage_dirs_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t)
	218	manage_files_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t)
	219	files_tmp_filetrans(portage_fetch_t, portage_fetch_tmp_t, { file dir })
	220
	221	# portage makes home dir the portage tmp dir, so
	222	# wget looks for .wgetrc there
	223	dontaudit portage_fetch_t portage_tmp_t:dir search_dir_perms;
15d80e36 CP	224	# rsync server timestamp check
15d80e36 CP	225	allow portage_fetch_t portage_tmp_t:file { read_file_perms delete_file_perms };
aea3f28e CP	226
	227	kernel_read_system_state(portage_fetch_t)
	228	kernel_read_kernel_sysctls(portage_fetch_t)
	229
	230	corecmd_exec_bin(portage_fetch_t)
e1c41428	231
aea3f28e CP	232	corenet_all_recvfrom_unlabeled(portage_fetch_t)
	233	corenet_all_recvfrom_netlabel(portage_fetch_t)
	234	corenet_tcp_sendrecv_generic_if(portage_fetch_t)
c1262146	235	corenet_tcp_sendrecv_generic_node(portage_fetch_t)
aea3f28e CP	236	corenet_tcp_sendrecv_all_ports(portage_fetch_t)
	237	# would rather not connect to unspecified ports, but
	238	# it occasionally comes up
	239	corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
	240	corenet_tcp_connect_generic_port(portage_fetch_t)
	241
	242	dev_dontaudit_read_rand(portage_fetch_t)
	243
	244	domain_use_interactive_fds(portage_fetch_t)
	245
	246	files_read_etc_files(portage_fetch_t)
	247	files_read_etc_runtime_files(portage_fetch_t)
	248	files_search_var(portage_fetch_t)
	249	files_dontaudit_search_pids(portage_fetch_t)
	250
	251	term_search_ptys(portage_fetch_t)
	252
aea3f28e CP	253	miscfiles_read_localization(portage_fetch_t)
	254
	255	sysnet_read_config(portage_fetch_t)
	256	sysnet_dns_name_resolve(portage_fetch_t)
	257
296273a7 CP	258	userdom_use_user_terminals(portage_fetch_t)
296273a7 CP	259	userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
aea3f28e CP	260
	261	ifdef(`hide_broken_symptoms',`
	262	dontaudit portage_fetch_t portage_cache_t:file read;
	263	')
e1c41428 CP	264
	265	##########################################
	266	#
	267	# Portage sandbox domain
	268	# - SELinux-enforced sandbox
	269	#
	270
aea3f28e	271	portage_compile_domain(portage_sandbox_t)
e1c41428	272
02f9b21e CP	273	ifdef(`hide_broken_symptoms',`
02f9b21e CP	274	# leaked descriptors
aea3f28e CP	275	dontaudit portage_sandbox_t portage_cache_t:dir { setattr };
aea3f28e CP	276	dontaudit portage_sandbox_t portage_cache_t:file { setattr write };
02f9b21e	277	')