[people/stevee/selinux-policy.git] / refpolicy / policy / modules / admin / portage.te


policy_module(portage,1.0.0)

########################################
#
# Declarations
#

type portage_exec_t;
files_type(portage_exec_t)

portage_compile_domain(portage)
domain_obj_id_change_exempt(portage_t)

portage_compile_domain(portage_sandbox)
# the shell is the entrypoint if regular sandbox is disabled
# portage_exec_t is the entrypoint if regular sandbox is enabled
corecmd_shell_entry_type(portage_sandbox_t)
domain_entry_file(portage_sandbox_t,portage_exec_t)

type portage_ebuild_t;
files_type(portage_ebuild_t)

type portage_fetch_t;
domain_type(portage_fetch_t)

type portage_fetch_tmp_t;
files_tmp_file(portage_fetch_tmp_t)

type portage_db_t;
files_type(portage_db_t)

type portage_conf_t;
files_type(portage_conf_t)

type portage_cache_t;
files_type(portage_cache_t)

type portage_log_t;
logging_log_file(portage_log_t)

########################################
#
# Portage Rules
#

# - setfscreate for merging to live fs
# - setexec to run portage fetch
allow portage_t self:process { setfscreate setexec };

# transition for rsync and wget
corecmd_shell_spec_domtrans(portage_t,portage_fetch_t)
allow portage_fetch_t portage_t:fd use;
allow portage_fetch_t portage_t:fifo_file rw_file_perms;
allow portage_fetch_t portage_t:process sigchld;

allow portage_t portage_log_t:file create_file_perms;
logging_create_log(portage_t,portage_log_t)

# transition to sandbox for compiling
domain_trans(portage_t,portage_exec_t,portage_sandbox_t)
corecmd_shell_spec_domtrans(portage_t,portage_sandbox_t)
allow portage_sandbox_t portage_t:fd use;
allow portage_sandbox_t portage_t:fifo_file rw_file_perms;
allow portage_sandbox_t portage_t:process sigchld;

# run scripts out of the build directory
can_exec($1_t,portage_tmp_t)

# merging baselayout will need this:
kernel_write_proc_file(portage_t)

domain_dontaudit_read_all_domains_state(portage_t)

# modify any files in the system
files_manage_all_files(portage_t)

selinux_get_fs_mount(portage_t)

# merging baselayout will need this:
init_exec(portage_t)

# run setfiles -r
seutil_domtrans_setfiles(portage_t)

optional_policy(`bootloader',`
	bootloader_domtrans(portage_t)
')

optional_policy(`modutils',`
	modutils_domtrans_depmod(portage_t)
	modutils_domtrans_update_modules(portage_t)
	#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
')

optional_policy(`usermanage',`
	usermanage_domtrans_groupadd(portage_t)
	usermanage_domtrans_useradd(portage_t)
')

# seems to work ok without these
dontaudit portage_t device_t:{ blk_file chr_file } getattr;
dontaudit portage_t proc_t:dir setattr;
dontaudit portage_t device_type:{ chr_file blk_file } r_file_perms;

##########################################
#
# Portage fetch domain
# - for rsync and distfile fetching
#

allow portage_fetch_t self:capability dac_override;
dontaudit portage_fetch_t self:capability { fowner fsetid };
allow portage_fetch_t self:unix_stream_socket create_socket_perms;
allow portage_fetch_t self:tcp_socket create_stream_socket_perms;

allow portage_fetch_t portage_conf_t:dir list_dir_perms;
allow portage_fetch_t portage_conf_t:file r_file_perms;

allow portage_fetch_t portage_ebuild_t:dir manage_dir_perms;
allow portage_fetch_t portage_ebuild_t:file manage_file_perms;

allow portage_fetch_t portage_fetch_tmp_t:dir create_dir_perms;
allow portage_fetch_t portage_fetch_tmp_t:file create_file_perms;
files_create_tmp_files(portage_fetch_t, portage_fetch_tmp_t, { file dir })

# portage makes home dir the portage tmp dir, so
# wget looks for .wgetrc there
dontaudit portage_fetch_t portage_tmp_t:dir search_dir_perms;

kernel_read_system_state(portage_fetch_t)
kernel_read_kernel_sysctl(portage_fetch_t)

corecmd_exec_bin(portage_fetch_t)
corecmd_exec_sbin(portage_fetch_t)

corenet_non_ipsec_sendrecv(portage_fetch_t)
corenet_tcp_sendrecv_generic_if(portage_fetch_t)
corenet_tcp_sendrecv_all_nodes(portage_fetch_t)
corenet_tcp_sendrecv_all_ports(portage_fetch_t)
# would rather not connect to unspecified ports, but
# it occasionally comes up
corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
corenet_tcp_connect_generic_port(portage_fetch_t)

dev_search_ptys(portage_fetch_t)
dev_dontaudit_read_rand(portage_fetch_t)

domain_use_wide_inherit_fds(portage_fetch_t)

files_read_etc_files(portage_fetch_t)
files_read_etc_runtime_files(portage_fetch_t)
files_search_var(portage_fetch_t)
files_dontaudit_search_pids(portage_fetch_t)

libs_use_ld_so(portage_fetch_t)
libs_use_shared_libs(portage_fetch_t)

miscfiles_read_localization(portage_fetch_t)

sysnet_read_config(portage_fetch_t)
sysnet_dns_name_resolve(portage_fetch_t)

userdom_dontaudit_read_sysadm_home_files(portage_fetch_t)

ifdef(`hide_broken_symptoms',`
	dontaudit portage_fetch_t portage_cache_t:file read;
')

ifdef(`TODO',`
domain_auto_trans(portage_t, rsyncd_exec_t, portage_fetch_t)
')

##########################################
#
# Portage sandbox domain
# - SELinux-enforced sandbox
#

# seems ok w/o this
dontaudit portage_sandbox_t portage_cache_t:dir { setattr };
dontaudit portage_sandbox_t portage_cache_t:file { setattr write };

allow portage_sandbox_t portage_tmp_t:dir manage_dir_perms;
allow portage_sandbox_t portage_tmp_t:file manage_dir_perms;
allow portage_sandbox_t portage_tmp_t:lnk_file create_lnk_perms;
# run scripts out of the build directory
can_exec(portage_sandbox_t,portage_tmp_t)
Commit	Line	Data
e1c41428 CP	1
	2	policy_module(portage,1.0.0)
	3
	4	########################################
	5	#
	6	# Declarations
	7	#
	8
	9	type portage_exec_t;
	10	files_type(portage_exec_t)
	11
	12	portage_compile_domain(portage)
	13	domain_obj_id_change_exempt(portage_t)
	14
	15	portage_compile_domain(portage_sandbox)
	16	# the shell is the entrypoint if regular sandbox is disabled
	17	# portage_exec_t is the entrypoint if regular sandbox is enabled
	18	corecmd_shell_entry_type(portage_sandbox_t)
	19	domain_entry_file(portage_sandbox_t,portage_exec_t)
	20
	21	type portage_ebuild_t;
	22	files_type(portage_ebuild_t)
	23
	24	type portage_fetch_t;
	25	domain_type(portage_fetch_t)
	26
	27	type portage_fetch_tmp_t;
	28	files_tmp_file(portage_fetch_tmp_t)
	29
	30	type portage_db_t;
	31	files_type(portage_db_t)
	32
	33	type portage_conf_t;
	34	files_type(portage_conf_t)
	35
	36	type portage_cache_t;
	37	files_type(portage_cache_t)
	38
	39	type portage_log_t;
	40	logging_log_file(portage_log_t)
	41
	42	########################################
	43	#
	44	# Portage Rules
	45	#
	46
	47	# - setfscreate for merging to live fs
	48	# - setexec to run portage fetch
	49	allow portage_t self:process { setfscreate setexec };
	50
	51	# transition for rsync and wget
	52	corecmd_shell_spec_domtrans(portage_t,portage_fetch_t)
	53	allow portage_fetch_t portage_t:fd use;
	54	allow portage_fetch_t portage_t:fifo_file rw_file_perms;
	55	allow portage_fetch_t portage_t:process sigchld;
	56
	57	allow portage_t portage_log_t:file create_file_perms;
	58	logging_create_log(portage_t,portage_log_t)
	59
	60	# transition to sandbox for compiling
	61	domain_trans(portage_t,portage_exec_t,portage_sandbox_t)
	62	corecmd_shell_spec_domtrans(portage_t,portage_sandbox_t)
	63	allow portage_sandbox_t portage_t:fd use;
	64	allow portage_sandbox_t portage_t:fifo_file rw_file_perms;
65	allow portage_sandbox_t portage_t:process sigchld;
66
67	# run scripts out of the build directory
68	can_exec($1_t,portage_tmp_t)
69
70	# merging baselayout will need this:
71	kernel_write_proc_file(portage_t)
72
73	domain_dontaudit_read_all_domains_state(portage_t)
74
75	# modify any files in the system
76	files_manage_all_files(portage_t)
77
78	selinux_get_fs_mount(portage_t)
79
80	# merging baselayout will need this:
81	init_exec(portage_t)
82
83	# run setfiles -r
84	seutil_domtrans_setfiles(portage_t)
85
86	optional_policy(`bootloader',`
87	bootloader_domtrans(portage_t)
88	')
89
90	optional_policy(`modutils',`
91	modutils_domtrans_depmod(portage_t)
92	modutils_domtrans_update_modules(portage_t)
93	#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
94	')
95
96	optional_policy(`usermanage',`
97	usermanage_domtrans_groupadd(portage_t)
98	usermanage_domtrans_useradd(portage_t)
99	')
100
101	# seems to work ok without these
102	dontaudit portage_t device_t:{ blk_file chr_file } getattr;
103	dontaudit portage_t proc_t:dir setattr;
104	dontaudit portage_t device_type:{ chr_file blk_file } r_file_perms;
105
106	##########################################
107	#
108	# Portage fetch domain
109	# - for rsync and distfile fetching
110	#
111
112	allow portage_fetch_t self:capability dac_override;
113	dontaudit portage_fetch_t self:capability { fowner fsetid };
114	allow portage_fetch_t self:unix_stream_socket create_socket_perms;
115	allow portage_fetch_t self:tcp_socket create_stream_socket_perms;
116
117	allow portage_fetch_t portage_conf_t:dir list_dir_perms;
118	allow portage_fetch_t portage_conf_t:file r_file_perms;
119
120	allow portage_fetch_t portage_ebuild_t:dir manage_dir_perms;
121	allow portage_fetch_t portage_ebuild_t:file manage_file_perms;
122
123	allow portage_fetch_t portage_fetch_tmp_t:dir create_dir_perms;
124	allow portage_fetch_t portage_fetch_tmp_t:file create_file_perms;
125	files_create_tmp_files(portage_fetch_t, portage_fetch_tmp_t, { file dir })
126
127	# portage makes home dir the portage tmp dir, so
128	# wget looks for .wgetrc there
129	dontaudit portage_fetch_t portage_tmp_t:dir search_dir_perms;
130
131	kernel_read_system_state(portage_fetch_t)
132	kernel_read_kernel_sysctl(portage_fetch_t)
133
134	corecmd_exec_bin(portage_fetch_t)
135	corecmd_exec_sbin(portage_fetch_t)
136
137	corenet_non_ipsec_sendrecv(portage_fetch_t)
138	corenet_tcp_sendrecv_generic_if(portage_fetch_t)
139	corenet_tcp_sendrecv_all_nodes(portage_fetch_t)
140	corenet_tcp_sendrecv_all_ports(portage_fetch_t)
141	# would rather not connect to unspecified ports, but
142	# it occasionally comes up
143	corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
144	corenet_tcp_connect_generic_port(portage_fetch_t)
145
146	dev_search_ptys(portage_fetch_t)
147	dev_dontaudit_read_rand(portage_fetch_t)
148
149	domain_use_wide_inherit_fds(portage_fetch_t)
150
151	files_read_etc_files(portage_fetch_t)
152	files_read_etc_runtime_files(portage_fetch_t)
153	files_search_var(portage_fetch_t)
154	files_dontaudit_search_pids(portage_fetch_t)
155
156	libs_use_ld_so(portage_fetch_t)
157	libs_use_shared_libs(portage_fetch_t)
158
159	miscfiles_read_localization(portage_fetch_t)
160
161	sysnet_read_config(portage_fetch_t)
162	sysnet_dns_name_resolve(portage_fetch_t)
163
164	userdom_dontaudit_read_sysadm_home_files(portage_fetch_t)
165
166	ifdef(`hide_broken_symptoms',`
167	dontaudit portage_fetch_t portage_cache_t:file read;
168	')
169
170	ifdef(`TODO',`
171	domain_auto_trans(portage_t, rsyncd_exec_t, portage_fetch_t)
172	')
173
174	##########################################
175	#
176	# Portage sandbox domain
177	# - SELinux-enforced sandbox
178	#
179
180	# seems ok w/o this
181	dontaudit portage_sandbox_t portage_cache_t:dir { setattr };
182	dontaudit portage_sandbox_t portage_cache_t:file { setattr write };
183
184	allow portage_sandbox_t portage_tmp_t:dir manage_dir_perms;
185	allow portage_sandbox_t portage_tmp_t:file manage_dir_perms;
186	allow portage_sandbox_t portage_tmp_t:lnk_file create_lnk_perms;
187	# run scripts out of the build directory
188	can_exec(portage_sandbox_t,portage_tmp_t)