]>
Commit | Line | Data |
---|---|---|
e1c41428 CP |
1 | |
2 | policy_module(portage,1.0.0) | |
3 | ||
4 | ######################################## | |
5 | # | |
6 | # Declarations | |
7 | # | |
8 | ||
9 | type portage_exec_t; | |
10 | files_type(portage_exec_t) | |
11 | ||
12 | portage_compile_domain(portage) | |
13 | domain_obj_id_change_exempt(portage_t) | |
14 | ||
15 | portage_compile_domain(portage_sandbox) | |
16 | # the shell is the entrypoint if regular sandbox is disabled | |
17 | # portage_exec_t is the entrypoint if regular sandbox is enabled | |
18 | corecmd_shell_entry_type(portage_sandbox_t) | |
19 | domain_entry_file(portage_sandbox_t,portage_exec_t) | |
20 | ||
21 | type portage_ebuild_t; | |
22 | files_type(portage_ebuild_t) | |
23 | ||
24 | type portage_fetch_t; | |
25 | domain_type(portage_fetch_t) | |
26 | ||
27 | type portage_fetch_tmp_t; | |
28 | files_tmp_file(portage_fetch_tmp_t) | |
29 | ||
30 | type portage_db_t; | |
31 | files_type(portage_db_t) | |
32 | ||
33 | type portage_conf_t; | |
34 | files_type(portage_conf_t) | |
35 | ||
36 | type portage_cache_t; | |
37 | files_type(portage_cache_t) | |
38 | ||
39 | type portage_log_t; | |
40 | logging_log_file(portage_log_t) | |
41 | ||
42 | ######################################## | |
43 | # | |
44 | # Portage Rules | |
45 | # | |
46 | ||
47 | # - setfscreate for merging to live fs | |
48 | # - setexec to run portage fetch | |
49 | allow portage_t self:process { setfscreate setexec }; | |
50 | ||
51 | # transition for rsync and wget | |
52 | corecmd_shell_spec_domtrans(portage_t,portage_fetch_t) | |
53 | allow portage_fetch_t portage_t:fd use; | |
54 | allow portage_fetch_t portage_t:fifo_file rw_file_perms; | |
55 | allow portage_fetch_t portage_t:process sigchld; | |
56 | ||
57 | allow portage_t portage_log_t:file create_file_perms; | |
58 | logging_create_log(portage_t,portage_log_t) | |
59 | ||
60 | # transition to sandbox for compiling | |
61 | domain_trans(portage_t,portage_exec_t,portage_sandbox_t) | |
62 | corecmd_shell_spec_domtrans(portage_t,portage_sandbox_t) | |
63 | allow portage_sandbox_t portage_t:fd use; | |
64 | allow portage_sandbox_t portage_t:fifo_file rw_file_perms; | |
65 | allow portage_sandbox_t portage_t:process sigchld; | |
66 | ||
67 | # run scripts out of the build directory | |
68 | can_exec($1_t,portage_tmp_t) | |
69 | ||
70 | # merging baselayout will need this: | |
71 | kernel_write_proc_file(portage_t) | |
72 | ||
73 | domain_dontaudit_read_all_domains_state(portage_t) | |
74 | ||
75 | # modify any files in the system | |
76 | files_manage_all_files(portage_t) | |
77 | ||
78 | selinux_get_fs_mount(portage_t) | |
79 | ||
80 | # merging baselayout will need this: | |
81 | init_exec(portage_t) | |
82 | ||
83 | # run setfiles -r | |
84 | seutil_domtrans_setfiles(portage_t) | |
85 | ||
86 | optional_policy(`bootloader',` | |
87 | bootloader_domtrans(portage_t) | |
88 | ') | |
89 | ||
90 | optional_policy(`modutils',` | |
91 | modutils_domtrans_depmod(portage_t) | |
92 | modutils_domtrans_update_modules(portage_t) | |
93 | #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms; | |
94 | ') | |
95 | ||
96 | optional_policy(`usermanage',` | |
97 | usermanage_domtrans_groupadd(portage_t) | |
98 | usermanage_domtrans_useradd(portage_t) | |
99 | ') | |
100 | ||
101 | # seems to work ok without these | |
102 | dontaudit portage_t device_t:{ blk_file chr_file } getattr; | |
103 | dontaudit portage_t proc_t:dir setattr; | |
104 | dontaudit portage_t device_type:{ chr_file blk_file } r_file_perms; | |
105 | ||
106 | ########################################## | |
107 | # | |
108 | # Portage fetch domain | |
109 | # - for rsync and distfile fetching | |
110 | # | |
111 | ||
112 | allow portage_fetch_t self:capability dac_override; | |
113 | dontaudit portage_fetch_t self:capability { fowner fsetid }; | |
114 | allow portage_fetch_t self:unix_stream_socket create_socket_perms; | |
115 | allow portage_fetch_t self:tcp_socket create_stream_socket_perms; | |
116 | ||
117 | allow portage_fetch_t portage_conf_t:dir list_dir_perms; | |
118 | allow portage_fetch_t portage_conf_t:file r_file_perms; | |
119 | ||
120 | allow portage_fetch_t portage_ebuild_t:dir manage_dir_perms; | |
121 | allow portage_fetch_t portage_ebuild_t:file manage_file_perms; | |
122 | ||
123 | allow portage_fetch_t portage_fetch_tmp_t:dir create_dir_perms; | |
124 | allow portage_fetch_t portage_fetch_tmp_t:file create_file_perms; | |
125 | files_create_tmp_files(portage_fetch_t, portage_fetch_tmp_t, { file dir }) | |
126 | ||
127 | # portage makes home dir the portage tmp dir, so | |
128 | # wget looks for .wgetrc there | |
129 | dontaudit portage_fetch_t portage_tmp_t:dir search_dir_perms; | |
130 | ||
131 | kernel_read_system_state(portage_fetch_t) | |
132 | kernel_read_kernel_sysctl(portage_fetch_t) | |
133 | ||
134 | corecmd_exec_bin(portage_fetch_t) | |
135 | corecmd_exec_sbin(portage_fetch_t) | |
136 | ||
137 | corenet_non_ipsec_sendrecv(portage_fetch_t) | |
138 | corenet_tcp_sendrecv_generic_if(portage_fetch_t) | |
139 | corenet_tcp_sendrecv_all_nodes(portage_fetch_t) | |
140 | corenet_tcp_sendrecv_all_ports(portage_fetch_t) | |
141 | # would rather not connect to unspecified ports, but | |
142 | # it occasionally comes up | |
143 | corenet_tcp_connect_all_reserved_ports(portage_fetch_t) | |
144 | corenet_tcp_connect_generic_port(portage_fetch_t) | |
145 | ||
146 | dev_search_ptys(portage_fetch_t) | |
147 | dev_dontaudit_read_rand(portage_fetch_t) | |
148 | ||
149 | domain_use_wide_inherit_fds(portage_fetch_t) | |
150 | ||
151 | files_read_etc_files(portage_fetch_t) | |
152 | files_read_etc_runtime_files(portage_fetch_t) | |
153 | files_search_var(portage_fetch_t) | |
154 | files_dontaudit_search_pids(portage_fetch_t) | |
155 | ||
156 | libs_use_ld_so(portage_fetch_t) | |
157 | libs_use_shared_libs(portage_fetch_t) | |
158 | ||
159 | miscfiles_read_localization(portage_fetch_t) | |
160 | ||
161 | sysnet_read_config(portage_fetch_t) | |
162 | sysnet_dns_name_resolve(portage_fetch_t) | |
163 | ||
164 | userdom_dontaudit_read_sysadm_home_files(portage_fetch_t) | |
165 | ||
166 | ifdef(`hide_broken_symptoms',` | |
167 | dontaudit portage_fetch_t portage_cache_t:file read; | |
168 | ') | |
169 | ||
170 | ifdef(`TODO',` | |
171 | domain_auto_trans(portage_t, rsyncd_exec_t, portage_fetch_t) | |
172 | ') | |
173 | ||
174 | ########################################## | |
175 | # | |
176 | # Portage sandbox domain | |
177 | # - SELinux-enforced sandbox | |
178 | # | |
179 | ||
180 | # seems ok w/o this | |
181 | dontaudit portage_sandbox_t portage_cache_t:dir { setattr }; | |
182 | dontaudit portage_sandbox_t portage_cache_t:file { setattr write }; | |
183 | ||
184 | allow portage_sandbox_t portage_tmp_t:dir manage_dir_perms; | |
185 | allow portage_sandbox_t portage_tmp_t:file manage_dir_perms; | |
186 | allow portage_sandbox_t portage_tmp_t:lnk_file create_lnk_perms; | |
187 | # run scripts out of the build directory | |
188 | can_exec(portage_sandbox_t,portage_tmp_t) |