Gentoo Archives: gentoo-commits

From: Sven Vermeulen <swift@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Sun, 03 Nov 2013 11:19:17
Message-Id: 1383477374.ee154a5d02d8ee55ec048796017ec187ad888b43.swift@gentoo
1 commit: ee154a5d02d8ee55ec048796017ec187ad888b43
2 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
3 AuthorDate: Sun Nov 3 11:16:14 2013 +0000
4 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
5 CommitDate: Sun Nov 3 11:16:14 2013 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=ee154a5d
7
8 Support self-update of Portage
9
10 When Portage is asked to update itself, it triggers a specific procedure
11 (in portage/pym/portage/package/ebuild/doebuild.py, a method called
12 _prepare_self_update).
13
14 In this method, it will create a temporary copy of PORTAGE_BIN_PATH and
15 PORTAGE_PYM_PATH (which are bin_t, lib_t and some specific Portage
16 types).
17
18 During this copy, it needs to set the proper labels on the files, which
19 is why we now allow the various relabel operations.
20
21 ---
22 policy/modules/contrib/portage.te | 13 +++++++++++++
23 1 file changed, 13 insertions(+)
24
25 diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
26 index 533919c..5230679 100644
27 --- a/policy/modules/contrib/portage.te
28 +++ b/policy/modules/contrib/portage.te
29 @@ -395,12 +395,25 @@ ifdef(`distro_gentoo',`
30 #
31 allow portage_t self:capability2 block_suspend;
32
33 + # Support self-update of Portage
34 + allow portage_t portage_tmp_t:dir relabel_dir_perms;
35 + allow portage_t portage_tmp_t:lnk_file relabel_lnk_file_perms;
36 + allow portage_t portage_exec_t:file relabel_file_perms;
37 + allow portage_t portage_fetch_exec_t:file relabel_file_perms;
38 +
39 # Portage is selinuxaware, transitions on calling ebuild, now marked as bin_t
40 corecmd_bin_entry_type(portage_t)
41 + # Support self-update of Portage
42 + corecmd_relabel_bin_dirs(portage_t)
43 + corecmd_relabel_bin_files(portage_t)
44 + corecmd_relabel_bin_lnk_files(portage_t)
45
46 auth_use_nsswitch(portage_t)
47
48 libs_generic_etc_filetrans_ld_so_cache(portage_t, file, "ld.so.cache~")
49 + # Support self-update of Portage
50 + libs_relabel_lib_dirs(portage_t)
51 + libs_relabel_lib_files(portage_t)
52
53 ##########################################
54 #
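Review bot: the hunk grants portage_t relabel permissions on portage_tmp_t for the dir and lnk_file classes only (`allow portage_t portage_tmp_t:dir relabel_dir_perms;` and `allow portage_t portage_tmp_t:lnk_file relabel_lnk_file_perms;`), but not for regular files. If the regular files in the temporary copy of PORTAGE_BIN_PATH/PORTAGE_PYM_PATH are created as portage_tmp_t before being relabeled to bin_t, lib_t or portage_exec_t, the relabelfrom side of that operation will be denied on portage_tmp_t:file even though relabelto is covered by corecmd_relabel_bin_files(), libs_relabel_lib_files() and the portage_exec_t rule. Either add `allow portage_t portage_tmp_t:file relabel_file_perms;` alongside the dir and lnk_file rules, or note in the comment why the copied files never carry portage_tmp_t (for example because the context is set at creation time), so a later reader of the policy does not have to rediscover this from an AVC denial. Since the relabel interfaces are also broad (they let portage_t move files into and out of bin_t and lib_t), a one-line comment stating that they exist solely for _prepare_self_update would help when these rules are audited later.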