1 |
commit: 7368fd919b51e248191a70e20d20f0c6d6947fa4 |
2 |
Author: Matthew Thode <mthode <AT> mthode <DOT> org> |
3 |
AuthorDate: Tue Oct 2 07:27:41 2012 +0000 |
4 |
Commit: Matt Thode <prometheanfire <AT> gentoo <DOT> org> |
5 |
CommitDate: Tue Oct 2 07:27:41 2012 +0000 |
6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7368fd91 |
7 |
|
8 |
adds autofs support to portage, needed for using portage on nfs on |
9 |
autofs |
10 |
|
11 |
--- |
12 |
policy/modules/contrib/portage.te | 47 +++--------------------------------- |
13 |
1 files changed, 4 insertions(+), 43 deletions(-) |
14 |
|
15 |
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te |
16 |
index c210f1e..128e7d6 100644 |
17 |
--- a/policy/modules/contrib/portage.te |
18 |
+++ b/policy/modules/contrib/portage.te |
19 |
@@ -12,33 +12,12 @@ policy_module(portage, 1.13.0) |
20 |
## </desc> |
21 |
gen_tunable(portage_use_nfs, false) |
22 |
|
23 |
-## <desc> |
24 |
-## <p> |
25 |
-## (deprecated) support for dontaudit tryouts |
26 |
-## </p> |
27 |
-## </desc> |
28 |
-gen_tunable(gentoo_try_dontaudit, false) |
29 |
- |
30 |
-## <desc> |
31 |
-## <p> |
32 |
-## (deprecated) support for fixes |
33 |
-## </p> |
34 |
-## </desc> |
35 |
-gen_tunable(gentoo_wait_requests, false) |
36 |
- |
37 |
- |
38 |
attribute_role portage_roles; |
39 |
|
40 |
-# Assigned to domains that are managed by eselect |
41 |
-attribute portage_eselect_domain; |
42 |
- |
43 |
type gcc_config_t; |
44 |
type gcc_config_exec_t; |
45 |
application_domain(gcc_config_t, gcc_config_exec_t) |
46 |
|
47 |
-type gcc_config_tmp_t; |
48 |
-files_tmp_file(gcc_config_tmp_t) |
49 |
- |
50 |
# constraining type |
51 |
type portage_t; |
52 |
type portage_exec_t; |
53 |
@@ -105,9 +84,6 @@ files_tmpfs_file(portage_tmpfs_t) |
54 |
allow gcc_config_t self:capability { chown fsetid }; |
55 |
allow gcc_config_t self:fifo_file rw_file_perms; |
56 |
|
57 |
-manage_files_pattern(gcc_config_t, gcc_config_tmp_t, gcc_config_tmp_t) |
58 |
-files_tmp_filetrans(gcc_config_t, gcc_config_tmp_t, file) |
59 |
- |
60 |
manage_files_pattern(gcc_config_t, portage_cache_t, portage_cache_t) |
61 |
|
62 |
read_files_pattern(gcc_config_t, portage_conf_t, portage_conf_t) |
63 |
@@ -127,8 +103,7 @@ corecmd_manage_bin_files(gcc_config_t) |
64 |
domain_use_interactive_fds(gcc_config_t) |
65 |
|
66 |
files_manage_etc_files(gcc_config_t) |
67 |
-files_manage_etc_runtime_files(gcc_config_t) |
68 |
-files_manage_etc_runtime_lnk_files(gcc_config_t) |
69 |
+files_rw_etc_runtime_files(gcc_config_t) |
70 |
files_read_usr_files(gcc_config_t) |
71 |
files_search_var_lib(gcc_config_t) |
72 |
files_search_pids(gcc_config_t) |
73 |
@@ -281,8 +256,6 @@ allow portage_fetch_t portage_gpg_t:file manage_file_perms; |
74 |
allow portage_fetch_t portage_tmp_t:dir manage_dir_perms; |
75 |
allow portage_fetch_t portage_tmp_t:file manage_file_perms; |
76 |
|
77 |
-allow portage_fetch_t portage_devpts_t:chr_file { rw_chr_file_perms setattr }; |
78 |
- |
79 |
read_files_pattern(portage_fetch_t, portage_conf_t, portage_conf_t) |
80 |
|
81 |
manage_dirs_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t) |
82 |
@@ -325,6 +298,9 @@ files_read_usr_files(portage_fetch_t) |
83 |
files_search_var_lib(portage_fetch_t) |
84 |
files_dontaudit_search_pids(portage_fetch_t) |
85 |
|
86 |
+fs_search_auto_mountpoints(portage_fetch_t) |
87 |
+dev_rw_autofs(portage_fetch_t) |
88 |
+ |
89 |
logging_list_logs(portage_fetch_t) |
90 |
logging_dontaudit_search_logs(portage_fetch_t) |
91 |
|
92 |
@@ -337,8 +313,6 @@ sysnet_dns_name_resolve(portage_fetch_t) |
93 |
|
94 |
userdom_use_user_terminals(portage_fetch_t) |
95 |
userdom_dontaudit_read_user_home_content_files(portage_fetch_t) |
96 |
-userdom_dontaudit_getattr_user_home_dirs(portage_fetch_t) |
97 |
-userdom_dontaudit_search_user_home_dirs(portage_fetch_t) |
98 |
|
99 |
rsync_exec(portage_fetch_t) |
100 |
|
101 |
@@ -370,16 +344,3 @@ ifdef(`hide_broken_symptoms',` |
102 |
dontaudit portage_sandbox_t portage_cache_t:dir { setattr }; |
103 |
dontaudit portage_sandbox_t portage_cache_t:file { setattr write }; |
104 |
') |
105 |
- |
106 |
-########################################## |
107 |
-# |
108 |
-# Portage eselect module domain |
109 |
-# |
110 |
- |
111 |
-allow portage_eselect_domain self:fifo_file { read write }; |
112 |
- |
113 |
-corecmd_exec_shell(portage_eselect_domain) |
114 |
- |
115 |
-# Support for /etc/env.d changes |
116 |
-files_manage_etc_runtime_files(portage_eselect_domain) |
117 |
- |