[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ - gentoo-commits

From:	Matt Thode <prometheanfire@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date:	Tue, 02 Oct 2012 07:27:58
Message-Id:	`1349162861.7368fd919b51e248191a70e20d20f0c6d6947fa4.prometheanfire@gentoo`

1

commit:     7368fd919b51e248191a70e20d20f0c6d6947fa4

2

Author:     Matthew Thode <mthode <AT> mthode <DOT> org>

3

AuthorDate: Tue Oct  2 07:27:41 2012 +0000

4

Commit:     Matt Thode <prometheanfire <AT> gentoo <DOT> org>

5

CommitDate: Tue Oct  2 07:27:41 2012 +0000

6

URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7368fd91

7

8

adds autofs support to portage, needed for using portage on nfs on

9

autofs

10

11

---

12

 policy/modules/contrib/portage.te |   47 +++---------------------------------

13

 1 files changed, 4 insertions(+), 43 deletions(-)

14

15

diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te

16

index c210f1e..128e7d6 100644

17

--- a/policy/modules/contrib/portage.te

18

+++ b/policy/modules/contrib/portage.te

19

@@ -12,33 +12,12 @@ policy_module(portage, 1.13.0)

20

 ## </desc>

21

 gen_tunable(portage_use_nfs, false)

22

23

-## <desc>

24

-## <p>

25

-## (deprecated) support for dontaudit tryouts

26

-## </p>

27

-## </desc>

28

-gen_tunable(gentoo_try_dontaudit, false)

29

-

30

-## <desc>

31

-## <p>

32

-## (deprecated) support for fixes

33

-## </p>

34

-## </desc>

35

-gen_tunable(gentoo_wait_requests, false)

36

-

37

-

38

 attribute_role portage_roles;

39

40

-# Assigned to domains that are managed by eselect

41

-attribute portage_eselect_domain;

42

-

43

 type gcc_config_t;

44

 type gcc_config_exec_t;

45

 application_domain(gcc_config_t, gcc_config_exec_t)

46

47

-type gcc_config_tmp_t;

48

-files_tmp_file(gcc_config_tmp_t)

49

-

50

 # constraining type

51

 type portage_t;

52

 type portage_exec_t;

53

@@ -105,9 +84,6 @@ files_tmpfs_file(portage_tmpfs_t)

54

 allow gcc_config_t self:capability { chown fsetid };

55

 allow gcc_config_t self:fifo_file rw_file_perms;

56

57

-manage_files_pattern(gcc_config_t, gcc_config_tmp_t, gcc_config_tmp_t)

58

-files_tmp_filetrans(gcc_config_t, gcc_config_tmp_t, file)

59

-

60

 manage_files_pattern(gcc_config_t, portage_cache_t, portage_cache_t)

61

62

 read_files_pattern(gcc_config_t, portage_conf_t, portage_conf_t)

63

@@ -127,8 +103,7 @@ corecmd_manage_bin_files(gcc_config_t)

64

 domain_use_interactive_fds(gcc_config_t)

65

66

 files_manage_etc_files(gcc_config_t)

67

-files_manage_etc_runtime_files(gcc_config_t)

68

-files_manage_etc_runtime_lnk_files(gcc_config_t)

69

+files_rw_etc_runtime_files(gcc_config_t)

70

 files_read_usr_files(gcc_config_t)

71

 files_search_var_lib(gcc_config_t)

72

 files_search_pids(gcc_config_t)

73

@@ -281,8 +256,6 @@ allow portage_fetch_t portage_gpg_t:file manage_file_perms;

74

 allow portage_fetch_t portage_tmp_t:dir manage_dir_perms;

75

 allow portage_fetch_t portage_tmp_t:file manage_file_perms;

76

77

-allow portage_fetch_t portage_devpts_t:chr_file { rw_chr_file_perms setattr };

78

-

79

 read_files_pattern(portage_fetch_t, portage_conf_t, portage_conf_t)

80

81

 manage_dirs_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t)

82

@@ -325,6 +298,9 @@ files_read_usr_files(portage_fetch_t)

83

 files_search_var_lib(portage_fetch_t)

84

 files_dontaudit_search_pids(portage_fetch_t)

85

86

+fs_search_auto_mountpoints(portage_fetch_t)

87

+dev_rw_autofs(portage_fetch_t)

88

+

89

 logging_list_logs(portage_fetch_t)

90

 logging_dontaudit_search_logs(portage_fetch_t)

91

92

@@ -337,8 +313,6 @@ sysnet_dns_name_resolve(portage_fetch_t)

93

94

 userdom_use_user_terminals(portage_fetch_t)

95

 userdom_dontaudit_read_user_home_content_files(portage_fetch_t)

96

-userdom_dontaudit_getattr_user_home_dirs(portage_fetch_t)

97

-userdom_dontaudit_search_user_home_dirs(portage_fetch_t)

98

99

 rsync_exec(portage_fetch_t)

100

101

@@ -370,16 +344,3 @@ ifdef(`hide_broken_symptoms',`

102

 	dontaudit portage_sandbox_t portage_cache_t:dir { setattr };

103

 	dontaudit portage_sandbox_t portage_cache_t:file { setattr write };

104

')

105

-

106

-##########################################

107

-#

108

-# Portage eselect module domain

109

-#

110

-

111

-allow portage_eselect_domain self:fifo_file { read write };

112

-

113

-corecmd_exec_shell(portage_eselect_domain)

114

-

115

-# Support for /etc/env.d changes

116

-files_manage_etc_runtime_files(portage_eselect_domain)

117

-

1	commit: 7368fd919b51e248191a70e20d20f0c6d6947fa4
2	Author: Matthew Thode <mthode <AT> mthode <DOT> org>
3	AuthorDate: Tue Oct 2 07:27:41 2012 +0000
4	Commit: Matt Thode <prometheanfire <AT> gentoo <DOT> org>
5	CommitDate: Tue Oct 2 07:27:41 2012 +0000
6	URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7368fd91
7
8	adds autofs support to portage, needed for using portage on nfs on
9	autofs
10
11	---
12	policy/modules/contrib/portage.te \| 47 +++---------------------------------
13	1 files changed, 4 insertions(+), 43 deletions(-)
14
15	diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
16	index c210f1e..128e7d6 100644
17	--- a/policy/modules/contrib/portage.te
18	+++ b/policy/modules/contrib/portage.te
19	@@ -12,33 +12,12 @@ policy_module(portage, 1.13.0)
20	## </desc>
21	gen_tunable(portage_use_nfs, false)
22
23	-## <desc>
24	-## <p>
25	-## (deprecated) support for dontaudit tryouts
26	-## </p>
27	-## </desc>
28	-gen_tunable(gentoo_try_dontaudit, false)
29	-
30	-## <desc>
31	-## <p>
32	-## (deprecated) support for fixes
33	-## </p>
34	-## </desc>
35	-gen_tunable(gentoo_wait_requests, false)
36	-
37	-
38	attribute_role portage_roles;
39
40	-# Assigned to domains that are managed by eselect
41	-attribute portage_eselect_domain;
42	-
43	type gcc_config_t;
44	type gcc_config_exec_t;
45	application_domain(gcc_config_t, gcc_config_exec_t)
46
47	-type gcc_config_tmp_t;
48	-files_tmp_file(gcc_config_tmp_t)
49	-
50	# constraining type
51	type portage_t;
52	type portage_exec_t;
53	@@ -105,9 +84,6 @@ files_tmpfs_file(portage_tmpfs_t)
54	allow gcc_config_t self:capability { chown fsetid };
55	allow gcc_config_t self:fifo_file rw_file_perms;
56
57	-manage_files_pattern(gcc_config_t, gcc_config_tmp_t, gcc_config_tmp_t)
58	-files_tmp_filetrans(gcc_config_t, gcc_config_tmp_t, file)
59	-
60	manage_files_pattern(gcc_config_t, portage_cache_t, portage_cache_t)
61
62	read_files_pattern(gcc_config_t, portage_conf_t, portage_conf_t)
63	@@ -127,8 +103,7 @@ corecmd_manage_bin_files(gcc_config_t)
64	domain_use_interactive_fds(gcc_config_t)
65
66	files_manage_etc_files(gcc_config_t)
67	-files_manage_etc_runtime_files(gcc_config_t)
68	-files_manage_etc_runtime_lnk_files(gcc_config_t)
69	+files_rw_etc_runtime_files(gcc_config_t)
70	files_read_usr_files(gcc_config_t)
71	files_search_var_lib(gcc_config_t)
72	files_search_pids(gcc_config_t)
73	@@ -281,8 +256,6 @@ allow portage_fetch_t portage_gpg_t:file manage_file_perms;
74	allow portage_fetch_t portage_tmp_t:dir manage_dir_perms;
75	allow portage_fetch_t portage_tmp_t:file manage_file_perms;
76
77	-allow portage_fetch_t portage_devpts_t:chr_file { rw_chr_file_perms setattr };
78	-
79	read_files_pattern(portage_fetch_t, portage_conf_t, portage_conf_t)
80
81	manage_dirs_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t)
82	@@ -325,6 +298,9 @@ files_read_usr_files(portage_fetch_t)
83	files_search_var_lib(portage_fetch_t)
84	files_dontaudit_search_pids(portage_fetch_t)
85
86	+fs_search_auto_mountpoints(portage_fetch_t)
87	+dev_rw_autofs(portage_fetch_t)
88	+
89	logging_list_logs(portage_fetch_t)
90	logging_dontaudit_search_logs(portage_fetch_t)
91
92	@@ -337,8 +313,6 @@ sysnet_dns_name_resolve(portage_fetch_t)
93
94	userdom_use_user_terminals(portage_fetch_t)
95	userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
96	-userdom_dontaudit_getattr_user_home_dirs(portage_fetch_t)
97	-userdom_dontaudit_search_user_home_dirs(portage_fetch_t)
98
99	rsync_exec(portage_fetch_t)
100
101	@@ -370,16 +344,3 @@ ifdef(`hide_broken_symptoms',`
102	dontaudit portage_sandbox_t portage_cache_t:dir { setattr };
103	dontaudit portage_sandbox_t portage_cache_t:file { setattr write };
104	')
105	-
106	-##########################################
107	-#
108	-# Portage eselect module domain
109	-#
110	-
111	-allow portage_eselect_domain self:fifo_file { read write };
112	-
113	-corecmd_exec_shell(portage_eselect_domain)
114	-
115	-# Support for /etc/env.d changes
116	-files_manage_etc_runtime_files(portage_eselect_domain)
117	-

Gentoo Archives: gentoo-commits