commit: 72408360d594d0ce2600219c514a3d5ccc6675a2 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
AuthorDate: Fri Nov 2 18:56:51 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Fri Nov 2 18:56:51 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=72408360 |
|
Reshuffle gentoo specific java code |
|
--- |
policy/modules/contrib/portage.te | 58 ++++++++++++++++++++++-------------- |
1 files changed, 35 insertions(+), 23 deletions(-) |
|
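--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -8,7 +8,7 @@ policy_module(portage, 1.13.4)
 ## <desc>
 ## <p>
 ## Determine whether portage can
-## use nfs filesystems
+## use nfs filesystems.
 ## </p>
 ## </desc>
 gen_tunable(portage_use_nfs, false)
@@ -17,17 +17,11 @@ attribute_role gcc_config_roles;
 attribute_role portage_roles;
 attribute_role portage_fetch_roles;
 
-# Assigned to domains that are managed by eselect
-attribute portage_eselect_domain;
-
 type gcc_config_t;
 type gcc_config_exec_t;
 application_domain(gcc_config_t, gcc_config_exec_t)
 role gcc_config_roles types gcc_config_t;
 
-type gcc_config_tmp_t;
-files_tmp_file(gcc_config_tmp_t)
-
 # constraining type
 type portage_t;
 type portage_exec_t;
@@ -86,6 +80,14 @@ files_tmp_file(portage_tmp_t)
 type portage_tmpfs_t;
 files_tmpfs_file(portage_tmpfs_t)
 
+ifdef(`distro_gentoo',`
+ type gcc_config_tmp_t;
+ files_tmp_file(gcc_config_tmp_t)
+
+ # Assigned to domains that are managed by eselect
+ attribute portage_eselect_domain;
+')
+
 ########################################
 #
 # gcc-config policy
@@ -94,9 +96,6 @@ files_tmpfs_file(portage_tmpfs_t)
 allow gcc_config_t self:capability { chown fsetid };
 allow gcc_config_t self:fifo_file rw_fifo_file_perms;
 
-allow gcc_config_t gcc_config_tmp_t:file manage_file_perms;
-files_tmp_filetrans(gcc_config_t, gcc_config_tmp_t, file)
-
 manage_files_pattern(gcc_config_t, portage_cache_t, portage_cache_t)
 
 read_files_pattern(gcc_config_t, portage_conf_t, portage_conf_t)
@@ -116,8 +115,7 @@ corecmd_manage_bin_files(gcc_config_t)
 domain_use_interactive_fds(gcc_config_t)
 
 files_manage_etc_files(gcc_config_t)
-files_manage_etc_runtime_files(gcc_config_t)
-files_manage_etc_runtime_lnk_files(gcc_config_t)
+files_rw_etc_runtime_files(gcc_config_t)
 files_read_usr_files(gcc_config_t)
 files_search_var_lib(gcc_config_t)
 files_search_pids(gcc_config_t)
@@ -143,7 +141,13 @@ userdom_use_user_terminals(gcc_config_t)
 consoletype_exec(gcc_config_t)
 
 ifdef(`distro_gentoo',`
+ allow gcc_config_t gcc_config_tmp_t:file manage_file_perms;
+ files_tmp_filetrans(gcc_config_t, gcc_config_tmp_t, file)
+
 init_exec_rc(gcc_config_t)
+
+ files_manage_etc_runtime_files(gcc_config_t)
+ files_manage_etc_runtime_lnk_files(gcc_config_t)
 ')
 
 tunable_policy(`portage_use_nfs',`
@@ -165,7 +169,6 @@ allow portage_t self:process { setfscreate setexec };
 # - kill for mysql merging, at least
 allow portage_t self:capability { sys_nice kill setfcap };
 dontaudit portage_t self:capability { dac_read_search };
-allow portage_t self:capability2 block_suspend;
 dontaudit portage_t self:netlink_route_socket rw_netlink_socket_perms;
 
 # user post-sync scripts
@@ -221,6 +224,10 @@ portage_run_gcc_config(portage_t, portage_roles)
 # if sesandbox is disabled, compiling is performed in this domain
 portage_compile_domain(portage_t)
 
+ifdef(`distro_gentoo',`
+ allow portage_t self:capability2 block_suspend;
+')
+
 optional_policy(`
 bootloader_run(portage_t, portage_roles)
 ')
@@ -312,9 +319,6 @@ files_read_usr_files(portage_fetch_t)
 files_dontaudit_search_pids(portage_fetch_t)
 
 fs_search_auto_mountpoints(portage_fetch_t)
-dev_rw_autofs(portage_fetch_t)
-
-fs_search_auto_mountpoints(portage_fetch_t)
 
 logging_list_logs(portage_fetch_t)
 logging_dontaudit_search_logs(portage_fetch_t)
@@ -330,6 +334,12 @@ userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
 
 rsync_exec(portage_fetch_t)
 
+ifdef(`distro_gentoo',`
+ dev_rw_autofs(portage_fetch_t)
+
+ fs_search_auto_mountpoints(portage_fetch_t)
+')
+
 ifdef(`hide_broken_symptoms',`
 dontaudit portage_fetch_t portage_cache_t:file read;
 ')
@@ -361,13 +371,15 @@ ifdef(`hide_broken_symptoms',`
 dontaudit portage_sandbox_t portage_cache_t:file { setattr_file_perms write };
 ')
 
-##########################################
-#
-# Portage eselect module domain
-#
+ifdef(`distro_gentoo',`
+ ##########################################
+ #
+ # Portage eselect module domain
+ #
 
-allow portage_eselect_domain self:fifo_file { read write };
+ allow portage_eselect_domain self:fifo_file { read write };
 
-corecmd_exec_shell(portage_eselect_domain)
+ corecmd_exec_shell(portage_eselect_domain)
 
-files_manage_etc_runtime_files(portage_eselect_domain)
+ files_manage_etc_runtime_files(portage_eselect_domain)
+')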
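Review bot: The distro_gentoo block added for portage_fetch_t (hunk `@@ -330,6 +334,12 @@`) carries `fs_search_auto_mountpoints(portage_fetch_t)`, but the same call stays as a context line in the `@@ -312,9 +319,6 @@` hunk, apparently outside any conditional, so the Gentoo copy grants nothing and makes the permission read as distribution-specific during a policy audit. I would keep only `dev_rw_autofs(portage_fetch_t)` in that block and put a one-line comment above it naming which fetch operation needs read/write on the autofs device, which the page does not say. Separately, the gcc-config hunk `@@ -116,8 +115,7 @@` is more than a reshuffle: outside the Gentoo block gcc_config_t drops from the two manage interfaces on etc_runtime files and symlinks to `files_rw_etc_runtime_files(gcc_config_t)`, a welcome tightening that still changes effective permissions on non-Gentoo builds and deserves a line in the commit message. Indentation was lost in this rendering, so the nesting of the context lines is inferred rather than visible.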