
From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Fri, 02 Nov 2012 19:09:51
Message-Id: 1351882611.72408360d594d0ce2600219c514a3d5ccc6675a2.SwifT@gentoo
1 commit: 72408360d594d0ce2600219c514a3d5ccc6675a2
2 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
3 AuthorDate: Fri Nov 2 18:56:51 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Fri Nov 2 18:56:51 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=72408360
7
8 Reshuffle gentoo specific java code
9
10 ---
11 policy/modules/contrib/portage.te | 58 ++++++++++++++++++++++--------------
12 1 files changed, 35 insertions(+), 23 deletions(-)
13
14 diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
15 index 1e0e1e1..5e5cb70 100644
16 --- a/policy/modules/contrib/portage.te
17 +++ b/policy/modules/contrib/portage.te
18 @@ -8,7 +8,7 @@ policy_module(portage, 1.13.4)
19 ## <desc>
20 ## <p>
21 ## Determine whether portage can
22 -## use nfs filesystems
23 +## use nfs filesystems.
24 ## </p>
25 ## </desc>
26 gen_tunable(portage_use_nfs, false)
27 @@ -17,17 +17,11 @@ attribute_role gcc_config_roles;
28 attribute_role portage_roles;
29 attribute_role portage_fetch_roles;
30
31 -# Assigned to domains that are managed by eselect
32 -attribute portage_eselect_domain;
33 -
34 type gcc_config_t;
35 type gcc_config_exec_t;
36 application_domain(gcc_config_t, gcc_config_exec_t)
37 role gcc_config_roles types gcc_config_t;
38
39 -type gcc_config_tmp_t;
40 -files_tmp_file(gcc_config_tmp_t)
41 -
42 # constraining type
43 type portage_t;
44 type portage_exec_t;
45 @@ -86,6 +80,14 @@ files_tmp_file(portage_tmp_t)
46 type portage_tmpfs_t;
47 files_tmpfs_file(portage_tmpfs_t)
48
49 +ifdef(`distro_gentoo',`
50 + type gcc_config_tmp_t;
51 + files_tmp_file(gcc_config_tmp_t)
52 +
53 + # Assigned to domains that are managed by eselect
54 + attribute portage_eselect_domain;
55 +')
56 +
57 ########################################
58 #
59 # gcc-config policy
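Review bot: `gcc_config_tmp_t` and `portage_eselect_domain` are now declared only when distro_gentoo is defined, so every reference to them has to sit behind the same guard. The uses visible in this commit were all moved into distro_gentoo blocks, but portage.if is not part of the diff. If an interface there requires the attribute or the tmp type, it should be checked on a non-Gentoo build, since a missing declaration would probably fail the build or drop the calling optional block. Separately, the subject line mentions java while only portage.te is touched, which makes this privilege change harder to find in the policy history.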
60 @@ -94,9 +96,6 @@ files_tmpfs_file(portage_tmpfs_t)
61 allow gcc_config_t self:capability { chown fsetid };
62 allow gcc_config_t self:fifo_file rw_fifo_file_perms;
63
64 -allow gcc_config_t gcc_config_tmp_t:file manage_file_perms;
65 -files_tmp_filetrans(gcc_config_t, gcc_config_tmp_t, file)
66 -
67 manage_files_pattern(gcc_config_t, portage_cache_t, portage_cache_t)
68
69 read_files_pattern(gcc_config_t, portage_conf_t, portage_conf_t)
70 @@ -116,8 +115,7 @@ corecmd_manage_bin_files(gcc_config_t)
71 domain_use_interactive_fds(gcc_config_t)
72
73 files_manage_etc_files(gcc_config_t)
74 -files_manage_etc_runtime_files(gcc_config_t)
75 -files_manage_etc_runtime_lnk_files(gcc_config_t)
76 +files_rw_etc_runtime_files(gcc_config_t)
77 files_read_usr_files(gcc_config_t)
78 files_search_var_lib(gcc_config_t)
79 files_search_pids(gcc_config_t)
80 @@ -143,7 +141,13 @@ userdom_use_user_terminals(gcc_config_t)
81 consoletype_exec(gcc_config_t)
82
83 ifdef(`distro_gentoo',`
84 + allow gcc_config_t gcc_config_tmp_t:file manage_file_perms;
85 + files_tmp_filetrans(gcc_config_t, gcc_config_tmp_t, file)
86 +
87 init_exec_rc(gcc_config_t)
88 +
89 + files_manage_etc_runtime_files(gcc_config_t)
90 + files_manage_etc_runtime_lnk_files(gcc_config_t)
91 ')
92
93 tunable_policy(`portage_use_nfs',`
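Review bot: On Gentoo `gcc_config_t` now gets `files_rw_etc_runtime_files` from the common section (added in the previous hunk) plus `files_manage_etc_runtime_files` and `files_manage_etc_runtime_lnk_files` from this block, with no comment saying why the broader manage access is needed. The manage interfaces appear to cover everything the rw one grants, so the effective Gentoo privilege is unchanged by this commit and only other distributions are tightened. A one-line rationale above the two calls, for example `# gcc-config recreates <file> in /etc (placeholder: name the file)`, would let a later reviewer judge whether create/unlink is still required. The same applies to `files_manage_etc_runtime_files(portage_eselect_domain)` in the last hunk, which grants manage to every domain carrying that attribute. The ifdef block opens on a context line and the tunable_policy block that follows continues outside the hunk.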
94 @@ -165,7 +169,6 @@ allow portage_t self:process { setfscreate setexec };
95 # - kill for mysql merging, at least
96 allow portage_t self:capability { sys_nice kill setfcap };
97 dontaudit portage_t self:capability { dac_read_search };
98 -allow portage_t self:capability2 block_suspend;
99 dontaudit portage_t self:netlink_route_socket rw_netlink_socket_perms;
100
101 # user post-sync scripts
102 @@ -221,6 +224,10 @@ portage_run_gcc_config(portage_t, portage_roles)
103 # if sesandbox is disabled, compiling is performed in this domain
104 portage_compile_domain(portage_t)
105
106 +ifdef(`distro_gentoo',`
107 + allow portage_t self:capability2 block_suspend;
108 +')
109 +
110 optional_policy(`
111 bootloader_run(portage_t, portage_roles)
112 ')
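Review bot: `allow portage_t self:capability2 block_suspend;` is carried into the Gentoo block without a comment saying what in portage needs to hold off system suspend. This check is commonly triggered as a side effect of epoll's EPOLLWAKEUP flag rather than by a real need to block suspend. If that is the only source here, `dontaudit portage_t self:capability2 block_suspend;` would silence the denial without granting the capability. If the grant is intentional, a comment such as `# <component> must not be interrupted by suspend (placeholder)` above the rule would record the reason.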
113 @@ -312,9 +319,6 @@ files_read_usr_files(portage_fetch_t)
114 files_dontaudit_search_pids(portage_fetch_t)
115
116 fs_search_auto_mountpoints(portage_fetch_t)
117 -dev_rw_autofs(portage_fetch_t)
118 -
119 -fs_search_auto_mountpoints(portage_fetch_t)
120
121 logging_list_logs(portage_fetch_t)
122 logging_dontaudit_search_logs(portage_fetch_t)
123 @@ -330,6 +334,12 @@ userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
124
125 rsync_exec(portage_fetch_t)
126
127 +ifdef(`distro_gentoo',`
128 + dev_rw_autofs(portage_fetch_t)
129 +
130 + fs_search_auto_mountpoints(portage_fetch_t)
131 +')
132 +
133 ifdef(`hide_broken_symptoms',`
134 dontaudit portage_fetch_t portage_cache_t:file read;
135 ')
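Review bot: The added `fs_search_auto_mountpoints(portage_fetch_t)` inside the distro_gentoo block duplicates the unconditional call that the previous hunk keeps as context, so the commit removes one duplicate and reintroduces it here. Dropping the line from the ifdef leaves the policy unchanged. `dev_rw_autofs(portage_fetch_t)` gives the fetch domain read/write on the autofs device, and because that domain handles network downloads, a short comment on why Gentoo needs it (or narrowing it if only search is required) would help.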
136 @@ -361,13 +371,15 @@ ifdef(`hide_broken_symptoms',`
137 dontaudit portage_sandbox_t portage_cache_t:file { setattr_file_perms write };
138 ')
139
140 -##########################################
141 -#
142 -# Portage eselect module domain
143 -#
144 +ifdef(`distro_gentoo',`
145 + ##########################################
146 + #
147 + # Portage eselect module domain
148 + #
149
150 -allow portage_eselect_domain self:fifo_file { read write };
151 + allow portage_eselect_domain self:fifo_file { read write };
152
153 -corecmd_exec_shell(portage_eselect_domain)
154 + corecmd_exec_shell(portage_eselect_domain)
155
156 -files_manage_etc_runtime_files(portage_eselect_domain)
157 + files_manage_etc_runtime_files(portage_eselect_domain)
158 +')