## <summary>Package Management System.</summary>

########################################

## <summary>

##	Execute emerge in the portage domain.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed to transition.

##	</summary>

## </param>

#

interface(`portage_domtrans',`

	gen_require(`

		type portage_t, portage_exec_t;

	')

	corecmd_search_bin($1)

	domtrans_pattern($1, portage_exec_t, portage_t)

')

########################################

## <summary>

##	Execute emerge in the portage domain,

##	and allow the specified role the

##	portage domain.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed to transition.

##	</summary>

## </param>

## <param name="role">

##	<summary>

##	Role allowed access.

##	</summary>

## </param>

## <rolecap/>

#

interface(`portage_run',`

	gen_require(`

		attribute_role portage_roles;

	')

	portage_domtrans($1)

	roleattribute $2 portage_roles;

')

########################################

## <summary>

##	Template for portage sandbox.

## </summary>

## <desc>

##	

##	Template for portage sandbox.  Portage

##	does all compiling in the sandbox.

##	

## </desc>

## <param name="domain">

##	<summary>

##	Domain Allowed Access

##	</summary>

## </param>

#

interface(`portage_compile_domain',`

	gen_require(`

		class dbus send_msg;

		type portage_devpts_t, portage_log_t, portage_srcrepo_t, portage_tmp_t;

		type portage_tmpfs_t;

	')

	allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };

	dontaudit $1 self:capability sys_chroot;

	allow $1 self:process { setpgid setsched setrlimit signal_perms execmem setfscreate };

	allow $1 self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };

	allow $1 self:fd use;

	allow $1 self:fifo_file rw_fifo_file_perms;

	allow $1 self:shm create_shm_perms;

	allow $1 self:sem create_sem_perms;

	allow $1 self:msgq create_msgq_perms;

	allow $1 self:msg { send receive };

	allow $1 self:unix_dgram_socket create_socket_perms;

	allow $1 self:unix_stream_socket create_stream_socket_perms;

	allow $1 self:unix_dgram_socket sendto;

	allow $1 self:unix_stream_socket connectto;

	# really shouldnt need this

	allow $1 self:tcp_socket create_stream_socket_perms;

	allow $1 self:udp_socket create_socket_perms;

	# misc networking stuff (esp needed for compiling perl):

	allow $1 self:rawip_socket { create ioctl };

	# needed for merging dbus:

	allow $1 self:netlink_selinux_socket { bind create read };

	allow $1 self:dbus send_msg;

	allow $1 portage_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms };

	term_create_pty($1, portage_devpts_t)

	# write compile logs

	allow $1 portage_log_t:dir setattr_dir_perms;

	allow $1 portage_log_t:file { write_file_perms setattr_file_perms };

	# Support live ebuilds (-9999)

	manage_dirs_pattern($1, portage_srcrepo_t, portage_srcrepo_t)

	manage_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)

	manage_lnk_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)

	# run scripts out of the build directory

	can_exec(portage_sandbox_t, portage_tmp_t)

	manage_dirs_pattern($1, portage_tmp_t, portage_tmp_t)

	manage_files_pattern($1, portage_tmp_t, portage_tmp_t)

	manage_lnk_files_pattern($1, portage_tmp_t, portage_tmp_t)

	manage_fifo_files_pattern($1, portage_tmp_t, portage_tmp_t)

	manage_sock_files_pattern($1, portage_tmp_t, portage_tmp_t)

	files_tmp_filetrans($1, portage_tmp_t, { dir file lnk_file sock_file fifo_file })

	# SELinux-enabled programs running in the sandbox

	allow $1 portage_tmp_t:file relabel_file_perms;

	manage_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)

	manage_lnk_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)

	manage_fifo_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)

	manage_sock_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)

	fs_tmpfs_filetrans($1, portage_tmpfs_t, { dir file lnk_file sock_file fifo_file })

	kernel_read_system_state($1)

	kernel_read_network_state($1)

	kernel_read_software_raid_state($1)

	kernel_getattr_core_if($1)

	kernel_getattr_message_if($1)

	kernel_read_kernel_sysctls($1)

	corecmd_exec_all_executables($1)

	# really shouldnt need this but some packages test

	# network access, such as during configure

	# also distcc--need to reinvestigate confining distcc client

	corenet_all_recvfrom_unlabeled($1)

	corenet_all_recvfrom_netlabel($1)

	corenet_tcp_sendrecv_generic_if($1)

	corenet_udp_sendrecv_generic_if($1)

	corenet_raw_sendrecv_generic_if($1)

	corenet_tcp_sendrecv_generic_node($1)

	corenet_udp_sendrecv_generic_node($1)

	corenet_raw_sendrecv_generic_node($1)

	corenet_tcp_sendrecv_all_ports($1)

	corenet_udp_sendrecv_all_ports($1)

	corenet_tcp_connect_all_reserved_ports($1)

	corenet_tcp_connect_distccd_port($1)

	corenet_tcp_connect_git_port($1)

	dev_read_sysfs($1)

	dev_read_rand($1)

	dev_read_urand($1)

	domain_use_interactive_fds($1)

	domain_dontaudit_read_all_domains_state($1)

	# SELinux-aware installs doing relabels in the sandbox

	domain_obj_id_change_exemption($1)

	files_exec_etc_files($1)

	files_exec_usr_src_files($1)

	fs_getattr_xattr_fs($1)

	fs_list_noxattr_fs($1)

	fs_read_noxattr_fs_files($1)

	fs_read_noxattr_fs_symlinks($1)

	fs_search_auto_mountpoints($1)

	selinux_validate_context($1)

	# needed for merging dbus:

	selinux_compute_access_vector($1)

	files_list_non_auth_dirs($1)

	files_read_non_auth_files($1)

	files_read_non_auth_symlinks($1)

	libs_exec_lib_files($1)

	# some config scripts use ldd

	libs_exec_ld_so($1)

	libs_exec_ldconfig($1)

	logging_send_syslog_msg($1)

	userdom_use_user_terminals($1)

	# SELinux-enabled programs running in the sandbox

	seutil_libselinux_linked($1)

	tunable_policy(`portage_use_nfs',`

		fs_getattr_nfs($1)

		fs_manage_nfs_dirs($1)

		fs_manage_nfs_files($1)

		fs_manage_nfs_symlinks($1)

	')

	ifdef(`TODO',`

	# some gui ebuilds want to interact with X server, like xawtv

	optional_policy(`

		allow $1 xdm_xserver_tmp_t:dir { add_entry_dir_perms del_entry_dir_perms };

		allow $1 xdm_xserver_tmp_t:sock_file { create_file_perms delete_file_perms write_file_perms };

	')

	') dnl end TODO

')

########################################

## <summary>

##	Execute tree management functions

##	(fetching, layman, ...) in the

##	portage fetch domain.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed to transition.

##	</summary>

## </param>

#

interface(`portage_domtrans_fetch',`

	gen_require(`

		type portage_fetch_t, portage_fetch_exec_t;

	')

	corecmd_search_bin($1)

	domtrans_pattern($1, portage_fetch_exec_t, portage_fetch_t)

')

########################################

## <summary>

##	Execute tree management functions

##	(fetching, layman, ...) in the

##	portage fetch domain, and allow

##	the specified role the portage

##	fetch domain.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed to transition.

##	</summary>

## </param>

## <param name="role">

##	<summary>

##	Role allowed access.

##	</summary>

## </param>

## <rolecap/>

#

interface(`portage_run_fetch',`

	gen_require(`

		attribute_role portage_fetch_roles;

	')

	portage_domtrans_fetch($1)

	roleattribute $2 portage_fetch_roles;

')

########################################

## <summary>

##	Execute gcc-config in the gcc config domain.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed to transition.

##	</summary>

## </param>

#

interface(`portage_domtrans_gcc_config',`

	gen_require(`

		type gcc_config_t, gcc_config_exec_t;

	')

	corecmd_search_bin($1)

	domtrans_pattern($1, gcc_config_exec_t, gcc_config_t)

')

########################################

## <summary>

##	Execute gcc-config in the gcc config

##	domain, and allow the specified role

##	the gcc_config domain.

## </summary>

## <param name="domain">

##	<summary>

##	Domain allowed to transition.

##	</summary>

## </param>

## <param name="role">

##	<summary>

##	Role allowed access.

##	</summary>

## </param>

## <rolecap/>

#

interface(`portage_run_gcc_config',`

	gen_require(`

		attribute_role gcc_config_roles;

	')

	portage_domtrans_gcc_config($1)

	roleattribute $2 gcc_config_roles;

')

########################################

## <summary>

##	Do not audit attempts to use

##	portage file descriptors.

## </summary>

## <param name="domain">

##	<summary>

##	Domain to not audit.

##	</summary>

## </param>

#

interface(`portage_dontaudit_use_fds',`

	gen_require(`

		type portage_t;

	')

	dontaudit $1 portage_t:fd use;

')

########################################

## <summary>

##	Do not audit attempts to search the

##	portage temporary directories.

## </summary>

## <param name="domain">

##	<summary>

##	Domain to not audit.

##	</summary>

## </param>

#

interface(`portage_dontaudit_search_tmp',`

	gen_require(`

		type portage_tmp_t;

	')

	dontaudit $1 portage_tmp_t:dir search_dir_perms;

')

########################################

## <summary>

##	Do not audit attempts to read and write

##	the portage temporary files.

## </summary>

## <param name="domain">

##	<summary>

##	Domain to not audit.

##	</summary>

## </param>

#

interface(`portage_dontaudit_rw_tmp_files',`

	gen_require(`

		type portage_tmp_t;

	')

	dontaudit $1 portage_tmp_t:file rw_file_perms;

')