psss / rpms / selinux-policy

Forked from rpms/selinux-policy 5 years ago
Clone
Source Code
GIT

Files

  1.   445522dcb0e67bce8e20ae9ece2058d25543169a
  2.   refpolicy
  3.   policy
  4.   modules
  5.   admin
  6.   portage.te
Blob Blame History Raw 

policy_module(portage,1.0.0)

########################################
#
# Declarations
#

type portage_exec_t;
files_type(portage_exec_t)

portage_compile_domain_template(portage)
domain_obj_id_change_exempt(portage_t)

portage_compile_domain_template(portage_sandbox)
# the shell is the entrypoint if regular sandbox is disabled
# portage_exec_t is the entrypoint if regular sandbox is enabled
corecmd_shell_entry_type(portage_sandbox_t)
domain_entry_file(portage_sandbox_t,portage_exec_t)

type portage_ebuild_t;
files_type(portage_ebuild_t)

type portage_fetch_t;
domain_type(portage_fetch_t)

type portage_fetch_tmp_t;
files_tmp_file(portage_fetch_tmp_t)

type portage_db_t;
files_type(portage_db_t)

type portage_conf_t;
files_type(portage_conf_t)

type portage_cache_t;
files_type(portage_cache_t)

type portage_log_t;
logging_log_file(portage_log_t)

########################################
#
# Portage Rules
#

# - setfscreate for merging to live fs
# - setexec to run portage fetch
allow portage_t self:process { setfscreate setexec };

# transition for rsync and wget
corecmd_shell_spec_domtrans(portage_t,portage_fetch_t)
allow portage_fetch_t portage_t:fd use;
allow portage_fetch_t portage_t:fifo_file rw_file_perms;
allow portage_fetch_t portage_t:process sigchld;

allow portage_t portage_log_t:file create_file_perms;
logging_filetrans_log(portage_t,portage_log_t)

# transition to sandbox for compiling
domain_trans(portage_t,portage_exec_t,portage_sandbox_t)
corecmd_shell_spec_domtrans(portage_t,portage_sandbox_t)
allow portage_sandbox_t portage_t:fd use;
allow portage_sandbox_t portage_t:fifo_file rw_file_perms;
allow portage_sandbox_t portage_t:process sigchld;

# run scripts out of the build directory
can_exec(portage_t,portage_tmp_t)

# merging baselayout will need this:
kernel_write_proc_files(portage_t)

domain_dontaudit_read_all_domains_state(portage_t)

# modify any files in the system
files_manage_all_files(portage_t)

selinux_get_fs_mount(portage_t)

auth_manage_shadow(portage_t)

# merging baselayout will need this:
init_exec(portage_t)

# run setfiles -r
seutil_domtrans_setfiles(portage_t)

optional_policy(`bootloader',`
	bootloader_domtrans(portage_t)
')

optional_policy(`modutils',`
	modutils_domtrans_depmod(portage_t)
	modutils_domtrans_update_mods(portage_t)
	#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
')

optional_policy(`usermanage',`
	usermanage_domtrans_groupadd(portage_t)
	usermanage_domtrans_useradd(portage_t)
')

ifdef(`TODO',`
# seems to work ok without these
dontaudit portage_t device_t:{ blk_file chr_file } getattr;
dontaudit portage_t proc_t:dir setattr;
dontaudit portage_t device_type:{ chr_file blk_file } r_file_perms;
')

##########################################
#
# Portage fetch domain
# - for rsync and distfile fetching
#

allow portage_fetch_t self:capability dac_override;
dontaudit portage_fetch_t self:capability { fowner fsetid };
allow portage_fetch_t self:unix_stream_socket create_socket_perms;
allow portage_fetch_t self:tcp_socket create_stream_socket_perms;

allow portage_fetch_t portage_conf_t:dir list_dir_perms;
allow portage_fetch_t portage_conf_t:file r_file_perms;

allow portage_fetch_t portage_ebuild_t:dir manage_dir_perms;
allow portage_fetch_t portage_ebuild_t:file manage_file_perms;

allow portage_fetch_t portage_fetch_tmp_t:dir create_dir_perms;
allow portage_fetch_t portage_fetch_tmp_t:file create_file_perms;
files_filetrans_tmp(portage_fetch_t, portage_fetch_tmp_t, { file dir })

# portage makes home dir the portage tmp dir, so
# wget looks for .wgetrc there
dontaudit portage_fetch_t portage_tmp_t:dir search_dir_perms;

kernel_read_system_state(portage_fetch_t)
kernel_read_kernel_sysctls(portage_fetch_t)

corecmd_exec_bin(portage_fetch_t)
corecmd_exec_sbin(portage_fetch_t)

corenet_non_ipsec_sendrecv(portage_fetch_t)
corenet_tcp_sendrecv_generic_if(portage_fetch_t)
corenet_tcp_sendrecv_all_nodes(portage_fetch_t)
corenet_tcp_sendrecv_all_ports(portage_fetch_t)
# would rather not connect to unspecified ports, but
# it occasionally comes up
corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
corenet_tcp_connect_generic_port(portage_fetch_t)

dev_dontaudit_read_rand(portage_fetch_t)

domain_use_wide_inherit_fd(portage_fetch_t)

files_read_etc_files(portage_fetch_t)
files_read_etc_runtime_files(portage_fetch_t)
files_search_var(portage_fetch_t)
files_dontaudit_search_pids(portage_fetch_t)

term_search_ptys(portage_fetch_t)

libs_use_ld_so(portage_fetch_t)
libs_use_shared_libs(portage_fetch_t)

miscfiles_read_localization(portage_fetch_t)

sysnet_read_config(portage_fetch_t)
sysnet_dns_name_resolve(portage_fetch_t)

userdom_dontaudit_read_sysadm_home_files(portage_fetch_t)

ifdef(`hide_broken_symptoms',`
	dontaudit portage_fetch_t portage_cache_t:file read;
')

# TODO:
#domain_auto_trans(portage_t, rsyncd_exec_t, portage_fetch_t)

##########################################
#
# Portage sandbox domain
# - SELinux-enforced sandbox
#

# seems ok w/o this
dontaudit portage_sandbox_t portage_cache_t:dir { setattr };
dontaudit portage_sandbox_t portage_cache_t:file { setattr write };

allow portage_sandbox_t portage_tmp_t:dir manage_dir_perms;
allow portage_sandbox_t portage_tmp_t:file manage_file_perms;
allow portage_sandbox_t portage_tmp_t:lnk_file create_lnk_perms;
# run scripts out of the build directory
can_exec(portage_sandbox_t,portage_tmp_t)
Powered by Pagure 5.14.1
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.