Diffstat (limited to 'policy/modules/contrib/portage.te')
-rw-r--r-- | policy/modules/contrib/portage.te | 408 |
1 files changed, 0 insertions, 408 deletions
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
deleted file mode 100644
index 15c709f90..000000000
--- a/policy/modules/contrib/portage.te
+++ /dev/null
@@ -1,408 +0,0 @@
-policy_module(portage, 1.13.7)
-
-########################################
-#
-# Declarations
-#
-
-## <desc>
-## <p>
-## Determine whether portage can
-## use nfs filesystems.
-## </p>
-## </desc>
-gen_tunable(portage_use_nfs, false)
-
-attribute_role gcc_config_roles;
-attribute_role portage_roles;
-attribute_role portage_fetch_roles;
-
-type gcc_config_t;
-type gcc_config_exec_t;
-application_domain(gcc_config_t, gcc_config_exec_t)
-role gcc_config_roles types gcc_config_t;
-
-# constraining type
-type portage_t;
-type portage_exec_t;
-application_domain(portage_t, portage_exec_t)
-domain_obj_id_change_exemption(portage_t)
-rsync_entry_type(portage_t)
-corecmd_shell_entry_type(portage_t)
-role portage_roles types portage_t;
-
-# portage compile sandbox domain
-type portage_sandbox_t;
-application_domain(portage_sandbox_t, portage_exec_t)
-# the shell is the entrypoint if regular sandbox is disabled
-# portage_exec_t is the entrypoint if regular sandbox is enabled
-corecmd_shell_entry_type(portage_sandbox_t)
-role portage_roles types portage_sandbox_t;
-
-# portage package fetching domain
-type portage_fetch_t;
-type portage_fetch_exec_t;
-application_domain(portage_fetch_t, portage_fetch_exec_t)
-corecmd_shell_entry_type(portage_fetch_t)
-rsync_entry_type(portage_fetch_t)
-role portage_fetch_roles types portage_fetch_t;
-
-type portage_devpts_t;
-term_pty(portage_devpts_t)
-
-type portage_ebuild_t;
-files_mountpoint(portage_ebuild_t)
-
-type portage_fetch_tmp_t;
-files_tmp_file(portage_fetch_tmp_t)
-
-type portage_db_t;
-files_type(portage_db_t)
-
-type portage_conf_t;
-files_type(portage_conf_t)
-
-type portage_cache_t;
-files_type(portage_cache_t)
-
-type portage_gpg_t;
-files_type(portage_gpg_t)
-
-type portage_log_t;
-logging_log_file(portage_log_t)
-
-type portage_srcrepo_t;
-files_type(portage_srcrepo_t)
-
-type portage_tmp_t;
-files_tmp_file(portage_tmp_t)
-
-type portage_tmpfs_t;
-files_tmpfs_file(portage_tmpfs_t)
-
-######################################## -# -# gcc-config policy -# - -allow gcc_config_t self:capability { chown fsetid }; -allow gcc_config_t self:fifo_file rw_fifo_file_perms; - -manage_files_pattern(gcc_config_t, portage_cache_t, portage_cache_t) - -read_files_pattern(gcc_config_t, portage_conf_t, portage_conf_t) - -allow gcc_config_t portage_ebuild_t:dir list_dir_perms; -read_files_pattern(gcc_config_t, portage_ebuild_t, portage_ebuild_t) - -allow gcc_config_t portage_exec_t:file mmap_file_perms; - -kernel_read_system_state(gcc_config_t) -kernel_read_kernel_sysctls(gcc_config_t) - -corecmd_exec_shell(gcc_config_t) -corecmd_exec_bin(gcc_config_t) -corecmd_manage_bin_files(gcc_config_t) - -domain_use_interactive_fds(gcc_config_t) - -files_manage_etc_files(gcc_config_t) -files_rw_etc_runtime_files(gcc_config_t) -files_read_usr_files(gcc_config_t) -files_search_var_lib(gcc_config_t) -files_search_pids(gcc_config_t) -# complains loudly about not being able to list -# the directory it is being run from -files_list_all(gcc_config_t) - -# seems to be ok without this -init_dontaudit_read_script_status_files(gcc_config_t) - -libs_read_lib_files(gcc_config_t) -libs_run_ldconfig(gcc_config_t, portage_roles) -libs_manage_shared_libs(gcc_config_t) -# gcc-config creates a temp dir for the libs -libs_manage_lib_dirs(gcc_config_t) - -logging_send_syslog_msg(gcc_config_t) - -miscfiles_read_localization(gcc_config_t) - -userdom_use_user_terminals(gcc_config_t) - -consoletype_exec(gcc_config_t) - -ifdef(`distro_gentoo',` - init_exec_rc(gcc_config_t) -') - -tunable_policy(`portage_use_nfs',` - fs_read_nfs_files(gcc_config_t) -') - -optional_policy(` - seutil_use_newrole_fds(gcc_config_t) -') - -######################################## -# -# Portage Merging Rules -# - -# - setfscreate for merging to live fs -allow portage_t self:process { setfscreate }; -# - kill for mysql merging, at least -allow portage_t self:capability { sys_nice kill setfcap }; -dontaudit portage_t 
self:capability { dac_read_search }; -dontaudit portage_t self:netlink_route_socket rw_netlink_socket_perms; - -# user post-sync scripts -can_exec(portage_t, portage_conf_t) - -allow portage_t portage_log_t:file manage_file_perms; -logging_log_filetrans(portage_t, portage_log_t, file) - -allow portage_t { portage_fetch_t portage_sandbox_t }:process signal; - -# transition for rsync and wget -corecmd_shell_spec_domtrans(portage_t, portage_fetch_t) -rsync_entry_domtrans(portage_t, portage_fetch_t) -allow portage_fetch_t portage_t:fd use; -allow portage_fetch_t portage_t:fifo_file rw_fifo_file_perms; -allow portage_fetch_t portage_t:process sigchld; -dontaudit portage_fetch_t portage_devpts_t:chr_file { read write }; - -# transition to sandbox for compiling -spec_domtrans_pattern(portage_t, portage_exec_t, portage_sandbox_t) -corecmd_shell_spec_domtrans(portage_t, portage_sandbox_t) - -# run scripts out of the build directory -can_exec(portage_t, portage_tmp_t) - -kernel_dontaudit_request_load_module(portage_t) -# merging baselayout will need this: -kernel_write_proc_files(portage_t) - -domain_dontaudit_read_all_domains_state(portage_t) - -# modify any files in the system -files_manage_all_files(portage_t) - -selinux_get_fs_mount(portage_t) - -auth_manage_shadow(portage_t) - -# merging baselayout will need this: -init_exec(portage_t) - -# run setfiles -r -seutil_run_setfiles(portage_t, portage_roles) -# run semodule -seutil_run_semanage(portage_t, portage_roles) - -portage_run_gcc_config(portage_t, portage_roles) -# if sesandbox is disabled, compiling is performed in this domain -portage_compile_domain(portage_t) - -optional_policy(` - bootloader_run(portage_t, portage_roles) -') - -optional_policy(` - cron_system_entry(portage_t, portage_exec_t) - cron_system_entry(portage_fetch_t, portage_fetch_exec_t) -') - -optional_policy(` - modutils_run_depmod(portage_t, portage_roles) - modutils_run_update_mods(portage_t, portage_roles) - #dontaudit update_modules_t 
portage_tmp_t:dir search_dir_perms; -') - -optional_policy(` - usermanage_run_groupadd(portage_t, portage_roles) - usermanage_run_useradd(portage_t, portage_roles) -') - -ifdef(`TODO',` -# seems to work ok without these -dontaudit portage_t device_t:{ blk_file chr_file } getattr; -dontaudit portage_t proc_t:dir setattr_dir_perms; -dontaudit portage_t device_type:chr_file read_chr_file_perms; -dontaudit portage_t device_type:blk_file read_blk_file_perms; -') - -########################################## -# -# Portage fetch domain -# - for rsync and distfile fetching -# - -allow portage_fetch_t self:process signal; -allow portage_fetch_t self:capability { dac_override fowner fsetid chown }; -allow portage_fetch_t self:fifo_file rw_fifo_file_perms; -allow portage_fetch_t self:tcp_socket { accept listen }; -allow portage_fetch_t self:unix_stream_socket create_socket_perms; - -allow portage_fetch_t portage_conf_t:dir list_dir_perms; - -allow portage_fetch_t portage_devpts_t:chr_file { rw_chr_file_perms setattr_chr_file_perms }; - -allow portage_fetch_t portage_gpg_t:dir rw_dir_perms; -allow portage_fetch_t portage_gpg_t:file manage_file_perms; - -allow portage_fetch_t portage_tmp_t:dir manage_dir_perms; -allow portage_fetch_t portage_tmp_t:file manage_file_perms; - -read_files_pattern(portage_fetch_t, portage_conf_t, portage_conf_t) - -manage_dirs_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t) -manage_files_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t) - -manage_dirs_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t) -manage_files_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t) -files_tmp_filetrans(portage_fetch_t, portage_fetch_tmp_t, { file dir }) - -kernel_read_system_state(portage_fetch_t) -kernel_read_kernel_sysctls(portage_fetch_t) - -corecmd_exec_bin(portage_fetch_t) -corecmd_exec_shell(portage_fetch_t) - -corenet_all_recvfrom_unlabeled(portage_fetch_t) -corenet_all_recvfrom_netlabel(portage_fetch_t) 
-corenet_tcp_sendrecv_generic_if(portage_fetch_t) -corenet_tcp_sendrecv_generic_node(portage_fetch_t) -corenet_tcp_sendrecv_all_ports(portage_fetch_t) -corenet_tcp_connect_http_cache_port(portage_fetch_t) -corenet_tcp_connect_git_port(portage_fetch_t) -corenet_tcp_connect_rsync_port(portage_fetch_t) -corenet_sendrecv_http_client_packets(portage_fetch_t) -corenet_sendrecv_http_cache_client_packets(portage_fetch_t) -corenet_sendrecv_git_client_packets(portage_fetch_t) -corenet_sendrecv_rsync_client_packets(portage_fetch_t) -# would rather not connect to unspecified ports, but -# it occasionally comes up -corenet_tcp_connect_all_reserved_ports(portage_fetch_t) -corenet_tcp_connect_generic_port(portage_fetch_t) - -dev_dontaudit_read_rand(portage_fetch_t) - -domain_use_interactive_fds(portage_fetch_t) - -files_read_etc_runtime_files(portage_fetch_t) -files_read_usr_files(portage_fetch_t) -files_dontaudit_search_pids(portage_fetch_t) - -fs_search_auto_mountpoints(portage_fetch_t) - -logging_list_logs(portage_fetch_t) -logging_dontaudit_search_logs(portage_fetch_t) - -term_search_ptys(portage_fetch_t) - -auth_use_nsswitch(portage_fetch_t) - -miscfiles_read_generic_certs(portage_fetch_t) -miscfiles_read_localization(portage_fetch_t) - -userdom_use_user_terminals(portage_fetch_t) -userdom_dontaudit_read_user_home_content_files(portage_fetch_t) - -rsync_exec(portage_fetch_t) - -ifdef(`hide_broken_symptoms',` - dontaudit portage_fetch_t portage_cache_t:file read; -') - -tunable_policy(`portage_use_nfs',` - fs_getattr_nfs(portage_fetch_t) - fs_manage_nfs_dirs(portage_fetch_t) - fs_manage_nfs_files(portage_fetch_t) - fs_manage_nfs_symlinks(portage_fetch_t) -') - -optional_policy(` - gpg_exec(portage_fetch_t) -') - -########################################## -# -# Portage sandbox domain -# - SELinux-enforced sandbox -# - -allow portage_sandbox_t self:process ptrace; -dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms; - -allow portage_sandbox_t 
portage_log_t:file { create_file_perms delete_file_perms setattr_file_perms append_file_perms }; -logging_log_filetrans(portage_sandbox_t, portage_log_t, file) - -portage_compile_domain(portage_sandbox_t) - -auth_use_nsswitch(portage_sandbox_t) - -ifdef(`hide_broken_symptoms',` - # leaked descriptors - dontaudit portage_sandbox_t portage_cache_t:dir { setattr_dir_perms }; - dontaudit portage_sandbox_t portage_cache_t:file { setattr_file_perms write }; -') - -ifdef(`distro_gentoo',` - allow portage_t self:capability2 block_suspend; - - ########################################## - # - # Type declarations - # - - type gcc_config_tmp_t; - files_tmp_file(gcc_config_tmp_t) - - # Assigned to domains that are managed by eselect - attribute portage_eselect_domain; - - ########################################## - # - # Portage fetch local policy - # - - dev_rw_autofs(portage_fetch_t) - - ########################################## - # - # GCC config local policy - # - - allow gcc_config_t gcc_config_tmp_t:file manage_file_perms; - files_tmp_filetrans(gcc_config_t, gcc_config_tmp_t, file) - - - files_manage_etc_runtime_files(gcc_config_t) - files_manage_etc_runtime_lnk_files(gcc_config_t) - - ########################################## - # - # Portage local policy - # - - libs_generic_etc_filetrans_ld_so_cache(portage_t, file, "ld.so.cache~") - - ########################################## - # - # Portage sandbox local policy - # - - rw_dirs_pattern(portage_sandbox_t, portage_log_t, portage_log_t) - - ########################################## - # - # Portage eselect module domain - # - - allow portage_eselect_domain self:fifo_file { read write }; - - corecmd_exec_shell(portage_eselect_domain) - - files_manage_etc_runtime_files(portage_eselect_domain) -') |