Diffstat (limited to 'policy/modules/contrib/portage.te')
-rw-r--r-- | policy/modules/contrib/portage.te | 367 |
1 files changed, 367 insertions, 0 deletions
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
new file mode 100644
index 000000000..1f83dd826
--- /dev/null
+++ b/policy/modules/contrib/portage.te
@@ -0,0 +1,367 @@
+policy_module(portage, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow the portage domains to use NFS mounts (regular nfs_t)
+## </p>
+## </desc>
+gen_tunable(portage_use_nfs, false)
+
+## <desc>
+## <p>
+## (deprecated) support for dontaudit tryouts
+## </p>
+## </desc>
+gen_tunable(gentoo_try_dontaudit, false)
+
+## <desc>
+## <p>
+## (deprecated) support for fixes
+## </p>
+## </desc>
+gen_tunable(gentoo_wait_requests, false)
+
+
+attribute_role portage_roles;
+
+type gcc_config_t;
+type gcc_config_exec_t;
+application_domain(gcc_config_t, gcc_config_exec_t)
+
+type gcc_config_tmp_t;
+files_tmp_file(gcc_config_tmp_t)
+
+# constraining type
+type portage_t;
+type portage_exec_t;
+application_domain(portage_t, portage_exec_t)
+domain_obj_id_change_exemption(portage_t)
+rsync_entry_type(portage_t)
+corecmd_shell_entry_type(portage_t)
+role portage_roles types portage_t;
+
+# portage compile sandbox domain
+type portage_sandbox_t;
+application_domain(portage_sandbox_t, portage_exec_t)
+# the shell is the entrypoint if regular sandbox is disabled
+# portage_exec_t is the entrypoint if regular sandbox is enabled
+corecmd_shell_entry_type(portage_sandbox_t)
+role portage_roles types portage_sandbox_t;
+
+# portage package fetching domain
+type portage_fetch_t;
+type portage_fetch_exec_t;
+application_domain(portage_fetch_t, portage_fetch_exec_t)
+corecmd_shell_entry_type(portage_fetch_t)
+rsync_entry_type(portage_fetch_t)
+role portage_roles types portage_fetch_t;
+
+type portage_devpts_t;
+term_pty(portage_devpts_t)
+
+type portage_ebuild_t;
+files_mountpoint(portage_ebuild_t)
+
+type portage_fetch_tmp_t;
+files_tmp_file(portage_fetch_tmp_t)
+
+type portage_db_t;
+files_type(portage_db_t)
+
+type portage_conf_t;
+files_type(portage_conf_t)
+
+type portage_cache_t;
+files_type(portage_cache_t)
+
+type portage_gpg_t;
+files_type(portage_gpg_t)
+
+type portage_log_t;
+logging_log_file(portage_log_t)
+
+type portage_srcrepo_t;
+files_type(portage_srcrepo_t)
+
+type portage_tmp_t;
+files_tmp_file(portage_tmp_t)
+
+type portage_tmpfs_t;
+files_tmpfs_file(portage_tmpfs_t)
+
+########################################
+#
+# gcc-config policy
+#
+
+allow gcc_config_t self:capability { chown fsetid };
+allow gcc_config_t self:fifo_file rw_file_perms;
+
+manage_files_pattern(gcc_config_t, gcc_config_tmp_t, gcc_config_tmp_t)
+files_tmp_filetrans(gcc_config_t, gcc_config_tmp_t, file)
+
+manage_files_pattern(gcc_config_t, portage_cache_t, portage_cache_t)
+
+read_files_pattern(gcc_config_t, portage_conf_t, portage_conf_t)
+
+allow gcc_config_t portage_ebuild_t:dir list_dir_perms;
+read_files_pattern(gcc_config_t, portage_ebuild_t, portage_ebuild_t)
+
+allow gcc_config_t portage_exec_t:file mmap_file_perms;
+
+kernel_read_system_state(gcc_config_t)
+kernel_read_kernel_sysctls(gcc_config_t)
+
+corecmd_exec_shell(gcc_config_t)
+corecmd_exec_bin(gcc_config_t)
+corecmd_manage_bin_files(gcc_config_t)
+
+domain_use_interactive_fds(gcc_config_t)
+
+files_manage_etc_files(gcc_config_t)
+files_manage_etc_runtime_files(gcc_config_t)
+files_manage_etc_runtime_lnk_files(gcc_config_t)
+files_read_usr_files(gcc_config_t)
+files_search_var_lib(gcc_config_t)
+files_search_pids(gcc_config_t)
+# complains loudly about not being able to list
+# the directory it is being run from
+files_list_all(gcc_config_t)
+
+# seems to be ok without this
+init_dontaudit_read_script_status_files(gcc_config_t)
+
+libs_read_lib_files(gcc_config_t)
+libs_run_ldconfig(gcc_config_t, portage_roles)
+libs_manage_shared_libs(gcc_config_t)
+# gcc-config creates a temp dir for the libs
+libs_manage_lib_dirs(gcc_config_t)
+
+logging_send_syslog_msg(gcc_config_t)
+
+miscfiles_read_localization(gcc_config_t)
+
+userdom_use_user_terminals(gcc_config_t)
+
+consoletype_exec(gcc_config_t)
+
+ifdef(`distro_gentoo',`
+ init_exec_rc(gcc_config_t)
+')
+
+tunable_policy(`portage_use_nfs',`
+ fs_read_nfs_files(gcc_config_t)
+')
+
+optional_policy(`
+ seutil_use_newrole_fds(gcc_config_t)
+')
+
+########################################
+#
+# Portage Merging Rules
+#
+
+# - setfscreate for merging to live fs
+# - setexec to run portage fetch
+allow portage_t self:process { setfscreate setexec };
+# - kill for mysql merging, at least
+allow portage_t self:capability { sys_nice kill setfcap };
+dontaudit portage_t self:capability { dac_read_search };
+dontaudit portage_t self:netlink_route_socket rw_netlink_socket_perms;
+
+# user post-sync scripts
+can_exec(portage_t, portage_conf_t)
+
+allow portage_t portage_log_t:file manage_file_perms;
+logging_log_filetrans(portage_t, portage_log_t, file)
+
+allow portage_t { portage_fetch_t portage_sandbox_t }:process signal;
+
+# transition for rsync and wget
+corecmd_shell_spec_domtrans(portage_t, portage_fetch_t)
+rsync_entry_domtrans(portage_t, portage_fetch_t)
+allow portage_fetch_t portage_t:fd use;
+allow portage_fetch_t portage_t:fifo_file rw_file_perms;
+allow portage_fetch_t portage_t:process sigchld;
+dontaudit portage_fetch_t portage_devpts_t:chr_file { read write };
+
+# transition to sandbox for compiling
+domain_trans(portage_t, portage_exec_t, portage_sandbox_t)
+corecmd_shell_spec_domtrans(portage_t, portage_sandbox_t)
+allow portage_sandbox_t portage_t:fd use;
+allow portage_sandbox_t portage_t:fifo_file rw_file_perms;
+allow portage_sandbox_t portage_t:process sigchld;
+allow portage_sandbox_t self:process ptrace;
+dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
+
+# run scripts out of the build directory
+can_exec(portage_t, portage_tmp_t)
+
+kernel_dontaudit_request_load_module(portage_t)
+# merging baselayout will need this:
+kernel_write_proc_files(portage_t)
+
+domain_dontaudit_read_all_domains_state(portage_t)
+
+# modify any files in the system
+files_manage_all_files(portage_t)
+
+selinux_get_fs_mount(portage_t)
+
+auth_manage_shadow(portage_t)
+
+# merging baselayout will need this:
+init_exec(portage_t)
+
+# run setfiles -r
+seutil_run_setfiles(portage_t, portage_roles)
+# run semodule
+seutil_run_semanage(portage_t, portage_roles)
+
+portage_run_gcc_config(portage_t, portage_roles)
+# if sesandbox is disabled, compiling is performed in this domain
+portage_compile_domain(portage_t)
+
+optional_policy(`
+ bootloader_run(portage_t, portage_roles)
+')
+
+optional_policy(`
+ cron_system_entry(portage_t, portage_exec_t)
+ cron_system_entry(portage_fetch_t, portage_fetch_exec_t)
+')
+
+optional_policy(`
+ modutils_run_depmod(portage_t, portage_roles)
+ modutils_run_update_mods(portage_t, portage_roles)
+ #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
+')
+
+optional_policy(`
+ usermanage_run_groupadd(portage_t, portage_roles)
+ usermanage_run_useradd(portage_t, portage_roles)
+')
+
+ifdef(`TODO',`
+# seems to work ok without these
+dontaudit portage_t device_t:{ blk_file chr_file } getattr;
+dontaudit portage_t proc_t:dir setattr;
+dontaudit portage_t device_type:chr_file read_chr_file_perms;
+dontaudit portage_t device_type:blk_file read_blk_file_perms;
+')
+
+##########################################
+#
+# Portage fetch domain
+# - for rsync and distfile fetching
+#
+
+allow portage_fetch_t self:process signal;
+allow portage_fetch_t self:capability { dac_override fowner fsetid chown };
+allow portage_fetch_t self:fifo_file rw_fifo_file_perms;
+allow portage_fetch_t self:tcp_socket create_stream_socket_perms;
+allow portage_fetch_t self:unix_stream_socket create_socket_perms;
+
+allow portage_fetch_t portage_conf_t:dir list_dir_perms;
+
+allow portage_fetch_t portage_gpg_t:dir rw_dir_perms;
+allow portage_fetch_t portage_gpg_t:file manage_file_perms;
+
+allow portage_fetch_t portage_tmp_t:dir manage_dir_perms;
+allow portage_fetch_t portage_tmp_t:file manage_file_perms;
+
+allow portage_fetch_t portage_devpts_t:chr_file { rw_chr_file_perms setattr };
+
+read_files_pattern(portage_fetch_t, portage_conf_t, portage_conf_t)
+
+manage_dirs_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t)
+manage_files_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t)
+
+manage_dirs_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t)
+manage_files_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t)
+files_tmp_filetrans(portage_fetch_t, portage_fetch_tmp_t, { file dir })
+
+kernel_read_system_state(portage_fetch_t)
+kernel_read_kernel_sysctls(portage_fetch_t)
+
+corecmd_exec_bin(portage_fetch_t)
+corecmd_exec_shell(portage_fetch_t)
+
+corenet_all_recvfrom_unlabeled(portage_fetch_t)
+corenet_all_recvfrom_netlabel(portage_fetch_t)
+corenet_tcp_sendrecv_generic_if(portage_fetch_t)
+corenet_tcp_sendrecv_generic_node(portage_fetch_t)
+corenet_tcp_sendrecv_all_ports(portage_fetch_t)
+corenet_tcp_connect_http_cache_port(portage_fetch_t)
+corenet_tcp_connect_git_port(portage_fetch_t)
+corenet_tcp_connect_rsync_port(portage_fetch_t)
+corenet_sendrecv_http_client_packets(portage_fetch_t)
+corenet_sendrecv_http_cache_client_packets(portage_fetch_t)
+corenet_sendrecv_git_client_packets(portage_fetch_t)
+corenet_sendrecv_rsync_client_packets(portage_fetch_t)
+# would rather not connect to unspecified ports, but
+# it occasionally comes up
+corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
+corenet_tcp_connect_generic_port(portage_fetch_t)
+
+dev_dontaudit_read_rand(portage_fetch_t)
+
+domain_use_interactive_fds(portage_fetch_t)
+
+files_read_etc_files(portage_fetch_t)
+files_read_etc_runtime_files(portage_fetch_t)
+files_read_usr_files(portage_fetch_t)
+files_search_var_lib(portage_fetch_t)
+files_dontaudit_search_pids(portage_fetch_t)
+
+logging_list_logs(portage_fetch_t)
+logging_dontaudit_search_logs(portage_fetch_t)
+
+term_search_ptys(portage_fetch_t)
+
+miscfiles_read_localization(portage_fetch_t)
+
+sysnet_read_config(portage_fetch_t)
+sysnet_dns_name_resolve(portage_fetch_t)
+
+userdom_use_user_terminals(portage_fetch_t)
+userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
+userdom_dontaudit_getattr_user_home_dirs(portage_fetch_t)
+userdom_dontaudit_search_user_home_dirs(portage_fetch_t)
+
+rsync_exec(portage_fetch_t)
+
+ifdef(`hide_broken_symptoms',`
+ dontaudit portage_fetch_t portage_cache_t:file read;
+')
+
+tunable_policy(`portage_use_nfs',`
+ fs_getattr_nfs(portage_fetch_t)
+ fs_manage_nfs_dirs(portage_fetch_t)
+ fs_manage_nfs_files(portage_fetch_t)
+ fs_manage_nfs_symlinks(portage_fetch_t)
+')
+
+optional_policy(`
+ gpg_exec(portage_fetch_t)
+')
+
+##########################################
+#
+# Portage sandbox domain
+# - SELinux-enforced sandbox
+#
+
+portage_compile_domain(portage_sandbox_t)
+
+ifdef(`hide_broken_symptoms',`
+ # leaked descriptors
+ dontaudit portage_sandbox_t portage_cache_t:dir { setattr };
+ dontaudit portage_sandbox_t portage_cache_t:file { setattr write };
+')
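Review bot: The `dontaudit portage_fetch_t portage_devpts_t:chr_file { read write };` in the merging-rules section is dead, because the fetch section later grants `allow portage_fetch_t portage_devpts_t:chr_file { rw_chr_file_perms setattr };` on the same type and class, and an allow makes the dontaudit irrelevant; keep only the allow, beside the other portage_fetch_t rules, so the pty access of the network-facing domain is stated in one place. In that same fetch section, a domain that reaches arbitrary peers through `corenet_tcp_connect_all_reserved_ports` and `corenet_tcp_connect_generic_port` is also given `manage_file_perms` on portage_gpg_t and manage_*_pattern on portage_ebuild_t, so a compromised fetcher could rewrite both the tree and whatever portage_gpg_t holds (presumably the keyring used to verify that tree, though the file does not say); a one-line comment on the two portage_gpg_t rules naming what the fetcher legitimately writes there would let a reader judge that exposure. The `TODO` ifdef block and the `#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;` line are commented-out policy carried into a new file and should be dropped rather than shipped. The `gentoo_try_dontaudit` and `gentoo_wait_requests` tunables are declared but referenced by no tunable_policy block in the file, so a comment saying why the deprecated booleans are still declared (compatibility with existing boolean settings, if that is the reason) would explain why they survive.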