Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/policy/modules/contrib/portage.te
diff options
context:
space:
mode:
Diffstat (limited to 'policy/modules/contrib/portage.te')
-rw-r--r--policy/modules/contrib/portage.te367
1 files changed, 367 insertions, 0 deletions
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
new file mode 100644
index 000000000..1f83dd826
--- /dev/null
+++ b/policy/modules/contrib/portage.te
@@ -0,0 +1,367 @@
+policy_module(portage, 1.12.0)
+
+########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Allow the portage domains to use NFS mounts (regular nfs_t)
+## </p>
+## </desc>
+gen_tunable(portage_use_nfs, false)
+
+## <desc>
+## <p>
+## (deprecated) support for dontaudit tryouts
+## </p>
+## </desc>
+gen_tunable(gentoo_try_dontaudit, false)
+
+## <desc>
+## <p>
+## (deprecated) support for fixes
+## </p>
+## </desc>
+gen_tunable(gentoo_wait_requests, false)
+
+
+attribute_role portage_roles;
+
+type gcc_config_t;
+type gcc_config_exec_t;
+application_domain(gcc_config_t, gcc_config_exec_t)
+
+type gcc_config_tmp_t;
+files_tmp_file(gcc_config_tmp_t)
+
+# constraining type
+type portage_t;
+type portage_exec_t;
+application_domain(portage_t, portage_exec_t)
+domain_obj_id_change_exemption(portage_t)
+rsync_entry_type(portage_t)
+corecmd_shell_entry_type(portage_t)
+role portage_roles types portage_t;
+
+# portage compile sandbox domain
+type portage_sandbox_t;
+application_domain(portage_sandbox_t, portage_exec_t)
+# the shell is the entrypoint if regular sandbox is disabled
+# portage_exec_t is the entrypoint if regular sandbox is enabled
+corecmd_shell_entry_type(portage_sandbox_t)
+role portage_roles types portage_sandbox_t;
+
+# portage package fetching domain
+type portage_fetch_t;
+type portage_fetch_exec_t;
+application_domain(portage_fetch_t, portage_fetch_exec_t)
+corecmd_shell_entry_type(portage_fetch_t)
+rsync_entry_type(portage_fetch_t)
+role portage_roles types portage_fetch_t;
+
+type portage_devpts_t;
+term_pty(portage_devpts_t)
+
+type portage_ebuild_t;
+files_mountpoint(portage_ebuild_t)
+
+type portage_fetch_tmp_t;
+files_tmp_file(portage_fetch_tmp_t)
+
+type portage_db_t;
+files_type(portage_db_t)
+
+type portage_conf_t;
+files_type(portage_conf_t)
+
+type portage_cache_t;
+files_type(portage_cache_t)
+
+type portage_gpg_t;
+files_type(portage_gpg_t)
+
+type portage_log_t;
+logging_log_file(portage_log_t)
+
+type portage_srcrepo_t;
+files_type(portage_srcrepo_t)
+
+type portage_tmp_t;
+files_tmp_file(portage_tmp_t)
+
+type portage_tmpfs_t;
+files_tmpfs_file(portage_tmpfs_t)
+
+########################################
+#
+# gcc-config policy
+#
+
+allow gcc_config_t self:capability { chown fsetid };
+allow gcc_config_t self:fifo_file rw_file_perms;
+
+manage_files_pattern(gcc_config_t, gcc_config_tmp_t, gcc_config_tmp_t)
+files_tmp_filetrans(gcc_config_t, gcc_config_tmp_t, file)
+
+manage_files_pattern(gcc_config_t, portage_cache_t, portage_cache_t)
+
+read_files_pattern(gcc_config_t, portage_conf_t, portage_conf_t)
+
+allow gcc_config_t portage_ebuild_t:dir list_dir_perms;
+read_files_pattern(gcc_config_t, portage_ebuild_t, portage_ebuild_t)
+
+allow gcc_config_t portage_exec_t:file mmap_file_perms;
+
+kernel_read_system_state(gcc_config_t)
+kernel_read_kernel_sysctls(gcc_config_t)
+
+corecmd_exec_shell(gcc_config_t)
+corecmd_exec_bin(gcc_config_t)
+corecmd_manage_bin_files(gcc_config_t)
+
+domain_use_interactive_fds(gcc_config_t)
+
+files_manage_etc_files(gcc_config_t)
+files_manage_etc_runtime_files(gcc_config_t)
+files_manage_etc_runtime_lnk_files(gcc_config_t)
+files_read_usr_files(gcc_config_t)
+files_search_var_lib(gcc_config_t)
+files_search_pids(gcc_config_t)
+# complains loudly about not being able to list
+# the directory it is being run from
+files_list_all(gcc_config_t)
+
+# seems to be ok without this
+init_dontaudit_read_script_status_files(gcc_config_t)
+
+libs_read_lib_files(gcc_config_t)
+libs_run_ldconfig(gcc_config_t, portage_roles)
+libs_manage_shared_libs(gcc_config_t)
+# gcc-config creates a temp dir for the libs
+libs_manage_lib_dirs(gcc_config_t)
+
+logging_send_syslog_msg(gcc_config_t)
+
+miscfiles_read_localization(gcc_config_t)
+
+userdom_use_user_terminals(gcc_config_t)
+
+consoletype_exec(gcc_config_t)
+
+ifdef(`distro_gentoo',`
+ init_exec_rc(gcc_config_t)
+')
+
+tunable_policy(`portage_use_nfs',`
+ fs_read_nfs_files(gcc_config_t)
+')
+
+optional_policy(`
+ seutil_use_newrole_fds(gcc_config_t)
+')
+
+########################################
+#
+# Portage Merging Rules
+#
+
+# - setfscreate for merging to live fs
+# - setexec to run portage fetch
+allow portage_t self:process { setfscreate setexec };
+# - kill for mysql merging, at least
+allow portage_t self:capability { sys_nice kill setfcap };
+dontaudit portage_t self:capability { dac_read_search };
+dontaudit portage_t self:netlink_route_socket rw_netlink_socket_perms;
+
+# user post-sync scripts
+can_exec(portage_t, portage_conf_t)
+
+allow portage_t portage_log_t:file manage_file_perms;
+logging_log_filetrans(portage_t, portage_log_t, file)
+
+allow portage_t { portage_fetch_t portage_sandbox_t }:process signal;
+
+# transition for rsync and wget
+corecmd_shell_spec_domtrans(portage_t, portage_fetch_t)
+rsync_entry_domtrans(portage_t, portage_fetch_t)
+allow portage_fetch_t portage_t:fd use;
+allow portage_fetch_t portage_t:fifo_file rw_file_perms;
+allow portage_fetch_t portage_t:process sigchld;
+dontaudit portage_fetch_t portage_devpts_t:chr_file { read write };
+
+# transition to sandbox for compiling
+domain_trans(portage_t, portage_exec_t, portage_sandbox_t)
+corecmd_shell_spec_domtrans(portage_t, portage_sandbox_t)
+allow portage_sandbox_t portage_t:fd use;
+allow portage_sandbox_t portage_t:fifo_file rw_file_perms;
+allow portage_sandbox_t portage_t:process sigchld;
+allow portage_sandbox_t self:process ptrace;
+dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
+
+# run scripts out of the build directory
+can_exec(portage_t, portage_tmp_t)
+
+kernel_dontaudit_request_load_module(portage_t)
+# merging baselayout will need this:
+kernel_write_proc_files(portage_t)
+
+domain_dontaudit_read_all_domains_state(portage_t)
+
+# modify any files in the system
+files_manage_all_files(portage_t)
+
+selinux_get_fs_mount(portage_t)
+
+auth_manage_shadow(portage_t)
+
+# merging baselayout will need this:
+init_exec(portage_t)
+
+# run setfiles -r
+seutil_run_setfiles(portage_t, portage_roles)
+# run semodule
+seutil_run_semanage(portage_t, portage_roles)
+
+portage_run_gcc_config(portage_t, portage_roles)
+# if sesandbox is disabled, compiling is performed in this domain
+portage_compile_domain(portage_t)
+
+optional_policy(`
+ bootloader_run(portage_t, portage_roles)
+')
+
+optional_policy(`
+ cron_system_entry(portage_t, portage_exec_t)
+ cron_system_entry(portage_fetch_t, portage_fetch_exec_t)
+')
+
+optional_policy(`
+ modutils_run_depmod(portage_t, portage_roles)
+ modutils_run_update_mods(portage_t, portage_roles)
+ #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
+')
+
+optional_policy(`
+ usermanage_run_groupadd(portage_t, portage_roles)
+ usermanage_run_useradd(portage_t, portage_roles)
+')
+
+ifdef(`TODO',`
+# seems to work ok without these
+dontaudit portage_t device_t:{ blk_file chr_file } getattr;
+dontaudit portage_t proc_t:dir setattr;
+dontaudit portage_t device_type:chr_file read_chr_file_perms;
+dontaudit portage_t device_type:blk_file read_blk_file_perms;
+')
+
+##########################################
+#
+# Portage fetch domain
+# - for rsync and distfile fetching
+#
+
+allow portage_fetch_t self:process signal;
+allow portage_fetch_t self:capability { dac_override fowner fsetid chown };
+allow portage_fetch_t self:fifo_file rw_fifo_file_perms;
+allow portage_fetch_t self:tcp_socket create_stream_socket_perms;
+allow portage_fetch_t self:unix_stream_socket create_socket_perms;
+
+allow portage_fetch_t portage_conf_t:dir list_dir_perms;
+
+allow portage_fetch_t portage_gpg_t:dir rw_dir_perms;
+allow portage_fetch_t portage_gpg_t:file manage_file_perms;
+
+allow portage_fetch_t portage_tmp_t:dir manage_dir_perms;
+allow portage_fetch_t portage_tmp_t:file manage_file_perms;
+
+allow portage_fetch_t portage_devpts_t:chr_file { rw_chr_file_perms setattr };
+
+read_files_pattern(portage_fetch_t, portage_conf_t, portage_conf_t)
+
+manage_dirs_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t)
+manage_files_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t)
+
+manage_dirs_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t)
+manage_files_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t)
+files_tmp_filetrans(portage_fetch_t, portage_fetch_tmp_t, { file dir })
+
+kernel_read_system_state(portage_fetch_t)
+kernel_read_kernel_sysctls(portage_fetch_t)
+
+corecmd_exec_bin(portage_fetch_t)
+corecmd_exec_shell(portage_fetch_t)
+
+corenet_all_recvfrom_unlabeled(portage_fetch_t)
+corenet_all_recvfrom_netlabel(portage_fetch_t)
+corenet_tcp_sendrecv_generic_if(portage_fetch_t)
+corenet_tcp_sendrecv_generic_node(portage_fetch_t)
+corenet_tcp_sendrecv_all_ports(portage_fetch_t)
+corenet_tcp_connect_http_cache_port(portage_fetch_t)
+corenet_tcp_connect_git_port(portage_fetch_t)
+corenet_tcp_connect_rsync_port(portage_fetch_t)
+corenet_sendrecv_http_client_packets(portage_fetch_t)
+corenet_sendrecv_http_cache_client_packets(portage_fetch_t)
+corenet_sendrecv_git_client_packets(portage_fetch_t)
+corenet_sendrecv_rsync_client_packets(portage_fetch_t)
+# would rather not connect to unspecified ports, but
+# it occasionally comes up
+corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
+corenet_tcp_connect_generic_port(portage_fetch_t)
+
+dev_dontaudit_read_rand(portage_fetch_t)
+
+domain_use_interactive_fds(portage_fetch_t)
+
+files_read_etc_files(portage_fetch_t)
+files_read_etc_runtime_files(portage_fetch_t)
+files_read_usr_files(portage_fetch_t)
+files_search_var_lib(portage_fetch_t)
+files_dontaudit_search_pids(portage_fetch_t)
+
+logging_list_logs(portage_fetch_t)
+logging_dontaudit_search_logs(portage_fetch_t)
+
+term_search_ptys(portage_fetch_t)
+
+miscfiles_read_localization(portage_fetch_t)
+
+sysnet_read_config(portage_fetch_t)
+sysnet_dns_name_resolve(portage_fetch_t)
+
+userdom_use_user_terminals(portage_fetch_t)
+userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
+userdom_dontaudit_getattr_user_home_dirs(portage_fetch_t)
+userdom_dontaudit_search_user_home_dirs(portage_fetch_t)
+
+rsync_exec(portage_fetch_t)
+
+ifdef(`hide_broken_symptoms',`
+ dontaudit portage_fetch_t portage_cache_t:file read;
+')
+
+tunable_policy(`portage_use_nfs',`
+ fs_getattr_nfs(portage_fetch_t)
+ fs_manage_nfs_dirs(portage_fetch_t)
+ fs_manage_nfs_files(portage_fetch_t)
+ fs_manage_nfs_symlinks(portage_fetch_t)
+')
+
+optional_policy(`
+ gpg_exec(portage_fetch_t)
+')
+
+##########################################
+#
+# Portage sandbox domain
+# - SELinux-enforced sandbox
+#
+
+portage_compile_domain(portage_sandbox_t)
+
+ifdef(`hide_broken_symptoms',`
+ # leaked descriptors
+ dontaudit portage_sandbox_t portage_cache_t:dir { setattr };
+ dontaudit portage_sandbox_t portage_cache_t:file { setattr write };
+')