diff --git a/refpolicy/policy/modules/admin/portage.if b/refpolicy/policy/modules/admin/portage.if
index efddda5..af99899 100644
--- a/refpolicy/policy/modules/admin/portage.if
+++ b/refpolicy/policy/modules/admin/portage.if
@@ -20,12 +20,18 @@ interface(`portage_domtrans',`
files_search_usr($1)
corecmd_search_bin($1)
- domain_auto_trans($1,portage_exec_t,portage_t)
- allow $1 portage_t:fd use;
+ # constraining domain
+ domain_trans($1,portage_exec_t,portage_t)
allow portage_t $1:fd use;
allow portage_t $1:fifo_file rw_file_perms;
allow portage_t $1:process sigchld;
+
+ # main portage process
+ domain_auto_trans($1,portage_exec_t,portage_t.merge)
+ allow portage_t.merge $1:fd use;
+ allow portage_t.merge $1:fifo_file rw_file_perms;
+ allow portage_t.merge $1:process sigchld;
')
########################################
@@ -51,22 +57,21 @@ interface(`portage_domtrans',`
#
interface(`portage_run',`
gen_require(`
- type portage_t, portage_fetch_t, portage_sandbox_t;
+ type portage_t;
+ type portage_t.merge, portage_t.fetch, portage_t.sandbox;
')
portage_domtrans($1)
+ # constraining access
role $2 types portage_t;
- role $2 types portage_fetch_t;
- role $2 types portage_sandbox_t;
-
allow portage_t $3:chr_file rw_term_perms;
- allow portage_fetch_t $3:chr_file rw_term_perms;
- allow portage_sandbox_t $3:chr_file rw_term_perms;
- # not sure about this one, may be stray fds
- allow portage_t $1:udp_socket write;
- allow $1 portage_t:udp_socket write;
+ # specific access
+ role $2 types { portage_t.merge portage_t.fetch portage_t.sandbox };
+ allow portage_t.merge $3:chr_file rw_term_perms;
+ allow portage_t.fetch $3:chr_file rw_term_perms;
+ allow portage_t.sandbox $3:chr_file rw_term_perms;
')
########################################
@@ -79,129 +84,258 @@ interface(`portage_run',`
## does all compiling in the sandbox.
##
##
-##
+##
##
-## Name to be used to derive types.
+## Domain Allowed Access
##
##
#
-template(`portage_compile_domain_template',`
- type $1_t;
- domain_type($1_t)
- domain_entry_file($1_t,portage_exec_t)
-
- type $1_devpts_t;
- term_pty($1_devpts_t)
-
- type $1_tmp_t;
- files_tmp_file($1_tmp_t)
-
- type $1_tmpfs_t;
- files_tmpfs_file($1_tmpfs_t)
-
- allow $1_t self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
- allow $1_t self:process { setpgid setsched setrlimit signal_perms execmem };
- allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
- allow $1_t self:fd use;
- allow $1_t self:fifo_file rw_file_perms;
- allow $1_t self:shm create_shm_perms;
- allow $1_t self:sem create_sem_perms;
- allow $1_t self:msgq create_msgq_perms;
- allow $1_t self:msg { send receive };
- allow $1_t self:unix_dgram_socket create_socket_perms;
- allow $1_t self:unix_stream_socket create_stream_socket_perms;
- allow $1_t self:unix_dgram_socket sendto;
- allow $1_t self:unix_stream_socket connectto;
+interface(`portage_compile_domain',`
+
+ allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
+ allow $1 self:process { setpgid setsched setrlimit signal_perms execmem };
+ allow $1 self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow $1 self:fd use;
+ allow $1 self:fifo_file rw_file_perms;
+ allow $1 self:shm create_shm_perms;
+ allow $1 self:sem create_sem_perms;
+ allow $1 self:msgq create_msgq_perms;
+ allow $1 self:msg { send receive };
+ allow $1 self:unix_dgram_socket create_socket_perms;
+ allow $1 self:unix_stream_socket create_stream_socket_perms;
+ allow $1 self:unix_dgram_socket sendto;
+ allow $1 self:unix_stream_socket connectto;
# really shouldnt need this
- allow $1_t self:tcp_socket create_stream_socket_perms;
- allow $1_t self:udp_socket create_socket_perms;
+ allow $1 self:tcp_socket create_stream_socket_perms;
+ allow $1 self:udp_socket create_socket_perms;
# misc networking stuff (esp needed for compiling perl):
- allow $1_t self:rawip_socket { create ioctl };
- allow $1_t self:udp_socket recvfrom;
+ allow $1 self:rawip_socket { create ioctl };
+ allow $1 self:udp_socket recvfrom;
# needed for merging dbus:
- allow $1_t self:netlink_selinux_socket { bind create read };
-
- allow $1_t $1_devpts_t:chr_file { rw_file_perms setattr };
- term_create_pty($1_t,$1_devpts_t)
-
- allow $1_t $1_tmp_t:dir manage_dir_perms;
- allow $1_t $1_tmp_t:file manage_file_perms;
- allow $1_t $1_tmp_t:lnk_file create_lnk_perms;
- allow $1_t $1_tmp_t:fifo_file manage_file_perms;
- allow $1_t $1_tmp_t:sock_file manage_file_perms;
- files_tmp_filetrans($1_t,$1_tmp_t,{ dir file lnk_file sock_file fifo_file })
-
- allow $1_t $1_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
- allow $1_t $1_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
- allow $1_t $1_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
- allow $1_t $1_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
- allow $1_t $1_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
- fs_tmpfs_filetrans($1_t,$1_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
-
- # write merge logs
- allow $1_t portage_log_t:dir setattr;
- allow $1_t portage_log_t:file { append write setattr };
-
- kernel_read_system_state($1_t)
- kernel_read_network_state($1_t)
- kernel_read_software_raid_state($1_t)
- kernel_getattr_core_if($1_t)
- kernel_getattr_message_if($1_t)
- kernel_read_kernel_sysctls($1_t)
-
- corecmd_exec_all_executables($1_t)
+ allow $1 self:netlink_selinux_socket { bind create read };
+
+ allow $1 portage_devpts_t:chr_file { rw_file_perms setattr };
+ term_create_pty($1,portage_devpts_t)
+
+ # write compile logs
+ allow $1 portage_log_t:dir setattr;
+ allow $1 portage_log_t:file { append write setattr };
+
+ # run scripts out of the build directory
+ can_exec(portage_sandbox_t,portage_tmp_t)
+
+ allow $1 portage_tmp_t:dir manage_dir_perms;
+ allow $1 portage_tmp_t:file manage_file_perms;
+ allow $1 portage_tmp_t:lnk_file create_lnk_perms;
+ allow $1 portage_tmp_t:fifo_file manage_file_perms;
+ allow $1 portage_tmp_t:sock_file manage_file_perms;
+ files_tmp_filetrans($1,portage_tmp_t,{ dir file lnk_file sock_file fifo_file })
+
+ allow $1 portage_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
+ allow $1 portage_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename };
+ allow $1 portage_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
+ allow $1 portage_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+ allow $1 portage_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+ fs_tmpfs_filetrans($1,portage_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+ kernel_read_system_state($1)
+ kernel_read_network_state($1)
+ kernel_read_software_raid_state($1)
+ kernel_getattr_core_if($1)
+ kernel_getattr_message_if($1)
+ kernel_read_kernel_sysctls($1)
+
+ corecmd_exec_all_executables($1)
# really shouldnt need this
- corenet_non_ipsec_sendrecv($1_t)
- corenet_tcp_sendrecv_generic_if($1_t)
- corenet_udp_sendrecv_generic_if($1_t)
- corenet_raw_sendrecv_generic_if($1_t)
- corenet_tcp_sendrecv_all_nodes($1_t)
- corenet_udp_sendrecv_all_nodes($1_t)
- corenet_raw_sendrecv_all_nodes($1_t)
- corenet_tcp_sendrecv_all_ports($1_t)
- corenet_udp_sendrecv_all_ports($1_t)
- corenet_tcp_connect_all_reserved_ports($1_t)
- corenet_tcp_connect_distccd_port($1_t)
-
- dev_read_sysfs($1_t)
- dev_read_rand($1_t)
- dev_read_urand($1_t)
-
- domain_use_interactive_fds($1_t)
-
- files_exec_etc_files($1_t)
- files_exec_usr_src_files($1_t)
-
- fs_getattr_xattr_fs($1_t)
- fs_list_noxattr_fs($1_t)
- fs_read_noxattr_fs_files($1_t)
- fs_read_noxattr_fs_symlinks($1_t)
- fs_search_auto_mountpoints($1_t)
+ corenet_non_ipsec_sendrecv($1)
+ corenet_tcp_sendrecv_generic_if($1)
+ corenet_udp_sendrecv_generic_if($1)
+ corenet_raw_sendrecv_generic_if($1)
+ corenet_tcp_sendrecv_all_nodes($1)
+ corenet_udp_sendrecv_all_nodes($1)
+ corenet_raw_sendrecv_all_nodes($1)
+ corenet_tcp_sendrecv_all_ports($1)
+ corenet_udp_sendrecv_all_ports($1)
+ corenet_tcp_connect_all_reserved_ports($1)
+ corenet_tcp_connect_distccd_port($1)
+
+ dev_read_sysfs($1)
+ dev_read_rand($1)
+ dev_read_urand($1)
+
+ domain_use_interactive_fds($1)
+
+ files_exec_etc_files($1)
+ files_exec_usr_src_files($1)
+
+ fs_getattr_xattr_fs($1)
+ fs_list_noxattr_fs($1)
+ fs_read_noxattr_fs_files($1)
+ fs_read_noxattr_fs_symlinks($1)
+ fs_search_auto_mountpoints($1)
# needed for merging dbus:
- selinux_compute_access_vector($1_t)
+ selinux_compute_access_vector($1)
- auth_read_all_dirs_except_shadow($1_t)
- auth_read_all_files_except_shadow($1_t)
- auth_read_all_symlinks_except_shadow($1_t)
+ auth_read_all_dirs_except_shadow($1)
+ auth_read_all_files_except_shadow($1)
+ auth_read_all_symlinks_except_shadow($1)
- libs_use_ld_so($1_t)
- libs_use_shared_libs($1_t)
- libs_exec_lib_files($1_t)
+ libs_use_ld_so($1)
+ libs_use_shared_libs($1)
+ libs_exec_lib_files($1)
# some config scripts use ldd
- libs_exec_ld_so($1_t)
+ libs_exec_ld_so($1)
# this violates the idea of sandbox, but
# regular sandbox allows it
- libs_domtrans_ldconfig($1_t)
+ libs_domtrans_ldconfig($1)
- logging_send_syslog_msg($1_t)
+ logging_send_syslog_msg($1)
ifdef(`TODO',`
# some gui ebuilds want to interact with X server, like xawtv
optional_policy(`
- allow $1_t xdm_xserver_tmp_t:dir { add_name remove_name write };
- allow $1_t xdm_xserver_tmp_t:sock_file { create getattr unlink write };
+ allow $1 xdm_xserver_tmp_t:dir { add_name remove_name write };
+ allow $1 xdm_xserver_tmp_t:sock_file { create getattr unlink write };
')
') dnl end TODO
')
+
+########################################
+##
+## Template for portage fetch.
+##
+##
+##
+## Domain Allowed Access
+##
+##
+#
+interface(`portage_fetch_domain',`
+
+ allow $1 self:capability dac_override;
+ dontaudit $1 self:capability { fowner fsetid };
+ allow $1 self:unix_stream_socket create_socket_perms;
+ allow $1 self:tcp_socket create_stream_socket_perms;
+
+ allow $1 portage_conf_t:dir list_dir_perms;
+ allow $1 portage_conf_t:file r_file_perms;
+
+ allow $1 portage_ebuild_t:dir manage_dir_perms;
+ allow $1 portage_ebuild_t:file manage_file_perms;
+
+ allow $1 portage_fetch_tmp_t:dir create_dir_perms;
+ allow $1 portage_fetch_tmp_t:file create_file_perms;
+
+ # portage makes home dir the portage tmp dir, so
+ # wget looks for .wgetrc there
+ dontaudit $1 portage_tmp_t:dir search_dir_perms;
+
+ kernel_read_system_state($1)
+ kernel_read_kernel_sysctls($1)
+
+ corecmd_exec_bin($1)
+ corecmd_exec_sbin($1)
+
+ corenet_non_ipsec_sendrecv($1)
+ corenet_tcp_sendrecv_generic_if($1)
+ corenet_tcp_sendrecv_all_nodes($1)
+ corenet_tcp_sendrecv_all_ports($1)
+ # would rather not connect to unspecified ports, but
+ # it occasionally comes up
+ corenet_tcp_connect_all_reserved_ports($1)
+ corenet_tcp_connect_generic_port($1)
+
+ dev_dontaudit_read_rand($1)
+
+ domain_use_interactive_fds($1)
+
+ files_read_etc_files($1)
+ files_read_etc_runtime_files($1)
+ files_search_var($1)
+ files_dontaudit_search_pids($1)
+
+ term_search_ptys($1)
+
+ libs_use_ld_so($1)
+ libs_use_shared_libs($1)
+
+ miscfiles_read_localization($1)
+
+ sysnet_read_config($1)
+ sysnet_dns_name_resolve($1)
+
+ userdom_dontaudit_read_sysadm_home_content_files($1)
+
+ ifdef(`hide_broken_symptoms',`
+ dontaudit $1 portage_cache_t:file read;
+ ')
+')
+
+########################################
+##
+## Template for portage main.
+##
+##
+##
+## Domain Allowed Access
+##
+##
+#
+interface(`portage_main_domain',`
+
+ # - setfscreate for merging to live fs
+ # - setexec to run portage fetch
+ allow $1 self:process { setfscreate setexec };
+
+ # if sesandbox is disabled, compiles are
+ # performed in the main domain
+ portage_compile_domain($1)
+
+ allow $1 portage_log_t:file create_file_perms;
+ logging_log_filetrans($1,portage_log_t,file)
+
+ # run scripts out of the build directory
+ can_exec($1,portage_tmp_t)
+
+ # merging baselayout will need this:
+ kernel_write_proc_files($1)
+
+ domain_dontaudit_read_all_domains_state($1)
+
+ # modify any files in the system
+ files_manage_all_files($1)
+
+ selinux_get_fs_mount($1)
+
+ auth_manage_shadow($1)
+
+ # merging baselayout will need this:
+ init_exec($1)
+
+ # run setfiles -r
+ seutil_domtrans_setfiles($1)
+
+ optional_policy(`
+ bootloader_domtrans($1)
+ ')
+
+ optional_policy(`
+ modutils_domtrans_depmod($1)
+ modutils_domtrans_update_mods($1)
+ #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
+ ')
+
+ optional_policy(`
+ usermanage_domtrans_groupadd($1)
+ usermanage_domtrans_useradd($1)
+ ')
+
+ ifdef(`TODO',`
+ # seems to work ok without these
+ dontaudit portage_t device_t:{ blk_file chr_file } getattr;
+ dontaudit portage_t proc_t:dir setattr;
+ dontaudit portage_t device_type:{ chr_file blk_file } r_file_perms;
+ ')
+')
diff --git a/refpolicy/policy/modules/admin/portage.te b/refpolicy/policy/modules/admin/portage.te
index 8cfa6de..c8d69ef 100644
--- a/refpolicy/policy/modules/admin/portage.te
+++ b/refpolicy/policy/modules/admin/portage.te
@@ -1,29 +1,46 @@
-policy_module(portage,1.0.1)
+policy_module(portage,1.0.2)
########################################
#
# Declarations
#
+# constraining domain
+type portage_t;
type portage_exec_t;
-files_type(portage_exec_t)
-
-portage_compile_domain_template(portage)
-domain_obj_id_change_exemption(portage_t)
-
-portage_compile_domain_template(portage_sandbox)
+domain_type(portage_t)
+domain_entry_file(portage_t,portage_exec_t)
+rsync_entry_type(portage_t)
+corecmd_shell_entry_type(portage_t)
+domain_entry_file(portage_t,portage_exec_t)
+
+# main portage domain
+type portage_t.merge;
+domain_type(portage_t.merge)
+domain_entry_file(portage_t.merge,portage_exec_t)
+domain_obj_id_change_exemption(portage_t.merge)
+
+# portage compile sandbox domain
+type portage_t.sandbox alias portage_sandbox_t;
+domain_type(portage_t.sandbox)
# the shell is the entrypoint if regular sandbox is disabled
# portage_exec_t is the entrypoint if regular sandbox is enabled
-corecmd_shell_entry_type(portage_sandbox_t)
-domain_entry_file(portage_sandbox_t,portage_exec_t)
+corecmd_shell_entry_type(portage_t.sandbox)
+domain_entry_file(portage_t.sandbox,portage_exec_t)
+
+# portage package fetching domain
+type portage_t.fetch alias portage_fetch_t;
+domain_type(portage_t.fetch)
+corecmd_shell_entry_type(portage_t.fetch)
+rsync_entry_type(portage_t.fetch)
+
+type portage_devpts_t;
+term_pty(portage_devpts_t)
type portage_ebuild_t;
files_type(portage_ebuild_t)
-type portage_fetch_t;
-domain_type(portage_fetch_t)
-
type portage_fetch_tmp_t;
files_tmp_file(portage_fetch_tmp_t)
@@ -39,73 +56,48 @@ files_type(portage_cache_t)
type portage_log_t;
logging_log_file(portage_log_t)
+type portage_tmp_t;
+files_tmp_file(portage_tmp_t)
+
+type portage_tmpfs_t;
+files_tmpfs_file(portage_tmpfs_t)
+
########################################
#
-# Portage Rules
+# Portage Constraining Rules
#
-# - setfscreate for merging to live fs
-# - setexec to run portage fetch
-allow portage_t self:process { setfscreate setexec };
-
-# transition for rsync and wget
-corecmd_shell_spec_domtrans(portage_t,portage_fetch_t)
-allow portage_fetch_t portage_t:fd use;
-allow portage_fetch_t portage_t:fifo_file rw_file_perms;
-allow portage_fetch_t portage_t:process sigchld;
-
-allow portage_t portage_log_t:file create_file_perms;
-logging_log_filetrans(portage_t,portage_log_t,file)
-
-# transition to sandbox for compiling
-domain_trans(portage_t,portage_exec_t,portage_sandbox_t)
-corecmd_shell_spec_domtrans(portage_t,portage_sandbox_t)
-allow portage_sandbox_t portage_t:fd use;
-allow portage_sandbox_t portage_t:fifo_file rw_file_perms;
-allow portage_sandbox_t portage_t:process sigchld;
-
-# run scripts out of the build directory
-can_exec(portage_t,portage_tmp_t)
-
-# merging baselayout will need this:
-kernel_write_proc_files(portage_t)
-
-domain_dontaudit_read_all_domains_state(portage_t)
-
-# modify any files in the system
-files_manage_all_files(portage_t)
-
-selinux_get_fs_mount(portage_t)
-
-auth_manage_shadow(portage_t)
+portage_main_domain(portage_t)
+portage_compile_domain(portage_t)
+portage_fetch_domain(portage_t)
-# merging baselayout will need this:
-init_exec(portage_t)
+# transition between child domains on shells and rsync
+corecmd_shell_spec_domtrans(portage_t,portage_t)
+rsync_entry_spec_domtrans(portage_t,portage_t)
-# run setfiles -r
-seutil_domtrans_setfiles(portage_t)
+########################################
+#
+# Portage Merging Rules
+#
-optional_policy(`
- bootloader_domtrans(portage_t)
-')
+portage_main_domain(portage_t.merge)
-optional_policy(`
- modutils_domtrans_depmod(portage_t)
- modutils_domtrans_update_mods(portage_t)
- #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
-')
+# if sesandbox is disabled, compiling is performed in this domain
+portage_compile_domain(portage_t.merge)
-optional_policy(`
- usermanage_domtrans_groupadd(portage_t)
- usermanage_domtrans_useradd(portage_t)
-')
+# transition for rsync and wget
+corecmd_shell_spec_domtrans(portage_t.merge,portage_t.fetch)
+rsync_entry_domtrans(portage_t.merge,portage_t.fetch)
+allow portage_t.fetch portage_t.merge:fd use;
+allow portage_t.fetch portage_t.merge:fifo_file rw_file_perms;
+allow portage_t.fetch portage_t.merge:process sigchld;
-ifdef(`TODO',`
-# seems to work ok without these
-dontaudit portage_t device_t:{ blk_file chr_file } getattr;
-dontaudit portage_t proc_t:dir setattr;
-dontaudit portage_t device_type:{ chr_file blk_file } r_file_perms;
-')
+# transition to sandbox for compiling
+domain_trans(portage_t.merge,portage_exec_t,portage_t.sandbox)
+corecmd_shell_spec_domtrans(portage_t.merge,portage_t.sandbox)
+allow portage_t.sandbox portage_t.merge:fd use;
+allow portage_t.sandbox portage_t.merge:fifo_file rw_file_perms;
+allow portage_t.sandbox portage_t.merge:process sigchld;
##########################################
#
@@ -113,67 +105,10 @@ dontaudit portage_t device_type:{ chr_file blk_file } r_file_perms;
# - for rsync and distfile fetching
#
-allow portage_fetch_t self:capability dac_override;
-dontaudit portage_fetch_t self:capability { fowner fsetid };
-allow portage_fetch_t self:unix_stream_socket create_socket_perms;
-allow portage_fetch_t self:tcp_socket create_stream_socket_perms;
-
-allow portage_fetch_t portage_conf_t:dir list_dir_perms;
-allow portage_fetch_t portage_conf_t:file r_file_perms;
-
-allow portage_fetch_t portage_ebuild_t:dir manage_dir_perms;
-allow portage_fetch_t portage_ebuild_t:file manage_file_perms;
-
-allow portage_fetch_t portage_fetch_tmp_t:dir create_dir_perms;
-allow portage_fetch_t portage_fetch_tmp_t:file create_file_perms;
-files_tmp_filetrans(portage_fetch_t, portage_fetch_tmp_t, { file dir })
-
-# portage makes home dir the portage tmp dir, so
-# wget looks for .wgetrc there
-dontaudit portage_fetch_t portage_tmp_t:dir search_dir_perms;
-
-kernel_read_system_state(portage_fetch_t)
-kernel_read_kernel_sysctls(portage_fetch_t)
-
-corecmd_exec_bin(portage_fetch_t)
-corecmd_exec_sbin(portage_fetch_t)
-
-corenet_non_ipsec_sendrecv(portage_fetch_t)
-corenet_tcp_sendrecv_generic_if(portage_fetch_t)
-corenet_tcp_sendrecv_all_nodes(portage_fetch_t)
-corenet_tcp_sendrecv_all_ports(portage_fetch_t)
-# would rather not connect to unspecified ports, but
-# it occasionally comes up
-corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
-corenet_tcp_connect_generic_port(portage_fetch_t)
-
-dev_dontaudit_read_rand(portage_fetch_t)
-
-domain_use_interactive_fds(portage_fetch_t)
+portage_fetch_domain(portage_t.fetch)
-files_read_etc_files(portage_fetch_t)
-files_read_etc_runtime_files(portage_fetch_t)
-files_search_var(portage_fetch_t)
-files_dontaudit_search_pids(portage_fetch_t)
-
-term_search_ptys(portage_fetch_t)
-
-libs_use_ld_so(portage_fetch_t)
-libs_use_shared_libs(portage_fetch_t)
-
-miscfiles_read_localization(portage_fetch_t)
-
-sysnet_read_config(portage_fetch_t)
-sysnet_dns_name_resolve(portage_fetch_t)
-
-userdom_dontaudit_read_sysadm_home_content_files(portage_fetch_t)
-
-ifdef(`hide_broken_symptoms',`
- dontaudit portage_fetch_t portage_cache_t:file read;
-')
-
-# TODO:
-#domain_auto_trans(portage_t, rsyncd_exec_t, portage_fetch_t)
+# rule outside of the above macro to fix conflicting type transitions
+files_tmp_filetrans(portage_t.fetch, portage_fetch_tmp_t, { file dir })
##########################################
#
@@ -181,12 +116,10 @@ ifdef(`hide_broken_symptoms',`
# - SELinux-enforced sandbox
#
-# seems ok w/o this
-dontaudit portage_sandbox_t portage_cache_t:dir { setattr };
-dontaudit portage_sandbox_t portage_cache_t:file { setattr write };
+portage_compile_domain(portage_t.sandbox)
-allow portage_sandbox_t portage_tmp_t:dir manage_dir_perms;
-allow portage_sandbox_t portage_tmp_t:file manage_file_perms;
-allow portage_sandbox_t portage_tmp_t:lnk_file create_lnk_perms;
-# run scripts out of the build directory
-can_exec(portage_sandbox_t,portage_tmp_t)
+ifdef(`hide_broken_symptoms',`
+ # leaked descriptors
+ dontaudit portage_t.sandbox portage_cache_t:dir { setattr };
+ dontaudit portage_t.sandbox portage_cache_t:file { setattr write };
+')
diff --git a/refpolicy/policy/modules/services/rsync.if b/refpolicy/policy/modules/services/rsync.if
index 84c701f..78e11fc 100644
--- a/refpolicy/policy/modules/services/rsync.if
+++ b/refpolicy/policy/modules/services/rsync.if
@@ -1 +1,86 @@
## Fast incremental file transfer for synchronization
+
+########################################
+##
+## Make rsync an entry point for
+## the specified domain.
+##
+##
+##
+## The domain for which init scripts are an entrypoint.
+##
+##
+# cjp: added for portage
+interface(`rsync_entry_type',`
+ gen_require(`
+ type rsync_exec_t;
+ ')
+
+ domain_entry_file($1,rsync_exec_t)
+')
+
+########################################
+##
+## Execute a rsync in a specified domain.
+##
+##
+##
+## Execute a rsync in a specified domain.
+##
+##
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+##
+##
+##
+##
+## Domain to transition from.
+##
+##
+##
+##
+## Domain to transition to.
+##
+##
+# cjp: added for portage
+interface(`rsync_entry_spec_domtrans',`
+ gen_require(`
+ type rsync_exec_t;
+ ')
+
+ domain_trans($1,rsync_exec_t,$2)
+')
+
+########################################
+##
+## Execute a rsync in a specified domain.
+##
+##
+##
+## Execute a rsync in a specified domain.
+##
+##
+## No interprocess communication (signals, pipes,
+## etc.) is provided by this interface since
+## the domains are not owned by this module.
+##
+##
+##
+##
+## Domain to transition from.
+##
+##
+##
+##
+## Domain to transition to.
+##
+##
+# cjp: added for portage
+interface(`rsync_entry_domtrans',`
+ gen_require(`
+ type rsync_exec_t;
+ ')
+
+ domain_auto_trans($1,rsync_exec_t,$2)
+')
diff --git a/refpolicy/policy/modules/services/rsync.te b/refpolicy/policy/modules/services/rsync.te
index e362e71..7e4cba2 100644
--- a/refpolicy/policy/modules/services/rsync.te
+++ b/refpolicy/policy/modules/services/rsync.te
@@ -1,5 +1,5 @@
-policy_module(rsync,1.2.1)
+policy_module(rsync,1.2.2)
########################################
#