diff --git a/refpolicy/policy/modules/admin/portage.if b/refpolicy/policy/modules/admin/portage.if index efddda5..af99899 100644 --- a/refpolicy/policy/modules/admin/portage.if +++ b/refpolicy/policy/modules/admin/portage.if @@ -20,12 +20,18 @@ interface(`portage_domtrans',` files_search_usr($1) corecmd_search_bin($1) - domain_auto_trans($1,portage_exec_t,portage_t) - allow $1 portage_t:fd use; + # constraining domain + domain_trans($1,portage_exec_t,portage_t) allow portage_t $1:fd use; allow portage_t $1:fifo_file rw_file_perms; allow portage_t $1:process sigchld; + + # main portage process + domain_auto_trans($1,portage_exec_t,portage_t.merge) + allow portage_t.merge $1:fd use; + allow portage_t.merge $1:fifo_file rw_file_perms; + allow portage_t.merge $1:process sigchld; ') ######################################## @@ -51,22 +57,21 @@ interface(`portage_domtrans',` # interface(`portage_run',` gen_require(` - type portage_t, portage_fetch_t, portage_sandbox_t; + type portage_t; + type portage_t.merge, portage_t.fetch, portage_t.sandbox; ') portage_domtrans($1) + # constraining access role $2 types portage_t; - role $2 types portage_fetch_t; - role $2 types portage_sandbox_t; - allow portage_t $3:chr_file rw_term_perms; - allow portage_fetch_t $3:chr_file rw_term_perms; - allow portage_sandbox_t $3:chr_file rw_term_perms; - # not sure about this one, may be stray fds - allow portage_t $1:udp_socket write; - allow $1 portage_t:udp_socket write; + # specific access + role $2 types { portage_t.merge portage_t.fetch portage_t.sandbox }; + allow portage_t.merge $3:chr_file rw_term_perms; + allow portage_t.fetch $3:chr_file rw_term_perms; + allow portage_t.sandbox $3:chr_file rw_term_perms; ') ######################################## @@ -79,129 +84,258 @@ interface(`portage_run',` ## does all compiling in the sandbox. ##

## -## +## ## -## Name to be used to derive types. +## Domain Allowed Access ## ## # -template(`portage_compile_domain_template',` - type $1_t; - domain_type($1_t) - domain_entry_file($1_t,portage_exec_t) - - type $1_devpts_t; - term_pty($1_devpts_t) - - type $1_tmp_t; - files_tmp_file($1_tmp_t) - - type $1_tmpfs_t; - files_tmpfs_file($1_tmpfs_t) - - allow $1_t self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw }; - allow $1_t self:process { setpgid setsched setrlimit signal_perms execmem }; - allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow $1_t self:fd use; - allow $1_t self:fifo_file rw_file_perms; - allow $1_t self:shm create_shm_perms; - allow $1_t self:sem create_sem_perms; - allow $1_t self:msgq create_msgq_perms; - allow $1_t self:msg { send receive }; - allow $1_t self:unix_dgram_socket create_socket_perms; - allow $1_t self:unix_stream_socket create_stream_socket_perms; - allow $1_t self:unix_dgram_socket sendto; - allow $1_t self:unix_stream_socket connectto; +interface(`portage_compile_domain',` + + allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw }; + allow $1 self:process { setpgid setsched setrlimit signal_perms execmem }; + allow $1 self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow $1 self:fd use; + allow $1 self:fifo_file rw_file_perms; + allow $1 self:shm create_shm_perms; + allow $1 self:sem create_sem_perms; + allow $1 self:msgq create_msgq_perms; + allow $1 self:msg { send receive }; + allow $1 self:unix_dgram_socket create_socket_perms; + allow $1 self:unix_stream_socket create_stream_socket_perms; + allow $1 self:unix_dgram_socket sendto; + allow $1 self:unix_stream_socket connectto; # really shouldnt need this - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:udp_socket create_socket_perms; + allow $1 self:tcp_socket create_stream_socket_perms; + allow $1 self:udp_socket create_socket_perms; # misc networking stuff (esp needed for compiling perl): - allow $1_t self:rawip_socket { create ioctl }; - allow $1_t self:udp_socket recvfrom; + allow $1 self:rawip_socket { create ioctl }; + allow $1 self:udp_socket recvfrom; # needed for merging dbus: - allow $1_t self:netlink_selinux_socket { bind create read }; - - allow $1_t $1_devpts_t:chr_file { rw_file_perms setattr }; - term_create_pty($1_t,$1_devpts_t) - - allow $1_t $1_tmp_t:dir manage_dir_perms; - allow $1_t $1_tmp_t:file manage_file_perms; - allow $1_t $1_tmp_t:lnk_file create_lnk_perms; - allow $1_t $1_tmp_t:fifo_file manage_file_perms; - allow $1_t $1_tmp_t:sock_file manage_file_perms; - files_tmp_filetrans($1_t,$1_tmp_t,{ dir file lnk_file sock_file fifo_file }) - - allow $1_t $1_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write }; - allow $1_t $1_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename }; - allow $1_t $1_tmpfs_t:lnk_file { create read getattr setattr link unlink rename }; - allow $1_t $1_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; - allow $1_t $1_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; - fs_tmpfs_filetrans($1_t,$1_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) - - # write merge logs - allow $1_t portage_log_t:dir setattr; - allow $1_t portage_log_t:file { append write setattr }; - - kernel_read_system_state($1_t) - kernel_read_network_state($1_t) - kernel_read_software_raid_state($1_t) - kernel_getattr_core_if($1_t) - kernel_getattr_message_if($1_t) - kernel_read_kernel_sysctls($1_t) - - corecmd_exec_all_executables($1_t) + allow $1 self:netlink_selinux_socket { bind create read }; + + allow $1 portage_devpts_t:chr_file { rw_file_perms setattr }; + term_create_pty($1,portage_devpts_t) + + # write compile logs + allow $1 portage_log_t:dir setattr; + allow $1 portage_log_t:file { append write setattr }; + + # run scripts out of the build directory + can_exec(portage_sandbox_t,portage_tmp_t) + + allow $1 portage_tmp_t:dir manage_dir_perms; + allow $1 portage_tmp_t:file manage_file_perms; + allow $1 portage_tmp_t:lnk_file create_lnk_perms; + allow $1 portage_tmp_t:fifo_file manage_file_perms; + allow $1 portage_tmp_t:sock_file manage_file_perms; + files_tmp_filetrans($1,portage_tmp_t,{ dir file lnk_file sock_file fifo_file }) + + allow $1 portage_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write }; + allow $1 portage_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename }; + allow $1 portage_tmpfs_t:lnk_file { create read getattr setattr link unlink rename }; + allow $1 portage_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; + allow $1 portage_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; + fs_tmpfs_filetrans($1,portage_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) + + kernel_read_system_state($1) + kernel_read_network_state($1) + kernel_read_software_raid_state($1) + kernel_getattr_core_if($1) + kernel_getattr_message_if($1) + kernel_read_kernel_sysctls($1) + + corecmd_exec_all_executables($1) # really shouldnt need this - corenet_non_ipsec_sendrecv($1_t) - corenet_tcp_sendrecv_generic_if($1_t) - corenet_udp_sendrecv_generic_if($1_t) - corenet_raw_sendrecv_generic_if($1_t) - corenet_tcp_sendrecv_all_nodes($1_t) - corenet_udp_sendrecv_all_nodes($1_t) - corenet_raw_sendrecv_all_nodes($1_t) - corenet_tcp_sendrecv_all_ports($1_t) - corenet_udp_sendrecv_all_ports($1_t) - corenet_tcp_connect_all_reserved_ports($1_t) - corenet_tcp_connect_distccd_port($1_t) - - dev_read_sysfs($1_t) - dev_read_rand($1_t) - dev_read_urand($1_t) - - domain_use_interactive_fds($1_t) - - files_exec_etc_files($1_t) - files_exec_usr_src_files($1_t) - - fs_getattr_xattr_fs($1_t) - fs_list_noxattr_fs($1_t) - fs_read_noxattr_fs_files($1_t) - fs_read_noxattr_fs_symlinks($1_t) - fs_search_auto_mountpoints($1_t) + corenet_non_ipsec_sendrecv($1) + corenet_tcp_sendrecv_generic_if($1) + corenet_udp_sendrecv_generic_if($1) + corenet_raw_sendrecv_generic_if($1) + corenet_tcp_sendrecv_all_nodes($1) + corenet_udp_sendrecv_all_nodes($1) + corenet_raw_sendrecv_all_nodes($1) + corenet_tcp_sendrecv_all_ports($1) + corenet_udp_sendrecv_all_ports($1) + corenet_tcp_connect_all_reserved_ports($1) + corenet_tcp_connect_distccd_port($1) + + dev_read_sysfs($1) + dev_read_rand($1) + dev_read_urand($1) + + domain_use_interactive_fds($1) + + files_exec_etc_files($1) + files_exec_usr_src_files($1) + + fs_getattr_xattr_fs($1) + fs_list_noxattr_fs($1) + fs_read_noxattr_fs_files($1) + fs_read_noxattr_fs_symlinks($1) + fs_search_auto_mountpoints($1) # needed for merging dbus: - selinux_compute_access_vector($1_t) + selinux_compute_access_vector($1) - auth_read_all_dirs_except_shadow($1_t) - auth_read_all_files_except_shadow($1_t) - auth_read_all_symlinks_except_shadow($1_t) + auth_read_all_dirs_except_shadow($1) + auth_read_all_files_except_shadow($1) + auth_read_all_symlinks_except_shadow($1) - libs_use_ld_so($1_t) - libs_use_shared_libs($1_t) - libs_exec_lib_files($1_t) + libs_use_ld_so($1) + libs_use_shared_libs($1) + libs_exec_lib_files($1) # some config scripts use ldd - libs_exec_ld_so($1_t) + libs_exec_ld_so($1) # this violates the idea of sandbox, but # regular sandbox allows it - libs_domtrans_ldconfig($1_t) + libs_domtrans_ldconfig($1) - logging_send_syslog_msg($1_t) + logging_send_syslog_msg($1) ifdef(`TODO',` # some gui ebuilds want to interact with X server, like xawtv optional_policy(` - allow $1_t xdm_xserver_tmp_t:dir { add_name remove_name write }; - allow $1_t xdm_xserver_tmp_t:sock_file { create getattr unlink write }; + allow $1 xdm_xserver_tmp_t:dir { add_name remove_name write }; + allow $1 xdm_xserver_tmp_t:sock_file { create getattr unlink write }; ') ') dnl end TODO ') + +######################################## +## +## Template for portage fetch. +## +## +## +## Domain Allowed Access +## +## +# +interface(`portage_fetch_domain',` + + allow $1 self:capability dac_override; + dontaudit $1 self:capability { fowner fsetid }; + allow $1 self:unix_stream_socket create_socket_perms; + allow $1 self:tcp_socket create_stream_socket_perms; + + allow $1 portage_conf_t:dir list_dir_perms; + allow $1 portage_conf_t:file r_file_perms; + + allow $1 portage_ebuild_t:dir manage_dir_perms; + allow $1 portage_ebuild_t:file manage_file_perms; + + allow $1 portage_fetch_tmp_t:dir create_dir_perms; + allow $1 portage_fetch_tmp_t:file create_file_perms; + + # portage makes home dir the portage tmp dir, so + # wget looks for .wgetrc there + dontaudit $1 portage_tmp_t:dir search_dir_perms; + + kernel_read_system_state($1) + kernel_read_kernel_sysctls($1) + + corecmd_exec_bin($1) + corecmd_exec_sbin($1) + + corenet_non_ipsec_sendrecv($1) + corenet_tcp_sendrecv_generic_if($1) + corenet_tcp_sendrecv_all_nodes($1) + corenet_tcp_sendrecv_all_ports($1) + # would rather not connect to unspecified ports, but + # it occasionally comes up + corenet_tcp_connect_all_reserved_ports($1) + corenet_tcp_connect_generic_port($1) + + dev_dontaudit_read_rand($1) + + domain_use_interactive_fds($1) + + files_read_etc_files($1) + files_read_etc_runtime_files($1) + files_search_var($1) + files_dontaudit_search_pids($1) + + term_search_ptys($1) + + libs_use_ld_so($1) + libs_use_shared_libs($1) + + miscfiles_read_localization($1) + + sysnet_read_config($1) + sysnet_dns_name_resolve($1) + + userdom_dontaudit_read_sysadm_home_content_files($1) + + ifdef(`hide_broken_symptoms',` + dontaudit $1 portage_cache_t:file read; + ') +') + +######################################## +## +## Template for portage main. +## +## +## +## Domain Allowed Access +## +## +# +interface(`portage_main_domain',` + + # - setfscreate for merging to live fs + # - setexec to run portage fetch + allow $1 self:process { setfscreate setexec }; + + # if sesandbox is disabled, compiles are + # performed in the main domain + portage_compile_domain($1) + + allow $1 portage_log_t:file create_file_perms; + logging_log_filetrans($1,portage_log_t,file) + + # run scripts out of the build directory + can_exec($1,portage_tmp_t) + + # merging baselayout will need this: + kernel_write_proc_files($1) + + domain_dontaudit_read_all_domains_state($1) + + # modify any files in the system + files_manage_all_files($1) + + selinux_get_fs_mount($1) + + auth_manage_shadow($1) + + # merging baselayout will need this: + init_exec($1) + + # run setfiles -r + seutil_domtrans_setfiles($1) + + optional_policy(` + bootloader_domtrans($1) + ') + + optional_policy(` + modutils_domtrans_depmod($1) + modutils_domtrans_update_mods($1) + #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms; + ') + + optional_policy(` + usermanage_domtrans_groupadd($1) + usermanage_domtrans_useradd($1) + ') + + ifdef(`TODO',` + # seems to work ok without these + dontaudit portage_t device_t:{ blk_file chr_file } getattr; + dontaudit portage_t proc_t:dir setattr; + dontaudit portage_t device_type:{ chr_file blk_file } r_file_perms; + ') +') diff --git a/refpolicy/policy/modules/admin/portage.te b/refpolicy/policy/modules/admin/portage.te index 8cfa6de..c8d69ef 100644 --- a/refpolicy/policy/modules/admin/portage.te +++ b/refpolicy/policy/modules/admin/portage.te @@ -1,29 +1,46 @@ -policy_module(portage,1.0.1) +policy_module(portage,1.0.2) ######################################## # # Declarations # +# constraining domain +type portage_t; type portage_exec_t; -files_type(portage_exec_t) - -portage_compile_domain_template(portage) -domain_obj_id_change_exemption(portage_t) - -portage_compile_domain_template(portage_sandbox) +domain_type(portage_t) +domain_entry_file(portage_t,portage_exec_t) +rsync_entry_type(portage_t) +corecmd_shell_entry_type(portage_t) +domain_entry_file(portage_t,portage_exec_t) + +# main portage domain +type portage_t.merge; +domain_type(portage_t.merge) +domain_entry_file(portage_t.merge,portage_exec_t) +domain_obj_id_change_exemption(portage_t.merge) + +# portage compile sandbox domain +type portage_t.sandbox alias portage_sandbox_t; +domain_type(portage_t.sandbox) # the shell is the entrypoint if regular sandbox is disabled # portage_exec_t is the entrypoint if regular sandbox is enabled -corecmd_shell_entry_type(portage_sandbox_t) -domain_entry_file(portage_sandbox_t,portage_exec_t) +corecmd_shell_entry_type(portage_t.sandbox) +domain_entry_file(portage_t.sandbox,portage_exec_t) + +# portage package fetching domain +type portage_t.fetch alias portage_fetch_t; +domain_type(portage_t.fetch) +corecmd_shell_entry_type(portage_t.fetch) +rsync_entry_type(portage_t.fetch) + +type portage_devpts_t; +term_pty(portage_devpts_t) type portage_ebuild_t; files_type(portage_ebuild_t) -type portage_fetch_t; -domain_type(portage_fetch_t) - type portage_fetch_tmp_t; files_tmp_file(portage_fetch_tmp_t) @@ -39,73 +56,48 @@ files_type(portage_cache_t) type portage_log_t; logging_log_file(portage_log_t) +type portage_tmp_t; +files_tmp_file(portage_tmp_t) + +type portage_tmpfs_t; +files_tmpfs_file(portage_tmpfs_t) + ######################################## # -# Portage Rules +# Portage Constraining Rules # -# - setfscreate for merging to live fs -# - setexec to run portage fetch -allow portage_t self:process { setfscreate setexec }; - -# transition for rsync and wget -corecmd_shell_spec_domtrans(portage_t,portage_fetch_t) -allow portage_fetch_t portage_t:fd use; -allow portage_fetch_t portage_t:fifo_file rw_file_perms; -allow portage_fetch_t portage_t:process sigchld; - -allow portage_t portage_log_t:file create_file_perms; -logging_log_filetrans(portage_t,portage_log_t,file) - -# transition to sandbox for compiling -domain_trans(portage_t,portage_exec_t,portage_sandbox_t) -corecmd_shell_spec_domtrans(portage_t,portage_sandbox_t) -allow portage_sandbox_t portage_t:fd use; -allow portage_sandbox_t portage_t:fifo_file rw_file_perms; -allow portage_sandbox_t portage_t:process sigchld; - -# run scripts out of the build directory -can_exec(portage_t,portage_tmp_t) - -# merging baselayout will need this: -kernel_write_proc_files(portage_t) - -domain_dontaudit_read_all_domains_state(portage_t) - -# modify any files in the system -files_manage_all_files(portage_t) - -selinux_get_fs_mount(portage_t) - -auth_manage_shadow(portage_t) +portage_main_domain(portage_t) +portage_compile_domain(portage_t) +portage_fetch_domain(portage_t) -# merging baselayout will need this: -init_exec(portage_t) +# transition between child domains on shells and rsync +corecmd_shell_spec_domtrans(portage_t,portage_t) +rsync_entry_spec_domtrans(portage_t,portage_t) -# run setfiles -r -seutil_domtrans_setfiles(portage_t) +######################################## +# +# Portage Merging Rules +# -optional_policy(` - bootloader_domtrans(portage_t) -') +portage_main_domain(portage_t.merge) -optional_policy(` - modutils_domtrans_depmod(portage_t) - modutils_domtrans_update_mods(portage_t) - #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms; -') +# if sesandbox is disabled, compiling is performed in this domain +portage_compile_domain(portage_t.merge) -optional_policy(` - usermanage_domtrans_groupadd(portage_t) - usermanage_domtrans_useradd(portage_t) -') +# transition for rsync and wget +corecmd_shell_spec_domtrans(portage_t.merge,portage_t.fetch) +rsync_entry_domtrans(portage_t.merge,portage_t.fetch) +allow portage_t.fetch portage_t.merge:fd use; +allow portage_t.fetch portage_t.merge:fifo_file rw_file_perms; +allow portage_t.fetch portage_t.merge:process sigchld; -ifdef(`TODO',` -# seems to work ok without these -dontaudit portage_t device_t:{ blk_file chr_file } getattr; -dontaudit portage_t proc_t:dir setattr; -dontaudit portage_t device_type:{ chr_file blk_file } r_file_perms; -') +# transition to sandbox for compiling +domain_trans(portage_t.merge,portage_exec_t,portage_t.sandbox) +corecmd_shell_spec_domtrans(portage_t.merge,portage_t.sandbox) +allow portage_t.sandbox portage_t.merge:fd use; +allow portage_t.sandbox portage_t.merge:fifo_file rw_file_perms; +allow portage_t.sandbox portage_t.merge:process sigchld; ########################################## # @@ -113,67 +105,10 @@ dontaudit portage_t device_type:{ chr_file blk_file } r_file_perms; # - for rsync and distfile fetching # -allow portage_fetch_t self:capability dac_override; -dontaudit portage_fetch_t self:capability { fowner fsetid }; -allow portage_fetch_t self:unix_stream_socket create_socket_perms; -allow portage_fetch_t self:tcp_socket create_stream_socket_perms; - -allow portage_fetch_t portage_conf_t:dir list_dir_perms; -allow portage_fetch_t portage_conf_t:file r_file_perms; - -allow portage_fetch_t portage_ebuild_t:dir manage_dir_perms; -allow portage_fetch_t portage_ebuild_t:file manage_file_perms; - -allow portage_fetch_t portage_fetch_tmp_t:dir create_dir_perms; -allow portage_fetch_t portage_fetch_tmp_t:file create_file_perms; -files_tmp_filetrans(portage_fetch_t, portage_fetch_tmp_t, { file dir }) - -# portage makes home dir the portage tmp dir, so -# wget looks for .wgetrc there -dontaudit portage_fetch_t portage_tmp_t:dir search_dir_perms; - -kernel_read_system_state(portage_fetch_t) -kernel_read_kernel_sysctls(portage_fetch_t) - -corecmd_exec_bin(portage_fetch_t) -corecmd_exec_sbin(portage_fetch_t) - -corenet_non_ipsec_sendrecv(portage_fetch_t) -corenet_tcp_sendrecv_generic_if(portage_fetch_t) -corenet_tcp_sendrecv_all_nodes(portage_fetch_t) -corenet_tcp_sendrecv_all_ports(portage_fetch_t) -# would rather not connect to unspecified ports, but -# it occasionally comes up -corenet_tcp_connect_all_reserved_ports(portage_fetch_t) -corenet_tcp_connect_generic_port(portage_fetch_t) - -dev_dontaudit_read_rand(portage_fetch_t) - -domain_use_interactive_fds(portage_fetch_t) +portage_fetch_domain(portage_t.fetch) -files_read_etc_files(portage_fetch_t) -files_read_etc_runtime_files(portage_fetch_t) -files_search_var(portage_fetch_t) -files_dontaudit_search_pids(portage_fetch_t) - -term_search_ptys(portage_fetch_t) - -libs_use_ld_so(portage_fetch_t) -libs_use_shared_libs(portage_fetch_t) - -miscfiles_read_localization(portage_fetch_t) - -sysnet_read_config(portage_fetch_t) -sysnet_dns_name_resolve(portage_fetch_t) - -userdom_dontaudit_read_sysadm_home_content_files(portage_fetch_t) - -ifdef(`hide_broken_symptoms',` - dontaudit portage_fetch_t portage_cache_t:file read; -') - -# TODO: -#domain_auto_trans(portage_t, rsyncd_exec_t, portage_fetch_t) +# rule outside of the above macro to fix conflicting type transitions +files_tmp_filetrans(portage_t.fetch, portage_fetch_tmp_t, { file dir }) ########################################## # @@ -181,12 +116,10 @@ ifdef(`hide_broken_symptoms',` # - SELinux-enforced sandbox # -# seems ok w/o this -dontaudit portage_sandbox_t portage_cache_t:dir { setattr }; -dontaudit portage_sandbox_t portage_cache_t:file { setattr write }; +portage_compile_domain(portage_t.sandbox) -allow portage_sandbox_t portage_tmp_t:dir manage_dir_perms; -allow portage_sandbox_t portage_tmp_t:file manage_file_perms; -allow portage_sandbox_t portage_tmp_t:lnk_file create_lnk_perms; -# run scripts out of the build directory -can_exec(portage_sandbox_t,portage_tmp_t) +ifdef(`hide_broken_symptoms',` + # leaked descriptors + dontaudit portage_t.sandbox portage_cache_t:dir { setattr }; + dontaudit portage_t.sandbox portage_cache_t:file { setattr write }; +') diff --git a/refpolicy/policy/modules/services/rsync.if b/refpolicy/policy/modules/services/rsync.if index 84c701f..78e11fc 100644 --- a/refpolicy/policy/modules/services/rsync.if +++ b/refpolicy/policy/modules/services/rsync.if @@ -1 +1,86 @@ ## Fast incremental file transfer for synchronization + +######################################## +## +## Make rsync an entry point for +## the specified domain. +## +## +## +## The domain for which init scripts are an entrypoint. +## +## +# cjp: added for portage +interface(`rsync_entry_type',` + gen_require(` + type rsync_exec_t; + ') + + domain_entry_file($1,rsync_exec_t) +') + +######################################## +## +## Execute a rsync in a specified domain. +## +## +##

+## Execute a rsync in a specified domain. +##

+##

+## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##

+##
+## +## +## Domain to transition from. +## +## +## +## +## Domain to transition to. +## +## +# cjp: added for portage +interface(`rsync_entry_spec_domtrans',` + gen_require(` + type rsync_exec_t; + ') + + domain_trans($1,rsync_exec_t,$2) +') + +######################################## +## +## Execute a rsync in a specified domain. +## +## +##

+## Execute a rsync in a specified domain. +##

+##

+## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##

+##
+## +## +## Domain to transition from. +## +## +## +## +## Domain to transition to. +## +## +# cjp: added for portage +interface(`rsync_entry_domtrans',` + gen_require(` + type rsync_exec_t; + ') + + domain_auto_trans($1,rsync_exec_t,$2) +') diff --git a/refpolicy/policy/modules/services/rsync.te b/refpolicy/policy/modules/services/rsync.te index e362e71..7e4cba2 100644 --- a/refpolicy/policy/modules/services/rsync.te +++ b/refpolicy/policy/modules/services/rsync.te @@ -1,5 +1,5 @@ -policy_module(rsync,1.2.1) +policy_module(rsync,1.2.2) ######################################## #