diff --git a/refpolicy/policy/modules/admin/portage.if b/refpolicy/policy/modules/admin/portage.if index cc54a09..cdeea5e 100644 --- a/refpolicy/policy/modules/admin/portage.if +++ b/refpolicy/policy/modules/admin/portage.if @@ -119,14 +119,14 @@ template(`portage_compile_domain_template',` allow $1_t $1_tmp_t:lnk_file create_lnk_perms; allow $1_t $1_tmp_t:fifo_file manage_file_perms; allow $1_t $1_tmp_t:sock_file manage_file_perms; - files_create_tmp($1_t,$1_tmp_t,{ dir file lnk_file sock_file fifo_file }) + files_filetrans_tmp($1_t,$1_tmp_t,{ dir file lnk_file sock_file fifo_file }) allow $1_t $1_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write }; allow $1_t $1_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename }; allow $1_t $1_tmpfs_t:lnk_file { create read getattr setattr link unlink rename }; allow $1_t $1_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; allow $1_t $1_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; - fs_create_tmpfs_data($1_t,$1_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) + fs_filetrans_tmpfs($1_t,$1_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) # write merge logs allow $1_t portage_log_t:dir setattr; @@ -160,7 +160,7 @@ template(`portage_compile_domain_template',` dev_read_urand($1_t) domain_exec_all_entry_files($1_t) - domain_use_wide_inhert_fds($1_t) + domain_use_wide_inherit_fd($1_t) files_exec_etc_files($1_t) files_exec_usr_src_files($1_t) diff --git a/refpolicy/policy/modules/admin/portage.te b/refpolicy/policy/modules/admin/portage.te index a863f9b..e8125c3 100644 --- a/refpolicy/policy/modules/admin/portage.te +++ b/refpolicy/policy/modules/admin/portage.te @@ -9,10 +9,10 @@ policy_module(portage,1.0.0) type portage_exec_t; files_type(portage_exec_t) -portage_compile_domain(portage) +portage_compile_domain_template(portage) domain_obj_id_change_exempt(portage_t) -portage_compile_domain(portage_sandbox) +portage_compile_domain_template(portage_sandbox) # the shell is the entrypoint if regular sandbox is disabled # portage_exec_t is the entrypoint if regular sandbox is enabled corecmd_shell_entry_type(portage_sandbox_t) @@ -55,7 +55,7 @@ allow portage_fetch_t portage_t:fifo_file rw_file_perms; allow portage_fetch_t portage_t:process sigchld; allow portage_t portage_log_t:file create_file_perms; -logging_create_log(portage_t,portage_log_t) +logging_filetrans_log(portage_t,portage_log_t) # transition to sandbox for compiling domain_trans(portage_t,portage_exec_t,portage_sandbox_t) @@ -65,7 +65,7 @@ allow portage_sandbox_t portage_t:fifo_file rw_file_perms; allow portage_sandbox_t portage_t:process sigchld; # run scripts out of the build directory -can_exec($1_t,portage_tmp_t) +can_exec(portage_t,portage_tmp_t) # merging baselayout will need this: kernel_write_proc_file(portage_t) @@ -89,7 +89,7 @@ optional_policy(`bootloader',` optional_policy(`modutils',` modutils_domtrans_depmod(portage_t) - modutils_domtrans_update_modules(portage_t) + modutils_domtrans_update_mods(portage_t) #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms; ') @@ -98,10 +98,12 @@ optional_policy(`usermanage',` usermanage_domtrans_useradd(portage_t) ') +ifdef(`TODO',` # seems to work ok without these dontaudit portage_t device_t:{ blk_file chr_file } getattr; dontaudit portage_t proc_t:dir setattr; dontaudit portage_t device_type:{ chr_file blk_file } r_file_perms; +') ########################################## # @@ -122,7 +124,7 @@ allow portage_fetch_t portage_ebuild_t:file manage_file_perms; allow portage_fetch_t portage_fetch_tmp_t:dir create_dir_perms; allow portage_fetch_t portage_fetch_tmp_t:file create_file_perms; -files_create_tmp_files(portage_fetch_t, portage_fetch_tmp_t, { file dir }) +files_filetrans_tmp(portage_fetch_t, portage_fetch_tmp_t, { file dir }) # portage makes home dir the portage tmp dir, so # wget looks for .wgetrc there @@ -143,16 +145,17 @@ corenet_tcp_sendrecv_all_ports(portage_fetch_t) corenet_tcp_connect_all_reserved_ports(portage_fetch_t) corenet_tcp_connect_generic_port(portage_fetch_t) -dev_search_ptys(portage_fetch_t) dev_dontaudit_read_rand(portage_fetch_t) -domain_use_wide_inherit_fds(portage_fetch_t) +domain_use_wide_inherit_fd(portage_fetch_t) files_read_etc_files(portage_fetch_t) files_read_etc_runtime_files(portage_fetch_t) files_search_var(portage_fetch_t) files_dontaudit_search_pids(portage_fetch_t) +term_search_ptys(portage_fetch_t) + libs_use_ld_so(portage_fetch_t) libs_use_shared_libs(portage_fetch_t) @@ -167,9 +170,8 @@ ifdef(`hide_broken_symptoms',` dontaudit portage_fetch_t portage_cache_t:file read; ') -ifdef(`TODO',` -domain_auto_trans(portage_t, rsyncd_exec_t, portage_fetch_t) -') +# TODO: +#domain_auto_trans(portage_t, rsyncd_exec_t, portage_fetch_t) ########################################## #