diff --git a/Changelog b/Changelog index 5458ffb..773ad92 100644 --- a/Changelog +++ b/Changelog @@ -1,3 +1,5 @@ +- Remove hierarchy from portage module as it is not a good example of + hieararchy. - Remove enableaudit target from modular build as semodule -DB supplants it. * Tue Oct 14 2008 Chris PeBenito - 20081014 diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if index 1818e03..878a7dd 100644 --- a/policy/modules/admin/portage.if +++ b/policy/modules/admin/portage.if @@ -15,20 +15,14 @@ # interface(`portage_domtrans',` gen_require(` - type portage_t, portage_t.merge, portage_exec_t; + type portage_t, portage_exec_t; ') files_search_usr($1) corecmd_search_bin($1) - # constraining domain - domain_trans($1,portage_exec_t,portage_t) - allow portage_t $1:fd use; - allow portage_t $1:fifo_file rw_fifo_file_perms; - allow portage_t $1:process sigchld; - # transition to portage - domtrans_pattern($1, portage_exec_t, portage_t.merge) + domtrans_pattern($1, portage_exec_t, portage_t) ') ######################################## @@ -55,21 +49,14 @@ interface(`portage_domtrans',` # interface(`portage_run',` gen_require(` - type portage_t; - type portage_t.merge, portage_t.fetch, portage_t.sandbox; + type portage_t, portage_fetch_t, portage_sandbox_t; ') portage_domtrans($1) - - # constraining access - role $2 types portage_t; + role $2 types { portage_t portage_fetch_t portage_sandbox_t }; allow portage_t $3:chr_file rw_term_perms; - - # specific access - role $2 types { portage_t.merge portage_t.fetch portage_t.sandbox }; - allow portage_t.merge $3:chr_file rw_term_perms; - allow portage_t.fetch $3:chr_file rw_term_perms; - allow portage_t.sandbox $3:chr_file rw_term_perms; + allow portage_fetch_t $3:chr_file rw_term_perms; + allow portage_sandbox_t $3:chr_file rw_term_perms; ') ######################################## 
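Review bot: portage_domtrans now lands the caller directly in portage_t, which the portage.te part of this change gives files_manage_all_files and auth_manage_shadow, yet nothing in the interface says the target is effectively root-equivalent. The interface's <summary> block sits above this hunk, so the addition goes there; suggest a line such as `## portage_t may write any file on the system, including shadow, so only trusted administrative domains should call this.` The replacement of the hand-written domain_trans/fd/fifo/sigchld rules with `domtrans_pattern($1, portage_exec_t, portage_t)` looks equivalent, assuming this tree's domtrans_pattern carries the fd use, fifo rw and sigchld rules as the removed lines did.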
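Review bot: `role $2 types { portage_t portage_fetch_t portage_sandbox_t };` in portage_run is needed because, per the portage.te hunk, portage_t reaches the fetch and sandbox domains on its own through shell and rsync entry points rather than through this interface, but the hunk gives no hint of that and a later cleanup trimming the set to portage_t would silently break those transitions. Suggest a comment above the rule: `# portage_t transitions to the fetch and sandbox domains itself, so the role needs all three`. As a point of style, the three terminal rules can be one: `allow { portage_t portage_fetch_t portage_sandbox_t } $3:chr_file rw_term_perms;`.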
@@ -212,156 +199,6 @@ interface(`portage_compile_domain',` ######################################## ## -## Template for portage fetch. -## -## -## -## Domain Allowed Access -## -## -# -interface(`portage_fetch_domain',` - gen_require(` - type portage_cache_t, portage_conf_t, portage_ebuild_t; - type portage_tmp_t, portage_fetch_tmp_t; - ') - - allow $1 self:capability { dac_override fowner fsetid }; - allow $1 self:process signal; - allow $1 self:unix_stream_socket create_socket_perms; - allow $1 self:tcp_socket create_stream_socket_perms; - - allow $1 portage_conf_t:dir list_dir_perms; - read_files_pattern($1, portage_conf_t, portage_conf_t) - - manage_dirs_pattern($1, portage_ebuild_t, portage_ebuild_t) - manage_files_pattern($1, portage_ebuild_t, portage_ebuild_t) - - manage_dirs_pattern($1, portage_fetch_tmp_t, portage_fetch_tmp_t) - manage_files_pattern($1, portage_fetch_tmp_t, portage_fetch_tmp_t) - - # portage makes home dir the portage tmp dir, so - # wget looks for .wgetrc there - dontaudit $1 portage_tmp_t:dir search_dir_perms; - - kernel_read_system_state($1) - kernel_read_kernel_sysctls($1) - - corecmd_exec_bin($1) - - corenet_all_recvfrom_unlabeled($1) - corenet_all_recvfrom_netlabel($1) - corenet_tcp_sendrecv_generic_if($1) - corenet_tcp_sendrecv_all_nodes($1) - corenet_tcp_sendrecv_all_ports($1) - # would rather not connect to unspecified ports, but - # it occasionally comes up - corenet_tcp_connect_all_reserved_ports($1) - corenet_tcp_connect_generic_port($1) - - dev_dontaudit_read_rand($1) - - domain_use_interactive_fds($1) - - files_read_etc_files($1) - files_read_etc_runtime_files($1) - files_search_var($1) - files_dontaudit_search_pids($1) - - term_search_ptys($1) - - libs_use_ld_so($1) - libs_use_shared_libs($1) - - miscfiles_read_localization($1) - - sysnet_read_config($1) - sysnet_dns_name_resolve($1) - - sysadm_dontaudit_read_home_content_files($1) - - ifdef(`hide_broken_symptoms',` - dontaudit $1 portage_cache_t:file read; - ') -') - 
-######################################## -## -## Template for portage main. -## -## -## -## Domain Allowed Access -## -## -# -interface(`portage_main_domain',` - gen_require(` - type portage_log_t, portage_tmp_t; - ') - - # - setfscreate for merging to live fs - # - setexec to run portage fetch - allow $1 self:process { setfscreate setexec }; - - # if sesandbox is disabled, compiles are - # performed in the main domain - portage_compile_domain($1) - - allow $1 portage_log_t:file manage_file_perms; - logging_log_filetrans($1, portage_log_t, file) - - # run scripts out of the build directory - can_exec($1, portage_tmp_t) - - # merging baselayout will need this: - kernel_write_proc_files($1) - - domain_dontaudit_read_all_domains_state($1) - - # modify any files in the system - files_manage_all_files($1) - - selinux_get_fs_mount($1) - - auth_manage_shadow($1) - - # merging baselayout will need this: - init_exec($1) - - # run setfiles -r - seutil_domtrans_setfiles($1) - # run semodule - seutil_domtrans_semanage($1) - - portage_domtrans_gcc_config($1) - - optional_policy(` - bootloader_domtrans($1) - ') - - optional_policy(` - modutils_domtrans_depmod($1) - modutils_domtrans_update_mods($1) - #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms; - ') - - optional_policy(` - usermanage_domtrans_groupadd($1) - usermanage_domtrans_useradd($1) - ') - - ifdef(`TODO',` - # seems to work ok without these - dontaudit portage_t device_t:{ blk_file chr_file } getattr; - dontaudit portage_t proc_t:dir setattr; - dontaudit portage_t device_type:chr_file read_chr_file_perms; - dontaudit portage_t device_type:blk_file read_blk_file_perms; - ') -') - -######################################## -## ## Execute gcc-config in the gcc_config domain. ## ## @@ -409,8 +246,6 @@ interface(`portage_run_gcc_config',` ') portage_domtrans_gcc_config($1) - - # constraining access role $2 types gcc_config_t; allow gcc_config_t $3:chr_file rw_term_perms; ') 
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te index d6e817a..d2a092e 100644 --- a/policy/modules/admin/portage.te +++ b/policy/modules/admin/portage.te @@ -1,5 +1,5 @@ -policy_module(portage, 1.6.0) +policy_module(portage, 1.6.1) ######################################## # @@ -14,26 +14,22 @@ application_domain(gcc_config_t, gcc_config_exec_t) type portage_t; type portage_exec_t; application_domain(portage_t, portage_exec_t) +domain_obj_id_change_exemption(portage_t) rsync_entry_type(portage_t) corecmd_shell_entry_type(portage_t) -# portage domain for merging packages to the live fs -type portage_t.merge; -application_domain(portage_t.merge, portage_exec_t) -domain_obj_id_change_exemption(portage_t.merge) - # portage compile sandbox domain -type portage_t.sandbox alias portage_sandbox_t; -application_domain(portage_t.sandbox,portage_exec_t) +type portage_sandbox_t; +application_domain(portage_sandbox_t, portage_exec_t) # the shell is the entrypoint if regular sandbox is disabled # portage_exec_t is the entrypoint if regular sandbox is enabled -corecmd_shell_entry_type(portage_t.sandbox) +corecmd_shell_entry_type(portage_sandbox_t) # portage package fetching domain -type portage_t.fetch alias portage_fetch_t; -application_type(portage_t.fetch) -corecmd_shell_entry_type(portage_t.fetch) -rsync_entry_type(portage_t.fetch) +type portage_fetch_t; +application_type(portage_fetch_t) +corecmd_shell_entry_type(portage_fetch_t) +rsync_entry_type(portage_fetch_t) type portage_devpts_t; term_pty(portage_devpts_t) 
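Review bot: `rsync_entry_type(portage_t)` and `corecmd_shell_entry_type(portage_t)`, the context lines right after the new `domain_obj_id_change_exemption(portage_t)`, look like leftovers of the constraining-parent design, where portage_t had to carry every entrypoint of its children; in the rest of this change rsync and shell executions from portage_t go to portage_fetch_t or portage_sandbox_t, and the only entry into portage_t that portage.if offers is portage_exec_t. Unless something outside this diff still enters portage_t via rsync or a shell, drop those two lines so the domain's entrypoint set stays minimal. The exemption itself also lost its explanation when the merge-domain comment was deleted; suggest `# merging to the live fs presumably creates/relabels files under other users' identities` above it, with the "presumably" resolved by whoever confirms the constraint it lifts.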
@@ -119,42 +115,81 @@ optional_policy(` ######################################## # -# Portage Constraining Rules +# Portage Merging Rules # -portage_main_domain(portage_t) -portage_compile_domain(portage_t) -portage_fetch_domain(portage_t) +# - setfscreate for merging to live fs +# - setexec to run portage fetch +allow portage_t self:process { setfscreate setexec }; -# transition between child domains on shells and rsync -corecmd_shell_spec_domtrans(portage_t, portage_t) -rsync_entry_spec_domtrans(portage_t, portage_t) +allow portage_t portage_log_t:file manage_file_perms; +logging_log_filetrans(portage_t, portage_log_t, file) -######################################## -# -# Portage Merging Rules -# +allow portage_t { portage_fetch_t portage_sandbox_t }:process signal; + +# transition for rsync and wget +corecmd_shell_spec_domtrans(portage_t, portage_fetch_t) +rsync_entry_domtrans(portage_t, portage_fetch_t) +allow portage_fetch_t portage_t:fd use; +allow portage_fetch_t portage_t:fifo_file rw_file_perms; +allow portage_fetch_t portage_t:process sigchld; + +# transition to sandbox for compiling +domain_trans(portage_t, portage_exec_t, portage_sandbox_t) +corecmd_shell_spec_domtrans(portage_t, portage_sandbox_t) +allow portage_sandbox_t portage_t:fd use; +allow portage_sandbox_t portage_t:fifo_file rw_file_perms; +allow portage_sandbox_t portage_t:process sigchld; + +# run scripts out of the build directory +can_exec(portage_t, portage_tmp_t) -portage_main_domain(portage_t.merge) +# merging baselayout will need this: +kernel_write_proc_files(portage_t) +domain_dontaudit_read_all_domains_state(portage_t) + +# modify any files in the system +files_manage_all_files(portage_t) + +selinux_get_fs_mount(portage_t) + +auth_manage_shadow(portage_t) + +# merging baselayout will need this: +init_exec(portage_t) + +# run setfiles -r +seutil_domtrans_setfiles(portage_t) +# run semodule +seutil_domtrans_semanage(portage_t) + +portage_domtrans_gcc_config(portage_t) # if sesandbox 
is disabled, compiling is performed in this domain -portage_compile_domain(portage_t.merge) +portage_compile_domain(portage_t) -allow portage_t.merge { portage_t.fetch portage_t.sandbox }:process signal; +optional_policy(` + bootloader_domtrans(portage_t) +') -# transition for rsync and wget -corecmd_shell_spec_domtrans(portage_t.merge,portage_t.fetch) -rsync_entry_domtrans(portage_t.merge, portage_t.fetch) -allow portage_t.fetch portage_t.merge:fd use; -allow portage_t.fetch portage_t.merge:fifo_file rw_file_perms; -allow portage_t.fetch portage_t.merge:process sigchld; +optional_policy(` + modutils_domtrans_depmod(portage_t) + modutils_domtrans_update_mods(portage_t) + #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms; +') -# transition to sandbox for compiling -domain_trans(portage_t.merge, portage_exec_t, portage_t.sandbox) -corecmd_shell_spec_domtrans(portage_t.merge, portage_t.sandbox) -allow portage_t.sandbox portage_t.merge:fd use; -allow portage_t.sandbox portage_t.merge:fifo_file rw_file_perms; -allow portage_t.sandbox portage_t.merge:process sigchld; +optional_policy(` + usermanage_domtrans_groupadd(portage_t) + usermanage_domtrans_useradd(portage_t) +') + +ifdef(`TODO',` +# seems to work ok without these +dontaudit portage_t device_t:{ blk_file chr_file } getattr; +dontaudit portage_t proc_t:dir setattr; +dontaudit portage_t device_type:chr_file read_chr_file_perms; +dontaudit portage_t device_type:blk_file read_blk_file_perms; +') ########################################## # 
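Review bot: `allow portage_fetch_t portage_t:fifo_file rw_file_perms;` and the matching portage_sandbox_t line apply the generic file macro to a fifo_file, whereas the rules this same commit removes from portage.if used the class-specific `rw_fifo_file_perms`; prefer `allow portage_fetch_t portage_t:fifo_file rw_fifo_file_perms;` for both so the class and macro agree. The fd/fifo/sigchld triple is written out twice; if this tree's pattern library provides spec_domtrans_pattern, each triple plus its domain_trans/corecmd_shell_spec_domtrans call collapses into one call, which is easier to audit. Also, `files_manage_all_files(portage_t)` and `auth_manage_shadow(portage_t)` now sit on the domain every portage_domtrans caller enters; the section header "Portage Merging Rules" would benefit from one line stating that portage_t is a trusted, root-equivalent domain by design, e.g. `# portage_t is fully trusted: it installs packages into the live filesystem`.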
@@ -162,11 +197,64 @@ allow portage_t.sandbox portage_t.merge:process sigchld; # - for rsync and distfile fetching # -portage_fetch_domain(portage_t.fetch) +allow portage_fetch_t self:capability { dac_override fowner fsetid }; +allow portage_fetch_t self:process signal; +allow portage_fetch_t self:unix_stream_socket create_socket_perms; +allow portage_fetch_t self:tcp_socket create_stream_socket_perms; + +allow portage_fetch_t portage_conf_t:dir list_dir_perms; +read_files_pattern(portage_fetch_t, portage_conf_t, portage_conf_t) + +manage_dirs_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t) +manage_files_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t) + +manage_dirs_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t) +manage_files_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t) +files_tmp_filetrans(portage_fetch_t, portage_fetch_tmp_t, { file dir }) + +# portage makes home dir the portage tmp dir, so +# wget looks for .wgetrc there +dontaudit portage_fetch_t portage_tmp_t:dir search_dir_perms; + +kernel_read_system_state(portage_fetch_t) +kernel_read_kernel_sysctls(portage_fetch_t) + +corecmd_exec_bin(portage_fetch_t) -# this rule is outside of the above macro to fix conflicting type -# transitions seen in the rules for the constraining type (portage_t) -files_tmp_filetrans(portage_t.fetch, portage_fetch_tmp_t, { file dir }) +corenet_all_recvfrom_unlabeled(portage_fetch_t) +corenet_all_recvfrom_netlabel(portage_fetch_t) +corenet_tcp_sendrecv_generic_if(portage_fetch_t) +corenet_tcp_sendrecv_all_nodes(portage_fetch_t) +corenet_tcp_sendrecv_all_ports(portage_fetch_t) +# would rather not connect to unspecified ports, but +# it occasionally comes up +corenet_tcp_connect_all_reserved_ports(portage_fetch_t) +corenet_tcp_connect_generic_port(portage_fetch_t) + +dev_dontaudit_read_rand(portage_fetch_t) + +domain_use_interactive_fds(portage_fetch_t) + +files_read_etc_files(portage_fetch_t) 
+files_read_etc_runtime_files(portage_fetch_t) +files_search_var(portage_fetch_t) +files_dontaudit_search_pids(portage_fetch_t) + +term_search_ptys(portage_fetch_t) + +libs_use_ld_so(portage_fetch_t) +libs_use_shared_libs(portage_fetch_t) + +miscfiles_read_localization(portage_fetch_t) + +sysnet_read_config(portage_fetch_t) +sysnet_dns_name_resolve(portage_fetch_t) + +sysadm_dontaudit_read_home_content_files(portage_fetch_t) + +ifdef(`hide_broken_symptoms',` + dontaudit portage_fetch_t portage_cache_t:file read; +') ########################################## # @@ -174,10 +262,10 @@ files_tmp_filetrans(portage_t.fetch, portage_fetch_tmp_t, { file dir }) # - SELinux-enforced sandbox # -portage_compile_domain(portage_t.sandbox) +portage_compile_domain(portage_sandbox_t) ifdef(`hide_broken_symptoms',` # leaked descriptors - dontaudit portage_t.sandbox portage_cache_t:dir { setattr }; - dontaudit portage_t.sandbox portage_cache_t:file { setattr write }; + dontaudit portage_sandbox_t portage_cache_t:dir { setattr }; + dontaudit portage_sandbox_t portage_cache_t:file { setattr write }; ')
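Review bot: the fetch domain keeps `corenet_tcp_connect_all_reserved_ports` and `corenet_tcp_connect_generic_port` while also holding `dac_override` and full manage rights on portage_ebuild_t, so the domain that receives untrusted bytes from the network is also the one allowed to rewrite the ebuild tree with any port as a peer. These rules are carried over from the removed portage_fetch_domain interface rather than newly introduced, but moving them into the .te is a natural point to narrow them: the comment already says unspecified ports only "occasionally" come up, so the common case could be expressed with the specific port interfaces (http, ftp and rsync, if this tree provides them) and the two broad connect rules placed under a tunable_policy block instead of being unconditional. The enclosing portage_fetch_t rule set starts in the previous physical line of this hunk; I have not verified which port interfaces exist in this corecmd/corenet revision, so confirm before switching.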