diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 82a1694..fbe4f5c 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,4 +1,5 @@ - Added modules: + portage usernetctl * Tue Jan 17 2006 Chris PeBenito - 20060117
diff --git a/refpolicy/policy/modules/admin/portage.fc b/refpolicy/policy/modules/admin/portage.fc
new file mode 100644
index 0000000..af0c5fe
--- /dev/null
+++ b/refpolicy/policy/modules/admin/portage.fc
@@ -0,0 +1,21 @@
+/etc/make.conf -- gen_context(system_u:object_r:portage_conf_t,s0)
+/etc/make.globals -- gen_context(system_u:object_r:portage_conf_t,s0)
+/etc/portage(/.*)? gen_context(system_u:object_r:portage_conf_t,s0)
+
+/usr/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib(64)?/portage/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/portage/bin/ebuild -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib(64)?/portage/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib(64)?/portage/bin/quickpkg -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib(64)?/portage/bin/ebuild.sh -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib(64)?/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/lib(64)?/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
+
+/usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
+
+/var/db/pkg(/.*)? gen_context(system_u:object_r:portage_db_t,s0)
+/var/cache/edb(/.*)? gen_context(system_u:object_r:portage_cache_t,s0)
+/var/log/emerge.log.* -- gen_context(system_u:object_r:portage_log_t,s0)
+/var/lib/portage(/.*)? gen_context(system_u:object_r:portage_cache_t,s0)
+/var/tmp/portage(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
+/var/tmp/portage-pkg(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0)
diff --git a/refpolicy/policy/modules/admin/portage.if b/refpolicy/policy/modules/admin/portage.if
new file mode 100644
index 0000000..cc54a09 
--- /dev/null
+++ b/refpolicy/policy/modules/admin/portage.if
@@ -0,0 +1,199 @@
+##
+## Portage Package Management System. The primary package management and
+## distribution system for Gentoo.
+##
+
+########################################
+##
+## Execute emerge in the portage domain.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`portage_domtrans',`
+ gen_require(`
+ type portage_t, portage_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domain_auto_trans($1,portage_exec_t,portage_t)
+
+ allow $1 portage_t:fd use;
+ allow portage_t $1:fd use;
+ allow portage_t $1:fifo_file rw_file_perms;
+ allow portage_t $1:process sigchld;
+')
+
+########################################
+##
+## Execute emerge in the portage domain, and
+## allow the specified role the portage domain.
+##
+##
+## Domain allowed access.
+##
+##
+## The role to allow the portage domain.
+##
+##
+## The type of the terminal allow for portage to use.
+##
+#
+interface(`portage_run',`
+ gen_require(`
+ type portage_t, portage_fetch_t, portage_sandbox_t;
+ ')
+
+ portage_domtrans($1)
+
+ role $2 types portage_t;
+ role $2 types portage_fetch_t;
+ role $2 types portage_sandbox_t;
+
+ allow portage_t $3:chr_file rw_term_perms;
+ allow portage_fetch_t $3:chr_file rw_term_perms;
+ allow portage_sandbox_t $3:chr_file rw_term_perms;
+
+ # not sure about this one, may be stray fds
+ allow portage_t $1:udp_socket write;
+ allow $1 portage_t:udp_socket write;
+')
+
+########################################
+##
+## Template for portage sandbox.
+##
+##
+##

+## Template for portage sandbox. Portage
+## does all compiling in the sandbox.
+##

+##
+##
+## Name to be used to derive types.
+##
+#
+template(`portage_compile_domain_template',`
+ type $1_t;
+ domain_type($1_t)
+ domain_entry_file($1_t,portage_exec_t)
+
+ type $1_devpts_t;
+ term_pty($1_devpts_t)
+
+ type $1_tmp_t;
+ files_tmp_file($1_tmp_t)
+
+ type $1_tmpfs_t;
+ files_tmpfs_file($1_tmpfs_t)
+
+ allow $1_t self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
+ allow $1_t self:process { setpgid setsched setrlimit signal_perms execmem };
+ allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow $1_t self:fd use;
+ allow $1_t self:fifo_file rw_file_perms;
+ allow $1_t self:shm create_shm_perms;
+ allow $1_t self:sem create_sem_perms;
+ allow $1_t self:msgq create_msgq_perms;
+ allow $1_t self:msg { send receive };
+ allow $1_t self:unix_dgram_socket create_socket_perms;
+ allow $1_t self:unix_stream_socket create_stream_socket_perms;
+ allow $1_t self:unix_dgram_socket sendto;
+ allow $1_t self:unix_stream_socket connectto;
+ # really shouldnt need this
+ allow $1_t self:tcp_socket create_stream_socket_perms;
+ allow $1_t self:udp_socket create_socket_perms;
+ # misc networking stuff (esp needed for compiling perl):
+ allow $1_t self:rawip_socket { create ioctl };
+ allow $1_t self:udp_socket recvfrom;
+ # needed for merging dbus:
+ allow $1_sandbox_t self:netlink_selinux_socket { bind create read };
+
+ allow $1_t $1_devpts_t:chr_file { rw_file_perms setattr };
+ term_create_pty($1_t,$1_devpts_t)
+
+ allow $1_t $1_tmp_t:dir manage_dir_perms;
+ allow $1_t $1_tmp_t:file manage_file_perms;
+ allow $1_t $1_tmp_t:lnk_file create_lnk_perms;
+ allow $1_t $1_tmp_t:fifo_file manage_file_perms;
+ allow $1_t $1_tmp_t:sock_file manage_file_perms;
+ files_create_tmp($1_t,$1_tmp_t,{ dir file lnk_file sock_file fifo_file })
+
+ allow $1_t $1_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write };
+ allow $1_t $1_tmpfs_t:file { create ioctl read getattr lock 
write setattr append link unlink rename };
+ allow $1_t $1_tmpfs_t:lnk_file { create read getattr setattr link unlink rename };
+ allow $1_t $1_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename };
+ allow $1_t $1_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename };
+ fs_create_tmpfs_data($1_t,$1_tmpfs_t,{ dir file lnk_file sock_file fifo_file })
+
+ # write merge logs
+ allow $1_t portage_log_t:dir setattr;
+ allow $1_t portage_log_t:file { append write setattr };
+
+ kernel_read_system_state($1_t)
+ kernel_read_network_state($1_t)
+ kernel_read_software_raid_state($1_t)
+ kernel_getattr_core($1_t)
+ kernel_getattr_message_if($1_t)
+ kernel_read_kernel_sysctl($1_t)
+
+ corecmd_exec_bin($1_t)
+ corecmd_exec_sbin($1_t)
+
+ # really shouldnt need this
+ corenet_non_ipsec_sendrecv($1_t)
+ corenet_tcp_sendrecv_generic_if($1_t)
+ corenet_udp_sendrecv_generic_if($1_t)
+ corenet_raw_sendrecv_generic_if($1_t)
+ corenet_tcp_sendrecv_all_nodes($1_t)
+ corenet_udp_sendrecv_all_nodes($1_t)
+ corenet_raw_sendrecv_all_nodes($1_t)
+ corenet_tcp_sendrecv_all_ports($1_t)
+ corenet_udp_sendrecv_all_ports($1_t)
+ corenet_tcp_connect_all_reserved_ports($1_t)
+ corenet_tcp_connect_distccd_port($1_t)
+
+ dev_read_sysfs($1_t)
+ dev_read_rand($1_t)
+ dev_read_urand($1_t)
+
+ domain_exec_all_entry_files($1_t)
+ domain_use_wide_inhert_fds($1_t)
+
+ files_exec_etc_files($1_t)
+ files_exec_usr_src_files($1_t)
+
+ fs_getattr_xattr_fs($1_t)
+ fs_list_noxattr_fs($1_t)
+ fs_read_noxattr_fs_files($1_t)
+ fs_read_noxattr_fs_symlinks($1_t)
+ fs_search_auto_mountpoints($1_t)
+
+ # needed for merging dbus:
+ selinux_compute_access_vector($1_t)
+
+ auth_read_all_dirs_except_shadow($1_t)
+ auth_read_all_files_except_shadow($1_t)
+ auth_read_all_symlinks_except_shadow($1_t)
+
+ libs_use_ld_so($1_t)
+ libs_use_shared_libs($1_t)
+ libs_exec_lib_files($1_t)
+ # some config scripts use ldd
+ libs_exec_ld_so($1_t)
+ # this 
violates the idea of sandbox, but
+ # regular sandbox allows it
+ libs_domtrans_ldconfig($1_t)
+
+ logging_send_syslog_msg($1_t)
+
+ ifdef(`TODO',`
+ # some gui ebuilds want to interact with X server, like xawtv
+ optional_policy(`xdm',`
+ allow $1_t xdm_xserver_tmp_t:dir { add_name remove_name write };
+ allow $1_t xdm_xserver_tmp_t:sock_file { create getattr unlink write };
+ ')
+ ') dnl end TODO
+')
diff --git a/refpolicy/policy/modules/admin/portage.te b/refpolicy/policy/modules/admin/portage.te
new file mode 100644
index 0000000..a863f9b
--- /dev/null
+++ b/refpolicy/policy/modules/admin/portage.te 
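Review bot: In portage_compile_domain_template the dbus rule is written against `$1_sandbox_t` rather than `$1_t`, so the second instantiation in portage.te (`portage_sandbox`) would reference a non-existent portage_sandbox_sandbox_t; it should read `allow $1_t self:netlink_selinux_socket { bind create read };`. A few lines further down `domain_use_wide_inhert_fds($1_t)` is misspelled — portage.te calls the same interface as `domain_use_wide_inherit_fds`, and the template should too. In portage_run the two `udp_socket write` rules are granted on the stated guess that they cover stray descriptors; if that is the case, a `dontaudit` pair silences the denial without handing the caller's sockets to the portage domain.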
@@ -0,0 +1,188 @@
+
+policy_module(portage,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type portage_exec_t;
+files_type(portage_exec_t)
+
+portage_compile_domain(portage)
+domain_obj_id_change_exempt(portage_t)
+
+portage_compile_domain(portage_sandbox)
+# the shell is the entrypoint if regular sandbox is disabled
+# portage_exec_t is the entrypoint if regular sandbox is enabled
+corecmd_shell_entry_type(portage_sandbox_t)
+domain_entry_file(portage_sandbox_t,portage_exec_t)
+
+type portage_ebuild_t;
+files_type(portage_ebuild_t)
+
+type portage_fetch_t;
+domain_type(portage_fetch_t)
+
+type portage_fetch_tmp_t;
+files_tmp_file(portage_fetch_tmp_t)
+
+type portage_db_t;
+files_type(portage_db_t)
+
+type portage_conf_t;
+files_type(portage_conf_t)
+
+type portage_cache_t;
+files_type(portage_cache_t)
+
+type portage_log_t;
+logging_log_file(portage_log_t)
+
+########################################
+#
+# Portage Rules
+#
+
+# - setfscreate for merging to live fs
+# - setexec to run portage fetch
+allow portage_t self:process { setfscreate setexec };
+
+# transition for rsync and wget
+corecmd_shell_spec_domtrans(portage_t,portage_fetch_t)
+allow portage_fetch_t portage_t:fd use;
+allow portage_fetch_t portage_t:fifo_file rw_file_perms;
+allow portage_fetch_t portage_t:process sigchld;
+
+allow portage_t portage_log_t:file create_file_perms;
+logging_create_log(portage_t,portage_log_t)
+
+# transition to sandbox for compiling
+domain_trans(portage_t,portage_exec_t,portage_sandbox_t)
+corecmd_shell_spec_domtrans(portage_t,portage_sandbox_t)
+allow portage_sandbox_t portage_t:fd use;
+allow portage_sandbox_t portage_t:fifo_file rw_file_perms;
+allow portage_sandbox_t portage_t:process sigchld;
+
+# run scripts out of the build directory
+can_exec($1_t,portage_tmp_t)
+
+# merging baselayout will need this:
+kernel_write_proc_file(portage_t)
+
+domain_dontaudit_read_all_domains_state(portage_t)
+
+# modify any files in the system 
+files_manage_all_files(portage_t)
+
+selinux_get_fs_mount(portage_t)
+
+# merging baselayout will need this:
+init_exec(portage_t)
+
+# run setfiles -r
+seutil_domtrans_setfiles(portage_t)
+
+optional_policy(`bootloader',`
+ bootloader_domtrans(portage_t)
+')
+
+optional_policy(`modutils',`
+ modutils_domtrans_depmod(portage_t)
+ modutils_domtrans_update_modules(portage_t)
+ #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
+')
+
+optional_policy(`usermanage',`
+ usermanage_domtrans_groupadd(portage_t)
+ usermanage_domtrans_useradd(portage_t)
+')
+
+# seems to work ok without these
+dontaudit portage_t device_t:{ blk_file chr_file } getattr;
+dontaudit portage_t proc_t:dir setattr;
+dontaudit portage_t device_type:{ chr_file blk_file } r_file_perms;
+
+##########################################
+#
+# Portage fetch domain
+# - for rsync and distfile fetching
+#
+
+allow portage_fetch_t self:capability dac_override;
+dontaudit portage_fetch_t self:capability { fowner fsetid };
+allow portage_fetch_t self:unix_stream_socket create_socket_perms;
+allow portage_fetch_t self:tcp_socket create_stream_socket_perms;
+
+allow portage_fetch_t portage_conf_t:dir list_dir_perms;
+allow portage_fetch_t portage_conf_t:file r_file_perms;
+
+allow portage_fetch_t portage_ebuild_t:dir manage_dir_perms;
+allow portage_fetch_t portage_ebuild_t:file manage_file_perms;
+
+allow portage_fetch_t portage_fetch_tmp_t:dir create_dir_perms;
+allow portage_fetch_t portage_fetch_tmp_t:file create_file_perms;
+files_create_tmp_files(portage_fetch_t, portage_fetch_tmp_t, { file dir })
+
+# portage makes home dir the portage tmp dir, so
+# wget looks for .wgetrc there
+dontaudit portage_fetch_t portage_tmp_t:dir search_dir_perms;
+
+kernel_read_system_state(portage_fetch_t)
+kernel_read_kernel_sysctl(portage_fetch_t)
+
+corecmd_exec_bin(portage_fetch_t)
+corecmd_exec_sbin(portage_fetch_t)
+
+corenet_non_ipsec_sendrecv(portage_fetch_t) 
+corenet_tcp_sendrecv_generic_if(portage_fetch_t)
+corenet_tcp_sendrecv_all_nodes(portage_fetch_t)
+corenet_tcp_sendrecv_all_ports(portage_fetch_t)
+# would rather not connect to unspecified ports, but
+# it occasionally comes up
+corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
+corenet_tcp_connect_generic_port(portage_fetch_t)
+
+dev_search_ptys(portage_fetch_t)
+dev_dontaudit_read_rand(portage_fetch_t)
+
+domain_use_wide_inherit_fds(portage_fetch_t)
+
+files_read_etc_files(portage_fetch_t)
+files_read_etc_runtime_files(portage_fetch_t)
+files_search_var(portage_fetch_t)
+files_dontaudit_search_pids(portage_fetch_t)
+
+libs_use_ld_so(portage_fetch_t)
+libs_use_shared_libs(portage_fetch_t)
+
+miscfiles_read_localization(portage_fetch_t)
+
+sysnet_read_config(portage_fetch_t)
+sysnet_dns_name_resolve(portage_fetch_t)
+
+userdom_dontaudit_read_sysadm_home_files(portage_fetch_t)
+
+ifdef(`hide_broken_symptoms',`
+ dontaudit portage_fetch_t portage_cache_t:file read;
+')
+
+ifdef(`TODO',`
+domain_auto_trans(portage_t, rsyncd_exec_t, portage_fetch_t)
+')
+
+##########################################
+#
+# Portage sandbox domain
+# - SELinux-enforced sandbox
+#
+
+# seems ok w/o this
+dontaudit portage_sandbox_t portage_cache_t:dir { setattr };
+dontaudit portage_sandbox_t portage_cache_t:file { setattr write };
+
+allow portage_sandbox_t portage_tmp_t:dir manage_dir_perms;
+allow portage_sandbox_t portage_tmp_t:file manage_dir_perms;
+allow portage_sandbox_t portage_tmp_t:lnk_file create_lnk_perms;
+# run scripts out of the build directory
+can_exec(portage_sandbox_t,portage_tmp_t)
diff --git a/refpolicy/policy/modules/kernel/devices.if b/refpolicy/policy/modules/kernel/devices.if
index 8c5d372..678ceff 100644
--- a/refpolicy/policy/modules/kernel/devices.if
+++ b/refpolicy/policy/modules/kernel/devices.if 
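Review bot: `can_exec($1_t,portage_tmp_t)` under the "run scripts out of the build directory" comment in the Portage Rules section uses an m4 parameter in a .te file, where `$1` is never substituted; it should be `can_exec(portage_t,portage_tmp_t)`. The two `portage_compile_domain(...)` calls in the declarations do not match the name the template is declared with in portage.if, `portage_compile_domain_template`, so one side needs renaming (the `_template` suffix is the refpolicy convention). In the sandbox section `allow portage_sandbox_t portage_tmp_t:file manage_dir_perms;` pairs the file class with the dir permission set and should be `manage_file_perms`, as the matching tmp rules in the template use. The dontaudit rules on `device_t`, `proc_t` and `device_type` reach into kernel-layer types directly rather than through dev_*/kernel_* interfaces, which the rest of this file otherwise avoids.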
@@ -1519,7 +1519,8 @@ interface(`dev_rw_printer',` ######################################## ## -## Read from random devices (e.g., /dev/random) +## Read from random number generator +## devices (e.g., /dev/random) ## ## ## Domain allowed access.
@@ -1536,6 +1537,23 @@ interface(`dev_read_rand',` ######################################## ## +## Do not audit attempts to read from random +## number generator devices (e.g., /dev/random) +## +## +## Domain allowed access. +## +# +interface(`dev_dontaudit_read_rand',` + gen_require(` + type random_device_t; + ') + + dontaudit $1 random_device_t:chr_file { getattr read }; +') + +######################################## +## ## Write to the random device (e.g., /dev/random). This adds ## entropy used to generate the random data read from the ## random device.
diff --git a/refpolicy/policy/modules/system/userdomain.if b/refpolicy/policy/modules/system/userdomain.if
index cace0a0..e8fc6ce 100644
--- a/refpolicy/policy/modules/system/userdomain.if
+++ b/refpolicy/policy/modules/system/userdomain.if
@@ -2736,9 +2736,9 @@ interface(`userdom_search_sysadm_home_dir',` # interface(`userdom_dontaudit_search_sysadm_home_dir',` ifdef(`targeted_policy',` - gen_require(` - type user_home_dir_t; - ') + gen_require(` + type user_home_dir_t; + ') dontaudit $1 user_home_dir_t:dir search_dir_perms; ',` 
@@ -2785,6 +2785,33 @@ interface(`userdom_dontaudit_list_sysadm_home_dir',` ######################################## ## +## Do not audit attempts to search the sysadm +## users home directory. +## +## +## Domain to not audit. +## +# +interface(`userdom_dontaudit_read_sysadm_home_files',` + ifdef(`targeted_policy',` + gen_require(` + type user_home_dir_t, user_home_t; + ') + + dontaudit $1 user_home_dir_t:dir search_dir_perms; + dontaudit $1 user_home_t:file r_file_perms; + ',` + gen_require(` + type sysadm_home_dir_t, sysadm_home_t; + ') + + dontaudit $1 sysadm_home_dir_t:dir search_dir_perms; + dontaudit $1 sysadm_home_t:dir r_file_perms; + ') +') + +######################################## +## ## Create objects in sysadm home directories ## with automatic file type transition. ##
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index a59de33..9abab87 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -274,6 +274,10 @@ ifdef(`targeted_policy',` pcmcia_run_cardctl(sysadm_t,sysadm_r,admin_terminal) ') + optional_policy(`portage',` + portage_run(sysadm_t,sysadm_r,admin_terminal) + ') + optional_policy(`portmap',` portmap_run_helper(sysadm_t,sysadm_r,admin_terminal) ')
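Review bot: In userdom_dontaudit_read_sysadm_home_files the non-targeted branch has `dontaudit $1 sysadm_home_t:dir r_file_perms;`, pairing the dir class with the file permission set, while the targeted branch correctly uses `user_home_t:file r_file_perms`; the line should be `dontaudit $1 sysadm_home_t:file r_file_perms;`, otherwise reads of files in the sysadm home are still audited on the non-targeted policy. The summary block is carried over from the search interface and should describe this one, e.g. `Do not audit attempts to read the sysadm users home directory files.`.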