* [refpolicy] [PATCH 0/3 v2] Gentoo/Portage related updates
@ 2011-07-21 9:07 Sven Vermeulen
From: Sven Vermeulen @ 2011-07-21 9:07 UTC (permalink / raw)
To: refpolicy
A couple of patches that were introduced for Portage. No large changes:
1. Support NFS mounts (when NFS mounts using context= aren't possible)
2. Support live ebuilds (portage needs more privileges on particular
locations then)
3. Support proxy servers for Portage
Changes since v1
----------------
- The gcc-config fix to call /sbin/rc is removed from this patchset and
will be introduced in another one, using a new rc_exec_t type
- Support for PORTAGE_BINHOST will be tackled by Gentoo bug #375835 and as
such does not require a policy update anymore
* [refpolicy] [PATCH 1/3] Support NFS mounts for portage related locations
From: Sven Vermeulen @ 2011-07-21 9:09 UTC (permalink / raw)
To: refpolicy
When users want to use an NFS-mounted portage tree, distfiles, packages and
other locations, they need to use the proper context= mount option. However,
in the majority of cases, the users use a single NFS mount. In such a
situation, context= cannot be used properly since it puts a label on the
entire mount (whereas we would then need other labels depending on
subdirectories).
Introducing a boolean "portage_use_nfs" which, when set (default off),
allows the necessary portage-related domains to manage files and directories
with the nfs_t label.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/admin/portage.if | 7 +++++++
policy/modules/admin/portage.te | 15 +++++++++++++++
2 files changed, 22 insertions(+), 0 deletions(-)
diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index 0f27b1c..6eff375 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -188,6 +188,13 @@ interface(`portage_compile_domain',`
# SELinux-enabled programs running in the sandbox
seutil_libselinux_linked($1)
+ tunable_policy(`portage_use_nfs',`
+ fs_getattr_nfs($1)
+ fs_manage_nfs_dirs($1)
+ fs_manage_nfs_files($1)
+ fs_manage_nfs_symlinks($1)
+ ')
+
ifdef(`TODO',`
# some gui ebuilds want to interact with X server, like xawtv
optional_policy(`
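Review bot: the tunable_policy block added to portage_compile_domain grants every compile domain manage rights on all nfs_t directories, files and symlinks, not only on the portage locations the commit message has in mind, so once portage_use_nfs is on, any other NFS mount on the host (home directories, for instance) becomes writable by ebuild sandboxes. That is inherent in using plain nfs_t instead of a context= label, but it deserves a comment above the block (the surrounding code comments each group of permissions) and a sentence in the interface's documentation header, so that callers of portage_compile_domain know the interface is now tunable-dependent.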
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index d2ff138..492d742 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -5,6 +5,14 @@ policy_module(portage, 1.10.2)
# Declarations
#
+## <desc>
+## <p>
+## Allow the portage domains to use NFS mounts (regular nfs_t)
+## </p>
+## </desc>
+gen_tunable(portage_use_nfs, false)
+
+
type gcc_config_t;
type gcc_config_exec_t;
application_domain(gcc_config_t, gcc_config_exec_t)
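Review bot: the <desc> text "Allow the portage domains to use NFS mounts (regular nfs_t)" undersells what the boolean does; the rules it guards (fs_manage_nfs_dirs, fs_manage_nfs_files, fs_manage_nfs_symlinks) let portage_fetch_t and every compile domain create, delete and modify any nfs_t content, so say "manage" rather than "use" and name the affected domains, e.g. "Allow portage_fetch_t and the portage compile domains (portage_sandbox_t and others) to manage files, directories and symlinks on NFS mounts labelled nfs_t". Style: the hunk leaves two blank lines before `type gcc_config_t;`; refpolicy uses one.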
@@ -258,6 +266,13 @@ sysnet_dns_name_resolve(portage_fetch_t)
userdom_use_user_terminals(portage_fetch_t)
userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
+tunable_policy(`portage_use_nfs',`
+ fs_getattr_nfs(portage_fetch_t)
+ fs_manage_nfs_dirs(portage_fetch_t)
+ fs_manage_nfs_files(portage_fetch_t)
+ fs_manage_nfs_symlinks(portage_fetch_t)
+')
+
ifdef(`hide_broken_symptoms',`
dontaudit portage_fetch_t portage_cache_t:file read;
')
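Review bot: this block is a verbatim copy of the tunable_policy block added to portage_compile_domain in the same patch; to keep the two in sync, consider moving the four fs_* calls into a small local interface (a hypothetical portage_nfs_access($1) or similar) called from both places, or at least add a comment here saying that the fetch domain gets the same NFS access as the compile domains. As with the interface, the access is manage rather than read on every nfs_t object, so the boolean should be documented as such.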
--
1.7.3.4
* [refpolicy] [PATCH 2/3] Support live ebuilds through portage_srcrepo_t
From: Sven Vermeulen @ 2011-07-21 9:10 UTC (permalink / raw)
To: refpolicy
Portage supports the notion of "live ebuilds", which are packages that, when
installed, update a repository checkout on a specific location. This means
that a few portage-related domains need to have manage_* privileges on that
location whereas they usually have much more limited rights (when live
ebuilds aren't used).
To support live ebuilds, we introduce another label called portage_srcrepo_t
for those specific locations where the "higher" privileges are needed,
and grant the proper permissions on the compile domains (like
portage_sandbox_t) to manage the checkouts.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/admin/portage.fc | 3 +++
policy/modules/admin/portage.if | 7 ++++++-
policy/modules/admin/portage.te | 3 +++
3 files changed, 12 insertions(+), 1 deletions(-)
diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index db46387..9097092 100644
--- a/policy/modules/admin/portage.fc
+++ b/policy/modules/admin/portage.fc
@@ -12,6 +12,9 @@
/usr/lib(64)?/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib(64)?/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
+/usr/portage/distfiles/svn-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
+/usr/portage/distfiles/git-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
+/usr/portage/distfiles/cvs-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
/usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
/var/db/pkg(/.*)? gen_context(system_u:object_r:portage_db_t,s0)
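Review bot: the three new entries sit before the more general `/usr/portage(/.*)?` line; refpolicy keeps .fc entries in path order, which would put them after it (the `(` in `/usr/portage(/.*)?` sorts before `/`). Functionally the order makes no difference, since setfiles and libselinux prefer the most specific matching entry, so `/usr/portage/distfiles/git-src/...` resolves to portage_srcrepo_t either way. More substantively, the paths hardcode DISTDIR as /usr/portage/distfiles, so a site with DISTDIR elsewhere gets no portage_srcrepo_t label at all and the manage rules in portage.if never apply; that limitation, and the fact that only the svn-src, git-src and cvs-src store directories are covered, should be called out in the commit message or a comment above the entries.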
diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index 6eff375..08b361b 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -71,7 +71,7 @@ interface(`portage_compile_domain',`
gen_require(`
class dbus send_msg;
- type portage_devpts_t, portage_log_t, portage_tmp_t;
+ type portage_devpts_t, portage_log_t, portage_srcrepo_t, portage_tmp_t;
type portage_tmpfs_t;
')
@@ -105,6 +105,11 @@ interface(`portage_compile_domain',`
allow $1 portage_log_t:dir setattr;
allow $1 portage_log_t:file { write_file_perms setattr };
+ # Support live ebuilds (-9999)
+ manage_dirs_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+ manage_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+ manage_lnk_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+
# run scripts out of the build directory
can_exec(portage_sandbox_t, portage_tmp_t)
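Review bot: nothing in the patch produces portage_srcrepo_t on disk when an ebuild first creates the checkout directory: the .fc hunk labels /usr/portage/distfiles/{svn,git,cvs}-src, but their parent is portage_ebuild_t (from `/usr/portage(/.*)?`), so a freshly created git-src inherits portage_ebuild_t and these manage rules never match until someone runs restorecon. A plain `filetrans_pattern($1, portage_ebuild_t, portage_srcrepo_t, dir)` would be too broad, because it would relabel every directory a compile domain creates under /usr/portage; if the refpolicy tree in use supports named file transitions, add one per store directory name, otherwise document the restorecon step in the commit message. Either way portage_ebuild_t then has to be added to the gen_require block above. Unrelated but visible in the context: `can_exec(portage_sandbox_t, portage_tmp_t)` hardcodes portage_sandbox_t inside an interface parameterised on $1; worth a separate fix.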
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 492d742..16524c7 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -59,6 +59,9 @@ files_type(portage_cache_t)
type portage_log_t;
logging_log_file(portage_log_t)
+type portage_srcrepo_t;
+files_type(portage_srcrepo_t)
+
type portage_tmp_t;
files_tmp_file(portage_tmp_t)
--
1.7.3.4
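To see how the new file-context entries resolve against concrete paths, here is an added example in Python (not refpolicy's code and not part of the patch) that emulates the most-specific-match rule setfiles and libselinux apply: among the entries whose anchored regex matches the whole path and whose class qualifier agrees, the one with the longest literal prefix before the first regex metacharacter wins, so the three portage_srcrepo_t entries beat `/usr/portage(/.*)?` wherever they sit in the file. The input is the .fc hunk above copied as a constructed string; the hg-src path in the demo is a hypothetical directory name used only to show what an unlisted location resolves to.

```python
import re

# Constructed input: the file-context entries from the portage.fc hunk in the
# patch above, including the unchanged context lines around it.
PORTAGE_FC = """
/usr/lib(64)?/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib(64)?/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/portage/distfiles/svn-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
/usr/portage/distfiles/git-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
/usr/portage/distfiles/cvs-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
/usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
/var/db/pkg(/.*)? gen_context(system_u:object_r:portage_db_t,s0)
"""

REGEX_META = set(".^$?*+|[](){}\\")
# Second-column object-class qualifiers used in .fc files.
FC_FILE_TYPES = {"--": "file", "-d": "dir", "-l": "lnk_file", "-c": "chr_file",
                 "-b": "blk_file", "-s": "sock_file", "-p": "fifo_file"}
CONTEXT_RE = re.compile(r"gen_context\(([^,()]+),([^()]+)\)")


def stem(regex):
    """Literal path prefix up to the first regex metacharacter.

    fc_sort and libselinux rank specs by this stem: a longer stem is a more
    specific entry and wins over a shorter one that also matches.
    """
    prefix = []
    for ch in regex:
        if ch in REGEX_META:
            break
        prefix.append(ch)
    return "".join(prefix)


def parse_fc(text):
    """Parse .fc lines into (compiled regex, object class or None, type, stem)."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, qualifier, ctx = fields
            obj_class = FC_FILE_TYPES[qualifier]
        elif len(fields) == 2:
            regex, ctx = fields
            obj_class = None          # entry applies to any object class
        else:
            raise ValueError("malformed .fc line: %r" % line)
        m = CONTEXT_RE.fullmatch(ctx)
        if m is None:
            raise ValueError("unsupported context spec: %r" % ctx)
        se_type = m.group(1).split(":")[2]   # user:role:type
        specs.append((re.compile(regex), obj_class, se_type, stem(regex)))
    return specs


def lookup(specs, path, obj_class="file"):
    """Return the SELinux type for path, or None if no spec matches.

    Mirrors libselinux's most-specific-match behaviour: the whole path must
    match the anchored regex, the class qualifier must agree, and among the
    candidates the longest stem wins (a later entry breaks ties).
    """
    best = None
    for index, (regex, spec_class, se_type, spec_stem) in enumerate(specs):
        if spec_class is not None and spec_class != obj_class:
            continue
        if regex.fullmatch(path) is None:
            continue
        key = (len(spec_stem), index)
        if best is None or key > best[0]:
            best = (key, se_type)
    return None if best is None else best[1]


if __name__ == "__main__":
    specs = parse_fc(PORTAGE_FC)
    for path, cls in [("/usr/portage/distfiles/git-src/foo/.git/config", "file"),
                      ("/usr/portage/distfiles/git-src", "dir"),
                      ("/usr/portage/distfiles/foo-1.0.tar.gz", "file"),
                      ("/usr/portage/distfiles/hg-src/foo", "dir"),   # hypothetical, unlisted store dir
                      ("/usr/lib64/portage/bin/sandbox", "file"),
                      ("/usr/lib64/portage/bin/sandbox", "dir")]:
        print(path, cls, "->", lookup(specs, path, cls))
```

The emulation covers gen_context() entries with a user:role:type context and the usual class qualifiers; `<<none>>` entries and MCS categories are deliberately left out. Reversing the order of the entries does not change any result, which is why the placement of the srcrepo lines in the .fc file is a style matter only.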
* [refpolicy] [PATCH 3/3] Support proxy/cache servers
From: Sven Vermeulen @ 2011-07-21 9:11 UTC (permalink / raw)
To: refpolicy
Portage supports the use of proxy systems (which usually run on port 8080)
for the fetching of software archives.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/admin/portage.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 16524c7..e11a4ab 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -249,6 +249,7 @@ corenet_tcp_sendrecv_all_ports(portage_fetch_t)
# it occasionally comes up
corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
corenet_tcp_connect_generic_port(portage_fetch_t)
+corenet_tcp_connect_http_cache_port(portage_fetch_t)
dev_dontaudit_read_rand(portage_fetch_t)
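Review bot: the new corenet_tcp_connect_http_cache_port line has no comment of its own; the "it occasionally comes up" comment two lines up belongs to the reserved-ports rule. Give it a comment naming the use case from the commit message (an HTTP proxy, typically on port 8080), and note there that a proxy listening on a port not labelled http_cache_port_t still needs a `semanage port` change or a further rule, since neither corenet_tcp_connect_all_reserved_ports nor corenet_tcp_connect_generic_port above covers it, which is presumably why this rule was needed in the first place.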
--
1.7.3.4
* [refpolicy] [PATCH 0/3 v2] Gentoo/Portage related updates
From: Christopher J. PeBenito @ 2011-07-22 12:44 UTC (permalink / raw)
To: refpolicy
On 07/21/11 05:07, Sven Vermeulen wrote:
> A couple of patches that were introduced for Portage. No large changes:
>
> 1. Support NFS mounts (when NFS mounts using context= aren't possible)
> 2. Support live ebuilds (portage needs more privileges on particular
> locations then)
> 3. Support proxy servers for Portage
>
> Changes since v1
> ----------------
>
> - The gcc-config fix to call /sbin/rc is removed from this patchset and
> will be introduced in another one, using a new rc_exec_t type
> - Support for PORTAGE_BINHOST will be tackled by Gentoo bug #375835 and as
> such does not require a policy update anymore
Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com