[refpolicy] [PATCH 0/3 v2] Gentoo/Portage related updates

[refpolicy] [PATCH 0/3 v2] Gentoo/Portage related updates

[Sven Vermeulen]

A couple of patches that were introduced for Portage. No large changes:

1. Support NFS mounts (when NFS mounts using context= aren't possible)
2. Support live ebuilds (portage needs more privileges on particular
   locations then)
3. Support proxy servers for Portage

Changes since v1
----------------

- The gcc-config fix to call /sbin/rc is removed from this patchset and
  will be introduced in another one, using a new rc_exec_t type
- Support for PORTAGE_BINHOST will be tackled by Gentoo bug #375835 and as
  such does not require a policy update anymore

[refpolicy] [PATCH 1/3] Support NFS mounts for portage related locations

[Sven Vermeulen]

When users want to use NFS mounted portage tree, distfiles, packages and
other locations, they need to use the proper context= mount option. However,
in the majority of cases, the users use a single NFS mount. In such
situation, context= cannot be used properly since it puts a label on the
entire mount (whereas we would then need other labels depending on
subdirectories).

Introducing a boolean "portage_use_nfs" which, when set (default off),
allows the necessary portage-related domains to manage files and directories
with the nfs_t label.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/admin/portage.if |    7 +++++++
 policy/modules/admin/portage.te |   15 +++++++++++++++
 2 files changed, 22 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index 0f27b1c..6eff375 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -188,6 +188,13 @@ interface(`portage_compile_domain',`
 	# SELinux-enabled programs running in the sandbox
 	seutil_libselinux_linked($1)
 
+	tunable_policy(`portage_use_nfs',`
+		fs_getattr_nfs($1)
+		fs_manage_nfs_dirs($1)
+		fs_manage_nfs_files($1)
+		fs_manage_nfs_symlinks($1)
+	')
+
 	ifdef(`TODO',`
 	# some gui ebuilds want to interact with X server, like xawtv
 	optional_policy(`
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index d2ff138..492d742 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -5,6 +5,14 @@ policy_module(portage, 1.10.2)
 # Declarations
 #
 
+## <desc>
+## <p>
+##   Allow the portage domains to use NFS mounts (regular nfs_t)
+## </p>
+## </desc>
+gen_tunable(portage_use_nfs, false)
+
+
 type gcc_config_t;
 type gcc_config_exec_t;
 application_domain(gcc_config_t, gcc_config_exec_t)
@@ -258,6 +266,13 @@ sysnet_dns_name_resolve(portage_fetch_t)
 userdom_use_user_terminals(portage_fetch_t)
 userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
 
+tunable_policy(`portage_use_nfs',`
+	fs_getattr_nfs(portage_fetch_t)
+	fs_manage_nfs_dirs(portage_fetch_t)
+	fs_manage_nfs_files(portage_fetch_t)
+	fs_manage_nfs_symlinks(portage_fetch_t)
+')
+
 ifdef(`hide_broken_symptoms',`
 	dontaudit portage_fetch_t portage_cache_t:file read;
 ')
-- 
1.7.3.4

[refpolicy] [PATCH 2/3] Support live ebuilds through portage_srcrepo_t

[Sven Vermeulen]

Portage supports the notion of "live ebuilds", which are packages that, when
installed, update a repository checkout on a specific location. This means
that a few portage-related domains need to have manage_* privileges on that
location whereas they usually have much more limited rights (when live
ebuilds aren't used).

To support live ebuilds, we introduce another label called portage_srcrepo_t
for those specific locations where the "higher" privileges are needed for,
and grant the proper permissions on the compile domains (like 
portage_sandbox_t) to manage the checkouts.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/admin/portage.fc |    3 +++
 policy/modules/admin/portage.if |    7 ++++++-
 policy/modules/admin/portage.te |    3 +++
 3 files changed, 12 insertions(+), 1 deletions(-)

diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index db46387..9097092 100644
--- a/policy/modules/admin/portage.fc
+++ b/policy/modules/admin/portage.fc
@@ -12,6 +12,9 @@
 /usr/lib(64)?/portage/bin/regenworld --	gen_context(system_u:object_r:portage_exec_t,s0)
 /usr/lib(64)?/portage/bin/sandbox --	gen_context(system_u:object_r:portage_exec_t,s0)
 
+/usr/portage/distfiles/svn-src(/.*)?	gen_context(system_u:object_r:portage_srcrepo_t,s0)
+/usr/portage/distfiles/git-src(/.*)?	gen_context(system_u:object_r:portage_srcrepo_t,s0)
+/usr/portage/distfiles/cvs-src(/.*)?	gen_context(system_u:object_r:portage_srcrepo_t,s0)
 /usr/portage(/.*)?			gen_context(system_u:object_r:portage_ebuild_t,s0)
 
 /var/db/pkg(/.*)?			gen_context(system_u:object_r:portage_db_t,s0)
diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index 6eff375..08b361b 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -71,7 +71,7 @@ interface(`portage_compile_domain',`
 
 	gen_require(`
 		class dbus send_msg;
-		type portage_devpts_t, portage_log_t, portage_tmp_t;
+		type portage_devpts_t, portage_log_t, portage_srcrepo_t, portage_tmp_t;
 		type portage_tmpfs_t;
 	')
 
@@ -105,6 +105,11 @@ interface(`portage_compile_domain',`
 	allow $1 portage_log_t:dir setattr;
 	allow $1 portage_log_t:file { write_file_perms setattr };
 
+	# Support live ebuilds (-9999)
+	manage_dirs_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+	manage_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+	manage_lnk_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+
 	# run scripts out of the build directory
 	can_exec(portage_sandbox_t, portage_tmp_t)
 
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 492d742..16524c7 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -59,6 +59,9 @@ files_type(portage_cache_t)
 type portage_log_t;
 logging_log_file(portage_log_t)
 
+type portage_srcrepo_t;
+files_type(portage_srcrepo_t)
+
 type portage_tmp_t;
 files_tmp_file(portage_tmp_t)
 
-- 
1.7.3.4

[refpolicy] [PATCH 3/3] Support proxy/cache servers

[Sven Vermeulen]

Portage supports the use of proxy systems (which usually run on port 8080)
for the fetching of software archives.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/admin/portage.te |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 16524c7..e11a4ab 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -249,6 +249,7 @@ corenet_tcp_sendrecv_all_ports(portage_fetch_t)
 # it occasionally comes up
 corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
 corenet_tcp_connect_generic_port(portage_fetch_t)
+corenet_tcp_connect_http_cache_port(portage_fetch_t)
 
 dev_dontaudit_read_rand(portage_fetch_t)
 
-- 
1.7.3.4

[refpolicy] [PATCH 0/3 v2] Gentoo/Portage related updates

[Christopher J. PeBenito]

On 07/21/11 05:07, Sven Vermeulen wrote:
> A couple of patches that were introduced for Portage. No large changes:
>
> 1. Support NFS mounts (when NFS mounts using context= aren't possible)
> 2. Support live ebuilds (portage needs more privileges on particular
>     locations then)
> 3. Support proxy servers for Portage
>
> Changes since v1
> ----------------
>
> - The gcc-config fix to call /sbin/rc is removed from this patchset and
>    will be introduced in another one, using a new rc_exec_t type
> - Support for PORTAGE_BINHOST will be tackled by Gentoo bug #375835 and as
>    such does not require a policy update anymore

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com