From 02f9b21e8c766781b19d9f5e03b188fb380b840f Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Fri, 21 Apr 2006 15:08:21 +0000
Subject: [PATCH] first cut of hierarchical policy
---
 refpolicy/policy/modules/admin/portage.if | 338 ++++++++++++++-------
 refpolicy/policy/modules/admin/portage.te | 207 +++++--------
 refpolicy/policy/modules/services/rsync.if | 85 ++++++
 refpolicy/policy/modules/services/rsync.te | 2 +-
 4 files changed, 392 insertions(+), 240 deletions(-)
diff --git a/refpolicy/policy/modules/admin/portage.if b/refpolicy/policy/modules/admin/portage.if
index efddda5d5..af99899eb 100644
--- a/refpolicy/policy/modules/admin/portage.if
+++ b/refpolicy/policy/modules/admin/portage.if
@@ -20,12 +20,18 @@ interface(`portage_domtrans',`
 files_search_usr($1)
 corecmd_search_bin($1)
- domain_auto_trans($1,portage_exec_t,portage_t)
- allow $1 portage_t:fd use;
+ # constraining domain
+ domain_trans($1,portage_exec_t,portage_t)
 allow portage_t $1:fd use;
 allow portage_t $1:fifo_file rw_file_perms;
 allow portage_t $1:process sigchld;
+
+ # main portage process
+ domain_auto_trans($1,portage_exec_t,portage_t.merge)
+ allow portage_t.merge $1:fd use;
+ allow portage_t.merge $1:fifo_file rw_file_perms;
+ allow portage_t.merge $1:process sigchld;
 ')
 ########################################
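Review bot: `domain_trans($1,portage_exec_t,portage_t)` under `# constraining domain` makes the parent type something every caller of `portage_domtrans` is allowed to enter, not only a bound on its children. The portage.te part of this patch gives `portage_t` the main, compile and fetch rule sets together, so a process that ends up in it holds the union of all three. If the rule is there only to satisfy the hierarchy check (an assumption; the patch does not say), the comment should say so, e.g. `# constraining domain: parent of portage_t.*, not meant to be entered directly`. The interface's `gen_require` block lies above this hunk, so confirm it now also names `portage_t.merge`.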
@@ -51,22 +57,21 @@ interface(`portage_domtrans',`
 #
 interface(`portage_run',`
 gen_require(`
- type portage_t, portage_fetch_t, portage_sandbox_t;
+ type portage_t;
+ type portage_t.merge, portage_t.fetch, portage_t.sandbox;
 ')
 portage_domtrans($1)
+ # constraining access
 role $2 types portage_t;
- role $2 types portage_fetch_t;
- role $2 types portage_sandbox_t;
- allow portage_t $3:chr_file rw_term_perms;
- allow portage_fetch_t $3:chr_file rw_term_perms;
- allow portage_sandbox_t $3:chr_file rw_term_perms;
- # not sure about this one, may be stray fds
- allow portage_t $1:udp_socket write;
- allow $1 portage_t:udp_socket write;
+ # specific access
+ role $2 types { portage_t.merge portage_t.fetch portage_t.sandbox };
+ allow portage_t.merge $3:chr_file rw_term_perms;
+ allow portage_t.fetch $3:chr_file rw_term_perms;
+ allow portage_t.sandbox $3:chr_file rw_term_perms;
 ')
 ########################################
@@ -79,129 +84,258 @@ interface(`portage_run',`
 ## does all compiling in the sandbox.
 ##
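Review bot: The `# constraining access` block of `portage_run` keeps only `role $2 types portage_t;`, while the removed `allow portage_t $3:chr_file rw_term_perms;` has no replacement even though all three child types receive that terminal access under `# specific access`. `portage_domtrans` in the previous hunk mirrors each child rule on `portage_t`, so for consistency this block likely wants `allow portage_t $3:chr_file rw_term_perms;` as well. Whether the hierarchy check rejects the policy without it cannot be seen from this page.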

## -## +## ## -## Name to be used to derive types. +## Domain Allowed Access ## ## # -template(`portage_compile_domain_template',` - type $1_t; - domain_type($1_t) - domain_entry_file($1_t,portage_exec_t) +interface(`portage_compile_domain',` - type $1_devpts_t; - term_pty($1_devpts_t) - - type $1_tmp_t; - files_tmp_file($1_tmp_t) - - type $1_tmpfs_t; - files_tmpfs_file($1_tmpfs_t) - - allow $1_t self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw }; - allow $1_t self:process { setpgid setsched setrlimit signal_perms execmem }; - allow $1_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; - allow $1_t self:fd use; - allow $1_t self:fifo_file rw_file_perms; - allow $1_t self:shm create_shm_perms; - allow $1_t self:sem create_sem_perms; - allow $1_t self:msgq create_msgq_perms; - allow $1_t self:msg { send receive }; - allow $1_t self:unix_dgram_socket create_socket_perms; - allow $1_t self:unix_stream_socket create_stream_socket_perms; - allow $1_t self:unix_dgram_socket sendto; - allow $1_t self:unix_stream_socket connectto; + allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw }; + allow $1 self:process { setpgid setsched setrlimit signal_perms execmem }; + allow $1 self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; + allow $1 self:fd use; + allow $1 self:fifo_file rw_file_perms; + allow $1 self:shm create_shm_perms; + allow $1 self:sem create_sem_perms; + allow $1 self:msgq create_msgq_perms; + allow $1 self:msg { send receive }; + allow $1 self:unix_dgram_socket create_socket_perms; + allow $1 self:unix_stream_socket create_stream_socket_perms; + allow $1 self:unix_dgram_socket sendto; + allow $1 self:unix_stream_socket connectto; # really shouldnt need this - allow $1_t self:tcp_socket create_stream_socket_perms; - allow $1_t self:udp_socket create_socket_perms; + allow $1 self:tcp_socket 
create_stream_socket_perms; + allow $1 self:udp_socket create_socket_perms; # misc networking stuff (esp needed for compiling perl): - allow $1_t self:rawip_socket { create ioctl }; - allow $1_t self:udp_socket recvfrom; + allow $1 self:rawip_socket { create ioctl }; + allow $1 self:udp_socket recvfrom; # needed for merging dbus: - allow $1_t self:netlink_selinux_socket { bind create read }; + allow $1 self:netlink_selinux_socket { bind create read }; - allow $1_t $1_devpts_t:chr_file { rw_file_perms setattr }; - term_create_pty($1_t,$1_devpts_t) + allow $1 portage_devpts_t:chr_file { rw_file_perms setattr }; + term_create_pty($1,portage_devpts_t) - allow $1_t $1_tmp_t:dir manage_dir_perms; - allow $1_t $1_tmp_t:file manage_file_perms; - allow $1_t $1_tmp_t:lnk_file create_lnk_perms; - allow $1_t $1_tmp_t:fifo_file manage_file_perms; - allow $1_t $1_tmp_t:sock_file manage_file_perms; - files_tmp_filetrans($1_t,$1_tmp_t,{ dir file lnk_file sock_file fifo_file }) + # write compile logs + allow $1 portage_log_t:dir setattr; + allow $1 portage_log_t:file { append write setattr }; - allow $1_t $1_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write }; - allow $1_t $1_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename }; - allow $1_t $1_tmpfs_t:lnk_file { create read getattr setattr link unlink rename }; - allow $1_t $1_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; - allow $1_t $1_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; - fs_tmpfs_filetrans($1_t,$1_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) + # run scripts out of the build directory + can_exec(portage_sandbox_t,portage_tmp_t) - # write merge logs - allow $1_t portage_log_t:dir setattr; - allow $1_t portage_log_t:file { append write setattr }; + allow $1 portage_tmp_t:dir manage_dir_perms; + allow $1 portage_tmp_t:file manage_file_perms; + allow $1 
portage_tmp_t:lnk_file create_lnk_perms; + allow $1 portage_tmp_t:fifo_file manage_file_perms; + allow $1 portage_tmp_t:sock_file manage_file_perms; + files_tmp_filetrans($1,portage_tmp_t,{ dir file lnk_file sock_file fifo_file }) - kernel_read_system_state($1_t) - kernel_read_network_state($1_t) - kernel_read_software_raid_state($1_t) - kernel_getattr_core_if($1_t) - kernel_getattr_message_if($1_t) - kernel_read_kernel_sysctls($1_t) + allow $1 portage_tmpfs_t:dir { read getattr lock search ioctl add_name remove_name write }; + allow $1 portage_tmpfs_t:file { create ioctl read getattr lock write setattr append link unlink rename }; + allow $1 portage_tmpfs_t:lnk_file { create read getattr setattr link unlink rename }; + allow $1 portage_tmpfs_t:sock_file { create ioctl read getattr lock write setattr append link unlink rename }; + allow $1 portage_tmpfs_t:fifo_file { create ioctl read getattr lock write setattr append link unlink rename }; + fs_tmpfs_filetrans($1,portage_tmpfs_t,{ dir file lnk_file sock_file fifo_file }) - corecmd_exec_all_executables($1_t) + kernel_read_system_state($1) + kernel_read_network_state($1) + kernel_read_software_raid_state($1) + kernel_getattr_core_if($1) + kernel_getattr_message_if($1) + kernel_read_kernel_sysctls($1) + + corecmd_exec_all_executables($1) # really shouldnt need this - corenet_non_ipsec_sendrecv($1_t) - corenet_tcp_sendrecv_generic_if($1_t) - corenet_udp_sendrecv_generic_if($1_t) - corenet_raw_sendrecv_generic_if($1_t) - corenet_tcp_sendrecv_all_nodes($1_t) - corenet_udp_sendrecv_all_nodes($1_t) - corenet_raw_sendrecv_all_nodes($1_t) - corenet_tcp_sendrecv_all_ports($1_t) - corenet_udp_sendrecv_all_ports($1_t) - corenet_tcp_connect_all_reserved_ports($1_t) - corenet_tcp_connect_distccd_port($1_t) + corenet_non_ipsec_sendrecv($1) + corenet_tcp_sendrecv_generic_if($1) + corenet_udp_sendrecv_generic_if($1) + corenet_raw_sendrecv_generic_if($1) + corenet_tcp_sendrecv_all_nodes($1) + corenet_udp_sendrecv_all_nodes($1) + 
corenet_raw_sendrecv_all_nodes($1) + corenet_tcp_sendrecv_all_ports($1) + corenet_udp_sendrecv_all_ports($1) + corenet_tcp_connect_all_reserved_ports($1) + corenet_tcp_connect_distccd_port($1) - dev_read_sysfs($1_t) - dev_read_rand($1_t) - dev_read_urand($1_t) + dev_read_sysfs($1) + dev_read_rand($1) + dev_read_urand($1) - domain_use_interactive_fds($1_t) + domain_use_interactive_fds($1) - files_exec_etc_files($1_t) - files_exec_usr_src_files($1_t) + files_exec_etc_files($1) + files_exec_usr_src_files($1) - fs_getattr_xattr_fs($1_t) - fs_list_noxattr_fs($1_t) - fs_read_noxattr_fs_files($1_t) - fs_read_noxattr_fs_symlinks($1_t) - fs_search_auto_mountpoints($1_t) + fs_getattr_xattr_fs($1) + fs_list_noxattr_fs($1) + fs_read_noxattr_fs_files($1) + fs_read_noxattr_fs_symlinks($1) + fs_search_auto_mountpoints($1) # needed for merging dbus: - selinux_compute_access_vector($1_t) + selinux_compute_access_vector($1) - auth_read_all_dirs_except_shadow($1_t) - auth_read_all_files_except_shadow($1_t) - auth_read_all_symlinks_except_shadow($1_t) + auth_read_all_dirs_except_shadow($1) + auth_read_all_files_except_shadow($1) + auth_read_all_symlinks_except_shadow($1) - libs_use_ld_so($1_t) - libs_use_shared_libs($1_t) - libs_exec_lib_files($1_t) + libs_use_ld_so($1) + libs_use_shared_libs($1) + libs_exec_lib_files($1) # some config scripts use ldd - libs_exec_ld_so($1_t) + libs_exec_ld_so($1) # this violates the idea of sandbox, but # regular sandbox allows it - libs_domtrans_ldconfig($1_t) + libs_domtrans_ldconfig($1) - logging_send_syslog_msg($1_t) + logging_send_syslog_msg($1) ifdef(`TODO',` # some gui ebuilds want to interact with X server, like xawtv optional_policy(` - allow $1_t xdm_xserver_tmp_t:dir { add_name remove_name write }; - allow $1_t xdm_xserver_tmp_t:sock_file { create getattr unlink write }; + allow $1 xdm_xserver_tmp_t:dir { add_name remove_name write }; + allow $1 xdm_xserver_tmp_t:sock_file { create getattr unlink write }; ') ') dnl end TODO ') + 
+######################################## +## +## Template for portage fetch. +## +## +## +## Domain Allowed Access +## +## +# +interface(`portage_fetch_domain',` + + allow $1 self:capability dac_override; + dontaudit $1 self:capability { fowner fsetid }; + allow $1 self:unix_stream_socket create_socket_perms; + allow $1 self:tcp_socket create_stream_socket_perms; + + allow $1 portage_conf_t:dir list_dir_perms; + allow $1 portage_conf_t:file r_file_perms; + + allow $1 portage_ebuild_t:dir manage_dir_perms; + allow $1 portage_ebuild_t:file manage_file_perms; + + allow $1 portage_fetch_tmp_t:dir create_dir_perms; + allow $1 portage_fetch_tmp_t:file create_file_perms; + + # portage makes home dir the portage tmp dir, so + # wget looks for .wgetrc there + dontaudit $1 portage_tmp_t:dir search_dir_perms; + + kernel_read_system_state($1) + kernel_read_kernel_sysctls($1) + + corecmd_exec_bin($1) + corecmd_exec_sbin($1) + + corenet_non_ipsec_sendrecv($1) + corenet_tcp_sendrecv_generic_if($1) + corenet_tcp_sendrecv_all_nodes($1) + corenet_tcp_sendrecv_all_ports($1) + # would rather not connect to unspecified ports, but + # it occasionally comes up + corenet_tcp_connect_all_reserved_ports($1) + corenet_tcp_connect_generic_port($1) + + dev_dontaudit_read_rand($1) + + domain_use_interactive_fds($1) + + files_read_etc_files($1) + files_read_etc_runtime_files($1) + files_search_var($1) + files_dontaudit_search_pids($1) + + term_search_ptys($1) + + libs_use_ld_so($1) + libs_use_shared_libs($1) + + miscfiles_read_localization($1) + + sysnet_read_config($1) + sysnet_dns_name_resolve($1) + + userdom_dontaudit_read_sysadm_home_content_files($1) + + ifdef(`hide_broken_symptoms',` + dontaudit $1 portage_cache_t:file read; + ') +') + +######################################## +## +## Template for portage main. 
+## +## +## +## Domain Allowed Access +## +## +# +interface(`portage_main_domain',` + + # - setfscreate for merging to live fs + # - setexec to run portage fetch + allow $1 self:process { setfscreate setexec }; + + # if sesandbox is disabled, compiles are + # performed in the main domain + portage_compile_domain($1) + + allow $1 portage_log_t:file create_file_perms; + logging_log_filetrans($1,portage_log_t,file) + + # run scripts out of the build directory + can_exec($1,portage_tmp_t) + + # merging baselayout will need this: + kernel_write_proc_files($1) + + domain_dontaudit_read_all_domains_state($1) + + # modify any files in the system + files_manage_all_files($1) + + selinux_get_fs_mount($1) + + auth_manage_shadow($1) + + # merging baselayout will need this: + init_exec($1) + + # run setfiles -r + seutil_domtrans_setfiles($1) + + optional_policy(` + bootloader_domtrans($1) + ') + + optional_policy(` + modutils_domtrans_depmod($1) + modutils_domtrans_update_mods($1) + #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms; + ') + + optional_policy(` + usermanage_domtrans_groupadd($1) + usermanage_domtrans_useradd($1) + ') + + ifdef(`TODO',` + # seems to work ok without these + dontaudit portage_t device_t:{ blk_file chr_file } getattr; + dontaudit portage_t proc_t:dir setattr; + dontaudit portage_t device_type:{ chr_file blk_file } r_file_perms; + ') +') diff --git a/refpolicy/policy/modules/admin/portage.te b/refpolicy/policy/modules/admin/portage.te index 8cfa6de79..c8d69ef4e 100644 --- a/refpolicy/policy/modules/admin/portage.te +++ b/refpolicy/policy/modules/admin/portage.te 
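Review bot: `can_exec(portage_sandbox_t,portage_tmp_t)` inside `portage_compile_domain` names a fixed type instead of the interface argument, so each call grants the execute access to the sandbox type rather than to the caller's `$1`; it should read `can_exec($1,portage_tmp_t)`. None of the three new interfaces has a `gen_require` block on the new side, although they reference `portage_devpts_t`, `portage_log_t`, `portage_tmp_t`, `portage_tmpfs_t`, `portage_conf_t`, `portage_ebuild_t`, `portage_fetch_tmp_t` and `portage_cache_t`. `portage_main_domain` hands out `files_manage_all_files($1)` and `auth_manage_shadow($1)`, so its summary (still worded "Template for portage main.") should state that it is meant only for portage's own domains. The dormant TODO block at the end of `portage_main_domain` still names `portage_t` rather than `$1`.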
@@ -1,29 +1,46 @@
-policy_module(portage,1.0.1)
+policy_module(portage,1.0.2)
 ########################################
 #
 # Declarations
 #
+# constraining domain
+type portage_t;
 type portage_exec_t;
-files_type(portage_exec_t)
+domain_type(portage_t)
+domain_entry_file(portage_t,portage_exec_t)
+rsync_entry_type(portage_t)
+corecmd_shell_entry_type(portage_t)
+domain_entry_file(portage_t,portage_exec_t)
-portage_compile_domain_template(portage)
-domain_obj_id_change_exemption(portage_t)
+# main portage domain
+type portage_t.merge;
+domain_type(portage_t.merge)
+domain_entry_file(portage_t.merge,portage_exec_t)
+domain_obj_id_change_exemption(portage_t.merge)
-portage_compile_domain_template(portage_sandbox)
+# portage compile sandbox domain
+type portage_t.sandbox alias portage_sandbox_t;
+domain_type(portage_t.sandbox)
 # the shell is the entrypoint if regular sandbox is disabled
 # portage_exec_t is the entrypoint if regular sandbox is enabled
-corecmd_shell_entry_type(portage_sandbox_t)
-domain_entry_file(portage_sandbox_t,portage_exec_t)
+corecmd_shell_entry_type(portage_t.sandbox)
+domain_entry_file(portage_t.sandbox,portage_exec_t)
+
+# portage package fetching domain
+type portage_t.fetch alias portage_fetch_t;
+domain_type(portage_t.fetch)
+corecmd_shell_entry_type(portage_t.fetch)
+rsync_entry_type(portage_t.fetch)
+
+type portage_devpts_t;
+term_pty(portage_devpts_t)
 type portage_ebuild_t;
 files_type(portage_ebuild_t)
-type portage_fetch_t;
-domain_type(portage_fetch_t)
-
 type portage_fetch_tmp_t;
 files_tmp_file(portage_fetch_tmp_t)
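Review bot: `domain_entry_file(portage_t,portage_exec_t)` appears twice in the `# constraining domain` block, once after `domain_type(portage_t)` and again after `corecmd_shell_entry_type(portage_t)`; the second copy can be dropped. `portage_sandbox_t` and `portage_fetch_t` survive as aliases, but the name `portage_t` now denotes the constraining parent rather than the merge process, so any other module that names `portage_t` (none is visible in this patch) would refer to a different type than before. A short comment above `type portage_t;` stating that change of meaning would help the next reader.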
@@ -39,73 +56,48 @@ files_type(portage_cache_t)
 type portage_log_t;
 logging_log_file(portage_log_t)
+type portage_tmp_t;
+files_tmp_file(portage_tmp_t)
+
+type portage_tmpfs_t;
+files_tmpfs_file(portage_tmpfs_t)
+
 ########################################
 #
-# Portage Rules
+# Portage Constraining Rules
 #
-# - setfscreate for merging to live fs
-# - setexec to run portage fetch
-allow portage_t self:process { setfscreate setexec };
+portage_main_domain(portage_t)
+portage_compile_domain(portage_t)
+portage_fetch_domain(portage_t)
+
+# transition between child domains on shells and rsync
+corecmd_shell_spec_domtrans(portage_t,portage_t)
+rsync_entry_spec_domtrans(portage_t,portage_t)
+
+########################################
+#
+# Portage Merging Rules
+#
+
+portage_main_domain(portage_t.merge)
+
+# if sesandbox is disabled, compiling is performed in this domain
+portage_compile_domain(portage_t.merge)
 # transition for rsync and wget
-corecmd_shell_spec_domtrans(portage_t,portage_fetch_t)
-allow portage_fetch_t portage_t:fd use;
-allow portage_fetch_t portage_t:fifo_file rw_file_perms;
-allow portage_fetch_t portage_t:process sigchld;
-
-allow portage_t portage_log_t:file create_file_perms;
-logging_log_filetrans(portage_t,portage_log_t,file)
+corecmd_shell_spec_domtrans(portage_t.merge,portage_t.fetch)
+rsync_entry_domtrans(portage_t.merge,portage_t.fetch)
+allow portage_t.fetch portage_t.merge:fd use;
+allow portage_t.fetch portage_t.merge:fifo_file rw_file_perms;
+allow portage_t.fetch portage_t.merge:process sigchld;
 # transition to sandbox for compiling
-domain_trans(portage_t,portage_exec_t,portage_sandbox_t)
-corecmd_shell_spec_domtrans(portage_t,portage_sandbox_t)
-allow portage_sandbox_t portage_t:fd use;
-allow portage_sandbox_t portage_t:fifo_file rw_file_perms;
-allow portage_sandbox_t portage_t:process sigchld;
-
-# run scripts out of the build directory
-can_exec(portage_t,portage_tmp_t)
-
-# merging baselayout will need this:
-kernel_write_proc_files(portage_t)
-
-domain_dontaudit_read_all_domains_state(portage_t)
-
-# modify any files in the system
-files_manage_all_files(portage_t)
-
-selinux_get_fs_mount(portage_t)
-
-auth_manage_shadow(portage_t)
-
-# merging baselayout will need this:
-init_exec(portage_t)
-
-# run setfiles -r
-seutil_domtrans_setfiles(portage_t)
-
-optional_policy(`
- bootloader_domtrans(portage_t)
-')
-
-optional_policy(`
- modutils_domtrans_depmod(portage_t)
- modutils_domtrans_update_mods(portage_t)
- #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
-')
-
-optional_policy(`
- usermanage_domtrans_groupadd(portage_t)
- usermanage_domtrans_useradd(portage_t)
-')
-
-ifdef(`TODO',`
-# seems to work ok without these
-dontaudit portage_t device_t:{ blk_file chr_file } getattr;
-dontaudit portage_t proc_t:dir setattr;
-dontaudit portage_t device_type:{ chr_file blk_file } r_file_perms;
-')
+domain_trans(portage_t.merge,portage_exec_t,portage_t.sandbox)
+corecmd_shell_spec_domtrans(portage_t.merge,portage_t.sandbox)
+allow portage_t.sandbox portage_t.merge:fd use;
+allow portage_t.sandbox portage_t.merge:fifo_file rw_file_perms;
+allow portage_t.sandbox portage_t.merge:process sigchld;
 ##########################################
 #
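Review bot: `portage_compile_domain(portage_t)` and `portage_compile_domain(portage_t.merge)` repeat what `portage_main_domain` already does, because that interface (added to portage.if in this patch) calls `portage_compile_domain($1)` itself. Either the explicit calls or the nested one can go, so the compile rules of each domain have one visible origin. The self-transitions `corecmd_shell_spec_domtrans(portage_t,portage_t)` and `rsync_entry_spec_domtrans(portage_t,portage_t)` are presumably there so the parent holds the transitions its children use. The comment above them could say that directly, e.g. `# parent must hold the merge -> fetch/sandbox transitions of its children`.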
@@ -113,67 +105,10 @@ dontaudit portage_t device_type:{ chr_file blk_file } r_file_perms;
 # - for rsync and distfile fetching
 #
-allow portage_fetch_t self:capability dac_override;
-dontaudit portage_fetch_t self:capability { fowner fsetid };
-allow portage_fetch_t self:unix_stream_socket create_socket_perms;
-allow portage_fetch_t self:tcp_socket create_stream_socket_perms;
+portage_fetch_domain(portage_t.fetch)
-allow portage_fetch_t portage_conf_t:dir list_dir_perms;
-allow portage_fetch_t portage_conf_t:file r_file_perms;
-
-allow portage_fetch_t portage_ebuild_t:dir manage_dir_perms;
-allow portage_fetch_t portage_ebuild_t:file manage_file_perms;
-
-allow portage_fetch_t portage_fetch_tmp_t:dir create_dir_perms;
-allow portage_fetch_t portage_fetch_tmp_t:file create_file_perms;
-files_tmp_filetrans(portage_fetch_t, portage_fetch_tmp_t, { file dir })
-
-# portage makes home dir the portage tmp dir, so
-# wget looks for .wgetrc there
-dontaudit portage_fetch_t portage_tmp_t:dir search_dir_perms;
-
-kernel_read_system_state(portage_fetch_t)
-kernel_read_kernel_sysctls(portage_fetch_t)
-
-corecmd_exec_bin(portage_fetch_t)
-corecmd_exec_sbin(portage_fetch_t)
-
-corenet_non_ipsec_sendrecv(portage_fetch_t)
-corenet_tcp_sendrecv_generic_if(portage_fetch_t)
-corenet_tcp_sendrecv_all_nodes(portage_fetch_t)
-corenet_tcp_sendrecv_all_ports(portage_fetch_t)
-# would rather not connect to unspecified ports, but
-# it occasionally comes up
-corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
-corenet_tcp_connect_generic_port(portage_fetch_t)
-
-dev_dontaudit_read_rand(portage_fetch_t)
-
-domain_use_interactive_fds(portage_fetch_t)
-
-files_read_etc_files(portage_fetch_t)
-files_read_etc_runtime_files(portage_fetch_t)
-files_search_var(portage_fetch_t)
-files_dontaudit_search_pids(portage_fetch_t)
-
-term_search_ptys(portage_fetch_t)
-
-libs_use_ld_so(portage_fetch_t)
-libs_use_shared_libs(portage_fetch_t)
-
-miscfiles_read_localization(portage_fetch_t)
-
-sysnet_read_config(portage_fetch_t)
-sysnet_dns_name_resolve(portage_fetch_t)
-
-userdom_dontaudit_read_sysadm_home_content_files(portage_fetch_t)
-
-ifdef(`hide_broken_symptoms',`
- dontaudit portage_fetch_t portage_cache_t:file read;
-')
-
-# TODO:
-#domain_auto_trans(portage_t, rsyncd_exec_t, portage_fetch_t)
+# rule outside of the above macro to fix conflicting type transitions
+files_tmp_filetrans(portage_t.fetch, portage_fetch_tmp_t, { file dir })
 ##########################################
 #
@@ -181,12 +116,10 @@ ifdef(`hide_broken_symptoms',`
 # - SELinux-enforced sandbox
 #
-# seems ok w/o this
-dontaudit portage_sandbox_t portage_cache_t:dir { setattr };
-dontaudit portage_sandbox_t portage_cache_t:file { setattr write };
+portage_compile_domain(portage_t.sandbox)
-allow portage_sandbox_t portage_tmp_t:dir manage_dir_perms;
-allow portage_sandbox_t portage_tmp_t:file manage_file_perms;
-allow portage_sandbox_t portage_tmp_t:lnk_file create_lnk_perms;
-# run scripts out of the build directory
-can_exec(portage_sandbox_t,portage_tmp_t)
+ifdef(`hide_broken_symptoms',`
+ # leaked descriptors
+ dontaudit portage_t.sandbox portage_cache_t:dir { setattr };
+ dontaudit portage_t.sandbox portage_cache_t:file { setattr write };
+')
diff --git a/refpolicy/policy/modules/services/rsync.if b/refpolicy/policy/modules/services/rsync.if
index 84c701ff2..78e11fc4f 100644
--- a/refpolicy/policy/modules/services/rsync.if
+++ b/refpolicy/policy/modules/services/rsync.if
@@ -1 +1,86 @@
 ## Fast incremental file transfer for synchronization
+
+########################################
+##
+## Make rsync an entry point for
+## the specified domain.
+##
+##
+##
+## The domain for which init scripts are an entrypoint.
+##
+##
+# cjp: added for portage
+interface(`rsync_entry_type',`
+ gen_require(`
+ type rsync_exec_t;
+ ')
+
+ domain_entry_file($1,rsync_exec_t)
+')
+
+########################################
+##
+## Execute a rsync in a specified domain.
+##
+##
+##

+## Execute a rsync in a specified domain. +##

+##

+## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##

+##
+## +## +## Domain to transition from. +## +## +## +## +## Domain to transition to. +## +## +# cjp: added for portage +interface(`rsync_entry_spec_domtrans',` + gen_require(` + type rsync_exec_t; + ') + + domain_trans($1,rsync_exec_t,$2) +') + +######################################## +## +## Execute a rsync in a specified domain. +## +## +##

+## Execute a rsync in a specified domain. +##

+##

+## No interprocess communication (signals, pipes, +## etc.) is provided by this interface since +## the domains are not owned by this module. +##

+##
+## +## +## Domain to transition from. +## +## +## +## +## Domain to transition to. +## +## +# cjp: added for portage +interface(`rsync_entry_domtrans',` + gen_require(` + type rsync_exec_t; + ') + + domain_auto_trans($1,rsync_exec_t,$2) +') diff --git a/refpolicy/policy/modules/services/rsync.te b/refpolicy/policy/modules/services/rsync.te index e362e713e..7e4cba2cb 100644 --- a/refpolicy/policy/modules/services/rsync.te +++ b/refpolicy/policy/modules/services/rsync.te @@ -1,5 +1,5 @@ -policy_module(rsync,1.2.1) +policy_module(rsync,1.2.2) ######################################## #
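Review bot: The parameter text of `rsync_entry_type` reads "The domain for which init scripts are an entrypoint.", which looks copied from another module; it should describe rsync, e.g. `The domain for which rsync is an entrypoint.`. `rsync_entry_spec_domtrans` and `rsync_entry_domtrans` carry the identical summary "Execute a rsync in a specified domain." although the first expands to `domain_trans` and the second to `domain_auto_trans`. The second summary should say that it makes the target the default domain when `rsync_exec_t` is executed, so a caller choosing between the two can tell which one changes default labeling.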