From be42fbd8d4015f0f7d1376ad53f00eeade2cccd5 Mon Sep 17 00:00:00 2001 From: Sven Vermeulen Date: Thu, 21 Jul 2011 11:10:03 +0200 Subject: [PATCH] Support live ebuilds through portage_srcrepo_t Portage supports the notion of "live ebuilds", which are packages that, when installed, update a repository checkout on a specific location. This means that a few portage-related domains need to have manage_* privileges on that location whereas they usually have much more limited rights (when live ebuilds aren't used). To support live ebuilds, we introduce another label called portage_srcrepo_t for those specific locations where the "higher" privileges are needed for, and grant the proper permissions on the compile domains (like portage_sandbox_t) to manage the checkouts. Signed-off-by: Sven Vermeulen --- policy/modules/admin/portage.fc | 3 +++ policy/modules/admin/portage.if | 7 ++++++- policy/modules/admin/portage.te | 3 +++ 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc index db4638777..909709226 100644 --- a/policy/modules/admin/portage.fc +++ b/policy/modules/admin/portage.fc @@ -12,6 +12,9 @@ /usr/lib(64)?/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0) /usr/lib(64)?/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0) +/usr/portage/distfiles/svn-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) +/usr/portage/distfiles/git-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) +/usr/portage/distfiles/cvs-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0) /usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0) /var/db/pkg(/.*)? gen_context(system_u:object_r:portage_db_t,s0) diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if index 6eff3754d..08b361bfd 100644 --- a/policy/modules/admin/portage.if +++ b/policy/modules/admin/portage.if @@ -71,7 +71,7 @@ interface(`portage_compile_domain',` gen_require(` class dbus send_msg; - type portage_devpts_t, portage_log_t, portage_tmp_t; + type portage_devpts_t, portage_log_t, portage_srcrepo_t, portage_tmp_t; type portage_tmpfs_t; ') @@ -105,6 +105,11 @@ interface(`portage_compile_domain',` allow $1 portage_log_t:dir setattr; allow $1 portage_log_t:file { write_file_perms setattr }; + # Support live ebuilds (-9999) + manage_dirs_pattern($1, portage_srcrepo_t, portage_srcrepo_t) + manage_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t) + manage_lnk_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t) + # run scripts out of the build directory can_exec(portage_sandbox_t, portage_tmp_t) diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te index 492d742e3..16524c74f 100644 --- a/policy/modules/admin/portage.te +++ b/policy/modules/admin/portage.te @@ -59,6 +59,9 @@ files_type(portage_cache_t) type portage_log_t; logging_log_file(portage_log_t) +type portage_srcrepo_t; +files_type(portage_srcrepo_t) + type portage_tmp_t; files_tmp_file(portage_tmp_t)