nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Support live ebuilds through portage_srcrepo_t

Browse Source 
Portage supports the notion of "live ebuilds", which are packages that, when
installed, update a repository checkout on a specific location. This means
that a few portage-related domains need to have manage_* privileges on that
location whereas they usually have much more limited rights (when live
ebuilds aren't used).

To support live ebuilds, we introduce another label called portage_srcrepo_t
for those specific locations where the "higher" privileges are needed for,
and grant the proper permissions on the compile domains (like
portage_sandbox_t) to manage the checkouts.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
This commit is contained in:
Sven Vermeulen 2011-07-21 11:10:03 +02:00 committed by Chris PeBenito
parent 77cefbf2b4
commit be42fbd8d4
3 changed files with 12 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
policy/modules/admin/portage.fc
View File

@ -12,6 +12,9 @@
/usr/lib(64)?/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/lib(64)?/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
/usr/portage/distfiles/svn-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
/usr/portage/distfiles/git-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
/usr/portage/distfiles/cvs-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
/usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
/var/db/pkg(/.*)? gen_context(system_u:object_r:portage_db_t,s0)

7
policy/modules/admin/portage.if
View File

@ -71,7 +71,7 @@ interface(`portage_compile_domain',`
gen_require(`
class dbus send_msg;
type portage_devpts_t, portage_log_t, portage_tmp_t;
type portage_devpts_t, portage_log_t, portage_srcrepo_t, portage_tmp_t;
type portage_tmpfs_t;
')
@ -105,6 +105,11 @@ interface(`portage_compile_domain',`
allow $1 portage_log_t:dir setattr;
allow $1 portage_log_t:file { write_file_perms setattr };
# Support live ebuilds (-9999)
manage_dirs_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
manage_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
manage_lnk_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
# run scripts out of the build directory
can_exec(portage_sandbox_t, portage_tmp_t)

3
policy/modules/admin/portage.te
View File

@ -59,6 +59,9 @@ files_type(portage_cache_t)
type portage_log_t;
logging_log_file(portage_log_t)
type portage_srcrepo_t;
files_type(portage_srcrepo_t)
type portage_tmp_t;
files_tmp_file(portage_tmp_t)