## <summary>
##	Portage Package Management System. The primary package management and
##	distribution system for Gentoo.
## </summary>

########################################
## <summary>
##	Execute emerge in the portage domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`portage_domtrans',`
	gen_require(`
		type portage_t, portage_t.merge, portage_exec_t;
	')

	# let the caller search /usr and the bin directories on the
	# way to the emerge executable (portage_exec_t)
	files_search_usr($1)
	corecmd_search_bin($1)

	# constraining domain
	# portage_t is the parent of the derived portage_t.* types.  The
	# caller may transition into it, and portage_t gets the same
	# fd/fifo/sigchld access back to the caller that domtrans_pattern
	# grants below for portage_t.merge.  domain_trans is presumably the
	# variant without an automatic type_transition, so only the derived
	# type below is the automatic target -- confirm against the support macros.
	domain_trans($1,portage_exec_t,portage_t)
	allow portage_t $1:fd use;
	allow portage_t $1:fifo_file rw_fifo_file_perms;
	allow portage_t $1:process sigchld;

	# transition to portage
	# executing portage_exec_t from $1 lands in portage_t.merge
	domtrans_pattern($1,portage_exec_t,portage_t.merge)
')

########################################
## <summary>
##	Execute emerge in the portage domain, and
##	allow the specified role the portage domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to allow the portage domain.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	The type of the terminal that portage is allowed to use.
##	</summary>
## </param>
## <rolecap/>
#
interface(`portage_run',`
	gen_require(`
		type portage_t;
		type portage_t.merge, portage_t.fetch, portage_t.sandbox;
	')

	# exec transition rules (caller -> portage_t / portage_t.merge)
	portage_domtrans($1)

	# constraining access
	# the role must be authorised for the parent type, otherwise the
	# transition set up above is rejected by the role constraints
	role $2 types portage_t;
	allow portage_t $3:chr_file rw_term_perms;

	# specific access
	# the derived types need their own role authorisation and their
	# own terminal access; nothing here is inherited from portage_t
	role $2 types { portage_t.merge portage_t.fetch portage_t.sandbox };
	allow portage_t.merge $3:chr_file rw_term_perms;
	allow portage_t.fetch $3:chr_file rw_term_perms;
	allow portage_t.sandbox $3:chr_file rw_term_perms;
')

########################################
## <summary>
##	Template for portage sandbox.
## </summary>
## <desc>
##	<p>
##	Template for portage sandbox.  Portage
##	does all compiling in the sandbox.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
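interface(`portage_compile_domain',`

	gen_require(`
		class dbus send_msg;
	')

	# Rules shared by every domain that runs ebuild compile phases:
	# the sandbox domain, and the main portage domain when sesandbox is
	# disabled (see portage_main_domain).  The grants below are
	# deliberately wide: every executable on the system, every file
	# except shadow, every network node and port.  What this domain does
	# NOT get is ptrace, setexec/setfscreate, execstack/execheap, chroot
	# and read access to shadow.

	# net_raw pairs with the rawip_socket rule below; chown and
	# dac_override are presumably for installing files owned by other
	# users into the image directory -- confirm.
	allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
	# chroot attempts are denied but not logged
	dontaudit $1 self:capability sys_chroot;
	# The second process rule grants every permission except the ones
	# listed; setrlimit and execmem are granted again by the first rule,
	# so the combined effect withholds only ptrace, setcurrent, setexec,
	# setfscreate, execstack and execheap.
	allow $1 self:process { setpgid setsched setrlimit signal_perms execmem };
	allow $1 self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
	allow $1 self:fd use;
	allow $1 self:fifo_file rw_fifo_file_perms;
	allow $1 self:shm create_shm_perms;
	allow $1 self:sem create_sem_perms;
	allow $1 self:msgq create_msgq_perms;
	allow $1 self:msg { send receive };
	allow $1 self:unix_dgram_socket create_socket_perms;
	allow $1 self:unix_stream_socket create_stream_socket_perms;
	allow $1 self:unix_dgram_socket sendto;
	allow $1 self:unix_stream_socket connectto;
	# really shouldnt need this
	# (the corenet rules further down are what make these sockets useful)
	allow $1 self:tcp_socket create_stream_socket_perms;
	allow $1 self:udp_socket create_socket_perms;
	# misc networking stuff (esp needed for compiling perl):
	allow $1 self:rawip_socket { create ioctl };
	# needed for merging dbus:
	allow $1 self:netlink_selinux_socket { bind create read };
	allow $1 self:dbus send_msg;

	# the build gets its own pty type; setattr is needed on top of rw
	allow $1 portage_devpts_t:chr_file { rw_chr_file_perms setattr };
	term_create_pty($1,portage_devpts_t)

	# write compile logs
	# append/write/setattr only: no create, unlink or read of existing
	# logs from this domain
	allow $1 portage_log_t:dir setattr;
	allow $1 portage_log_t:file { append write setattr };

	# run scripts out of the build directory
	# This was hard-coded to portage_sandbox_t; the template is
	# parameterised on $1 and portage_main_domain grants the same access
	# for its own $1, so the parameter is used here for consistency.
	can_exec($1,portage_tmp_t)

	# full control of the build directory; objects this domain creates
	# under the tmp directories are labelled portage_tmp_t
	manage_dirs_pattern($1,portage_tmp_t,portage_tmp_t)
	manage_files_pattern($1,portage_tmp_t,portage_tmp_t)
	manage_lnk_files_pattern($1,portage_tmp_t,portage_tmp_t)
	manage_fifo_files_pattern($1,portage_tmp_t,portage_tmp_t)
	manage_sock_files_pattern($1,portage_tmp_t,portage_tmp_t)
	files_tmp_filetrans($1,portage_tmp_t,{ dir file lnk_file sock_file fifo_file })

	# same for builds on tmpfs (note: no manage_dirs_pattern here, only
	# the filetrans for dir -- confirm this is intended)
	manage_files_pattern($1,portage_tmpfs_t,portage_tmpfs_t)
	manage_lnk_files_pattern($1,portage_tmpfs_t,portage_tmpfs_t)
	manage_fifo_files_pattern($1,portage_tmpfs_t,portage_tmpfs_t)
	manage_sock_files_pattern($1,portage_tmpfs_t,portage_tmpfs_t)
	fs_tmpfs_filetrans($1,portage_tmpfs_t,{ dir file lnk_file sock_file fifo_file })

	kernel_read_system_state($1)
	kernel_read_network_state($1)
	kernel_read_software_raid_state($1)
	kernel_getattr_core_if($1)
	kernel_getattr_message_if($1)
	kernel_read_kernel_sysctls($1)

	# build systems invoke arbitrary tools, so every executable type
	# on the system may be run from here
	corecmd_exec_all_executables($1)

	# really shouldnt need this but some packages test
	# network access, such as during configure
	# also distcc--need to reinvestigate confining distcc client
	# Net effect: send/receive on all nodes and ports, plus outbound
	# connects to every reserved port; distccd is the only named port.
	corenet_all_recvfrom_unlabeled($1)
	corenet_all_recvfrom_netlabel($1)
	corenet_tcp_sendrecv_generic_if($1)
	corenet_udp_sendrecv_generic_if($1)
	corenet_raw_sendrecv_generic_if($1)
	corenet_tcp_sendrecv_all_nodes($1)
	corenet_udp_sendrecv_all_nodes($1)
	corenet_raw_sendrecv_all_nodes($1)
	corenet_tcp_sendrecv_all_ports($1)
	corenet_udp_sendrecv_all_ports($1)
	corenet_tcp_connect_all_reserved_ports($1)
	corenet_tcp_connect_distccd_port($1)

	dev_read_sysfs($1)
	dev_read_rand($1)
	dev_read_urand($1)

	domain_use_interactive_fds($1)
	# reads of other domains process state are denied silently
	domain_dontaudit_read_all_domains_state($1)

	files_exec_etc_files($1)
	files_exec_usr_src_files($1)

	fs_getattr_xattr_fs($1)
	fs_list_noxattr_fs($1)
	fs_read_noxattr_fs_files($1)
	fs_read_noxattr_fs_symlinks($1)
	fs_search_auto_mountpoints($1)

	# needed for merging dbus:
	selinux_compute_access_vector($1)

	# read access to the whole filesystem; shadow is the single exclusion
	auth_read_all_dirs_except_shadow($1)
	auth_read_all_files_except_shadow($1)
	auth_read_all_symlinks_except_shadow($1)

	libs_use_ld_so($1)
	libs_use_shared_libs($1)
	libs_exec_lib_files($1)
	# some config scripts use ldd
	libs_exec_ld_so($1)
	# this violates the idea of sandbox, but
	# regular sandbox allows it
	libs_domtrans_ldconfig($1)

	logging_send_syslog_msg($1)

	# disabled: this block only expands when TODO is defined
	ifdef(`TODO',`
	# some gui ebuilds want to interact with X server, like xawtv
	optional_policy(`
		allow $1 xdm_xserver_tmp_t:dir { add_name remove_name write };
		allow $1 xdm_xserver_tmp_t:sock_file { create getattr unlink write };
	')
	') dnl end TODO
')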

########################################
## <summary>
##	Template for portage fetch.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`portage_fetch_domain',`

	# Rules for the distfile fetch step (wget is mentioned below).
	# Much narrower than portage_compile_domain: TCP client access,
	# read-only portage configuration, and write access limited to the
	# ebuild tree and the fetch tmp directory.

	allow $1 self:capability { dac_override fowner fsetid };
	allow $1 self:process signal;
	allow $1 self:unix_stream_socket create_socket_perms;
	allow $1 self:tcp_socket create_stream_socket_perms;

	# portage configuration is read-only from here
	allow $1 portage_conf_t:dir list_dir_perms;
	read_files_pattern($1,portage_conf_t,portage_conf_t)

	# full control of the ebuild tree (presumably where fetched
	# distfiles are stored -- confirm) and of the fetch tmp directory
	manage_dirs_pattern($1,portage_ebuild_t,portage_ebuild_t)
	manage_files_pattern($1,portage_ebuild_t,portage_ebuild_t)

	manage_dirs_pattern($1,portage_fetch_tmp_t,portage_fetch_tmp_t)
	manage_files_pattern($1,portage_fetch_tmp_t,portage_fetch_tmp_t)

	# portage makes home dir the portage tmp dir, so
	# wget looks for .wgetrc there
	# (the lookup is denied; this only keeps it out of the audit log)
	dontaudit $1 portage_tmp_t:dir search_dir_perms;

	kernel_read_system_state($1)
	kernel_read_kernel_sysctls($1)

	corecmd_exec_bin($1)

	# outbound TCP to any node on any port, plus connects to every
	# reserved port and the generic port
	corenet_all_recvfrom_unlabeled($1)
	corenet_all_recvfrom_netlabel($1)
	corenet_tcp_sendrecv_generic_if($1)
	corenet_tcp_sendrecv_all_nodes($1)
	corenet_tcp_sendrecv_all_ports($1)
	# would rather not connect to unspecified ports, but
	# it occasionally comes up
	corenet_tcp_connect_all_reserved_ports($1)
	corenet_tcp_connect_generic_port($1)

	# reads of the random device are denied silently
	dev_dontaudit_read_rand($1)

	domain_use_interactive_fds($1)

	files_read_etc_files($1)
	files_read_etc_runtime_files($1)
	files_search_var($1)
	files_dontaudit_search_pids($1)

	term_search_ptys($1)

	libs_use_ld_so($1)
	libs_use_shared_libs($1)

	miscfiles_read_localization($1)

	# resolver configuration and DNS lookups for the download hosts
	sysnet_read_config($1)
	sysnet_dns_name_resolve($1)

	# reads of the sysadm home directory content are denied silently
	sysadm_dontaudit_read_home_content_files($1)

	# with hide_broken_symptoms the cache read is silenced, not allowed
	ifdef(`hide_broken_symptoms',`
		dontaudit $1 portage_cache_t:file read;
	')
')

########################################
## <summary>
##	Template for portage main.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`portage_main_domain',`

	# Rules for the top-level emerge process.  On top of everything in
	# portage_compile_domain this grants files_manage_all_files and
	# auth_manage_shadow, so $1 has effectively unrestricted write access
	# to the filesystem; anything that reaches this domain is root
	# equivalent for file access.

	# - setfscreate for merging to live fs
	# - setexec to run portage fetch
	allow $1 self:process { setfscreate setexec };

	# if sesandbox is disabled, compiles are
	# performed in the main domain
	portage_compile_domain($1)

	# unlike the compile domain, the main domain may create and
	# remove log files, not just append to them
	allow $1 portage_log_t:file manage_file_perms;
	logging_log_filetrans($1,portage_log_t,file)

	# run scripts out of the build directory
	can_exec($1,portage_tmp_t)

	# merging baselayout will need this:
	kernel_write_proc_files($1)

	domain_dontaudit_read_all_domains_state($1)

	# modify any files in the system
	files_manage_all_files($1)

	selinux_get_fs_mount($1)

	# the one exclusion of the compile domain (shadow) is lifted here
	auth_manage_shadow($1)

	# merging baselayout will need this:
	init_exec($1)

	# run setfiles -r
	seutil_domtrans_setfiles($1)
	# run semodule
	seutil_domtrans_semanage($1)

	# defined in this file
	portage_domtrans_gcc_config($1)

	optional_policy(`
		bootloader_domtrans($1)
	')

	optional_policy(`
		modutils_domtrans_depmod($1)
		modutils_domtrans_update_mods($1)
		#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
	')

	optional_policy(`
		usermanage_domtrans_groupadd($1)
		usermanage_domtrans_useradd($1)
	')

	# disabled: this block only expands when TODO is defined
	# NOTE(review): these rules name portage_t rather than $1
	ifdef(`TODO',`
	# seems to work ok without these
	dontaudit portage_t device_t:{ blk_file chr_file } getattr;
	dontaudit portage_t proc_t:dir setattr;
	dontaudit portage_t device_type:chr_file read_chr_file_perms;
	dontaudit portage_t device_type:blk_file read_blk_file_perms;
	')
')

########################################
## <summary>
##	Execute gcc-config in the gcc_config domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`portage_domtrans_gcc_config',`
	gen_require(`
		type gcc_config_t, gcc_config_exec_t;
	')

	# let the caller search /usr and the bin directories on the
	# way to the gcc-config executable (gcc_config_exec_t)
	files_search_usr($1)
	corecmd_search_bin($1)

	# domain transition to gcc_config_t when $1 executes gcc_config_exec_t
	domtrans_pattern($1,gcc_config_exec_t,gcc_config_t)
')

########################################
## <summary>
##	Execute gcc-config in the gcc_config domain, and
##	allow the specified role the gcc_config domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to allow the gcc_config domain.
##	</summary>
## </param>
## <param name="terminal">
##	<summary>
##	The type of the terminal that gcc_config is allowed to use.
##	</summary>
## </param>
## <rolecap/>
#
interface(`portage_run_gcc_config',`
	gen_require(`
		type gcc_config_t;
	')

	# exec transition rules (caller -> gcc_config_t)
	portage_domtrans_gcc_config($1)

	# constraining access
	# the role must be authorised for gcc_config_t or the transition
	# is rejected; the terminal rule lets gcc-config talk to the user
	role $2 types gcc_config_t;
	allow gcc_config_t $3:chr_file rw_term_perms;
')