[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/

Thu, 01 May 2014 13:22:39 -0700 

commit:     3622f0211f17555747da2bf7acb6d8aba7785d1e
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu May  1 20:19:15 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May  1 20:19:35 2014 +0000
URL:        
http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3622f021

emerge-webrsync updates

Two small changes for emerge-webrsync.

The first one is that portage_fetch_t must be able to execute
portage_fetch_tmp_t. This is because portage_fetch_t calls portageq,
which (as a Python app) creates a temporary executable file to parse.

The second change allows portage_fetch_t to read user content (when an
overlay is in /home) optionally through the portage_read_user_content
boolean.

---
 policy/modules/contrib/portage.te | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/policy/modules/contrib/portage.te 
b/policy/modules/contrib/portage.te
index d5b29d6..443460b 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -13,6 +13,14 @@ policy_module(portage, 1.14.0)
 ## </desc>
 gen_tunable(portage_use_nfs, false)
 
+## <desc>
+##     <p>
+##     Determine whether portage domains can read user content.
+##     This is for non-portage_t domains as portage_t can manage the entire 
file system.
+##     </p>
+## </desc>
+gen_tunable(portage_read_user_content, false)
+
 attribute_role gcc_config_roles;
 attribute_role portage_roles;
 attribute_role portage_fetch_roles;
@@ -262,6 +270,8 @@ manage_files_pattern(portage_fetch_t, portage_ebuild_t, 
portage_ebuild_t)
 manage_dirs_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t)
 manage_files_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t)
 files_tmp_filetrans(portage_fetch_t, portage_fetch_tmp_t, { file dir })
+# Needed as otherwise we get large Python tracebacks when using 
emerge-webrsync (portageq failure)
+can_exec(portage_fetch_t, portage_fetch_tmp_t)
 
 kernel_read_system_state(portage_fetch_t)
 kernel_read_kernel_sysctls(portage_fetch_t)
@@ -307,7 +317,6 @@ miscfiles_read_generic_certs(portage_fetch_t)
 miscfiles_read_localization(portage_fetch_t)
 
 userdom_use_user_terminals(portage_fetch_t)
-userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
 
 rsync_exec(portage_fetch_t)
 
@@ -322,6 +331,13 @@ tunable_policy(`portage_use_nfs',`
        fs_manage_nfs_symlinks(portage_fetch_t)
 ')
 
+tunable_policy(`portage_read_user_content',`
+       userdom_read_user_home_content_files(portage_fetch_t)
+       userdom_list_user_home_content(portage_fetch_t)
+',`
+       userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
+')
+
 optional_policy(`
        gpg_exec(portage_fetch_t)
 ')

Reply via email to