2
policy_module(portage,1.5.0)
4
########################################
10
type gcc_config_exec_t;
11
application_domain(gcc_config_t,gcc_config_exec_t)
16
application_domain(portage_t,portage_exec_t)
17
rsync_entry_type(portage_t)
18
corecmd_shell_entry_type(portage_t)
20
# portage domain for merging packages to the live fs
22
application_domain(portage_t.merge,portage_exec_t)
23
domain_obj_id_change_exemption(portage_t.merge)
25
# portage compile sandbox domain
26
type portage_t.sandbox alias portage_sandbox_t;
27
application_domain(portage_t.sandbox,portage_exec_t)
28
# the shell is the entrypoint if regular sandbox is disabled
29
# portage_exec_t is the entrypoint if regular sandbox is enabled
30
corecmd_shell_entry_type(portage_t.sandbox)
32
# portage package fetching domain
33
type portage_t.fetch alias portage_fetch_t;
34
application_type(portage_t.fetch)
35
corecmd_shell_entry_type(portage_t.fetch)
36
rsync_entry_type(portage_t.fetch)
38
type portage_devpts_t;
39
term_pty(portage_devpts_t)
41
type portage_ebuild_t;
42
files_type(portage_ebuild_t)
44
type portage_fetch_tmp_t;
45
files_tmp_file(portage_fetch_tmp_t)
48
files_type(portage_db_t)
51
files_type(portage_conf_t)
54
files_type(portage_cache_t)
57
logging_log_file(portage_log_t)
60
files_tmp_file(portage_tmp_t)
63
files_tmpfs_file(portage_tmpfs_t)
65
########################################
70
allow gcc_config_t self:capability { chown fsetid };
71
allow gcc_config_t self:fifo_file rw_file_perms;
73
manage_files_pattern(gcc_config_t,portage_cache_t,portage_cache_t)
75
read_files_pattern(gcc_config_t,portage_conf_t,portage_conf_t)
77
allow gcc_config_t portage_ebuild_t:dir list_dir_perms;
78
read_files_pattern(gcc_config_t,portage_ebuild_t,portage_ebuild_t)
80
allow gcc_config_t portage_exec_t:file { execute getattr };
82
kernel_read_system_state(gcc_config_t)
83
kernel_read_kernel_sysctls(gcc_config_t)
85
corecmd_exec_shell(gcc_config_t)
86
corecmd_exec_bin(gcc_config_t)
87
corecmd_manage_bin_files(gcc_config_t)
89
files_manage_etc_files(gcc_config_t)
90
files_rw_etc_runtime_files(gcc_config_t)
91
files_search_var_lib(gcc_config_t)
92
files_search_pids(gcc_config_t)
93
# complains loudly about not being able to list
94
# the directory it is being run from
95
files_list_all(gcc_config_t)
97
term_search_ptys(gcc_config_t)
99
# seems to be ok without this
100
init_dontaudit_read_script_status_files(gcc_config_t)
102
libs_use_ld_so(gcc_config_t)
103
libs_use_shared_libs(gcc_config_t)
104
libs_read_lib_files(gcc_config_t)
105
libs_domtrans_ldconfig(gcc_config_t)
106
libs_manage_shared_libs(gcc_config_t)
107
# gcc-config creates a temp dir for the libs
108
libs_manage_lib_dirs(gcc_config_t)
110
logging_send_syslog_msg(gcc_config_t)
112
miscfiles_read_localization(gcc_config_t)
114
consoletype_exec(gcc_config_t)
117
seutil_use_newrole_fds(gcc_config_t)
120
########################################
122
# Portage Constraining Rules
125
portage_main_domain(portage_t)
126
portage_compile_domain(portage_t)
127
portage_fetch_domain(portage_t)
129
# transition between child domains on shells and rsync
130
corecmd_shell_spec_domtrans(portage_t,portage_t)
131
rsync_entry_spec_domtrans(portage_t,portage_t)
133
########################################
135
# Portage Merging Rules
138
portage_main_domain(portage_t.merge)
140
# if sesandbox is disabled, compiling is performed in this domain
141
portage_compile_domain(portage_t.merge)
143
allow portage_t.merge { portage_t.fetch portage_t.sandbox }:process signal;
145
# transition for rsync and wget
146
corecmd_shell_spec_domtrans(portage_t.merge,portage_t.fetch)
147
rsync_entry_domtrans(portage_t.merge,portage_t.fetch)
148
allow portage_t.fetch portage_t.merge:fd use;
149
allow portage_t.fetch portage_t.merge:fifo_file rw_file_perms;
150
allow portage_t.fetch portage_t.merge:process sigchld;
152
# transition to sandbox for compiling
153
domain_trans(portage_t.merge,portage_exec_t,portage_t.sandbox)
154
corecmd_shell_spec_domtrans(portage_t.merge,portage_t.sandbox)
155
allow portage_t.sandbox portage_t.merge:fd use;
156
allow portage_t.sandbox portage_t.merge:fifo_file rw_file_perms;
157
allow portage_t.sandbox portage_t.merge:process sigchld;
159
##########################################
161
# Portage fetch domain
162
# - for rsync and distfile fetching
165
portage_fetch_domain(portage_t.fetch)
167
# this rule is outside of the above macro to fix conflicting type
168
# transitions seen in the rules for the constraining type (portage_t)
169
files_tmp_filetrans(portage_t.fetch, portage_fetch_tmp_t, { file dir })
171
##########################################
173
# Portage sandbox domain
174
# - SELinux-enforced sandbox
177
portage_compile_domain(portage_t.sandbox)
179
ifdef(`hide_broken_symptoms',`
181
dontaudit portage_t.sandbox portage_cache_t:dir { setattr };
182
dontaudit portage_t.sandbox portage_cache_t:file { setattr write };