From: dominick.grift@gmail.com (grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 1/7] Moving sandbox code to sandbox section
Date: Tue, 27 Nov 2012 13:53:04 +0100
Message-ID: <1354020784.1888.6.camel@localhost>
In-Reply-To: <1353612118-9745-2-git-send-email-sven.vermeulen@siphos.be>

On Thu, 2012-11-22 at 20:21 +0100, Sven Vermeulen wrote:
> Some portage_sandbox_t code is sitting in the main portage_t section. Moving
> this to its own sandbox location.
>
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
> portage.te | 11 ++++++-----
> 1 files changed, 6 insertions(+), 5 deletions(-)
>
> diff --git a/portage.te b/portage.te
> index 7d2fc08..074828c 100644
> --- a/portage.te
> +++ b/portage.te
> @@ -176,11 +176,6 @@ dontaudit portage_fetch_t portage_devpts_t:chr_file { read write };
> # transition to sandbox for compiling
> domain_trans(portage_t, portage_exec_t, portage_sandbox_t)
> corecmd_shell_spec_domtrans(portage_t, portage_sandbox_t)
> -allow portage_sandbox_t portage_t:fd use;
> -allow portage_sandbox_t portage_t:fifo_file rw_fifo_file_perms;
> -allow portage_sandbox_t portage_t:process sigchld;
> -allow portage_sandbox_t self:process ptrace;
> -dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
>
> # run scripts out of the build directory
> can_exec(portage_t, portage_tmp_t)
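
Review bot: the three removed rules that target portage_t (fd use, fifo_file rw_fifo_file_perms, process sigchld) belong with the transition on the unchanged line "domain_trans(portage_t, portage_exec_t, portage_sandbox_t)" directly above them, and after this hunk nothing at the transition site shows that the sandbox side still gets them. A one-line comment here pointing at the sandbox section would keep the two halves connected for the next reader. It would also help to state in the commit message that this is a pure move with no rule changes, since the diffstat (6 insertions, 5 deletions) does not make that obvious on its own.
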
> @@ -338,6 +333,12 @@ optional_policy(`
> # - SELinux-enforced sandbox
> #
>
> +allow portage_sandbox_t portage_t:fd use;
> +allow portage_sandbox_t portage_t:fifo_file rw_fifo_file_perms;
> +allow portage_sandbox_t portage_t:process sigchld;
> +allow portage_sandbox_t self:process ptrace;
> +dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
> +
> portage_compile_domain(portage_sandbox_t)
>
> auth_use_nsswitch(portage_sandbox_t)
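
Review bot: "allow portage_sandbox_t self:process ptrace;" (fourth added line) lands in the sandbox section with no comment explaining why the sandbox domain needs ptrace on itself; since the rule is being touched anyway, add a short comment naming what requires it so it can be re-evaluated later. As a style point, the block as added puts the rules targeting portage_t ahead of the two self rules; placing the self rules first would make the sandbox section easier to scan.
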
I guess I could merge this, but this could be better.

Instead of domain_trans(portage_t, portage_exec_t, portage_sandbox_t)
you could use: spec_domtrans_pattern(portage_t, portage_exec_t,
portage_sandbox_t)

That allows you to remove:

+allow portage_sandbox_t portage_t:fd use;
+allow portage_sandbox_t portage_t:fifo_file rw_fifo_file_perms;
+allow portage_sandbox_t portage_t:process sigchld;

since that is included in the spec_domtrans_pattern().

It also allows you to remove the explicit setexec, since that is also
included in this pattern.

If you do that, then the ordering of rules is also cleaned up,
since self rules should be on top.
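
The redundancy described in the reply above can be checked mechanically. The following is an added example, not code from refpolicy or from either author: a small Python check that flags explicit allow rules already covered by a spec_domtrans_pattern() call, using only the four rules the reply names. The function names and the sample policy text are constructed for illustration.

```python
import re

# Constructed sample: the rules from the patch next to the suggested pattern call.
SAMPLE = """\
spec_domtrans_pattern(portage_t, portage_exec_t,
                      portage_sandbox_t)
allow portage_t self:process setexec;
allow portage_sandbox_t portage_t:fd use;
allow portage_sandbox_t portage_t:fifo_file rw_fifo_file_perms;
allow portage_sandbox_t portage_t:process sigchld;
allow portage_sandbox_t self:process ptrace;
dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
"""

PATTERN_CALL = re.compile(r"spec_domtrans_pattern\(\s*(\w+)\s*,\s*(\w+)\s*,\s*(\w+)\s*\)")
ALLOW_RULE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")

def implied_rules(src, tgt):
    # What the reply says spec_domtrans_pattern(src, entry, tgt) includes,
    # as (source, target, class, permission). Permission macros are matched by name.
    return {
        (tgt, src, "fd", "use"),
        (tgt, src, "fifo_file", "rw_fifo_file_perms"),
        (tgt, src, "process", "sigchld"),
        (src, "self", "process", "setexec"),
    }

def redundant_rules(policy_text):
    """Return (line number, rule) for allow rules fully covered by a pattern call."""
    lines = [l.split("#", 1)[0] for l in policy_text.splitlines()]  # drop comments
    implied = set()
    for m in PATTERN_CALL.finditer("\n".join(lines)):  # calls may wrap across lines
        src, _entry, tgt = m.groups()
        implied |= implied_rules(src, tgt)
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = ALLOW_RULE.match(line)
        if not m:
            continue
        source, target, cls, perms = m.groups()
        perm_set = set(perms.strip("{} ").split())
        # Flag only when every permission on the rule is implied by a pattern.
        if perm_set and all((source, target, cls, p) in implied for p in perm_set):
            hits.append((lineno, line.strip()))
    return hits

if __name__ == "__main__":
    for lineno, rule in redundant_rules(SAMPLE):
        print(f"line {lineno}: covered by spec_domtrans_pattern(): {rule}")
```

The ptrace and dontaudit lines are left alone, which matches the reply: only the fd, fifo_file, sigchld and setexec rules become removable.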