* [refpolicy] [PATCH 1/4] Support live ebuilds
@ 2011-04-28 19:25 Sven Vermeulen
  2011-05-02 15:25 ` Christopher J. PeBenito
From: Sven Vermeulen @ 2011-04-28 19:25 UTC (permalink / raw)
  To: refpolicy

In Gentoo, live ebuilds exist (packages) which use the latest checkout of a
version controlled repository (git, svn, cvs, ...). During installation,
Portage checks out this repository in (by default)
/usr/portage/distfiles/svn-src. Currently, this is labelled portage_ebuild_t
but it is just plain wrong to allow the portage_sandbox_t to manage this
type (which, btw, it can't do currently, so live ebuild installations aren't
supported with the current policy).

To resolve this, create an additional type (portage_svnsrc_t) and label the
location accordingly. Also, allow portage_sandbox_t to manage the files,
directories and links that it checks out by allowing the necessary
privileges on portage_svnsrc_t.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/admin/portage.fc |    1 +
 policy/modules/admin/portage.if |    5 +++++
 policy/modules/admin/portage.te |    3 +++
 3 files changed, 9 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index db46387..f6daba8 100644
--- a/policy/modules/admin/portage.fc
+++ b/policy/modules/admin/portage.fc
@@ -13,6 +13,7 @@
 /usr/lib(64)?/portage/bin/sandbox --	gen_context(system_u:object_r:portage_exec_t,s0)
 
 /usr/portage(/.*)?			gen_context(system_u:object_r:portage_ebuild_t,s0)
+/usr/portage/distfiles/svn-src(/.*)?	gen_context(system_u:object_r:portage_svnsrc_t,s0)
 
 /var/db/pkg(/.*)?			gen_context(system_u:object_r:portage_db_t,s0)
 /var/cache/edb(/.*)?			gen_context(system_u:object_r:portage_cache_t,s0)
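Review bot: the new /usr/portage/distfiles/svn-src(/.*)? entry only covers Portage's default checkout location; on a system where DISTDIR or the checkout directory has been changed, the checkout stays portage_ebuild_t and the manage rules added in portage.if never apply. The commit message should state that the default path is assumed and that an already existing checkout needs a restorecon of /usr/portage/distfiles/svn-src after the new policy is loaded. The message also lists git, svn and cvs as live ebuild sources, but only the svn-src directory is labelled here; if the other VCS checkouts land in sibling directories they will need matching entries.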
diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index 8aaa46d..a4026a9 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -123,6 +123,11 @@ interface(`portage_compile_domain',`
 	manage_sock_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
 	fs_tmpfs_filetrans($1, portage_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 
+	# Support live ebuilds
+	manage_dirs_pattern($1, portage_svnsrc_t, portage_svnsrc_t)
+	manage_files_pattern($1, portage_svnsrc_t, portage_svnsrc_t)
+	manage_lnk_files_pattern($1, portage_svnsrc_t, portage_svnsrc_t)
+
 	kernel_read_system_state($1)
 	kernel_read_network_state($1)
 	kernel_read_software_raid_state($1)
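Review bot: the three manage_*_pattern lines reference portage_svnsrc_t from inside portage_compile_domain, but the hunk does not extend the interface's gen_require block; since the type is private to the portage module, `type portage_svnsrc_t;` must be added there or the interface will fail to expand for callers. The rules also assume the svn-src directory already exists with the new label: a compile domain that is not allowed to manage portage_ebuild_t cannot create it under /usr/portage/distfiles, and if something else creates it the directory inherits portage_ebuild_t and these rules do not match until it is relabelled. Say in the commit message that the directory must be pre-created and relabelled, or add a file transition for it.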
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index c633aea..8f41c2e 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -36,6 +36,9 @@ term_pty(portage_devpts_t)
 type portage_ebuild_t;
 files_type(portage_ebuild_t)
 
+type portage_svnsrc_t;
+files_type(portage_svnsrc_t)
+
 type portage_fetch_tmp_t;
 files_tmp_file(portage_fetch_tmp_t)
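Review bot: portage_svnsrc_t is declared with files_type() only, and the only access this patch grants is through portage_compile_domain, so the main Portage domain and any admin or user domain get no read or delete rights on the checkouts; cleanup or inspection of /usr/portage/distfiles/svn-src from outside the sandbox will be denied. If that is intended, a short comment above the declaration saying the type is managed only from the compile domain would make it clear; otherwise the existing portage read/manage interfaces in portage.if need a matching variant for this type.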
 
-- 
1.7.3.4

