From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 1/4] Support NFS mounts for portage-related locations
Date: Wed, 20 Jul 2011 14:06:19 -0400
Message-ID: <4E27191B.3000908@tresys.com>
In-Reply-To: <20110719212317.GB14490@siphos.be>
On 07/19/11 17:23, Sven Vermeulen wrote:
> When users want to use an NFS-mounted portage tree, distfiles, packages and
> other locations, they need to use the proper context= mount option. However,
> in the majority of cases, users use a single NFS mount. In such a
> situation, context= cannot be used properly since it puts a label on the
> entire mount (whereas we would then need other labels depending on
> subdirectories).
>
> Introducing a boolean "portage_allow_nfs" which, when set (default off),
> allows the necessary portage-related domains to manage files and directories
> with the nfs_t label.
>
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
> policy/modules/admin/portage.te | 29 +++++++++++++++++++++++++++++
> 1 files changed, 29 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
> index d2ff138..a645c5d 100644
> --- a/policy/modules/admin/portage.te
> +++ b/policy/modules/admin/portage.te
> @@ -5,6 +5,14 @@ policy_module(portage, 1.10.2)
> # Declarations
> #
>
> +##<desc>
> +##<p>
> +## Allow the portage domain to use NFS mounts (regular nfs_t) for its portage
> +## tree, distfiles, etc.
> +##</p>
> +##</desc>
> +gen_tunable(portage_allow_nfs, false)
I suspect portage_use_nfs is a clearer Boolean name.
> type gcc_config_t;
> type gcc_config_exec_t;
> application_domain(gcc_config_t, gcc_config_exec_t)
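Review bot: the <desc> text for portage_allow_nfs says "Allow the portage domain", but the boolean is consulted for portage_t, portage_fetch_t and portage_sandbox_t, and nfs_t is the label of every NFS mount that was not given a context= option, not only the portage share. State both in the description, e.g. "Allow the portage, fetch and sandbox domains to manage files and directories on any NFS mount carrying the default nfs_t label", so an administrator reading the boolean list sees what is actually being opened. The policy_module(portage, 1.10.2) line in the hunk header is untouched; bump the module version since the policy changes.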
> @@ -174,6 +182,13 @@ portage_domtrans_gcc_config(portage_t)
> # if sesandbox is disabled, compiling is performed in this domain
> portage_compile_domain(portage_t)
>
> +tunable_policy(`portage_allow_nfs',`
> + fs_getattr_nfs(portage_t)
> + fs_manage_nfs_dirs(portage_t)
> + fs_manage_nfs_files(portage_t)
> + fs_manage_nfs_symlinks(portage_t)
> +')
This and the similar block for sandbox should be in the
portage_compile_domain() interface.
> optional_policy(`
> bootloader_domtrans(portage_t)
> ')
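Review bot: the fs_getattr_nfs/fs_manage_nfs_{dirs,files,symlinks} block added after portage_compile_domain(portage_t) is repeated verbatim for portage_fetch_t and portage_sandbox_t in the later hunks. As noted above, the portage_t and sandbox copies belong inside portage_compile_domain(), which portage_t already calls on the context line just before the block; keeping one copy there means the two compiling domains cannot drift apart when the NFS rules change later, and the .te keeps only the fetch domain's (ideally narrower) copy.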
> @@ -262,6 +277,13 @@ ifdef(`hide_broken_symptoms',`
> dontaudit portage_fetch_t portage_cache_t:file read;
> ')
>
> +tunable_policy(`portage_allow_nfs',`
> + fs_getattr_nfs(portage_fetch_t)
> + fs_manage_nfs_dirs(portage_fetch_t)
> + fs_manage_nfs_files(portage_fetch_t)
> + fs_manage_nfs_symlinks(portage_fetch_t)
> +')
> +
> ##########################################
> #
> # Portage sandbox domain
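Review bot: fs_manage_nfs_symlinks(portage_fetch_t) and full directory manage look wider than the fetch domain needs: per the commit message its job on the share is writing distfiles, i.e. creating and writing files in one directory. Unless fetching creates symlinks on the share, drop the symlink call here and keep fs_manage_nfs_dirs/fs_manage_nfs_files, so the network-facing domain gets the smallest of the three grants; if the wider set is needed by some fetch path, say which in the commit message.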
> @@ -275,3 +297,10 @@ ifdef(`hide_broken_symptoms',`
> dontaudit portage_sandbox_t portage_cache_t:dir { setattr };
> dontaudit portage_sandbox_t portage_cache_t:file { setattr write };
> ')
> +
> +tunable_policy(`portage_allow_nfs',`
> + fs_getattr_nfs(portage_sandbox_t)
> + fs_manage_nfs_dirs(portage_sandbox_t)
> + fs_manage_nfs_files(portage_sandbox_t)
> + fs_manage_nfs_symlinks(portage_sandbox_t)
> +')
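Review bot: portage_sandbox_t, the domain in which compiling runs unless sesandbox is disabled (see the comment in the second hunk), gets manage over nfs_t dirs, files and symlinks, which makes every nfs_t mount writable by build-phase code. A build reads the tree and distfiles but writes into its own build directory, so consider the read-side interfaces (fs_list_nfs, fs_read_nfs_files, fs_read_nfs_symlinks) for this domain unless something in the build must write to the share (binary packages from the package phase, for instance), and if so note it in the commit message. If anything on the share has to be executed, fs_exec_nfs_files is missing from all three blocks and will show up as a denial.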
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
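The commit message's point is that context= pins one label on a whole mount, so a single NFS share holding the tree, distfiles and cache cannot get per-directory labels, and the fallback is the filesystem default nfs_t, which is also what the boolean grants access to. The following is an added example, not code from the patch, refpolicy or this thread: it parses /proc/self/mounts-style lines (a constructed sample, not captured from a real host), reports which NFS mounts are plain nfs_t, and finds mounts that are asked to carry more than one label. WANTED_LABELS is an assumed, illustrative mapping of portage paths to types; the quoted context= form handled by _split_options is the one the kernel emits when the context contains a comma.

```python
"""Classify NFS mounts by the SELinux type their files will carry.

Added example for this thread, not refpolicy or patch code. It answers
two questions behind the patch: which NFS mounts are plain nfs_t (and so
become writable by every domain the portage NFS boolean covers), and
which wanted per-directory labels cannot be met by a single context=
option because the directories live on the same mount.
"""
import re
from dataclasses import dataclass, field

NFS_FSTYPES = {"nfs", "nfs4"}
# Default type refpolicy's genfscon gives NFS mounts without context=.
NFS_DEFAULT_TYPE = "nfs_t"

# Assumed target labels for a few portage locations; illustrative only.
WANTED_LABELS = {
    "/usr/portage": "portage_ebuild_t",
    "/usr/portage/distfiles": "portage_ebuild_t",
    "/usr/portage/metadata/cache": "portage_cache_t",
}

# Constructed sample in /proc/self/mounts format, not from a real host.
SAMPLE_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev/sda2 / ext4 rw,relatime,seclabel 0 0
fileserver:/export/portage /usr/portage nfs4 rw,relatime,vers=4,addr=192.0.2.10 0 0
fileserver:/export/home /home nfs rw,relatime,vers=3,context="system_u:object_r:home_root_t:s0:c1,c2",addr=192.0.2.10 0 0
fileserver:/export/bin /mnt/binpkgs nfs rw,relatime,context=system_u:object_r:portage_ebuild_t:s0,addr=192.0.2.10 0 0
"""


@dataclass
class MountInfo:
    source: str
    target: str
    fstype: str
    options: dict = field(default_factory=dict)  # name -> value ("" for flags)


def _unescape(s):
    """/proc/mounts writes space, tab, newline and backslash as \\ooo octal."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), s)


def _split_options(opts):
    """Split on commas, but not inside double quotes: the kernel quotes a
    context= value when the context itself contains a comma (MLS categories)."""
    out, cur, quoted = [], [], False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    out.append("".join(cur))
    return out


def parse_mounts(text):
    """Parse mount lines (source target fstype options ...) into MountInfo."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        src, tgt, fstype, opts = fields[:4]
        options = {}
        for opt in _split_options(opts):
            name, _, value = opt.partition("=")
            options[name] = value
        mounts.append(MountInfo(_unescape(src), _unescape(tgt), fstype, options))
    return mounts


def effective_type(mount):
    """SELinux type of files on an NFS mount, or None for non-NFS mounts."""
    if mount.fstype not in NFS_FSTYPES:
        return None
    ctx = mount.options.get("context")
    if ctx:
        return ctx.split(":")[2]  # user:role:type[:range]
    return NFS_DEFAULT_TYPE


def nfs_t_mounts(text):
    """Targets of NFS mounts whose files carry the default nfs_t label."""
    return [m.target for m in parse_mounts(text)
            if effective_type(m) == NFS_DEFAULT_TYPE]


def mount_for_path(mounts, path):
    """Longest-prefix mount owning path; a later mount shadows an earlier one."""
    best = None
    for m in mounts:
        t = m.target
        if path == t or t == "/" or path.startswith(t.rstrip("/") + "/"):
            if best is None or len(t) >= len(best.target):
                best = m
    return best


def unsatisfiable_with_context(mounts, wanted):
    """Mounts asked to carry more than one type: one context= cannot do that."""
    per_mount = {}
    for path, typ in wanted.items():
        m = mount_for_path(mounts, path)
        if m is not None:
            per_mount.setdefault(m.target, set()).add(typ)
    return {t: s for t, s in per_mount.items() if len(s) > 1}


if __name__ == "__main__":
    ms = parse_mounts(SAMPLE_MOUNTS)
    print("nfs_t mounts:", nfs_t_mounts(SAMPLE_MOUNTS))
    print("need more than one label:", unsatisfiable_with_context(ms, WANTED_LABELS))
```

On a live system the same functions can be fed the contents of /proc/self/mounts; any target listed by nfs_t_mounts() is one the boolean's manage rules would reach, whether or not it has anything to do with portage.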
Thread overview: 11+ messages
2011-07-19 21:16 [refpolicy] [PATCH 0/4] Gentoo/Portage related updates Sven Vermeulen
2011-07-19 21:23 ` [refpolicy] [PATCH 1/4] Support NFS mounts for portage-related locations Sven Vermeulen
2011-07-20 18:06 ` Christopher J. PeBenito [this message]
2011-07-19 21:26 ` [refpolicy] [PATCH 2/4] Support live ebuilds through portage_srcrepo_t Sven Vermeulen
2011-07-20 18:07 ` Christopher J. PeBenito
2011-07-19 21:28 ` [refpolicy] [PATCH 3/4] gcc-config calls /sbin/rc Sven Vermeulen
2011-07-20 18:08 ` Christopher J. PeBenito
2011-07-19 21:31 ` [refpolicy] [PATCH 4/4] Support proxy server/cache servers and binpkg servers Sven Vermeulen
2011-07-20 15:49 ` Christopher J. PeBenito
2011-07-20 17:12 ` Sven Vermeulen
2011-07-20 17:17 ` Christopher J. PeBenito