* [refpolicy] [PATCH 0/4] Gentoo/Portage related updates
@ 2011-07-19 21:16 Sven Vermeulen
  2011-07-19 21:23 ` [refpolicy] [PATCH 1/4] Support NFS mounts for portage-related locations Sven Vermeulen
                   ` (3 more replies)
  0 siblings, 4 replies; 11+ messages in thread
From: Sven Vermeulen @ 2011-07-19 21:16 UTC (permalink / raw)
  To: refpolicy

A couple of patches that were introduced for Portage. No large changes:

1. Support NFS mounts (when NFS mounts using context= aren't possible)
2. Support live ebuilds (portage needs more privileges on particular
   locations then)
3. Allow gcc-config to call /sbin/rc (needed since openrc support)
4. Support proxy servers for Portage (and PORTAGE_BINHOST support too)

Wkr,
	Sven Vermeulen


* [refpolicy] [PATCH 1/4] Support NFS mounts for portage-related locations
  2011-07-19 21:16 [refpolicy] [PATCH 0/4] Gentoo/Portage related updates Sven Vermeulen
@ 2011-07-19 21:23 ` Sven Vermeulen
  2011-07-20 18:06   ` Christopher J. PeBenito
  2011-07-19 21:26 ` [refpolicy] [PATCH 2/4] Support live ebuilds through portage_srcrepo_t Sven Vermeulen
                   ` (2 subsequent siblings)
  3 siblings, 1 reply; 11+ messages in thread
From: Sven Vermeulen @ 2011-07-19 21:23 UTC (permalink / raw)
  To: refpolicy

When users want to use NFS mounted portage tree, distfiles, packages and
other locations, they need to use the proper context= mount option. However,
in the majority of cases, the users use a single NFS mount. In such
situation, context= cannot be used properly since it puts a label on the
entire mount (whereas we would then need other labels depending on
subdirectories).

Introducing a boolean "portage_allow_nfs" which, when set (default off),
allows the necessary portage-related domains to manage files and directories
with the nfs_t label.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/admin/portage.te |   29 +++++++++++++++++++++++++++++
 1 files changed, 29 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index d2ff138..a645c5d 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -5,6 +5,14 @@ policy_module(portage, 1.10.2)
 # Declarations
 #
 
+## <desc>
+## <p>
+##   Allow the portage domain to use NFS mounts (regular nfs_t) for its portage
+##   tree, distfiles, etc.
+## </p>
+## </desc>
+gen_tunable(portage_allow_nfs, false)
+
 type gcc_config_t;
 type gcc_config_exec_t;
 application_domain(gcc_config_t, gcc_config_exec_t)
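
Review bot: The tunable description in the added ## <desc> block says "the portage domain", but the later hunks enable the same NFS access for portage_t, portage_fetch_t and portage_sandbox_t. The description should name all three domains and say that the access is manage-level on directories, files and symlinks labelled nfs_t, so an administrator toggling portage_allow_nfs knows what it grants.
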
@@ -174,6 +182,13 @@ portage_domtrans_gcc_config(portage_t)
 # if sesandbox is disabled, compiling is performed in this domain
 portage_compile_domain(portage_t)
 
+tunable_policy(`portage_allow_nfs',`
+	fs_getattr_nfs(portage_t)
+	fs_manage_nfs_dirs(portage_t)
+	fs_manage_nfs_files(portage_t)
+	fs_manage_nfs_symlinks(portage_t)
+')
+
 optional_policy(`
 	bootloader_domtrans(portage_t)
 ')
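
Review bot: In the tunable_policy block for portage_t, the four fs_*_nfs calls are keyed on nfs_t, which per the commit message is the label carried by the entire mount. With the boolean on, portage_t can therefore manage every file on a mount left at the regular nfs_t label, not only the portage tree, distfiles and packages. Add a comment above the block stating this scope and the locations it is meant for.
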
@@ -262,6 +277,13 @@ ifdef(`hide_broken_symptoms',`
 	dontaudit portage_fetch_t portage_cache_t:file read;
 ')
 
+tunable_policy(`portage_allow_nfs',`
+	fs_getattr_nfs(portage_fetch_t)
+	fs_manage_nfs_dirs(portage_fetch_t)
+	fs_manage_nfs_files(portage_fetch_t)
+	fs_manage_nfs_symlinks(portage_fetch_t)
+')
+
 ##########################################
 #
 # Portage sandbox domain
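
Review bot: portage_fetch_t gets the same full set as portage_t in this block, including fs_manage_nfs_dirs and fs_manage_nfs_symlinks, with no comment saying which NFS-backed locations the fetch domain writes to. If fetching only needs to create files under distfiles, state that in a comment and check whether symlink management is needed for this domain at all.
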
@@ -275,3 +297,10 @@ ifdef(`hide_broken_symptoms',`
 	dontaudit portage_sandbox_t portage_cache_t:dir { setattr };
 	dontaudit portage_sandbox_t portage_cache_t:file { setattr write };
 ')
+
+tunable_policy(`portage_allow_nfs',`
+	fs_getattr_nfs(portage_sandbox_t)
+	fs_manage_nfs_dirs(portage_sandbox_t)
+	fs_manage_nfs_files(portage_sandbox_t)
+	fs_manage_nfs_symlinks(portage_sandbox_t)
+')
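
Review bot: The tunable_policy block appended at the end of the file is the third verbatim copy of the same four calls, differing only in the domain argument (portage_t, portage_fetch_t, portage_sandbox_t). Since an earlier hunk shows portage_t already calling portage_compile_domain(), consider moving the block into a shared interface that takes the domain as $1 so the copies cannot drift apart.
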
-- 
1.7.3.4


* [refpolicy] [PATCH 2/4] Support live ebuilds through portage_srcrepo_t
  2011-07-19 21:16 [refpolicy] [PATCH 0/4] Gentoo/Portage related updates Sven Vermeulen
  2011-07-19 21:23 ` [refpolicy] [PATCH 1/4] Support NFS mounts for portage-related locations Sven Vermeulen
@ 2011-07-19 21:26 ` Sven Vermeulen
  2011-07-20 18:07   ` Christopher J. PeBenito
  2011-07-19 21:28 ` [refpolicy] [PATCH 3/4] gcc-config calls /sbin/rc Sven Vermeulen
  2011-07-19 21:31 ` [refpolicy] [PATCH 4/4] Support proxy server/cache servers and binpkg servers Sven Vermeulen
  3 siblings, 1 reply; 11+ messages in thread
From: Sven Vermeulen @ 2011-07-19 21:26 UTC (permalink / raw)
  To: refpolicy

Portage supports the notion of "live ebuilds", which are packages that, when
installed, update a repository checkout on a specific location. This means
that a few portage-related domains need to have manage_* privileges on that
location whereas they usually have much more limited rights (when live
ebuilds aren't used).

To support live ebuilds, we introduce another label called portage_srcrepo_t
for those specific locations where the "higher" privileges are needed for,
and grant the proper permissions on the compile domain (portage_sandbox_t)
to manage the checkouts.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/admin/portage.fc |    3 +++
 policy/modules/admin/portage.if |    5 +++++
 policy/modules/admin/portage.te |    3 +++
 3 files changed, 11 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index db46387..9097092 100644
--- a/policy/modules/admin/portage.fc
+++ b/policy/modules/admin/portage.fc
@@ -12,6 +12,9 @@
 /usr/lib(64)?/portage/bin/regenworld --	gen_context(system_u:object_r:portage_exec_t,s0)
 /usr/lib(64)?/portage/bin/sandbox --	gen_context(system_u:object_r:portage_exec_t,s0)
 
+/usr/portage/distfiles/svn-src(/.*)?	gen_context(system_u:object_r:portage_srcrepo_t,s0)
+/usr/portage/distfiles/git-src(/.*)?	gen_context(system_u:object_r:portage_srcrepo_t,s0)
+/usr/portage/distfiles/cvs-src(/.*)?	gen_context(system_u:object_r:portage_srcrepo_t,s0)
 /usr/portage(/.*)?			gen_context(system_u:object_r:portage_ebuild_t,s0)
 
 /var/db/pkg(/.*)?			gen_context(system_u:object_r:portage_db_t,s0)
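
Review bot: The three added file-context entries differ only in the svn/git/cvs prefix and can be written as one line, /usr/portage/distfiles/(svn|git|cvs)-src(/.*)?, which keeps the list short if more checkout directories are added later. The paths are also fixed under /usr/portage/distfiles, so a system that keeps distfiles elsewhere will not get portage_srcrepo_t on its checkouts; a comment noting that a local file-context rule is needed in that case would help.
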
diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index 0f27b1c..e327da3 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -123,6 +123,11 @@ interface(`portage_compile_domain',`
 	manage_sock_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
 	fs_tmpfs_filetrans($1, portage_tmpfs_t, { dir file lnk_file sock_file fifo_file })
 
+	# Support live ebuilds (-9999)
+	manage_dirs_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+	manage_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+	manage_lnk_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+
 	kernel_read_system_state($1)
 	kernel_read_network_state($1)
 	kernel_read_software_raid_state($1)
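
Review bot: The three manage_*_pattern lines use portage_srcrepo_t inside the portage_compile_domain interface, but the diffstat shows these five lines as the only change to portage.if, so the type is not added to a gen_require block. An interface has to require every type it names; add portage_srcrepo_t to the require block of portage_compile_domain alongside the other portage types used here, such as portage_tmpfs_t.
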
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index a645c5d..88c6d60 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -44,6 +44,9 @@ term_pty(portage_devpts_t)
 type portage_ebuild_t;
 files_type(portage_ebuild_t)
 
+type portage_srcrepo_t;
+files_type(portage_srcrepo_t)
+
 type portage_fetch_tmp_t;
 files_tmp_file(portage_fetch_tmp_t)
 
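
Review bot: portage_srcrepo_t is declared between portage_ebuild_t and portage_fetch_tmp_t, which breaks the alphabetical order the surrounding declarations follow. Move the type and its files_type() line to the position where it sorts, and add a one-line comment saying it labels live-ebuild checkouts, since the name alone does not say so.
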
-- 
1.7.3.4


* [refpolicy] [PATCH 3/4] gcc-config calls /sbin/rc
  2011-07-19 21:16 [refpolicy] [PATCH 0/4] Gentoo/Portage related updates Sven Vermeulen
  2011-07-19 21:23 ` [refpolicy] [PATCH 1/4] Support NFS mounts for portage-related locations Sven Vermeulen
  2011-07-19 21:26 ` [refpolicy] [PATCH 2/4] Support live ebuilds through portage_srcrepo_t Sven Vermeulen
@ 2011-07-19 21:28 ` Sven Vermeulen
  2011-07-20 18:08   ` Christopher J. PeBenito
  2011-07-19 21:31 ` [refpolicy] [PATCH 4/4] Support proxy server/cache servers and binpkg servers Sven Vermeulen
  3 siblings, 1 reply; 11+ messages in thread
From: Sven Vermeulen @ 2011-07-19 21:28 UTC (permalink / raw)
  To: refpolicy

Since the introduction of OpenRC (init system), a few changes are made on
the general Gentoo related files and applications. gcc-config is one of
them. It calls /sbin/rc (the main "entrypoint" for all OpenRC-related
actions) which, with the current policy, wasn't allowed.

Allow gcc-config to call /sbin/rc (initrc_exec_t) without transitioning.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/admin/portage.te |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 88c6d60..e555e41 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -105,6 +105,8 @@ files_list_all(gcc_config_t)
 
 # seems to be ok without this
 init_dontaudit_read_script_status_files(gcc_config_t)
+# Since OpenRC, gcc-config calls rc (but transitioning isn't needed)
+init_exec_script_files(gcc_config_t)
 
 libs_read_lib_files(gcc_config_t)
 libs_domtrans_ldconfig(gcc_config_t)
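
Review bot: The new comment and init_exec_script_files(gcc_config_t) are inserted directly under "# seems to be ok without this", so that older comment now appears to cover the new call as well; separate them with a blank line. The new comment should also say why no transition is needed, because executing initrc_exec_t in place means rc runs with the permissions of gcc_config_t and a reader needs to know that is intended.
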
-- 
1.7.3.4


* [refpolicy] [PATCH 4/4] Support proxy server/cache servers and binpkg servers
  2011-07-19 21:16 [refpolicy] [PATCH 0/4] Gentoo/Portage related updates Sven Vermeulen
                   ` (2 preceding siblings ...)
  2011-07-19 21:28 ` [refpolicy] [PATCH 3/4] gcc-config calls /sbin/rc Sven Vermeulen
@ 2011-07-19 21:31 ` Sven Vermeulen
  2011-07-20 15:49   ` Christopher J. PeBenito
  3 siblings, 1 reply; 11+ messages in thread
From: Sven Vermeulen @ 2011-07-19 21:31 UTC (permalink / raw)
  To: refpolicy

Portage supports the use of proxy systems (which usually run on port 8080)
for both the fetching of software archives as well as fetching binaries (in
case of PORTAGE_BINHOST support).

Hence the introduction of the connect_http_port & connect_http_cache_port
for portage_t (PORTAGE_BINHOST) and portage_fetch_t (software archives).

In the latter case, connect_http_port is already available through
connect_all_reserved_ports.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/admin/portage.te |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index e555e41..b11cdd2 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -166,6 +166,10 @@ can_exec(portage_t, portage_tmp_t)
 # merging baselayout will need this:
 kernel_write_proc_files(portage_t)
 
+# allow emerge to fetch binpkgs from PORTAGE_BINHOST
+corenet_tcp_connect_http_port(portage_t)
+corenet_tcp_connect_http_cache_port(portage_t)
+
 domain_dontaudit_read_all_domains_state(portage_t)
 
 # modify any files in the system
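
Review bot: The two corenet_tcp_connect_* lines give the main portage_t domain outbound connections, while the next hunk shows a dedicated portage_fetch_t domain that already holds the connect permissions used for fetching. Consider fetching binpkgs in portage_fetch_t rather than widening portage_t. If the lines stay, extend the comment to cover the proxy case, since it only names PORTAGE_BINHOST while the commit message introduces http_cache_port for proxies.
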
@@ -258,6 +262,7 @@ corenet_tcp_sendrecv_all_ports(portage_fetch_t)
 # it occasionally comes up
 corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
 corenet_tcp_connect_generic_port(portage_fetch_t)
+corenet_tcp_connect_http_cache_port(portage_fetch_t) # In case of cache server connections/proxy
 
 dev_dontaudit_read_rand(portage_fetch_t)
 
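
Review bot: The added corenet_tcp_connect_http_cache_port(portage_fetch_t) line carries a trailing comment, whereas the neighbouring lines put comments on their own line above the call ("# it occasionally comes up"). Move the comment above the call to match, and mention port 8080 from the commit message so the reason for the extra port type is recorded in the policy.
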
-- 
1.7.3.4


* [refpolicy] [PATCH 4/4] Support proxy server/cache servers and binpkg servers
  2011-07-19 21:31 ` [refpolicy] [PATCH 4/4] Support proxy server/cache servers and binpkg servers Sven Vermeulen
@ 2011-07-20 15:49   ` Christopher J. PeBenito
  2011-07-20 17:12     ` Sven Vermeulen
  0 siblings, 1 reply; 11+ messages in thread
From: Christopher J. PeBenito @ 2011-07-20 15:49 UTC (permalink / raw)
  To: refpolicy

On 07/19/11 17:31, Sven Vermeulen wrote:
> Portage supports the use of proxy systems (which usually run on port 8080)
> for both the fetching of software archives as well as fetching binaries (in
> case of PORTAGE_BINHOST support).
>
> Hence the introduction of the connect_http_port & connect_http_cache_port
> for portage_t (PORTAGE_BINHOST) and portage_fetch_t (software archives).
>
> In the latter case, connect_http_port is already available through
> connect_all_reserved_ports.

I presume portage is using wget to do this?  Why can't we update portage
to do setexeccon, like it is doing when downloading source files?

> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>   policy/modules/admin/portage.te |    5 +++++
>   1 files changed, 5 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
> index e555e41..b11cdd2 100644
> --- a/policy/modules/admin/portage.te
> +++ b/policy/modules/admin/portage.te
> @@ -166,6 +166,10 @@ can_exec(portage_t, portage_tmp_t)
>   # merging baselayout will need this:
>   kernel_write_proc_files(portage_t)
>
> +# allow emerge to fetch binpkgs from PORTAGE_BINHOST
> +corenet_tcp_connect_http_port(portage_t)
> +corenet_tcp_connect_http_cache_port(portage_t)
> +
>   domain_dontaudit_read_all_domains_state(portage_t)
>
>   # modify any files in the system
> @@ -258,6 +262,7 @@ corenet_tcp_sendrecv_all_ports(portage_fetch_t)
>   # it occasionally comes up
>   corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
>   corenet_tcp_connect_generic_port(portage_fetch_t)
> +corenet_tcp_connect_http_cache_port(portage_fetch_t) # In case of cache server connections/proxy
>
>   dev_dontaudit_read_rand(portage_fetch_t)
>


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 4/4] Support proxy server/cache servers and binpkg servers
  2011-07-20 15:49   ` Christopher J. PeBenito
@ 2011-07-20 17:12     ` Sven Vermeulen
  2011-07-20 17:17       ` Christopher J. PeBenito
  0 siblings, 1 reply; 11+ messages in thread
From: Sven Vermeulen @ 2011-07-20 17:12 UTC (permalink / raw)
  To: refpolicy

On Wed, Jul 20, 2011 at 11:49:55AM -0400, Christopher J. PeBenito wrote:
> On 07/19/11 17:31, Sven Vermeulen wrote:
> > Portage supports the use of proxy systems (which usually run on port 8080)
> > for both the fetching of software archives as well as fetching binaries (in
> > case of PORTAGE_BINHOST support).
> >
> > Hence the introduction of the connect_http_port & connect_http_cache_port
> > for portage_t (PORTAGE_BINHOST) and portage_fetch_t (software archives).
> >
> > In the latter case, connect_http_port is already available through
> > connect_all_reserved_ports.
> 
> I presume portage is using wget to do this?  Why can't we update portage
> to do setexeccon, like it is doing when downloading source files?

You mean to have Portage transition to portage_fetch_t again so that the
privileges on portage_t aren't necessary? I don't think that would be a
problem.

Wkr,
	Sven Vermeulen


* [refpolicy] [PATCH 4/4] Support proxy server/cache servers and binpkg servers
  2011-07-20 17:12     ` Sven Vermeulen
@ 2011-07-20 17:17       ` Christopher J. PeBenito
  0 siblings, 0 replies; 11+ messages in thread
From: Christopher J. PeBenito @ 2011-07-20 17:17 UTC (permalink / raw)
  To: refpolicy

On 07/20/11 13:12, Sven Vermeulen wrote:
> On Wed, Jul 20, 2011 at 11:49:55AM -0400, Christopher J. PeBenito wrote:
>> On 07/19/11 17:31, Sven Vermeulen wrote:
>>> Portage supports the use of proxy systems (which usually run on port 8080)
>>> for both the fetching of software archives as well as fetching binaries (in
>>> case of PORTAGE_BINHOST support).
>>>
>>> Hence the introduction of the connect_http_port & connect_http_cache_port
>>> for portage_t (PORTAGE_BINHOST) and portage_fetch_t (software archives).
>>>
>>> In the latter case, connect_http_port is already available through
>>> connect_all_reserved_ports.
>>
>> I presume portage is using wget to do this?  Why can't we update portage
>> to do setexeccon, like it is doing when downloading source files?
>
> You mean to have Portage transition to portage_fetch_t again so that the
> privileges on portage_t aren't necessary? I don't think that would be a
> problem.

Yes.  As much as possible, we were trying to keep the network access in 
portage_fetch_t.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 1/4] Support NFS mounts for portage-related locations
  2011-07-19 21:23 ` [refpolicy] [PATCH 1/4] Support NFS mounts for portage-related locations Sven Vermeulen
@ 2011-07-20 18:06   ` Christopher J. PeBenito
  0 siblings, 0 replies; 11+ messages in thread
From: Christopher J. PeBenito @ 2011-07-20 18:06 UTC (permalink / raw)
  To: refpolicy

On 07/19/11 17:23, Sven Vermeulen wrote:
> When users want to use NFS mounted portage tree, distfiles, packages and
> other locations, they need to use the proper context= mount option. However,
> in the majority of cases, the users use a single NFS mount. In such
> situation, context= cannot be used properly since it puts a label on the
> entire mount (whereas we would then need other labels depending on
> subdirectories).
>
> Introducing a boolean "portage_allow_nfs" which, when set (default off),
> allows the necessary portage-related domains to manage files and directories
> with the nfs_t label.
>
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>   policy/modules/admin/portage.te |   29 +++++++++++++++++++++++++++++
>   1 files changed, 29 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
> index d2ff138..a645c5d 100644
> --- a/policy/modules/admin/portage.te
> +++ b/policy/modules/admin/portage.te
> @@ -5,6 +5,14 @@ policy_module(portage, 1.10.2)
>   # Declarations
>   #
>
> +##<desc>
> +##<p>
> +##   Allow the portage domain to use NFS mounts (regular nfs_t) for its portage
> +##   tree, distfiles, etc.
> +##</p>
> +##</desc>
> +gen_tunable(portage_allow_nfs, false)

I suspect portage_use_nfs is a clearer Boolean name.

>   type gcc_config_t;
>   type gcc_config_exec_t;
>   application_domain(gcc_config_t, gcc_config_exec_t)
> @@ -174,6 +182,13 @@ portage_domtrans_gcc_config(portage_t)
>   # if sesandbox is disabled, compiling is performed in this domain
>   portage_compile_domain(portage_t)
>
> +tunable_policy(`portage_allow_nfs',`
> +	fs_getattr_nfs(portage_t)
> +	fs_manage_nfs_dirs(portage_t)
> +	fs_manage_nfs_files(portage_t)
> +	fs_manage_nfs_symlinks(portage_t)
> +')

This and the similar block for sandbox should be in the 
portage_compile_domain() interface.

>   optional_policy(`
>   	bootloader_domtrans(portage_t)
>   ')
> @@ -262,6 +277,13 @@ ifdef(`hide_broken_symptoms',`
>   	dontaudit portage_fetch_t portage_cache_t:file read;
>   ')
>
> +tunable_policy(`portage_allow_nfs',`
> +	fs_getattr_nfs(portage_fetch_t)
> +	fs_manage_nfs_dirs(portage_fetch_t)
> +	fs_manage_nfs_files(portage_fetch_t)
> +	fs_manage_nfs_symlinks(portage_fetch_t)
> +')
> +
>   ##########################################
>   #
>   # Portage sandbox domain
> @@ -275,3 +297,10 @@ ifdef(`hide_broken_symptoms',`
>   	dontaudit portage_sandbox_t portage_cache_t:dir { setattr };
>   	dontaudit portage_sandbox_t portage_cache_t:file { setattr write };
>   ')
> +
> +tunable_policy(`portage_allow_nfs',`
> +	fs_getattr_nfs(portage_sandbox_t)
> +	fs_manage_nfs_dirs(portage_sandbox_t)
> +	fs_manage_nfs_files(portage_sandbox_t)
> +	fs_manage_nfs_symlinks(portage_sandbox_t)
> +')


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 2/4] Support live ebuilds through portage_srcrepo_t
  2011-07-19 21:26 ` [refpolicy] [PATCH 2/4] Support live ebuilds through portage_srcrepo_t Sven Vermeulen
@ 2011-07-20 18:07   ` Christopher J. PeBenito
  0 siblings, 0 replies; 11+ messages in thread
From: Christopher J. PeBenito @ 2011-07-20 18:07 UTC (permalink / raw)
  To: refpolicy

On 07/19/11 17:26, Sven Vermeulen wrote:
> Portage supports the notion of "live ebuilds", which are packages that, when
> installed, update a repository checkout on a specific location. This means
> that a few portage-related domains need to have manage_* privileges on that
> location whereas they usually have much more limited rights (when live
> ebuilds aren't used).
>
> To support live ebuilds, we introduce another label called portage_srcrepo_t
> for those specific locations where the "higher" privileges are needed for,
> and grant the proper permissions on the compile domain (portage_sandbox_t)
> to manage the checkouts.
>
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>   policy/modules/admin/portage.fc |    3 +++
>   policy/modules/admin/portage.if |    5 +++++
>   policy/modules/admin/portage.te |    3 +++
>   3 files changed, 11 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
> index db46387..9097092 100644
> --- a/policy/modules/admin/portage.fc
> +++ b/policy/modules/admin/portage.fc
> @@ -12,6 +12,9 @@
>   /usr/lib(64)?/portage/bin/regenworld --	gen_context(system_u:object_r:portage_exec_t,s0)
>   /usr/lib(64)?/portage/bin/sandbox --	gen_context(system_u:object_r:portage_exec_t,s0)
>
> +/usr/portage/distfiles/svn-src(/.*)?	gen_context(system_u:object_r:portage_srcrepo_t,s0)
> +/usr/portage/distfiles/git-src(/.*)?	gen_context(system_u:object_r:portage_srcrepo_t,s0)
> +/usr/portage/distfiles/cvs-src(/.*)?	gen_context(system_u:object_r:portage_srcrepo_t,s0)
>   /usr/portage(/.*)?			gen_context(system_u:object_r:portage_ebuild_t,s0)
>
>   /var/db/pkg(/.*)?			gen_context(system_u:object_r:portage_db_t,s0)
> diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
> index 0f27b1c..e327da3 100644
> --- a/policy/modules/admin/portage.if
> +++ b/policy/modules/admin/portage.if
> @@ -123,6 +123,11 @@ interface(`portage_compile_domain',`
>   	manage_sock_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
>   	fs_tmpfs_filetrans($1, portage_tmpfs_t, { dir file lnk_file sock_file fifo_file })
>
> +	# Support live ebuilds (-9999)
> +	manage_dirs_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
> +	manage_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
> +	manage_lnk_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
> +
>   	kernel_read_system_state($1)
>   	kernel_read_network_state($1)
>   	kernel_read_software_raid_state($1)
> diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
> index a645c5d..88c6d60 100644
> --- a/policy/modules/admin/portage.te
> +++ b/policy/modules/admin/portage.te
> @@ -44,6 +44,9 @@ term_pty(portage_devpts_t)
>   type portage_ebuild_t;
>   files_type(portage_ebuild_t)
>
> +type portage_srcrepo_t;
> +files_type(portage_srcrepo_t)
> +
>   type portage_fetch_tmp_t;
>   files_tmp_file(portage_fetch_tmp_t)

The content of the patch is fine, but the ordering of the lines/blocks 
needs to be fixed (eg srcrepo comes before tmp).

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 3/4] gcc-config calls /sbin/rc
  2011-07-19 21:28 ` [refpolicy] [PATCH 3/4] gcc-config calls /sbin/rc Sven Vermeulen
@ 2011-07-20 18:08   ` Christopher J. PeBenito
  0 siblings, 0 replies; 11+ messages in thread
From: Christopher J. PeBenito @ 2011-07-20 18:08 UTC (permalink / raw)
  To: refpolicy

On 07/19/11 17:28, Sven Vermeulen wrote:
> Since the introduction of OpenRC (init system), a few changes are made on
> the general Gentoo related files and applications. gcc-config is one of
> them. It calls /sbin/rc (the main "entrypoint" for all OpenRC-related
> actions) which, with the current policy, wasn't allowed.
>
> Allow gcc-config to call /sbin/rc (initrc_exec_t) without transitioning.

I'm going to hold on this one until resolution of what to do with /sbin/rc.

> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>   policy/modules/admin/portage.te |    2 ++
>   1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
> index 88c6d60..e555e41 100644
> --- a/policy/modules/admin/portage.te
> +++ b/policy/modules/admin/portage.te
> @@ -105,6 +105,8 @@ files_list_all(gcc_config_t)
>
>   # seems to be ok without this
>   init_dontaudit_read_script_status_files(gcc_config_t)
> +# Since OpenRC, gcc-config calls rc (but transitioning isn't needed)
> +init_exec_script_files(gcc_config_t)
>
>   libs_read_lib_files(gcc_config_t)
>   libs_domtrans_ldconfig(gcc_config_t)


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
