[refpolicy] [PATCH 0/6] Various small updates on contrib modules

[refpolicy] [PATCH 0/6] Various small updates on contrib modules

[Sven Vermeulen]

This patchset contains a list of smaller updates to various contrib modules

Sven Vermeulen (6):
  Mark glsa-check as portage_exec_t
  Allow gcc-config to work on NFS-mounted portage tree
  Reshuffle tunable/optional
  Do not mark java configuration tools as java entry points
  Allow portage fetch domain to show download progress
  Further enhance portage git support

 java.fc    |    2 +-
 portage.fc |    2 ++
 portage.if |    1 +
 portage.te |    6 ++++++
 telnet.te  |   10 +++++-----
 5 files changed, 15 insertions(+), 6 deletions(-)

-- 
1.7.8.6

[refpolicy] [PATCH 1/6] Mark glsa-check as portage_exec_t

[Sven Vermeulen]

The glsa-check application is Gentoo's application for reporting on
security-vulnerable installed packages. It reads its input from the portage tree
and allows users to update just the affected packages.

For this it needs to run in the portage_t domain.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 portage.fc |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/portage.fc b/portage.fc
index 1d5b4e5..2f6b86b 100644
--- a/portage.fc
+++ b/portage.fc
@@ -4,6 +4,7 @@
 /etc/portage/gpg(/.*)?			gen_context(system_u:object_r:portage_gpg_t,s0)
 
 /usr/bin/gcc-config		--	gen_context(system_u:object_r:gcc_config_exec_t,s0)
+/usr/bin/glsa-check		--	gen_context(system_u:object_r:portage_exec_t,s0)
 /usr/bin/layman			--	gen_context(system_u:object_r:portage_fetch_exec_t,s0)
 /usr/bin/sandbox		--	gen_context(system_u:object_r:portage_exec_t,s0)
 
-- 
1.7.8.6

[refpolicy] [PATCH 2/6] Allow gcc-config to work on NFS-mounted portage tree

[Sven Vermeulen]

When the portage tree is mounted on an NFS mount, we already introduced the
portage_use_nfs tunable to allow the portage domains to handle NFS-labeled
files.

One other domain that also needs this is the gcc_config_t domain, responsible
for listing and updating a systems' gcc. The requirement stems from gcc-config
using portageq to query for information, which requires a readable portage tree.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 portage.te |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/portage.te b/portage.te
index 2af04b9..7516f32 100644
--- a/portage.te
+++ b/portage.te
@@ -132,6 +132,10 @@ ifdef(`distro_gentoo',`
 	init_exec_rc(gcc_config_t)
 ')
 
+tunable_policy(`portage_use_nfs',`
+	fs_read_nfs_files(gcc_config_t)
+')
+
 optional_policy(`
 	seutil_use_newrole_fds(gcc_config_t)
 ')
-- 
1.7.8.6

[refpolicy] [PATCH 3/6] Reshuffle tunable/optional

[Sven Vermeulen]

As per the Reference Policy Style Guide, tunable_policy blocks need to go before
the optional_policy blocks.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 telnet.te |   10 +++++-----
 1 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/telnet.te b/telnet.te
index f40e67b..3858d35 100644
--- a/telnet.te
+++ b/telnet.te
@@ -86,11 +86,6 @@ remotelogin_domtrans(telnetd_t)
 userdom_search_user_home_dirs(telnetd_t)
 userdom_setattr_user_ptys(telnetd_t)
 
-optional_policy(`
-	kerberos_keytab_template(telnetd, telnetd_t)
-	kerberos_manage_host_rcache(telnetd_t)
-')
-
 tunable_policy(`use_nfs_home_dirs',`
 	fs_search_nfs(telnetd_t)
 ')
@@ -98,3 +93,8 @@ tunable_policy(`use_nfs_home_dirs',`
 tunable_policy(`use_samba_home_dirs',`
 	fs_search_cifs(telnetd_t)
 ')
+
+optional_policy(`
+	kerberos_keytab_template(telnetd, telnetd_t)
+	kerberos_manage_host_rcache(telnetd_t)
+')
-- 
1.7.8.6

[refpolicy] [PATCH 4/6] Do not mark java configuration tools as java entry points

[Sven Vermeulen]

Some java-supporting tools, like java-config and java-check-environment, are not
to be used as entry points for the java_t domain. Instead, these should run with
the privileges of the calling domain (and as such should remain bin_t).

The expression itself (java[^-]*) is to still support commonly found java
version binaries (java1.4, java5, java6).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 java.fc |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/java.fc b/java.fc
index 72f3df0..bc1a419 100644
--- a/java.fc
+++ b/java.fc
@@ -9,7 +9,7 @@
 #
 # /usr
 #
-/usr/(.*/)?bin/java.* 		--	gen_context(system_u:object_r:java_exec_t,s0)
+/usr/(.*/)?bin/java[^-]*	--	gen_context(system_u:object_r:java_exec_t,s0)
 /usr/bin/fastjar		--	gen_context(system_u:object_r:java_exec_t,s0)
 /usr/bin/frysk			--	gen_context(system_u:object_r:java_exec_t,s0)
 /usr/bin/gappletviewer		--	gen_context(system_u:object_r:java_exec_t,s0)
-- 
1.7.8.6

[refpolicy] [PATCH 5/6] Allow portage fetch domain to show download progress

[Sven Vermeulen]

When downloading software packages, the portage application is inside the
portage_fetch_t domain. At that point, Portage wants to show the fetch progress
of the software on the users' screen. For this, it needs proper access to
portage_devpts_t.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 portage.te |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/portage.te b/portage.te
index 7516f32..9e9cc07 100644
--- a/portage.te
+++ b/portage.te
@@ -248,6 +248,8 @@ allow portage_fetch_t self:unix_stream_socket create_socket_perms;
 
 allow portage_fetch_t portage_conf_t:dir list_dir_perms;
 
+allow portage_fetch_t portage_devpts_t:chr_file { rw_chr_file_perms setattr };
+
 allow portage_fetch_t portage_gpg_t:dir rw_dir_perms;
 allow portage_fetch_t portage_gpg_t:file manage_file_perms;
 
-- 
1.7.8.6

[refpolicy] [PATCH 6/6] Further enhance portage git support

[Sven Vermeulen]

The git sources for ebuilds that use the git-2 eclass are stored in egit-src.

In this patch, we also allow connections towards git services.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 portage.fc |    1 +
 portage.if |    1 +
 2 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/portage.fc b/portage.fc
index 2f6b86b..d9b2a90 100644
--- a/portage.fc
+++ b/portage.fc
@@ -18,6 +18,7 @@
 
 /usr/portage(/.*)?			gen_context(system_u:object_r:portage_ebuild_t,s0)
 /usr/portage/distfiles/cvs-src(/.*)?	gen_context(system_u:object_r:portage_srcrepo_t,s0)
+/usr/portage/distfiles/egit-src(/.*)?	gen_context(system_u:object_r:portage_srcrepo_t,s0)
 /usr/portage/distfiles/git-src(/.*)?	gen_context(system_u:object_r:portage_srcrepo_t,s0)
 /usr/portage/distfiles/svn-src(/.*)?	gen_context(system_u:object_r:portage_srcrepo_t,s0)
 
diff --git a/portage.if b/portage.if
index b4bb48a..08ac5af 100644
--- a/portage.if
+++ b/portage.if
@@ -151,6 +151,7 @@ interface(`portage_compile_domain',`
 	corenet_udp_sendrecv_all_ports($1)
 	corenet_tcp_connect_all_reserved_ports($1)
 	corenet_tcp_connect_distccd_port($1)
+	corenet_tcp_connect_git_port($1)
 
 	dev_read_sysfs($1)
 	dev_read_rand($1)
-- 
1.7.8.6

[refpolicy] [PATCH 0/6] Various small updates on contrib modules

[Christopher J. PeBenito]

On 07/03/12 15:18, Sven Vermeulen wrote:
> This patchset contains a list of smaller updates to various contrib modules
> 
> Sven Vermeulen (6):
>   Mark glsa-check as portage_exec_t
>   Allow gcc-config to work on NFS-mounted portage tree
>   Reshuffle tunable/optional
>   Do not mark java configuration tools as java entry points
>   Allow portage fetch domain to show download progress
>   Further enhance portage git support
> 
>  java.fc    |    2 +-
>  portage.fc |    2 ++
>  portage.if |    1 +
>  portage.te |    6 ++++++
>  telnet.te  |   10 +++++-----
>  5 files changed, 15 insertions(+), 6 deletions(-)
 
This set is merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com