authorChris PeBenito <pebenito@gentoo.org>2003-11-13 05:57:50 +0000
committerChris PeBenito <pebenito@gentoo.org>2003-11-13 05:57:50 +0000
commit61317bd7d08f74e2a2b71f532ecf3bcddd077ba8 (patch)
tree405019e07d79a66b821ea621e73ab75b95233ee7 /sec-policy
parentnew hotplug with delay fix and firmware.agent, mark stable for x86 and amd64 (diff)
a few fixes from policy cvs
Diffstat (limited to 'sec-policy')
-rw-r--r--sec-policy/selinux-base-policy/ChangeLog11
-rw-r--r--sec-policy/selinux-base-policy/Manifest7
-rw-r--r--sec-policy/selinux-base-policy/files/digest-selinux-base-policy-20031010-r11
-rw-r--r--sec-policy/selinux-base-policy/files/selinux-base-policy-20031010-cvs.diff99
-rw-r--r--sec-policy/selinux-base-policy/selinux-base-policy-20031010-r1.ebuild58
5 files changed, 173 insertions, 3 deletions
diff --git a/sec-policy/selinux-base-policy/ChangeLog b/sec-policy/selinux-base-policy/ChangeLog
index a21566751ce9..fea845b3c04c 100644
--- a/sec-policy/selinux-base-policy/ChangeLog
+++ b/sec-policy/selinux-base-policy/ChangeLog
@@ -1,6 +1,15 @@
# ChangeLog for sec-policy/selinux-base-policy
# Copyright 2000-2003 Gentoo Technologies, Inc.; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-base-policy/ChangeLog,v 1.8 2003/10/29 03:44:15 pebenito Exp $
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-base-policy/ChangeLog,v 1.9 2003/11/13 05:57:48 pebenito Exp $
+
+*selinux-base-policy-20031010-r1 (12 Nov 2003)
+
+ 12 Nov 2003; Chris PeBenito <pebenito@gentoo.org>
+ selinux-base-policy-20031010-r1.ebuild,
+ files/selinux-base-policy-20031010-cvs.diff:
+ Add fixes from policy cvs for compilers, so non x86 and ppc compilers can
+ work. Also portage update as a side effect of updated setfiles code in
+ portage, from bug 31748.
28 Oct 2003; Chris PeBenito <pebenito@gentoo.org>
selinux-base-policy-20031010.ebuild:
diff --git a/sec-policy/selinux-base-policy/Manifest b/sec-policy/selinux-base-policy/Manifest
index e83a26e834c5..d83678630079 100644
--- a/sec-policy/selinux-base-policy/Manifest
+++ b/sec-policy/selinux-base-policy/Manifest
@@ -1,4 +1,7 @@
-MD5 c519322c7db7894c8e65375dfdb2e7e6 selinux-base-policy-20031010.ebuild 1708
-MD5 cee1f20c21efad06374bd8e492097be7 ChangeLog 3857
+MD5 311afe4aad267ff527fc23ab2c2be4ee ChangeLog 4223
MD5 808b5f7f5d6654666e9193672d463229 metadata.xml 473
+MD5 3f602ae1030080dc1c73bbb6e0deb7c9 selinux-base-policy-20031010-r1.ebuild 1794
+MD5 c519322c7db7894c8e65375dfdb2e7e6 selinux-base-policy-20031010.ebuild 1708
+MD5 58ed8d91932fc65a3cf102265e86ef3a files/digest-selinux-base-policy-20031010-r1 80
MD5 58ed8d91932fc65a3cf102265e86ef3a files/digest-selinux-base-policy-20031010 80
+MD5 73ed970a243dc34033a2f2c29f5b63e1 files/selinux-base-policy-20031010-cvs.diff 4268
diff --git a/sec-policy/selinux-base-policy/files/digest-selinux-base-policy-20031010-r1 b/sec-policy/selinux-base-policy/files/digest-selinux-base-policy-20031010-r1
new file mode 100644
index 000000000000..a5a9e2f5961f
--- /dev/null
+++ b/sec-policy/selinux-base-policy/files/digest-selinux-base-policy-20031010-r1
@@ -0,0 +1 @@
+MD5 50cff5131904b9d20bae580edad5cd37 selinux-base-policy-20031010.tar.bz2 58084
diff --git a/sec-policy/selinux-base-policy/files/selinux-base-policy-20031010-cvs.diff b/sec-policy/selinux-base-policy/files/selinux-base-policy-20031010-cvs.diff
new file mode 100644
index 000000000000..655a8a406677
--- /dev/null
+++ b/sec-policy/selinux-base-policy/files/selinux-base-policy-20031010-cvs.diff
@@ -0,0 +1,99 @@
+diff --exclude=CVS -urN base-policy.old/domains/program/portage.te base-policy/domains/program/portage.te
+--- base-policy.old/domains/program/portage.te 2003-09-30 20:10:50.000000000 -0500
++++ base-policy/domains/program/portage.te 2003-11-01 22:55:33.000000000 -0600
+@@ -34,11 +34,12 @@
+ can_exec(portage_t,portage_lib_t)
+ can_network(portage_t)
+ can_create_pty(portage)
++general_domain_access(portage_t)
+ general_proc_read_access(portage_t)
+ can_tcp_connect(portage_t,portage_t)
+
+ allow portage_t self:process { fork setpgid setsched signal_perms };
+-allow portage_t portage_t:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
++allow portage_t portage_t:capability { fowner fsetid mknod setgid setuid chown dac_override dac_read_search net_raw };
+ allow portage_t shell_exec_t:file entrypoint;
+ allow portage_t fs_t:filesystem getattr;
+ allow portage_t privfd:fd use;
+@@ -48,6 +49,9 @@
+ # read/write/create any files in the system
+ can_setfscreate(portage_t)
+ create_dir_notdevfile(portage_t,file_type)
++allow portage_t security_t:dir r_dir_perms;
++allow portage_t security_t:file getattr;
++allow portage_t shadow_t:file getattr;
+
+ # allow portage to compile and load policy, and run setfiles -r
+ ifdef(`setfiles.te',`
+@@ -90,11 +94,6 @@
+ #role_tty_type_change(portage,staff)
+ #role_tty_type_change(staff,portage)
+
+-# ZZZ uncomment to allow transitions between portage_r and user_r
+-# still need to give individual users role access in the users file
+-#role_tty_type_change(portage,user)
+-#role_tty_type_change(user,portage)
+-
+ # sysadm_t needs to access portage for qpkg, rlpkg.
+ allow sysadm_t { portage_cache_t portage_db_t }:file { read ioctl };
+ allow sysadm_t portage_lib_t:file rx_file_perms;
+@@ -102,15 +101,8 @@
+ dontaudit sysadm_t portage_cache_t:file write;
+
+ # various ipc and networking stuff (esp needed for compiling perl):
+-allow portage_t self:sem create_sem_perms;
+-allow portage_t self:shm create_shm_perms;
+-allow portage_t self:msgq create_msgq_perms;
+-allow portage_t self:unix_dgram_socket { create_socket_perms connect sendto };
+-allow portage_t self:unix_stream_socket { create_stream_socket_perms connectto };
+-allow portage_t self:fifo_file { read write getattr };
+ allow portage_t self:rawip_socket { create ioctl };
+ allow portage_t self:udp_socket recvfrom;
+-allow portage_t self:msg { send receive };
+ allow portage_t syslogd_t:unix_dgram_socket sendto;
+
+ # /dev/null and zero access (gcc compile writes to zero, why?)
+@@ -119,13 +111,9 @@
+ allow portage_t random_device_t:chr_file r_file_perms;
+
+ # merging baselayout will need this:
+-r_dir_file(portage_t,proc_t)
+ allow portage_t proc_t:dir write;
+ can_exec(portage_t,init_exec_t)
+
+-# misc
+-allow portage_t portage_tmp_t:dir ioctl;
+-
+ # seems to work ok without these
+ dontaudit portage_t { sysctl_t sysctl_kernel_t device_t }:dir search;
+ dontaudit portage_t sysctl_kernel_t:file r_file_perms;
+@@ -134,3 +122,13 @@
+ dontaudit portage_t domain:dir r_dir_perms;
+ dontaudit portage_t domain:notdevfile_class_set r_file_perms;
+ dontaudit portage_t kernel_t:system syslog_read;
++
++# temp bandaid fixes for portage sloppiness
++dontaudit setfiles_t portage_cache_t:file read;
++dontaudit ldconfig_t portage_cache_t:file read;
++dontaudit checkpolicy_t portage_cache_t:file read;
++dontaudit useradd_t portage_cache_t:file read;
++dontaudit groupadd_t portage_cache_t:file read;
++dontaudit setfiles_t portage_db_t:file write;
++dontaudit useradd_t portage_db_t:file write;
++dontaudit groupadd_t portage_db_t:file write;
+diff --exclude=CVS -urN base-policy.old/file_contexts/types.fc base-policy/file_contexts/types.fc
+--- base-policy.old/file_contexts/types.fc 2003-10-07 14:07:44.000000000 -0500
++++ base-policy/file_contexts/types.fc 2003-10-19 23:05:47.000000000 -0500
+@@ -232,10 +279,8 @@
+ #
+ # gentoo-specific gcc stuff
+ #
+-/usr/i[3-6]86-pc-linux-gnu/bin(/.*)? system_u:object_r:bin_t
+-/usr/i[3-6]86-pc-linux-gnu/gcc-bin/.*(/.*)? system_u:object_r:bin_t
+-/usr/powerpc-unknown-linux-gnu/bin(/.*)? system_u:object_r:bin_t
+-/usr/powerpc-unknown-linux-gnu/gcc-bin/.*(/.*)? system_u:object_r:bin_t
++/usr/.*-.*-linux-gnu/bin(/.*)? system_u:object_r:bin_t
++/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? system_u:object_r:bin_t
+
+ #
+ # /usr/.*glibc.*-linux/lib
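Review bot: The two generalised file-context patterns at the end of the types.fc part, `/usr/.*-.*-linux-gnu/bin(/.*)?` and `/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?`, use `.*` which also matches `/`, so any path under /usr that contains a `*-*-linux-gnu/bin` component at any depth (something under /usr/lib or /usr/share, say) would be labelled bin_t, which is wider than the per-arch entries they replace. Restricting each triplet component to a single directory name, `/usr/[^/]+-[^/]+-linux-gnu/bin(/.*)?` and `/usr/[^/]+-[^/]+-linux-gnu/gcc-bin/.*(/.*)?`, keeps the intent (any target triplet) without crossing path separators. The `dontaudit` block under "temp bandaid fixes for portage sloppiness" silences rather than grants read/write attempts by setfiles_t, ldconfig_t, checkpolicy_t, useradd_t and groupadd_t on portage_cache_t and portage_db_t — presumably inherited descriptors, though the diff does not show the cause — so a comment naming the portage bug or the condition under which they can be dropped would keep them from outliving the fix, and I would also confirm that `general_domain_access(portage_t)` covers the self sem/shm/msgq/socket/fifo rules removed further down, since the macro body is not visible here. The header `@@ -232,10 +279,8 @@` in the types.fc part suggests other changes to that file between the base tarball and policy cvs are not carried in this excerpt, so it applies with an offset rather than cleanly.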
diff --git a/sec-policy/selinux-base-policy/selinux-base-policy-20031010-r1.ebuild b/sec-policy/selinux-base-policy/selinux-base-policy-20031010-r1.ebuild
new file mode 100644
index 000000000000..0e62d465dbad
--- /dev/null
+++ b/sec-policy/selinux-base-policy/selinux-base-policy-20031010-r1.ebuild
@@ -0,0 +1,58 @@
+# Copyright 1999-2003 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-base-policy/selinux-base-policy-20031010-r1.ebuild,v 1.1 2003/11/13 05:57:48 pebenito Exp $
+
+IUSE=""
+
+DESCRIPTION="Gentoo base policy for SELinux"
+HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/"
+SRC_URI="mirror://gentoo/${P}.tar.bz2"
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~x86 ~ppc ~sparc"
+DEPEND=""
+RDEPEND="sys-devel/m4
+ sys-devel/make"
+
+S=${WORKDIR}/base-policy
+
+[ -z ${POLICYDIR} ] && POLICYDIR="/etc/security/selinux/src/policy"
+
+src_unpack() {
+ unpack ${A}
+ cd ${S}
+ epatch ${FILESDIR}/${P}-cvs.diff
+}
+
+src_install() {
+ dodir /etc/security/selinux/src
+
+ insinto /etc/security
+ doins ${S}/appconfig/*
+
+ cp -a ${S} ${D}/${POLICYDIR}
+ rm -fR ${D}/${POLICYDIR}/appconfig
+}
+
+pkg_postinst() {
+ echo
+ einfo "This is the base policy for SELinux on Gentoo. This policy"
+ einfo "package only covers the applications in the system profile."
+ einfo "More policy may need to be added according to your requirements."
+ echo
+ eerror "It is STRONGLY suggested that you evaluate and merge the"
+ eerror "policy changes. If any of the file contexts (*.fc) have"
+ eerror "changed, you should also relabel."
+ echo
+ ewarn "Please check the Changelog, there may be important information."
+ echo
+ echo -ne "\a" ; sleep 0.1 ; echo -ne "\a" ; sleep 1
+ echo -ne "\a" ; sleep 0.1 ; echo -ne "\a" ; sleep 1
+ echo -ne "\a" ; sleep 0.1 ; echo -ne "\a" ; sleep 1
+ echo -ne "\a" ; sleep 0.1 ; echo -ne "\a" ; sleep 1
+ echo -ne "\a" ; sleep 0.1 ; echo -ne "\a" ; sleep 1
+ echo -ne "\a" ; sleep 0.1 ; echo -ne "\a" ; sleep 1
+ echo -ne "\a" ; sleep 0.1 ; echo -ne "\a" ; sleep 1
+ echo -ne "\a" ; sleep 0.1 ; echo -ne "\a" ; sleep 1
+ sleep 8
+}
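Review bot: `[ -z ${POLICYDIR} ] && POLICYDIR=...` leaves the variable unquoted, so when it is unset the test collapses to `[ -z ]` and only succeeds by the accident of the one-argument form, and any value containing whitespace breaks both the test and the later `cp -a ${S} ${D}/${POLICYDIR}` and `rm -fR ${D}/${POLICYDIR}/appconfig`, the last being the line I would least want word-split. Quote all three: `[ -z "${POLICYDIR}" ] && POLICYDIR="/etc/security/selinux/src/policy"`, `cp -a "${S}" "${D}/${POLICYDIR}"`, `rm -fR "${D}/${POLICYDIR}/appconfig"`. Because POLICYDIR is taken from the environment while `dodir /etc/security/selinux/src` only creates the default parent, a non-default value whose parent does not exist under ${D} would make the `cp -a` fail or land the tree elsewhere — worth either a comment stating that POLICYDIR must live under /etc/security/selinux/src or a `dodir "$(dirname "${POLICYDIR}")"` before the copy. The eight beep-and-sleep lines plus `sleep 8` add roughly 24 seconds to every merge; the eerror text already carries the relabel warning, so one beep or none would serve.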