author | Chris PeBenito <pebenito@gentoo.org> | 2003-11-13 05:57:50 +0000 |
---|---|---|
committer | Chris PeBenito <pebenito@gentoo.org> | 2003-11-13 05:57:50 +0000 |
commit | 61317bd7d08f74e2a2b71f532ecf3bcddd077ba8 (patch) | |
tree | 405019e07d79a66b821ea621e73ab75b95233ee7 /sec-policy | |
parent | new hotplug with delay fix and firmware.agent, mark stable for x86 and amd64 (diff) | |
a few fixes from policy cvs
Diffstat (limited to 'sec-policy')
5 files changed, 173 insertions, 3 deletions
diff --git a/sec-policy/selinux-base-policy/ChangeLog b/sec-policy/selinux-base-policy/ChangeLog index a21566751ce9..fea845b3c04c 100644 --- a/sec-policy/selinux-base-policy/ChangeLog +++ b/sec-policy/selinux-base-policy/ChangeLog @@ -1,6 +1,15 @@ # ChangeLog for sec-policy/selinux-base-policy # Copyright 2000-2003 Gentoo Technologies, Inc.; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-base-policy/ChangeLog,v 1.8 2003/10/29 03:44:15 pebenito Exp $ +# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-base-policy/ChangeLog,v 1.9 2003/11/13 05:57:48 pebenito Exp $ + +*selinux-base-policy-20031010-r1 (12 Nov 2003) + + 12 Nov 2003; Chris PeBenito <pebenito@gentoo.org> + selinux-base-policy-20031010-r1.ebuild, + files/selinux-base-policy-20031010-cvs.diff: + Add fixes from policy cvs for compilers, so non x86 and ppc compilers can + work. Also portage update as a side effect of updated setfiles code in + portage, from bug 31748. 28 Oct 2003; Chris PeBenito <pebenito@gentoo.org> selinux-base-policy-20031010.ebuild: diff --git a/sec-policy/selinux-base-policy/Manifest b/sec-policy/selinux-base-policy/Manifest index e83a26e834c5..d83678630079 100644 --- a/sec-policy/selinux-base-policy/Manifest +++ b/sec-policy/selinux-base-policy/Manifest @@ -1,4 +1,7 @@ -MD5 c519322c7db7894c8e65375dfdb2e7e6 selinux-base-policy-20031010.ebuild 1708 -MD5 cee1f20c21efad06374bd8e492097be7 ChangeLog 3857 +MD5 311afe4aad267ff527fc23ab2c2be4ee ChangeLog 4223 MD5 808b5f7f5d6654666e9193672d463229 metadata.xml 473 +MD5 3f602ae1030080dc1c73bbb6e0deb7c9 selinux-base-policy-20031010-r1.ebuild 1794 +MD5 c519322c7db7894c8e65375dfdb2e7e6 selinux-base-policy-20031010.ebuild 1708 +MD5 58ed8d91932fc65a3cf102265e86ef3a files/digest-selinux-base-policy-20031010-r1 80 MD5 58ed8d91932fc65a3cf102265e86ef3a files/digest-selinux-base-policy-20031010 80 +MD5 73ed970a243dc34033a2f2c29f5b63e1 files/selinux-base-policy-20031010-cvs.diff 4268 
diff --git a/sec-policy/selinux-base-policy/files/digest-selinux-base-policy-20031010-r1 b/sec-policy/selinux-base-policy/files/digest-selinux-base-policy-20031010-r1
new file mode 100644
index 000000000000..a5a9e2f5961f
--- /dev/null
+++ b/sec-policy/selinux-base-policy/files/digest-selinux-base-policy-20031010-r1
@@ -0,0 +1 @@
+MD5 50cff5131904b9d20bae580edad5cd37 selinux-base-policy-20031010.tar.bz2 58084
diff --git a/sec-policy/selinux-base-policy/files/selinux-base-policy-20031010-cvs.diff b/sec-policy/selinux-base-policy/files/selinux-base-policy-20031010-cvs.diff
new file mode 100644
index 000000000000..655a8a406677
--- /dev/null
+++ b/sec-policy/selinux-base-policy/files/selinux-base-policy-20031010-cvs.diff
@@ -0,0 +1,99 @@
+diff --exclude=CVS -urN base-policy.old/domains/program/portage.te base-policy/domains/program/portage.te
+--- base-policy.old/domains/program/portage.te 2003-09-30 20:10:50.000000000 -0500
++++ base-policy/domains/program/portage.te 2003-11-01 22:55:33.000000000 -0600
+@@ -34,11 +34,12 @@
+ can_exec(portage_t,portage_lib_t)
+ can_network(portage_t)
+ can_create_pty(portage)
++general_domain_access(portage_t)
+ general_proc_read_access(portage_t)
+ can_tcp_connect(portage_t,portage_t)
+ 
+ allow portage_t self:process { fork setpgid setsched signal_perms };
+-allow portage_t portage_t:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
++allow portage_t portage_t:capability { fowner fsetid mknod setgid setuid chown dac_override dac_read_search net_raw };
+ allow portage_t shell_exec_t:file entrypoint;
+ allow portage_t fs_t:filesystem getattr;
+ allow portage_t privfd:fd use;
+@@ -48,6 +49,9 @@
+ # read/write/create any files in the system
+ can_setfscreate(portage_t)
+ create_dir_notdevfile(portage_t,file_type)
++allow portage_t security_t:dir r_dir_perms;
++allow portage_t security_t:file getattr;
++allow portage_t shadow_t:file getattr;
+ 
+ # allow portage to compile and load policy, and run setfiles -r
+ ifdef(`setfiles.te',`
+@@ -90,11 +94,6 @@
+ #role_tty_type_change(portage,staff)
+ #role_tty_type_change(staff,portage)
+ 
+-# ZZZ uncomment to allow transitions between portage_r and user_r
+-# still need to give individual users role access in the users file
+-#role_tty_type_change(portage,user)
+-#role_tty_type_change(user,portage)
+-
+ # sysadm_t needs to access portage for qpkg, rlpkg.
+ allow sysadm_t { portage_cache_t portage_db_t }:file { read ioctl };
+ allow sysadm_t portage_lib_t:file rx_file_perms;
+@@ -102,15 +101,8 @@
+ dontaudit sysadm_t portage_cache_t:file write;
+ 
+ # various ipc and networking stuff (esp needed for compiling perl):
+-allow portage_t self:sem create_sem_perms;
+-allow portage_t self:shm create_shm_perms;
+-allow portage_t self:msgq create_msgq_perms;
+-allow portage_t self:unix_dgram_socket { create_socket_perms connect sendto };
+-allow portage_t self:unix_stream_socket { create_stream_socket_perms connectto };
+-allow portage_t self:fifo_file { read write getattr };
+ allow portage_t self:rawip_socket { create ioctl };
+ allow portage_t self:udp_socket recvfrom;
+-allow portage_t self:msg { send receive };
+ allow portage_t syslogd_t:unix_dgram_socket sendto;
+ 
+ # /dev/null and zero access (gcc compile writes to zero, why?)
+@@ -119,13 +111,9 @@
+ allow portage_t random_device_t:chr_file r_file_perms;
+ 
+ # merging baselayout will need this:
+-r_dir_file(portage_t,proc_t)
+ allow portage_t proc_t:dir write;
+ can_exec(portage_t,init_exec_t)
+ 
+-# misc
+-allow portage_t portage_tmp_t:dir ioctl;
+-
+ # seems to work ok without these
+ dontaudit portage_t { sysctl_t sysctl_kernel_t device_t }:dir search;
+ dontaudit portage_t sysctl_kernel_t:file r_file_perms;
+@@ -134,3 +122,13 @@
+ dontaudit portage_t domain:dir r_dir_perms;
+ dontaudit portage_t domain:notdevfile_class_set r_file_perms;
+ dontaudit portage_t kernel_t:system syslog_read;
++
++# temp bandaid fixes for portage sloppiness
++dontaudit setfiles_t portage_cache_t:file read;
++dontaudit ldconfig_t portage_cache_t:file read;
++dontaudit checkpolicy_t portage_cache_t:file read;
++dontaudit useradd_t portage_cache_t:file read;
++dontaudit groupadd_t portage_cache_t:file read;
++dontaudit setfiles_t portage_db_t:file write;
++dontaudit useradd_t portage_db_t:file write;
++dontaudit groupadd_t portage_db_t:file write;
+diff --exclude=CVS -urN base-policy.old/file_contexts/types.fc base-policy/file_contexts/types.fc
+--- base-policy.old/file_contexts/types.fc 2003-10-07 14:07:44.000000000 -0500
++++ base-policy/file_contexts/types.fc 2003-10-19 23:05:47.000000000 -0500
+@@ -232,10 +279,8 @@
+ #
+ # gentoo-specific gcc stuff
+ #
+-/usr/i[3-6]86-pc-linux-gnu/bin(/.*)? system_u:object_r:bin_t
+-/usr/i[3-6]86-pc-linux-gnu/gcc-bin/.*(/.*)? system_u:object_r:bin_t
+-/usr/powerpc-unknown-linux-gnu/bin(/.*)? system_u:object_r:bin_t
+-/usr/powerpc-unknown-linux-gnu/gcc-bin/.*(/.*)? system_u:object_r:bin_t
++/usr/.*-.*-linux-gnu/bin(/.*)? system_u:object_r:bin_t
++/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? system_u:object_r:bin_t
+ 
+ #
+ # /usr/.*glibc.*-linux/lib
diff --git a/sec-policy/selinux-base-policy/selinux-base-policy-20031010-r1.ebuild b/sec-policy/selinux-base-policy/selinux-base-policy-20031010-r1.ebuild
new file mode 100644
index 000000000000..0e62d465dbad
--- /dev/null
+++ b/sec-policy/selinux-base-policy/selinux-base-policy-20031010-r1.ebuild
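Review bot: The two replacement `types.fc` patterns at the end of the bundled patch, `/usr/.*-.*-linux-gnu/bin(/.*)?` and `/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?`, use `.*` for the CHOST components, and in a file_contexts regex `.*` also matches `/`, so they label as `bin_t` any path at any depth below `/usr` whose ancestor directory name ends in `-linux-gnu` — considerably wider than the four fixed-CHOST entries they replace, and wide enough to cover e.g. `/usr/local/<x>-<y>-linux-gnu/bin`. Restricting each component to a single path element keeps the goal of matching any CHOST without the over-match: `/usr/[^/]+-[^/]+-linux-gnu/bin(/.*)? system_u:object_r:bin_t` and `/usr/[^/]+-[^/]+-linux-gnu/gcc-bin/.*(/.*)? system_u:object_r:bin_t`. Separately, the `# temp bandaid fixes for portage sloppiness` block added to the end of `portage.te` only dontaudits the setfiles_t/useradd_t/groupadd_t write denials on `portage_db_t` and the reads on `portage_cache_t`, so a genuine failed write there is now invisible in the audit log; a comment saying what produces those denials (presumably descriptors inherited from portage_t — worth confirming) and when the block can be dropped would stop it outliving the problem, e.g. `# dontaudit only: hides denials from fds portage leaks to helpers; remove once portage closes them`.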
@@ -0,0 +1,58 @@
+# Copyright 1999-2003 Gentoo Technologies, Inc.
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sec-policy/selinux-base-policy/selinux-base-policy-20031010-r1.ebuild,v 1.1 2003/11/13 05:57:48 pebenito Exp $
+
+IUSE=""
+
+DESCRIPTION="Gentoo base policy for SELinux"
+HOMEPAGE="http://www.gentoo.org/proj/en/hardened/selinux/"
+SRC_URI="mirror://gentoo/${P}.tar.bz2"
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~x86 ~ppc ~sparc"
+DEPEND=""
+RDEPEND="sys-devel/m4
+ sys-devel/make"
+
+S=${WORKDIR}/base-policy
+
+[ -z ${POLICYDIR} ] && POLICYDIR="/etc/security/selinux/src/policy"
+
+src_unpack() {
+ unpack ${A}
+ cd ${S}
+ epatch ${FILESDIR}/${P}-cvs.diff
+}
+
+src_install() {
+ dodir /etc/security/selinux/src
+
+ insinto /etc/security
+ doins ${S}/appconfig/*
+
+ cp -a ${S} ${D}/${POLICYDIR}
+ rm -fR ${D}/${POLICYDIR}/appconfig
+}
+
+pkg_postinst() {
+ echo
+ einfo "This is the base policy for SELinux on Gentoo. This policy"
+ einfo "package only covers the applications in the system profile."
+ einfo "More policy may need to be added according to your requirements."
+ echo
+ eerror "It is STRONGLY suggested that you evaluate and merge the"
+ eerror "policy changes. If any of the file contexts (*.fc) have"
+ eerror "changed, you should also relabel."
+ echo
+ ewarn "Please check the Changelog, there may be important information."
+ echo
+ echo -ne "\a" ; sleep 0.1 ; echo -ne "\a" ; sleep 1
+ echo -ne "\a" ; sleep 0.1 ; echo -ne "\a" ; sleep 1
+ echo -ne "\a" ; sleep 0.1 ; echo -ne "\a" ; sleep 1
+ echo -ne "\a" ; sleep 0.1 ; echo -ne "\a" ; sleep 1
+ echo -ne "\a" ; sleep 0.1 ; echo -ne "\a" ; sleep 1
+ echo -ne "\a" ; sleep 0.1 ; echo -ne "\a" ; sleep 1
+ echo -ne "\a" ; sleep 0.1 ; echo -ne "\a" ; sleep 1
+ echo -ne "\a" ; sleep 0.1 ; echo -ne "\a" ; sleep 1
+ sleep 8
+}
|
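Review bot: `src_unpack` calls `epatch`, but the ebuild has no `inherit` line, and `epatch` is normally supplied by `eutils.eclass` rather than by the base ebuild environment, so unless something outside this file provides it the unpack phase fails with a command-not-found before the bundled patch is applied; adding `inherit eutils` above `IUSE=""` fixes that. The guard `[ -z ${POLICYDIR} ]` leaves the variable unquoted, so a value containing whitespace is split into several test arguments and mis-evaluated; write it as `[ -z "${POLICYDIR}" ] && POLICYDIR="/etc/security/selinux/src/policy"`. `cp -a ${S} ${D}/${POLICYDIR}` also installs the whole unpacked tree under /etc, so anything the tarball carries besides the policy sources (a `CVS` directory, for instance — the bundled patch itself is generated with `--exclude=CVS`) would land on the live system; confirming the tarball is clean, or excluding such entries from the copy, would be safer.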