diff --exclude=CVS -urN base-policy.old/domains/program/portage.te base-policy/domains/program/portage.te
--- base-policy.old/domains/program/portage.te	2003-09-30 20:10:50.000000000 -0500
+++ base-policy/domains/program/portage.te	2003-11-01 22:55:33.000000000 -0600
@@ -34,11 +34,12 @@
 can_exec(portage_t,portage_lib_t)
 can_network(portage_t)
 can_create_pty(portage)
+general_domain_access(portage_t)
 general_proc_read_access(portage_t)
 can_tcp_connect(portage_t,portage_t)
 
 allow portage_t self:process { fork setpgid setsched signal_perms };
-allow portage_t portage_t:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
+allow portage_t portage_t:capability { fowner fsetid mknod setgid setuid chown dac_override dac_read_search net_raw };
 allow portage_t shell_exec_t:file entrypoint;
 allow portage_t fs_t:filesystem getattr;
 allow portage_t privfd:fd use;
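Review bot: The two new grants in this hunk, `general_domain_access(portage_t)` and the `dac_read_search` capability, carry no comment naming the denial they close, and the first is a broad macro whose expansion is not visible here. portage_t already holds `dac_override`, of which `dac_read_search` is the read/search-only subset, so the capability line most likely exists to quiet a denial logged before the override check rather than to enable new access; if that is the case a `dontaudit portage_t self:capability dac_read_search;` would be the narrower choice and should at least be considered. Suggest a comment above the macro call such as `# general_domain_access: replaces the per-class self ipc/socket rules removed further down; needed because <reason>` so the next reader can tell which rules it is meant to supersede.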
@@ -48,6 +49,9 @@
 # read/write/create any files in the system
 can_setfscreate(portage_t)
 create_dir_notdevfile(portage_t,file_type)
+allow portage_t security_t:dir r_dir_perms;
+allow portage_t security_t:file getattr;
+allow portage_t shadow_t:file getattr;
 
 # allow portage to compile and load policy, and run setfiles -r
 ifdef(`setfiles.te',`
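Review bot: The three added rules sit directly under the comment `# read/write/create any files in the system`, which describes `can_setfscreate`/`create_dir_notdevfile`, not selinuxfs and shadow access, so a reader will misattribute them. The `shadow_t:file getattr` line is deliberately getattr-only, which is the right scope, but nothing says so, and the next maintainer chasing a denial may widen it to `r_file_perms`. Suggest inserting before L123 a comment like `# selinuxfs browsing and stat() of /etc/shadow from ebuilds; getattr only, never read on shadow_t` (the reason for the selinuxfs reads is inferred and should be confirmed against the triggering denials).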
@@ -90,11 +94,6 @@
 #role_tty_type_change(portage,staff)
 #role_tty_type_change(staff,portage)
 
-# ZZZ uncomment to allow transitions between portage_r and user_r
-# still need to give individual users role access in the users file
-#role_tty_type_change(portage,user)
-#role_tty_type_change(user,portage)
-
 # sysadm_t needs to access portage for qpkg, rlpkg.
 allow sysadm_t { portage_cache_t portage_db_t }:file { read ioctl };
 allow sysadm_t portage_lib_t:file rx_file_perms;
@@ -102,15 +101,8 @@
 dontaudit sysadm_t portage_cache_t:file write;
 
 # various ipc and networking stuff (esp needed for compiling perl):
-allow portage_t self:sem create_sem_perms;
-allow portage_t self:shm create_shm_perms;
-allow portage_t self:msgq create_msgq_perms;
-allow portage_t self:unix_dgram_socket { create_socket_perms connect sendto };
-allow portage_t self:unix_stream_socket { create_stream_socket_perms connectto };
-allow portage_t self:fifo_file { read write getattr };
 allow portage_t self:rawip_socket { create ioctl };
 allow portage_t self:udp_socket recvfrom;
-allow portage_t self:msg { send receive };
 allow portage_t syslogd_t:unix_dgram_socket sendto;
 
 # /dev/null and zero access (gcc compile writes to zero, why?)
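Review bot: After the deletions in this hunk the comment `# various ipc and networking stuff (esp needed for compiling perl):` heads only the rawip, udp and syslogd rules, so it no longer describes what follows. The removed `self:sem`, `self:shm`, `self:msgq`, `self:msg`, `self:fifo_file` and unix-socket rules are presumably now supplied by `general_domain_access(portage_t)` added earlier in the file, but that macro's contents are not visible here; if it does not cover `self:fifo_file { read write getattr }` or `self:msg { send receive }` this is a silent regression that will surface as build failures under portage. Suggest rewording the comment to `# raw/udp sockets and syslog; generic self ipc and socket access now comes from general_domain_access above` once that coverage has been confirmed.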
@@ -119,13 +111,9 @@
 allow portage_t random_device_t:chr_file r_file_perms;
 
 # merging baselayout will need this:
-r_dir_file(portage_t,proc_t)
 allow portage_t proc_t:dir write;
 can_exec(portage_t,init_exec_t)
 
-# misc
-allow portage_t portage_tmp_t:dir ioctl;
-
 # seems to work ok without these
 dontaudit portage_t { sysctl_t sysctl_kernel_t device_t  }:dir search;
 dontaudit portage_t sysctl_kernel_t:file r_file_perms;
@@ -134,3 +122,13 @@
 dontaudit portage_t domain:dir r_dir_perms;
 dontaudit portage_t domain:notdevfile_class_set r_file_perms;
 dontaudit portage_t kernel_t:system syslog_read;
+
+# temp bandaid fixes for portage sloppiness
+dontaudit setfiles_t portage_cache_t:file read;
+dontaudit ldconfig_t portage_cache_t:file read;
+dontaudit checkpolicy_t portage_cache_t:file read;
+dontaudit useradd_t portage_cache_t:file read;
+dontaudit groupadd_t portage_cache_t:file read;
+dontaudit setfiles_t portage_db_t:file write;
+dontaudit useradd_t portage_db_t:file write;
+dontaudit groupadd_t portage_db_t:file write;
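Review bot: The eight `dontaudit` rules added here suppress denials instead of fixing them, and the comment `# temp bandaid fixes for portage sloppiness` gives no condition for removing them, which is how temporary suppressions become permanent. The `portage_db_t:file write` denials from setfiles_t, useradd_t and groupadd_t look like descriptors that portage_t leaves open across the exec into those domains, and the `portage_cache_t:file read` ones likewise; this is inferred from the pairing of domains and should be confirmed from the audit log. Silencing them also hides the signal a reviewer would use to notice a mislabelled file or a real write by one of those tools, so the rules should stay narrow and tracked. Suggest replacing the comment with `# TODO: silence denials from fds portage leaks into child domains (inferred); remove once portage closes them, see <bug-id placeholder>`.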
diff --exclude=CVS -urN base-policy.old/file_contexts/types.fc base-policy/file_contexts/types.fc
--- base-policy.old/file_contexts/types.fc	2003-10-07 14:07:44.000000000 -0500
+++ base-policy/file_contexts/types.fc	2003-10-19 23:05:47.000000000 -0500
@@ -232,10 +279,8 @@
 #
 # gentoo-specific gcc stuff
 #
-/usr/i[3-6]86-pc-linux-gnu/bin(/.*)?			system_u:object_r:bin_t
-/usr/i[3-6]86-pc-linux-gnu/gcc-bin/.*(/.*)?		system_u:object_r:bin_t
-/usr/powerpc-unknown-linux-gnu/bin(/.*)?		system_u:object_r:bin_t
-/usr/powerpc-unknown-linux-gnu/gcc-bin/.*(/.*)?		system_u:object_r:bin_t
+/usr/.*-.*-linux-gnu/bin(/.*)?				system_u:object_r:bin_t
+/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?			system_u:object_r:bin_t
 
 #
 # /usr/.*glibc.*-linux/lib
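Review bot: The new patterns `/usr/.*-.*-linux-gnu/bin(/.*)?` and `/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)?` use `.*`, which also matches `/`, so any path under /usr whose name contains two dashes followed by `-linux-gnu/bin` at any depth is labelled bin_t, not just the toolchain directories directly under /usr that the replaced lines covered. The file_contexts matcher anchors the expression, but that does not stop `.*` from crossing directory boundaries. Restricting each wildcard to a single path component keeps the generalisation over architectures without the over-match: `/usr/[^/]+-[^/]+-linux-gnu/bin(/.*)?` and `/usr/[^/]+-[^/]+-linux-gnu/gcc-bin/.*(/.*)?`.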