authorChris PeBenito <pebenito@gentoo.org>2003-11-13 05:57:50 +0000
committerChris PeBenito <pebenito@gentoo.org>2003-11-13 05:57:50 +0000
commit61317bd7d08f74e2a2b71f532ecf3bcddd077ba8 (patch)
tree405019e07d79a66b821ea621e73ab75b95233ee7 /sec-policy/selinux-base-policy/files
parentnew hotplug with delay fix and firmware.agent, mark stable for x86 and amd64 (diff)
a few fixes from policy cvs
Diffstat (limited to 'sec-policy/selinux-base-policy/files')
-rw-r--r--sec-policy/selinux-base-policy/files/digest-selinux-base-policy-20031010-r11
-rw-r--r--sec-policy/selinux-base-policy/files/selinux-base-policy-20031010-cvs.diff99
2 files changed, 100 insertions, 0 deletions
diff --git a/sec-policy/selinux-base-policy/files/digest-selinux-base-policy-20031010-r1 b/sec-policy/selinux-base-policy/files/digest-selinux-base-policy-20031010-r1
new file mode 100644
index 000000000000..a5a9e2f5961f
--- /dev/null
+++ b/sec-policy/selinux-base-policy/files/digest-selinux-base-policy-20031010-r1
@@ -0,0 +1 @@
+MD5 50cff5131904b9d20bae580edad5cd37 selinux-base-policy-20031010.tar.bz2 58084
diff --git a/sec-policy/selinux-base-policy/files/selinux-base-policy-20031010-cvs.diff b/sec-policy/selinux-base-policy/files/selinux-base-policy-20031010-cvs.diff
new file mode 100644
index 000000000000..655a8a406677
--- /dev/null
+++ b/sec-policy/selinux-base-policy/files/selinux-base-policy-20031010-cvs.diff
@@ -0,0 +1,99 @@
+diff --exclude=CVS -urN base-policy.old/domains/program/portage.te base-policy/domains/program/portage.te
+--- base-policy.old/domains/program/portage.te 2003-09-30 20:10:50.000000000 -0500
++++ base-policy/domains/program/portage.te 2003-11-01 22:55:33.000000000 -0600
+@@ -34,11 +34,12 @@
+ can_exec(portage_t,portage_lib_t)
+ can_network(portage_t)
+ can_create_pty(portage)
++general_domain_access(portage_t)
+ general_proc_read_access(portage_t)
+ can_tcp_connect(portage_t,portage_t)
+
+ allow portage_t self:process { fork setpgid setsched signal_perms };
+-allow portage_t portage_t:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
++allow portage_t portage_t:capability { fowner fsetid mknod setgid setuid chown dac_override dac_read_search net_raw };
+ allow portage_t shell_exec_t:file entrypoint;
+ allow portage_t fs_t:filesystem getattr;
+ allow portage_t privfd:fd use;
+@@ -48,6 +49,9 @@
+ # read/write/create any files in the system
+ can_setfscreate(portage_t)
+ create_dir_notdevfile(portage_t,file_type)
++allow portage_t security_t:dir r_dir_perms;
++allow portage_t security_t:file getattr;
++allow portage_t shadow_t:file getattr;
+
+ # allow portage to compile and load policy, and run setfiles -r
+ ifdef(`setfiles.te',`
+@@ -90,11 +94,6 @@
+ #role_tty_type_change(portage,staff)
+ #role_tty_type_change(staff,portage)
+
+-# ZZZ uncomment to allow transitions between portage_r and user_r
+-# still need to give individual users role access in the users file
+-#role_tty_type_change(portage,user)
+-#role_tty_type_change(user,portage)
+-
+ # sysadm_t needs to access portage for qpkg, rlpkg.
+ allow sysadm_t { portage_cache_t portage_db_t }:file { read ioctl };
+ allow sysadm_t portage_lib_t:file rx_file_perms;
+@@ -102,15 +101,8 @@
+ dontaudit sysadm_t portage_cache_t:file write;
+
+ # various ipc and networking stuff (esp needed for compiling perl):
+-allow portage_t self:sem create_sem_perms;
+-allow portage_t self:shm create_shm_perms;
+-allow portage_t self:msgq create_msgq_perms;
+-allow portage_t self:unix_dgram_socket { create_socket_perms connect sendto };
+-allow portage_t self:unix_stream_socket { create_stream_socket_perms connectto };
+-allow portage_t self:fifo_file { read write getattr };
+ allow portage_t self:rawip_socket { create ioctl };
+ allow portage_t self:udp_socket recvfrom;
+-allow portage_t self:msg { send receive };
+ allow portage_t syslogd_t:unix_dgram_socket sendto;
+
+ # /dev/null and zero access (gcc compile writes to zero, why?)
+@@ -119,13 +111,9 @@
+ allow portage_t random_device_t:chr_file r_file_perms;
+
+ # merging baselayout will need this:
+-r_dir_file(portage_t,proc_t)
+ allow portage_t proc_t:dir write;
+ can_exec(portage_t,init_exec_t)
+
+-# misc
+-allow portage_t portage_tmp_t:dir ioctl;
+-
+ # seems to work ok without these
+ dontaudit portage_t { sysctl_t sysctl_kernel_t device_t }:dir search;
+ dontaudit portage_t sysctl_kernel_t:file r_file_perms;
+@@ -134,3 +122,13 @@
+ dontaudit portage_t domain:dir r_dir_perms;
+ dontaudit portage_t domain:notdevfile_class_set r_file_perms;
+ dontaudit portage_t kernel_t:system syslog_read;
++
++# temp bandaid fixes for portage sloppiness
++dontaudit setfiles_t portage_cache_t:file read;
++dontaudit ldconfig_t portage_cache_t:file read;
++dontaudit checkpolicy_t portage_cache_t:file read;
++dontaudit useradd_t portage_cache_t:file read;
++dontaudit groupadd_t portage_cache_t:file read;
++dontaudit setfiles_t portage_db_t:file write;
++dontaudit useradd_t portage_db_t:file write;
++dontaudit groupadd_t portage_db_t:file write;
+diff --exclude=CVS -urN base-policy.old/file_contexts/types.fc base-policy/file_contexts/types.fc
+--- base-policy.old/file_contexts/types.fc 2003-10-07 14:07:44.000000000 -0500
++++ base-policy/file_contexts/types.fc 2003-10-19 23:05:47.000000000 -0500
+@@ -232,10 +279,8 @@
+ #
+ # gentoo-specific gcc stuff
+ #
+-/usr/i[3-6]86-pc-linux-gnu/bin(/.*)? system_u:object_r:bin_t
+-/usr/i[3-6]86-pc-linux-gnu/gcc-bin/.*(/.*)? system_u:object_r:bin_t
+-/usr/powerpc-unknown-linux-gnu/bin(/.*)? system_u:object_r:bin_t
+-/usr/powerpc-unknown-linux-gnu/gcc-bin/.*(/.*)? system_u:object_r:bin_t
++/usr/.*-.*-linux-gnu/bin(/.*)? system_u:object_r:bin_t
++/usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? system_u:object_r:bin_t
+
+ #
+ # /usr/.*glibc.*-linux/lib
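Review bot: The "temp bandaid" block at the end of the portage.te fragment silences, rather than fixes, the denials that point at the underlying problem — setfiles_t, useradd_t and groupadd_t trying to write portage_db_t and several domains reading portage_cache_t — and nothing in the patch records when the rules are meant to go away; a `dontaudit` still denies the access but removes the AVC evidence an admin would use to spot the mislabeling, so the comment should say that explicitly, e.g. `# TODO: these dontaudit rules hide real portage mislabeling (portage_db_t writes from setfiles/useradd/groupadd); remove once portage stops touching these files`. The same fragment also widens portage_t's DAC bypass with `dac_read_search` and adds `general_domain_access(portage_t)`, which appears to be what replaces the deleted self:sem/shm/msgq/socket rules further down; a one-line why-comment on each (`# dac_read_search: needed for ...`) would let a later reviewer tell deliberate grants from leftovers. The inner hunks are excerpts of portage.te and types.fc, so the surrounding rules are not visible here; the new types.fc pattern `/usr/.*-.*-linux-gnu/bin(/.*)?` also lets `.*` span path separators, so `[^/]*` would keep the match to a single directory component if that was the intent.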