[COMMIT]refpolicy-contrib branch, master, updated. e9c74ec4e2b2ff9f92dbf2957e3f99ea9b2cdb81
Reference Policy commits mail list
refpolicy-commits at oss.tresys.com
Wed Sep 14 12:19:08 CDT 2011
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "refpolicy-contrib".
The branch, master has been updated
via e9c74ec4e2b2ff9f92dbf2957e3f99ea9b2cdb81 (commit)
via 8914142ed98d4e00d73a1d15002b981a291e054c (commit)
via dd4050a3be4c8041fa36f316f551324648da3c5f (commit)
from e6f073a7740ab4a4f322ed984f972282c401916e (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit e9c74ec4e2b2ff9f92dbf2957e3f99ea9b2cdb81
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Sep 14 12:44:55 2011 -0400
Module version bump for portage/puppet patches from Sven Vermeulen.
commit 8914142ed98d4e00d73a1d15002b981a291e054c
Author: Sven Vermeulen <sven.vermeulen at siphos.be>
Date: Tue Sep 13 20:21:08 2011 +0200
Allow puppet to call portage
Puppet is a configuration management and system management tool. Part of
its job is to manage the package deployments on systems. As such, it
needs the privilege to call and transition to the various portage
domains.
Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be>
commit dd4050a3be4c8041fa36f316f551324648da3c5f
Author: Sven Vermeulen <sven.vermeulen at siphos.be>
Date: Tue Sep 13 20:20:28 2011 +0200
Separate domtrans/run interfaces for portage_fetch
Since the introduction of the portage_fetch_t domain, access to the
domain was governed through the portage_domtrans and portage_run
interfaces. To support calling portage only (but no fetch domain) or
vice versa, the interfaces need to be split up.
In this patch, we introduce the interfaces portage_domtrans_fetch and
portage_run_fetch which will be used later in the domains that need to
call portage/layman/emerge-webrsync/...
The portage_domtrans and portage_run interfaces are updated not to
include anything for portage_fetch_t anymore.
Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be>
-----------------------------------------------------------------------
Summary of changes:
portage.if | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++-----
portage.te | 2 +-
puppet.te | 8 +++++++-
3 files changed, 60 insertions(+), 7 deletions(-)
Detailed diffset:
:100644 100644 9f7d652... 22c6e17... M portage.if
:100644 100644 276edb3... 1588d0d... M portage.te
:100644 100644 941f6e1... 8c9115c... M puppet.te
diff --git a/portage.if b/portage.if
index 9f7d652..22c6e17 100644
--- a/portage.if
+++ b/portage.if
@@ -16,15 +16,12 @@
interface(`portage_domtrans',`
gen_require(`
type portage_t, portage_exec_t;
- type portage_fetch_t, portage_fetch_exec_t;
')
files_search_usr($1)
corecmd_search_bin($1)
- # transition to portage
domtrans_pattern($1, portage_exec_t, portage_t)
- domtrans_pattern($1, portage_fetch_exec_t, portage_fetch_t)
')
########################################
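Review bot: Dropping the portage_fetch_exec_t rule from portage_domtrans changes behaviour for every existing caller, yet the summary of changes shows only puppet.te picking up the new interface. Any other domain that calls portage_domtrans and relied on reaching portage_fetch_t loses that transition until it also calls portage_domtrans_fetch. Converting those callers in the same series would keep each commit usable on its own. The interface summary above this hunk should also state that the fetch domain is no longer covered.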
@@ -46,11 +43,11 @@ interface(`portage_domtrans',`
#
interface(`portage_run',`
gen_require(`
- type portage_t, portage_fetch_t, portage_sandbox_t;
+ type portage_t, portage_sandbox_t;
')
portage_domtrans($1)
- role $2 types { portage_t portage_fetch_t portage_sandbox_t };
+ role $2 types { portage_t portage_sandbox_t };
')
########################################
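Review bot: With portage_fetch_t removed from the "role $2 types" line, a role passed to portage_run is no longer authorized for the fetch domain. Callers that want a user role to run the tree management tools now need portage_run_fetch($1, $2) rather than only portage_domtrans_fetch($1), because the latter adds the transition but no role association. The documentation of portage_run should point to portage_run_fetch for that case.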
@@ -213,6 +210,56 @@ interface(`portage_compile_domain',`
########################################
## <summary>
+## Execute tree management functions (fetching, layman, ...)
+## in the portage_fetch_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`portage_domtrans_fetch',`
+ gen_require(`
+ type portage_fetch_t, portage_fetch_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+
+ domtrans_pattern($1, portage_fetch_exec_t, portage_fetch_t)
+')
+
+########################################
+## <summary>
+## Execute tree management functions (fetching, layman, ...)
+## in the portage_fetch_t domain, and allow the specified role
+## the portage_fetch_t domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to allow the portage_fetch domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`portage_run_fetch',`
+ gen_require(`
+ type portage_fetch_t;
+ ')
+
+ portage_domtrans_fetch($1)
+ role $2 types portage_fetch_t;
+')
+
+
+########################################
+## <summary>
## Execute gcc-config in the gcc_config domain.
## </summary>
## <param name="domain">
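Review bot: Style point at the end of portage_run_fetch: the closing "')" is followed by two empty added lines before the next separator, while portage_domtrans_fetch just above is followed by one. Drop the extra empty line so the new interfaces are spaced consistently.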
diff --git a/portage.te b/portage.te
index 276edb3..1588d0d 100644
--- a/portage.te
+++ b/portage.te
@@ -1,4 +1,4 @@
-policy_module(portage, 1.11.2)
+policy_module(portage, 1.11.3)
########################################
#
diff --git a/puppet.te b/puppet.te
index 941f6e1..8c9115c 100644
--- a/puppet.te
+++ b/puppet.te
@@ -1,4 +1,4 @@
-policy_module(puppet, 1.1.1)
+policy_module(puppet, 1.1.2)
########################################
#
@@ -146,6 +146,12 @@ optional_policy(`
')
optional_policy(`
+ portage_domtrans(puppet_t)
+ portage_domtrans_fetch(puppet_t)
+ portage_domtrans_gcc_config(puppet_t)
+')
+
+optional_policy(`
files_rw_var_files(puppet_t)
rpm_domtrans(puppet_t)
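Review bot: The new optional_policy block calls only the *_domtrans interfaces for puppet_t and adds no role statement, so it is worth confirming that the role puppet_t runs under is already allowed portage_t, portage_fetch_t and the gcc_config domain, otherwise the transitions will be permitted by type enforcement but still fail. Separately, all three calls share one optional block: if portage_domtrans_fetch is not available (a portage module older than the 1.11.3 bump in this push), the whole block is dropped, including the plain portage_domtrans(puppet_t) call. Splitting the fetch call into its own optional_policy would avoid that coupling.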
hooks/post-receive
--
refpolicy-contrib