[refpolicy] [PATCH] Added support for python-support

Manoj Srivastava srivasta at golden-gryphon.com
Tue Jul 14 14:35:15 CDT 2009


From: Manoj Srivastava <srivasta at debian.org>

Debian uses the python-support infrastructure to conditionally
byte-compile Python files at package installation time. This commit
adds policy for that package, which is required for Python library
packages to install correctly on Debian machines.

Signed-off-by: Russell Coker <russell at coker.com.au>
Acked-By: Manoj Srivastava <srivasta at debian.org>
---
 policy/modules/admin/apt.te            |    4 ++
 policy/modules/system/pythonsupport.fc |    2 +
 policy/modules/system/pythonsupport.if |   55 ++++++++++++++++++++++++++++++++
 policy/modules/system/pythonsupport.te |   44 +++++++++++++++++++++++++
 policy/modules/system/selinuxutil.te   |   10 ++++++
 policy/modules/system/userdomain.if    |    4 ++
 6 files changed, 119 insertions(+), 0 deletions(-)
 create mode 100644 policy/modules/system/pythonsupport.fc
 create mode 100644 policy/modules/system/pythonsupport.if
 create mode 100644 policy/modules/system/pythonsupport.te

diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te
index c79157a..1ffa5b3 100644
--- a/policy/modules/admin/apt.te
+++ b/policy/modules/admin/apt.te
@@ -127,6 +127,10 @@ userdom_use_user_terminals(apt_t)
 #')
 
 optional_policy(`
+	pythonsupport_domtrans(apt_t)
+')
+
+optional_policy(`
 	# dpkg interaction
 	dpkg_read_db(apt_t)
 	dpkg_domtrans(apt_t)
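Review bot: It is not clear from this hunk that apt_t itself ever executes `/usr/sbin/update-python-modules`; on Debian that helper is normally invoked from package maintainer scripts, which run under dpkg's domains after the `dpkg_domtrans(apt_t)` already present here. If that is the real call path, the transition belongs in the dpkg policy (granted to the dpkg maintainer-script domain) rather than, or in addition to, apt_t, and an AVC denial from an actual install would settle it. The optional_policy block containing the dpkg calls continues past the end of the hunk.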
diff --git a/policy/modules/system/pythonsupport.fc b/policy/modules/system/pythonsupport.fc
new file mode 100644
index 0000000..95a0998
--- /dev/null
+++ b/policy/modules/system/pythonsupport.fc
@@ -0,0 +1,2 @@
+/usr/sbin/update-python-modules	--	gen_context(system_u:object_r:pythoncompile_exec_t,s0)
+/var/lib/python-support(/.*)?		gen_context(system_u:object_r:python_compiled_t,s0)
diff --git a/policy/modules/system/pythonsupport.if b/policy/modules/system/pythonsupport.if
new file mode 100644
index 0000000..f5b154b
--- /dev/null
+++ b/policy/modules/system/pythonsupport.if
@@ -0,0 +1,55 @@
+## <summary>Support for precompiling python modules</summary>
+## <desc>
+##	<p>
+##		Debians python-support will precompile installed python
+##		packages for installed python versions. This way,
+##		the python2.3-foobar and python2.4-foobar (and 2.5) packages
+##		could be merged into one python-foobar while keeping the
+##		dependency information useful.
+##	</p>
+## </desc>
+#
+
+########################################
+## <summary>
+##	Execute the python-support utility to precompile modules.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`pythonsupport_domtrans',`
+	gen_require(`
+		type pythoncompile_t, pythoncompile_exec_t;
+	')
+
+	domain_auto_trans($1,pythoncompile_exec_t,pythoncompile_t)
+
+	allow $1 pythoncompile_t:fd use;
+	allow pythoncompile_t $1:fd use;
+	allow $1 pythoncompile_t:fifo_file rw_file_perms;
+	allow $1 pythoncompile_t:process sigchld;
+')
+
+########################################
+## <summary>
+##	Read compiled python modules
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to read the compiled python modules.
+##	</summary>
+## </param>
+#
+interface(`pythonsupport_compiled_read',`
+	gen_require(`
+		type python_compiled_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 python_compiled_t:dir list_dir_perms;
+	allow $1 python_compiled_t:file read_file_perms;
+	allow $1 python_compiled_t:lnk_file read_lnk_file_perms;
+')
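Review bot: The `fifo_file` and `sigchld` rules in `pythonsupport_domtrans` (`allow $1 pythoncompile_t:fifo_file rw_file_perms;` and `allow $1 pythoncompile_t:process sigchld;`) are written in the wrong direction: it is the child pythoncompile_t that writes to the pipe it inherited from the caller and that delivers SIGCHLD to the caller on exit, so the subject should be pythoncompile_t and the target $1 (and fifos take `rw_fifo_file_perms`). Refpolicy already packages the correct set of rules for this, so the six lines from `domain_auto_trans` through the `sigchld` rule can be replaced by the single call `domtrans_pattern($1, pythoncompile_exec_t, pythoncompile_t)`. The module `<desc>` also has a typo, `Debians` should read `Debian's`.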
diff --git a/policy/modules/system/pythonsupport.te b/policy/modules/system/pythonsupport.te
new file mode 100644
index 0000000..69c1bc6
--- /dev/null
+++ b/policy/modules/system/pythonsupport.te
@@ -0,0 +1,44 @@
+policy_module(pythonsupport,0.0.1)
+
+########################################
+#
+# Declarations
+#
+
+type pythoncompile_t;
+type pythoncompile_exec_t;
+domain_type(pythoncompile_t)
+domain_entry_file(pythoncompile_t, pythoncompile_exec_t)
+
+role system_r types pythoncompile_t;
+role sysadm_r types pythoncompile_t;
+
+type python_compiled_t;
+files_type(python_compiled_t)
+
+########################################
+#
+# python-support local policy
+#
+
+kernel_read_system_state(pythoncompile_t)
+kernel_read_kernel_sysctls(pythoncompile_t)
+
+corecmd_exec_bin(pythoncompile_t)
+corecmd_exec_sbin(pythoncompile_t)
+
+files_read_etc_files(pythoncompile_t)
+files_read_usr_files(pythoncompile_t)
+
+libs_use_ld_so(pythoncompile_t)
+libs_use_shared_libs(pythoncompile_t)
+libs_use_lib_files(pythoncompile_t)
+
+miscfiles_read_localization(pythoncompile_t)
+
+
+# create compiled python modules
+allow pythoncompile_t python_compiled_t:dir manage_dir_perms;
+allow pythoncompile_t python_compiled_t:file manage_file_perms;
+allow pythoncompile_t python_compiled_t:lnk_file manage_lnk_file_perms;
+files_var_lib_filetrans(pythoncompile_t, python_compiled_t, dir)
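Review bot: `role sysadm_r types pythoncompile_t;` hard-wires a specific user role into a system-layer module; refpolicy's convention is to keep only `role system_r types pythoncompile_t;` in the .te and expose administrative use through a `pythonsupport_run(domain, role)` interface that calls `pythonsupport_domtrans($1)` and adds `role $2 types pythoncompile_t;`, so the sysadm (or staff) policy opts in itself. Separately, the only writable location granted is `python_compiled_t` under `/var/lib`; if update-python-modules also writes byte-code or symlinks under `/usr/lib/python*` or `/usr/share/python-support`, those paths will need their own type and rules rather than relying on `files_read_usr_files` — worth confirming with audit2allow on a real install. The domain also gets `corecmd_exec_bin` and `corecmd_exec_sbin`, which is broader than the Python interpreter it presumably needs; a short comment stating why both are required would help the next reviewer.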
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index f706ef0..90e0245 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -425,6 +425,7 @@ allow semanage_t self:capability { dac_override audit_write };
 allow semanage_t self:unix_stream_socket create_stream_socket_perms;
 allow semanage_t self:unix_dgram_socket create_socket_perms;
 allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+fs_getattr_xattr_fs(semanage_t)
 
 allow semanage_t policy_config_t:file rw_file_perms;
 
@@ -432,6 +433,10 @@ allow semanage_t semanage_tmp_t:dir manage_dir_perms;
 allow semanage_t semanage_tmp_t:file manage_file_perms;
 files_tmp_filetrans(semanage_t, semanage_tmp_t, { file dir })
 
+ifdef(`targeted_policy',`
+	allow semanage_t initrc_t:fd use;
+')
+
 kernel_read_system_state(semanage_t)
 kernel_read_kernel_sysctls(semanage_t)
 
@@ -449,6 +454,7 @@ files_list_pids(semanage_t)
 mls_file_write_all_levels(semanage_t)
 mls_file_read_all_levels(semanage_t)
 
+selinux_get_fs_mount(semanage_t)
 selinux_validate_context(semanage_t)
 selinux_get_enforce_mode(semanage_t)
 selinux_getattr_fs(semanage_t)
@@ -499,6 +505,10 @@ ifdef(`enable_mls',`
 	userdom_read_user_tmp_files(semanage_t)
 ')
 
+optional_policy(`
+	pythonsupport_compiled_read(semanage_t)
+')
+
 ########################################
 #
 # Setfiles local policy
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 8634334..a30aeee 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -664,6 +664,10 @@ template(`userdom_common_user_template',`
 	')
 
 	optional_policy(`
+		pythonsupport_compiled_read($1_t)
+	')
+
+	optional_policy(`
 		pcscd_read_pub_files($1_t)
 		pcscd_stream_connect($1_t)
 	')
-- 
1.6.3.3


