[refpolicy] [PATCH 3/4] Allow emerge-webrsync to copy extracted files to the tree
Sven Vermeulen
sven.vermeulen at siphos.be
Sat Aug 13 13:24:07 CDT 2011

The emerge-webrsync application, part of Portage, is responsible for fetching
a tree snapshot, having it extracted in a temporary location (portage_tmp_t)
and then copied over to the main portage tree. However, its domain
(portage_fetch_t) has no read rights on the temporary location.

To allow this, we need to define an interface (portage_read_tmp_files) since
we need to allow this both to portage_fetch_t (the emerge-webrsync application)
as well as gpg (to verify the GnuPG signature of the downloaded snapshot).

Also, portage_read_tmp_files doesn't use read_files_pattern since the
read-permission on the dir class is needed too.

Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be>
---
policy/modules/admin/portage.if | 19 +++++++++++++++++++
policy/modules/admin/portage.te | 3 +++
policy/modules/apps/gpg.te | 4 ++++
3 files changed, 26 insertions(+), 0 deletions(-)
diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index faf2eba..86948c7 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -250,6 +250,25 @@ interface(`portage_run_gcc_config',`
########################################
## <summary>
+## Allow a domain to read portage_tmp_t files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow search privileges
+## </summary>
+## </param>
+#
+interface(`portage_read_tmp_files',`
+ gen_require(`
+ type portage_tmp_t;
+ ')
+
+ allow $1 portage_tmp_t:dir list_dir_perms;
+ allow $1 portage_tmp_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## Do not audit attempts to search the
## portage temporary directories.
## </summary>
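Review bot: The parameter summary in the new portage_read_tmp_files doc block says "Domain to allow search privileges", but the body grants list_dir_perms on the dir class and read_file_perms on the file class, which is more than search. Please reword it (refpolicy usually uses "Domain allowed access.") and have the top summary mention that directory listing is included, so a caller reading only the docs knows what is being granted. The two allow lines cover only dir and file; if the extracted snapshot can contain symlinks, please confirm that leaving out lnk_file is intentional.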
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 4a6e53e..050202f 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -322,6 +322,9 @@ sysnet_dns_name_resolve(portage_fetch_t)
userdom_use_user_terminals(portage_fetch_t)
userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
+
+portage_read_tmp_files(portage_fetch_t)
+
ifdef(`hide_broken_symptoms',`
dontaudit portage_fetch_t portage_cache_t:file read;
')
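Review bot: portage_read_tmp_files(portage_fetch_t) is unconditional and gives the fetch domain, which the context line sysnet_dns_name_resolve(portage_fetch_t) shows is network-facing, list and read access to everything labeled portage_tmp_t rather than only the extracted snapshot. If portage_tmp_t also labels other Portage temporary data, consider a narrower label for the snapshot extraction directory, or at least add a comment above the call naming emerge-webrsync as the reason. The subject line talks about copying to the tree, while this hunk adds only the read side; a short note on where the write side is already allowed would help review.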
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
index 9050e8c..469dc93 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -147,6 +147,10 @@ optional_policy(`
')
optional_policy(`
+ portage_read_tmp_files(gpg_t)
+')
+
+optional_policy(`
xserver_use_xdm_fds(gpg_t)
xserver_rw_xdm_pipes(gpg_t)
')
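Review bot: portage_read_tmp_files(gpg_t) applies to every process running in gpg_t, not only gpg started by emerge-webrsync, so any gpg invocation gains list and read access to portage_tmp_t. The new optional_policy block has no comment explaining why gpg needs this; please add one (signature verification of the downloaded snapshot, per the commit message) and consider whether the access can be limited to the Portage-launched case.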
--
1.7.3.4