[refpolicy] [PATCH 4/13] Adding dontaudits for portage domains

Fri Apr 20 15:12:20 CDT 2012

On 03/22/12 16:08, Sven Vermeulen wrote:
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be>
> ---
>  portage.te |    6 ++++++
>  1 files changed, 6 insertions(+), 0 deletions(-)

Merged.

> diff --git a/portage.te b/portage.te
> index 4735035..88eac51 100644
> --- a/portage.te
> +++ b/portage.te
> @@ -146,6 +146,8 @@ optional_policy(`
>  allow portage_t self:process { setfscreate setexec };
>  # - kill for mysql merging, at least
>  allow portage_t self:capability { sys_nice kill setfcap };
> +dontaudit portage_t self:capability { dac_read_search };
> +dontaudit portage_t self:netlink_route_socket rw_netlink_socket_perms;
>  
>  # user post-sync scripts
>  can_exec(portage_t, portage_conf_t)
> @@ -161,6 +163,7 @@ rsync_entry_domtrans(portage_t, portage_fetch_t)
>  allow portage_fetch_t portage_t:fd use;
>  allow portage_fetch_t portage_t:fifo_file rw_file_perms;
>  allow portage_fetch_t portage_t:process sigchld;
> +dontaudit portage_fetch_t portage_devpts_t:chr_file { read write };
>  
>  # transition to sandbox for compiling
>  domain_trans(portage_t, portage_exec_t, portage_sandbox_t)
> @@ -169,10 +172,12 @@ allow portage_sandbox_t portage_t:fd use;
>  allow portage_sandbox_t portage_t:fifo_file rw_file_perms;
>  allow portage_sandbox_t portage_t:process sigchld;
>  allow portage_sandbox_t self:process ptrace;
> +dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
>  
>  # run scripts out of the build directory
>  can_exec(portage_t, portage_tmp_t)
>  
> +kernel_dontaudit_request_load_module(portage_t)
>  # merging baselayout will need this:
>  kernel_write_proc_files(portage_t)
>  
> @@ -288,6 +293,7 @@ files_search_var_lib(portage_fetch_t)
>  files_dontaudit_search_pids(portage_fetch_t)
>  
>  logging_list_logs(portage_fetch_t)
> +logging_dontaudit_search_logs(portage_fetch_t)
>  
>  term_search_ptys(portage_fetch_t)
>  

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com