From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 9A5A6138202 for ; Sun, 9 Dec 2012 22:26:21 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 398F7E0642; Sun, 9 Dec 2012 22:25:49 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 70CD7E0630 for ; Sun, 9 Dec 2012 22:25:48 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 4E49933D990 for ; Sun, 9 Dec 2012 22:25:47 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id DDB2AE543C for ; Sun, 9 Dec 2012 22:25:45 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1355052911.38e98ef0e4e916b29e435bd1654b6ba91a30ba41.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/portage.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 38e98ef0e4e916b29e435bd1654b6ba91a30ba41 X-VCS-Branch: master Date: Sun, 9 Dec 2012 22:25:45 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: b69a653a-e29c-4034-9dba-dffe626ebf4d X-Archives-Hash: 0a64edcbda8a58013b829dd0a67e9397 commit: 38e98ef0e4e916b29e435bd1654b6ba91a30ba41 Author: Sven Vermeulen siphos be> AuthorDate: Sun Dec 9 11:35:11 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Sun Dec 9 11:35:11 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=38e98ef0 Move gentoo specific stuff to the end of the file Some changing in the code are left in even though not accepted upstream yet.
---
 policy/modules/contrib/portage.te | 80 +++++++++++++++++++++----------------
 1 files changed, 46 insertions(+), 34 deletions(-)
diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 7fcf296..aa05741 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -80,14 +80,6 @@ files_tmp_file(portage_tmp_t)
 type portage_tmpfs_t;
 files_tmpfs_file(portage_tmpfs_t)
-ifdef(`distro_gentoo',`
- type gcc_config_tmp_t;
- files_tmp_file(gcc_config_tmp_t)
-
- # Assigned to domains that are managed by eselect
- attribute portage_eselect_domain;
-')
-
 ########################################
 #
 # gcc-config policy
@@ -141,13 +133,7 @@ userdom_use_user_terminals(gcc_config_t)
 consoletype_exec(gcc_config_t)
 ifdef(`distro_gentoo',`
- allow gcc_config_t gcc_config_tmp_t:file manage_file_perms;
- files_tmp_filetrans(gcc_config_t, gcc_config_tmp_t, file)
-
 init_exec_rc(gcc_config_t)
-
- files_manage_etc_runtime_files(gcc_config_t)
- files_manage_etc_runtime_lnk_files(gcc_config_t)
 ')
 tunable_policy(`portage_use_nfs',`
@@ -164,8 +150,7 @@ optional_policy(`
 #
 # - setfscreate for merging to live fs
-# - setexec to run portage fetch
-allow portage_t self:process { setfscreate setexec };
+allow portage_t self:process { setfscreate };
 # - kill for mysql merging, at least
 allow portage_t self:capability { sys_nice kill setfcap };
 dontaudit portage_t self:capability { dac_read_search };
@@ -188,13 +173,8 @@ allow portage_fetch_t portage_t:process sigchld;
 dontaudit portage_fetch_t portage_devpts_t:chr_file { read write };
 # transition to sandbox for compiling
-domain_trans(portage_t, portage_exec_t, portage_sandbox_t)
+spec_domtrans_pattern(portage_t, portage_exec_t, portage_sandbox_t)
 corecmd_shell_spec_domtrans(portage_t, portage_sandbox_t)
-allow portage_sandbox_t portage_t:fd use;
-allow portage_sandbox_t portage_t:fifo_file rw_fifo_file_perms;
-allow portage_sandbox_t portage_t:process sigchld;
-allow portage_sandbox_t self:process ptrace;
-dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
 # run scripts out of the build directory
 can_exec(portage_t, portage_tmp_t)
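Review bot: The hunk at -164 removes `setexec` from portage_t's explicit `self:process` rule along with the comment that justified it, but the permission most likely stays in the effective policy. As far as the refpolicy support macros go, `spec_domtrans_pattern` (introduced in the hunk at -188) itself grants the source domain `self:process setexec`; its definition is not visible here. portage_t can therefore presumably still set its exec context, only implicitly, which is easy to misread in a least-privilege review of this file. I would keep the reason next to the transition, e.g. `# setexec for portage_t now comes from spec_domtrans_pattern (sesandbox, portage fetch)`, and confirm the result on the built policy with `sesearch -A -s portage_t -c process -p setexec`.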
@@ -224,10 +204,6 @@ portage_run_gcc_config(portage_t, portage_roles)
 # if sesandbox is disabled, compiling is performed in this domain
 portage_compile_domain(portage_t)
-ifdef(`distro_gentoo',`
- allow portage_t self:capability2 block_suspend;
-')
-
 optional_policy(`
 bootloader_run(portage_t, portage_roles)
 ')
@@ -335,12 +311,6 @@ userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
 rsync_exec(portage_fetch_t)
-ifdef(`distro_gentoo',`
- dev_rw_autofs(portage_fetch_t)
-
- fs_search_auto_mountpoints(portage_fetch_t)
-')
-
 ifdef(`hide_broken_symptoms',`
 dontaudit portage_fetch_t portage_cache_t:file read;
 ')
@@ -362,6 +332,12 @@ optional_policy(`
 # - SELinux-enforced sandbox
 #
+allow portage_sandbox_t self:process ptrace;
+dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
+
+allow portage_sandbox_t portage_log_t:file { create_file_perms delete_file_perms setattr_file_perms append_file_perms };
+logging_log_filetrans(portage_sandbox_t, portage_log_t, file)
+
 portage_compile_domain(portage_sandbox_t)
 auth_use_nsswitch(portage_sandbox_t)
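Review bot: In the hunk at -362 the portage_log_t `allow` rule and its `logging_log_filetrans` are added outside any distro_gentoo guard, while the hunk at -373 removes the same two lines from inside that guard. That makes this a policy change for every distribution, not the move the commit title describes. It also gives the sandbox domain, which the file describes as the domain used for compiling, `delete_file_perms` and `setattr_file_perms` on portage logs. If those logs are meant to record what a build did, and unless the sandbox really has to remove or re-attribute them, narrowing the rule to `allow portage_sandbox_t portage_log_t:file { create_file_perms append_file_perms };` would keep them append-only from the sandbox's side; this needs testing in enforcing mode. At minimum a comment such as `# not accepted upstream yet: sandbox creates and manages its own portage logs` would mark the deviation the commit message alludes to.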
@@ -373,8 +349,44 @@ ifdef(`hide_broken_symptoms',`
 ')
 ifdef(`distro_gentoo',`
- allow portage_sandbox_t portage_log_t:file { create_file_perms delete_file_perms setattr_file_perms append_file_perms };
- logging_log_filetrans(portage_sandbox_t, portage_log_t, file)
+ allow portage_t self:capability2 block_suspend;
+
+ ##########################################
+ #
+ # Type declarations
+ #
+
+ type gcc_config_tmp_t;
+ files_tmp_file(gcc_config_tmp_t)
+
+ # Assigned to domains that are managed by eselect
+ attribute portage_eselect_domain;
+
+ ##########################################
+ #
+ # Portage fetch local policy
+ #
+
+ dev_rw_autofs(portage_fetch_t)
+
+ fs_search_auto_mountpoints(portage_fetch_t)
+
+ ##########################################
+ #
+ # GCC config local policy
+ #
+
+ allow gcc_config_t gcc_config_tmp_t:file manage_file_perms;
+ files_tmp_filetrans(gcc_config_t, gcc_config_tmp_t, file)
+
+
+ files_manage_etc_runtime_files(gcc_config_t)
+ files_manage_etc_runtime_lnk_files(gcc_config_t)
+
+ ##########################################
+ #
+ # Portage sandbox local policy
+ #
 ##########################################
 #