From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1380132273.c2d10ed6ad80c4c442bc939a97996159b8eec3c3.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/portage.if
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: c2d10ed6ad80c4c442bc939a97996159b8eec3c3
X-VCS-Branch: master
Date: Wed, 25 Sep 2013 18:05:55 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: cd0f91e5-b97a-4986-a225-a1392a88a3fb
X-Archives-Hash: 7cd6d52425e0a8856d1c0cff8ae7b04f

commit:     c2d10ed6ad80c4c442bc939a97996159b8eec3c3
Author:     Sven Vermeulen siphos be>
AuthorDate: Wed Sep 25 18:04:33 2013 +0000
Commit:     Sven Vermeulen gentoo org>
CommitDate: Wed Sep 25 18:04:33 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=c2d10ed6

Add portage_ro_role to allow read-only access to Portage files

The portage_ro_role() can be assigned to users who are allowed to view Portage-related files but not touch them or switch to the portage domains.

Patch initially brought forward by Luis Ressel, adapted to match coding style & separate dontaudit into its own interface.

---
 policy/modules/contrib/portage.if | 61 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)

diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index fd1ae2a..fe656fa 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -385,6 +385,49 @@ interface(`portage_eselect_module',` ######################################## ## +## Read all portage files +## +## +## +## Role allowed access +## +## +## +## +## Domain allowed access +## +## +# +interface(`portage_ro_role',` + portage_read_cache($1) + portage_read_config($1) + portage_read_db($1) + portage_read_ebuild($1) + portage_dontaudit_write_cache($1) +') + +######################################## +## +## Read portage db files +## +## +## +## Domain allowed access +## +## +# +interface(`portage_read_db',` + gen_require(` + type portage_db_t; + ') + + files_search_var($1) + list_dirs_pattern($1, portage_db_t, portage_db_t) + read_files_pattern($1, portage_db_t, portage_db_t) +') + +######################################## +## ## Read portage cache files ## ## @@ -446,3 +489,21 @@ interface(`portage_read_ebuild',` read_lnk_files_pattern($1, portage_ebuild_t, portage_ebuild_t) ') +######################################## +## +## Do not audit writing portage cache files +## +## +## +## Domain allowed access +## +## +# +interface(`portage_dontaudit_write_cache',` + gen_require(` + type portage_cache_t; + ') + + dontaudit $1 portage_cache_t:dir { write }; +') +
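Review bot: in the first hunk (`@@ -385,6 +385,49 @@`) `portage_ro_role` is documented with two parameters, a role ("Role allowed access") and a domain ("Domain allowed access"), which is the refpolicy `*_role` convention where $1 is the role and $2 is the user domain, yet the body passes $1 to every call: `portage_read_cache($1)`, `portage_read_config($1)`, `portage_read_db($1)`, and so on. Those read interfaces expand to type-enforcement rules with their argument as the source type (see `read_files_pattern($1, portage_db_t, portage_db_t)` in `portage_read_db` in the same hunk), so a caller that follows the documentation, e.g. `portage_ro_role(staff_r, staff_t)`, would have the reads applied to the role name and the domain ignored. Either switch the five calls to $2, or drop the role parameter from the documentation and rename the interface, since nothing in the body (no `role` or `role_transition` statement) uses the role; the commit message's point that the user cannot switch to the portage domains fits the latter. The summary "Read all portage files" also reads like a plain read interface rather than a role interface, so it should say which role it builds or be renamed along with the interface.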
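Review bot: in the second hunk (`@@ -446,3 +489,21 @@`) `portage_dontaudit_write_cache` only silences `portage_cache_t:dir { write }`, while its summary says "Do not audit writing portage cache files"; either the summary should say the cache directory, or the rule should also cover the file class if the denials that motivated it include file writes (the hunk does not show which). Style: braces around a single permission are unnecessary, `dontaudit $1 portage_cache_t:dir write;` is the usual refpolicy form, and the parameter description for a dontaudit interface is conventionally "Domain to not audit" rather than "Domain allowed access", since nothing is being allowed.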