* [gentoo-hardened] [PATCH 1/4] portage: Dontaudit setattr in portage_dontaudit_write_cache
From: Luis Ressel @ 2015-10-15 10:44 UTC
To: gentoo-hardened
---
policy/modules/contrib/portage.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index 640a63b..c98a763 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -511,6 +511,6 @@ interface(`portage_dontaudit_write_cache',`
type portage_cache_t;
')
- dontaudit $1 portage_cache_t:dir { write };
+ dontaudit $1 portage_cache_t:dir { setattr write };
')
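Review bot: the patch carries no commit message, so the hunk does not say which caller or which operation on the portage_cache_t directory produced the setattr denial that is now being silenced; since a dontaudit hides the AVC rather than granting the permission, a one-line description of the triggering access would let a later reader judge whether silencing is the right call or whether the caller actually needs setattr allowed. The rule change itself is minimal and keeps the existing write permission in the set.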
--
2.6.1
* [gentoo-hardened] [PATCH 2/4] portage: Fix the gen_require of the portage_compile_domain interface
From: Luis Ressel @ 2015-10-15 10:44 UTC
To: gentoo-hardened
The portage_compile_domain interface used portage_sandbox_t without
requiring it.
---
policy/modules/contrib/portage.if | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index c98a763..4652319 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -68,8 +68,8 @@ interface(`portage_run',`
interface(`portage_compile_domain',`
gen_require(`
class dbus send_msg;
- type portage_devpts_t, portage_log_t, portage_srcrepo_t, portage_tmp_t;
- type portage_tmpfs_t;
+ type portage_devpts_t, portage_log_t, portage_sandbox_t, portage_srcrepo_t;
+ type portage_tmp_t, portage_tmpfs_t;
')
allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
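Review bot: the commit message states that portage_sandbox_t was used without being required, but the rule that references it lies outside the visible hunk; quoting that rule (or the build error the missing gen_require produced) in the message would make the fix self-explanatory. The new require block itself looks right: every type from the old block (portage_devpts_t, portage_log_t, portage_srcrepo_t, portage_tmp_t, portage_tmpfs_t) is still listed and the two lines remain in alphabetical order after inserting portage_sandbox_t.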
--
2.6.1
* [gentoo-hardened] [PATCH 3/4] portage: New read-only interfaces for srcrepo and logs
From: Luis Ressel @ 2015-10-15 10:44 UTC
To: gentoo-hardened
Create portage_read_srcrepo and portage_read_log interfaces.
---
policy/modules/contrib/portage.if | 40 +++++++++++++++++++++++++++++++++++++++
1 file changed, 40 insertions(+)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index 4652319..962dcca 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -498,6 +498,46 @@ interface(`portage_read_ebuild',`
########################################
## <summary>
+## Read portage log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`portage_read_log',`
+ gen_require(`
+ type portage_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, portage_log_t, portage_log_t)
+')
+
+########################################
+## <summary>
+## Read portage src repository files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`portage_read_srcrepo',`
+ gen_require(`
+ type portage_ebuild_t, portage_srcrepo_t;
+ ')
+
+ files_search_usr($1)
+ list_dirs_pattern($1, portage_ebuild_t, portage_srcrepo_t)
+ read_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+ read_lnk_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+')
+
+########################################
+## <summary>
## Do not audit writing portage cache files
## </summary>
## <param name="domain">
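Review bot: portage_read_log only grants search on portage_log_t directories, because read_files_pattern($1, portage_log_t, portage_log_t) expands to search_dir_perms on the directory argument plus read_file_perms on the files, so a read-only domain that tries to list the portage log directory will still be denied dir read. If listing is intended, add list_dirs_pattern($1, portage_log_t, portage_log_t) next to it, the way portage_read_srcrepo already pairs list_dirs_pattern($1, portage_ebuild_t, portage_srcrepo_t) with its read_files_pattern and read_lnk_files_pattern calls. Otherwise both interfaces follow the refpolicy documentation-block and gen_require conventions of the surrounding file.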
--
2.6.1
* [gentoo-hardened] [PATCH 4/4] portage: Add new interfaces to portage_ro_role
From: Luis Ressel @ 2015-10-15 10:44 UTC
To: gentoo-hardened
---
policy/modules/contrib/portage.if | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index 962dcca..e9de28e 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -410,6 +410,8 @@ interface(`portage_ro_role',`
portage_read_config($1)
portage_read_db($1)
portage_read_ebuild($1)
+ portage_read_log($1)
+ portage_read_srcrepo($1)
portage_dontaudit_write_cache($1)
')
--
2.6.1
* Re: [gentoo-hardened] [PATCH 1/4] portage: Dontaudit setattr in portage_dontaudit_write_cache
From: Jason Zaman @ 2015-10-17 17:03 UTC
To: gentoo-hardened
On Thu, Oct 15, 2015 at 12:44:40PM +0200, Luis Ressel wrote:
> ---
> policy/modules/contrib/portage.if | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
> index 640a63b..c98a763 100644
> --- a/policy/modules/contrib/portage.if
> +++ b/policy/modules/contrib/portage.if
> @@ -511,6 +511,6 @@ interface(`portage_dontaudit_write_cache',`
> type portage_cache_t;
> ')
>
> - dontaudit $1 portage_cache_t:dir { write };
> + dontaudit $1 portage_cache_t:dir { setattr write };
> ')
>
> --
> 2.6.1
Applied this set, thanks!
-- Jason