update selinux-server-custom; add selinux-desktop-custom

2020-01-06 11:00:13 +03:00 · 2020-01-06 11:00:13 +03:00 · 2709fc60bb
parent 702954333d
commit 2709fc60bb
6 changed files with 47 additions and 2 deletions
--- a/sec-policy/selinux-desktop-custom/files/desktop-custom.fc
+++ b/sec-policy/selinux-desktop-custom/files/desktop-custom.fc
@ -0,0 +1,4 @@
+# Portage related
+/usr/bin/eix    --      gen_context(system_u:object_r:portage_exec_t)
+/usr/bin/eix-sync       --      gen_context(system_u:object_r:portage_exec_t)
+/usr/lib/python-exec/python[0-9]\.[0-9]*/ebuild --      gen_context(system_u:object_r:portage_exec_t)
--- a/sec-policy/selinux-desktop-custom/files/desktop-custom.te
+++ b/sec-policy/selinux-desktop-custom/files/desktop-custom.te
@ -0,0 +1,14 @@
+policy_module(desktop-custom, 1.0.1)
+
+gen_require(`
+    type portage_t, portage_ebuild_t, cert_t;
+')
+
+####### Policy
+
+#============= portage_t ==============
+corenet_udp_bind_generic_node(portage_t)
+kernel_mounton_proc(portage_t)
+kernel_mount_proc(portage_t)
+allow portage_t portage_ebuild_t:file map;
+allow portage_t cert_t:file map;
--- a/sec-policy/selinux-desktop-custom/selinux-desktop-custom-2.20190201-r1.ebuild
+++ b/sec-policy/selinux-desktop-custom/selinux-desktop-custom-2.20190201-r1.ebuild
@ -0,0 +1,20 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+EAPI="5"
+
+IUSE=""
+MODS="desktop-custom"
+POLICY_FILES="desktop-custom.te desktop-custom.fc"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for custom desktop related things"
+
+RDEPEND="sec-policy/selinux-base-policy"
+
+if [[ $PV == 9999* ]] ; then
+        KEYWORDS=""
+else
+        KEYWORDS="amd64 x86"
+fi
--- a/sec-policy/selinux-server-custom/files/server-custom.fc
+++ b/sec-policy/selinux-server-custom/files/server-custom.fc
@ -0,0 +1,4 @@
+# Portage related
+/usr/bin/eix    --      gen_context(system_u:object_r:portage_exec_t)
+/usr/bin/eix-sync       --      gen_context(system_u:object_r:portage_exec_t)
+/usr/lib/python-exec/python[0-9]\.[0-9]*/ebuild --      gen_context(system_u:object_r:portage_exec_t)
--- a/sec-policy/selinux-server-custom/files/server-custom.te
+++ b/sec-policy/selinux-server-custom/files/server-custom.te
@ -1,4 +1,4 @@
-policy_module(server-custom, 1.0.2)
+policy_module(server-custom, 1.0.3)

 gen_require(`
    type ping_t, rsync_t, nginx_t, syncthing_t;
@ -90,8 +90,11 @@ logging_send_syslog_msg(tmpfiles_t)

 # type=AVC msg=audit(1535383674.057:1263): avc:  denied  { write } for  pid=19064 comm="ebuild.sh" name="fd" dev="proc" ino=1054984 scontext=staff_u:sysadm_r:portage_t:s0 tcontext=staff_u:sysadm_r:portage_t:s0 tclass=dir permissive=0
 allow portage_t self:dir write;
+kernel_mounton_proc(portage_t)
+kernel_mount_proc(portage_t)
 # type=AVC msg=audit(1536753503.662:7355): avc:  denied  { map } for  pid=19388 comm="eix-update" path="/var/lib/layman/musl/sys-apps/sandbox/sandbox-2.12.ebuild" dev="dm-0" ino=749977658 scontext=staff_u:sysadm_r:portage_t:s0 tcontext=system_u:object_r:portage_ebuild_t:s0 tclass=file permissive=0
 allow portage_t portage_ebuild_t:file map;
+allow portage_t cert_t:file map;

 #optional_policy(`
 #        nsd_admin(sysadm_t, sysadm_r)
--- a/sec-policy/selinux-server-custom/selinux-server-custom-2.20190201-r1.ebuild
+++ b/sec-policy/selinux-server-custom/selinux-server-custom-2.20190201-r1.ebuild
@ -5,7 +5,7 @@ EAPI="5"

 IUSE=""
 MODS="server-custom"
-POLICY_FILES="server-custom.te"
+POLICY_FILES="server-custom.te server-custom.fc"

 inherit selinux-policy-2