diff --git a/sec-policy/selinux-desktop-custom/files/desktop-custom.fc b/sec-policy/selinux-desktop-custom/files/desktop-custom.fc
new file mode 100644
index 0000000..cb2650f
--- /dev/null
+++ b/sec-policy/selinux-desktop-custom/files/desktop-custom.fc
@@ -0,0 +1,4 @@
+# Portage related
+/usr/bin/eix -- gen_context(system_u:object_r:portage_exec_t)
+/usr/bin/eix-sync -- gen_context(system_u:object_r:portage_exec_t)
+/usr/lib/python-exec/python[0-9]\.[0-9]*/ebuild -- gen_context(system_u:object_r:portage_exec_t)
diff --git a/sec-policy/selinux-desktop-custom/files/desktop-custom.te b/sec-policy/selinux-desktop-custom/files/desktop-custom.te
new file mode 100644
index 0000000..0223b4b
--- /dev/null
+++ b/sec-policy/selinux-desktop-custom/files/desktop-custom.te
@@ -0,0 +1,14 @@
+policy_module(desktop-custom, 1.0.1)
+
+gen_require(`
+ type portage_t, portage_ebuild_t, cert_t;
+')
+
+####### Policy
+
+#============= portage_t ==============
+corenet_udp_bind_generic_node(portage_t)
+kernel_mounton_proc(portage_t)
+kernel_mount_proc(portage_t)
+allow portage_t portage_ebuild_t:file map;
+allow portage_t cert_t:file map;
diff --git a/sec-policy/selinux-desktop-custom/selinux-desktop-custom-2.20190201-r1.ebuild b/sec-policy/selinux-desktop-custom/selinux-desktop-custom-2.20190201-r1.ebuild
new file mode 100644
index 0000000..b335c42
--- /dev/null
+++ b/sec-policy/selinux-desktop-custom/selinux-desktop-custom-2.20190201-r1.ebuild
@@ -0,0 +1,20 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+EAPI="5"
+
+IUSE=""
+MODS="desktop-custom"
+POLICY_FILES="desktop-custom.te desktop-custom.fc"
+
+inherit selinux-policy-2
+
+DESCRIPTION="SELinux policy for custom desktop related things"
+
+RDEPEND="sec-policy/selinux-base-policy"
+
+if [[ $PV == 9999* ]] ; then
+ KEYWORDS=""
+else
+ KEYWORDS="amd64 x86"
+fi
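Review bot: Every gen_context() in this new .fc omits the sensitivity argument; the reference-policy form, and the one Gentoo's own portage.fc uses, is `gen_context(system_u:object_r:portage_exec_t,s0)`, and for the mcs/mls policy types the eclass can build, an empty second argument is expanded into a context ending in a bare colon that setfiles rejects. Labeling `/usr/bin/eix` itself as portage_exec_t also puts plain read-only `eix` queries into the portage_t domain, which has write access to everything portage installs; the denial quoted in server-custom.te comes from comm="eix-update", so if only the cache update and sync paths need to read ebuilds, consider labeling just those entry points or giving eix a small domain of its own. Note that `--` matches regular files only, so if eix-update is a symlink to eix (as in upstream eix) it is covered through the target's label rather than its own — confirm how the package installs it.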
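Review bot: `allow portage_t cert_t:file map;` and `allow portage_t portage_ebuild_t:file map;` are raw allow rules on types owned by other modules (miscfiles and portage), pulled in through gen_require; refpolicy convention is to go through the owning module's interface, e.g. `miscfiles_map_generic_certs(portage_t)` where the installed base policy provides it, so the rule survives type or attribute changes upstream. None of the five portage_t rules carries the `# type=AVC ...` justification that server-custom.te attaches to its portage_t rules, and `corenet_udp_bind_generic_node(portage_t)` in particular widens portage_t's network surface with no recorded denial behind it — please add the audit line that motivated it or drop it. The same five rules and an identical .fc are added to server-custom in this commit; a single shared module both profiles depend on would keep the two copies from drifting.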
diff --git a/sec-policy/selinux-server-custom/files/server-custom.fc b/sec-policy/selinux-server-custom/files/server-custom.fc
new file mode 100644
index 0000000..cb2650f
--- /dev/null
+++ b/sec-policy/selinux-server-custom/files/server-custom.fc
@@ -0,0 +1,4 @@
+# Portage related
+/usr/bin/eix -- gen_context(system_u:object_r:portage_exec_t)
+/usr/bin/eix-sync -- gen_context(system_u:object_r:portage_exec_t)
+/usr/lib/python-exec/python[0-9]\.[0-9]*/ebuild -- gen_context(system_u:object_r:portage_exec_t)
diff --git a/sec-policy/selinux-server-custom/files/server-custom.te b/sec-policy/selinux-server-custom/files/server-custom.te
index 7d54f57..7480f82 100644
--- a/sec-policy/selinux-server-custom/files/server-custom.te
+++ b/sec-policy/selinux-server-custom/files/server-custom.te
@@ -1,4 +1,4 @@
-policy_module(server-custom, 1.0.2)
+policy_module(server-custom, 1.0.3)
 gen_require(`
 type ping_t, rsync_t, nginx_t, syncthing_t;
@@ -90,8 +90,11 @@ logging_send_syslog_msg(tmpfiles_t)
 # type=AVC msg=audit(1535383674.057:1263): avc: denied { write } for pid=19064 comm="ebuild.sh" name="fd" dev="proc" ino=1054984 scontext=staff_u:sysadm_r:portage_t:s0 tcontext=staff_u:sysadm_r:portage_t:s0 tclass=dir permissive=0
 allow portage_t self:dir write;
+kernel_mounton_proc(portage_t)
+kernel_mount_proc(portage_t)
 # type=AVC msg=audit(1536753503.662:7355): avc: denied { map } for pid=19388 comm="eix-update" path="/var/lib/layman/musl/sys-apps/sandbox/sandbox-2.12.ebuild" dev="dm-0" ino=749977658 scontext=staff_u:sysadm_r:portage_t:s0 tcontext=system_u:object_r:portage_ebuild_t:s0 tclass=file permissive=0
 allow portage_t portage_ebuild_t:file map;
+allow portage_t cert_t:file map;
 #optional_policy(`
 # nsd_admin(sysadm_t, sysadm_r)
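Review bot: This file is byte-identical to desktop-custom.fc added in the same commit (both file headers show blob cb2650f), so the two copies will drift the moment one of them is corrected; move the Portage labels into one module that both profiles depend on instead of duplicating them. As in the desktop copy, each `gen_context(system_u:object_r:portage_exec_t)` lacks the `,s0` sensitivity that the mcs/mls policy types need, and labeling `/usr/bin/eix` itself runs read-only eix queries in the privileged portage_t domain.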
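Review bot: The three added rules break the file's own convention, visible on the surrounding lines, of preceding every portage_t rule with the `# type=AVC ...` denial that motivated it; `kernel_mounton_proc`/`kernel_mount_proc` by their names let portage_t mount proc and mount on top of it, and `allow portage_t cert_t:file map;` grants mapping of every generic certificate, so record the audit lines (presumably from ebuild.sh's sandbox setup and from a TLS fetch) or drop the rules. The cert_t rule should also use the owning module's interface, `miscfiles_map_generic_certs(portage_t)` where the base policy provides it, rather than a raw allow on a foreign type, and cert_t has to be declared in the gen_require block — only its first line (`type ping_t, rsync_t, nginx_t, syncthing_t;`) is in view, so confirm it is listed there. The enclosing gen_require and the rest of the file are outside this hunk.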
diff --git a/sec-policy/selinux-server-custom/selinux-server-custom-2.20180701-r1.ebuild b/sec-policy/selinux-server-custom/selinux-server-custom-2.20190201-r1.ebuild
similarity index 87%
rename from sec-policy/selinux-server-custom/selinux-server-custom-2.20180701-r1.ebuild
rename to sec-policy/selinux-server-custom/selinux-server-custom-2.20190201-r1.ebuild
index 938ec87..6e07cb7 100644
--- a/sec-policy/selinux-server-custom/selinux-server-custom-2.20180701-r1.ebuild
+++ b/sec-policy/selinux-server-custom/selinux-server-custom-2.20190201-r1.ebuild
@@ -5,7 +5,7 @@ EAPI="5"
 IUSE=""
 MODS="server-custom"
-POLICY_FILES="server-custom.te"
+POLICY_FILES="server-custom.te server-custom.fc"
 inherit selinux-policy-2