update selinux-server-custom; add selinux-desktop-custom

This commit is contained in:
Alexander Miroshnichenko 2020-01-06 11:00:13 +03:00
parent 702954333d
commit 2709fc60bb
6 changed files with 47 additions and 2 deletions


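--- /dev/null
+++ b/PATH_NOT_SHOWN/desktop-custom.fc
@@ -0,0 +1,4 @@
+# Portage related
+/usr/bin/eix -- gen_context(system_u:object_r:portage_exec_t)
+/usr/bin/eix-sync -- gen_context(system_u:object_r:portage_exec_t)
+/usr/lib/python-exec/python[0-9]\.[0-9]*/ebuild -- gen_context(system_u:object_r:portage_exec_t)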
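Review bot: Labeling /usr/bin/eix and /usr/bin/eix-sync as portage_exec_t (lines 2 and 3 of the new file) makes a read-only cache/query tool an entry point of the package-manager domain, so eix presumably runs with the full privileges of portage_t under the base policy's portage domain transition; that is a deliberate widening of the domain and should be stated, e.g. replace `# Portage related` with `# eix, eix-sync and the python-exec ebuild wrapper are run in the portage domain (portage_exec_t entrypoint); see the eix-update { map } denial recorded in server-custom.te`. The same four lines are added verbatim as the fourth file of this commit (the server-custom .fc), so both modules label the same paths; if both are ever installed on one host this at least produces duplicate-specification warnings in file_contexts and becomes an error should the two contexts ever diverge, so one module should own these specs.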


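--- /dev/null
+++ b/PATH_NOT_SHOWN/desktop-custom.te
+policy_module(desktop-custom, 1.0.1)
+gen_require(`
+type portage_t, portage_ebuild_t, cert_t;
+')
+####### Policy
+#============= portage_t ==============
+corenet_udp_bind_generic_node(portage_t)
+kernel_mounton_proc(portage_t)
+kernel_mount_proc(portage_t)
+allow portage_t portage_ebuild_t:file map;
+allow portage_t cert_t:file map;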
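Review bot: None of the five portage_t rules carries the audit denial that motivated it, whereas server-custom.te in this same commit records a `# type=AVC ...` line before each rule (the ebuild.sh and eix-update denials); `corenet_udp_bind_generic_node(portage_t)` lets the package manager bind UDP sockets on any node and `allow portage_t cert_t:file map;` lets it mmap the system certificate store, so each needs at least a one-line reason above it, e.g. `# eix-update mmaps ebuilds, see audit(1536753503.662:7355) in server-custom.te`. The kernel_mount_proc, kernel_mounton_proc, portage_ebuild_t map and cert_t map rules are also added to server-custom.te by this commit, so a host that loads both modules presumably carries the same allow rules twice; a shared portage module, or an interface both files call, would keep one authoritative copy. The `####### Policy` and `#============= portage_t ==============` markers look copied from the generator template; keeping only the second, which names the subject domain, would match the rest of the file's terse style.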


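--- /dev/null
+++ b/PATH_NOT_SHOWN/selinux-desktop-custom-VERSION_NOT_SHOWN.ebuild
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+EAPI="5"
+IUSE=""
+MODS="desktop-custom"
+POLICY_FILES="desktop-custom.te desktop-custom.fc"
+inherit selinux-policy-2
+DESCRIPTION="SELinux policy for custom desktop related things"
+RDEPEND="sec-policy/selinux-base-policy"
+if [[ $PV == 9999* ]] ; then
+KEYWORDS=""
+else
+KEYWORDS="amd64 x86"
+fi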
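Review bot: The header `# Copyright 1999-2015 Gentoo Foundation` and `# $Id$` are stale boilerplate on a file created in 2020 outside the Gentoo tree: the `$Id$` keyword is only expanded by CVS and the year range predates the file, so the first line should name the actual holder and year, e.g. `# Copyright 2020 <author>`, and the `$Id$` line should go. `EAPI="5"` is also an old EAPI for a brand-new ebuild; the selinux-policy-2 eclass accepts newer EAPIs, so the file would normally start from the current one — confirm against the eclass revision carried by this overlay before changing it. `IUSE=""` is redundant (an unset IUSE is equivalent), and `LICENSE`, `SLOT` and `HOMEPAGE` are absent; I believe the eclass supplies them, but if it does not in this overlay's version the ebuild will fail repoman/pkgcheck.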


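--- /dev/null
+++ b/PATH_NOT_SHOWN/server-custom.fc
@@ -0,0 +1,4 @@
+# Portage related
+/usr/bin/eix -- gen_context(system_u:object_r:portage_exec_t)
+/usr/bin/eix-sync -- gen_context(system_u:object_r:portage_exec_t)
+/usr/lib/python-exec/python[0-9]\.[0-9]*/ebuild -- gen_context(system_u:object_r:portage_exec_t)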


@ -1,4 +1,4 @@
policy_module(server-custom, 1.0.2) policy_module(server-custom, 1.0.3)
gen_require(` gen_require(`
type ping_t, rsync_t, nginx_t, syncthing_t; type ping_t, rsync_t, nginx_t, syncthing_t;
@ -90,8 +90,11 @@ logging_send_syslog_msg(tmpfiles_t)
# type=AVC msg=audit(1535383674.057:1263): avc: denied { write } for pid=19064 comm="ebuild.sh" name="fd" dev="proc" ino=1054984 scontext=staff_u:sysadm_r:portage_t:s0 tcontext=staff_u:sysadm_r:portage_t:s0 tclass=dir permissive=0 # type=AVC msg=audit(1535383674.057:1263): avc: denied { write } for pid=19064 comm="ebuild.sh" name="fd" dev="proc" ino=1054984 scontext=staff_u:sysadm_r:portage_t:s0 tcontext=staff_u:sysadm_r:portage_t:s0 tclass=dir permissive=0
allow portage_t self:dir write; allow portage_t self:dir write;
kernel_mounton_proc(portage_t)
kernel_mount_proc(portage_t)
# type=AVC msg=audit(1536753503.662:7355): avc: denied { map } for pid=19388 comm="eix-update" path="/var/lib/layman/musl/sys-apps/sandbox/sandbox-2.12.ebuild" dev="dm-0" ino=749977658 scontext=staff_u:sysadm_r:portage_t:s0 tcontext=system_u:object_r:portage_ebuild_t:s0 tclass=file permissive=0 # type=AVC msg=audit(1536753503.662:7355): avc: denied { map } for pid=19388 comm="eix-update" path="/var/lib/layman/musl/sys-apps/sandbox/sandbox-2.12.ebuild" dev="dm-0" ino=749977658 scontext=staff_u:sysadm_r:portage_t:s0 tcontext=system_u:object_r:portage_ebuild_t:s0 tclass=file permissive=0
allow portage_t portage_ebuild_t:file map; allow portage_t portage_ebuild_t:file map;
allow portage_t cert_t:file map;
#optional_policy(` #optional_policy(`
# nsd_admin(sysadm_t, sysadm_r) # nsd_admin(sysadm_t, sysadm_r)
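Review bot: `allow portage_t cert_t:file map;`, the single-copy line after the eix-update denial comment in the second hunk, uses cert_t, but the only gen_require line in this change, `type ping_t, rsync_t, nginx_t, syncthing_t;`, does not declare it and no hunk touches the rest of the require block; unless cert_t is already required on a line outside the first hunk or pulled in by another interface's require, checkmodule will reject the module with an undeclared-type error, so the require list should be extended, e.g. `type ping_t, rsync_t, nginx_t, syncthing_t, cert_t;` (the desktop-custom.te added by this same commit does list cert_t). The three added rules — `kernel_mounton_proc(portage_t)`, `kernel_mount_proc(portage_t)` and the cert_t map — also drop the file's own convention of preceding each rule with the `# type=AVC ...` denial that motivated it, as the neighbouring ebuild.sh and eix-update rules do, so the audit line or at least a one-line reason belongs above them. The gen_require block and the portage_t section both extend beyond these hunks.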


@ -5,7 +5,7 @@ EAPI="5"
IUSE="" IUSE=""
MODS="server-custom" MODS="server-custom"
POLICY_FILES="server-custom.te" POLICY_FILES="server-custom.te server-custom.fc"
inherit selinux-policy-2 inherit selinux-policy-2