remove some old selinux ebuilds
parent
88cfcf1f7b
commit
1a49b0ef2f
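--- a/PATH-NOT-ON-PAGE/Manifest
+++ /dev/null
@@ -1,13 +0,0 @@
-AUX allow_dbus_session_creation.patch 1315 BLAKE2B 5e028683e3c8f0db652dd54275e647935e744fb7c2561989c85d4ac52638d9af572792ba7c5f3aca1de729609a0ece6a973ec1ab97915bba1168f6812c5708b9 SHA512 095ee38d4668c2fe06e84fff5396fa99bdb4a1df1e49c939f0f29665bfceccc9b2aacc27834e1438bc4cfc91c50a32f2d504431d4b283c487c257dae286f94b9
-AUX cron_allow_watch_crontabs.patch 305 BLAKE2B bcc4c3663c7100c8c40531e5a5832efeaad3cfe8ba343dd29976f84e62676bf21a5e5aaf38edfb5e2e3fa960fcaa3f6b15bdf5ce8532ccc6c4c2d201b664e680 SHA512 8ddacea7990bdbfec2cbb4d542f739704fe6e8379877c3c6578f09f5a93aac1f57cfedc4e7d0ccf13eb9d4c9269fe5817b4b9ad74c8907831de353c06558e0fc
-AUX git_portage_repo_fix.patch 366 BLAKE2B d78d6fe0913a51071ba4a594cbfdc2c665e98c14789e2bcd45a691c5d4a62ccfd6f4f802dd32e6792a346cc3f44fbd164b5a72eaf04efc75ea57b4d4f9c45d5a SHA512 ce4b013d7038a40f9dc25803fe7af94cfbab9cc071f8334c241f1704b1d410c3843c42c3c57fb0f2ef1e8274237fcaf355a168593b7fe6e9e14ba24c19d2e777
-AUX init_nftables.patch 429 BLAKE2B 75d75dc54a52c3e2b31f51919e7623a97a9a8a0553af29a952df2b55a122fd0b3675517a8d4133856f0d619e08a4a2373470f55124553f0f77d3428792f2cb21 SHA512 882d16acd25156d190dc8fe491738651e2cb0213df76cfe646e41abf01e262700f8a1a9f84d1fa206add3ea4fd55359e63e5984a98b914095b9c53172473b0b6
-AUX init_paths.patch 509 BLAKE2B cac484800113f0cff5b710484ff11e3fd72e0611ccbe12f326704e5a2714d6b8a17fc91efef2c4bc785008098d3b499cb6d7266c43bd3e762b916e22aa8a2345 SHA512 8687a495f90aeeb1356ea3cfe2de4c35bab874744498f4624a95e717fabd989d999a22c572e8961a9235b5f38d9032d1ba6387d3b1d408b478bca315e7bcf16d
-AUX init_read_syslog_config.patch 422 BLAKE2B 41814137d275eec4e6d801a318586c4040e22a512187a91dea9440026e2dc01dacc46404b7592ca71970c886b2a99f7d98989bfffc9e4e096042f13738a3003e SHA512 11cbed7bda6992a292e88628598026f8b1703b7ae258188d43e98ae140463bb5e28cfa64a9cc3864356f34b9089f79f51db4b60f2faeb05c03f8246e81d06737
-AUX logging_init_read_config.patch 400 BLAKE2B 91899869ab8ba4923e4e26ec16317d4e23734043df0d27f7693e6445669fc21e3948cd3082a3193e01ef368a967ec2d43fd5d1e0ed3172637bce1a5dc3c1c495 SHA512 06b38922971178e45492bb1a29d0d18990b8e00cc492571d78b0aaca1514f5dc0540d692fe2159afe51c09717ec02f7ea2cf795f0cfe62f566a107092bd602a0
-AUX mta_user_mail_newaliases.patch 406 BLAKE2B b8b23b24790267f301de0d6e17f9a25ac455dc3f6f7dee9f291c1e122d39fa125e86a4c5d1b3a8ac575576eebc3683b15fa1f7b8dee3016a8f046bb644ac7f42 SHA512 1515d0d79e7f33c80cebc5bd0babc2731595f31105de86df84d4940167693a274ae2271de3607369956750f22ab469fea8b247ba34cc8bb61f6a0a15d56a9328
-AUX portage_paths.patch 1745 BLAKE2B ec0d213d13ac0e1d1d9bd52d2811b37814c00c2f385af4a074267144976634d2bce66fd0b530e61924c7f3fc0abd3b0c5a9c6aab72c2834ff1cf935dff91edae SHA512 31933e1f8588d16b4f336b571ce388bc2a6204db7c99f242826c172fe9417f88cc7c40030a0712315539b1dcc2b4a56d54a194852d6123d9ef5f58750fc87ef2
-AUX sysadm_allow_watch.patch 317 BLAKE2B 5b54c9bcc242d6a8bc5ffb77d7774f325bb54dec9e370d25ce01b8597f91dee19b16aff9dd50bb12aa1420cb09ff463b3dc2ea6322c5fcc16f8f55274a438699 SHA512 730c9ad70817216f122ed4a7fad8931b6aec42e6dcc72f7e97ab1986b4d3900daeb1403380028db009c640fa4f1d1fff97e9c03913f24ba0023638b0782eb059
-DIST patchbundle-selinux-base-policy-2.20190609-r1.tar.bz2 407664 BLAKE2B e6b6b56f990389365c062522582e2177bc3b70040c99948efad25737e69178f9f72149cc443cb9edacfdd1aa6bc29f637cc61939f66e5cc3841f83298b33c41e SHA512 16195b51bb414ac82821f93756b3b5d0ec206b7035a50379c1f796082d9c53b11369e15086e1e26521808944266364470c43dcfdd1818ba079fda1613b7ef9bd
-DIST refpolicy-2.20190609.tar.bz2 555882 BLAKE2B abc45d9c906e0c880b7c47b0fb8e33f4a277c73244e20e8a95c44452db817241110127a5f8a3347cfbf5e30bf91f9dd4e5dd826426eb88b383fdbff5963f5fcd SHA512 f05ca08d31e62b7bf7203d7b243cce9ba87dd68d13b30067b99a44d5007449078fa82d591faa88c2955d370a346e69faedc850c02bd77c5624a8c746a13467f3
-EBUILD selinux-base-policy-2.20190609-r1.ebuild 4193 BLAKE2B 12f7cebe92a2c0a3ace4b5949a6ae96741997b778da4b8824a27fad33f966cb06639b57786f29ed004bb93921637d4d1043e276b78a3875f6b1a7a927356979f SHA512 5656448bf301db211097c3c2b467cc616afa2a2955d78f9386da5bacc13993a60a02712bb0cd486243615751375285a9f861fd82f4449f162f8756f8db40e191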
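--- a/PATH-NOT-ON-PAGE/allow_dbus_session_creation.patch
+++ /dev/null
@@ -1,25 +0,0 @@
---- work/refpolicy/policy/modules/system/systemd.te.orig 2020-05-23 10:09:48.508450458 +0200
-+++ work/refpolicy/policy/modules/system/systemd.te 2020-05-23 10:10:26.840453410 +0200
-@@ -490,6 +490,22 @@
-allow systemd_logind_t systemd_sessions_runtime_t:dir manage_dir_perms;
-allow systemd_logind_t systemd_sessions_runtime_t:file manage_file_perms;
-allow systemd_logind_t systemd_sessions_runtime_t:fifo_file manage_fifo_file_perms;
-+optional_policy(`
-+ gen_require(`
-+ type system_dbusd_t;
-+ ')
-+ allow system_dbusd_t systemd_sessions_runtime_t:dir manage_dir_perms;
-+ allow system_dbusd_t systemd_sessions_runtime_t:file manage_file_perms;
-+ allow system_dbusd_t systemd_sessions_runtime_t:fifo_file manage_fifo_file_perms;
-+
-+ manage_fifo_files_pattern(system_dbusd_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
-+ manage_files_pattern(system_dbusd_t, systemd_logind_runtime_t, systemd_logind_runtime_t)
-+ allow system_dbusd_t systemd_logind_runtime_t:dir manage_dir_perms;
-+
-+ allow system_dbusd_t systemd_machined_runtime_t:dir manage_dir_perms;
-+ manage_files_pattern(system_dbusd_t, systemd_machined_runtime_t, systemd_machined_runtime_t)
-+ allow system_dbusd_t systemd_machined_runtime_t:lnk_file manage_lnk_file_perms;
-+')
-
-kernel_read_kernel_sysctls(systemd_logind_t)
-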
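--- a/PATH-NOT-ON-PAGE/cron_allow_watch_crontabs.patch
+++ /dev/null
@@ -1,8 +0,0 @@
---- work/refpolicy/policy/modules/services/cron.te.orig 2020-05-17 19:58:38.079815252 +0200
-+++ work/refpolicy/policy/modules/services/cron.te 2020-05-17 20:12:21.892774990 +0200
-@@ -779,3 +779,5 @@
-optional_policy(`
-unconfined_domain(unconfined_cronjob_t)
-')
-+
-+allow crond_t cron_spool_t:dir watch;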
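--- a/PATH-NOT-ON-PAGE/git_portage_repo_fix.patch
+++ /dev/null
@@ -1,9 +0,0 @@
---- work/refpolicy/policy/modules/admin/portage.te.orig 2020-05-17 16:34:20.542137399 +0200
-+++ work/refpolicy/policy/modules/admin/portage.te 2020-05-17 16:35:31.601142871 +0200
-@@ -538,3 +538,6 @@
-
-files_manage_etc_runtime_files(portage_eselect_domain)
-')
-+
-+# required when using git to manage portage repositories
-+allow portage_t portage_ebuild_t:file map;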
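--- a/PATH-NOT-ON-PAGE/init_nftables.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- work/refpolicy/policy/modules/system/iptables.te.orig 2020-05-30 16:29:42.783865689 +0200
-+++ work/refpolicy/policy/modules/system/iptables.te 2020-05-30 16:30:32.789863245 +0200
-@@ -85,6 +85,7 @@
-
-init_use_fds(iptables_t)
-init_use_script_ptys(iptables_t)
-+init_read_script_pipes(iptables_t)
-# to allow rules to be saved on reboot:
-init_rw_script_tmp_files(iptables_t)
-init_rw_script_stream_sockets(iptables_t)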
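--- a/PATH-NOT-ON-PAGE/init_paths.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- work/refpolicy/policy/modules/system/init.fc.orig 2020-05-30 14:16:09.144257347 +0200
-+++ work/refpolicy/policy/modules/system/init.fc 2020-05-30 14:18:40.459249951 +0200
-@@ -104,6 +104,8 @@
-# /var
-#
-/var/lib/ip6?tables(/.*)? gen_context(system_u:object_r:initrc_tmp_t,s0)
-+/var/lib/ipset(/.*)? gen_context(system_u:object_r:initrc_tmp_t,s0)
-+/var/lib/nftables(/.*)? gen_context(system_u:object_r:initrc_tmp_t,s0)
-
-/run/openrc(/.*)? gen_context(system_u:object_r:initrc_state_t,s0)
-')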
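--- a/PATH-NOT-ON-PAGE/init_read_syslog_config.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- work/refpolicy/policy/modules/system/init.te.orig 2020-05-17 11:15:23.079663661 +0200
-+++ work/refpolicy/policy/modules/system/init.te 2020-05-17 11:16:09.014667199 +0200
-@@ -1527,3 +1527,8 @@
-userdom_dontaudit_rw_all_users_stream_sockets(systemprocess)
-userdom_dontaudit_write_user_tmp_files(systemprocess)
-')
-+
-+# allow openrc to read syslog config
-+optional_policy(`
-+ logging_read_syslog_config(initrc_t)
-+')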
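--- a/PATH-NOT-ON-PAGE/logging_init_read_config.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- work/refpolicy/policy/modules/system/logging.te.orig 2020-05-17 16:50:17.101211062 +0200
-+++ work/refpolicy/policy/modules/system/logging.te 2020-05-17 16:51:46.283217930 +0200
-@@ -631,4 +631,7 @@
-manage_files_pattern(syslogd_t, syslogmanaged, syslogmanaged)
-
-files_rw_var_lib_dirs(syslogd_t)
-+
-+ # openrc init script needs to read rsyslog config
-+ logging_read_syslog_config(initrc_t)
-')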
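--- a/PATH-NOT-ON-PAGE/mta_user_mail_newaliases.patch
+++ /dev/null
@@ -1,10 +0,0 @@
---- work/refpolicy/policy/modules/services/mta.te.orig 2020-05-17 11:00:52.011596582 +0200
-+++ work/refpolicy/policy/modules/services/mta.te 2020-05-17 11:02:31.536604246 +0200
-@@ -425,3 +425,7 @@
-at_rw_inherited_job_log_files(system_mail_t)
-')
-')
-+
-+mta_manage_aliases(user_mail_t)
-+manage_dirs_pattern(user_mail_t, etc_mail_t, etc_mail_t)
-+manage_files_pattern(user_mail_t, etc_mail_t, etc_mail_t)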
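--- a/PATH-NOT-ON-PAGE/portage_paths.patch
+++ /dev/null
@@ -1,27 +0,0 @@
---- a/refpolicy/policy/modules/admin/portage.fc.orig 2020-05-17 10:29:05.060449732 +0200
-+++ b/refpolicy/policy/modules/admin/portage.fc 2020-05-17 10:34:15.237473618 +0200
-@@ -19,6 +19,15 @@
-/usr/lib/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0)
-/usr/lib/portage/bin/sandbox -- gen_context(system_u:object_r:portage_exec_t,s0)
-
-+/var/db/repos(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
-+/var/cache/binpkg(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
-+/var/cache/distfiles(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
-+/var/cache/distfiles/cvs-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
-+/var/cache/distfiles/egit-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
-+/var/cache/distfiles/git[0-9]-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
-+/var/cache/distfiles/go-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
-+/var/cache/distfiles/hg-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
-+/var/cache/distfiles/svn-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
-
-/usr/portage(/.*)? gen_context(system_u:object_r:portage_ebuild_t,s0)
-/usr/portage/distfiles/cvs-src(/.*)? gen_context(system_u:object_r:portage_srcrepo_t,s0)
-@@ -48,3 +57,8 @@
-/usr/lib/python-exec/python[0-9]\.[0-9]*/emerge -- gen_context(system_u:object_r:portage_exec_t,s0)
-/var/log/sandbox(/.*)? gen_context(system_u:object_r:portage_log_t,s0)
-')
-+
-+# not strictly portage, maybe should have it's own policy?
-+/usr/bin/eix gen_context(system_u:object_r:portage_exec_t,s0)
-+/usr/bin/eix-sync gen_context(system_u:object_r:portage_exec_t,s0)
-+/usr/bin/eix-update gen_context(system_u:object_r:portage_exec_t,s0)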
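--- a/PATH-NOT-ON-PAGE/sysadm_allow_watch.patch
+++ /dev/null
@@ -1,9 +0,0 @@
---- work/refpolicy/policy/modules/roles/sysadm.te.orig 2020-05-17 20:18:02.631758336 +0200
-+++ work/refpolicy/policy/modules/roles/sysadm.te 2020-05-17 20:18:42.373756394 +0200
-@@ -1457,3 +1457,6 @@
-vde_role(sysadm_r, sysadm_t)
-')
-')
-+
-+allow sysadm_t file_type:file watch;
-+allow sysadm_t file_type:dir watch;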
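--- a/PATH-NOT-ON-PAGE/selinux-base-policy-2.20190609-r1.ebuild
+++ /dev/null
@@ -1,139 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-
-if [[ ${PV} == 9999* ]]; then
-EGIT_REPO_URI="${SELINUX_GIT_REPO:-https://anongit.gentoo.org/git/proj/hardened-refpolicy.git}"
-EGIT_BRANCH="${SELINUX_GIT_BRANCH:-master}"
-EGIT_CHECKOUT_DIR="${WORKDIR}/refpolicy"
-
-inherit git-r3
-else
-SRC_URI="https://github.com/SELinuxProject/refpolicy/releases/download/RELEASE_${PV/./_}/refpolicy-${PV}.tar.bz2
-https://dev.gentoo.org/~perfinion/patches/${PN}/patchbundle-${PN}-${PVR}.tar.bz2"
-KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86"
-fi
-
-HOMEPAGE="https://wiki.gentoo.org/wiki/Project:SELinux"
-DESCRIPTION="SELinux policy for core modules"
-
-IUSE="systemd +unconfined"
-
-PDEPEND="unconfined? ( sec-policy/selinux-unconfined )"
-DEPEND="=sec-policy/selinux-base-${PVR}[systemd?]"
-RDEPEND="$DEPEND"
-
-MODS="application authlogin bootloader clock consoletype cron dmesg fstools getty hostname hotplug init iptables libraries locallogin logging lvm miscfiles modutils mount mta netutils nscd portage raid rsync selinuxutil setrans ssh staff storage su sysadm sysnetwork systemd tmpfiles udev userdomain usermanage unprivuser xdg"
-LICENSE="GPL-2"
-SLOT="0"
-S="${WORKDIR}/"
-
-PATCHES=(
-${FILESDIR}/portage_paths.patch
-${FILESDIR}/init_read_syslog_config.patch
-${FILESDIR}/init_paths.patch
-${FILESDIR}/mta_user_mail_newaliases.patch
-${FILESDIR}/git_portage_repo_fix.patch
-${FILESDIR}/sysadm_allow_watch.patch
-${FILESDIR}/cron_allow_watch_crontabs.patch
-${FILESDIR}/allow_dbus_session_creation.patch
-${FILESDIR}/init_nftables.patch
-)
-
-# Code entirely copied from selinux-eclass (cannot inherit due to dependency on
-# itself), when reworked reinclude it. Only postinstall (where -b base.pp is
-# added) needs to remain then.
-
-pkg_pretend() {
-for i in ${POLICY_TYPES}; do
-if [[ "${i}" == "targeted" ]] && ! use unconfined; then
-die "If you use POLICY_TYPES=targeted, then USE=unconfined is mandatory."
-fi
-done
-}
-
-src_prepare() {
-local modfiles
-
-if [[ ${PV} != 9999* ]]; then
-einfo "Applying SELinux policy updates ... "
-eapply -p0 "${WORKDIR}/0001-full-patch-against-stable-release.patch"
-fi
-
-default
-eapply_user
-
-# Collect only those files needed for this particular module
-for i in ${MODS}; do
-modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.te) $modfiles"
-modfiles="$(find ${S}/refpolicy/policy/modules -iname $i.fc) $modfiles"
-done
-
-for i in ${POLICY_TYPES}; do
-mkdir "${S}"/${i} || die "Failed to create directory ${S}/${i}"
-cp "${S}"/refpolicy/doc/Makefile.example "${S}"/${i}/Makefile \
-|| die "Failed to copy Makefile.example to ${S}/${i}/Makefile"
-
-cp ${modfiles} "${S}"/${i} \
-|| die "Failed to copy the module files to ${S}/${i}"
-done
-}
-
-src_compile() {
-for i in ${POLICY_TYPES}; do
-emake NAME=$i SHAREDIR="${ROOT%/}"/usr/share/selinux -C "${S}"/${i}
-done
-}
-
-src_install() {
-local BASEDIR="/usr/share/selinux"
-
-for i in ${POLICY_TYPES}; do
-for j in ${MODS}; do
-einfo "Installing ${i} ${j} policy package"
-insinto ${BASEDIR}/${i}
-doins "${S}"/${i}/${j}.pp
-done
-done
-}
-
-pkg_postinst() {
-# Set root path and don't load policy into the kernel when cross compiling
-local root_opts=""
-if [[ "${ROOT%/}" != "" ]]; then
-root_opts="-p ${ROOT%/} -n"
-fi
-
-# Override the command from the eclass, we need to load in base as well here
-local COMMAND="-i base.pp"
-if has_version "<sys-apps/policycoreutils-2.5"; then
-COMMAND="-b base.pp"
-fi
-
-for i in ${MODS}; do
-COMMAND="${COMMAND} -i ${i}.pp"
-done
-
-for i in ${POLICY_TYPES}; do
-einfo "Inserting the following modules, with base, into the $i module store: ${MODS}"
-
-cd "${ROOT%/}/usr/share/selinux/${i}"
-
-semodule ${root_opts} -s ${i} ${COMMAND}
-done
-
-# Don't relabel when cross compiling
-if [[ "${ROOT%/}" == "" ]]; then
-# Relabel depending packages
-local PKGSET="";
-if [[ -x /usr/bin/qdepends ]] ; then
-PKGSET=$(/usr/bin/qdepends -Cq -r -Q ${CATEGORY}/${PN} | grep -v 'sec-policy/selinux-');
-elif [[ -x /usr/bin/equery ]] ; then
-PKGSET=$(/usr/bin/equery -Cq depends ${CATEGORY}/${PN} | grep -v 'sec-policy/selinux-');
-fi
-if [[ -n "${PKGSET}" ]] ; then
-rlpkg ${PKGSET};
-fi
-fi
-}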
@ -1,7 +1,7 @@
|
||||
# Copyright 2020 Gentoo Authors
|
||||
# Distributed under the terms of the GNU General Public License v2
|
||||
|
||||
EAPI=6
|
||||
EAPI=7
|
||||
|
||||
DESCRIPTION="SELinux policies required by feffe for various reasons"
|
||||
HOMEPAGE="https://fulh.ax/feffe"
|
||||
|
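--- a/PATH-NOT-ON-PAGE/Manifest
+++ /dev/null
@@ -1,4 +0,0 @@
-AUX gentoonize.patch 3362 BLAKE2B b65ba85436b73a5f98e1d2a54462cea1d22c3ea2ded4628cf22763cc62b19f1e29b5e5e919b101efb7d3aaa67c2932ea78077007a8c3619eb4fcd515153b537e SHA512 9e1485d39f090d6387b905e2577dadf6de2720b576d413c719f9579547fcfba7a3e7ea1cd782b3df09debc673612913daa8975d6e256e17f38487073d854d918
-DIST patchbundle-selinux-base-policy-2.20190609-r1.tar.bz2 407664 BLAKE2B e6b6b56f990389365c062522582e2177bc3b70040c99948efad25737e69178f9f72149cc443cb9edacfdd1aa6bc29f637cc61939f66e5cc3841f83298b33c41e SHA512 16195b51bb414ac82821f93756b3b5d0ec206b7035a50379c1f796082d9c53b11369e15086e1e26521808944266364470c43dcfdd1818ba079fda1613b7ef9bd
-DIST refpolicy-2.20190609.tar.bz2 555882 BLAKE2B abc45d9c906e0c880b7c47b0fb8e33f4a277c73244e20e8a95c44452db817241110127a5f8a3347cfbf5e30bf91f9dd4e5dd826426eb88b383fdbff5963f5fcd SHA512 f05ca08d31e62b7bf7203d7b243cce9ba87dd68d13b30067b99a44d5007449078fa82d591faa88c2955d370a346e69faedc850c02bd77c5624a8c746a13467f3
-EBUILD selinux-puppet-2.20190609-r1.ebuild 329 BLAKE2B f6eda1b32e30ef32db8b6b0f49a4d159d956035f269255fbcaf18e56cad743e339ddc54b019aaf43106074f919a7a36bfb7cdf197a75f9e0e060d80f53e4e403 SHA512 248a7d43033b24e41d000305e1452991682223d9010b8de190a429d20eacbe5240de4e73b68b3f58021da7f28bb4e964eddcbdab4ca3040fce9d408f7b1ae73e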
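--- a/PATH-NOT-ON-PAGE/gentoonize.patch
+++ /dev/null
@@ -1,96 +0,0 @@
---- modules/admin/puppet.te.orig 2020-05-17 13:12:40.896205630 +0200
-+++ modules/admin/puppet.te 2020-05-17 13:27:57.725276233 +0200
-@@ -407,4 +407,69 @@
-portage_read_ebuild(puppet_t)
-portage_run(puppet_t, system_r)
-')
-+
-+')
-+## Feffestuff
-+#
-+gen_require(`
-+ type tmpfiles_t;
-+ type shadow_t;
-+ type sysadm_t;
-+ type auditd_initrc_exec_t;
-+ type syslogd_initrc_exec_t;
-+
-+ role sysadm_r;
-+')
-+# allow checkpath to create puppet log directory
-+allow tmpfiles_t self:capability { dac_override dac_read_search };
-+manage_dirs_pattern(tmpfiles_t, var_log_t, puppet_log_t)
-+
-+# and set its gid
-+allow puppet_t self:process setpgid;
-+
-+# allow puppet to inspect filesystems and block devices
-+fs_getattr_all_xattr_fs(puppet_t)
-+storage_getattr_fixed_disk_dev(puppet_t)
-+storage_getattr_removable_dev(puppet_t)
-+
-+# puppet needs to map etc_t files to start
-+mmap_rw_files_pattern(puppet_t, etc_t, etc_t)
-+
-+# required to check if password should change
-+auth_can_read_shadow_passwords(puppet_t)
-+read_files_pattern(puppet_t, etc_t, shadow_t)
-+
-+# allow puppet to execute some services
-+optional_policy(`
-+ iptables_domtrans(puppet_t)
-+')
-+optional_policy(`
-+ gen_require(`
-+ type sshd_exec_t;
-+ type sshd_t;
-+ ')
-+ domain_auto_transition_pattern(puppet_t, sshd_exec_t, sshd_t)
-+ can_exec(puppet_t, sshd_exec_t)
-+ allow sshd_t puppet_t:fd use;
-+')
-+
-+# allow sysadm to execute puppet without switching context (sysadm is not allowed to switch to system)
-+can_exec(sysadm_t, puppet_exec_t)
-+
-+# allow sysadm to read shadow, required to prevent unneccesary password changes
-+# when running puppet manually...
-+auth_can_read_shadow_passwords(sysadm_t)
-+read_files_pattern(sysadm_t, etc_t, shadow_t)
-+
-+init_startstop_service(sysadm_t, sysadm_r, auditd_t, auditd_initrc_exec_t, auditd_unit_t)
-+init_startstop_service(sysadm_t, sysadm_r, syslogd_t, syslogd_initrc_exec_t, syslogd_unit_t)
-+
-+optional_policy(`
-+ gen_require(`
-+ type sshd_exec_t;
-+ type sshd_t;
-+ ')
-+ domain_auto_transition_pattern(sysadm_t, sshd_exec_t, sshd_t)
-+ can_exec(sysadm_t, sshd_exec_t)
-+ allow sshd_t sysadm_t:fd use;
-')
---- modules/admin/puppet.fc.orig 2020-05-17 13:09:11.849189531 +0200
-+++ modules/admin/puppet.fc 2020-05-17 13:12:10.462203286 +0200
-@@ -1,7 +1,7 @@
-/etc/puppet(/.*)? gen_context(system_u:object_r:puppet_etc_t,s0)
-
--/etc/rc\.d/init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
--/etc/rc\.d/init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
-+/etc/(rc\.d/)?init\.d/puppet -- gen_context(system_u:object_r:puppet_initrc_exec_t,s0)
-+/etc/(rc\.d/)?init\.d/puppetmaster -- gen_context(system_u:object_r:puppetmaster_initrc_exec_t,s0)
-
-/usr/bin/puppetca -- gen_context(system_u:object_r:puppetca_exec_t,s0)
-/usr/bin/puppetd -- gen_context(system_u:object_r:puppet_exec_t,s0)
-@@ -13,6 +13,10 @@
-
-/var/lib/puppet(/.*)? gen_context(system_u:object_r:puppet_var_lib_t,s0)
-
--/var/log/puppet(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
-+/var/log/puppet(labs)?(/.*)? gen_context(system_u:object_r:puppet_log_t,s0)
-
-/run/puppet(/.*)? gen_context(system_u:object_r:puppet_runtime_t,s0)
-+
-+/opt/puppetlabs/puppet/bin/wrapper.sh gen_context(system_u:object_r:puppet_exec_t,s0)
-+
-+/opt/puppetlabs/puppet/lib/virt-what/virt-what-cpuid-helper gen_context(system_u:object_r:bin_t,s0)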
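--- a/PATH-NOT-ON-PAGE/selinux-puppet-2.20190609-r1.ebuild
+++ /dev/null
@@ -1,19 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-
-IUSE=""
-MODS="puppet"
-
-inherit selinux-policy-2
-
-DESCRIPTION="SELinux policy for puppet"
-
-if [[ ${PV} != 9999* ]] ; then
-KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86"
-fi
-
-POLICY_PATCH=(
-${FILESDIR}/gentoonize.patch
-)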
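--- a/PATH-NOT-ON-PAGE/Manifest
+++ /dev/null
@@ -1,4 +0,0 @@
-AUX gentoonize.patch 680 BLAKE2B d050110d3ad641c8ece916141b65d16d7fdbc9d6b784f46fd43a5f32d8fd03cf517019f459bb3b76e1ac6e8476c284a4b4db94dfa974a65fbf63c17d82872ff3 SHA512 d0c709c13eae5c7d4eda9ef7607943dfd4bdfdc6e0df5154749845c2a7eb83f49df7b1bcda90109f8062bebf8ceb232afef8fce924fa5700105549d3758f4d2c
-DIST patchbundle-selinux-base-policy-2.20190609-r1.tar.bz2 407664 BLAKE2B e6b6b56f990389365c062522582e2177bc3b70040c99948efad25737e69178f9f72149cc443cb9edacfdd1aa6bc29f637cc61939f66e5cc3841f83298b33c41e SHA512 16195b51bb414ac82821f93756b3b5d0ec206b7035a50379c1f796082d9c53b11369e15086e1e26521808944266364470c43dcfdd1818ba079fda1613b7ef9bd
-DIST refpolicy-2.20190609.tar.bz2 555882 BLAKE2B abc45d9c906e0c880b7c47b0fb8e33f4a277c73244e20e8a95c44452db817241110127a5f8a3347cfbf5e30bf91f9dd4e5dd826426eb88b383fdbff5963f5fcd SHA512 f05ca08d31e62b7bf7203d7b243cce9ba87dd68d13b30067b99a44d5007449078fa82d591faa88c2955d370a346e69faedc850c02bd77c5624a8c746a13467f3
-EBUILD selinux-stunnel-2.20190609-r1.ebuild 331 BLAKE2B 0c168ea0e2563b72d5ec093022949ecce9afca9ab0bd16c62162950fa25eadfc48194ff51a27a2d9bd000a30833da0c80e156422c44018d8ef33b9165623ab9a SHA512 744685c5934045cb0eb08c2786dd1e2d1373d747f86bcbd0a9748bc03d37df0e2ad7298b4de5b23053497131e26a9968dd8544f8504964a34e039f6ace2b917c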
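--- a/PATH-NOT-ON-PAGE/gentoonize.patch
+++ /dev/null
@@ -1,16 +0,0 @@
---- modules/services/stunnel.te.orig 2020-05-17 13:43:58.025350184 +0200
-+++ modules/services/stunnel.te 2020-05-17 13:44:55.968354646 +0200
-@@ -26,6 +26,7 @@
-allow stunnel_t self:capability { setgid setuid sys_chroot };
-dontaudit stunnel_t self:capability sys_tty_config;
-allow stunnel_t self:process signal_perms;
-+allow stunnel_t self:process setsched;
-allow stunnel_t self:fifo_file rw_fifo_file_perms;
-allow stunnel_t self:tcp_socket { accept listen };
-allow stunnel_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-@@ -106,3 +107,5 @@
-type stunnel_port_t;
-')
-allow stunnel_t stunnel_port_t:tcp_socket name_bind;
-+
-+read_files_pattern(stunnel_t, usr_t, usr_t)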
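--- a/PATH-NOT-ON-PAGE/selinux-stunnel-2.20190609-r1.ebuild
+++ /dev/null
@@ -1,19 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI="6"
-
-IUSE=""
-MODS="stunnel"
-
-inherit selinux-policy-2
-
-DESCRIPTION="SELinux policy for stunnel"
-
-if [[ ${PV} != 9999* ]] ; then
-KEYWORDS="~amd64 -arm ~arm64 ~mips ~x86"
-fi
-
-POLICY_PATCH=(
-${FILESDIR}/gentoonize.patch
-)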