2012-10-02 14:29:37

by Matthew Thode

Subject: [refpolicy] [PATCH] added autofs support and nsswitch support

added nsswitch for AVC denials
added search_auto_mountpoints for autofs support
added fs_getattr_nfs(portage_t) for nfs on autofs support

---
portage.te | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/portage.te b/portage.te
index 630f16f..321b1ac 100644
--- a/portage.te
+++ b/portage.te
@@ -193,6 +193,8 @@ files_manage_all_files(portage_t)
selinux_get_fs_mount(portage_t)

auth_manage_shadow(portage_t)
+auth_use_nsswitch(portage_fetch_t)
+auth_use_nsswitch(portage_sandbox_t)

# merging baselayout will need this:
init_exec(portage_t)
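Review bot: the two auth_use_nsswitch() calls are for portage_fetch_t and portage_sandbox_t, yet they are added in the portage_t rule block, right under auth_manage_shadow(portage_t); each belongs in its own domain's section of portage.te. auth_use_nsswitch() is a broad interface (it covers name-service lookups and the config reads they need), so existing rules for those two domains that only served name resolution are probably now duplicated and should be removed in the same patch. The commit line "added nsswitch for AVC denials" should also quote or summarise the actual denials so a reviewer can confirm this interface is the narrowest fix.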
@@ -298,6 +300,8 @@ files_read_usr_files(portage_fetch_t)
files_search_var_lib(portage_fetch_t)
files_dontaudit_search_pids(portage_fetch_t)

+fs_search_auto_mountpoints(portage_fetch_t)
+
logging_list_logs(portage_fetch_t)
logging_dontaudit_search_logs(portage_fetch_t)

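Review bot: fs_search_auto_mountpoints() is granted only to portage_fetch_t, but the commit message and the third hunk (fs_getattr_nfs(portage_t) "for nfs on autofs support") imply portage_t also reaches filesystems through autofs mount points; confirm whether portage_t (and portage_sandbox_t) hit the same autofs search denials and, if so, add the call in their sections too, otherwise state in the commit message that autofs support is scoped to fetching.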
@@ -318,6 +322,7 @@ ifdef(`hide_broken_symptoms',`
')

tunable_policy(`portage_use_nfs',`
+ fs_getattr_nfs(portage_t)
fs_getattr_nfs(portage_fetch_t)
fs_manage_nfs_dirs(portage_fetch_t)
fs_manage_nfs_files(portage_fetch_t)
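Review bot: fs_getattr_nfs(portage_t) is added to a tunable_policy(`portage_use_nfs') block whose other rules are all for portage_fetch_t; check whether portage_t already gets getattr on nfs filesystems under this tunable elsewhere in the module, in which case this line is redundant and should be dropped rather than duplicated. The added line is also indented with a single space where the neighbouring lines in the block use the file's existing indentation; match it.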
--
1.7.8.6


2012-10-02 15:19:51

by dominick.grift

Subject: [refpolicy] [PATCH] added autofs support and nsswitch support



On Tue, 2012-10-02 at 09:29 -0500, Matthew Thode wrote:
> added nsswitch for AVC denials
> added search_auto_mountpoints for autofs support
> added fs_getattr_nfs(portage_t) for nfs on autofs support
>
> ---
> portage.te | 5 +++++
> 1 files changed, 5 insertions(+), 0 deletions(-)
>
> diff --git a/portage.te b/portage.te
> index 630f16f..321b1ac 100644
> --- a/portage.te
> +++ b/portage.te
> @@ -193,6 +193,8 @@ files_manage_all_files(portage_t)
> selinux_get_fs_mount(portage_t)
>
> auth_manage_shadow(portage_t)
> +auth_use_nsswitch(portage_fetch_t)
> +auth_use_nsswitch(portage_sandbox_t)
>
> # merging baselayout will need this:
> init_exec(portage_t)
> @@ -298,6 +300,8 @@ files_read_usr_files(portage_fetch_t)
> files_search_var_lib(portage_fetch_t)
> files_dontaudit_search_pids(portage_fetch_t)
>
> +fs_search_auto_mountpoints(portage_fetch_t)
> +
> logging_list_logs(portage_fetch_t)
> logging_dontaudit_search_logs(portage_fetch_t)
>
> @@ -318,6 +322,7 @@ ifdef(`hide_broken_symptoms',`
> ')
>
> tunable_policy(`portage_use_nfs',`
> + fs_getattr_nfs(portage_t)
> fs_getattr_nfs(portage_fetch_t)
> fs_manage_nfs_dirs(portage_fetch_t)
> fs_manage_nfs_files(portage_fetch_t)

This patch was merged.

fs_getattr_nfs(portage_t) turned out to be redundant (portage is
already allowed to get attributes of nfs filesystems when
portage_use_nfs is toggled to true).

I also removed some existing policy that became redundant due to the
addition of auth_use_nsswitch() calls.

And I moved stuff around to the proper places.