---
portage.if | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/portage.if b/portage.if
index 5e8eb2ba..c0c7e9be 100644
--- a/portage.if
+++ b/portage.if
@@ -102,6 +102,7 @@ interface(`portage_compile_domain',`
manage_dirs_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
manage_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
manage_lnk_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
+ allow $1 portage_srcrepo_t:file map;
# run scripts out of the build directory
can_exec(portage_sandbox_t, portage_tmp_t)
@@ -187,6 +188,9 @@ interface(`portage_compile_domain',`
# SELinux-enabled programs running in the sandbox
seutil_libselinux_linked($1)
+ # required by install
+ seutil_read_file_contexts($1)
+
tunable_policy(`portage_use_nfs',`
fs_getattr_nfs($1)
fs_manage_nfs_dirs($1)
--
2.14.1
On 09/11/2017 02:40 AM, Luis Ressel via refpolicy wrote:
> ---
> portage.if | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/portage.if b/portage.if
> index 5e8eb2ba..c0c7e9be 100644
> --- a/portage.if
> +++ b/portage.if
> @@ -102,6 +102,7 @@ interface(`portage_compile_domain',`
> manage_dirs_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
> manage_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
> manage_lnk_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
> + allow $1 portage_srcrepo_t:file map;
When you say needed for git, is this when using an ebuild that builds
from a git repo rather than unpacking a tarball? What is it mapping?
> # run scripts out of the build directory
> can_exec(portage_sandbox_t, portage_tmp_t)
> @@ -187,6 +188,9 @@ interface(`portage_compile_domain',`
> # SELinux-enabled programs running in the sandbox
> seutil_libselinux_linked($1)
>
> + # required by install
> + seutil_read_file_contexts($1)
> +
> tunable_policy(`portage_use_nfs',`
> fs_getattr_nfs($1)
> fs_manage_nfs_dirs($1)
>
--
Chris PeBenito
On Mon, 11 Sep 2017 20:12:51 -0400
Chris PeBenito via refpolicy <[email protected]> wrote:
> On 09/11/2017 02:40 AM, Luis Ressel via refpolicy wrote:
> > ---
> > portage.if | 4 ++++
> > 1 file changed, 4 insertions(+)
> >
> > diff --git a/portage.if b/portage.if
> > index 5e8eb2ba..c0c7e9be 100644
> > --- a/portage.if
> > +++ b/portage.if
> > @@ -102,6 +102,7 @@ interface(`portage_compile_domain',`
> > manage_dirs_pattern($1, portage_srcrepo_t,
> > portage_srcrepo_t) manage_files_pattern($1, portage_srcrepo_t,
> > portage_srcrepo_t) manage_lnk_files_pattern($1, portage_srcrepo_t,
> > portage_srcrepo_t)
> > + allow $1 portage_srcrepo_t:file map;
>
> When you say needed for git, is this when using an ebuild that builds
> from a git repo rather than unpacking a tarball? What is it mapping?
Exactly, this is for live ebuilds and other users of git repos. git
maps its packfiles, and doesn't fall back to read().
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20170912/5c7ec51b/attachment.bin
On Mon, Sep 11, 2017 at 08:12:51PM -0400, Chris PeBenito via refpolicy wrote:
> On 09/11/2017 02:40 AM, Luis Ressel via refpolicy wrote:
> > ---
> > portage.if | 4 ++++
> > 1 file changed, 4 insertions(+)
> >
> > diff --git a/portage.if b/portage.if
> > index 5e8eb2ba..c0c7e9be 100644
> > --- a/portage.if
> > +++ b/portage.if
> > @@ -102,6 +102,7 @@ interface(`portage_compile_domain',`
> > manage_dirs_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
> > manage_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
> > manage_lnk_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
> > + allow $1 portage_srcrepo_t:file map;
>
> When you say needed for git, is this when using an ebuild that builds
> from a git repo rather than unpacking a tarball? What is it mapping?
i think these are objects in .git, these are binaries and are always mapped by git client
>
>
> > # run scripts out of the build directory
> > can_exec(portage_sandbox_t, portage_tmp_t)
> > @@ -187,6 +188,9 @@ interface(`portage_compile_domain',`
> > # SELinux-enabled programs running in the sandbox
> > seutil_libselinux_linked($1)
> >
> > + # required by install
> > + seutil_read_file_contexts($1)
> > +
> > tunable_policy(`portage_use_nfs',`
> > fs_getattr_nfs($1)
> > fs_manage_nfs_dirs($1)
> >
>
>
> --
> Chris PeBenito
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20170912/e999c16c/attachment.bin
On 09/11/2017 02:40 AM, Luis Ressel via refpolicy wrote:
> ---
> portage.if | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/portage.if b/portage.if
> index 5e8eb2ba..c0c7e9be 100644
> --- a/portage.if
> +++ b/portage.if
> @@ -102,6 +102,7 @@ interface(`portage_compile_domain',`
> manage_dirs_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
> manage_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
> manage_lnk_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
> + allow $1 portage_srcrepo_t:file map;
>
> # run scripts out of the build directory
> can_exec(portage_sandbox_t, portage_tmp_t)
> @@ -187,6 +188,9 @@ interface(`portage_compile_domain',`
> # SELinux-enabled programs running in the sandbox
> seutil_libselinux_linked($1)
>
> + # required by install
> + seutil_read_file_contexts($1)
> +
> tunable_policy(`portage_use_nfs',`
> fs_getattr_nfs($1)
> fs_manage_nfs_dirs($1)
Merged.
--
Chris PeBenito