From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Thu, 28 Apr 2011 21:30:12 +0200
Subject: [refpolicy] [PATCH 2/4] Allow portage to set file capabilities,
 needed for installations like for wireshark
Message-ID: <20110428193012.GB29963@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The installation of the wireshark package (and perhaps others) requires
portage setting file capabilities (through the setcap binary).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/admin/portage.te |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 8f41c2e..d6697d3 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -125,7 +125,7 @@ optional_policy(`
 # - setexec to run portage fetch
 allow portage_t self:process { setfscreate setexec };
 # - kill for mysql merging, at least
-allow portage_t self:capability { sys_nice kill };
+allow portage_t self:capability { sys_nice kill setfcap };
 
 # user post-sync scripts
 can_exec(portage_t, portage_conf_t)
-- 
1.7.3.4