From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Mon, 02 May 2011 11:30:53 -0400 Subject: [refpolicy] [PATCH 2/4] Allow portage to set file capabilities, needed for installations like for wireshark In-Reply-To: <20110428193012.GB29963@siphos.be> References: <20110428193012.GB29963@siphos.be> Message-ID: <4DBECE2D.4040302@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 04/28/11 15:30, Sven Vermeulen wrote: > The installation of the wireshark package (and perhaps others) requires > portage setting file capabilities (through the setcap binary). Merged. > Signed-off-by: Sven Vermeulen > --- > policy/modules/admin/portage.te | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te > index 8f41c2e..d6697d3 100644 > --- a/policy/modules/admin/portage.te > +++ b/policy/modules/admin/portage.te > @@ -125,7 +125,7 @@ optional_policy(` > # - setexec to run portage fetch > allow portage_t self:process { setfscreate setexec }; > # - kill for mysql merging, at least > -allow portage_t self:capability { sys_nice kill }; > +allow portage_t self:capability { sys_nice kill setfcap }; > > # user post-sync scripts > can_exec(portage_t, portage_conf_t) -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
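Review bot: the `setfcap` added in `allow portage_t self:capability { sys_nice kill setfcap };` has no matching entry in the comment list above the rule, which still documents only `kill` ("# - kill for mysql merging, at least"). Suggest adding a line such as "# - setfcap for packages that set file capabilities through setcap (e.g. wireshark)" so the justification stays next to the rule. The capability is granted to portage_t as a whole and lets that domain attach file capabilities to installed binaries, so it would also help to note whether it could instead be limited to a narrower domain for the setcap call.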