From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Tue, 19 Jul 2011 23:31:00 +0200 Subject: [refpolicy] [PATCH 4/4] Support proxy server/cache servers and binpkg servers In-Reply-To: <20110719211641.GA14490@siphos.be> References: <20110719211641.GA14490@siphos.be> Message-ID: <20110719213100.GE14490@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Portage supports the use of proxy systems (which usually run on port 8080) for both the fetching of software archives as well as fetching binaries (in case of PORTAGE_BINHOST support). Hence the introduction of the connect_http_port & connect_http_cache_port for portage_t (PORTAGE_BINHOST) and portage_fetch_t (software archives). In the latter case, connect_http_port is already available through connect_all_reserved_ports. Signed-off-by: Sven Vermeulen --- policy/modules/admin/portage.te | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te index e555e41..b11cdd2 100644 --- a/policy/modules/admin/portage.te +++ b/policy/modules/admin/portage.te @@ -166,6 +166,10 @@ can_exec(portage_t, portage_tmp_t) # merging baselayout will need this: kernel_write_proc_files(portage_t) +# allow emerge to fetch binpkgs from PORTAGE_BINHOST +corenet_tcp_connect_http_port(portage_t) +corenet_tcp_connect_http_cache_port(portage_t) + domain_dontaudit_read_all_domains_state(portage_t) # modify any files in the system @@ -258,6 +262,7 @@ corenet_tcp_sendrecv_all_ports(portage_fetch_t) # it occasionally comes up corenet_tcp_connect_all_reserved_ports(portage_fetch_t) corenet_tcp_connect_generic_port(portage_fetch_t) +corenet_tcp_connect_http_cache_port(portage_fetch_t) # In case of cache server connections/proxy dev_dontaudit_read_rand(portage_fetch_t) -- 1.7.3.4
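Review bot: In the first hunk (@@ -166,6 +166,10 @@), corenet_tcp_connect_http_port(portage_t) and corenet_tcp_connect_http_cache_port(portage_t) are granted unconditionally, although the commit message ties them to PORTAGE_BINHOST and proxy use, which not every system has. The trailing context shows portage_t is the domain allowed to "modify any files in the system", so consider putting both calls inside a tunable_policy() block, so that installs without a binhost or proxy keep the narrower network access. This would need a new boolean, since none is visible in this patch. The added comment names only PORTAGE_BINHOST and leaves the reason for the http_cache line unstated. It should mention the proxy case as well.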
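Review bot: In the second hunk (@@ -258,6 +262,7 @@), the added corenet_tcp_connect_http_cache_port(portage_fetch_t) line carries a trailing comment, while the neighbouring context puts its comment ("# it occasionally comes up") on its own line above the rules. Move "# In case of cache server connections/proxy" to its own line above the call for consistency. The context already grants corenet_tcp_connect_all_reserved_ports and corenet_tcp_connect_generic_port to portage_fetch_t, so the comment should also say why those two do not cover the proxy port. Otherwise a later cleanup may drop the line as redundant.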