From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 20 Jul 2011 13:17:42 -0400
Subject: [refpolicy] [PATCH 4/4] Support proxy server/cache servers and binpkg servers
In-Reply-To: <20110720171206.GC18951@siphos.be>
References: <20110719211641.GA14490@siphos.be> <20110719213100.GE14490@siphos.be> <4E26F923.7060307@tresys.com> <20110720171206.GC18951@siphos.be>
Message-ID: <4E270DB6.4070102@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/20/11 13:12, Sven Vermeulen wrote:
> On Wed, Jul 20, 2011 at 11:49:55AM -0400, Christopher J. PeBenito wrote:
>> On 07/19/11 17:31, Sven Vermeulen wrote:
>>> Portage supports the use of proxy systems (which usually run on port 8080)
>>> for both the fetching of software archives as well as fetching binaries (in
>>> case of PORTAGE_BINHOST support).
>>>
>>> Hence the introduction of the connect_http_port & connect_http_cache_port
>>> for portage_t (PORTAGE_BINHOST) and portage_fetch_t (software archives).
>>>
>>> In the latter case, connect_http_port is already available through
>>> connect_all_reserved_ports.
>>
>> I presume portage is using wget to do this? Why can't we update portage
>> to do setexeccon, like when it is doing when downloading source files?
>
> You mean to have Portage transition to portage_fetch_t again so that the
> privileges on portage_t aren't necessary? I don't think that would be a
> problem.

Yes. As much as possible, we were trying to keep the network access in
portage_fetch_t.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
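The approach agreed on above (have Portage set an exec context so the binpkg download runs in portage_fetch_t, instead of granting the HTTP and proxy ports to portage_t) is shown here as an added example; it is not part of the thread and is not Portage's or refpolicy's own code. It assumes the libselinux Python bindings (`selinux.is_selinux_enabled`, `selinux.getcon`, `selinux.setexeccon`) and a loaded policy that permits the portage_t to portage_fetch_t transition for the fetcher binary; the function names are hypothetical.

```python
# Added example (not Portage or refpolicy code): spawn a fetcher such as wget
# under portage_fetch_t by setting the exec context first, so the network
# permissions stay on portage_fetch_t and portage_t needs no port access.
# Assumptions: libselinux Python bindings are installed, and the loaded policy
# allows process:transition from portage_t to portage_fetch_t (plus setexec
# on portage_t itself and an entrypoint for the fetcher binary).
import subprocess
from typing import List, Optional

try:
    import selinux  # libselinux bindings; absent on hosts without SELinux
except ImportError:
    selinux = None

FETCH_TYPE = "portage_fetch_t"


def fetch_context(current: str, fetch_type: str = FETCH_TYPE) -> str:
    """Return `current` with its type field replaced by the fetch domain.

    A context is user:role:type[:range]; only the third field changes, so the
    caller's SELinux user, role and any MLS/MCS range are preserved.
    """
    fields = current.split(":", 3)
    if len(fields) < 3:
        raise ValueError(f"not an SELinux context: {current!r}")
    fields[2] = fetch_type
    return ":".join(fields)


def selinux_enforcing() -> bool:
    """True only when the bindings are present and SELinux is enabled."""
    return selinux is not None and selinux.is_selinux_enabled() == 1


def run_fetch(argv: List[str], context: Optional[str] = None) -> int:
    """Run `argv`, in the fetch domain when SELinux is enabled.

    setexeccon() only marks the *next* exec; the kernel still checks the
    transition against the loaded policy, so a denied transition fails the
    exec instead of silently running the fetcher in portage_t.
    """
    if not selinux_enforcing():
        return subprocess.call(argv)
    if context is None:
        rc, current = selinux.getcon()
        if rc != 0:
            raise OSError("getcon() failed")
        context = fetch_context(current)
    if selinux.setexeccon(context) != 0:
        raise OSError(f"setexeccon({context}) failed")
    try:
        return subprocess.call(argv)
    finally:
        selinux.setexeccon(None)  # clear it so later execs are unaffected


if __name__ == "__main__":
    # Hypothetical invocation; the URL is a placeholder.
    print(run_fetch(["wget", "-q", "http://binhost.example/Packages"]))
```

The policy side is the mirror image of the thread: the corenet port interfaces are called for portage_fetch_t only, and portage_t keeps the transition and setexec permissions rather than any port access. Clearing the exec context in `finally` matters because setexeccon is sticky for the calling thread until the next exec.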