From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sun, 24 Jul 2011 12:43:46 +0200
Subject: [refpolicy] [PATCH 2/2] Support emerge-webrsync through portage domain
In-Reply-To: <20110724104149.GA6581@siphos.be>
References: <20110724104149.GA6581@siphos.be>
Message-ID: <20110724104346.GC6581@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The emerge-webrsync application fetches snapshots (archives), extracts them and then synchronizes the local tree with the snapshot. It uses portage code (and libraries) to do so, but is implemented as a wrapper as it also offers the possibility of verifying the GPG signature of the snapshot first.

By putting emerge-webrsync in portage's domain, it is handled through the regular portage_run() and portage_domtrans() methods. It is also necessary to put it in this domain for unattended/automated calls, such as through cron and puppet.

Signed-off-by: Sven Vermeulen
---
 policy/modules/admin/portage.fc | 2 ++
 policy/modules/admin/portage.te | 4 ++++
 2 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc
index 38cc918..b1bb073 100644
--- a/policy/modules/admin/portage.fc
+++ b/policy/modules/admin/portage.fc
@@ -8,6 +8,7 @@ /usr/lib(64)?/portage/bin/ebuild -- gen_context(system_u:object_r:portage_exec_t,s0) /usr/lib(64)?/portage/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0) +/usr/lib(64)?/portage/bin/emerge-webrsync -- gen_context(system_u:object_r:portage_exec_t,s0) /usr/lib(64)?/portage/bin/quickpkg -- gen_context(system_u:object_r:portage_exec_t,s0) /usr/lib(64)?/portage/bin/ebuild\.sh -- gen_context(system_u:object_r:portage_exec_t,s0) /usr/lib(64)?/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0)
@@ -22,5 +23,6 @@ /var/log/portage(/.*)? gen_context(system_u:object_r:portage_log_t,s0) /var/lib/layman(/.*)? gen_context(system_u:object_r:layman_var_lib_t,s0) /var/lib/portage(/.*)? gen_context(system_u:object_r:portage_cache_t,s0) +/var/tmp/emerge-webrsync(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0) /var/tmp/portage(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0) /var/tmp/portage-pkg(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0) diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te index 7d7242d..d392124 100644 --- a/policy/modules/admin/portage.te +++ b/policy/modules/admin/portage.te @@ -240,6 +240,10 @@ optional_policy(` ') optional_policy(` + gpg_domtrans(portage_t) +') + +optional_policy(` modutils_domtrans_depmod(portage_t) modutils_domtrans_update_mods(portage_t) #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms; -- 1.7.3.4
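Review bot: the new /usr/lib(64)?/portage/bin/emerge-webrsync entry in the first portage.fc hunk labels only that one path; if the script is also reachable through another location (for example a wrapper or symlink under /usr/bin), that path needs its own portage_exec_t entry, otherwise invoking it from there would not enter portage_t and the cron/puppet use case from the commit message would still be denied. It is also worth saying in the commit message that existing installs need a relabel (restorecon on the portage bin directory) before the new entry has any effect, since an .fc change does not touch files already on disk.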
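Review bot: the /var/tmp/emerge-webrsync(/.*)? line in the second portage.fc hunk gives the right label on relabel, but nothing in the portage.te hunk adds a file transition for portage_t creating that directory under /var/tmp, so when emerge-webrsync creates it at runtime its label depends entirely on whatever tmp file transition portage_t already has (and is tmp_t if there is none). Please confirm an existing filetrans covers it, or add one in this patch, so the extracted snapshot is portage_tmp_t from creation rather than only after a restorecon.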
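Review bot: gpg_domtrans(portage_t) in the portage.te hunk only adds the domain transition; for the signature check the commit message describes, gpg_t must also be able to read the downloaded snapshot and its signature, which the second portage.fc hunk places in portage_tmp_t under /var/tmp/emerge-webrsync, plus whatever keyring portage points gpg at. Nothing here grants that, so either state in the commit message that gpg_t already has read access to portage_tmp_t, or add the needed interface in the same patch; otherwise the verification step fails with an AVC denial after the transition succeeds. Since the commit message describes verification as optional, consider gating the transition behind a tunable instead of granting it unconditionally.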