From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Sat, 13 Aug 2011 20:23:11 +0200 Subject: [refpolicy] [PATCH 2/4] Support emerge-webrsync through portage domain In-Reply-To: <20110813182048.GA12571@siphos.be> References: <20110813182048.GA12571@siphos.be> Message-ID: <20110813182311.GC12571@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The emerge-webrsync application fetches snapshots (archives), extracts them and then synchronizes the local tree with the snapshot. It uses portage code (and libraries) to do so, but is implemented as a wrapper as it also offers the possibility of verifying the GPG signature of the snapshot first. By putting emerge-webrsync in portage's domain, it is handled through the regular portage_run() and portage_domtrans() methods. It is also necessary to put it in this domain for unattended/automated calls, such as through cron and puppet. Signed-off-by: Sven Vermeulen --- policy/modules/admin/portage.fc | 2 ++ policy/modules/admin/portage.te | 4 ++++ 2 files changed, 6 insertions(+), 0 deletions(-) diff --git a/policy/modules/admin/portage.fc b/policy/modules/admin/portage.fc index 38cc918..b1bb073 100644 --- a/policy/modules/admin/portage.fc +++ b/policy/modules/admin/portage.fc @@ -8,6 +8,7 @@ /usr/lib(64)?/portage/bin/ebuild -- gen_context(system_u:object_r:portage_exec_t,s0) /usr/lib(64)?/portage/bin/emerge -- gen_context(system_u:object_r:portage_exec_t,s0) +/usr/lib(64)?/portage/bin/emerge-webrsync -- gen_context(system_u:object_r:portage_exec_t,s0) /usr/lib(64)?/portage/bin/quickpkg -- gen_context(system_u:object_r:portage_exec_t,s0) /usr/lib(64)?/portage/bin/ebuild\.sh -- gen_context(system_u:object_r:portage_exec_t,s0) /usr/lib(64)?/portage/bin/regenworld -- gen_context(system_u:object_r:portage_exec_t,s0) 
@@ -22,5 +23,6 @@ /var/log/portage(/.*)? gen_context(system_u:object_r:portage_log_t,s0) /var/lib/layman(/.*)? gen_context(system_u:object_r:layman_var_lib_t,s0) /var/lib/portage(/.*)? gen_context(system_u:object_r:portage_cache_t,s0) +/var/tmp/emerge-webrsync(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0) /var/tmp/portage(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0) /var/tmp/portage-pkg(/.*)? gen_context(system_u:object_r:portage_tmp_t,s0) diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te index 29130da..4a6e53e 100644 --- a/policy/modules/admin/portage.te +++ b/policy/modules/admin/portage.te @@ -239,6 +239,10 @@ optional_policy(` ') optional_policy(` + gpg_domtrans(portage_t) +') + +optional_policy(` modutils_domtrans_depmod(portage_t) modutils_domtrans_update_mods(portage_t) #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms; -- 1.7.3.4
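Review bot: the first portage.fc hunk (@@ -8,6 +8,7 @@) labels emerge-webrsync only under /usr/lib(64)?/portage/bin/; if the script is also reachable through another path (for example a symlink in /usr/bin, which would need a `-l` entry), that path gets no portage_exec_t label and the portage_domtrans() transition the commit message relies on, including for cron and puppet invocations, will not fire. Worth checking the installed paths with `matchpathcon` before merging.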
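Review bot: the second portage.fc hunk (@@ -22,5 +23,6 @@) adds `/var/tmp/emerge-webrsync(/.*)?` as portage_tmp_t, but a file context entry only takes effect at relabel time; the directory is created at runtime under /var/tmp, so its label depends on portage_t having a file transition for directories created in tmp to portage_tmp_t. The patch neither adds nor mentions one, so please confirm such a rule already exists in portage.te; otherwise the directory ends up with the default /var/tmp label and this entry is dead until the next relabel.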
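Review bot: the portage.te hunk (@@ -239,6 +239,10 @@) adds `gpg_domtrans(portage_t)`, which grants the transition to gpg to every process running in portage_t (emerge, ebuild, quickpkg and the rest of the portage_exec_t set), not only to emerge-webrsync, while the commit message justifies it solely by the snapshot signature check; a short comment above the optional_policy block stating that reason, in the style of the existing `#dontaudit` comment in the same hunk, would help the next reader. The transition alone also does not give gpg_t read access to the snapshot and its signature under /var/tmp/emerge-webrsync (portage_tmp_t per the other hunk) or to the keyring used for verification, so run emerge-webrsync in enforcing mode and check the audit log for AVC denials in gpg_t before considering this complete.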