From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Tue, 23 Aug 2011 15:44:21 +0200 Subject: [refpolicy] [PATCH 08/11] Introduce search_conf_dirs and read_tmp_files interfaces for Portage In-Reply-To: <20110823133643.GA857@siphos.be> References: <20110823133643.GA857@siphos.be> Message-ID: <20110823134421.GI857@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com We add support for searching through portage' configuration file locations (which will be used in subsequent patches) for tools that provide additional features on top of Portage and which integrate with it. For instance, gpg (validating snapshots). Signed-off-by: Sven Vermeulen --- policy/modules/admin/portage.if | 39 +++++++++++++++++++++++++++++++++++++++ 1 files changed, 39 insertions(+), 0 deletions(-) diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if index a1bfbaa..4851e90 100644 --- a/policy/modules/admin/portage.if +++ b/policy/modules/admin/portage.if @@ -258,6 +258,25 @@ interface(`portage_run_gcc_config',` ######################################## ## +## Allow a domain search privileges through portage configuration +## file directories +## +## +## +## Domain to allow search privileges +## +## +# +interface(`portage_search_conf_dirs',` + gen_require(` + type portage_conf_t; + ') + + allow $1 portage_conf_t:dir search_dir_perms; +') + +######################################## +## ## Do not audit attempts to search the ## portage temporary directories. ## 
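Review bot: The summary block for `portage_search_conf_dirs` is ungrammatical (`Allow a domain search privileges through portage configuration file directories`) and longer than the imperative one-liners used by the neighbouring interfaces; `## Search portage configuration file directories.` would match the file's convention. The permission choice itself looks right: `search_dir_perms` on `portage_conf_t` is the minimal right for path traversal and does not let the caller list the directory. Since the caller can only reach these directories if it can also traverse their parent (presumably /etc, if portage_conf_t is labelled under it as a configuration type), the summary or the param text should say that callers are expected to hold `files_search_etc($1)` as well, so that users of this interface do not end up with an AVC denial on the parent directory and dontaudit it away.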
@@ -277,6 +296,26 @@ interface(`portage_dontaudit_search_tmp',` ######################################## ## +## Allow a domain to read portage_tmp_t files +## +## +## +## Domain to allow read privileges +## +## +# +interface(`portage_read_tmp_files',` + gen_require(` + type portage_tmp_t; + ') + + allow $1 portage_tmp_t:dir list_dir_perms; + allow $1 portage_tmp_t:file read_file_perms; +') + + +######################################## +## ## Do not audit attempts to read and write ## the portage temporary files. ## -- 1.7.3.4
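Review bot: `portage_read_tmp_files` grants `list_dir_perms` on `portage_tmp_t` directories, which allows the caller to enumerate the build temporary tree rather than only traverse it to reach the files it reads; the refpolicy idiom for a read-files interface is the single line `read_files_pattern($1, portage_tmp_t, portage_tmp_t)`, which grants `search_dir_perms` plus `read_file_perms` and would replace both allow rules with the narrower set. If the gpg/snapshot consumers mentioned in the description genuinely need to list the directory, keep `list_dir_perms` but state that in the summary so the extra right is documented rather than implicit. The summary `Allow a domain to read portage_tmp_t files` could likewise be shortened to `Read portage temporary files.` to match the surrounding interfaces. The hunk also leaves two blank lines between the closing `')` and the next `####` banner, whereas the interface added in the previous hunk uses one.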