From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Thu, 25 Aug 2011 07:37:11 -0400 Subject: [refpolicy] [PATCH 11/11] Allow portage to call GnuPG In-Reply-To: <20110823134637.GL857@siphos.be> References: <20110823133643.GA857@siphos.be> <20110823134637.GL857@siphos.be> Message-ID: <4E5633E7.4090400@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 08/23/11 09:46, Sven Vermeulen wrote: > Allow the portage domain to transition to the gpg_t domain (used for instance > when validating signed manifests) > > Signed-off-by: Sven Vermeulen > --- > policy/modules/admin/portage.te | 4 ++++ > 1 files changed, 4 insertions(+), 0 deletions(-) > > diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te > index beeeb81..af2d00e 100644 > --- a/policy/modules/admin/portage.te > +++ b/policy/modules/admin/portage.te > @@ -192,6 +192,10 @@ optional_policy(` > ') > > optional_policy(` > + gpg_domtrans(portage_t) > +') > + > +optional_policy(` > modutils_domtrans_depmod(portage_t) > modutils_domtrans_update_mods(portage_t) > #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms; Is this really necessary? Gpg_t is oriented towards users; gpg_exec() doesn't work? -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
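Review bot: the new optional_policy block in portage.te calls gpg_domtrans(portage_t), so every gpg invocation from portage runs in gpg_t, yet the commit message gives only "validating signed manifests" as the use case and does not say why a transition is required. The hunk adds no rule that lets gpg_t read the files portage would hand it for verification, so the transition on its own may not be sufficient, and it makes the verification step run with gpg_t's permissions rather than portage_t's. Suggest stating in the commit message why executing gpg without a transition (the gpg_exec() approach raised in the reply) does not work, and, if the transition stays, adding a comment above the block that names the manifest-verification use case.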