From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sat, 3 Sep 2011 16:23:28 +0200
Subject: [refpolicy] [PATCH 8/8] Allow cron to execute portage commands
In-Reply-To: <20110903141833.GA25374@siphos.be>
References: <20110903141833.GA25374@siphos.be>
Message-ID: <20110903142328.GI25374@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Many users use portage from within cron (for instance to update the
portage tree or even automatically update their system). As such, we
allow to run portage from the (system) cronjob domains.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/admin/portage.te |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 429ffb0..32fbd7d 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -198,6 +198,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	cron_system_entry(portage_t, portage_exec_t)
+	cron_system_entry(portage_fetch_t, portage_fetch_exec_t)
+')
+
+optional_policy(`
 	modutils_domtrans_depmod(portage_t)
 	modutils_domtrans_update_mods(portage_t)
 	#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
-- 
1.7.3.4