From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Tue, 6 Sep 2011 14:09:45 -0400 Subject: [refpolicy] [PATCHv2 5/8] Introduce portage_fetch_t as an application domain In-Reply-To: <20110903142147.GF25374@siphos.be> References: <20110903141833.GA25374@siphos.be> <20110903142147.GF25374@siphos.be> Message-ID: <4E6661E9.2060705@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/03/11 10:21, Sven Vermeulen wrote: > diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if > index 3dd9f65..9f7d652 100644 > --- a/policy/modules/admin/portage.if > +++ b/policy/modules/admin/portage.if > @@ -16,6 +16,7 @@ > interface(`portage_domtrans',` > gen_require(` > type portage_t, portage_exec_t; > + type portage_fetch_t, portage_fetch_exec_t; > ') > > files_search_usr($1) > @@ -23,6 +24,7 @@ interface(`portage_domtrans',` > > # transition to portage > domtrans_pattern($1, portage_exec_t, portage_t) > + domtrans_pattern($1, portage_fetch_exec_t, portage_fetch_t) > ') This needs to be moved into its own interface. Otherwise there is no option to only run portage or only run fetch. -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
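Review bot: in the first hunk, adding `type portage_fetch_t, portage_fetch_exec_t;` to the gen_require block of portage_domtrans makes every caller of that interface depend on the fetch types, even when the caller only needs portage_t. Keep this gen_require limited to `type portage_t, portage_exec_t;` and require the fetch types in the gen_require of a separate interface for the fetch domain.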
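Review bot: in the second hunk, the added `domtrans_pattern($1, portage_fetch_exec_t, portage_fetch_t)` sits under the comment `# transition to portage`, so any domain passed as $1 also gains a transition into portage_fetch_t, which is broader than the interface name and the comment state. Move this line into its own interface with its own `files_search_usr($1)` call, so a policy writer can grant the portage transition, the fetch transition, or both, and each caller gets only the access it needs.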