From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Fri, 9 Sep 2011 21:27:12 +0200 Subject: [refpolicy] [PATCH 1/1] Separate domtrans/run interfaces for portage_fetch Message-ID: <20110909192712.GA32612@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Since the introduction of the portage_fetch_t domain, access to the domain was governed through the portage_domtrans and portage_run interfaces. To support calling portage only (but no fetch domain) or vice versa, the interfaces need to be split up. In this patch, we introduce the interfaces portage_domtrans_fetch and portage_run_fetch which will be used later in the domains that need to call portage/layman/emerge-webrsync/... Signed-off-by: Sven Vermeulen --- portage.if | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 files changed, 50 insertions(+), 0 deletions(-) diff --git a/portage.if b/portage.if index 9f7d652..ea892d1 100644 --- a/portage.if +++ b/portage.if @@ -213,6 +213,56 @@ interface(`portage_compile_domain',` ######################################## ## +## Execute tree management functions (fetching, layman, ...) +## in the portage_fetch_t domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`portage_domtrans_fetch',` + gen_require(` + type portage_fetch_t, portage_fetch_exec_t; + ') + + files_search_usr($1) + corecmd_search_bin($1) + + domtrans_pattern($1, portage_fetch_exec_t, portage_fetch_t) +') + +######################################## +## +## Execute tree management functions (fetching, layman, ...) +## in the portage_fetch_t domain, and allow the specified role +## the portage_fetch_t domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## The role to allow the portage domain. +## +## +## +# +interface(`portage_run_fetch',` + gen_require(` + type portage_fetch_t; + ') + + portage_domtrans_fetch($1) + role $2 types portage_fetch_t; +') + + +######################################## +## ## Execute gcc-config in the gcc_config domain. ## ## -- 1.7.3.4