From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Tue, 13 Sep 2011 20:21:43 +0200 Subject: [refpolicy] [PATCHv2 3/4] Allow sysadm_t to call all portage related services In-Reply-To: <20110913181932.GA29878@siphos.be> References: <20110913181932.GA29878@siphos.be> Message-ID: <20110913182142.GD29878@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The system administrator (in sysadm_t) is the only "user" domain that is allowed to call portage-related services. So it also gains the privilege to execute portage tree management functions (and as such transition to portage_fetch_t). Signed-off-by: Sven Vermeulen --- policy/modules/roles/sysadm.te | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 1e1d649..954417f 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -253,6 +253,7 @@ optional_policy(` optional_policy(` portage_run(sysadm_t, sysadm_r) + portage_run_fetch(sysadm_t, sysadm_r) portage_run_gcc_config(sysadm_t, sysadm_r) ') -- 1.7.3.4
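Review bot: The added portage_run_fetch(sysadm_t, sysadm_r) line in the portage optional_policy block of sysadm.te calls an interface that this patch does not define (the diffstat touches only sysadm.te), and the message does not say which patch in the series provides it. Naming that patch in the message, and stating that 3/4 has to be applied after it, would keep the series buildable at every step. The subject is marked PATCHv2, but nothing after the --- line records what changed since v1; a one-line changelog there would help reviewers. Since the message describes this as granting sysadm_t a transition to portage_fetch_t, it would also be worth stating whether portage_run(sysadm_t, sysadm_r) already covered any part of that access, so the new grant can be reviewed as the minimal addition.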