From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Tue, 13 Sep 2011 20:22:44 +0200 Subject: [refpolicy] [PATCHv2 4/4] Allow unconfined users to call portage features In-Reply-To: <20110913181932.GA29878@siphos.be> References: <20110913181932.GA29878@siphos.be> Message-ID: <20110913182243.GE29878@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The unconfined user is currently not allowed to call portage-related functions. However, in a targeted system (with unconfined domains enabled), users (including administrators) should be allowed to transition to the portage domain. We position the portage-related calls outside the "ifdef(distro_gentoo)" as other distributions support Portage as well. Signed-off-by: Sven Vermeulen --- policy/modules/system/unconfined.te | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te index eae5001..6195e6e 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te @@ -150,6 +150,12 @@ optional_policy(` ') optional_policy(` + portage_run(unconfined_t, unconfined_r) + portage_run_fetch(unconfined_t, unconfined_r) + portage_run_gcc_config(unconfined_t, unconfined_r)A +') + +optional_policy(` prelink_run(unconfined_t, unconfined_r) ') -- 1.7.3.4
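Review bot: the last added call in the new optional_policy block, `portage_run_gcc_config(unconfined_t, unconfined_r)A`, has a stray `A` after the closing parenthesis. Drop it so the line reads `portage_run_gcc_config(unconfined_t, unconfined_r)`; as posted, the extra token sits in the policy source just ahead of the block's closing `')`. Separately, the reason for placing these calls outside "ifdef(distro_gentoo)" appears only in the commit message, and none of the six added lines is a comment, so a one-line comment above the block would keep that rationale next to the rules in unconfined.te.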