From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 9 Oct 2012 10:09:33 -0400
Subject: [refpolicy] [PATCH] removed the rw autofs stuff added nfs
 search for portage_t and allowed use of nsswitch
In-Reply-To: <1349186357-19745-1-git-send-email-mthode@mthode.org>
References: <1349168126.25773.2.camel@d30.localdomain>
	<1349186357-19745-1-git-send-email-mthode@mthode.org>
Message-ID: <5074301D.1040508@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 10/02/12 09:59, Matthew Thode wrote:
> subject more or less speaks for itself, lessened the permissions needed from autofs and fixed a couple of AVC denials with grifts help in irc, thanks :D
> 
> ---
>  portage.te |    4 +++-
>  1 files changed, 3 insertions(+), 1 deletions(-)
> 
> diff --git a/portage.te b/portage.te
> index 128e7d6..321b1ac 100644
> --- a/portage.te
> +++ b/portage.te
> @@ -193,6 +193,8 @@ files_manage_all_files(portage_t)
>  selinux_get_fs_mount(portage_t)
>  
>  auth_manage_shadow(portage_t)
> +auth_use_nsswitch(portage_fetch_t)
> +auth_use_nsswitch(portage_sandbox_t)
>  
>  # merging baselayout will need this:
>  init_exec(portage_t)
[cut]
> @@ -321,6 +322,7 @@ ifdef(`hide_broken_symptoms',`
>  ')
>  
>  tunable_policy(`portage_use_nfs',`
> +	fs_getattr_nfs(portage_t)
>  	fs_getattr_nfs(portage_fetch_t)
>  	fs_manage_nfs_dirs(portage_fetch_t)
>  	fs_manage_nfs_files(portage_fetch_t)
 
The lines should go with the sections, i.e. the portage_fetch_t addition should go in the portage_fetch_t section, and the portage_sandbox_t addition should go in the portage_sandbox_t section.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com