From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Fri, 19 Oct 2012 20:53:54 +0200 Subject: [refpolicy] [PATCH 1/7] Sandbox is an inherent part of the portage inner workings In-Reply-To: <1350672840-14590-1-git-send-email-sven.vermeulen@siphos.be> References: <1350672840-14590-1-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1350672840-14590-2-git-send-email-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Portage sandbox is used while building software; whenever a user has the right to use portage, he needs the sandboxing as well. We add portage_sandbox_t towards the portage_roles instead of the portage_sandbox_roles, and remove the portage_sandbox_roles role attribute (as there is no immediate need to support it besides portage_roles). This also fixes the breakage in Portage not wanting to build anything (including SELinux policies) as the users who have portage_run didn't have access to the portage_sandbox_t domain (as introduced in commit d3144af9dffa9d1d918c68b1598c871e0b5baaa2). Signed-off-by: Sven Vermeulen --- portage.te | 3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) diff --git a/portage.te b/portage.te index b4b3e9f..56e2e3c 100644 --- a/portage.te +++ b/portage.te @@ -16,7 +16,6 @@ gen_tunable(portage_use_nfs, false) attribute_role gcc_config_roles; attribute_role portage_roles; attribute_role portage_fetch_roles; -attribute_role portage_sandbox_roles; type gcc_config_t; type gcc_config_exec_t; @@ -38,7 +37,7 @@ application_domain(portage_sandbox_t, portage_exec_t) # the shell is the entrypoint if regular sandbox is disabled # portage_exec_t is the entrypoint if regular sandbox is enabled corecmd_shell_entry_type(portage_sandbox_t) -role portage_sandbox_roles types portage_sandbox_t; +role portage_roles types portage_sandbox_t; # portage package fetching domain type portage_fetch_t; -- 1.7.8.6