From: dominick.grift@gmail.com (Dominick Grift) Date: Fri, 19 Oct 2012 21:34:22 +0200 Subject: [refpolicy] [PATCH 1/7] Sandbox is an inherent part of the portage inner workings In-Reply-To: <1350672840-14590-2-git-send-email-sven.vermeulen@siphos.be> References: <1350672840-14590-1-git-send-email-sven.vermeulen@siphos.be> <1350672840-14590-2-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1350675262.12496.30.camel@d30.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Fri, 2012-10-19 at 20:53 +0200, Sven Vermeulen wrote: > Portage sandbox is used while building software; whenever a user has the right > to use portage, he needs the sandboxing as well. > > We add portage_sandbox_t towards the portage_roles instead of the > portage_sandbox_roles, and remove the portage_sandbox_roles role attribute (as > there is no immediate need to support it besides portage_roles). > > This also fixes the breakage in Portage not wanting to build anything (including > SELinux policies) as the users who have portage_run didn't have access to the > portage_sandbox_t domain (as introduced in commit > d3144af9dffa9d1d918c68b1598c871e0b5baaa2). > > Signed-off-by: Sven Vermeulen > --- > portage.te | 3 +-- > 1 files changed, 1 insertions(+), 2 deletions(-) > > diff --git a/portage.te b/portage.te > index b4b3e9f..56e2e3c 100644 > --- a/portage.te > +++ b/portage.te > @@ -16,7 +16,6 @@ gen_tunable(portage_use_nfs, false) > attribute_role gcc_config_roles; > attribute_role portage_roles; > attribute_role portage_fetch_roles; > -attribute_role portage_sandbox_roles; > > type gcc_config_t; > type gcc_config_exec_t; 
> @@ -38,7 +37,7 @@ application_domain(portage_sandbox_t, portage_exec_t) > # the shell is the entrypoint if regular sandbox is disabled > # portage_exec_t is the entrypoint if regular sandbox is enabled > corecmd_shell_entry_type(portage_sandbox_t) > -role portage_sandbox_roles types portage_sandbox_t; > +role portage_roles types portage_sandbox_t; > > # portage package fetching domain > type portage_fetch_t; This was merged, thanks. Would be nice if you could clean up this module a bit, maybe group some common policy using type attributes, etc.?
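Review bot: dropping the `attribute_role portage_sandbox_roles;` declaration in the first hunk (the `@@ -16,7 +16,6 @@` region of portage.te) is only safe if nothing else still names that attribute; the diffstat shows portage.te as the only file changed, so please confirm that no `roleattribute` or `role` statement in portage.if or any other module still refers to portage_sandbox_roles, since a leftover reference fails at policy build time as an undeclared role attribute. If the attribute was reachable through a public interface, removing it is also an interface change for third-party policy and deserves a sentence in the commit message beyond "no immediate need to support it".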
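Review bot: the line `+role portage_roles types portage_sandbox_t;` in the second hunk (the `@@ -38,7 +37,7 @@` region) widens the role set that may hold the sandbox domain to every role carrying portage_roles, which is the stated intent, but the two comment lines kept as context just above it (shell entrypoint when the regular sandbox is disabled, portage_exec_t when enabled) mean those roles are now permitted in portage_sandbox_t via either entry path; the commit message describes this only as fixing the portage_run breakage, so state explicitly that it also broadens which roles can run the sandbox domain. A role statement alone does not create a domain transition, so please also check that the transition rules paired with portage_run still line up with the new role set.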