From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Fri, 19 Oct 2012 21:40:44 +0200
Subject: [refpolicy] [PATCH 1/7] Sandbox is an inherent part of the portage inner workings
In-Reply-To: <1350675262.12496.30.camel@d30.localdomain>
References: <1350672840-14590-1-git-send-email-sven.vermeulen@siphos.be> <1350672840-14590-2-git-send-email-sven.vermeulen@siphos.be> <1350675262.12496.30.camel@d30.localdomain>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Yes, a clean-up is long due here. I will take a stab at this later.

On Oct 19, 2012 9:34 PM, "Dominick Grift" wrote:
>
> On Fri, 2012-10-19 at 20:53 +0200, Sven Vermeulen wrote:
> > Portage sandbox is used while building software; whenever a user has the right
> > to use portage, he needs the sandboxing as well.
> >
> > We add portage_sandbox_t towards the portage_roles instead of the
> > portage_sandbox_roles, and remove the portage_sandbox_roles role attribute (as
> > there is no immediate need to support it besides portage_roles).
> >
> > This also fixes the breakage in Portage not wanting to build anything (including
> > SELinux policies) as the users who have portage_run didn't have access to the
> > portage_sandbox_t domain (as introduced in commit
> > d3144af9dffa9d1d918c68b1598c871e0b5baaa2).
> >
> > Signed-off-by: Sven Vermeulen
> > --- > > portage.te | 3 +-- > > 1 files changed, 1 insertions(+), 2 deletions(-) > > > > diff --git a/portage.te b/portage.te > > index b4b3e9f..56e2e3c 100644 > > --- a/portage.te > > +++ b/portage.te > > @@ -16,7 +16,6 @@ gen_tunable(portage_use_nfs, false) > > attribute_role gcc_config_roles; > > attribute_role portage_roles; > > attribute_role portage_fetch_roles; > > -attribute_role portage_sandbox_roles; > > > > type gcc_config_t; > > type gcc_config_exec_t; 
> > @@ -38,7 +37,7 @@ application_domain(portage_sandbox_t, portage_exec_t) > > # the shell is the entrypoint if regular sandbox is disabled > > # portage_exec_t is the entrypoint if regular sandbox is enabled > > corecmd_shell_entry_type(portage_sandbox_t) > > -role portage_sandbox_roles types portage_sandbox_t; > > +role portage_roles types portage_sandbox_t; > > > > # portage package fetching domain > > type portage_fetch_t;
> This was merged, thanks
>
> would be nice if you could clean up this module a bit
>
> maybe group some common policy using type attributes, etc?
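
Review bot: In the first hunk of portage.te, dropping "attribute_role portage_sandbox_roles;" is only safe if nothing else still names that attribute, and the diffstat shows portage.te as the only file touched. Any interface or module that still references portage_sandbox_roles (for example through a roleattribute statement) would stop compiling once the declaration is gone, so please confirm that a search of the tree for portage_sandbox_roles comes back empty, or fold the matching interface change into this patch.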
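
Review bot: In the second hunk, "role portage_roles types portage_sandbox_t;" carries no comment saying why the sandbox type is tied to portage_roles, while the two comments just above it only explain the entrypoints. Since portage_sandbox_t also has the shell as an entry point (corecmd_shell_entry_type), every role that is later added to portage_roles becomes authorized for that type. A one-line comment stating that the sandbox is always needed while building, as the commit message says, would make that coupling deliberate and visible to whoever extends portage_roles next.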