From: dominick.grift@gmail.com (Dominick Grift)
Date: Mon, 29 Oct 2012 20:11:48 +0100
Subject: [refpolicy] [PATCH v2 2/4] Remove transition to ldconfig
In-Reply-To: <1351536827-13200-3-git-send-email-sven.vermeulen@siphos.be>
References: <1351536827-13200-1-git-send-email-sven.vermeulen@siphos.be> <1351536827-13200-3-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1351537908.4200.4.camel@d30.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 2012-10-29 at 19:53 +0100, Sven Vermeulen wrote:
> Up until now, we had ldconfig_t as the only domain that the portage compile
> domains (like portage_sandbox_t) can transition towards. But this is not
> necessary, and even led to a few hiccups (like sandbox requiring ptrace towards
> the ldconfig domain).
>
> Remove the domain transition, and just execute ldconfig when needed. Everything
> remains within the sandbox domain.
>
> Signed-off-by: Sven Vermeulen
> --- > portage.if | 4 +--- > 1 files changed, 1 insertions(+), 3 deletions(-) > > diff --git a/portage.if b/portage.if > index 1ae194e..67e8c12 100644 > --- a/portage.if > +++ b/portage.if > @@ -177,9 +177,7 @@ interface(`portage_compile_domain',` > libs_exec_lib_files($1) > # some config scripts use ldd > libs_exec_ld_so($1) > - # this violates the idea of sandbox, but > - # regular sandbox allows it > - libs_domtrans_ldconfig($1) > + libs_exec_ldconfig($1) > > logging_send_syslog_msg($1) >
applied, thanks
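
Review bot: The added `libs_exec_ldconfig($1)` line in `portage_compile_domain` carries no comment, while the lines it replaces and the neighbouring `libs_exec_ld_so($1)` both had one; add a short comment saying ldconfig is deliberately executed without a domain transition so that it stays inside the sandbox domain, as the commit message explains. Because ldconfig now runs with the permissions of `$1` instead of in its own domain, and this hunk grants only the execute access, it is also worth confirming that every caller of the interface already has the access ldconfig needs, or stating that denials there are intended.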