From: dac.override@gmail.com (Dominick Grift)
Date: Tue, 12 Sep 2017 08:29:30 +0200
Subject: [refpolicy] [PATCH] portage: Grant the map permissions
 neccessary for git and install
In-Reply-To: <fddd8796-3bc9-177a-7f2b-3753059c4e04@ieee.org>
References: <20170911064021.6469-1-aranea@aixah.de>
	<fddd8796-3bc9-177a-7f2b-3753059c4e04@ieee.org>
Message-ID: <20170912062930.GB6678@julius.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Sep 11, 2017 at 08:12:51PM -0400, Chris PeBenito via refpolicy wrote:
> On 09/11/2017 02:40 AM, Luis Ressel via refpolicy wrote:
> > ---
> >   portage.if | 4 ++++
> >   1 file changed, 4 insertions(+)
> > 
> > diff --git a/portage.if b/portage.if
> > index 5e8eb2ba..c0c7e9be 100644
> > --- a/portage.if
> > +++ b/portage.if
> > @@ -102,6 +102,7 @@ interface(`portage_compile_domain',`
> >   	manage_dirs_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
> >   	manage_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
> >   	manage_lnk_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t)
> > +	allow $1 portage_srcrepo_t:file map;
> 
> When you say needed for git, is this when using an ebuild that builds 
> from a git repo rather than unpacking a tarball?  What is it mapping?

i think these are objects in .git, these are binaries and are always mapped by git client

> 
> 
> >   	# run scripts out of the build directory
> >   	can_exec(portage_sandbox_t, portage_tmp_t)
> > @@ -187,6 +188,9 @@ interface(`portage_compile_domain',`
> >   	# SELinux-enabled programs running in the sandbox
> >   	seutil_libselinux_linked($1)
> >   
> > +	# required by install
> > +	seutil_read_file_contexts($1)
> > +
> >   	tunable_policy(`portage_use_nfs',`
> >   		fs_getattr_nfs($1)
> >   		fs_manage_nfs_dirs($1)
> > 
> 
> 
> -- 
> Chris PeBenito
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20170912/e999c16c/attachment.bin