From: dac.override@gmail.com (Dominick Grift)
Date: Tue, 12 Sep 2017 08:29:30 +0200
Subject: [refpolicy] [PATCH] portage: Grant the map permissions necessary for git and install
In-Reply-To:
References: <20170911064021.6469-1-aranea@aixah.de>
Message-ID: <20170912062930.GB6678@julius.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Sep 11, 2017 at 08:12:51PM -0400, Chris PeBenito via refpolicy wrote:
> On 09/11/2017 02:40 AM, Luis Ressel via refpolicy wrote: > > --- > > portage.if | 4 ++++ > > 1 file changed, 4 insertions(+) > > > > diff --git a/portage.if b/portage.if > > index 5e8eb2ba..c0c7e9be 100644 > > --- a/portage.if > > +++ b/portage.if > > @@ -102,6 +102,7 @@ interface(`portage_compile_domain',` > > manage_dirs_pattern($1, portage_srcrepo_t, portage_srcrepo_t) > > manage_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t) > > manage_lnk_files_pattern($1, portage_srcrepo_t, portage_srcrepo_t) > > + allow $1 portage_srcrepo_t:file map; > > When you say needed for git, is this when using an ebuild that builds > from a git repo rather than unpacking a tarball? What is it mapping?

I think these are objects in .git; these are binaries and are always mapped by the git client.

> > > > # run scripts out of the build directory > > can_exec(portage_sandbox_t, portage_tmp_t)
> > @@ -187,6 +188,9 @@ interface(`portage_compile_domain',` > > # SELinux-enabled programs running in the sandbox > > seutil_libselinux_linked($1) > > > > + # required by install > > + seutil_read_file_contexts($1) > > + > > tunable_policy(`portage_use_nfs',` > > fs_getattr_nfs($1) > > fs_manage_nfs_dirs($1) > > > > > -- > Chris PeBenito > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
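
Review bot: The "allow $1 portage_srcrepo_t:file map;" line added in the @@ -102,6 +102,7 @@ hunk carries no comment saying what maps these files, and the subject only says "git". The answer given in this thread (git maps the objects under .git) is the kind of justification that belongs next to the rule, for example as a one-line comment above it. It is also the only raw allow rule among the three *_pattern macro calls visible in this hunk, and it gives map on portage_srcrepo_t files to every domain passed to portage_compile_domain, which already gets manage access to those files from manage_files_pattern; worth confirming that every caller needs it and not only the domain that runs git.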
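
Review bot: In the @@ -187,6 +188,9 @@ hunk, the comment "# required by install" does not say why install needs the file contexts, and the subject describes the patch as granting map permissions while the added line is a call to seutil_read_file_contexts($1). State in the comment, or in the commit message (which shows no body here), what install does with the file contexts and which denial this resolves, so the connection to map is visible to someone reading portage.if. Since this change is independent of the git-related rule in the first hunk, it could also go in its own patch.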