From: jason@perfinion.com (Jason Zaman)
Date: Fri, 8 Jun 2018 19:26:51 +0800
Subject: [refpolicy] [PATCH 5/5] Allow portage to use GPG for tree signature verification
In-Reply-To: <20180608095341.20837-5-jason@perfinion.com>
References: <20180608095341.20837-1-jason@perfinion.com> <20180608095341.20837-5-jason@perfinion.com>
Message-ID: <20180608112651.GA35435@baraddur.perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

After talking to Dominick, I decided to change this around to use the portage_fetch_t domain instead. Please don't apply patches 4/5 or 5/5; I am sending new patches instead.

-- Jason

On Fri, Jun 08, 2018 at 05:53:41PM +0800, Jason Zaman wrote:
> --- > dirmngr.te | 6 ++++++ > gpg.te | 12 ++++++++++++ > portage.te | 4 ++++ > 3 files changed, 22 insertions(+) > > diff --git a/dirmngr.te b/dirmngr.te > index 983de0c..d087f0e 100644 > --- a/dirmngr.te > +++ b/dirmngr.te > @@ -89,3 +89,9 @@ optional_policy(` > gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir) > gpg_stream_connect_agent(dirmngr_t) > ') > + > +ifdef(`distro_gentoo',` > + optional_policy(` > + portage_manage_tmp(dirmngr_t) > + ') > +') > diff --git a/gpg.te b/gpg.te > index 3420a21..fe407f5 100644 > --- a/gpg.te > +++ b/gpg.te > @@ -193,6 +193,12 @@ optional_policy(` > xserver_rw_xdm_pipes(gpg_t) > ') > > +ifdef(`distro_gentoo',` > + optional_policy(` > + portage_manage_tmp(gpg_t) > + ') > +') > + > ######################################## > # > # Helper local policy > @@ -318,6 +324,12 @@ optional_policy(` > xserver_read_user_xauth(gpg_agent_t) > ') > > +ifdef(`distro_gentoo',` > + optional_policy(` > + portage_manage_tmp(gpg_agent_t) > + ') > +') > + > ############################## > # > # Pinentry local policy > diff --git a/portage.te b/portage.te > index 2146005..4b72a16 100644 > --- a/portage.te > +++ b/portage.te 
> @@ -218,6 +218,10 @@ optional_policy(` > cron_system_entry(portage_fetch_t, portage_fetch_exec_t) > ') > > +optional_policy(` > + gpg_domtrans(portage_t) > +') > + > optional_policy(` > modutils_run(portage_t, portage_roles) > #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms; > -- > 2.16.4 >
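
Review bot: in the dirmngr.te hunk, portage_manage_tmp(dirmngr_t) widens the shared dirmngr_t type, so on a Gentoo build every dirmngr process gets manage-level access to portage's temporary files, not only the instance started for tree verification. If the need is limited to a socket or working directory under portage's temporary location, a narrower grant, or doing the verification in a portage-specific domain so dirmngr_t itself is left alone, would be a tighter fit. A comment above the ifdef naming the path that produced the denial would make the rule reviewable later.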
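
Review bot: in the gpg.te hunks, the second block grants portage_manage_tmp(gpg_agent_t), but signature verification uses only public keys, so the patch does not show why the agent, the process that holds secret keys, needs to create and delete files in portage's temporary area. The first block has the same scope question for gpg_t: the rule applies to every gpg_t process, including ones started from user sessions. Consider dropping the gpg_agent_t block unless an AVC denial shows it is needed, and record that denial in the commit message, which is currently empty apart from the subject.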
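
Review bot: in the portage.te hunk, gpg_domtrans(portage_t) adds only the domain transition, while the neighbouring block uses the role-aware form, modutils_run(portage_t, portage_roles). If gpg_t is not authorised for the roles in portage_roles, the transition can fail as an invalid context, so check whether a role allowance has to accompany this rule. The transition is also given to portage_t as a whole; the context line above shows a separate portage_fetch_t domain, and granting the transition there instead would keep the main portage domain from being able to enter gpg_t.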