From: jason@perfinion.com (Jason Zaman)
Date: Fri, 8 Jun 2018 19:26:51 +0800
Subject: [refpolicy] [PATCH 5/5] Allow portage to use GPG for tree
 signature verification
In-Reply-To: <20180608095341.20837-5-jason@perfinion.com>
References: <20180608095341.20837-1-jason@perfinion.com>
	<20180608095341.20837-5-jason@perfinion.com>
Message-ID: <20180608112651.GA35435@baraddur.perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

After talking to Dominick, I decided to change this around to use the
portage_fetch_t domain instead, please dont apply patches 4/5 or 5/5, I
am sending new patches instead.

-- Jason

On Fri, Jun 08, 2018 at 05:53:41PM +0800, Jason Zaman wrote:
> ---
>  dirmngr.te |  6 ++++++
>  gpg.te     | 12 ++++++++++++
>  portage.te |  4 ++++
>  3 files changed, 22 insertions(+)
> 
> diff --git a/dirmngr.te b/dirmngr.te
> index 983de0c..d087f0e 100644
> --- a/dirmngr.te
> +++ b/dirmngr.te
> @@ -89,3 +89,9 @@ optional_policy(`
>  	gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)
>  	gpg_stream_connect_agent(dirmngr_t)
>  ')
> +
> +ifdef(`distro_gentoo',`
> +	optional_policy(`
> +		portage_manage_tmp(dirmngr_t)
> +	')
> +')
> diff --git a/gpg.te b/gpg.te
> index 3420a21..fe407f5 100644
> --- a/gpg.te
> +++ b/gpg.te
> @@ -193,6 +193,12 @@ optional_policy(`
>  	xserver_rw_xdm_pipes(gpg_t)
>  ')
>  
> +ifdef(`distro_gentoo',`
> +	optional_policy(`
> +		portage_manage_tmp(gpg_t)
> +	')
> +')
> +
>  ########################################
>  #
>  # Helper local policy
> @@ -318,6 +324,12 @@ optional_policy(`
>  	xserver_read_user_xauth(gpg_agent_t)
>  ')
>  
> +ifdef(`distro_gentoo',`
> +	optional_policy(`
> +		portage_manage_tmp(gpg_agent_t)
> +	')
> +')
> +
>  ##############################
>  #
>  # Pinentry local policy
> diff --git a/portage.te b/portage.te
> index 2146005..4b72a16 100644
> --- a/portage.te
> +++ b/portage.te
> @@ -218,6 +218,10 @@ optional_policy(`
>  	cron_system_entry(portage_fetch_t, portage_fetch_exec_t)
>  ')
>  
> +optional_policy(`
> +	gpg_domtrans(portage_t)
> +')
> +
>  optional_policy(`
>  	modutils_run(portage_t, portage_roles)
>  	#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
> -- 
> 2.16.4
>