|
@@ -1,4 +1,4 @@
|
|
|
-policy_module(portage_additional, 0.0.4)
|
|
|
+policy_module(portage_additional, 0.0.6)
|
|
|
|
|
|
require {
|
|
|
type portage_fetch_t;
|
|
@@ -8,8 +8,14 @@ require {
|
|
|
type ldconfig_cache_t;
|
|
|
type unlabeled_t;
|
|
|
type usr_t;
|
|
|
+ type portage_conf_t;
|
|
|
+ type portage_ebuild_t;
|
|
|
+ type proc_t;
|
|
|
}
|
|
|
|
|
|
+allow portage_fetch_t self:process execmem;
|
|
|
+
|
|
|
+corenet_tcp_bind_generic_node(portage_fetch_t)
|
|
|
files_list_boot(portage_fetch_t)
|
|
|
files_list_default(portage_fetch_t)
|
|
|
files_rw_etc_files(portage_fetch_t)
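Review bot: `allow portage_fetch_t self:process execmem;` lets the fetch domain map anonymous memory that is both writable and executable, which removes the W^X guarantee for the one portage domain that handles network-sourced data, and nothing in the hunk records which component needs it. If this was added to clear a single AVC denial, a comment above the rule such as `# execmem: required by <component - TODO confirm>` lets the next maintainer re-check whether the grant is still needed when that component changes. It is also worth confirming the denial is not a side effect of a library that can run without executable heap, since the grant applies to every process in the domain, not just the one that triggered it.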
|
|
@@ -19,10 +25,16 @@ files_manage_var_files(portage_fetch_t)
|
|
|
files_manage_var_dirs(portage_fetch_t)
|
|
|
files_search_src(portage_fetch_t)
|
|
|
files_getattr_usr_src_files(portage_fetch_t)
|
|
|
+fs_getattr_xattr_fs(portage_fetch_t)
|
|
|
+files_manage_var_lib_dirs(portage_fetch_t)
|
|
|
+manage_files_pattern(portage_fetch_t, var_lib_t, var_lib_t)
|
|
|
|
|
|
+allow portage_fetch_t portage_conf_t:file write;
|
|
|
allow portage_fetch_t etc_t:file link;
|
|
|
+allow portage_fetch_t portage_ebuild_t:file map;
|
|
|
|
|
|
corenet_udp_bind_generic_node(portage_t)
|
|
|
+corenet_tcp_bind_generic_node(portage_t)
|
|
|
files_manage_etc_files(portage_t)
|
|
|
kernel_read_crypto_sysctls(portage_t)
|
|
|
allow portage_t self:process ptrace;
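Review bot: `allow portage_fetch_t portage_conf_t:file write;` gives the fetch domain write access to portage's configuration, so a misbehaving or compromised fetcher could alter settings that later emerge runs rely on; the rule should carry a comment naming the file that produced the denial so the grant can be narrowed to that file's type, or the write should happen outside the fetch domain. `manage_files_pattern(portage_fetch_t, var_lib_t, var_lib_t)` together with `files_manage_var_lib_dirs(portage_fetch_t)` likewise covers every generic var_lib_t file and directory rather than a portage-specific type; if the target is a single tree under /var/lib, labelling it with a dedicated or existing portage type keeps the grant bounded. `var_lib_t` and `etc_t` do not appear in the visible part of the `require` block, but that block's earlier lines are outside this chunk, so they may already be declared there.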
|
|
@@ -30,8 +42,13 @@ allow portage_t self:capability sys_resource;
|
|
|
allow portage_t unlabeled_t:file { execute execute_no_trans map relabelfrom relabelto };
|
|
|
allow portage_t usr_t:file { execute execute_no_trans };
|
|
|
allow portage_t etc_t:file { relabelfrom relabelto };
|
|
|
+allow portage_t self:dir { add_name write };
|
|
|
+allow portage_t self:file create;
|
|
|
+allow portage_t proc_t:filesystem associate;
|
|
|
|
|
|
|
|
|
|
|
|
+kernel_read_crypto_sysctls(portage_sandbox_t)
|
|
|
+auth_getattr_shadow(portage_sandbox_t)
|
|
|
allow portage_sandbox_t ldconfig_cache_t:file map;
|
|
|
dev_rw_zero(portage_sandbox_t)
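Review bot: `auth_getattr_shadow(portage_sandbox_t)` allows the sandbox domain to stat /etc/shadow; when the underlying denial comes from a directory scan that only touches the file, the reference-policy convention is to silence it rather than permit it, i.e. `auth_dontaudit_getattr_shadow(portage_sandbox_t)`, and to grant getattr only if a build step genuinely needs the metadata. The three new portage_t rules (`self:dir { add_name write }`, `self:file create`, `proc_t:filesystem associate`) treat the domain type as a file label, which is unusual for a process domain; they look like denials from a write under /proc/<pid>, whose entries carry the process's own type, but that is inferred from the rule shape rather than shown here. A one-line comment recording the originating denial for these three rules would let a reviewer confirm the cause instead of guessing, and would show whether a narrower interface exists.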
|