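# portage_additional: local supplementary policy for the Gentoo portage
# domains (portage_t, portage_fetch_t, portage_sandbox_t).  Every rule here
# widens what the base portage module already allows, so each grant is
# annotated with what it permits, making it easy to re-justify later.
policy_module(portage_additional, 0.0.7)

require {
	type portage_fetch_t;
	type portage_sandbox_t;
	type portage_t;
	type etc_t;
	type ldconfig_cache_t;
	type unlabeled_t;
	type usr_t;
	type portage_conf_t;
	type portage_ebuild_t;
	type proc_t;
	type zero_device_t;
	type cert_t;
	# var_lib_t is referenced directly by the manage_files_pattern() rule
	# below but was not declared here; the module only compiled because
	# files_manage_var_lib_dirs() happened to require it first.  Declare it
	# explicitly so the build does not depend on interface call order.
	type var_lib_t;
}

########################################
#
# portage_fetch_t
#

# Anonymous writable+executable memory mappings.  Presumably needed by a
# fetch helper or interpreter -- confirm it is still required.
allow portage_fetch_t self:process execmem;

corenet_tcp_bind_generic_node(portage_fetch_t)
kernel_read_crypto_sysctls(portage_fetch_t)
dev_read_urand(portage_fetch_t)

# Directory listing / stat only, no content access.
files_list_boot(portage_fetch_t)
files_list_default(portage_fetch_t)
files_search_src(portage_fetch_t)
files_getattr_usr_src_files(portage_fetch_t)
fs_getattr_xattr_fs(portage_fetch_t)

# Write access to configuration: rw on generic etc_t files, hard-linking
# etc_t files, and writing portage_conf_t.  A fetch domain that can modify
# its own configuration is a broad grant; keep under review.
files_rw_etc_files(portage_fetch_t)
allow portage_fetch_t etc_t:file link;
allow portage_fetch_t portage_conf_t:file write;

# Full create/read/write/delete rights on /var and /var/lib contents.
files_manage_var_files(portage_fetch_t)
files_manage_var_dirs(portage_fetch_t)
files_manage_var_lib_dirs(portage_fetch_t)
manage_files_pattern(portage_fetch_t, var_lib_t, var_lib_t)

# mmap of ebuild files; map is checked separately from read.
allow portage_fetch_t portage_ebuild_t:file map;

########################################
#
# portage_t
#

corenet_udp_bind_generic_node(portage_t)
corenet_tcp_bind_generic_node(portage_t)
kernel_read_crypto_sysctls(portage_t)

# Presumably for package merges that install into /etc -- confirm.
files_manage_etc_files(portage_t)
allow portage_t etc_t:file { relabelfrom relabelto };

allow portage_t self:process ptrace;
allow portage_t self:capability sys_resource;

# Execute, mmap and relabel files that carry no label.  unlabeled_t is the
# fallback type for any object without a label, so this rule cannot
# distinguish what it applies to; it is the widest grant in the module.
allow portage_t unlabeled_t:file { execute execute_no_trans map relabelfrom relabelto };

# Execute generic /usr files inside portage_t without a domain transition.
allow portage_t usr_t:file { execute execute_no_trans };

# NOTE(review): portage_t is a process domain, yet these rules use it as a
# dir/file label and allow such files on a proc_t filesystem.  Entries under
# /proc/<pid> are labeled with the owning process domain, which is presumably
# why these are needed -- confirm against the audit log before keeping.
allow portage_t self:dir { add_name write };
allow portage_t self:file create;
allow portage_t proc_t:filesystem associate;

allow portage_t cert_t:file map;
allow portage_t portage_ebuild_t:file map;

########################################
#
# portage_sandbox_t
#

kernel_read_crypto_sysctls(portage_sandbox_t)
dev_rw_zero(portage_sandbox_t)
allow portage_sandbox_t zero_device_t:chr_file map;
allow portage_sandbox_t ldconfig_cache_t:file map;

# getattr only -- no read of the shadow file contents.
auth_getattr_shadow(portage_sandbox_t)

# stat of pseudo-filesystems and device nodes, no content access.
fs_getattr_cgroup(portage_sandbox_t)
fs_getattr_pstorefs(portage_sandbox_t)
fs_getattr_tracefs(portage_sandbox_t)
kernel_getattr_debugfs(portage_sandbox_t)
dev_getattr_fs(portage_sandbox_t)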