commit:     a2f1ba7050cdedf754c399f9c22375bff161b78f
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Sat Nov 26 18:05:35 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec  6 13:58:03 2016 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a2f1ba70

Allow portage compile domains to relabel portage_tmp_t:dir's

This permission is requested by a 'cp' in the multibuild.eclass (see bug
600926). It's not actually required, but since we already allow the same
permission for files and allowing it for directories doesn't have any
security implications, I've chosen to use "allow" instead of "dontaudit".

 policy/modules/contrib/portage.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/portage.if 
b/policy/modules/contrib/portage.if
index 14c4fb6..e990d79 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -118,6 +118,7 @@ interface(`portage_compile_domain',`
        files_tmp_filetrans($1, portage_tmp_t, { dir file lnk_file sock_file 
fifo_file })
        # SELinux-enabled programs running in the sandbox
        allow $1 portage_tmp_t:file relabel_file_perms;
+       allow $1 portage_tmp_t:dir relabel_dir_perms;
 
        manage_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
        manage_lnk_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
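Review bot: The existing comment `# SELinux-enabled programs running in the sandbox` now also covers the added `allow $1 portage_tmp_t:dir relabel_dir_perms;`, but the commit message attributes the directory case to a `cp` in multibuild.eclass (bug 600926) rather than to SELinux-aware programs, so the rule's origin will not be traceable from the policy text itself. Consider placing `# cp in multibuild.eclass relabels tmp dirs (bug 600926)` directly above the new line. It would also help to record the reasoning the description relies on: relabel_dir_perms grants relabelfrom and relabelto, and here both source and target type are portage_tmp_t, so the domain can only relabel between directories of a type it already creates (via the files_tmp_filetrans above) — which appears to be the basis for the "no security implications" claim. The portage_compile_domain interface begins before this hunk and continues after it.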
