commit: 25cc0b997697b8cb53f2e45e44c2bacfe6f96afc
Author: Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Tue Apr 19 22:53:44 2022 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Jun 6 15:14:58 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=25cc0b99
portage: allow portage to map ebuild files When portage syncs a repo with git, git will mmap() ebuild files. Allow portage to map ebuild files to fix permission denied errors on syncing. Bug: https://bugs.gentoo.org/833017 Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org> policy/modules/admin/portage.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te index 86966705..e3a19574 100644 --- a/policy/modules/admin/portage.te +++ b/policy/modules/admin/portage.te @@ -200,6 +200,8 @@ domain_dontaudit_read_all_domains_state(portage_t) files_manage_all_files(portage_t) # eselect uses file, which mmap()s its db files_map_usr_files(portage_t) +# portage executing git mmap()s ebuild files when syncing +allow portage_t portage_ebuild_t:file map; selinux_get_fs_mount(portage_t)
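Review bot: the raw rule `allow portage_t portage_ebuild_t:file map;` is inserted between `files_map_usr_files(portage_t)` and `selinux_get_fs_mount(portage_t)`, in the middle of a run of interface calls into other modules. Because the target is a portage-prefixed type in portage.te, the rule would read more consistently grouped with portage_t's other local allow rules than in the files_*/selinux_* block. The grant itself is tight (map only, file class only, a single target type), which matches the mmap() denial described in the commit message. The in-policy comment could also name the bug (833017) so the reason for the rule stays visible when this block is next refactored.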
