commit:     7d41f1b7b4f4d675b62835be6d2416eb2368a1a1
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Tue Apr 19 22:53:44 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Sat Sep  3 20:04:23 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7d41f1b7
portage: allow portage to map ebuild files When portage syncs a repo with git, git will mmap() ebuild files. Allow portage to map ebuild files to fix permission denied errors on syncing. Bug: https://bugs.gentoo.org/833017 Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org> policy/modules/admin/portage.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te index 86966705..e3a19574 100644 --- a/policy/modules/admin/portage.te +++ b/policy/modules/admin/portage.te @@ -200,6 +200,8 @@ domain_dontaudit_read_all_domains_state(portage_t) files_manage_all_files(portage_t) # eselect uses file, which mmap()s its db files_map_usr_files(portage_t) +# portage executing git mmap()s ebuild files when syncing +allow portage_t portage_ebuild_t:file map; selinux_get_fs_mount(portage_t)
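Review bot: the added `allow portage_t portage_ebuild_t:file map;` is a raw allow rule dropped between the `files_map_usr_files(portage_t)` and `selinux_get_fs_mount(portage_t)` interface calls, so it is easy to miss when auditing what portage_t may do to its own types. Consider moving it next to the other local allow rules for portage_t and keeping the comment with it. The comment says git is the process doing the mmap(), while the permission goes to portage_t, which implies git runs without leaving that domain during a sync. Quoting the AVC denial (scontext, tcontext, tclass) in the commit message would confirm that portage_t is the right source domain and that `map` on `file` is the only permission needed. The grant itself is narrow (one permission, one target type, one class), which is the right shape given that `files_manage_all_files(portage_t)` above does not already cover it.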