[COMMIT]refpolicy branch, master, updated. contrib-12-g99a34d5

Reference Policy commits mail list refpolicy-commits at oss.tresys.com
Wed Sep 14 12:22:11 CDT 2011


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "refpolicy".

The branch, master has been updated
       via  99a34d527e37e7d0a091881ef6176aa2e6a9b68c (commit)
       via  370081cc60b9979a3e8c577e22eebfa99c746d83 (commit)
       via  017b505110c52eb3333a940169c8bdcd9fdef810 (commit)
       via  c94b5e3d181ca05348bf084489c123c9316df2c1 (commit)
      from  a108d9db60747a887f626b99cce37738462dd3cd (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 99a34d527e37e7d0a091881ef6176aa2e6a9b68c
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Sep 14 12:48:13 2011 -0400

    Separate portage fetch rules out of portage_run() and portage_domtrans() from Sven Vermeulen.

commit 370081cc60b9979a3e8c577e22eebfa99c746d83
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Sep 14 12:46:56 2011 -0400

    Remove stray "A" from unconfined.

commit 017b505110c52eb3333a940169c8bdcd9fdef810
Author: Sven Vermeulen <sven.vermeulen at siphos.be>
Date:   Tue Sep 13 20:22:44 2011 +0200

    Allow unconfined users to call portage features
    
    The unconfined user is currently not allowed to call portage-related
    functions. However, in a targeted system (with unconfined domains
    enabled), users (including administrators) should be allowed to
    transition to the portage domain.
    
    We position the portage-related calls outside the "ifdef(distro_gentoo)"
    as other distributions support Portage as well.
    
    Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be>

commit c94b5e3d181ca05348bf084489c123c9316df2c1
Author: Sven Vermeulen <sven.vermeulen at siphos.be>
Date:   Tue Sep 13 20:21:43 2011 +0200

    Allow sysadm_t to call all portage related services
    
    The system administrator (in sysadm_t) is the only "user" domain that is
    allowed to call portage-related services. So it also gains the privilege
    to execute portage tree management functions (and as such transition to
    portage_fetch_t).
    
    Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be>

-----------------------------------------------------------------------

Summary of changes:
 Changelog                           |    2 ++
 policy/modules/contrib              |    2 +-
 policy/modules/roles/sysadm.te      |    1 +
 policy/modules/system/unconfined.te |    6 ++++++
 4 files changed, 10 insertions(+), 1 deletions(-)

Detailed diffset:
:100644 100644 338191c... c62267e... M	Changelog
:160000 160000 e6f073a... e9c74ec... M	policy/modules/contrib
:100644 100644 1e1d649... 954417f... M	policy/modules/roles/sysadm.te
:100644 100644 eefcba3... 6521f70... M	policy/modules/system/unconfined.te

diff --git a/Changelog b/Changelog
index 338191c..c62267e 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,5 @@
+- Separate portage fetch rules out of portage_run() and portage_domtrans()
+  from Sven Vermeulen.
 - Enhance corenetwork network_port() macro to support ports that do not have
   a well defined port number, such as stunnel.
 - Opendkim support in dkim module from Paul Howarth.
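Review bot: The Changelog entry added at the top of this hunk records only the split of the fetch rules out of portage_run() and portage_domtrans(), while the same push also adds portage_run(), portage_run_fetch() and portage_run_gcc_config() calls for unconfined_t in policy/modules/system/unconfined.te. Consider a second Changelog line for the unconfined change, so that the new domain transitions available to unconfined users are visible to people who read only the Changelog.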
diff --git a/policy/modules/contrib b/policy/modules/contrib
index e6f073a..e9c74ec 160000
--- a/policy/modules/contrib
+++ b/policy/modules/contrib
@@ -1 +1 @@
-Subproject commit e6f073a7740ab4a4f322ed984f972282c401916e
+Subproject commit e9c74ec4e2b2ff9f92dbf2957e3f99ea9b2cdb81
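Review bot: The subproject pointer change in policy/modules/contrib is the only part of this diffset whose content is not shown, and the portage_run_fetch() calls added to sysadm.te and unconfined.te have no definition in any file listed here. Confirm that e9c74ec4e2b2ff9f92dbf2957e3f99ea9b2cdb81 is the contrib commit that provides portage_run_fetch(), and say so in the commit message so the dependency between the pointer bump and the two callers is on record.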
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 1e1d649..954417f 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -253,6 +253,7 @@ optional_policy(`
 
 optional_policy(`
 	portage_run(sysadm_t, sysadm_r)
+	portage_run_fetch(sysadm_t, sysadm_r)
 	portage_run_gcc_config(sysadm_t, sysadm_r)
 ')
 
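Review bot: The added portage_run_fetch(sysadm_t, sysadm_r) line covers sysadm_t only. The Changelog says the fetch rules were separated out of portage_run() and portage_domtrans(), so any other caller of those two interfaces no longer gets the transition to portage_fetch_t implicitly. Check the remaining callers and add the fetch interface where the old behaviour is still wanted, or state in the commit message that dropping it elsewhere is intended.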
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index eefcba3..6521f70 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -150,6 +150,12 @@ optional_policy(`
 ')
 
 optional_policy(`
+	portage_run(unconfined_t, unconfined_r)
+	portage_run_fetch(unconfined_t, unconfined_r)
+	portage_run_gcc_config(unconfined_t, unconfined_r)
+')
+
+optional_policy(`
 	prelink_run(unconfined_t, unconfined_r)
 ')
 
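Review bot: The new optional_policy block with the three portage_run*() calls for unconfined_t is placed outside any distro_gentoo conditional, and the reason for that ("other distributions support Portage as well") exists only in the commit message. Add a one-line comment above portage_run(unconfined_t, unconfined_r) in unconfined.te saying the placement is deliberate, so a later cleanup does not move the block under ifdef(distro_gentoo).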


hooks/post-receive
--
refpolicy

