[refpolicy] [PATCH 08/11] Introduce search_conf_dirs and read_tmp_files interfaces for Portage

Sven Vermeulen sven.vermeulen at siphos.be
Tue Aug 23 08:44:21 CDT 2011


We add support for searching through portage's configuration file locations
(which will be used in subsequent patches) for tools that provide additional
features on top of Portage and which integrate with it. For instance, gpg
(validating snapshots).

Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be>
---
 policy/modules/admin/portage.if |   39 +++++++++++++++++++++++++++++++++++++++
 1 files changed, 39 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index a1bfbaa..4851e90 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -258,6 +258,25 @@ interface(`portage_run_gcc_config',`
 
 ########################################
 ## <summary>
+##   Allow a domain search privileges through portage configuration
+##   file directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to allow search privileges
+##	</summary>
+## </param>
+#
+interface(`portage_search_conf_dirs',`
+	gen_require(`
+		type portage_conf_t;
+	')
+
+	allow $1 portage_conf_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts to search the
 ##	portage temporary directories.
 ## </summary>
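
Review bot: The summary for portage_search_conf_dirs is indented with spaces ("##   Allow a domain search privileges ...") while the param block below it and the neighbouring interfaces use a tab after "##", and the sentence has no closing period. Suggest rewording it to match the adjacent interface's style, for example "Search the portage configuration directories.", with tab indentation. The rule itself (search_dir_perms on portage_conf_t:dir) matches the interface name and grants nothing beyond traversal.
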
@@ -277,6 +296,26 @@ interface(`portage_dontaudit_search_tmp',`
 
 ########################################
 ## <summary>
+##   Allow a domain to read portage_tmp_t files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to allow read privileges
+##	</summary>
+## </param>
+#
+interface(`portage_read_tmp_files',`
+	gen_require(`
+		type portage_tmp_t;
+	')
+
+	allow $1 portage_tmp_t:dir list_dir_perms;
+	allow $1 portage_tmp_t:file read_file_perms;
+')
+
+
+########################################
+## <summary>
 ##	Do not audit attempts to read and write
 ##	the portage temporary files.
 ## </summary>
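
Review bot: portage_read_tmp_files grants list_dir_perms on portage_tmp_t:dir, so a caller can enumerate the whole temporary directory, which is more than the name "read_tmp_files" implies. If callers only open files at known paths, search permission on the directory is enough, and read_files_pattern($1, portage_tmp_t, portage_tmp_t) would express that in one line. If listing is really needed, the summary should say so. The commit message also only motivates the configuration directory search and does not say which domain needs to read portage_tmp_t files. Minor: the summary names the raw type ("portage_tmp_t files") where the neighbouring interfaces say "portage temporary files", it is space-indented, and there are two blank lines after the closing "')" where the first hunk leaves one.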
-- 
1.7.3.4


