[refpolicy] [PATCHv2 3/4] Allow sysadm_t to call all portage related services

Sven Vermeulen sven.vermeulen at siphos.be
Tue Sep 13 13:21:43 CDT 2011

The system administrator (in sysadm_t) is the only "user" domain that is
allowed to call portage-related services. So it also gains the privilege
to execute portage tree management functions (and as such transition to

Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be>
 policy/modules/roles/sysadm.te |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 1e1d649..954417f 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -253,6 +253,7 @@ optional_policy(`
 	portage_run(sysadm_t, sysadm_r)
+	portage_run_fetch(sysadm_t, sysadm_r)
 	portage_run_gcc_config(sysadm_t, sysadm_r)
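
Review bot: the added portage_run_fetch(sysadm_t, sysadm_r) line calls an interface that this patch does not define, since the diff only touches sysadm.te. The patch that introduces portage_run_fetch therefore has to come earlier in the series, or the call cannot be resolved when the tree is built at this commit. Because the call passes sysadm_r alongside sysadm_t, as the neighbouring portage_run and portage_run_gcc_config calls do, the commit message should name the domain that becomes reachable from sysadm_t and state that granting it to the sysadm_r role is intended, so the added privilege can be audited from the log alone.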
