[refpolicy] [PATCHv2 4/4] Allow unconfined users to call portage features

Sven Vermeulen sven.vermeulen at siphos.be
Tue Sep 13 13:22:44 CDT 2011


The unconfined user is currently not allowed to call portage-related
functions. However, in a targeted system (with unconfined domains
enabled), users (including administrators) should be allowed to
transition to the portage domain.

We position the portage-related calls outside the "ifdef(distro_gentoo)"
as other distributions support Portage as well.

Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be>
---
 policy/modules/system/unconfined.te |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index eae5001..6195e6e 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -150,6 +150,12 @@ optional_policy(`
 ')
 
 optional_policy(`
+	portage_run(unconfined_t, unconfined_r)
+	portage_run_fetch(unconfined_t, unconfined_r)
+	portage_run_gcc_config(unconfined_t, unconfined_r)A
+')
+
+optional_policy(`
 	prelink_run(unconfined_t, unconfined_r)
 ')
 
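Review bot: the third added line, "portage_run_gcc_config(unconfined_t, unconfined_r)A", carries a stray "A" after the closing parenthesis. It looks like an editor slip, and it leaves a bare token inside the new optional_policy block that the policy build should reject. Drop the trailing character so the line reads "portage_run_gcc_config(unconfined_t, unconfined_r)", and rebuild the module with the portage policy present before resending. The commit message explains why the block sits outside the distro_gentoo ifdef, but it does not say why the unconfined domain needs all three transitions (portage, fetch, gcc_config). A one-line justification there would help whoever audits the transitions out of unconfined_t later.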
-- 
1.7.3.4


