[refpolicy] [PATCHv2 4/4] Allow unconfined users to call portage features
Sven Vermeulen
sven.vermeulen at siphos.be
Tue Sep 13 13:22:44 CDT 2011
The unconfined user is currently not allowed to call portage-related
functions. However, in a targeted system (with unconfined domains
enabled), users (including administrators) should be allowed to
transition to the portage domain.
We position the portage-related calls outside the "ifdef(distro_gentoo)"
as other distributions support Portage as well.
Signed-off-by: Sven Vermeulen <sven.vermeulen at siphos.be>
---
policy/modules/system/unconfined.te | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index eae5001..6195e6e 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -150,6 +150,12 @@ optional_policy(`
')
optional_policy(`
+ portage_run(unconfined_t, unconfined_r)
+ portage_run_fetch(unconfined_t, unconfined_r)
+ portage_run_gcc_config(unconfined_t, unconfined_r)A
+')
+
+optional_policy(`
prelink_run(unconfined_t, unconfined_r)
')
--
1.7.3.4
More information about the refpolicy
mailing list