[refpolicy] [PATCH 5/5] Allow portage to use GPG for tree signature verification

Jason Zaman jason at perfinion.com
Fri Jun 8 11:26:51 UTC 2018


After talking to Dominick, I decided to change this around to use the
portage_fetch_t domain instead. Please don't apply patches 4/5 or 5/5; I
am sending new patches instead.

-- Jason

On Fri, Jun 08, 2018 at 05:53:41PM +0800, Jason Zaman wrote:
> ---
>  dirmngr.te |  6 ++++++
>  gpg.te     | 12 ++++++++++++
>  portage.te |  4 ++++
>  3 files changed, 22 insertions(+)
> 
> diff --git a/dirmngr.te b/dirmngr.te
> index 983de0c..d087f0e 100644
> --- a/dirmngr.te
> +++ b/dirmngr.te
> @@ -89,3 +89,9 @@ optional_policy(`
>  	gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)
>  	gpg_stream_connect_agent(dirmngr_t)
>  ')
> +
> +ifdef(`distro_gentoo',`
> +	optional_policy(`
> +		portage_manage_tmp(dirmngr_t)
> +	')
> +')
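
Review bot: portage_manage_tmp(dirmngr_t) at the end of dirmngr.te hands manage-level access on portage's temporary files to the GnuPG component that does the network access, and neither the hunk nor the empty commit message says what dirmngr does there. Please quote the denial that motivated it in the commit message and add a one-line comment above the block, and cut the grant down to the access that denial actually shows.
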
> diff --git a/gpg.te b/gpg.te
> index 3420a21..fe407f5 100644
> --- a/gpg.te
> +++ b/gpg.te
> @@ -193,6 +193,12 @@ optional_policy(`
>  	xserver_rw_xdm_pipes(gpg_t)
>  ')
>  
> +ifdef(`distro_gentoo',`
> +	optional_policy(`
> +		portage_manage_tmp(gpg_t)
> +	')
> +')
> +
>  ########################################
>  #
>  # Helper local policy
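
Review bot: the portage_manage_tmp(gpg_t) block is placed in gpg_t's own local policy, so on a Gentoo build every gpg_t process gets manage access to portage's tmp files, not only a gpg that portage started for tree verification. Tying the access to a portage-owned domain, or at least granting less than manage, would keep an unrelated gpg run from being able to rewrite portage's working files.
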
> @@ -318,6 +324,12 @@ optional_policy(`
>  	xserver_read_user_xauth(gpg_agent_t)
>  ')
>  
> +ifdef(`distro_gentoo',`
> +	optional_policy(`
> +		portage_manage_tmp(gpg_agent_t)
> +	')
> +')
> +
>  ##############################
>  #
>  # Pinentry local policy
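
Review bot: the portage_manage_tmp(gpg_agent_t) block needs a stated reason, since the subject is signature verification and nothing here shows why the agent has to create or delete files in portage's tmp area. If it stays, a comment naming the path involved would help, and this is now the third identical distro_gentoo/optional_policy wrapper in the patch, which suggests the access belongs in one place on the portage side rather than in each GnuPG domain.
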
> diff --git a/portage.te b/portage.te
> index 2146005..4b72a16 100644
> --- a/portage.te
> +++ b/portage.te
> @@ -218,6 +218,10 @@ optional_policy(`
>  	cron_system_entry(portage_fetch_t, portage_fetch_exec_t)
>  ')
>  
> +optional_policy(`
> +	gpg_domtrans(portage_t)
> +')
> +
>  optional_policy(`
>  	modutils_run(portage_t, portage_roles)
>  	#dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
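
Review bot: gpg_domtrans(portage_t) in the new optional_policy block only sets up the domain transition, while the neighbouring block uses the role-aware form, modutils_run(portage_t, portage_roles). Please confirm gpg_t is already allowed for the roles in portage_roles; otherwise the transition will be denied at run time and a role-aware variant is needed. The block also has no comment saying it exists for tree signature verification, which only the subject line records.
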
> -- 
> 2.16.4
> 

