diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index 83a36fc0a..798acbe4a 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -114,6 +114,8 @@ interface(`portage_compile_domain',`
 manage_fifo_files_pattern($1, portage_tmp_t, portage_tmp_t)
 manage_sock_files_pattern($1, portage_tmp_t, portage_tmp_t)
 files_tmp_filetrans($1, portage_tmp_t, { dir file lnk_file sock_file fifo_file })
+ # SELinux-enabled programs running in the sandbox
+ allow $1 portage_tmp_t:file relabel_file_perms;
 manage_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
 manage_lnk_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
@@ -152,6 +154,8 @@ interface(`portage_compile_domain',`
 domain_use_interactive_fds($1)
 domain_dontaudit_read_all_domains_state($1)
+ # SELinux-aware installs doing relabels in the sandbox
+ domain_obj_id_change_exemption($1)
 files_exec_etc_files($1)
 files_exec_usr_src_files($1)
@@ -162,6 +166,7 @@ interface(`portage_compile_domain',`
 fs_read_noxattr_fs_symlinks($1)
 fs_search_auto_mountpoints($1)
+ selinux_validate_context($1)
 # needed for merging dbus:
 selinux_compute_access_vector($1)
@@ -180,6 +185,9 @@ interface(`portage_compile_domain',`
 userdom_use_user_terminals($1)
+ # SELinux-enabled programs running in the sandbox
+ seutil_libselinux_linked($1)
+
 ifdef(`TODO',`
 # some gui ebuilds want to interact with X server, like xawtv
 optional_policy(`
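Review bot: The raw `allow $1 portage_tmp_t:file relabel_file_perms;` added in the first hunk breaks with the surrounding `manage_*_pattern` style; the refpolicy form is `relabel_files_pattern($1, portage_tmp_t, portage_tmp_t)`, which grants the same file relabel permissions plus the directory search a relabel needs, and is what the rest of this interface uses for portage_tmp_t. The rule is scoped to the `file` class only, so if the installers this is meant for also relabel directories or symlinks under portage_tmp_t those will still be denied — worth confirming against the denial that motivated the change. The comment `# SELinux-enabled programs running in the sandbox` is repeated verbatim on the `seutil_libselinux_linked($1)` addition in the last hunk and names neither a tool nor a denial; naming the concrete installer behaviour it unblocks (e.g. `# relabel within portage_tmp_t for libselinux-linked install tools`, adjusted to what was actually observed) would make both grants reviewable later. The enclosing `portage_compile_domain` interface starts before and ends after this hunk.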
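Review bot: `domain_obj_id_change_exemption($1)` in the second hunk is a far broader grant than the relabel it is paired with, and the comment does not justify it. As far as I recall from refpolicy, that interface adds the caller to the attribute that exempts it from the constraints tying file create/relabel to the domain's own SELinux user identity, and here it is handed to every domain that calls `portage_compile_domain`, i.e. the sandbox in which ebuild code runs. A relabel between portage_tmp_t and portage_tmp_t under the same user should not hit that constraint, so the comment should state which operation does, e.g. `# <TOOL-PLACEHOLDER> relabels files owned by a different seuser during install; constraint denial <DENIAL-PLACEHOLDER>`, or the grant should be dropped until such a denial is recorded. The enclosing interface starts before and ends after this hunk.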
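Review bot: `selinux_validate_context($1)` in the third hunk is the only addition in this commit without a rationale, and the nearest comment, `# needed for merging dbus:`, belongs to the following `selinux_compute_access_vector($1)` line, so a reader may wrongly take it to cover both. Add a one-line comment above the new call naming what validates contexts in the sandbox, e.g. `# libselinux-linked install tools validate the contexts they set` if that is the case. The enclosing interface starts before and ends after this hunk.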