Support NFS mounts for portage related locations

When users want to use NFS mounted portage tree, distfiles, packages and
other locations, they need to use the proper context= mount option. However,
in the majority of cases, the users use a single NFS mount. In such
situation, context= cannot be used properly since it puts a label on the
entire mount (whereas we would then need other labels depending on
subdirectories).

Introducing a boolean "portage_use_nfs" which, when set (default off),
allows the necessary portage-related domains to manage files and directories
with the nfs_t label.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>

policy/modules/admin/portage.if

@@ -188,6 +188,13 @@ interface(`portage_compile_domain',`
 	# SELinux-enabled programs running in the sandbox
 	seutil_libselinux_linked($1)
 
+	tunable_policy(`portage_use_nfs',`
+		fs_getattr_nfs($1)
+		fs_manage_nfs_dirs($1)
+		fs_manage_nfs_files($1)
+		fs_manage_nfs_symlinks($1)
+	')
+
 	ifdef(`TODO',`
 	# some gui ebuilds want to interact with X server, like xawtv
 	optional_policy(`

policy/modules/admin/portage.te

@@ -5,6 +5,14 @@ policy_module(portage, 1.10.2)
 # Declarations
 #
 
+## <desc>
+## <p>
+##   Allow the portage domains to use NFS mounts (regular nfs_t)
+## </p>
+## </desc>
+gen_tunable(portage_use_nfs, false)
+
+
 type gcc_config_t;
 type gcc_config_exec_t;
 application_domain(gcc_config_t, gcc_config_exec_t)
@@ -258,6 +266,13 @@ sysnet_dns_name_resolve(portage_fetch_t)
 userdom_use_user_terminals(portage_fetch_t)
 userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
 
+tunable_policy(`portage_use_nfs',`
+	fs_getattr_nfs(portage_fetch_t)
+	fs_manage_nfs_dirs(portage_fetch_t)
+	fs_manage_nfs_files(portage_fetch_t)
+	fs_manage_nfs_symlinks(portage_fetch_t)
+')
+
 ifdef(`hide_broken_symptoms',`
 	dontaudit portage_fetch_t portage_cache_t:file read;
 ')