From f13b5638911958158edbd40c857f26cb9e82cfe8 Mon Sep 17 00:00:00 2001
From: Sven Vermeulen
Date: Thu, 28 Apr 2011 15:39:21 -0400
Subject: [PATCH] setfscreate privilege is needed to be able to install java-config package

During the installation of for instance java-config, Portage wants to set its default file creation context to root:object_r:portage_tmp_t which isn't allowed:
creating /var/tmp/portage/dev-java/java-config-2.1.11-r3/temp/images/3.1/etc/revdep-rebuild
copying src/revdep-rebuild/60-java -> /var/tmp/portage/dev-java/java-config-2.1.11-r3/temp/images/3.1/etc/revdep-rebuild/
running install_egg_info
Writing /var/tmp/portage/dev-java/java-config-2.1.11-r3/temp/images/3.1/usr/lib64/python3.1/site-packages/java_config-2.1.11-py3.1.egg-info
cp: failed to set default file creation context to `root:object_r:portage_tmp_t': Permission denied
cp: failed to set default file creation context to `root:object_r:portage_tmp_t': Permission denied
cp: failed to set default file creation context to `root:object_r:portage_tmp_t': Permission denied
cp: failed to set default file creation context to `root:object_r:portage_tmp_t': Permission denied
...
ERROR: dev-java/java-config-2.1.11-r3 failed: Merging of intermediate installation image for Python ABI '2.6 into installation image failed
Signed-off-by: Sven Vermeulen
---
 policy/modules/admin/portage.if | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index 8aaa46d82..9a2c2a170 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -77,8 +77,8 @@ interface(`portage_compile_domain',`
 allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
 dontaudit $1 self:capability sys_chroot;
- allow $1 self:process { setpgid setsched setrlimit signal_perms execmem };
- allow $1 self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+ allow $1 self:process { setpgid setsched setrlimit signal_perms execmem setfscreate };
+ allow $1 self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
 allow $1 self:fd use;
 allow $1 self:fifo_file rw_fifo_file_perms;
 allow $1 self:shm create_shm_perms;
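Review bot: `setfscreate` is now granted twice on the two changed `self:process` lines: it is added to the explicit permission list and also dropped from the exclusion set of the `~{ ... }` rule, and since allow rules are additive either change alone has the same effect. I would keep only the explicit grant and leave the complement rule as it was, `allow $1 self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };`, so the permission shows up in one place and the catch-all rule is not widened. A comment above the explicit rule would help the next auditor, for example `# setfscreate: cp sets the file creation context (portage_tmp_t) while merging the install image`. Every domain passed as `$1` gains the ability to choose the label of files it creates, presumably still bounded by the file create rules for the target type, and the commit message quotes the cp error but not the AVC denial, so it is worth confirming that the compile domain is the one that was denied. The body of `portage_compile_domain` continues outside the hunk.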