Allow unconfined users to call portage features

The unconfined user is currently not allowed to call portage-related functions. However, in a targeted system (with unconfined domains enabled), users (including administrators) should be allowed to transition to the portage domain. We position the portage-related calls outside the "ifdef(distro_gentoo)" as other distributions support Portage as well. Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-09-13 20:22:44 +02:00 · 2011-09-13 20:22:44 +02:00 · 017b505110
commit 017b505110
parent c94b5e3d18
1 changed files with 6 additions and 0 deletions
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@ -149,6 +149,12 @@ optional_policy(`
 	oddjob_domtrans_mkhomedir(unconfined_t)
 ')

+optional_policy(`
+	portage_run(unconfined_t, unconfined_r)
+	portage_run_fetch(unconfined_t, unconfined_r)
+	portage_run_gcc_config(unconfined_t, unconfined_r)A
+')
+
 optional_policy(`
 	prelink_run(unconfined_t, unconfined_r)
 ')