From: pebenito@ieee.org (Chris PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 2/2] portage: allow gpg for tree signature verification
Date: Sun, 10 Jun 2018 13:09:40 -0400 [thread overview]
Message-ID: <249e1d45-a3f6-3efa-e48b-d5c8db6a2834@ieee.org> (raw)
In-Reply-To: <20180608112400.34685-2-jason@perfinion.com>
On 06/08/2018 07:24 AM, Jason Zaman wrote:
> ---
> portage.te | 17 +++++++++++++++--
> 1 file changed, 15 insertions(+), 2 deletions(-)
>
> diff --git a/portage.te b/portage.te
> index 2146005..b762d87 100644
> --- a/portage.te
> +++ b/portage.te
> @@ -218,6 +218,10 @@ optional_policy(`
> cron_system_entry(portage_fetch_t, portage_fetch_exec_t)
> ')
>
> +optional_policy(`
> + gpg_spec_domtrans(portage_t, portage_fetch_t)
> +')
> +
> optional_policy(`
> modutils_run(portage_t, portage_roles)
> #dontaudit update_modules_t portage_tmp_t:dir search_dir_perms;
> @@ -244,7 +248,7 @@ allow portage_fetch_t self:process signal;
> allow portage_fetch_t self:capability { chown dac_override fowner fsetid };
> allow portage_fetch_t self:fifo_file rw_fifo_file_perms;
> allow portage_fetch_t self:tcp_socket { accept listen };
> -allow portage_fetch_t self:unix_stream_socket create_socket_perms;
> +allow portage_fetch_t self:unix_stream_socket { connectto create_stream_socket_perms };
>
> allow portage_fetch_t portage_conf_t:dir list_dir_perms;
>
> @@ -255,6 +259,7 @@ allow portage_fetch_t portage_gpg_t:file manage_file_perms;
>
> allow portage_fetch_t portage_tmp_t:dir manage_dir_perms;
> allow portage_fetch_t portage_tmp_t:file manage_file_perms;
> +allow portage_fetch_t portage_tmp_t:sock_file manage_sock_file_perms;
>
> read_files_pattern(portage_fetch_t, portage_conf_t, portage_conf_t)
>
> @@ -287,8 +292,10 @@ corenet_sendrecv_rsync_client_packets(portage_fetch_t)
> # it occasionally comes up
> corenet_tcp_connect_all_reserved_ports(portage_fetch_t)
> corenet_tcp_connect_generic_port(portage_fetch_t)
> +corenet_udp_bind_generic_node(portage_fetch_t)
> +corenet_udp_bind_all_unreserved_ports(portage_fetch_t)
>
> -dev_dontaudit_read_rand(portage_fetch_t)
> +dev_read_rand(portage_fetch_t)
>
> domain_use_interactive_fds(portage_fetch_t)
>
> @@ -325,7 +332,13 @@ tunable_policy(`portage_use_nfs',`
> ')
>
> optional_policy(`
> + gpg_entry_type(portage_fetch_t)
> gpg_exec(portage_fetch_t)
> + gpg_exec_agent(portage_fetch_t)
> +')
> +
> +optional_policy(`
> + dirmngr_exec(portage_fetch_t)
> ')
>
> ##########################################
Merged.
--
Chris PeBenito
next prev parent reply other threads:[~2018-06-10 17:09 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-06-08 11:23 [refpolicy] [PATCH 1/2] gpg: Introduce gpg_exec_agent() Jason Zaman
2018-06-08 11:24 ` [refpolicy] [PATCH 2/2] portage: allow gpg for tree signature verification Jason Zaman
2018-06-10 17:09 ` Chris PeBenito [this message]
2018-06-10 17:09 ` [refpolicy] [PATCH 1/2] gpg: Introduce gpg_exec_agent() Chris PeBenito
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=249e1d45-a3f6-3efa-e48b-d5c8db6a2834@ieee.org \
--to=pebenito@ieee.org \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).