From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-691801-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	by finch.gentoo.org (Postfix) with ESMTP id C14C21381FA
	for <garchives@archives.gentoo.org>; Thu,  1 May 2014 20:22:11 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id E9E97E09A4;
	Thu,  1 May 2014 20:22:08 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 7D871E09A4
	for <gentoo-commits@lists.gentoo.org>; Thu,  1 May 2014 20:22:07 +0000 (UTC)
Received: from spoonbill.gentoo.org (spoonbill.gentoo.org [81.93.255.5])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id C7FF03400B9
	for <gentoo-commits@lists.gentoo.org>; Thu,  1 May 2014 20:22:05 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1])
	by spoonbill.gentoo.org (Postfix) with ESMTP id 715F31818D
	for <gentoo-commits@lists.gentoo.org>; Thu,  1 May 2014 20:22:04 +0000 (UTC)
From: "Sven Vermeulen" <swift@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" <swift@gentoo.org>
Message-ID: <1398975575.3622f0211f17555747da2bf7acb6d8aba7785d1e.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/portage.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 3622f0211f17555747da2bf7acb6d8aba7785d1e
X-VCS-Branch: master
Date: Thu,  1 May 2014 20:22:04 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 9bbd5c9f-951c-4075-9ee6-c56c98a435f0
X-Archives-Hash: 31561e58ffc6fa4eb0990c068c63555d

commit:     3622f0211f17555747da2bf7acb6d8aba7785d1e
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Thu May  1 20:19:15 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu May  1 20:19:35 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3622f021

emerge-webrsync updates

Two small changes for emerge-webrsync.

The first one is that portage_fetch_t must be able to execute
portage_fetch_tmp_t. This is because portage_fetch_t calls portageq,
which (as a Python app) creates a temporary executable file to parse.

The second change allows portage_fetch_t to read user content (when an
overlay is in /home) optionally through the portage_read_user_content
boolean.

---
 policy/modules/contrib/portage.te | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index d5b29d6..443460b 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -13,6 +13,14 @@ policy_module(portage, 1.14.0)
 ## </desc>
 gen_tunable(portage_use_nfs, false)
 
+## <desc>
+##	<p>
+##	Determine whether portage domains can read user content.
+##	This is for non-portage_t domains as portage_t can manage the entire file system.
+##	</p>
+## </desc>
+gen_tunable(portage_read_user_content, false)
+
 attribute_role gcc_config_roles;
 attribute_role portage_roles;
 attribute_role portage_fetch_roles;
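Review bot: the new tunable's description says it applies to "portage domains" in general, but the only domain the tunable is wired to in this patch is portage_fetch_t, so the `<desc>` block should name that scope (and be updated if other portage_* domains are added later). The default of `false` is the right least-privilege choice, since the fetch domain handles content pulled over the network. Adding a tunable also changes the module's public interface; the context line shows `policy_module(portage, 1.14.0)` untouched, so consider bumping the version as refpolicy convention expects for contrib changes.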
@@ -262,6 +270,8 @@ manage_files_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t)
 manage_dirs_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t)
 manage_files_pattern(portage_fetch_t, portage_fetch_tmp_t, portage_fetch_tmp_t)
 files_tmp_filetrans(portage_fetch_t, portage_fetch_tmp_t, { file dir })
+# Needed as otherwise we get large Python tracebacks when using emerge-webrsync (portageq failure)
+can_exec(portage_fetch_t, portage_fetch_tmp_t)
 
 kernel_read_system_state(portage_fetch_t)
 kernel_read_kernel_sysctls(portage_fetch_t)
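Review bot: the comment above `can_exec(portage_fetch_t, portage_fetch_tmp_t)` describes the symptom (tracebacks) rather than the reason; it should say what the commit message says, namely that portageq, as a Python program, writes a temporary executable file that it then runs. More importantly, the surrounding lines already grant `manage_files_pattern` on portage_fetch_tmp_t, so this line lets the domain execute anything it can write, with no domain transition, and the resulting code runs with the full portage_fetch_t permissions (including network and rsync access seen elsewhere in this file). That is a real widening of the domain and deserves a one-line note in the comment so future readers do not remove the tmp type separation thinking it is cosmetic.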
@@ -307,7 +317,6 @@ miscfiles_read_generic_certs(portage_fetch_t)
 miscfiles_read_localization(portage_fetch_t)
 
 userdom_use_user_terminals(portage_fetch_t)
-userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
 
 rsync_exec(portage_fetch_t)
 
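Review bot: removing the unconditional `userdom_dontaudit_read_user_home_content_files(portage_fetch_t)` here is only correct because the same call reappears in the else branch of the `portage_read_user_content` tunable_policy block added below; on its own this hunk would reintroduce AVC noise for every emerge-webrsync run that touches a home directory. A short comment such as `# moved into tunable_policy(portage_read_user_content)` at this spot would make the intent clear to anyone reading this hunk in isolation.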
@@ -322,6 +331,13 @@ tunable_policy(`portage_use_nfs',`
 	fs_manage_nfs_symlinks(portage_fetch_t)
 ')
 
+tunable_policy(`portage_read_user_content',`
+	userdom_read_user_home_content_files(portage_fetch_t)
+	userdom_list_user_home_content(portage_fetch_t)
+',`
+	userdom_dontaudit_read_user_home_content_files(portage_fetch_t)
+')
+
 optional_policy(`
 	gpg_exec(portage_fetch_t)
 ')
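Review bot: the `true` branch grants portage_fetch_t read access to all user home content, not only to an overlay that happens to live under /home, so the tunable description should state that the grant is domain-wide across home directories; a narrower alternative worth mentioning in the `<desc>` is labelling the overlay directory portage_ebuild_t, which portage_fetch_t can already manage according to the `manage_files_pattern(portage_fetch_t, portage_ebuild_t, portage_ebuild_t)` context line earlier in this file. Please also verify whether `userdom_read_user_home_content_files` already includes the directory listing that `userdom_list_user_home_content` provides, so that the second call is not redundant. Finally, because the `false` branch is a dontaudit, a home-based overlay with the tunable off will fail silently rather than produce a denial in the audit log; the description could mention that `portage_read_user_content` must be enabled (or the dontaudit disabled with `semodule -DB`) before troubleshooting such a setup.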