commit: 8d39472678948b838904f31d1b3467b1fa427668
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Jul 13 19:47:28 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jul 13 20:59:50 2015 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8d394726
Add portage_enable_test boolean for FEATURES=test
policy/modules/contrib/portage.te | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/portage.te
b/policy/modules/contrib/portage.te
index 2e8ab9e..2f62eb6 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -375,6 +375,13 @@ ifdef(`distro_gentoo',`
## </desc>
gen_tunable(portage_mount_fs, false)
+## <desc>
+## <p>
+## Extra rules which are sometimes needed when FEATURES=test is enabled
+## </p>
+## </desc>
+gen_tunable(portage_enable_test, false)
+
##########################################
#
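Review bot: The description added for `portage_enable_test` does not say what the boolean grants, so an administrator deciding whether to turn it on cannot tell that it opens TCP networking for the sandbox domain. The rules it gates in the last hunk of this commit let `portage_sandbox_t` bind to and connect to all unreserved TCP ports. The text could read `Allow the portage sandbox to bind to and connect to unreserved TCP ports, which some test suites need when FEATURES=test is enabled`. Keeping the default at false is sensible, and the description should make clear that enabling it relaxes the sandbox's network confinement.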
@@ -388,7 +395,7 @@ gen_tunable(portage_mount_fs, false)
attribute portage_eselect_domain;
##########################################
- #
+ #
# Portage fetch local policy
#
@@ -476,6 +483,13 @@ gen_tunable(portage_mount_fs, false)
# install-xattr does listxattr() which throws a lot of this
dontaudit portage_sandbox_t self:capability sys_admin;
+ tunable_policy(`portage_enable_test',`
+ # lots of tests connect over loopback
+ corenet_tcp_bind_generic_node(portage_sandbox_t)
+ corenet_tcp_bind_all_unreserved_ports(portage_sandbox_t)
+ corenet_tcp_connect_all_unreserved_ports(portage_sandbox_t)
+ ')
+
##########################################
#
# Portage eselect module domain
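Review bot: The comment `# lots of tests connect over loopback` describes a narrower grant than the three rules under `tunable_policy` actually give. They are written by port type and generic node, and nothing visible in the hunk limits the peer address to loopback. With the boolean on, code built and tested in `portage_sandbox_t` can presumably listen on any unreserved TCP port and connect to unreserved ports on other hosts as well, unless policy outside this hunk already decides that either way. I would reword the comment to match, e.g. `# tests use TCP over loopback; these rules are by port type and do not restrict the peer address`. It is also worth checking whether a loopback-specific node rule or packet labelling could narrow the grant. The section containing this block starts before the hunk, so any surrounding conditionals are not visible here.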