commit:     8d39472678948b838904f31d1b3467b1fa427668
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Mon Jul 13 19:47:28 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Jul 13 20:59:50 2015 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8d394726

Add portage_enable_test boolean for FEATURES=test

 policy/modules/contrib/portage.te | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/policy/modules/contrib/portage.te b/policy/modules/contrib/portage.te
index 2e8ab9e..2f62eb6 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -375,6 +375,13 @@ ifdef(`distro_gentoo',`
 ## </desc>
 gen_tunable(portage_mount_fs, false)
 
+## <desc>
+##     <p>
+##     Extra rules which are sometimes needed when FEATURES=test is enabled
+##     </p>
+## </desc>
+gen_tunable(portage_enable_test, false)
+
 
        ##########################################
        #
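Review bot: The `<desc>` text for `portage_enable_test` does not say what the boolean grants, so an administrator cannot judge the cost of enabling it from `semanage boolean -l` or the generated documentation. From the rules added later in this commit, it gives `portage_sandbox_t` TCP bind on the generic node plus bind and connect on all unreserved ports. I would spell that out, for example `Allow the portage sandbox to bind and connect to unreserved TCP ports, which some test suites need when FEATURES=test is enabled`. It is also worth noting that the boolean is global, so while it is on the extra access presumably applies to every sandboxed build phase, not only to test phases.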
@@ -388,7 +395,7 @@ gen_tunable(portage_mount_fs, false)
        attribute portage_eselect_domain;
 
        ##########################################
-       # 
+       #
        # Portage fetch local policy
        #
 
@@ -476,6 +483,13 @@ gen_tunable(portage_mount_fs, false)
        # install-xattr does listxattr() which throws a lot of this
        dontaudit portage_sandbox_t self:capability sys_admin;
 
+       tunable_policy(`portage_enable_test',`
+               # lots of tests connect over loopback
+               corenet_tcp_bind_generic_node(portage_sandbox_t)
+               corenet_tcp_bind_all_unreserved_ports(portage_sandbox_t)
+               corenet_tcp_connect_all_unreserved_ports(portage_sandbox_t)
+       ')
+
        ##########################################
        #
        # Portage eselect module domain
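Review bot: The comment `# lots of tests connect over loopback` describes the motivation but understates the grant in the `tunable_policy` block. `corenet_tcp_bind_all_unreserved_ports` and `corenet_tcp_connect_all_unreserved_ports` are checked against port labels, not addresses, and `corenet_tcp_bind_generic_node` names the generic node type rather than a loopback one. Whether the sandbox can then reach non-local hosts depends on node and interface rules outside this hunk, so I would make the comment explicit, e.g. `# tests often use TCP over loopback; these rules match port labels, not addresses, so they are not limited to 127.0.0.1`. If the policy can express a loopback-only node rule, narrowing the bind to it would keep the boolean closer to its stated purpose.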
