commit: c33f11a936d20aa6ab8975386525a267656f8e1b
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Mon Sep 11 03:18:29 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Sep 14 19:34:43 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c33f11a9
portage: Allow portage_t and portage_sandbox_t to access locale_t
This didn't crop out until now due to portage's wide-ranging access, but
it's necessary now for the map permission.
I'm aware adding the interface directly for portage_t is redundant, but
I'm doing it nevertheless in case we ever remove
portage_compile_domain(portage_t).
policy/modules/contrib/portage.if | 2 ++
policy/modules/contrib/portage.te | 2 ++
2 files changed, 4 insertions(+)
diff --git a/policy/modules/contrib/portage.if
b/policy/modules/contrib/portage.if
index 70f657ab..9f7be361 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -186,6 +186,8 @@ interface(`portage_compile_domain',`
logging_send_syslog_msg($1)
+ miscfiles_read_localization($1)
+
userdom_use_user_terminals($1)
# SELinux-enabled programs running in the sandbox
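Review bot: the added miscfiles_read_localization($1) line in portage_compile_domain carries no comment, while the reason for it (locale_t access is needed for the map permission) exists only in the commit message. A one-line comment above the call, for example "# locale_t access, needed for the map permission", would keep that rationale next to the rule. The subject also names portage_sandbox_t, but no visible hunk touches that type directly; if it receives the access only through this interface, stating that in the commit message would make the change easier to verify.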
diff --git a/policy/modules/contrib/portage.te
b/policy/modules/contrib/portage.te
index 2387c941..b0175d83 100644
--- a/policy/modules/contrib/portage.te
+++ b/policy/modules/contrib/portage.te
@@ -203,6 +203,8 @@ auth_manage_shadow(portage_t)
# merging baselayout will need this:
init_exec(portage_t)
+miscfiles_read_localization(portage_t)
+
# run setfiles -r
seutil_run_setfiles(portage_t, portage_roles)
# run semodule
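Review bot: miscfiles_read_localization(portage_t), added after init_exec(portage_t), is redundant with portage_compile_domain(portage_t) according to the commit message, and nothing in portage.te records that the duplication is deliberate. The neighbouring calls each carry a comment ("# merging baselayout will need this:", "# run setfiles -r"); a similar comment here, saying the call is kept on purpose in case portage_compile_domain(portage_t) is ever removed, would stop a later cleanup from dropping it as dead policy.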