From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-915542-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id 580611395E2
	for <garchives@archives.gentoo.org>; Tue,  6 Dec 2016 14:21:54 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 99B06E0C37;
	Tue,  6 Dec 2016 14:21:53 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 765F1E0C37
	for <gentoo-commits@lists.gentoo.org>; Tue,  6 Dec 2016 14:21:53 +0000 (UTC)
Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id 6FD463412CB
	for <gentoo-commits@lists.gentoo.org>; Tue,  6 Dec 2016 14:21:52 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id 5DD594A6
	for <gentoo-commits@lists.gentoo.org>; Tue,  6 Dec 2016 14:21:50 +0000 (UTC)
From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" <perfinion@gentoo.org>
Message-ID: <1481032683.a2f1ba7050cdedf754c399f9c22375bff161b78f.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/portage.if
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: a2f1ba7050cdedf754c399f9c22375bff161b78f
X-VCS-Branch: master
Date: Tue,  6 Dec 2016 14:21:50 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: f90499f4-fd72-4818-881d-ece705f58a49
X-Archives-Hash: 617d9a57683f9113c958817f81919eec

commit:     a2f1ba7050cdedf754c399f9c22375bff161b78f
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Sat Nov 26 18:05:35 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec  6 13:58:03 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a2f1ba70

Allow portage compile domains to relabel portage_tmp_t:dir's

This permission is requested by a 'cp' in the multibuild.eclass (see bug
600926). It's not actually required, but since we already allow the same
permission for files and allowing it for directories doesn't have any
security implications, I've chosen to use "allow" instead of "dontaudit".

 policy/modules/contrib/portage.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index 14c4fb6..e990d79 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -118,6 +118,7 @@ interface(`portage_compile_domain',`
 	files_tmp_filetrans($1, portage_tmp_t, { dir file lnk_file sock_file fifo_file })
 	# SELinux-enabled programs running in the sandbox
 	allow $1 portage_tmp_t:file relabel_file_perms;
+	allow $1 portage_tmp_t:dir relabel_dir_perms;
 
 	manage_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
 	manage_lnk_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
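
Review bot: The added `allow $1 portage_tmp_t:dir relabel_dir_perms;` line has no comment of its own, so it reads as if it falls under the existing "# SELinux-enabled programs running in the sandbox" comment, while the commit message gives a different reason (a 'cp' in multibuild.eclass, bug 600926) and says the permission is not actually required. A one-line comment above the new rule naming the bug and noting that it is granted for convenience rather than necessity would keep that rationale next to the rule, where someone auditing the policy will look for it.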


From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-915557-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id 4012C1395E3
	for <garchives@archives.gentoo.org>; Tue,  6 Dec 2016 14:25:19 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 87EB8E0C5A;
	Tue,  6 Dec 2016 14:25:06 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 66307E0C5A
	for <gentoo-commits@lists.gentoo.org>; Tue,  6 Dec 2016 14:25:06 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id A269C341643
	for <gentoo-commits@lists.gentoo.org>; Tue,  6 Dec 2016 14:25:04 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id E443524CB
	for <gentoo-commits@lists.gentoo.org>; Tue,  6 Dec 2016 14:25:00 +0000 (UTC)
From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" <perfinion@gentoo.org>
Message-ID: <1481032683.a2f1ba7050cdedf754c399f9c22375bff161b78f.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/portage.if
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: a2f1ba7050cdedf754c399f9c22375bff161b78f
X-VCS-Branch: next
Date: Tue,  6 Dec 2016 14:25:00 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 22400b36-87f3-4ca1-8a5b-d55837b5e785
X-Archives-Hash: bf4fb8b431271e85fd724d26e713c79a
Message-ID: <20161206142500.Qo1-XfdKSm5dlUfD-BJ7MmMydguQy8f75SLS9O_DLmQ@z>

commit:     a2f1ba7050cdedf754c399f9c22375bff161b78f
Author:     Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Sat Nov 26 18:05:35 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec  6 13:58:03 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a2f1ba70

Allow portage compile domains to relabel portage_tmp_t:dir's

This permission is requested by a 'cp' in the multibuild.eclass (see bug
600926). It's not actually required, but since we already allow the same
permission for files and allowing it for directories doesn't have any
security implications, I've chosen to use "allow" instead of "dontaudit".

 policy/modules/contrib/portage.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if
index 14c4fb6..e990d79 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -118,6 +118,7 @@ interface(`portage_compile_domain',`
 	files_tmp_filetrans($1, portage_tmp_t, { dir file lnk_file sock_file fifo_file })
 	# SELinux-enabled programs running in the sandbox
 	allow $1 portage_tmp_t:file relabel_file_perms;
+	allow $1 portage_tmp_t:dir relabel_dir_perms;
 
 	manage_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
 	manage_lnk_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
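
Review bot: The new dir rule sits inside `interface(`portage_compile_domain',`` and is written against `$1`, so every domain passed to this interface gains it, not only the one running the multibuild.eclass 'cp' that triggered the denial. Since the commit message states the permission is not actually required, it is worth confirming that granting it to all callers is intended. If the goal is only to silence the audit message, "dontaudit" on the same line would do that without widening what compile domains may do to portage_tmp_t directories.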