[selinux-policy: 2407/3172] Misc portage fixes.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:33:38 UTC 2010


commit 15d80e36462d26e1d62804b5611610e7736d56b4
Author: Chris PeBenito <pebenito at gentoo.org>
Date:   Wed Feb 17 20:25:39 2010 -0500

    Misc portage fixes.

 policy/modules/admin/portage.if |   38 ++++++++++++++++++++++++++++++++++++++
 policy/modules/admin/portage.te |   13 +++++++++++--
 2 files changed, 49 insertions(+), 2 deletions(-)
---
diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index 798acbe..35161b2 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -243,3 +243,41 @@ interface(`portage_run_gcc_config',`
 	portage_domtrans_gcc_config($1)
 	role $2 types gcc_config_t;
 ')
+
+########################################
+## <summary>
+##	Do not audit attempts to search the
+##	portage temporary directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`portage_dontaudit_search_tmp',`
+	gen_require(`
+		type portage_tmp_t;
+	')
+
+	dontaudit $1 portage_tmp_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to read and write
+##	the portage temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`portage_dontaudit_rw_tmp_files',`
+	gen_require(`
+		type portage_tmp_t;
+	')
+
+	dontaudit $1 portage_tmp_t:file rw_file_perms;
+')
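Review bot: The `<param name="domain">` summary in both new interfaces reads `Domain allowed access.`, which is the wording for interfaces that grant something; these two only suppress denials, and the refpolicy convention for dontaudit interfaces is `Domain to not audit.`. The same line appears in portage_dontaudit_search_tmp and portage_dontaudit_rw_tmp_files, so change it in both. The rest of the documentation (summary and rule) is consistent with the interface names.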
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 6af6e8a..ba1a256 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -1,5 +1,5 @@
 
-policy_module(portage, 1.9.0)
+policy_module(portage, 1.9.1)
 
 ########################################
 #
@@ -82,8 +82,11 @@ corecmd_exec_shell(gcc_config_t)
 corecmd_exec_bin(gcc_config_t)
 corecmd_manage_bin_files(gcc_config_t)
 
+domain_use_interactive_fds(gcc_config_t)
+
 files_manage_etc_files(gcc_config_t)
 files_rw_etc_runtime_files(gcc_config_t)
+files_read_usr_files(gcc_config_t)
 files_search_var_lib(gcc_config_t)
 files_search_pids(gcc_config_t)
 # complains loudly about not being able to list
@@ -119,7 +122,11 @@ optional_policy(`
 # - setfscreate for merging to live fs
 # - setexec to run portage fetch
 allow portage_t self:process { setfscreate setexec };
-allow portage_t self:capability sys_nice;
+# - kill for mysql merging, at least
+allow portage_t self:capability { sys_nice kill };
+
+# user post-sync scripts
+can_exec(portage_t, portage_conf_t)
 
 allow portage_t portage_log_t:file manage_file_perms;
 logging_log_filetrans(portage_t, portage_log_t, file)
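Review bot: `can_exec(portage_t, portage_conf_t)` makes every file carrying the configuration type executable by portage_t, not only the post-sync scripts the comment names, so from this commit on a write to any portage_conf_t file is also a way to run code in the portage_t domain; if the post-sync hook location is a distinct path it would be worth a dedicated type for it so configuration and executable hooks stay separable. The new comment `# - kill for mysql merging, at least` hedges on why `kill` is needed; a reviewer would prefer the specific observed denial, e.g. `# - kill: needed by the mysql ebuild's merge phase` (confirm against the audit log that prompted it), so a later cleanup can judge whether the capability is still required. Both are about the new rules themselves; the surrounding allow block continues outside the hunk.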
@@ -214,6 +221,8 @@ files_tmp_filetrans(portage_fetch_t, portage_fetch_tmp_t, { file dir })
 # portage makes home dir the portage tmp dir, so
 # wget looks for .wgetrc there
 dontaudit portage_fetch_t portage_tmp_t:dir search_dir_perms;
+# rsync server timestamp check
+allow portage_fetch_t portage_tmp_t:file { read_file_perms delete_file_perms };
 
 kernel_read_system_state(portage_fetch_t)
 kernel_read_kernel_sysctls(portage_fetch_t)
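Review bot: The new `allow portage_fetch_t portage_tmp_t:file { read_file_perms delete_file_perms };` sits directly under a line that only dontaudits `search` on portage_tmp_t directories for the same domain, so a path lookup into that directory is still denied, and `unlink` (part of delete_file_perms) additionally needs `remove_name` on the parent directory; unless those dir permissions are granted elsewhere in portage.te, the new rule cannot be exercised through a normal open or unlink. If the rsync timestamp file really has to be read and removed, the dontaudit on the preceding line should become an allow of the needed directory permissions (refpolicy's `del_entry_dir_perms` covers search plus remove_name), or the dontaudit should stay and the file allow be dropped if the denial is harmless; I cannot tell from the hunk which of the two the reported denial calls for. Either way the comment `# rsync server timestamp check` would be clearer if it named the file or pattern it refers to.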

