selinux-policy/policy/modules/admin/portage.if

## <summary>
##	Portage Package Management System. The primary package management and
##	distribution system for Gentoo.
## </summary>

########################################
## <summary>
##	Execute emerge in the portage domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`portage_domtrans',`
	gen_require(`
		type portage_t, portage_exec_t;
	')

	files_search_usr($1)
	corecmd_search_bin($1)

	# transition to portage
	domtrans_pattern($1, portage_exec_t, portage_t)
')

########################################
## <summary>
##	Execute emerge in the portage domain, and
##	allow the specified role the portage domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to allow the portage domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`portage_run',`
	gen_require(`
		type portage_t, portage_fetch_t, portage_sandbox_t;
	')

	portage_domtrans($1)
	role $2 types { portage_t portage_fetch_t portage_sandbox_t };
')

########################################
## <summary>
##	Template for portage sandbox.
## </summary>
## <desc>
##	<p>
##	Template for portage sandbox.  Portage
##	does all compiling in the sandbox.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain Allowed Access
##	</summary>
## </param>
#
interface(`portage_compile_domain',`

	gen_require(`
		class dbus send_msg;
		type portage_devpts_t, portage_log_t, portage_tmp_t;
		type portage_tmpfs_t;
	')

	allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };
	dontaudit $1 self:capability sys_chroot;
	allow $1 self:process { setpgid setsched setrlimit signal_perms execmem };
	allow $1 self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
	allow $1 self:fd use;
	allow $1 self:fifo_file rw_fifo_file_perms;
	allow $1 self:shm create_shm_perms;
	allow $1 self:sem create_sem_perms;
	allow $1 self:msgq create_msgq_perms;
	allow $1 self:msg { send receive };
	allow $1 self:unix_dgram_socket create_socket_perms;
	allow $1 self:unix_stream_socket create_stream_socket_perms;
	allow $1 self:unix_dgram_socket sendto;
	allow $1 self:unix_stream_socket connectto;
	# really shouldnt need this
	allow $1 self:tcp_socket create_stream_socket_perms;
	allow $1 self:udp_socket create_socket_perms;
	# misc networking stuff (esp needed for compiling perl):
	allow $1 self:rawip_socket { create ioctl };
	# needed for merging dbus:
	allow $1 self:netlink_selinux_socket { bind create read };
	allow $1 self:dbus send_msg;

	allow $1 portage_devpts_t:chr_file { rw_chr_file_perms setattr };
	term_create_pty($1, portage_devpts_t)

	# write compile logs
	allow $1 portage_log_t:dir setattr;
	allow $1 portage_log_t:file { write_file_perms setattr };

	# run scripts out of the build directory
	can_exec(portage_sandbox_t, portage_tmp_t)

	manage_dirs_pattern($1, portage_tmp_t, portage_tmp_t)
	manage_files_pattern($1, portage_tmp_t, portage_tmp_t)
	manage_lnk_files_pattern($1, portage_tmp_t, portage_tmp_t)
	manage_fifo_files_pattern($1, portage_tmp_t, portage_tmp_t)
	manage_sock_files_pattern($1, portage_tmp_t, portage_tmp_t)
	files_tmp_filetrans($1, portage_tmp_t, { dir file lnk_file sock_file fifo_file })
	# SELinux-enabled programs running in the sandbox
	allow $1 portage_tmp_t:file relabel_file_perms;

	manage_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
	manage_lnk_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
	manage_fifo_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
	manage_sock_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
	fs_tmpfs_filetrans($1, portage_tmpfs_t, { dir file lnk_file sock_file fifo_file })

	kernel_read_system_state($1)
	kernel_read_network_state($1)
	kernel_read_software_raid_state($1)
	kernel_getattr_core_if($1)
	kernel_getattr_message_if($1)
	kernel_read_kernel_sysctls($1)

	corecmd_exec_all_executables($1)

	# really shouldnt need this but some packages test
	# network access, such as during configure
	# also distcc--need to reinvestigate confining distcc client
	corenet_all_recvfrom_unlabeled($1)
	corenet_all_recvfrom_netlabel($1)
	corenet_tcp_sendrecv_generic_if($1)
	corenet_udp_sendrecv_generic_if($1)
	corenet_raw_sendrecv_generic_if($1)
	corenet_tcp_sendrecv_generic_node($1)
	corenet_udp_sendrecv_generic_node($1)
	corenet_raw_sendrecv_generic_node($1)
	corenet_tcp_sendrecv_all_ports($1)
	corenet_udp_sendrecv_all_ports($1)
	corenet_tcp_connect_all_reserved_ports($1)
	corenet_tcp_connect_distccd_port($1)

	dev_read_sysfs($1)
	dev_read_rand($1)
	dev_read_urand($1)

	domain_use_interactive_fds($1)
	domain_dontaudit_read_all_domains_state($1)
	# SELinux-aware installs doing relabels in the sandbox
	domain_obj_id_change_exemption($1)

	files_exec_etc_files($1)
	files_exec_usr_src_files($1)

	fs_getattr_xattr_fs($1)
	fs_list_noxattr_fs($1)
	fs_read_noxattr_fs_files($1)
	fs_read_noxattr_fs_symlinks($1)
	fs_search_auto_mountpoints($1)

	selinux_validate_context($1)
	# needed for merging dbus:
	selinux_compute_access_vector($1)

	auth_read_all_dirs_except_shadow($1)
	auth_read_all_files_except_shadow($1)
	auth_read_all_symlinks_except_shadow($1)

	libs_exec_lib_files($1)
	# some config scripts use ldd
	libs_exec_ld_so($1)
	# this violates the idea of sandbox, but
	# regular sandbox allows it
	libs_domtrans_ldconfig($1)

	logging_send_syslog_msg($1)

	userdom_use_user_terminals($1)

	# SELinux-enabled programs running in the sandbox
	seutil_libselinux_linked($1)

	ifdef(`TODO',`
	# some gui ebuilds want to interact with X server, like xawtv
	optional_policy(`
		allow $1 xdm_xserver_tmp_t:dir { add_name remove_name write };
		allow $1 xdm_xserver_tmp_t:sock_file { create getattr unlink write };
	')
	') dnl end TODO
')

########################################
## <summary>
##	Execute gcc-config in the gcc_config domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`portage_domtrans_gcc_config',`
	gen_require(`
		type gcc_config_t, gcc_config_exec_t;
	')

	files_search_usr($1)
	corecmd_search_bin($1)

	domtrans_pattern($1, gcc_config_exec_t, gcc_config_t)
')

########################################
## <summary>
##	Execute gcc-config in the gcc_config domain, and
##	allow the specified role the gcc_config domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to allow the gcc_config domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`portage_run_gcc_config',`
	gen_require(`
		type gcc_config_t;
	')

	portage_domtrans_gcc_config($1)
	role $2 types gcc_config_t;
')

########################################
## <summary>
##	Do not audit attempts to search the
##	portage temporary directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`portage_dontaudit_search_tmp',`
	gen_require(`
		type portage_tmp_t;
	')

	dontaudit $1 portage_tmp_t:dir search_dir_perms;
')

########################################
## <summary>
##	Do not audit attempts to read and write
##	the portage temporary files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`portage_dontaudit_rw_tmp_files',`
	gen_require(`
		type portage_tmp_t;
	')

	dontaudit $1 portage_tmp_t:file rw_file_perms;
')
add portage from gentoo 2006-01-18 14:48:24 +00:00			`## <summary>`
			`## Portage Package Management System. The primary package management and`
			`## distribution system for Gentoo.`
			`## </summary>`

			`########################################`
			`## <summary>`
			`## Execute emerge in the portage domain.`
			`## </summary>`
			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
Admin layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com> 2010-08-05 12:45:31 +00:00			`## Domain allowed to transition.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
add portage from gentoo 2006-01-18 14:48:24 +00:00			`## </param>`
			`#`
			interface(`portage_domtrans',`
			gen_require(`
trunk: Remove hierarchy from portage module as it is not a good example of hieararchy. 2008-10-15 19:56:33 +00:00			`type portage_t, portage_exec_t;`
add portage from gentoo 2006-01-18 14:48:24 +00:00			`')`

			`files_search_usr($1)`
			`corecmd_search_bin($1)`

fixes 2006-04-21 18:00:51 +00:00			`# transition to portage`
trunk: Remove hierarchy from portage module as it is not a good example of hieararchy. 2008-10-15 19:56:33 +00:00			`domtrans_pattern($1, portage_exec_t, portage_t)`
add portage from gentoo 2006-01-18 14:48:24 +00:00			`')`

			`########################################`
			`## <summary>`
			`## Execute emerge in the portage domain, and`
			`## allow the specified role the portage domain.`
			`## </summary>`
			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
Admin layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com> 2010-08-05 12:45:31 +00:00			`## Domain allowed to transition.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
add portage from gentoo 2006-01-18 14:48:24 +00:00			`## </param>`
			`## <param name="role">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
add portage from gentoo 2006-01-18 14:48:24 +00:00			`## The role to allow the portage domain.`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
add portage from gentoo 2006-01-18 14:48:24 +00:00			`## </param>`
add main part of role-o-matic 2006-09-06 22:07:25 +00:00			`## <rolecap/>`
add portage from gentoo 2006-01-18 14:48:24 +00:00			`#`
			interface(`portage_run',`
			gen_require(`
trunk: Remove hierarchy from portage module as it is not a good example of hieararchy. 2008-10-15 19:56:33 +00:00			`type portage_t, portage_fetch_t, portage_sandbox_t;`
add portage from gentoo 2006-01-18 14:48:24 +00:00			`')`

			`portage_domtrans($1)`
trunk: Remove hierarchy from portage module as it is not a good example of hieararchy. 2008-10-15 19:56:33 +00:00			`role $2 types { portage_t portage_fetch_t portage_sandbox_t };`
add portage from gentoo 2006-01-18 14:48:24 +00:00			`')`

			`########################################`
			`## <summary>`
			`## Template for portage sandbox.`
			`## </summary>`
			`## <desc>`
			`## <p>`
			`## Template for portage sandbox. Portage`
			`## does all compiling in the sandbox.`
			`## </p>`
			`## </desc>`
first cut of hierarchical policy 2006-04-21 15:08:21 +00:00			`## <param name="domain">`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## <summary>`
first cut of hierarchical policy 2006-04-21 15:08:21 +00:00			`## Domain Allowed Access`
xml building changes, add desc tag to booleans, add summary tag to bools 2006-02-10 18:41:53 +00:00			`## </summary>`
add portage from gentoo 2006-01-18 14:48:24 +00:00			`## </param>`
			`#`
first cut of hierarchical policy 2006-04-21 15:08:21 +00:00			interface(`portage_compile_domain',`

need send_msg for merging dbus 2006-06-20 17:32:21 +00:00			gen_require(`
			`class dbus send_msg;`
trunk: a pile of misc fixes, mainly sync xml docs with interface implementation. 2008-05-15 13:10:34 +00:00			`type portage_devpts_t, portage_log_t, portage_tmp_t;`
			`type portage_tmpfs_t;`
need send_msg for merging dbus 2006-06-20 17:32:21 +00:00			`')`

first cut of hierarchical policy 2006-04-21 15:08:21 +00:00			`allow $1 self:capability { fowner fsetid mknod setgid setuid chown dac_override net_raw };`
dontaudit chroot, glibc compile is ok without it 2006-05-08 13:21:36 +00:00			`dontaudit $1 self:capability sys_chroot;`
first cut of hierarchical policy 2006-04-21 15:08:21 +00:00			`allow $1 self:process { setpgid setsched setrlimit signal_perms execmem };`
			`allow $1 self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };`
			`allow $1 self:fd use;`
merge policy patterns to trunk 2006-12-12 20:08:08 +00:00			`allow $1 self:fifo_file rw_fifo_file_perms;`
first cut of hierarchical policy 2006-04-21 15:08:21 +00:00			`allow $1 self:shm create_shm_perms;`
			`allow $1 self:sem create_sem_perms;`
			`allow $1 self:msgq create_msgq_perms;`
			`allow $1 self:msg { send receive };`
			`allow $1 self:unix_dgram_socket create_socket_perms;`
			`allow $1 self:unix_stream_socket create_stream_socket_perms;`
			`allow $1 self:unix_dgram_socket sendto;`
			`allow $1 self:unix_stream_socket connectto;`
add portage from gentoo 2006-01-18 14:48:24 +00:00			`# really shouldnt need this`
first cut of hierarchical policy 2006-04-21 15:08:21 +00:00			`allow $1 self:tcp_socket create_stream_socket_perms;`
			`allow $1 self:udp_socket create_socket_perms;`
add portage from gentoo 2006-01-18 14:48:24 +00:00			`# misc networking stuff (esp needed for compiling perl):`
first cut of hierarchical policy 2006-04-21 15:08:21 +00:00			`allow $1 self:rawip_socket { create ioctl };`
add portage from gentoo 2006-01-18 14:48:24 +00:00			`# needed for merging dbus:`
first cut of hierarchical policy 2006-04-21 15:08:21 +00:00			`allow $1 self:netlink_selinux_socket { bind create read };`
need send_msg for merging dbus 2006-06-20 17:32:21 +00:00			`allow $1 self:dbus send_msg;`
first cut of hierarchical policy 2006-04-21 15:08:21 +00:00
merge policy patterns to trunk 2006-12-12 20:08:08 +00:00			`allow $1 portage_devpts_t:chr_file { rw_chr_file_perms setattr };`
trunk: whitespace fixes 2009-06-26 14:40:13 +00:00			`term_create_pty($1, portage_devpts_t)`
first cut of hierarchical policy 2006-04-21 15:08:21 +00:00
			`# write compile logs`
			`allow $1 portage_log_t:dir setattr;`
trunk: more open perm fixes. 2008-10-20 16:10:42 +00:00			`allow $1 portage_log_t:file { write_file_perms setattr };`
first cut of hierarchical policy 2006-04-21 15:08:21 +00:00
			`# run scripts out of the build directory`
trunk: massive whitespace cleanup from dominick grift. 2008-07-23 21:38:39 +00:00			`can_exec(portage_sandbox_t, portage_tmp_t)`
first cut of hierarchical policy 2006-04-21 15:08:21 +00:00
trunk: massive whitespace cleanup from dominick grift. 2008-07-23 21:38:39 +00:00			`manage_dirs_pattern($1, portage_tmp_t, portage_tmp_t)`
			`manage_files_pattern($1, portage_tmp_t, portage_tmp_t)`
			`manage_lnk_files_pattern($1, portage_tmp_t, portage_tmp_t)`
			`manage_fifo_files_pattern($1, portage_tmp_t, portage_tmp_t)`
			`manage_sock_files_pattern($1, portage_tmp_t, portage_tmp_t)`
			`files_tmp_filetrans($1, portage_tmp_t, { dir file lnk_file sock_file fifo_file })`
Portage fixes for installing SELinux-aware programs. 2010-02-18 01:23:41 +00:00			`# SELinux-enabled programs running in the sandbox`
			`allow $1 portage_tmp_t:file relabel_file_perms;`
first cut of hierarchical policy 2006-04-21 15:08:21 +00:00
trunk: massive whitespace cleanup from dominick grift. 2008-07-23 21:38:39 +00:00			`manage_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)`
			`manage_lnk_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)`
			`manage_fifo_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)`
			`manage_sock_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)`
			`fs_tmpfs_filetrans($1, portage_tmpfs_t, { dir file lnk_file sock_file fifo_file })`
first cut of hierarchical policy 2006-04-21 15:08:21 +00:00
			`kernel_read_system_state($1)`
			`kernel_read_network_state($1)`
			`kernel_read_software_raid_state($1)`
			`kernel_getattr_core_if($1)`
			`kernel_getattr_message_if($1)`
			`kernel_read_kernel_sysctls($1)`

			`corecmd_exec_all_executables($1)`
add portage from gentoo 2006-01-18 14:48:24 +00:00
fixes 2006-04-21 18:00:51 +00:00			`# really shouldnt need this but some packages test`
			`# network access, such as during configure`
			`# also distcc--need to reinvestigate confining distcc client`
trunk: Unified labeled networking policy from Paul Moore. The latest revision of the labeled policy patches which enable both labeled and unlabeled policy support for NetLabel. This revision takes into account Chris' feedback from the first version and reduces the number of interface calls in each domain down to two at present: one for unlabeled access, one for NetLabel access. The older, transport layer specific interfaces, are still present for use by third-party modules but are not used in the default policy modules. trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore. This patch changes the policy to use the netmsg initial SID as the "base" SID/context for NetLabel packets which only have MLS security attributes. Currently we use the unlabeled initial SID which makes it very difficult to distinquish between actual unlabeled packets and those packets which have MLS security attributes. 2007-06-27 15:23:21 +00:00			`corenet_all_recvfrom_unlabeled($1)`
			`corenet_all_recvfrom_netlabel($1)`
first cut of hierarchical policy 2006-04-21 15:08:21 +00:00			`corenet_tcp_sendrecv_generic_if($1)`
			`corenet_udp_sendrecv_generic_if($1)`
			`corenet_raw_sendrecv_generic_if($1)`
trunk: Remove node definitions and change node usage to generic nodes. 2009-01-09 19:48:02 +00:00			`corenet_tcp_sendrecv_generic_node($1)`
			`corenet_udp_sendrecv_generic_node($1)`
			`corenet_raw_sendrecv_generic_node($1)`
first cut of hierarchical policy 2006-04-21 15:08:21 +00:00			`corenet_tcp_sendrecv_all_ports($1)`
			`corenet_udp_sendrecv_all_ports($1)`
			`corenet_tcp_connect_all_reserved_ports($1)`
			`corenet_tcp_connect_distccd_port($1)`

			`dev_read_sysfs($1)`
			`dev_read_rand($1)`
			`dev_read_urand($1)`

			`domain_use_interactive_fds($1)`
gentoo testing fixes. 2006-10-13 21:44:02 +00:00			`domain_dontaudit_read_all_domains_state($1)`
Portage fixes for installing SELinux-aware programs. 2010-02-18 01:23:41 +00:00			`# SELinux-aware installs doing relabels in the sandbox`
			`domain_obj_id_change_exemption($1)`
first cut of hierarchical policy 2006-04-21 15:08:21 +00:00
			`files_exec_etc_files($1)`
			`files_exec_usr_src_files($1)`

			`fs_getattr_xattr_fs($1)`
			`fs_list_noxattr_fs($1)`
			`fs_read_noxattr_fs_files($1)`
			`fs_read_noxattr_fs_symlinks($1)`
			`fs_search_auto_mountpoints($1)`
add portage from gentoo 2006-01-18 14:48:24 +00:00
Portage fixes for installing SELinux-aware programs. 2010-02-18 01:23:41 +00:00			`selinux_validate_context($1)`
add portage from gentoo 2006-01-18 14:48:24 +00:00			`# needed for merging dbus:`
first cut of hierarchical policy 2006-04-21 15:08:21 +00:00			`selinux_compute_access_vector($1)`
add portage from gentoo 2006-01-18 14:48:24 +00:00
first cut of hierarchical policy 2006-04-21 15:08:21 +00:00			`auth_read_all_dirs_except_shadow($1)`
			`auth_read_all_files_except_shadow($1)`
			`auth_read_all_symlinks_except_shadow($1)`
add portage from gentoo 2006-01-18 14:48:24 +00:00
first cut of hierarchical policy 2006-04-21 15:08:21 +00:00			`libs_exec_lib_files($1)`
add portage from gentoo 2006-01-18 14:48:24 +00:00			`# some config scripts use ldd`
first cut of hierarchical policy 2006-04-21 15:08:21 +00:00			`libs_exec_ld_so($1)`
add portage from gentoo 2006-01-18 14:48:24 +00:00			`# this violates the idea of sandbox, but`
			`# regular sandbox allows it`
first cut of hierarchical policy 2006-04-21 15:08:21 +00:00			`libs_domtrans_ldconfig($1)`
add portage from gentoo 2006-01-18 14:48:24 +00:00
first cut of hierarchical policy 2006-04-21 15:08:21 +00:00			`logging_send_syslog_msg($1)`
add portage from gentoo 2006-01-18 14:48:24 +00:00
trunk: merge UBAC. 2008-11-05 16:10:46 +00:00			`userdom_use_user_terminals($1)`

Portage fixes for installing SELinux-aware programs. 2010-02-18 01:23:41 +00:00			`# SELinux-enabled programs running in the sandbox`
			`seutil_libselinux_linked($1)`

add portage from gentoo 2006-01-18 14:48:24 +00:00			ifdef(`TODO',`
			`# some gui ebuilds want to interact with X server, like xawtv`
deprecate module name as first parameter of optional_policy() 2006-03-24 16:13:54 +00:00			optional_policy(`
first cut of hierarchical policy 2006-04-21 15:08:21 +00:00			`allow $1 xdm_xserver_tmp_t:dir { add_name remove_name write };`
			`allow $1 xdm_xserver_tmp_t:sock_file { create getattr unlink write };`
add portage from gentoo 2006-01-18 14:48:24 +00:00			`')`
			`') dnl end TODO`
			`')`
first cut of hierarchical policy 2006-04-21 15:08:21 +00:00
add gcc-config to portage 2006-05-29 14:16:22 +00:00			`########################################`
			`## <summary>`
			`## Execute gcc-config in the gcc_config domain.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
Admin layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com> 2010-08-05 12:45:31 +00:00			`## Domain allowed to transition.`
add gcc-config to portage 2006-05-29 14:16:22 +00:00			`## </summary>`
			`## </param>`
			`#`
			interface(`portage_domtrans_gcc_config',`
			gen_require(`
			`type gcc_config_t, gcc_config_exec_t;`
			`')`

			`files_search_usr($1)`
			`corecmd_search_bin($1)`

trunk: massive whitespace cleanup from dominick grift. 2008-07-23 21:38:39 +00:00			`domtrans_pattern($1, gcc_config_exec_t, gcc_config_t)`
add gcc-config to portage 2006-05-29 14:16:22 +00:00			`')`

			`########################################`
			`## <summary>`
			`## Execute gcc-config in the gcc_config domain, and`
			`## allow the specified role the gcc_config domain.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
Admin layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com> 2010-08-05 12:45:31 +00:00			`## Domain allowed to transition.`
add gcc-config to portage 2006-05-29 14:16:22 +00:00			`## </summary>`
			`## </param>`
			`## <param name="role">`
			`## <summary>`
			`## The role to allow the gcc_config domain.`
			`## </summary>`
			`## </param>`
add main part of role-o-matic 2006-09-06 22:07:25 +00:00			`## <rolecap/>`
add gcc-config to portage 2006-05-29 14:16:22 +00:00			`#`
			interface(`portage_run_gcc_config',`
			gen_require(`
			`type gcc_config_t;`
			`')`

			`portage_domtrans_gcc_config($1)`
			`role $2 types gcc_config_t;`
			`')`
Misc portage fixes. 2010-02-18 01:25:39 +00:00
			`########################################`
			`## <summary>`
			`## Do not audit attempts to search the`
			`## portage temporary directories.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
Admin layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com> 2010-08-05 12:45:31 +00:00			`## Domain to not audit.`
Misc portage fixes. 2010-02-18 01:25:39 +00:00			`## </summary>`
			`## </param>`
			`#`
			interface(`portage_dontaudit_search_tmp',`
			gen_require(`
			`type portage_tmp_t;`
			`')`

			`dontaudit $1 portage_tmp_t:dir search_dir_perms;`
			`')`

			`########################################`
			`## <summary>`
			`## Do not audit attempts to read and write`
			`## the portage temporary files.`
			`## </summary>`
			`## <param name="domain">`
			`## <summary>`
Admin layer xml fixes. Signed-off-by: Dominick Grift <domg472@gmail.com> 2010-08-05 12:45:31 +00:00			`## Domain to not audit.`
Misc portage fixes. 2010-02-18 01:25:39 +00:00			`## </summary>`
			`## </param>`
			`#`
			interface(`portage_dontaudit_rw_tmp_files',`
			gen_require(`
			`type portage_tmp_t;`
			`')`

			`dontaudit $1 portage_tmp_t:file rw_file_perms;`
			`')`