Portage fixes for installing SELinux-aware programs.

policy/modules/admin/portage.if

@@ -114,6 +114,8 @@ interface(`portage_compile_domain',`
 	manage_fifo_files_pattern($1, portage_tmp_t, portage_tmp_t)
 	manage_sock_files_pattern($1, portage_tmp_t, portage_tmp_t)
 	files_tmp_filetrans($1, portage_tmp_t, { dir file lnk_file sock_file fifo_file })
+	# SELinux-enabled programs running in the sandbox
+	allow $1 portage_tmp_t:file relabel_file_perms;
 
 	manage_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
 	manage_lnk_files_pattern($1, portage_tmpfs_t, portage_tmpfs_t)
@@ -152,6 +154,8 @@ interface(`portage_compile_domain',`
 
 	domain_use_interactive_fds($1)
 	domain_dontaudit_read_all_domains_state($1)
+	# SELinux-aware installs doing relabels in the sandbox
+	domain_obj_id_change_exemption($1)
 
 	files_exec_etc_files($1)
 	files_exec_usr_src_files($1)
@@ -162,6 +166,7 @@ interface(`portage_compile_domain',`
 	fs_read_noxattr_fs_symlinks($1)
 	fs_search_auto_mountpoints($1)
 
+	selinux_validate_context($1)
 	# needed for merging dbus:
 	selinux_compute_access_vector($1)
 
@@ -180,6 +185,9 @@ interface(`portage_compile_domain',`
 
 	userdom_use_user_terminals($1)
 
+	# SELinux-enabled programs running in the sandbox
+	seutil_libselinux_linked($1)
+
 	ifdef(`TODO',`
 	# some gui ebuilds want to interact with X server, like xawtv
 	optional_policy(`