[gentoo-hardened] SELinux: portage_ro_role

2015-10-15 Thread Luis Ressel
Hello, our portage policy includes a portage_ro_role interface to allow read-only access to portage data. As usual with _role interfaces, according to the documentation the interface takes a role as the first ($1) and a type as the second argument ($2). However, the directives in the interface act
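To show the reference-policy convention the post refers to (a `_role` interface whose first argument is a role and whose second is the user domain's type), here is a small illustrative interface in refpolicy `.if` syntax. It is an added example, not the actual `portage_ro_role` from the Gentoo policy; the `example_*` types, the interface name and the `staff_r`/`staff_t` usage are assumptions made for illustration. `gen_require`, `role … types`, `list_dir_perms` and `read_files_pattern` are the standard refpolicy support macros.

```m4
## <summary>
##	Role access for read-only inspection of some data store.
##	Hypothetical example, not part of any shipped policy.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	User domain for the role.
##	</summary>
## </param>
interface(`example_ro_role',`
	gen_require(`
		type example_data_t, example_log_t, example_helper_t;
	')

	# $1 is the role. A role can only appear in role statements, which
	# authorise it to be associated with a domain type; here it is
	# allowed to run a hypothetical helper domain the user may enter.
	role $1 types example_helper_t;

	# $2 is the user domain type. Every access-vector rule names it as the
	# source. Writing $1 in these rules would be wrong: a role is not a
	# type and cannot be the source of an allow rule.
	allow $2 example_data_t:dir list_dir_perms;
	read_files_pattern($2, example_data_t, example_data_t)
	read_files_pattern($2, example_log_t, example_log_t)
')
```

A role module would then call `example_ro_role(staff_r, staff_t)`. After building and loading the policy, `sesearch -A -s staff_t -t example_data_t -c file` should list the read permissions granted to the domain, while `seinfo -r staff_r -x` should list `example_helper_t` among the role's types; if a rule inside the interface had used `$1` where `$2` was meant, the build fails because the role name is not a valid type.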

[gentoo-hardened] [PATCH 4/4] portage: Add new interfaces to portage_ro_role

2015-10-15 Thread Luis Ressel
--- policy/modules/contrib/portage.if | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if index 962dcca..e9de28e 100644 --- a/policy/modules/contrib/portage.if +++ b/policy/modules/contrib/portage.if @@ -410,6 +410,8 @@ inter

[gentoo-hardened] [PATCH 3/4] portage: New read-only interfaces for srcrepo and logs

2015-10-15 Thread Luis Ressel
Create portage_read_srcrepo and portage_read_log interfaces. --- policy/modules/contrib/portage.if | 40 +++ 1 file changed, 40 insertions(+) diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if index 4652319..962dcca 100644 --- a

[gentoo-hardened] [PATCH 2/4] portage: Fix the gen_require of the portage_compile_domain interface

2015-10-15 Thread Luis Ressel
The portage_compile_domain interface used portage_sandbox_t without requiring it. --- policy/modules/contrib/portage.if | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if index c98a763..4652319 100644 --- a

[gentoo-hardened] [PATCH 1/4] portage: Dontaudit setattr in portage_dontaudit_write_cache

2015-10-15 Thread Luis Ressel
--- policy/modules/contrib/portage.if | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/contrib/portage.if b/policy/modules/contrib/portage.if index 640a63b..c98a763 100644 --- a/policy/modules/contrib/portage.if +++ b/policy/modules/contrib/portage.if @@ -511,6 +