diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index 798acbe..35161b2 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -243,3 +243,41 @@ interface(`portage_run_gcc_config',`
portage_domtrans_gcc_config($1)
role $2 types gcc_config_t;
')
+
+########################################
+##
+## Do not audit attempts to search the
+## portage temporary directories.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`portage_dontaudit_search_tmp',`
+ gen_require(`
+ type portage_tmp_t;
+ ')
+
+ dontaudit $1 portage_tmp_t:dir search_dir_perms;
+')
+
+########################################
+##
+## Do not audit attempts to read and write
+## the portage temporary files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`portage_dontaudit_rw_tmp_files',`
+ gen_require(`
+ type portage_tmp_t;
+ ')
+
+ dontaudit $1 portage_tmp_t:file rw_file_perms;
+')
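Review bot: The two new interfaces are declared without a caller in this commit, and `portage_dontaudit_rw_tmp_files` suppresses both read and write denials on portage_tmp_t files, so a domain that later needs real access will fail silently; the `<desc>` block should say which callers this is meant for so the suppression is not applied to domains that legitimately merge or fetch. The doc comments in the hunk also appear to lack the refpolicy `<summary>` and `<param name="domain">` markup (lines 12–19 and 31–38 are bare `##` lines), though this may be an artifact of how the patch was rendered; if the tags are genuinely missing, `make html`/policy doc tooling will not index these interfaces. If the width of the rule is intentional, a one-line comment above line 26 and line 45 such as `# suppresses noise from domains that inherit portage's cwd/fds, not a grant of access` would make the intent clear to reviewers reading the audit log later.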
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 6af6e8a..ba1a256 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -1,5 +1,5 @@
-policy_module(portage, 1.9.0)
+policy_module(portage, 1.9.1)
########################################
#
@@ -82,8 +82,11 @@ corecmd_exec_shell(gcc_config_t)
corecmd_exec_bin(gcc_config_t)
corecmd_manage_bin_files(gcc_config_t)
+domain_use_interactive_fds(gcc_config_t)
+
files_manage_etc_files(gcc_config_t)
files_rw_etc_runtime_files(gcc_config_t)
+files_read_usr_files(gcc_config_t)
files_search_var_lib(gcc_config_t)
files_search_pids(gcc_config_t)
# complains loudly about not being able to list
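Review bot: Neither `domain_use_interactive_fds(gcc_config_t)` nor `files_read_usr_files(gcc_config_t)` carries a why-comment, unlike the neighbouring rules in this block which explain the denial they address. `files_read_usr_files` is broad (read access across /usr), so a short note on what gcc-config reads there would help the next reviewer judge whether a narrower interface suffices; something like `# gcc-config reads /usr/<target>/gcc-bin and the toolchain tree` if that is indeed the trigger. This hunk starts mid-way through the gcc_config_t local policy section, so the surrounding context is outside the hunk.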
@@ -119,7 +122,11 @@ optional_policy(`
# - setfscreate for merging to live fs
# - setexec to run portage fetch
allow portage_t self:process { setfscreate setexec };
-allow portage_t self:capability sys_nice;
+# - kill for mysql merging, at least
+allow portage_t self:capability { sys_nice kill };
+
+# user post-sync scripts
+can_exec(portage_t, portage_conf_t)
allow portage_t portage_log_t:file manage_file_perms;
logging_log_filetrans(portage_t, portage_log_t, file)
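Review bot: `can_exec(portage_t, portage_conf_t)` lets portage_t execute any file labelled portage_conf_t in its own domain, with no domain transition, so post-sync scripts inherit portage_t's `setfscreate`/`setexec` process permissions and the newly added `kill` capability. That is defensible for an admin-maintained /etc/portage, but the rule's reach depends on who may write portage_conf_t files, which this hunk does not show; the comment on line 75 should state that explicitly, e.g. `# user post-sync scripts; executed directly in portage_t (no transition), so writers of portage_conf_t gain portage_t's rights`. Similarly, the `kill` capability note on line 72 is specific to one package, but CAP_KILL is not scoped to mysql — consider phrasing the comment as a general grant (`# kill: signal daemons during merge, e.g. mysql`) so nobody later assumes it can be dropped when that ebuild changes.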
@@ -214,6 +221,8 @@ files_tmp_filetrans(portage_fetch_t, portage_fetch_tmp_t, { file dir })
# portage makes home dir the portage tmp dir, so
# wget looks for .wgetrc there
dontaudit portage_fetch_t portage_tmp_t:dir search_dir_perms;
+# rsync server timestamp check
+allow portage_fetch_t portage_tmp_t:file { read_file_perms delete_file_perms };
kernel_read_system_state(portage_fetch_t)
kernel_read_kernel_sysctls(portage_fetch_t)
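Review bot: The new `allow portage_fetch_t portage_tmp_t:file { read_file_perms delete_file_perms }` is only exercisable if portage_fetch_t can reach the file, yet the line above merely dontaudits `search` on portage_tmp_t:dir and nothing in this hunk grants `search`, `write` or `remove_name` on that directory — unlink in particular needs the directory permissions as well as the file ones. If the timestamp file is opened via an inherited fd from portage_t the read half may work, but the delete half will fail with the denial hidden by the dontaudit, which is exactly the silent-failure case that rule was meant to avoid. If the intent is path-based access, the rule should be accompanied by the directory permissions (and the dontaudit on line 82 reconsidered); if the intent is fd-only access, the comment should say so, e.g. `# rsync server timestamp check (file reached via inherited fd; no dir access granted)`.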