From: Zac Medico <zmedico@gentoo.org>
Date: Tue, 22 May 2007 05:26:33 +0000 (-0000)
Subject: Use bash to spawn FETCHCOMMAND under selinux since most other binaries are forbidden... 
X-Git-Tag: v2.2_pre1~1399
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=b37379d42e58bd5628feeaa0f06390e4c697efad;p=portage.git

Use bash to spawn FETCHCOMMAND under selinux since most other binaries are forbidden as entrypoints into the fetch domain. Thanks to Justin Heesemann <jh@ionium.org> for reporting.

svn path=/main/trunk/; revision=6566
---

diff --git a/pym/portage/__init__.py b/pym/portage/__init__.py
index 664f0a7d7..171806f7a 100644
--- a/pym/portage/__init__.py
+++ b/pym/portage/__init__.py
@@ -2687,6 +2687,8 @@ def fetch(myuris, mysettings, listonly=0, fetchonly=0, locks_in_subdir=".locks",
 							con = selinux.getcontext()
 							con = con.replace(mysettings["PORTAGE_T"], mysettings["PORTAGE_FETCH_T"])
 							selinux.setexec(con)
+							# bash is an allowed entrypoint, while most binaries are not
+							myfetch = ["bash", "-c", "exec \"$@\"", myfetch[0]] + myfetch
 
 						myret = portage.process.spawn(myfetch,
 							env=mysettings.environ(), **spawn_keywords)