Commit message | Author | Age | Files | Lines
* netutils: add file context for ss in /usr/bin [concord-dev] | Kenton Groombridge | 2022-10-12 | 1 | -0/+1
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* nginx: add file context for nginx in /usr/bin | Kenton Groombridge | 2022-10-12 | 1 | -0/+1
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* lvm: add file context for dmeventd in /usr/bin | Kenton Groombridge | 2022-10-12 | 1 | -0/+1
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* miscfiles: add file context for /usr/share/ca-certificates [2.20221101-r1, 2.20220520-r1] | Kenton Groombridge | 2022-09-03 | 1 | -0/+3
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* phpfpm: various fixes and new tunables | Kenton Groombridge | 2022-09-03 | 1 | -0/+73
    Minor fixes for phpfpm and add several new tunables, primarily designed to get various webapps working under SELinux.
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* nginx: various fixes | Kenton Groombridge | 2022-09-03 | 1 | -0/+15
    Various fixes for nginx, and also allow nginx to list and read user home content given that the httpd_read_user_content boolean is enabled.
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* apache: add gentoo-specific interface to map httpd sys content | Kenton Groombridge | 2022-09-03 | 1 | -0/+20
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* portage: allow portage to map ebuild files | Kenton Groombridge | 2022-09-03 | 1 | -0/+2
    When portage syncs a repo with git, git will mmap() ebuild files. Allow portage to map ebuild files to fix permission denied errors on syncing.
    Bug: https://bugs.gentoo.org/833017
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* iptables: add file context for /usr/libexec/nftables/nftables.sh | Kenton Groombridge | 2022-09-03 | 1 | -0/+2
    Bug: https://bugs.gentoo.org/840230
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* iptables: add file context for saved rules | Kenton Groombridge | 2022-09-03 | 2 | -1/+5
    Bug: https://bugs.gentoo.org/840230
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* xserver: Revert the rest of the sddm changes | Jason Zaman | 2022-09-03 | 4 | -14/+0
    Tried a partial revert in order to match upstream but validation still fails so fully revert again.
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* Update generated policy and doc files | Jason Zaman | 2022-09-03 | 5 | -7266/+8226
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* Merge upstream | Jason Zaman | 2022-09-03 | 1 | -1/+1
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* systemd: systemd-update-done fix startup issue | Dave Sugar | 2022-09-03 | 1 | -0/+1
    Seeing error:
    Failed to initalize SELinux labeling handle: No such file or directory
    but no denials. With strace (and looking at source) found it is opening /etc/selinux/config
    openat(AT_FDCWD, "/etc/selinux/config", O_RDONLY|O_CLOEXEC) = 3
    but that was dontaudited.
    allow systemd_update_done_t file_type:filesystem getattr;
    allow systemd_update_done_t selinux_config_t:dir { getattr open search };
    dontaudit systemd_update_done_t selinux_config_t:dir { getattr open search };
    dontaudit systemd_update_done_t selinux_config_t:file { getattr ioctl lock open read };
    These changes fix the issue.
    Signed-off-by: Dave Sugar <dsugar100@gmail.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* systemd: init_t creates systemd-logind 'linger' directory | Dave Sugar | 2022-09-03 | 2 | -0/+22
    node=localhost type=AVC msg=audit(1661480051.880:321): avc: denied { create } for pid=1027 comm="(d-logind)" name="linger" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_logind_var_lib_t:s0 tclass=dir permissive=0
    Signed-off-by: Dave Sugar <dsugar100@gmail.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* firewalld: firewalld-cmd uses dbus | Dave Sugar | 2022-09-03 | 1 | -0/+2
    node=localhost type=USER_AVC msg=audit(1661536843.099:11666): pid=1037 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for scontext=system_u:system_r:firewalld_t:s0 tcontext=toor_u:sysadm_r:sysadm_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
    node=localhost type=USER_AVC msg=audit(1661536101.833:8373): pid=1037 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for scontext=toor_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
    Signed-off-by: Dave Sugar <dsugar100@gmail.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* firewalld: write tmpfs files | Dave Sugar | 2022-09-03 | 1 | -0/+8
    node=localhost type=AVC msg=audit(1661536245.787:9531): avc: denied { write } for pid=1008 comm="firewalld" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=2564 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
    node=localhost type=AVC msg=audit(1661536245.788:9532): avc: denied { map } for pid=1008 comm="firewalld" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=2564 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
    node=localhost type=AVC msg=audit(1661536245.788:9532): avc: denied { read execute } for pid=1008 comm="firewalld" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=2564 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
    Signed-off-by: Dave Sugar <dsugar100@gmail.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* firewalld: allow to load kernel modules | Dave Sugar | 2022-09-03 | 1 | -0/+1
    node=localhost type=AVC msg=audit(1661468040.428:439): avc: denied { module_request } for pid=1009 comm="firewalld" kmod="nft-chain-1-nat" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
    Signed-off-by: Dave Sugar <dsugar100@gmail.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* firewalld: create netfilter socket | Dave Sugar | 2022-09-03 | 1 | -0/+1
    node=localhost type=AVC msg=audit(1661396059.060:376): avc: denied { create } for pid=1014 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=netlink_netfilter_socket permissive=1
    node=localhost type=AVC msg=audit(1661396059.060:377): avc: denied { setopt } for pid=1014 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=netlink_netfilter_socket permissive=1
    node=localhost type=AVC msg=audit(1661396059.436:398): avc: denied { write } for pid=1014 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=netlink_netfilter_socket permissive=1
    node=localhost type=AVC msg=audit(1661396059.436:399): avc: denied { read } for pid=1014 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=netlink_netfilter_socket permissive=1
    node=localhost type=AVC msg=audit(1661396059.437:400): avc: denied { getopt } for pid=1014 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=netlink_netfilter_socket permissive=1
    Signed-off-by: Dave Sugar <dsugar100@gmail.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* firewalld: read to read fips_enabled sysctl | Dave Sugar | 2022-09-03 | 1 | -0/+1
    node=localhost type=AVC msg=audit(1661396058.360:317): avc: denied { search } for pid=1014 comm="firewalld" name="crypto" dev="proc" ino=10510 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
    node=localhost type=AVC msg=audit(1661396058.360:317): avc: denied { read } for pid=1014 comm="firewalld" name="fips_enabled" dev="proc" ino=10511 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
    node=localhost type=AVC msg=audit(1661396058.360:317): avc: denied { open } for pid=1014 comm="firewalld" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10511 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
    node=localhost type=AVC msg=audit(1661396058.361:318): avc: denied { getattr } for pid=1014 comm="firewalld" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10511 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
    node=localhost type=AVC msg=audit(1661396058.664:340): avc: denied { search } for pid=1014 comm="firewalld" name="crypto" dev="proc" ino=10510 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
    Signed-off-by: Dave Sugar <dsugar100@gmail.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* usbguard: Allow to read fips_enabled sysctl | Dave Sugar | 2022-09-03 | 1 | -0/+1
    node=localhost type=AVC msg=audit(1661391275.238:339): avc: denied { search } for pid=1031 comm="usbguard-daemon" name="crypto" dev="proc" ino=20463 scontext=system_u:system_r:usbguard_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
    node=localhost type=AVC msg=audit(1661391275.238:339): avc: denied { read } for pid=1031 comm="usbguard-daemon" name="fips_enabled" dev="proc" ino=20464 scontext=system_u:system_r:usbguard_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
    node=localhost type=AVC msg=audit(1661391275.238:339): avc: denied { open } for pid=1031 comm="usbguard-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=20464 scontext=system_u:system_r:usbguard_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
    node=localhost type=AVC msg=audit(1661391275.238:340): avc: denied { getattr } for pid=1031 comm="usbguard-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=20464 scontext=system_u:system_r:usbguard_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
    Signed-off-by: Dave Sugar <dsugar100@gmail.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* chronyd: allow chronyd to read /usr/share/crypto-policies | Dave Sugar | 2022-09-03 | 1 | -0/+2
    With RHEL9 /etc/crypto-policies/back-ends are symlinks to /usr/share/crypto-policies/*/*
    node=localhost type=AVC msg=audit(1661344395.351:395): avc: denied { getattr } for pid=1014 comm="chronyd" path="/usr/share/crypto-policies/FIPS/gnutls.txt" dev="dm-0" ino=402142 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
    node=localhost type=AVC msg=audit(1661344395.351:396): avc: denied { read } for pid=1014 comm="chronyd" name="gnutls.txt" dev="dm-0" ino=402142 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
    node=localhost type=AVC msg=audit(1661344395.351:396): avc: denied { open } for pid=1014 comm="chronyd" path="/usr/share/crypto-policies/FIPS/gnutls.txt" dev="dm-0" ino=402142 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
    Signed-off-by: Dave Sugar <dsugar100@gmail.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* chronyd: Allow to read fips_enabled sysctl | Dave Sugar | 2022-09-03 | 1 | -0/+1
    node=localhost type=AVC msg=audit(1661344394.902:355): avc: denied { search } for pid=1014 comm="chronyd" name="crypto" dev="proc" ino=10742 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
    node=localhost type=AVC msg=audit(1661344394.902:355): avc: denied { read } for pid=1014 comm="chronyd" name="fips_enabled" dev="proc" ino=10743 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
    node=localhost type=AVC msg=audit(1661344394.902:355): avc: denied { open } for pid=1014 comm="chronyd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10743 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
    node=localhost type=AVC msg=audit(1661344394.902:356): avc: denied { getattr } for pid=1014 comm="chronyd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10743 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
    Signed-off-by: Dave Sugar <dsugar100@gmail.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* ssh: allow ssh_keygen to read /usr/share/crypto-policies/ | Dave Sugar | 2022-09-03 | 1 | -0/+1
    With RHEL9 /etc/crypto-policies/back-ends are symlinks to /usr/share/crypto-policies/*/*
    node=localhost type=AVC msg=audit(1661303919.946:335): avc: denied { getattr } for pid=1025 comm="ssh-keygen" path="/usr/share/crypto-policies/FIPS/opensslcnf.txt" dev="dm-0" ino=396589 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
    node=localhost type=AVC msg=audit(1661303919.946:336): avc: denied { read } for pid=1025 comm="ssh-keygen" name="opensslcnf.txt" dev="dm-0" ino=396589 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
    node=localhost type=AVC msg=audit(1661303919.946:336): avc: denied { open } for pid=1025 comm="ssh-keygen" path="/usr/share/crypto-policies/FIPS/opensslcnf.txt" dev="dm-0" ino=396589 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
    Signed-off-by: Dave Sugar <dsugar100@gmail.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* hypervkvp: Port updated module from Fedora policy. | Chris PeBenito | 2022-09-03 | 8 | -7/+258
    Change to refpolicy interfaces and fix optional blocks.
    Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* Add cloud-init. | Chris PeBenito | 2022-09-03 | 11 | -2/+356
    This is used by cloud providers to set up VMs during deployment.
    https://github.com/canonical/cloud-init
    Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* systemd: Add interface for systemctl exec. | Chris PeBenito | 2022-09-03 | 1 | -0/+31
    Adds necessary baseline permissions for the command.
    Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* Drop explicit calls to seutil and kernel module interfaces in broad files interfaces | Daniel Burgener | 2022-09-03 | 1 | -8/+0
    Historically, these calls were needed because the interfaces provided an attribute used to check various assertions. However, that attribute was dropped in 2005 with commit 15fefa4. Keeping these calls in prevents removing these permissions from a call to files_manage_all_files() with the $2 argument.
    Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* mls: Add setsockcreate constraint. | Chris PeBenito | 2022-09-03 | 1 | -1/+1
    Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* mcs: Reorganize file. | Chris PeBenito | 2022-09-03 | 1 | -17/+36
    Add more comments.
    Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* mcs: Remove duplicate node_bind constraint. | Chris PeBenito | 2022-09-03 | 1 | -3/+0
    Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* mcs: Add missing process permission constraints. | Chris PeBenito | 2022-09-03 | 1 | -1/+1
    Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* mcs: Add additional socket constraints. | Chris PeBenito | 2022-09-03 | 1 | -0/+12
    Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* mcs: Collapse constraints. | Chris PeBenito | 2022-09-03 | 1 | -32/+4
    Collapse file constraints as they are equivalent due to the same expressions.
    Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* mcs: Add additional SysV IPC constraints. | Chris PeBenito | 2022-09-03 | 1 | -1/+10
    Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* filesystem: Move ecryptfs interface definitions. | Chris PeBenito | 2022-09-03 | 1 | -78/+78
    Signed-off-by: Chris PeBenito <pebenito@ieee.org>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* container: Boolean for ecryptfs | Pat Riehecky | 2022-09-03 | 2 | -0/+92
    Signed-off-by: Pat Riehecky <riehecky@fnal.gov>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* systemd: Misc updates. | Chris PeBenito | 2022-09-03 | 2 | -4/+9
    Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* application: Allow apps to use init fds. | Chris PeBenito | 2022-09-03 | 1 | -0/+5
    This is needed for console/serial logins:
    avc: denied { use } for pid=767 comm="semodule" path="/dev/ttyS0" dev="devtmpfs" ino=83 scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=fd permissive=0
    Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* container: Getattr generic device nodes. | Chris PeBenito | 2022-09-03 | 1 | -0/+2
    There should be no device_t device nodes, but add access in case they exist. Saw containerd fail to start containers if it couldn't stat() all devices.
    Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* container: Allow container engines to connect to http cache ports. | Chris PeBenito | 2022-09-03 | 3 | -0/+23
    Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* systemd: Fixes for coredumps in containers. | Chris PeBenito | 2022-09-03 | 2 | -4/+32
    Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* files: Make etc_runtime_t a config file. | Chris PeBenito | 2022-09-03 | 1 | -1/+1
    Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* files: Add prerequisite access for files_mounton_non_security(). | Chris PeBenito | 2022-09-03 | 1 | -2/+2
    Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* storage: Add fc for /dev/ng*n* devices. | Chris PeBenito | 2022-09-03 | 1 | -0/+1
    Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* devices: Add type for infiniband devices. | Chris PeBenito | 2022-09-03 | 2 | -0/+8
    Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* iptables: Ioctl cgroup dirs. | Chris PeBenito | 2022-09-03 | 2 | -0/+20
    avc: denied { ioctl } for pid=7230 comm="ip6tables" path="/sys/fs/cgroup" dev="cgroup2" ino=1 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
    Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* devices: Add file context for /dev/vhost-vsock. | Chris PeBenito | 2022-09-03 | 1 | -0/+1
    Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* devices: Add type for SAS management devices. | Chris PeBenito | 2022-09-03 | 2 | -0/+7
    Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* container, docker: Fixes for containerd and kubernetes testing. | Chris PeBenito | 2022-09-03 | 4 | -0/+29
    Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>