Bug 376005 - selinux - emerge-webrsync with gpg fails to run in selinux
Summary: selinux - emerge-webrsync with gpg fails to run in selinux
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: Normal normal
Assignee: The Gentoo Linux Hardened Team
Reported: 2011-07-22 13:56 UTC by Matthew Thode ( prometheanfire )
Modified: 2011-10-23 13:17 UTC



Attachments
daily cron (cron-eix-sync, 357 bytes, text/plain), uploaded 2011-07-22 13:58 UTC by Matthew Thode (prometheanfire)
auditd log (emerge-webrsync.log, 3.35 KB, text/plain), uploaded 2011-07-22 14:00 UTC by Matthew Thode (prometheanfire)

Description Matthew Thode (prometheanfire) 2011-07-22 13:56:26 UTC
gonna attach the auditd logs and the cron script that it spawned.


also,
drwxr-xr-x. 2 root    root    system_u:object_r:file_t             4096 Jul 22 09:34 /var/tmp/emerge-webrsync

Reproducible: Always

Steps to Reproduce:
1. set up gpg and add webrsync-gpg to FEATURES in make.conf
2. run emerge-webrsync
3. if you are set to enforcing it will fail
Comment 1 Matthew Thode (prometheanfire) 2011-07-22 13:58:58 UTC
Created attachment 280617 [details]
daily cron
Comment 2 Matthew Thode (prometheanfire) 2011-07-22 14:00:06 UTC
Created attachment 280619 [details]
auditd log
Comment 3 Sven Vermeulen 2011-07-22 14:53:30 UTC
Thanks; this will be covered in r21. Are those the logs when you run the command from cron?
Comment 4 Matthew Thode (prometheanfire) 2011-07-22 14:54:59 UTC
The logs are from a manual run while I am in the sysadm_r role.
Comment 5 Sven Vermeulen 2011-07-23 17:50:59 UTC
Okay; apparently layman runs within the sysadm domain. When dealing with system administration from within, say, system_cronjob_t, this isn't what we want, because that would mean we need to give system_cronjob_t "too generic" administrative rights.

I'm going to put layman in its own domain, as part of the portage module, and make sure that whoever gets assigned portage_run() also has the rights to work with layman. After all, they're both pretty interconnected.

The layman files will then be marked as layman_var_lib_t. The portage_* domains will get read rights on this label.
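A sketch of the policy layout this comment describes, in refpolicy style; this is an added illustration, not the author's patch and not the actual hardened-refpolicy change. It assumes a layman_t domain entered through layman_exec_t, a layman_run() interface, and the /usr/bin/layman and /var/lib/layman paths (layman defaults, not taken from the bug).

```selinux
## .te part (the plan places these in the portage module)
type layman_t;
type layman_exec_t;
application_domain(layman_t, layman_exec_t)
role system_r types layman_t;

type layman_var_lib_t;
files_type(layman_var_lib_t)

# layman manages its own overlay store under the layman_var_lib_t label
manage_dirs_pattern(layman_t, layman_var_lib_t, layman_var_lib_t)
manage_files_pattern(layman_t, layman_var_lib_t, layman_var_lib_t)
# directories layman creates under /var/lib get the new label automatically
files_var_lib_filetrans(layman_t, layman_var_lib_t, dir)

# the portage_* domains only get read access to the overlay trees
list_dirs_pattern(portage_t, layman_var_lib_t, layman_var_lib_t)
read_files_pattern(portage_t, layman_var_lib_t, layman_var_lib_t)

## .if part: a run interface (assumed name layman_run), so that
## portage_run() can call layman_run($1, $2) and its callers get layman
## along with portage instead of running layman in sysadm_t
interface(`layman_run',`
	gen_require(`
		type layman_t, layman_exec_t;
	')
	# $1 = calling domain, $2 = role allowed to use the layman_t domain
	domtrans_pattern($1, layman_exec_t, layman_t)
	role $2 types layman_t;
')

## .fc part: paths are assumptions (layman defaults), not from the bug
/usr/bin/layman         --  gen_context(system_u:object_r:layman_exec_t,s0)
/var/lib/layman(/.*)?       gen_context(system_u:object_r:layman_var_lib_t,s0)
```

Once the module is loaded, `restorecon -R /var/lib/layman` applies the new file contexts so existing overlay files pick up layman_var_lib_t.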