Bug 356533 - SELinux kills portage when emerging under targeted policy while logged in via SSH user
Summary: SELinux kills portage when emerging under targeted policy while logged in via...
Status: RESOLVED DUPLICATE of bug 355745
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: SE Linux Bugs
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-02-26 03:46 UTC by Chris Richards
Modified: 2011-03-11 21:11 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
emerge --info (blueness-emerge.info,3.72 KB, text/plain)
2011-02-26 03:47 UTC, Chris Richards
failed selinux-base-policy build log (build.log,1.58 KB, text/plain)
2011-02-26 03:54 UTC, Chris Richards

Description Chris Richards 2011-02-26 03:46:14 UTC
When attempting to emerge a package (ANY package) on an SELinux system with Targeted policy, portage will abort with something like the following:

Traceback (most recent call last):
  File "/usr/lib64/portage/pym/_emerge/EbuildFetcher.py", line 113, in _spawn
    allow_missing_digests=False):
  File "/usr/lib64/portage/pym/portage/package/ebuild/fetch.py", line 489, in fetch
    if _userpriv_test_write_file(mysettings, write_test_file):
  File "/usr/lib64/portage/pym/portage/package/ebuild/fetch.py", line 122, in _userpriv_test_write_file
    returncode = _spawn_fetch(settings, args)
  File "/usr/lib64/portage/pym/portage/package/ebuild/fetch.py", line 90, in _spawn_fetch
    rval = spawn_func(args, env=settings.environ(), **kwargs)
  File "/usr/lib64/portage/pym/portage/_selinux.py", line 105, in wrapper_func
    setexec(con)
  File "/usr/lib64/portage/pym/portage/_selinux.py", line 79, in setexec
    if selinux.setexeccon(ctx) < 0:
OSError: [Errno 22] Invalid argument

This occurs whether the system is running permissive or enforcing.

Reproducible: Always

This problem LOOKS like an SELinux permission problem.  The user is logged in via SSH, and

selinux-sixtyfour ~# id -Z
unconfined_u:unconfined_r:unconfined_t

seems to indicate that the user is in fact, in the unconfined_t domain, meaning that this SHOULD work just fine.  But it doesn't.

Switching the system to strict mode allows things to work properly.
Comment 1 Chris Richards 2011-02-26 03:47:30 UTC
Created attachment 263867 [details]
emerge --info
Comment 2 Chris Richards 2011-02-26 03:54:21 UTC
Created attachment 263869 [details]
failed selinux-base-policy build log
Comment 3 Sven Vermeulen 2011-02-27 14:46:22 UTC
Looks as if the current portage module doesn't support unconfined use (i.e. it requires proper transitioning through sysadm_t). 

Does it fix things with the following added to portage.te?

optional_policy(`
  unconfined_domain(portage_t)
')
Comment 4 Chris Richards 2011-03-01 02:09:44 UTC
That doesn't seem to work.  I added it to the portage.te file at line 17, but I'm still getting the errors.
Comment 5 Sven Vermeulen 2011-03-02 17:24:11 UTC
Can you try installing selinux-base-policy-2.20101213-r9 (from hardened-dev overlay)? It allows the unconfined_t to transition to the portage_* domains (including portage_fetch_t, sandbox, ...). Previously, this wasn't the case.

The error you received was from SELinux saying that a transition to unconfined_u:unconfined_r:portage_fetch_t isn't allowed (as unconfined_r has no access to the portage_fetch_t domain).

I had two choices: either make the various portage domains part of the unconfined "cloud", or allow the unconfined domains to transition to the portage domains. I prefer the latter.
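The cause described in this comment, as an added illustration that is not portage's or the Gentoo policy's own code: a small Python model of the two checks a setexeccon() into portage_fetch_t runs into, the role-type validity of the target context (the EINVAL in the traceback) and the domain transition itself. The policy fragments are constructed and simplified, not the contents of selinux-base-policy.

```python
# Added example (not portage's or the Gentoo policy's own code): models the
# SELinux validity check that makes setexeccon() fail with EINVAL in this bug.
# A context user:role:type is only valid if the policy authorises the role for
# the type; the pre-r9 policy did not authorise unconfined_r for portage_fetch_t.
from collections import namedtuple

Context = namedtuple("Context", "user role type")

def parse_context(ctx):
    """Split 'user:role:type[:level]' into its parts; reject malformed strings."""
    parts = ctx.split(":")
    if len(parts) < 3 or any(p == "" for p in parts[:3]):
        raise ValueError("malformed SELinux context: %r" % ctx)
    return Context(parts[0], parts[1], parts[2])

# Constructed policy fragments (hypothetical, simplified from the real policy).
# role_types: which domain types each role may run in ('role r types t;').
# transitions: which (source, target) domain transitions are allowed.
POLICY_BEFORE_R9 = {
    "role_types": {
        "unconfined_r": {"unconfined_t"},
        "sysadm_r": {"sysadm_t", "portage_t", "portage_fetch_t", "portage_sandbox_t"},
    },
    "transitions": {("sysadm_t", "portage_t"), ("sysadm_t", "portage_fetch_t"),
                    ("portage_t", "portage_sandbox_t")},
}

POLICY_R9 = {
    "role_types": {
        "unconfined_r": {"unconfined_t", "portage_t", "portage_fetch_t", "portage_sandbox_t"},
        "sysadm_r": POLICY_BEFORE_R9["role_types"]["sysadm_r"],
    },
    "transitions": POLICY_BEFORE_R9["transitions"] | {
        ("unconfined_t", "portage_t"), ("unconfined_t", "portage_fetch_t")},
}

def check_exec_transition(policy, current, target):
    """Return (ok, reason) for setexeccon(target) issued from `current`.

    The target context must be valid (its role authorised for its type, else the
    kernel rejects it with EINVAL, the OSError seen in the traceback), and the
    source domain must be allowed to transition to the target domain.
    """
    src, dst = parse_context(current), parse_context(target)
    if dst.type not in policy["role_types"].get(dst.role, set()):
        return False, "role %s is not authorised for type %s (invalid context)" % (dst.role, dst.type)
    if (src.type, dst.type) not in policy["transitions"]:
        return False, "no transition from %s to %s" % (src.type, dst.type)
    return True, "transition allowed"
```

Run against the contexts from this bug, the pre-r9 policy rejects the unconfined_r:portage_fetch_t context outright, while the r9 policy accepts the transition from unconfined_t.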
Comment 6 Anthony Basile gentoo-dev 2011-03-11 21:11:25 UTC

*** This bug has been marked as a duplicate of bug 355745 ***