Bug 109291 - selinux-apache-20050211 breaks portage
Summary: selinux-apache-20050211 breaks portage
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened (show other bugs)
Hardware: x86 Linux
Importance: High normal
Assignee: SE Linux Bugs
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-10-14 11:10 UTC by Andy Dustman
Modified: 2006-01-04 22:26 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Andy Dustman 2005-10-14 11:10:36 UTC
After emerging selinux-apache, Portage was now unable to fetch files via http in
SELinux enforcing mode.

Reproducible: Always
Steps to Reproduce:
1. emerge selinux-apache (or apache) on SELinux enforcing system
2. try to emerge something else that requires fetching files
3. profit! (or lack thereof)

Actual Results:  
wget (invoked by emerge) fails to connect with http, producing error message:

failed: Permission denied.

Expected Results:  
Download the file and proceed with build.

The denials look like this:

Oct 14 13:56:17 dynamo audit(1129312577.381:697): avc:  denied  { name_connect }
for  pid=6364 comm="wget" dest=80 scontext=adustman:sysadm_r:portage_fetch_t
tcontext=system_u:object_r:http_port_t tclass=tcp_socket

Note that macros/programs/portage_macros.te defines:

can_network($1_t)
allow $1_t reserved_port_type:tcp_socket name_connect;

domains/programs/apache.te defines:

type http_port_t, port_type;

net_contexts defines:

ifdef(`use_http', `
portcon tcp 80  system_u:object_r:http_port_t
portcon tcp 443  system_u:object_r:http_port_t
')

It appears http_port_t is taking precedence over reserved_port_type.

And yes, the policy has been rebuilt and reloaded and the machine even rebooted.

Removing the apache policies and reloading allows portage to fetch files again.

System is a new installation from 2005.1 hardened livecd and the most recent
stage3 I could find, updated to current portage tree.

Portage 2.0.51.22-r3 (selinux/2005.1/x86/hardened, gcc-3.3.6, glibc-2.3.5-r2, 2.6.13-gentoo-r3 i686)
=================================================================
System uname: 2.6.13-gentoo-r3 i686 Pentium III (Coppermine)
Gentoo Base System version 1.6.13
dev-lang/python:     2.3.5, 2.4.2
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.15.92.0.2-r10
sys-devel/libtool:   1.5.20
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-mcpu=i686 -O2 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config
/usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-mcpu=i686 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks loadpolicy sandbox selinux sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org
http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://gentoo.terry.uga.edu/gentoo-portage"
USE="berkdb crypt dlloader hardened mysql ncurses nls pam perl pic python
readline samba selinux ssl x86 zlib userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTDIR_OVERLAY
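The denial quoted in the description is the kind of AVC message that audit2allow turns into a policy rule. The following is an added example, not code from the bug report or from the SELinux tools: a minimal audit2allow-style generator that parses AVC denial lines, takes the type field out of each security context, merges permissions per (source type, target type, object class) and emits the corresponding `allow` rules. The first sample line is the denial from the report; the others are constructed to show merging and noise handling.

```python
"""Minimal audit2allow-style generator for SELinux AVC denials.

Added example (not Gentoo's or the SELinux project's code): it parses the
kind of AVC denial shown in the bug report and emits the `allow` rule that
would permit it, which is how the workaround in this thread was derived.
"""
import re
from collections import defaultdict

# The kernel emits AVC denials as key=value pairs, with the denied
# permission set between braces; we only need these four fields.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+).*?"
    r"\btcontext=(?P<tcontext>\S+).*?"
    r"\btclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError("malformed security context: %r" % context)
    return parts[2]


def parse_denials(lines):
    """Yield (source_type, target_type, tclass, frozenset(perms)) per denial."""
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (or a truncated one); skip it
        perms = frozenset(m.group("perms").split())
        yield (type_of(m.group("scontext")), type_of(m.group("tcontext")),
               m.group("tclass"), perms)


def allow_rules(lines):
    """Merge denials into one `allow` rule per (source, target, class)."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(lines):
        merged[(src, tgt, cls)].update(perms)
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        perm_text = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_text = "{ %s }" % perm_text
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, perm_text))
    return rules


# Sample input: the first line is the denial quoted in the bug report; the
# second is a constructed denial for an FTP mirror, the third constructed noise.
SAMPLE_LOG = [
    'Oct 14 13:56:17 dynamo audit(1129312577.381:697): avc:  denied  { name_connect } '
    'for  pid=6364 comm="wget" dest=80 scontext=adustman:sysadm_r:portage_fetch_t '
    'tcontext=system_u:object_r:http_port_t tclass=tcp_socket',
    'Oct 14 13:57:02 dynamo audit(1129312622.102:698): avc:  denied  { name_connect } '
    'for  pid=6371 comm="wget" dest=21 scontext=adustman:sysadm_r:portage_fetch_t '
    'tcontext=system_u:object_r:ftp_port_t tclass=tcp_socket',
    'Oct 14 13:57:02 dynamo kernel: eth0: link up',
]

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
```

Run against the sample, it prints one rule per port type, the http one being exactly the rule petre suggests below. As with audit2allow, the output is a starting point, not a policy decision: a generated rule says what would silence the denial, not whether the access should be granted.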
Comment 1 petre rodan (RETIRED) gentoo-dev 2005-10-14 11:32:57 UTC
@andy:

add the following rule to your customized 'te' file:

allow portage_fetch_t http_port_t:tcp_socket name_connect;

@pebenito:

maybe we should add something like

allow portage_fetch_t port_type:tcp_socket name_connect;

to portage.te? - because we can find all kinds of kinky ports where packages are
downloaded from

or else we have to selectively allow at least
allow portage_fetch_t http_cache_port_t:tcp_socket name_connect;
allow portage_fetch_t http_port_t:tcp_socket name_connect;
allow portage_fetch_t ftp_port_t:tcp_socket name_connect;
Comment 2 Andy Dustman 2005-10-14 11:51:03 UTC
Adding:

ifdef(`use_http', `
allow portage_fetch_t http_port_t:tcp_socket name_connect;
')

to domains/program/portage.te after the can_network() line seems to fix the problem.


Comment 3 Stephen Bennett (RETIRED) gentoo-dev 2005-10-16 10:22:41 UTC
In theory at least ebuilds shouldn't be fetching from anything other than a
small number of ports (IIRC http, https, and ftp), so from one point of view
restricting portage_fetch_t to just those ports could be desirable, and at the
very least I see no reason to allow it access to port_type. Those three ports,
and probably http_cache_port_t and various proxy ports should be allowed though.
Comment 4 Chris PeBenito (RETIRED) gentoo-dev 2006-01-04 22:26:16 UTC
I believe the original problem is that http_port_t does not have the reserved_port_type attribute, which looks like it's been fixed.  This is also fixed in reference policy upstream, and will be in the 2006* policies.
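Comment 4 pins the cause on attribute membership rather than on rule precedence: `allow portage_fetch_t reserved_port_type:tcp_socket name_connect;` only covers port types that carry the reserved_port_type attribute, and http_port_t was declared with port_type alone. The following is an added example, not part of the thread or of Gentoo's policy: a small model of the policy constructs involved (type declarations with attributes, portcon statements, allow rules whose target may be a type or an attribute) that resolves whether a domain may name_connect to a TCP port. The policy text is constructed to mirror the fragments quoted in the report, and it compares the broken declaration against the attribute fix from comment 4 and the explicit rule from comments 1 and 2. Only explicitly labelled ports are modelled; the default label for unlabelled ports is left out as a simplification.

```python
"""Which SELinux port types may a domain name_connect to?

Added example, not code from the bug thread or Gentoo's policy. It models
the subset of the policy language at issue: `type` declarations with
attributes, `portcon` statements and `allow` rules whose target may be a
type or an attribute, then resolves name_connect for a given TCP port.
"""
import re

TYPE_RE = re.compile(r"^\s*type\s+(\w+)\s*((?:,\s*\w+)*)\s*;")
PORTCON_RE = re.compile(r"^\s*portcon\s+(tcp|udp)\s+(\d+)\s+\w+:\w+:(\w+)")
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;")


class Policy:
    def __init__(self):
        self.types = set()
        self.attrs = {}      # attribute name -> set of types carrying it
        self.portcon = {}    # (proto, port) -> port type
        self.allows = []     # (source, target, tclass, frozenset(perms))

    def load(self, text):
        for line in text.splitlines():
            m = TYPE_RE.match(line)
            if m:
                name, attr_list = m.group(1), m.group(2)
                self.types.add(name)
                for attr in re.findall(r"\w+", attr_list):
                    self.attrs.setdefault(attr, set()).add(name)
                continue
            m = PORTCON_RE.match(line)
            if m:
                self.portcon[(m.group(1), int(m.group(2)))] = m.group(3)
                continue
            m = ALLOW_RE.match(line)
            if m:
                perms = frozenset(re.findall(r"\w+", m.group(4)))
                self.allows.append((m.group(1), m.group(2), m.group(3), perms))
        return self

    def expand(self, name):
        """A rule operand names a type or an attribute; return the types it covers."""
        if name in self.types:
            return {name}
        return set(self.attrs.get(name, ()))

    def may_connect(self, domain, port):
        """True if some allow rule grants `domain` name_connect on the port's type."""
        ptype = self.portcon.get(("tcp", port))
        if ptype is None:
            return False  # simplification: only explicitly labelled ports are modelled
        for src, tgt, cls, perms in self.allows:
            if cls != "tcp_socket" or "name_connect" not in perms:
                continue
            if domain in self.expand(src) and ptype in self.expand(tgt):
                return True
        return False


# Constructed policy mirroring the fragments quoted in the bug: http_port_t
# carries only port_type (the bug), ftp_port_t also carries reserved_port_type,
# and portage_fetch_t has the rule from portage_macros.te.
BROKEN_POLICY = """
type port_t, port_type;
type ftp_port_t, port_type, reserved_port_type;
type http_port_t, port_type;
type portage_fetch_t, domain;
portcon tcp 21  system_u:object_r:ftp_port_t
portcon tcp 80  system_u:object_r:http_port_t
portcon tcp 443  system_u:object_r:http_port_t
allow portage_fetch_t reserved_port_type:tcp_socket name_connect;
"""

# Fix per comment 4: give http_port_t the attribute the existing rule targets.
FIXED_POLICY = BROKEN_POLICY.replace(
    "type http_port_t, port_type;",
    "type http_port_t, port_type, reserved_port_type;")

# Workaround per comments 1 and 2: an explicit rule for http_port_t.
WORKAROUND_POLICY = BROKEN_POLICY + \
    "allow portage_fetch_t http_port_t:tcp_socket name_connect;\n"


def check(policy_text, domain="portage_fetch_t", ports=(21, 80, 443)):
    """Return {port: may_connect} for the given domain under the policy text."""
    pol = Policy().load(policy_text)
    return {port: pol.may_connect(domain, port) for port in ports}


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY),
                        ("workaround", WORKAROUND_POLICY)):
        print(label, check(text))
```

Under the broken declaration the domain reaches port 21 but not 80 or 443, which is the denial in the report; both the attribute fix and the explicit rule open 80 and 443. The difference between the two is scope: the attribute fix changes what reserved_port_type means for every rule that names it, while the explicit rule touches only portage_fetch_t, which is the trade-off Stephen's comment about not granting port_type is getting at.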