After emerging selinux-apache, Portage was now unable to fetch files via http in SELinux enforcing mode.

Reproducible: Always

Steps to Reproduce:
1. emerge selinux-apache (or apache) on SELinux enforcing system
2. try to emerge something else that requires fetching files
3. profit! (or lack thereof)

Actual Results: wget (invoked by emerge) fails to connect with http, producing error message: failed: Permission denied.

Expected Results: Download the file and proceed with build.

The denials look like this:

Oct 14 13:56:17 dynamo audit(1129312577.381:697): avc: denied { name_connect } for pid=6364 comm="wget" dest=80 scontext=adustman:sysadm_r:portage_fetch_t tcontext=system_u:object_r:http_port_t tclass=tcp_socket

Note that macros/programs/portage_macros.te defines:

can_network($1_t)
allow $1_t reserved_port_type:tcp_socket name_connect;

domains/programs/apache.te defines:

type http_port_t, port_type;

net_contexts defines:

ifdef(`use_http', `
portcon tcp 80 system_u:object_r:http_port_t
portcon tcp 443 system_u:object_r:http_port_t
')

It appears http_port_t is taking precedence over reserved_port_type. And yes, the policy has been rebuilt and reloaded and the machine even rebooted. Removing the apache policies and reloading allows portage to fetch files again.

System is a new installation from 2005.1 hardened livecd and the most recent stage3 I could find, updated to current portage tree.
Portage 2.0.51.22-r3 (selinux/2005.1/x86/hardened, gcc-3.3.6, glibc-2.3.5-r2, 2.6.13-gentoo-r3 i686)================================================================= System uname: 2.6.13-gentoo-r3 i686 Pentium III (Coppermine) Gentoo Base System version 1.6.13 dev-lang/python: 2.3.5, 2.4.2 sys-apps/sandbox: 1.2.12 sys-devel/autoconf: 2.13, 2.59-r6 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1 sys-devel/binutils: 2.15.92.0.2-r10 sys-devel/libtool: 1.5.20 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-mcpu=i686 -O2 -pipe" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control" CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d" CXXFLAGS="-mcpu=i686 -O2 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig distlocks loadpolicy sandbox selinux sfperms strict" GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/Linux/distributions/gentoo" MAKEOPTS="-j4" PKGDIR="/usr/portage/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://gentoo.terry.uga.edu/gentoo-portage" USE="berkdb crypt dlloader hardened mysql ncurses nls pam perl pic python readline samba selinux ssl x86 zlib userland_GNU kernel_linux elibc_glibc" Unset: ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTDIR_OVERLAY
@andy: add the following rule to your customized 'te' file:

allow portage_fetch_t http_port_t:tcp_socket name_connect;

@pebenito: maybe we should add something like

allow portage_fetch_t port_type:tcp_socket name_connect;

to portage.te? - because we can find all kind of kinky ports where packages are downloaded from, or else we have to selectively allow at least

allow portage_fetch_t http_cache_port_t:tcp_socket name_connect;
allow portage_fetch_t http_port_t:tcp_socket name_connect;
allow portage_fetch_t ftp_port_t:tcp_socket name_connect;
Adding:

ifdef(`use_http', `
allow portage_fetch_t http_port_t:tcp_socket name_connect;
')

to domains/program/portage.te after the can_network() line seems to fix the problem.
In theory at least ebuilds shouldn't be fetching from anything other than a small number of ports (IIRC http, https, and ftp), so from one point of view restricting portage_fetch_t to just those ports could be desirable, and at the very least I see no reason to allow it access to port_type. Those three ports, and probably http_cache_port_t and various proxy ports, should be allowed though.
I believe the original problem is that http_port_t does not have the reserved_port_type attribute, which looks like it's been fixed. This is also fixed in reference policy upstream, and will be in the 2006* policies.
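As an added example (not code from this bug or from the Gentoo policy), the following script turns an AVC denial like the one in the report into the corresponding allow rule and then checks it against the narrow set of port types the comments above say portage_fetch_t should legitimately reach (http_port_t, http_cache_port_t, ftp_port_t), so a denial to any other port type is flagged for review instead of being granted blindly. The port type example_other_port_t in the second sample is a constructed placeholder.

```python
import re

# Constructed sample: the AVC denial quoted in the bug report, as one line.
SAMPLE_AVC = ('Oct 14 13:56:17 dynamo audit(1129312577.381:697): avc: denied '
              '{ name_connect } for pid=6364 comm="wget" dest=80 '
              'scontext=adustman:sysadm_r:portage_fetch_t '
              'tcontext=system_u:object_r:http_port_t tclass=tcp_socket')

# Constructed sample with a placeholder port type outside the expected set.
SAMPLE_OTHER = ('avc: denied { name_connect } for pid=7000 comm="wget" dest=9999 '
                'scontext=adustman:sysadm_r:portage_fetch_t '
                'tcontext=system_u:object_r:example_other_port_t tclass=tcp_socket')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Port types the comments consider legitimate for portage_fetch_t (https shares
# http_port_t, since net_contexts labels both tcp 80 and tcp 443 with it).
FETCH_PORT_TYPES = {'http_port_t', 'http_cache_port_t', 'ftp_port_t'}


def parse_avc(line):
    """Extract permissions, source/target types and object class from an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    # A security context is user:role:type[:range]; the type is the third field.
    return {
        'perms': m.group('perms').split(),
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'fields': fields,
    }


def allow_rule(avc):
    """Render the allow rule that would satisfy the parsed denial (audit2allow style)."""
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (avc['source_type'], avc['target_type'],
                                    avc['tclass'], perm_str)


def review(line):
    """Return (rule, expected) where expected is True only for a fetch-domain
    name_connect to one of the agreed port types; anything else needs a human look."""
    avc = parse_avc(line)
    if avc is None:
        return None
    expected = (avc['source_type'] == 'portage_fetch_t'
                and avc['tclass'] == 'tcp_socket'
                and avc['perms'] == ['name_connect']
                and avc['target_type'] in FETCH_PORT_TYPES)
    return allow_rule(avc), expected
```

Run review() over each denial from the audit log; the rule string for the report's denial is exactly the one added to portage.te in the comments, while the placeholder denial yields a syntactically valid rule that the check refuses to endorse.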