I tried to run glsa-check on a shared portage mounted via nfs. It got sad.

portage_use_nfs --> on

test selinux # audit2allow -i glsa-check.log -m glsa

module glsa 1.0;

require {
	type portage_conf_t;
	type portage_cache_t;
	type nfs_t;
	type system_cronjob_t;
	type portage_ebuild_t;
	class dir write;
	class file { ioctl read open };
}

#============= system_cronjob_t ==============
allow system_cronjob_t nfs_t:file { read ioctl open };
allow system_cronjob_t portage_cache_t:dir write;
allow system_cronjob_t portage_conf_t:file { read ioctl open };
allow system_cronjob_t portage_ebuild_t:file { read ioctl open };

I have tried to rlpkg -a -r, but that failed.

Here, have a log:

type=AVC msg=audit(1314693781.973:798): avc: denied { read open } for pid=30536 comm="glsa-check" name="parent" dev=0:15 ino=148600 scontext=system_u:system_r:system_cronjob_t tcontext=system_u:object_r:nfs_t tclass=file
type=SYSCALL msg=audit(1314693781.973:798): arch=c000003e syscall=2 success=yes exit=3 a0=1f92c1b754 a1=0 a2=1b6 a3=1 items=0 ppid=30534 pid=30536 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="glsa-check" exe="/usr/bin/python2.7" subj=system_u:system_r:system_cronjob_t key=(null)
type=AVC msg=audit(1314693781.975:799): avc: denied { ioctl } for pid=30536 comm="glsa-check" path="/usr/portage/profiles/hardened/linux/amd64/no-multilib/selinux/parent" dev=0:15 ino=148600 scontext=system_u:system_r:system_cronjob_t tcontext=system_u:object_r:nfs_t tclass=file
type=SYSCALL msg=audit(1314693781.975:799): arch=c000003e syscall=16 success=no exit=-25 a0=3 a1=5401 a2=3c5e51ff5a0 a3=1 items=0 ppid=30534 pid=30536 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="glsa-check" exe="/usr/bin/python2.7" subj=system_u:system_r:system_cronjob_t key=(null)
type=AVC msg=audit(1314693781.996:800): avc: denied { read } for pid=30536 comm="glsa-check" name="make.conf" dev=vda3 ino=7285 scontext=system_u:system_r:system_cronjob_t tcontext=system_u:object_r:portage_conf_t tclass=file
type=AVC msg=audit(1314693781.996:800): avc: denied { open } for pid=30536 comm="glsa-check" name="make.conf" dev=vda3 ino=7285 scontext=system_u:system_r:system_cronjob_t tcontext=system_u:object_r:portage_conf_t tclass=file
type=SYSCALL msg=audit(1314693781.996:800): arch=c000003e syscall=2 success=yes exit=3 a0=1f92bf9150 a1=0 a2=1b6 a3=0 items=0 ppid=30534 pid=30536 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="glsa-check" exe="/usr/bin/python2.7" subj=system_u:system_r:system_cronjob_t key=(null)
type=AVC msg=audit(1314693782.005:801): avc: denied { read } for pid=30536 comm="glsa-check" name="make.conf" dev=dm-3 ino=2127 scontext=system_u:system_r:system_cronjob_t tcontext=system_u:object_r:portage_ebuild_t tclass=file
type=AVC msg=audit(1314693782.005:801): avc: denied { open } for pid=30536 comm="glsa-check" name="make.conf" dev=dm-3 ino=2127 scontext=system_u:system_r:system_cronjob_t tcontext=system_u:object_r:portage_ebuild_t tclass=file
type=SYSCALL msg=audit(1314693782.005:801): arch=c000003e syscall=2 success=yes exit=3 a0=1f92c40030 a1=0 a2=1b6 a3=0 items=0 ppid=30534 pid=30536 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="glsa-check" exe="/usr/bin/python2.7" subj=system_u:system_r:system_cronjob_t key=(null)
type=AVC msg=audit(1314693782.084:802): avc: denied { ioctl } for pid=30536 comm="glsa-check" path="/var/lib/layman/hardened-development/profiles/repo_name" dev=dm-3 ino=132375 scontext=system_u:system_r:system_cronjob_t tcontext=system_u:object_r:portage_ebuild_t tclass=file
type=SYSCALL msg=audit(1314693782.084:802): arch=c000003e syscall=16 success=no exit=-25 a0=3 a1=5401 a2=3c5e51feff0 a3=1 items=0 ppid=30534 pid=30536 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="glsa-check" exe="/usr/bin/python2.7" subj=system_u:system_r:system_cronjob_t key=(null)
type=AVC msg=audit(1314693782.090:803): avc: denied { ioctl } for pid=30536 comm="glsa-check" path="/etc/portage/package.keywords" dev=vda3 ino=6372 scontext=system_u:system_r:system_cronjob_t tcontext=system_u:object_r:portage_conf_t tclass=file
type=SYSCALL msg=audit(1314693782.090:803): arch=c000003e syscall=16 success=no exit=-25 a0=3 a1=5401 a2=3c5e51ff4e0 a3=1 items=0 ppid=30534 pid=30536 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="glsa-check" exe="/usr/bin/python2.7" subj=system_u:system_r:system_cronjob_t key=(null)
type=AVC msg=audit(1314693782.445:804): avc: denied { write } for pid=30536 comm="glsa-check" name="dep" dev=dm-3 ino=8199 scontext=system_u:system_r:system_cronjob_t tcontext=system_u:object_r:portage_cache_t tclass=dir
type=SYSCALL msg=audit(1314693782.445:804): arch=c000003e syscall=21 success=yes exit=0 a0=1f92c76670 a1=2 a2=0 a3=3c5e5200850 items=0 ppid=30534 pid=30536 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="glsa-check" exe="/usr/bin/python2.7" subj=system_u:system_r:system_cronjob_t key=(null)
Yup, there's no transition for glsa-check yet. I'll look into it.
Okay, marking glsa-check as portage_exec_t does the trick functionality-wise. However, as you mentioned on IRC:

18:51 < prometheanfire> ya type=AVC msg=audit(1315075681.170:1071): avc: denied { write } for pid=25851 comm="glsa-check" path="pipe:[3876757]" dev=pipefs ino=3876757 scontext=system_u:system_r:portage_t tcontext=system_u:system_r:crond_t tclass=fifo_file

This is for the output of glsa-check, which is piped to the cron daemon, which isn't allowed for now.
set glsa-check as portage_exec_t

module glsa 1.0;

require {
	type portage_t;
	type crond_t;
	class netlink_route_socket { write getattr read bind create nlmsg_read };
	class fifo_file write;
}

#============= portage_t ==============
allow portage_t crond_t:fifo_file write;
allow portage_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
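Added example, not code from this bug or from Gentoo's policy: a small Python parser that aggregates AVC records like the ones above into audit2allow-style allow rules, and also groups denials by command and source domain, which is the check that shows glsa-check running in system_cronjob_t (the caller's domain) instead of its own, i.e. a missing entrypoint label rather than missing rules. The sample records are constructed, shortened copies of the ones in this report.

```python
import re
from collections import defaultdict

# Constructed sample records, shortened from the denials in this bug report.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1314693781.973:798): avc: denied { read open } for pid=30536 comm="glsa-check" name="parent" dev=0:15 ino=148600 scontext=system_u:system_r:system_cronjob_t tcontext=system_u:object_r:nfs_t tclass=file
type=AVC msg=audit(1314693781.975:799): avc: denied { ioctl } for pid=30536 comm="glsa-check" path="/usr/portage/profiles/parent" dev=0:15 ino=148600 scontext=system_u:system_r:system_cronjob_t tcontext=system_u:object_r:nfs_t tclass=file
type=AVC msg=audit(1314693782.445:804): avc: denied { write } for pid=30536 comm="glsa-check" name="dep" dev=dm-3 ino=8199 scontext=system_u:system_r:system_cronjob_t tcontext=system_u:object_r:portage_cache_t tclass=dir
type=AVC msg=audit(1315075681.170:1071): avc: denied { write } for pid=25851 comm="glsa-check" path="pipe:[3876757]" dev=pipefs ino=3876757 scontext=system_u:system_r:portage_t tcontext=system_u:system_r:crond_t tclass=fifo_file
type=SYSCALL msg=audit(1314693782.445:804): arch=c000003e syscall=21 success=yes exit=0
"""

# Matches one AVC denial record; SYSCALL records do not match and are skipped.
AVC_RE = re.compile(
    r'type=AVC .*?avc: +denied +\{ (?P<perms>[^}]+)\} .*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)')

def parse_avc(log_text):
    """Yield (comm, source_type, target_type, tclass, perms) per AVC record."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # The type is the third field of user:role:type[:level].
        yield (m['comm'], m['scon'].split(':')[2], m['tcon'].split(':')[2],
               m['tclass'], set(m['perms'].split()))

def allow_rules(log_text):
    """Merge denials into one audit2allow-style rule per (source, target, class)."""
    merged = defaultdict(set)
    for _comm, src, tgt, tclass, perms in parse_avc(log_text):
        merged[(src, tgt, tclass)] |= perms
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        p = ' '.join(sorted(perms))
        rules.append(f"allow {src} {tgt}:{tclass} {{ {p} }};" if len(perms) > 1
                     else f"allow {src} {tgt}:{tclass} {p};")
    return rules

def domains_by_comm(log_text):
    """Map each denied command to the domains it was seen in. A tool that should
    have its own domain but shows up under its caller's (glsa-check under
    system_cronjob_t) needs an entrypoint label, not the rules above."""
    seen = defaultdict(set)
    for comm, src, *_ in parse_avc(log_text):
        seen[comm].add(src)
    return dict(seen)
```

Run against a real audit.log the same way; any command listed under more than one domain, or under a generic cron/init domain, is the first thing to look at before loading a generated module.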
The portage_t crond_t fifo_file stuff should be okay in -r4. The netlink_route_socket I still need to check why/when that's necessary, but I need to set up glsa-check -m for that first, which'll take a while.
Can you check if you can send mails through "glsa-check -m all" when PORTAGE_ELOG_MAILURI is set to an IP address instead of hostname? I have the feeling that it (netlink_route_socket privileges as mentioned earlier) is needed to resolve DNS.
As per our discussion on #gentoo-hardened, the netlink_route_socket issue doesn't occur anymore:

15:04 < prometheanfire> test with IP works
15:04 < prometheanfire> testing with dns (glsa-check not being labeled was probably my problem
15:06 <@SwifT> I think with dns you'll get that netlink_route_socket denial
15:07 < prometheanfire> nope
15:08 < prometheanfire> works fine now

The glsa-check (portage_exec_t) will be part of r5.
Change included in -r5, now in hardened-dev overlay.
In main tree, ~arch'ed.
Stabilized.