When running emerge using a strict policy, portage needs to have access to netlink_route_socket permissions. Reference the following log entry snippets:

avc: denied { bind } for pid=17765 comm="emerge" scontext=root:sysadm_r:portage_t tcontext=root:sysadm_r:portage_t tclass=netlink_route_socket
avc: denied { getattr } for pid=17765 comm="emerge" scontext=root:sysadm_r:portage_t tcontext=root:sysadm_r:portage_t tclass=netlink_route_socket
avc: denied { write } for pid=17765 comm="emerge" scontext=root:sysadm_r:portage_t tcontext=root:sysadm_r:portage_t tclass=netlink_route_socket
avc: denied { nlmsg_read } for pid=17765 comm="emerge" scontext=root:sysadm_r:portage_t tcontext=root:sysadm_r:portage_t tclass=netlink_route_socket
avc: denied { read } for pid=17765 comm="emerge" scontext=root:sysadm_r:portage_t tcontext=root:sysadm_r:portage_t tclass=netlink_route_socket
avc: denied { create } for pid=18067 comm="id" scontext=root:sysadm_r:portage_sandbox_t tcontext=root:sysadm_r:portage_sandbox_t tclass=netlink_route_socket
avc: denied { bind } for pid=18067 comm="id" scontext=root:sysadm_r:portage_sandbox_t tcontext=root:sysadm_r:portage_sandbox_t tclass=netlink_route_socket

I will submit a patch that resolves these (and similar) entries.

There also appears to be a lack of permission during an emerge for ldconfig_t to write to a portage_cache_t file. I see a domain transition interface but no other permissions, so I am not sure how to proceed with this; perhaps adding rw_files_pattern(ldconfig_t, portage_cache_t, portage_cache_t), but that doesn't seem right. Here is the log entry I am seeing:

avc: denied { read write } for pid=16925 comm="ldconfig" path="/var/lib/portage/config" dev=sda1 ino=369227 scontext=root:sysadm_r:ldconfig_t tcontext=root:object_r:portage_cache_t tclass=file
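To triage denials like the ones quoted above without guessing at the policy by hand, the following added example (not part of this bug or the hardened policy) parses AVC records, groups the denied permissions by source type, target type and object class, and renders them as dontaudit (or allow) rules in kernel policy syntax. The sample input is constructed from the entries in the report; the rule text is what a maintainer would review, not something to apply blindly.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC entries quoted in the bug report, one per line.
SAMPLE_AVC = """\
avc: denied { bind } for pid=17765 comm="emerge" scontext=root:sysadm_r:portage_t tcontext=root:sysadm_r:portage_t tclass=netlink_route_socket
avc: denied { getattr } for pid=17765 comm="emerge" scontext=root:sysadm_r:portage_t tcontext=root:sysadm_r:portage_t tclass=netlink_route_socket
avc: denied { write } for pid=17765 comm="emerge" scontext=root:sysadm_r:portage_t tcontext=root:sysadm_r:portage_t tclass=netlink_route_socket
avc: denied { nlmsg_read } for pid=17765 comm="emerge" scontext=root:sysadm_r:portage_t tcontext=root:sysadm_r:portage_t tclass=netlink_route_socket
avc: denied { read } for pid=17765 comm="emerge" scontext=root:sysadm_r:portage_t tcontext=root:sysadm_r:portage_t tclass=netlink_route_socket
avc: denied { create } for pid=18067 comm="id" scontext=root:sysadm_r:portage_sandbox_t tcontext=root:sysadm_r:portage_sandbox_t tclass=netlink_route_socket
avc: denied { bind } for pid=18067 comm="id" scontext=root:sysadm_r:portage_sandbox_t tcontext=root:sysadm_r:portage_sandbox_t tclass=netlink_route_socket
avc: denied { read write } for pid=16925 comm="ldconfig" path="/var/lib/portage/config" dev=sda1 ino=369227 scontext=root:sysadm_r:ldconfig_t tcontext=root:object_r:portage_cache_t tclass=file
"""

# Matches the permission set and the three context fields of an AVC denial record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(':')[2]

def group_denials(text):
    """Map (source type, target type, class) -> set of denied permissions."""
    groups = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record, skip it
        key = (type_of(m['scontext']), type_of(m['tcontext']), m['tclass'])
        groups[key].update(m['perms'].split())
    return dict(groups)

def render_rules(groups, kind='dontaudit'):
    """Emit one rule per group in kernel policy syntax; a target equal to the
    source is written as 'self'. Permissions are sorted for stable output."""
    lines = []
    for (src, tgt, cls), perms in sorted(groups.items()):
        tgt = 'self' if tgt == src else tgt
        lines.append(f"{kind} {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return lines

if __name__ == '__main__':
    print('\n'.join(render_rules(group_denials(SAMPLE_AVC))))
```

Pass kind='allow' to see the rules the attached patch would amount to; as the thread concludes, the netlink ones are candidates for dontaudit rather than allow.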
Created attachment 292951: Patch to add netlink_route_socket permissions
Hi Stan, Why does it need these privileges?
What I think is happening is that since all of the network support in my kernel is modular portage needs this to communicate with the correct modules. Though I could be very mistaken, my knowledge in this area is limited, to say the least. The audit entries showed up as soon as I began a sync.
Marking as Invalid because portage does NOT in fact require these permissions to function. Therefore my bug as submitted is not valid. Sorry for the extra noise, but I think one could build a case for dontauditing these messages.
That's a valid request too ;-) Glad to hear that it wasn't necessary.
In hardened-dev overlay
~arch'ed since 2011-12-17
Stabilized