Bug 390881 - portage requests for netlink_route_socket privileges should be dontaudited
Summary: portage requests for netlink_route_socket privileges should be dontaudited
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: AMD64 Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-11-17 22:01 UTC by Stan Sander
Modified: 2012-01-29 11:26 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
Patch to add netlink_route_socket permissions (portage.te.patch,556 bytes, patch)
2011-11-17 22:03 UTC, Stan Sander

Description Stan Sander 2011-11-17 22:01:27 UTC
When running emerge using a strict policy, portage needs to have access to netlink_route_socket permissions.  Reference the following log entry snippets:

avc:  denied  { bind } for  pid=17765 comm="emerge" scontext=root:sysadm_r:portage_t tcontext=root:sysadm_r:portage_t tclass=netlink_route_socket

avc:  denied  { getattr } for  pid=17765 comm="emerge" scontext=root:sysadm_r:portage_t tcontext=root:sysadm_r:portage_t tclass=netlink_route_socket

avc:  denied  { write } for  pid=17765 comm="emerge" scontext=root:sysadm_r:portage_t tcontext=root:sysadm_r:portage_t tclass=netlink_route_socket

avc:  denied  { nlmsg_read } for  pid=17765 comm="emerge" scontext=root:sysadm_r:portage_t tcontext=root:sysadm_r:portage_t tclass=netlink_route_socket

avc:  denied  { read } for  pid=17765 comm="emerge" scontext=root:sysadm_r:portage_t tcontext=root:sysadm_r:portage_t tclass=netlink_route_socket

avc:  denied  { create } for  pid=18067 comm="id" scontext=root:sysadm_r:portage_sandbox_t tcontext=root:sysadm_r:portage_sandbox_t tclass=netlink_route_socket

avc:  denied  { bind } for  pid=18067 comm="id" scontext=root:sysadm_r:portage_sandbox_t tcontext=root:sysadm_r:portage_sandbox_t tclass=netlink_route_socket

I will submit a patch that resolves these (and similar) entries.  There also appears to be a lack of permission during an emerge for the ldconfig_t to write to a portage_cache_t file.  I see a domain transition interface but no other permissions, so I am not sure how to proceed with this, perhaps adding

rw_files_pattern(ldconfig_t, portage_cache_t, portage_cache_t)

but that doesn't seem right.  Here is the log entry I am seeing:

avc:  denied  { read write } for  pid=16925 comm="ldconfig" path="/var/lib/portage/config" dev=sda1 ino=369227 scontext=root:sysadm_r:ldconfig_t tcontext=root:object_r:portage_cache_t tclass=file
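The denials quoted above are the kind of input a policy maintainer turns into either an allow rule or, as this bug ends up doing, a dontaudit rule. The script below is an added example, not part of the report or of the Gentoo policy: it parses AVC lines of this shape, groups them per (source type, target type, object class), emits a dontaudit rule for classes the maintainer has decided are harmless noise (here netlink_route_socket, which the reporter later confirms portage does not actually need), and flags everything else for manual review instead of silently allowing it. The sample lines are copied from the report; the set of classes treated as noise is an assumption for the example.

```python
"""Aggregate SELinux AVC denial lines into candidate policy rules.

Example code added for this bug; uses only the Python standard library.
The denials in SAMPLE_LINES are the ones quoted in the report.
"""
import re
from collections import defaultdict

# Permission list and key=value tail of an AVC line.
_AVC_RE = re.compile(r"denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<tail>.*)$")
# key=value pairs; values may be quoted (comm="emerge", path="/var/...").
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_LINES = [
    'avc:  denied  { bind } for  pid=17765 comm="emerge" scontext=root:sysadm_r:portage_t tcontext=root:sysadm_r:portage_t tclass=netlink_route_socket',
    'avc:  denied  { getattr } for  pid=17765 comm="emerge" scontext=root:sysadm_r:portage_t tcontext=root:sysadm_r:portage_t tclass=netlink_route_socket',
    'avc:  denied  { write } for  pid=17765 comm="emerge" scontext=root:sysadm_r:portage_t tcontext=root:sysadm_r:portage_t tclass=netlink_route_socket',
    'avc:  denied  { nlmsg_read } for  pid=17765 comm="emerge" scontext=root:sysadm_r:portage_t tcontext=root:sysadm_r:portage_t tclass=netlink_route_socket',
    'avc:  denied  { read } for  pid=17765 comm="emerge" scontext=root:sysadm_r:portage_t tcontext=root:sysadm_r:portage_t tclass=netlink_route_socket',
    'avc:  denied  { create } for  pid=18067 comm="id" scontext=root:sysadm_r:portage_sandbox_t tcontext=root:sysadm_r:portage_sandbox_t tclass=netlink_route_socket',
    'avc:  denied  { bind } for  pid=18067 comm="id" scontext=root:sysadm_r:portage_sandbox_t tcontext=root:sysadm_r:portage_sandbox_t tclass=netlink_route_socket',
    'avc:  denied  { read write } for  pid=16925 comm="ldconfig" path="/var/lib/portage/config" dev=sda1 ino=369227 scontext=root:sysadm_r:ldconfig_t tcontext=root:object_r:portage_cache_t tclass=file',
]

# Assumption for this example: object classes whose self-targeted denials
# the maintainer has decided to silence rather than allow.
NOISE_CLASSES = frozenset({"netlink_route_socket"})


def parse_avc(line):
    """Return the denied permissions (set) plus the key=value fields, or None."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group("tail"))}
    fields["perms"] = set(m.group("perms").split())
    return fields


def context_type(ctx):
    """user:role:type[:level] -> type (the part policy rules are written against)."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def aggregate(lines):
    """Group denials by (source type, target type or 'self', class) -> permissions."""
    groups = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is None or not {"scontext", "tcontext", "tclass"} <= d.keys():
            continue
        src = context_type(d["scontext"])
        tgt = context_type(d["tcontext"])
        target = "self" if tgt == src else tgt
        groups[(src, target, d["tclass"])] |= d["perms"]
    return dict(groups)


def suggest_rules(lines, noise_classes=NOISE_CLASSES):
    """Emit a dontaudit rule for self-targeted noise classes; flag the rest for review."""
    rules = []
    for (src, target, tclass), perms in sorted(aggregate(lines).items()):
        perm_str = " ".join(sorted(perms))
        if tclass in noise_classes and target == "self":
            rules.append(f"dontaudit {src} {target}:{tclass} {{ {perm_str} }};")
        else:
            # Denials on real objects (e.g. the portage_cache_t file) need a
            # decision by the maintainer, not an automatic rule.
            rules.append(f"# review: {src} {target}:{tclass} {{ {perm_str} }} (not dontaudited)")
    return rules


if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LINES):
        print(rule)
```

Run against the report's lines it produces one dontaudit rule for portage_t, one for portage_sandbox_t, and a review marker for the ldconfig_t access to portage_cache_t, which is exactly the split the thread arrives at: the socket denials are noise, the file denial still needs a real policy decision.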
Comment 1 Stan Sander 2011-11-17 22:03:12 UTC
Created attachment 292951
Patch to add netlink_route_socket permissions
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2011-11-18 06:35:09 UTC
Hi Stan,

Why does it need these privileges?
Comment 3 Stan Sander 2011-11-18 13:58:04 UTC
What I think is happening is that since all of the network support in my kernel is modular portage needs this to communicate with the correct modules.  Though I could be very mistaken, my knowledge in this area is limited, to say the least.  The audit entries showed up as soon as I began a sync.
Comment 4 Stan Sander 2011-11-19 21:36:39 UTC
Marking as Invalid because portage does NOT in fact require these permissions to function.  Therefore my bug as submitted is not valid.  Sorry for the extra noise, but I think one could build a case for dontauditing these messages.
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2011-11-20 09:16:47 UTC
That's a valid request too ;-) Glad to hear that it wasn't necessary.
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2011-12-11 13:49:42 UTC
In hardened-dev overlay
Comment 7 Sven Vermeulen (RETIRED) gentoo-dev 2011-12-27 19:20:29 UTC
~arch'ed since 2011-12-17
Comment 8 Sven Vermeulen (RETIRED) gentoo-dev 2012-01-29 11:26:42 UTC
Stabilized