Looks like the changes to the cert security have broken live ebuilds in portage if they go over a secure connection. The following AVCs were the result of trying to fetch singularity (https://github.com/alunduil/singularity/tarball/1.0.2):

type=AVC msg=audit(1352473452.133:3319): avc: denied { search } for pid=4423 comm="wget" name="alunduil" dev="xvda1" ino=163875 ipaddr=50.56.228.64 scontext=alunduil_u:sysadm_r:portage_fetch_t tcontext=alunduil_u:object_r:user_home_dir_t tclass=dir
type=AVC msg=audit(1352473452.300:3320): avc: denied { search } for pid=4423 comm="wget" name="ca-certificates" dev="xvda1" ino=591862 ipaddr=50.56.228.64 scontext=alunduil_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:cert_t tclass=dir

The error message from portage correlates with this:

selinux alunduil # emerge -DuvaN world

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild U ] app-emulation/singularity-1.0.2::alunduil-overlay [1.0.1::alunduil-overlay] USE="(selinux) xen" 34 kB

Total: 1 package (1 upgrade), Size of downloads: 34 kB

Would you like to merge these packages? [Yes/No]
>>> Verifying ebuild manifests
>>> Emerging (1 of 1) app-emulation/singularity-1.0.2 from alunduil-overlay
>>> Downloading 'https://github.com/alunduil/singularity/tarball/1.0.2'
--2012-11-09 09:07:21-- https://github.com/alunduil/singularity/tarball/1.0.2
Resolving github.com... 207.97.227.239
Connecting to github.com|207.97.227.239|:443... connected.
ERROR: cannot verify github.com's certificate, issued by ‘/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1’:
  Unable to locally verify the issuer's authority.
To connect to github.com insecurely, use `--no-check-certificate'.
!!! Couldn't download 'singularity-1.0.2.tar.gz'. Aborting.
 * Fetch failed for 'app-emulation/singularity-1.0.2', Log file:
 *  '/var/tmp/portage/app-emulation/singularity-1.0.2/temp/build.log'
>>> Failed to emerge app-emulation/singularity-1.0.2, Log file:
>>>  '/var/tmp/portage/app-emulation/singularity-1.0.2/temp/build.log'

Looks like portage_fetch just needs access to cert_t?

Reproducible: Always
Adding the following policy allowed the emerge to complete:

miscfiles_read_generic_certs(portage_fetch_t)
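As an added example (not from the bug report or from the Gentoo policy repository), a small parser that reads the two AVC records quoted above, extracts the source and target SELinux types, and singles out the cert_t denial that the miscfiles_read_generic_certs(portage_fetch_t) fix addresses. The log text is copied from the report; the function and variable names are my own.

```python
import re

# The two AVC records from the bug report: portage_fetch_t (wget) was denied
# "search" on the user's home directory and on the ca-certificates directory.
AVC_LOG = """\
type=AVC msg=audit(1352473452.133:3319): avc: denied { search } for pid=4423 comm="wget" name="alunduil" dev="xvda1" ino=163875 ipaddr=50.56.228.64 scontext=alunduil_u:sysadm_r:portage_fetch_t tcontext=alunduil_u:object_r:user_home_dir_t tclass=dir
type=AVC msg=audit(1352473452.300:3320): avc: denied { search } for pid=4423 comm="wget" name="ca-certificates" dev="xvda1" ino=591862 ipaddr=50.56.228.64 scontext=alunduil_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:cert_t tclass=dir
"""

# "avc: denied { perm1 perm2 } for key=value key=value ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the permission set and key=value fields of one AVC denial,
    plus the bare source/target types; None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': set(m.group('perms').split())}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    # contexts are user:role:type[:level]; the type is what policy rules name
    rec['source_type'] = rec['scontext'].split(':')[2]
    rec['target_type'] = rec['tcontext'].split(':')[2]
    return rec


def cert_denials(log, domain='portage_fetch_t'):
    """Collect (comm, tclass, perms) for denials where `domain` was refused
    access to cert_t objects; these are what the certs interface grants."""
    hits = []
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec and rec['source_type'] == domain and rec['target_type'] == 'cert_t':
            hits.append((rec['comm'], rec['tclass'], tuple(sorted(rec['perms']))))
    return hits


def suggested_policy(log, domain='portage_fetch_t'):
    """Emit the interface call the bug was closed with, but only when a cert_t
    denial for `domain` is actually present in the log."""
    if cert_denials(log, domain):
        return f'miscfiles_read_generic_certs({domain})'
    return None


if __name__ == '__main__':
    print(cert_denials(AVC_LOG))
    print(suggested_policy(AVC_LOG))
```

The home-directory denial in the first record is deliberately not matched, since it is not the one the certificate interface resolves.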
committed to repo (live ebuilds) and will be part of r7
r7 is now in hardened-dev
In main tree, ~arch'ed
r8 is now stable