# emerge-webrsync
Fetching most recent snapshot ...
Trying to retrieve 20141207 snapshot from http://distfiles.gentoo.org ...
Fetching file portage-20141207.tar.xz.md5sum ...
Fetching file portage-20141207.tar.xz.gpgsig ...
Fetching file portage-20141207.tar.xz ...
Checking digest ...
Checking signature ...
gpg: keyblock resource `/etc/portage/gpg/pubring.gpg': Permission denied
gpg: can't open `/var/tmp/portage/webrsync-dMgLXN/portage-20141207.tar.xz.gpgsig': Permission denied
gpg: verify signatures failed: Permission denied

Dec 8 17:07:33 maelstrom kernel: [34392.087016] audit: type=1400 audit(1418054853.056:118): avc: denied { search } for pid=53716 comm="claws-mail" name="vm" dev="proc" ino=7789 scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:sysctl_vm_t tclass=dir permissive=0

Dec 8 17:43:18 maelstrom kernel: [36538.038765] audit: type=1400 audit(1418056998.520:136): avc: denied { search } for pid=54087 comm="gpg" name="gpg" dev="dm-0" ino=3146654 scontext=staff_u:sysadm_r:gpg_t tcontext=system_u:object_r:portage_gpg_t tclass=dir permissive=1
Dec 8 17:43:18 maelstrom kernel: [36538.038877] audit: type=1400 audit(1418056998.520:137): avc: denied { read } for pid=54087 comm="gpg" name="gpg.conf" dev="dm-0" ino=3146656 scontext=staff_u:sysadm_r:gpg_t tcontext=system_u:object_r:portage_gpg_t tclass=file permissive=1
Dec 8 17:43:18 maelstrom kernel: [36538.038905] audit: type=1400 audit(1418056998.520:138): avc: denied { getattr } for pid=54087 comm="gpg" path="/etc/portage/gpg" dev="dm-0" ino=3146654 scontext=staff_u:sysadm_r:gpg_t tcontext=system_u:object_r:portage_gpg_t tclass=dir permissive=1
Dec 8 17:43:18 maelstrom kernel: [36538.038921] audit: type=1400 audit(1418056998.520:139): avc: denied { getattr } for pid=54087 comm="gpg" path="/etc/portage" dev="dm-0" ino=3146644 scontext=staff_u:sysadm_r:gpg_t tcontext=system_u:object_r:portage_conf_t tclass=dir permissive=1
Dec 8 17:43:18 maelstrom kernel: [36538.038943] audit: type=1400 audit(1418056998.520:140): avc: denied { open } for pid=54087 comm="gpg" path="/etc/portage/gpg/gpg.conf" dev="dm-0" ino=3146656 scontext=staff_u:sysadm_r:gpg_t tcontext=system_u:object_r:portage_gpg_t tclass=file permissive=1
Dec 8 17:43:18 maelstrom kernel: [36538.038966] audit: type=1400 audit(1418056998.520:141): avc: denied { getattr } for pid=54087 comm="gpg" path="/etc/portage/gpg/gpg.conf" dev="dm-0" ino=3146656 scontext=staff_u:sysadm_r:gpg_t tcontext=system_u:object_r:portage_gpg_t tclass=file permissive=1
Dec 8 17:43:18 maelstrom kernel: [36538.090904] audit: type=1400 audit(1418056998.572:142): avc: denied { search } for pid=54087 comm="gpg" name="webrsync-RPLoda" dev="dm-0" ino=23593770 scontext=staff_u:sysadm_r:gpg_t tcontext=staff_u:object_r:portage_tmp_t tclass=dir permissive=1
Dec 8 17:43:18 maelstrom kernel: [36538.090928] audit: type=1400 audit(1418056998.572:143): avc: denied { read } for pid=54087 comm="gpg" name="portage-20141207.tar.xz.gpgsig" dev="dm-0" ino=23602680 scontext=staff_u:sysadm_r:gpg_t tcontext=staff_u:object_r:portage_tmp_t tclass=file permissive=1
Dec 8 17:43:18 maelstrom kernel: [36538.090941] audit: type=1400 audit(1418056998.572:144): avc: denied { open } for pid=54087 comm="gpg" path="/var/tmp/portage/webrsync-RPLoda/portage-20141207.tar.xz.gpgsig" dev="dm-0" ino=23602680 scontext=staff_u:sysadm_r:gpg_t tcontext=staff_u:object_r:portage_tmp_t tclass=file permissive=1
Dec 8 17:43:19 maelstrom kernel: [36538.655962] audit: type=1400 audit(1418056999.137:145): avc: denied { write } for pid=54087 comm="gpg" name="gpg" dev="dm-0" ino=3146654 scontext=staff_u:sysadm_r:gpg_t tcontext=system_u:object_r:portage_gpg_t tclass=dir permissive=1

Reproducible: Always
Sorry, for enforcing should have been this one:

Dec 8 17:39:11 maelstrom kernel: [36290.836958] audit: type=1400 audit(1418056751.375:119): avc: denied { search } for pid=53966 comm="gpg" name="portage" dev="dm-0" ino=3146644 scontext=staff_u:sysadm_r:gpg_t tcontext=system_u:object_r:portage_conf_t tclass=dir permissive=0
So it seems like emerge-webrsync was moved to /usr/bin; after changing its context from bin_t to portage_fetch_exec_t it works.
added in commit 2e785432171dbe3d277641b67f95081d7fe5d84e, thanks
r2 is in tree, ~arch
stable
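
To read denials like the ones in this report, the following added example (not part of the original bug report or of the Gentoo policy) parses AVC records and groups them per command by source domain, target type and class, keeping enforcing (permissive=0) and permissive records apart. The sample lines are copied from the report with the syslog prefix trimmed; the function names are this example's own.

```python
import re
from collections import defaultdict

# AVC records copied from the report above, syslog prefix trimmed.
SAMPLE = """\
avc: denied { search } for pid=53716 comm="claws-mail" name="vm" dev="proc" ino=7789 scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:sysctl_vm_t tclass=dir permissive=0
avc: denied { search } for pid=53966 comm="gpg" name="portage" dev="dm-0" ino=3146644 scontext=staff_u:sysadm_r:gpg_t tcontext=system_u:object_r:portage_conf_t tclass=dir permissive=0
avc: denied { read } for pid=54087 comm="gpg" name="gpg.conf" dev="dm-0" ino=3146656 scontext=staff_u:sysadm_r:gpg_t tcontext=system_u:object_r:portage_gpg_t tclass=file permissive=1
avc: denied { open } for pid=54087 comm="gpg" path="/etc/portage/gpg/gpg.conf" dev="dm-0" ino=3146656 scontext=staff_u:sysadm_r:gpg_t tcontext=system_u:object_r:portage_gpg_t tclass=file permissive=1
avc: denied { read } for pid=54087 comm="gpg" name="portage-20141207.tar.xz.gpgsig" dev="dm-0" ino=23602680 scontext=staff_u:sysadm_r:gpg_t tcontext=staff_u:object_r:portage_tmp_t tclass=file permissive=1
avc: denied { write } for pid=54087 comm="gpg" name="gpg" dev="dm-0" ino=3146654 scontext=staff_u:sysadm_r:gpg_t tcontext=system_u:object_r:portage_gpg_t tclass=dir permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    if "scontext" not in rec or "tcontext" not in rec:
        return None
    rec["perms"] = m.group(1).split()
    # A context is user:role:type[:level]; policy rules match on the type field.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    rec["enforced"] = rec.get("permissive") == "0"
    return rec

def summarize(text, comm):
    """Group the denials of one command by (source, target, class, enforced)."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec.get("comm") == comm:
            key = (rec["source_type"], rec["target_type"],
                   rec.get("tclass"), rec["enforced"])
            groups[key].update(rec["perms"])
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls, enforced), perms in sorted(summarize(SAMPLE, "gpg").items()):
        mode = "enforcing" if enforced else "permissive"
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(sorted(perms))} }} [{mode}]")
```

Filtering on comm="gpg" drops the unrelated claws-mail record, and every remaining group has gpg_t as its source domain.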