Bug 531994 - sys-apps/portage-2.2.15 - emerge-webrsync can't verify gpg signature
Summary: sys-apps/portage-2.2.15 - emerge-webrsync can't verify gpg signature
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: SE Linux Bugs
Whiteboard: sec-policy r2
Reported: 2014-12-08 16:47 UTC by Amadeusz Sławiński
Modified: 2015-01-29 10:35 UTC (History)
Description Amadeusz Sławiński 2014-12-08 16:47:45 UTC
# emerge-webrsync
Fetching most recent snapshot ...
Trying to retrieve 20141207 snapshot from http://distfiles.gentoo.org ...
Fetching file portage-20141207.tar.xz.md5sum ...
Fetching file portage-20141207.tar.xz.gpgsig ...
Fetching file portage-20141207.tar.xz ...
Checking digest ...
Checking signature ...
gpg: keyblock resource `/etc/portage/gpg/pubring.gpg': Permission denied
gpg: can't open `/var/tmp/portage/webrsync-dMgLXN/portage-20141207.tar.xz.gpgsig': Permission denied
gpg: verify signatures failed: Permission denied


Dec  8 17:07:33 maelstrom kernel: [34392.087016] audit: type=1400 audit(1418054853.056:118): avc:  denied  { search } for  pid=53716 comm="claws-mail" name="vm" dev="proc" ino=7789 scontext=staff_u:staff_r:staff_t tcontext=system_u:object_r:sysctl_vm_t tclass=dir permissive=0


Dec  8 17:43:18 maelstrom kernel: [36538.038765] audit: type=1400 audit(1418056998.520:136): avc:  denied  { search } for  pid=54087 comm="gpg" name="gpg" dev="dm-0" ino=3146654 scontext=staff_u:sysadm_r:gpg_t tcontext=system_u:object_r:portage_gpg_t tclass=dir permissive=1
Dec  8 17:43:18 maelstrom kernel: [36538.038877] audit: type=1400 audit(1418056998.520:137): avc:  denied  { read } for  pid=54087 comm="gpg" name="gpg.conf" dev="dm-0" ino=3146656 scontext=staff_u:sysadm_r:gpg_t tcontext=system_u:object_r:portage_gpg_t tclass=file permissive=1
Dec  8 17:43:18 maelstrom kernel: [36538.038905] audit: type=1400 audit(1418056998.520:138): avc:  denied  { getattr } for  pid=54087 comm="gpg" path="/etc/portage/gpg" dev="dm-0" ino=3146654 scontext=staff_u:sysadm_r:gpg_t tcontext=system_u:object_r:portage_gpg_t tclass=dir permissive=1
Dec  8 17:43:18 maelstrom kernel: [36538.038921] audit: type=1400 audit(1418056998.520:139): avc:  denied  { getattr } for  pid=54087 comm="gpg" path="/etc/portage" dev="dm-0" ino=3146644 scontext=staff_u:sysadm_r:gpg_t tcontext=system_u:object_r:portage_conf_t tclass=dir permissive=1
Dec  8 17:43:18 maelstrom kernel: [36538.038943] audit: type=1400 audit(1418056998.520:140): avc:  denied  { open } for  pid=54087 comm="gpg" path="/etc/portage/gpg/gpg.conf" dev="dm-0" ino=3146656 scontext=staff_u:sysadm_r:gpg_t tcontext=system_u:object_r:portage_gpg_t tclass=file permissive=1
Dec  8 17:43:18 maelstrom kernel: [36538.038966] audit: type=1400 audit(1418056998.520:141): avc:  denied  { getattr } for  pid=54087 comm="gpg" path="/etc/portage/gpg/gpg.conf" dev="dm-0" ino=3146656 scontext=staff_u:sysadm_r:gpg_t tcontext=system_u:object_r:portage_gpg_t tclass=file permissive=1
Dec  8 17:43:18 maelstrom kernel: [36538.090904] audit: type=1400 audit(1418056998.572:142): avc:  denied  { search } for  pid=54087 comm="gpg" name="webrsync-RPLoda" dev="dm-0" ino=23593770 scontext=staff_u:sysadm_r:gpg_t tcontext=staff_u:object_r:portage_tmp_t tclass=dir permissive=1
Dec  8 17:43:18 maelstrom kernel: [36538.090928] audit: type=1400 audit(1418056998.572:143): avc:  denied  { read } for  pid=54087 comm="gpg" name="portage-20141207.tar.xz.gpgsig" dev="dm-0" ino=23602680 scontext=staff_u:sysadm_r:gpg_t tcontext=staff_u:object_r:portage_tmp_t tclass=file permissive=1
Dec  8 17:43:18 maelstrom kernel: [36538.090941] audit: type=1400 audit(1418056998.572:144): avc:  denied  { open } for  pid=54087 comm="gpg" path="/var/tmp/portage/webrsync-RPLoda/portage-20141207.tar.xz.gpgsig" dev="dm-0" ino=23602680 scontext=staff_u:sysadm_r:gpg_t tcontext=staff_u:object_r:portage_tmp_t tclass=file permissive=1
Dec  8 17:43:19 maelstrom kernel: [36538.655962] audit: type=1400 audit(1418056999.137:145): avc:  denied  { write } for  pid=54087 comm="gpg" name="gpg" dev="dm-0" ino=3146654 scontext=staff_u:sysadm_r:gpg_t tcontext=system_u:object_r:portage_gpg_t tclass=dir permissive=1


Reproducible: Always
Comment 1 Amadeusz Sławiński 2014-12-08 16:50:06 UTC
Sorry, for enforcing it should have been this one:

Dec  8 17:39:11 maelstrom kernel: [36290.836958] audit: type=1400 audit(1418056751.375:119): avc:  denied  { search } for  pid=53966 comm="gpg" name="portage" dev="dm-0" ino=3146644 scontext=staff_u:sysadm_r:gpg_t tcontext=system_u:object_r:portage_conf_t tclass=dir permissive=0
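A small triage helper, added here and not part of the bug report or of the Gentoo SELinux policy, that parses AVC denial lines like the ones above and groups the denied permissions by (source domain, target type, object class). Run over lines copied from this report it shows that every denial is gpg running in gpg_t against portage_conf_t, portage_gpg_t and portage_tmp_t, which is the pattern the later comments resolve by relabeling emerge-webrsync rather than by adding allow rules to gpg_t.

```python
import re
from collections import defaultdict

# Constructed sample: four AVC lines copied from this bug report, the first from the
# enforcing run (permissive=0), the rest from the permissive run (permissive=1).
SAMPLE_LOG = """\
Dec  8 17:39:11 maelstrom kernel: [36290.836958] audit: type=1400 audit(1418056751.375:119): avc:  denied  { search } for  pid=53966 comm="gpg" name="portage" dev="dm-0" ino=3146644 scontext=staff_u:sysadm_r:gpg_t tcontext=system_u:object_r:portage_conf_t tclass=dir permissive=0
Dec  8 17:43:18 maelstrom kernel: [36538.038765] audit: type=1400 audit(1418056998.520:136): avc:  denied  { search } for  pid=54087 comm="gpg" name="gpg" dev="dm-0" ino=3146654 scontext=staff_u:sysadm_r:gpg_t tcontext=system_u:object_r:portage_gpg_t tclass=dir permissive=1
Dec  8 17:43:18 maelstrom kernel: [36538.038877] audit: type=1400 audit(1418056998.520:137): avc:  denied  { read } for  pid=54087 comm="gpg" name="gpg.conf" dev="dm-0" ino=3146656 scontext=staff_u:sysadm_r:gpg_t tcontext=system_u:object_r:portage_gpg_t tclass=file permissive=1
Dec  8 17:43:18 maelstrom kernel: [36538.090928] audit: type=1400 audit(1418056998.572:143): avc:  denied  { read } for  pid=54087 comm="gpg" name="portage-20141207.tar.xz.gpgsig" dev="dm-0" ino=23602680 scontext=staff_u:sysadm_r:gpg_t tcontext=staff_u:object_r:portage_tmp_t tclass=file permissive=1
"""

# Matches the fields of a kernel AVC record; the permissive= suffix is optional
# because older kernels do not emit it.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
    r'(?: permissive=(?P<permissive>[01]))?'
)

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = set(rec["perms"].split())
    rec["permissive"] = rec["permissive"] == "1"
    return rec

def type_of(context):
    """user:role:type[:range] -> type, e.g. staff_u:sysadm_r:gpg_t -> gpg_t."""
    return context.split(":")[2]

def summarize(log):
    """Group denied permissions by (source domain, target type, class)."""
    summary = defaultdict(set)
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        summary[key] |= rec["perms"]
    return dict(summary)

def source_domains(log):
    """The set of domains that were denied; one entry here means one caller to relabel."""
    return {src for (src, _, _) in summarize(log)}

if __name__ == "__main__":
    for (src, tgt, cls), perms in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src} -> {tgt} ({cls}): {' '.join(sorted(perms))}")
```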
Comment 2 Amadeusz Sławiński 2014-12-08 17:10:37 UTC
So it seems like emerge-webrsync was moved to /usr/bin; after changing its context from bin_t to portage_fetch_exec_t it works.
Comment 3 Jason Zaman gentoo-dev 2014-12-20 12:47:28 UTC
added in commit 2e785432171dbe3d277641b67f95081d7fe5d84e,
thanks
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2014-12-21 14:09:38 UTC
r2 is in tree, ~arch
Comment 5 Jason Zaman gentoo-dev 2015-01-29 10:35:13 UTC
stable