From #gentoo-hardened: Hello @all. I set up a new server w/ SELinux enabled and if I try to emerge anything as sysadm_r, I get:

avc: denied { name_connect } for pid=5274 comm="wget" dest=26213 ipaddr=XX.XX.XXX. scontext=root:sysadm_r:portage_fetch_t tcontext=system_u:object_r:unreserved_port_t tclass=tcp_socket permissive=0

so wget fails to connect to the FTP data port and thus the download fails. Is this a known problem? And more

Probably need to allow corenet_tcp_connect_all_unreserved_ports(portage_fetch_t) to fix.

Reproducible: Always
Yes, this is a problem with PASV mode in FTP; I have previously hit it too. I assume there is no way other than just allowing all ports? Is the port range for PASV standardized in any meaningful way?
Should this be a boolean? I'm thinking not, since it is a fairly specific domain which can already connect to quite a few things, and not much runs in it.
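The following script is an added example for this thread; it is not code from the bug report or from the Gentoo SELinux policy. It ties the two technical points together: it recognises exactly the denial quoted in the report (a name_connect from the portage_fetch_t domain to a tcp_socket port labelled unreserved_port_t, which is what the server-chosen PASV data port lands on, since that type is the default label for TCP ports not assigned to a more specific port type), and it writes a local policy module that grants the fix proposed in the report, corenet_tcp_connect_all_unreserved_ports(portage_fetch_t). The reason the whole range is needed, not a single port, is that RFC 959 lets the FTP server pick any port for PASV; no standard narrows that range. The module name local_portage_fetch_pasv and the second sample log line are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the bug thread or the Gentoo policy tree.
# 1) is_portage_pasv_denial: classify an AVC line as the PASV-data-port denial.
# 2) count_portage_pasv_denials: count such lines in an audit/dmesg log file.
# 3) write_local_module: emit the local .te module granting the fix.

# Constructed samples: the first is the denial quoted in the report, the second
# is a made-up unrelated denial used only as a negative case.
SAMPLE_DENIAL='avc: denied { name_connect } for pid=5274 comm="wget" dest=26213 ipaddr=XX.XX.XXX. scontext=root:sysadm_r:portage_fetch_t tcontext=system_u:object_r:unreserved_port_t tclass=tcp_socket permissive=0'
SAMPLE_OTHER='avc: denied { read } for pid=4242 comm="wget" name="somefile" scontext=root:sysadm_r:portage_fetch_t tcontext=system_u:object_r:var_t tclass=file permissive=0'

# Print the value of KEY=VALUE in an AVC line (empty if absent).
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.* $1=\([^ ]*\).*/\1/p"
}

# Exit 0 only for a name_connect denial on a tcp_socket from portage_fetch_t to a
# port of type unreserved_port_t; tolerate an optional trailing MLS level.
is_portage_pasv_denial() {
    l=$1
    case $l in *'avc: denied { name_connect }'*) ;; *) return 1 ;; esac
    [ "$(avc_field tclass "$l")" = tcp_socket ] || return 1
    case $(avc_field scontext "$l") in
        *:portage_fetch_t|*:portage_fetch_t:*) ;;
        *) return 1 ;;
    esac
    case $(avc_field tcontext "$l") in
        *:unreserved_port_t|*:unreserved_port_t:*) ;;
        *) return 1 ;;
    esac
    return 0
}

# Destination port of a name_connect denial (26213 in the report).
avc_dest_port() { avc_field dest "$1"; }

# Count matching denials in a log file, e.g. /var/log/audit/audit.log.
count_portage_pasv_denials() {
    n=0
    while IFS= read -r line; do
        is_portage_pasv_denial "$line" && n=$((n + 1))
    done < "$1"
    echo "$n"
}

# Write the local policy module to the given path. Build it with the refpolicy
# module Makefile shipped with your policy (path is distribution-specific), then
# load it with: semodule -i local_portage_fetch_pasv.pp
# Verify afterwards with:
#   sesearch -A -s portage_fetch_t -t unreserved_port_t -c tcp_socket -p name_connect
write_local_module() {
    cat > "$1" <<'EOF'
policy_module(local_portage_fetch_pasv, 1.0)

gen_require(`
	type portage_fetch_t;
')

# The FTP server chooses the PASV data port, so no single port can be
# allowed; grant the unreserved range to the fetch domain, as proposed
# in the bug report.
corenet_tcp_connect_all_unreserved_ports(portage_fetch_t)
EOF
}

# Demonstration on the two constructed lines.
for l in "$SAMPLE_DENIAL" "$SAMPLE_OTHER"; do
    if is_portage_pasv_denial "$l"; then
        echo "PASV-port denial: fetch blocked on tcp port $(avc_dest_port "$l")"
    else
        echo "other denial: leave for separate audit2allow review"
    fi
done
```

The classifier deliberately keys on the source domain, target port type and permission rather than on comm="wget", so it also catches the same denial from any other fetcher running in portage_fetch_t; anything else is left out so the local module is not widened by unrelated denials.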
Added to master. Will be in -r6.
r6 policy is in ~arch
Now stable