Bug 833017 - dev-vcs/git: Receives SELinux permission denied under default policy when used by portage
Status: IN_PROGRESS
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: AMD64 Linux
Importance: Normal major
Assignee: SE Linux Bugs
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-02-10 03:08 UTC by Andrew Athalye
Modified: 2022-09-03 20:12 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Andrew Athalye 2022-02-10 03:08:19 UTC
(x86_64-musl-hardened-gcc)
Git is unable to be used to sync portage repositories unless the following policy rules are added:
allow portage_t portage_ebuild_t:file { map };
allow portage_t node_t:udp_socket { node_bind };
allow portage_t node_t:tcp_socket { node_bind };

These could certainly be restricted further, however I am rather inexperienced with SELinux and wanted to create rules which work and are not overly broad.

Reproducible: Always

Steps to Reproduce:
1. Emerge dev-vcs/git
2. eselect repository enable musl (or another git-using overlay)
3. emerge --sync musl
Actual Results:  
Permission denied is emitted, followed by errors in the audit log relating to the above types and permissions.

Expected Results:  
The overlay should sync successfully.

I am currently running the system in QEMU, so I cannot easily attach the info, however here are the essential versions:

selinux-base: 2.20210908-r1
sys-devel/gcc: 11.2.0
sys-libs/libselinux: 3.3
sys-libs/musl: 1.2.2-r6
dev-vcs/git: 2.34.1

POLICY_TYPES="strict"
setenforce 1 / permissive=0
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-02-10 04:13:34 UTC
(In reply to Andrew Athalye from comment #0)
> (x86_64-musl-hardened-gcc)
> Git is unable to be used to sync portage repositories unless the following
> policy rules are added:
> allow portage_t portage_ebuild_t:file { map };
> allow portage_t node_t:udp_socket { node_bind };
> allow portage_t node_t:tcp_socket { node_bind };
> 
> These could certainly be restricted further, however I am rather
> inexperienced with SELinux and wanted to create rules which work and are not
> overly broad.
> 

It may be useful to share the full AVC denials too.

> I am currently running the system in QEMU, so I cannot easily attach the
> info, however here are the essential versions:

Can't SSH in / use wgetpaste? :(

> setenforce 1 / permissive=0
Comment 2 Andrew Athalye 2022-02-10 22:48:32 UTC
Portage 3.0.30 (python 3.9.9-final-0, default/linux/amd64/17.0/musl/hardened/selinux, gcc-11.2.0, musl-1.2.2-r7, 5.15.19-gentoo-dist-hardened x86_64)
=================================================================
System uname: Linux-5.15.19-gentoo-dist-hardened-x86_64-Intel-R-_Xeon-R-_E-2176G_CPU_@_3.70GHz-with-libc
KiB Mem:    32873640 total,  20932140 free
KiB Swap:          0 total,         0 free
Timestamp of repository gentoo: Thu, 10 Feb 2022 22:00:01 +0000
Head commit of repository gentoo: a1de25aab10586750a82309884a48725f2560132
Timestamp of repository musl: Wed, 09 Feb 2022 09:54:11 +0000
Head commit of repository musl: ce598c92e60a5891a32cf7fd93507df1595bfe44

sh bash 5.1_p16
ld GNU ld (Gentoo 2.37_p1 p0) 2.37
app-misc/pax-utils:        1.3.3::gentoo
app-shells/bash:           5.1_p16::gentoo
dev-lang/perl:             5.34.0-r6::gentoo
dev-lang/python:           3.9.9-r1::gentoo, 3.10.0_p1-r1::gentoo
dev-lang/rust:             1.58.1::musl
dev-util/cmake:            3.22.2::gentoo
dev-util/meson:            0.60.3::gentoo
sec-policy/selinux-base:   2.20220106-r1::gentoo
sys-apps/baselayout:       2.7-r3::gentoo
sys-apps/openrc:           0.44.10::gentoo
sys-apps/sandbox:          2.25::gentoo
sys-devel/autoconf:        2.13-r1::gentoo, 2.71-r1::gentoo
sys-devel/automake:        1.16.4::gentoo
sys-devel/binutils:        2.37_p1::gentoo
sys-devel/binutils-config: 5.4::gentoo
sys-devel/clang:           13.0.0::gentoo
sys-devel/gcc:             11.2.0::gentoo
sys-devel/gcc-config:      2.5-r1::gentoo
sys-devel/libtool:         2.4.6-r6::gentoo
sys-devel/lld:             13.0.0::gentoo
sys-devel/llvm:            13.0.0::gentoo
sys-devel/make:            4.3::gentoo
sys-kernel/linux-headers:  5.15-r3::gentoo (virtual/os-headers)
sys-libs/libselinux:       3.3::gentoo
sys-libs/musl:             1.2.2-r7::gentoo
Repositories:

gentoo
    location: /var/db/repos/gentoo
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000
    sync-rsync-extra-opts:
    sync-rsync-verify-max-age: 24
    sync-rsync-verify-jobs: 1
    sync-rsync-verify-metamanifest: yes

musl
    location: /var/db/repos/musl
    sync-type: git
    sync-uri: https://github.com/gentoo-mirror/musl.git
    masters: gentoo

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="@FREE"
CBUILD="x86_64-gentoo-linux-musl"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-gentoo-linux-musl"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/var/cache/distfiles"
ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-march=native -O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs buildpkg-live config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync network-sandbox news parallel-fetch preserve-libs protect-owned qa-unresolved-soname-deps sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-march=native -O2 -pipe"
GENTOO_MIRRORS=" rsync://rsync.mirrorservice.org/distfiles.gentoo.org/ rsync://rsync.gtlib.gatech.edu/gentoo rsync://mirrors.rit.edu/gentoo/"
INSTALL_MASK="charset.alias /usr/share/locale/locale.alias"
LANG="ru_RU.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j12"
PKGDIR="/var/cache/binpkgs"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
SHELL="/bin/fish"
USE="X acl amd64 audit bzip2 caps crypt dbus egl hardened hwaccel iconv ipv6 libglvnd libtirpc ncurses nls nptl openmp pam pcre pie pipewire pulseaudio readline screencast seccomp selinux split-usr ssl ssp unicode wayland xattr xtpax zlib" ABI_X86="64" ADA_TARGET="gnat_2020" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx mmxext sse sse2" ELIBC="musl" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="efi-64" INPUT_DEVICES="libinput" KERNEL="linux" L10N="ru fr en" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LUA_SINGLE_TARGET="lua5-1" LUA_TARGETS="lua5-1" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-4 php8-0" POSTGRES_TARGETS="postgres12 postgres13" PYTHON_SINGLE_TARGET="python3_9" PYTHON_TARGETS="python3_9" RUBY_TARGETS="ruby26 ruby27" USERLAND="GNU" VIDEO_CARDS="virgl" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq proto steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  ADDR2LINE, AR, ARFLAGS, AS, ASFLAGS, CC, CCLD, CONFIG_SHELL, CPP, CPPFLAGS, CTARGET, CXX, CXXFILT, ELFEDIT, EMERGE_DEFAULT_OPTS, EXTRA_ECONF, F77FLAGS, FC, GCOV, GPROF, LC_ALL, LD, LEX, LFLAGS, LIBTOOL, LINGUAS, MAKE, MAKEFLAGS, NM, OBJCOPY, OBJDUMP, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, RANLIB, READELF, RUSTFLAGS, SIZE, STRINGS, STRIP, YACC, YFLAGS
Comment 3 Andrew Athalye 2022-02-10 22:53:33 UTC
Relevant AVC messages:
type=AVC msg=audit(1644533322.753:946): avc:  denied  { node_bind } for  pid=22065 comm="emerge" saddr=::1 scontext=root:sysadm_r:portage_t tcontext=system_u:object_r:node_t tclass=udp_socket permissive=0
type=AVC msg=audit(1644533322.926:947): avc:  denied  { node_bind } for  pid=22070 comm="emerge" saddr=::1 scontext=root:sysadm_r:portage_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=0
type=AVC msg=audit(1644533323.029:948): avc:  denied  { map } for  pid=22072 comm="git" path="/var/db/repos/musl/.git/objects/pack/pack-8a8776a1a7e280ffbbd46f77f8a00e9ac5f26cf6.idx" dev="sda2" ino=10541190 scontext=root:sysadm_r:portage_t tcontext=system_u:object_r:portage_ebuild_t tclass=file permissive=0
type=AVC msg=audit(1644533343.596:952): avc:  denied  { node_bind } for  pid=22149 comm="emerge" saddr=::1 scontext=root:sysadm_r:portage_t tcontext=system_u:object_r:node_t tclass=udp_socket permissive=0
type=AVC msg=audit(1644533343.769:953): avc:  denied  { node_bind } for  pid=22154 comm="emerge" saddr=::1 scontext=root:sysadm_r:portage_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=0
type=AVC msg=audit(1644533343.879:954): avc:  denied  { node_bind } for  pid=22159 comm="git-remote-http" scontext=root:sysadm_r:portage_t tcontext=system_u:object_r:node_t tclass=udp_socket permissive=0
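The six denials in comment 3 reduce mechanically to the three rules proposed in comment 0: group each record by (source type, target type, object class) and union the permissions. The script below is an added example for this page, not code from the bug reporter, from Portage, or from the hardened-refpolicy project. It is a small audit2allow-style reducer: it parses AVC records, takes the type field out of each user:role:type[:level] context, emits refpolicy-style allow rules, and separates file-object denials (the { map } on the pack .idx, which carries portage_ebuild_t and is the denial the later commit addresses) from socket-class denials (the { node_bind } records from emerge and git-remote-http). The sample input is the six records from comment 3, re-joined onto one line each; the function and variable names (reduce_denials, render_rules, split_by_kind) are this example's own.

```python
"""Reduce SELinux AVC denials to the allow rules they imply (audit2allow-style)."""
import re
from collections import defaultdict

# Sample input: the six AVC records from comment 3 of bug 833017, one per line.
AVC_SAMPLE = """\
type=AVC msg=audit(1644533322.753:946): avc:  denied  { node_bind } for  pid=22065 comm="emerge" saddr=::1 scontext=root:sysadm_r:portage_t tcontext=system_u:object_r:node_t tclass=udp_socket permissive=0
type=AVC msg=audit(1644533322.926:947): avc:  denied  { node_bind } for  pid=22070 comm="emerge" saddr=::1 scontext=root:sysadm_r:portage_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=0
type=AVC msg=audit(1644533323.029:948): avc:  denied  { map } for  pid=22072 comm="git" path="/var/db/repos/musl/.git/objects/pack/pack-8a8776a1a7e280ffbbd46f77f8a00e9ac5f26cf6.idx" dev="sda2" ino=10541190 scontext=root:sysadm_r:portage_t tcontext=system_u:object_r:portage_ebuild_t tclass=file permissive=0
type=AVC msg=audit(1644533343.596:952): avc:  denied  { node_bind } for  pid=22149 comm="emerge" saddr=::1 scontext=root:sysadm_r:portage_t tcontext=system_u:object_r:node_t tclass=udp_socket permissive=0
type=AVC msg=audit(1644533343.769:953): avc:  denied  { node_bind } for  pid=22154 comm="emerge" saddr=::1 scontext=root:sysadm_r:portage_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=0
type=AVC msg=audit(1644533343.879:954): avc:  denied  { node_bind } for  pid=22159 comm="git-remote-http" scontext=root:sysadm_r:portage_t tcontext=system_u:object_r:node_t tclass=udp_socket permissive=0
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
_DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    return parts[2]


def parse_avc(line):
    """Parse one audit line; return None if it is not an AVC denial."""
    m = _DENIED_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(m.group("rest"))}
    return {
        "perms": frozenset(m.group("perms").split()),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm", "?"),
        "path": fields.get("path"),
        # permissive=0 means the access was actually blocked, not just logged
        "enforcing": fields.get("permissive") == "0",
    }


def reduce_denials(text):
    """Group denials by (source type, target type, class), unioning permissions.

    Returns {(stype, ttype, tclass): {"perms": set, "comms": set, "paths": set}}.
    """
    rules = defaultdict(lambda: {"perms": set(), "comms": set(), "paths": set()})
    for line in text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        key = (d["stype"], d["ttype"], d["tclass"])
        rules[key]["perms"] |= d["perms"]
        rules[key]["comms"].add(d["comm"])
        if d["path"]:
            rules[key]["paths"].add(d["path"])
    return dict(rules)


def render_rules(rules):
    """Render grouped denials as sorted refpolicy-style allow rules."""
    out = []
    for (stype, ttype, tclass), info in sorted(rules.items()):
        perms = " ".join(sorted(info["perms"]))
        out.append(f"allow {stype} {ttype}:{tclass} {{ {perms} }};")
    return out


def split_by_kind(rules):
    """Separate socket-class denials from the rest; they usually need different fixes."""
    file_rules, net_rules = {}, {}
    for key, info in rules.items():
        (net_rules if key[2].endswith("_socket") else file_rules)[key] = info
    return file_rules, net_rules


if __name__ == "__main__":
    grouped = reduce_denials(AVC_SAMPLE)
    for rule in render_rules(grouped):
        print(rule)
    files, nets = split_by_kind(grouped)
    print(f"{len(files)} file-object rule(s), {len(nets)} socket rule(s)")
```

The rendered rules are raw allow statements, which is what the reporter posted; a refpolicy author would express the same grant through the module's interfaces rather than naming the target type directly, which is why the actual fix went into policy/modules/admin/portage.te. Keeping the comm values per rule is what tells you the { map } comes from git on the repository's own pack file, while the { node_bind } records come from emerge itself and git-remote-http.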
Comment 4 Kenton Groombridge gentoo-dev 2022-04-19 23:34:19 UTC
This is caused by portage executing git which mmap()s ebuild files in the repository.
Comment 5 Larry the Git Cow gentoo-dev 2022-09-03 20:04:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7d41f1b7b4f4d675b62835be6d2416eb2368a1a1

commit 7d41f1b7b4f4d675b62835be6d2416eb2368a1a1
Author:     Kenton Groombridge <concord@gentoo.org>
AuthorDate: 2022-04-19 22:53:44 +0000
Commit:     Kenton Groombridge <concord@gentoo.org>
CommitDate: 2022-09-03 20:04:23 +0000

    portage: allow portage to map ebuild files
    
    When portage syncs a repo with git, git will mmap() ebuild files. Allow
    portage to map ebuild files to fix permission denied errors on syncing.
    
    Bug: https://bugs.gentoo.org/833017
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>

 policy/modules/admin/portage.te | 2 ++
 1 file changed, 2 insertions(+)