Bug 833369 - sec-policy/selinux-base-policy (patch) tunable allow portage to use cifs filesystems
Summary: sec-policy/selinux-base-policy (patch) tunable allow portage to use cifs file...
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: SE Linux Bugs
Keywords: PATCH
Reported: 2022-02-15 00:34 UTC by Tully Gray
Modified: 2022-02-15 00:37 UTC

Attachments
0001-tunable-portage-use-cifs (0001-tunable-portage-use-cifs.patch,1.56 KB, patch)
2022-02-15 00:36 UTC, Tully Gray

Description Tully Gray 2022-02-15 00:34:59 UTC
This simple patch adds an SELinux policy tunable (boolean) which allows Portage to use and write to a CIFS filesystem, for instance distfiles or binpkgs mounted via a Samba share.

Reproducible: Always

Steps to Reproduce:
1. Mount distfiles share via Samba on a SELinux-enabled Gentoo guest.
2. Try to download distfiles as guest.
3. SELinux AVC denial is generated thereby preventing guest from writing to share.
Actual Results:  
SELinux policy prevents writing of file.

Expected Results:  
After enabling boolean "portage_use_cifs", this action should be allowed.

From 0463b8303d8d5fa9a7770815f582d37538ad00a6 Mon Sep 17 00:00:00 2001
From: Tully Gray <tully.gray@protonmail.com>
Date: Tue, 15 Feb 2022 11:07:15 +1100
Subject: [PATCH 1/1] New policy tunable: Determine whether portage can use
 cifs filesystems.

Signed-off-by: Tully Gray <tully.gray@protonmail.com>
---
 policy/modules/admin/portage.te | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 9abbdc37..db7d2b19 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -13,6 +13,14 @@ policy_module(portage)
 ## </desc>
 gen_tunable(portage_use_nfs, false)
 
+## <desc>
+##	<p>
+##	Determine whether portage can
+##	use cifs filesystems.
+##	</p>
+## </desc>
+gen_tunable(portage_use_cifs, false)
+
 ## <desc>
 ##	<p>
 ##	Determine whether portage domains can read user content.
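Review bot: the <desc> text for portage_use_cifs ("Determine whether portage can use cifs filesystems") understates what the boolean grants. Later in this patch it gives portage_fetch_t manage access to CIFS directories, files and symlinks and gives gcc_config_t read access to CIFS files, so the description should say so, for example "Determine whether portage domains can read and manage content on CIFS filesystems". That wording also matches the "portage domains" phrasing of the neighbouring portage_read_user_content description and tells an administrator what enabling the boolean permits.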
@@ -148,6 +156,10 @@ tunable_policy(`portage_use_nfs',`
 	fs_read_nfs_files(gcc_config_t)
 ')
 
+tunable_policy(`portage_use_cifs',`
+	fs_read_cifs_files(gcc_config_t)
+')
+
 optional_policy(`
 	consoletype_exec(gcc_config_t)
 ')
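Review bot: fs_read_cifs_files(gcc_config_t) is not exercised by the reproduction steps in this report, which only cover downloading distfiles. Please confirm that this rule was tested, or state in the commit message that it is added by analogy with the fs_read_nfs_files(gcc_config_t) line just above, so it is clear whether a denial was actually observed for gcc_config_t.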
@@ -340,6 +352,13 @@ tunable_policy(`portage_use_nfs',`
 	fs_manage_nfs_symlinks(portage_fetch_t)
 ')
 
+tunable_policy(`portage_use_cifs',`
+	fs_getattr_cifs(portage_fetch_t)
+	fs_manage_cifs_dirs(portage_fetch_t)
+	fs_manage_cifs_files(portage_fetch_t)
+	fs_manage_cifs_symlinks(portage_fetch_t)
+')
+
 tunable_policy(`portage_read_user_content',`
 	userdom_read_user_home_content_files(portage_fetch_t)
 	userdom_list_user_home_content(portage_fetch_t)
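Review bot: the new portage_use_cifs block covers portage_fetch_t only, while the bug description names both distfiles and binpkgs on a Samba share as the use case. If binpkgs are written by a portage domain other than portage_fetch_t, that case will still be denied with the boolean on; either add the matching rules for that domain or narrow the description to fetching distfiles. The default of false in gen_tunable is the right choice for a rule set that grants fs_manage_cifs_dirs, fs_manage_cifs_files and fs_manage_cifs_symlinks.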
-- 
2.34.1
Comment 1 Tully Gray 2022-02-15 00:36:28 UTC
Created attachment 765140
0001-tunable-portage-use-cifs