Summary: | selinux - emerge-webrsync with gpg fails to run in selinux | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Matthew Thode ( prometheanfire ) <prometheanfire> |
Component: | Hardened | Assignee: | The Gentoo Linux Hardened Team <hardened> |
Status: | VERIFIED FIXED | ||
Severity: | normal | CC: | selinux |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- | |
Attachments: | daily cron, auditd log |
Description
Matthew Thode ( prometheanfire )
2011-07-22 13:56:26 UTC
Created attachment 280617: daily cron
Created attachment 280619: auditd log
Thanks; this will be covered in r21.

Are those the logs when you run the command from cron?

Logs are manual run while I am in the sysadm_r role.

Okay; apparently layman runs within the sysadm domain. When dealing with system administration from within, say, system_cronjob_t, this isn't what we want, because that would mean we need to give system_cronjob_t "too generic" administrative rights.

I'm going to put layman in its own domain, as part of the portage module, and make sure that whoever gets assigned portage_run() also has the rights to work with layman. After all, they're both pretty interconnected.

The layman files will then be marked as layman_var_lib_t. The portage_* domains will get read rights on this label.
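
The domain split described in the last comment, sketched as a refpolicy-style type enforcement fragment. This is an added illustration, not the policy that was committed for this bug; `layman_t`, `layman_exec_t` and the choice of `portage_t` and `portage_fetch_t` as the reading domains are assumptions, and only `layman_var_lib_t` and `portage_run()` are named in the thread.

```selinux
# Fragment assumed to live inside the portage module's .te file, so
# portage_t and portage_fetch_t are already declared there.

# Dedicated domain and entry point for layman (names assumed).
type layman_t;
type layman_exec_t;
application_domain(layman_t, layman_exec_t)

# Label for the overlay data layman maintains (name from the thread).
type layman_var_lib_t;
files_type(layman_var_lib_t)

# Only layman itself may create and modify its overlay tree.
manage_dirs_pattern(layman_t, layman_var_lib_t, layman_var_lib_t)
manage_files_pattern(layman_t, layman_var_lib_t, layman_var_lib_t)
manage_lnk_files_pattern(layman_t, layman_var_lib_t, layman_var_lib_t)

# portage domains get read-only access to that label.
list_dirs_pattern(portage_t, layman_var_lib_t, layman_var_lib_t)
read_files_pattern(portage_t, layman_var_lib_t, layman_var_lib_t)
read_lnk_files_pattern(portage_t, layman_var_lib_t, layman_var_lib_t)

list_dirs_pattern(portage_fetch_t, layman_var_lib_t, layman_var_lib_t)
read_files_pattern(portage_fetch_t, layman_var_lib_t, layman_var_lib_t)

# Callers of portage_run() would reach layman through a transition
# declared in the module's interface file, for example:
#   domtrans_pattern($1, layman_exec_t, layman_t)
#   role $2 types layman_t;
# so that system_cronjob_t gains a path into layman_t without being
# granted sysadm-style administrative rights itself.
```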