Bug 376005

Summary: selinux - emerge-webrsync with gpg fails to run in selinux
Product: Gentoo Linux
Reporter: Matthew Thode (prometheanfire) <prometheanfire>
Component: Hardened
Assignee: The Gentoo Linux Hardened Team <hardened>
Status: VERIFIED FIXED
Severity: normal
CC: selinux
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: daily cron; auditd log

Description Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2011-07-22 13:56:26 UTC
Going to attach the auditd logs and the cron script that spawned it.


Also:

drwxr-xr-x. 2 root    root    system_u:object_r:file_t             4096 Jul 22 09:34 /var/tmp/emerge-webrsync

Reproducible: Always

Steps to Reproduce:
1. Set up gpg and add webrsync-gpg to FEATURES in make.conf.
2. Run emerge-webrsync.
3. If you are set to enforcing, it will fail.
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2011-07-22 13:58:58 UTC
Created attachment 280617: daily cron
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2011-07-22 14:00:06 UTC
Created attachment 280619: auditd log
Comment 3 Sven Vermeulen 2011-07-22 14:53:30 UTC
Thanks; this will be covered in r21. Are those the logs when you run the command from cron?
Comment 4 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2011-07-22 14:54:59 UTC
The logs are from a manual run while I am in the sysadm_r role.
Comment 5 Sven Vermeulen 2011-07-23 17:50:59 UTC
Okay; apparently layman runs within the sysadm domain. When dealing with system administration from within, say, system_cronjob_t this isn't what we want, because that would mean we need to give system_cronjob_t "too generic" administrative rights.

I'm going to put layman in its own domain, as part of the portage module, and make sure that whoever gets assigned portage_run() also has the rights to work with layman. After all, they're both pretty interconnected.

The layman files will then be marked as layman_var_lib_t. The portage_* domains will get read rights on this label.
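To make the design in the comment above concrete, here is an added reference-policy-style sketch of what "layman in its own domain, with portage_* domains reading layman_var_lib_t" looks like. This is an illustrative example written for this page, not the Gentoo hardened policy that shipped as r21; Sven places the types inside the portage module, while this sketch uses a stand-alone `layman` module so the three files stay readable. Only `layman_var_lib_t` and `portage_run()` come from the comment; `layman_t`, `layman_exec_t`, the interface names `layman_domtrans`, `layman_run` and `layman_read_var_lib`, the `/usr/bin/layman` and `/var/lib/layman` paths and the network permissions are assumptions for the example.

```m4
## layman.te (example policy, not the real Gentoo module)
policy_module(layman, 1.0.0)

########################################
#
# Declarations
#

# Assumed domain and entry-point types for the layman executable.
type layman_t;
type layman_exec_t;
application_domain(layman_t, layman_exec_t)
role system_r types layman_t;

# Label for the overlay checkouts, named as in the comment above.
type layman_var_lib_t;
files_type(layman_var_lib_t)

########################################
#
# Local policy
#

allow layman_t self:process signal;
allow layman_t self:fifo_file rw_fifo_file_perms;

# layman owns its overlay tree: full management plus automatic labelling
# of new directories it creates under /var/lib.
manage_dirs_pattern(layman_t, layman_var_lib_t, layman_var_lib_t)
manage_files_pattern(layman_t, layman_var_lib_t, layman_var_lib_t)
files_var_lib_filetrans(layman_t, layman_var_lib_t, dir)

# Overlays are synced over the network (assumed: http and rsync).
corenet_tcp_connect_http_port(layman_t)
corenet_tcp_connect_rsync_port(layman_t)
sysnet_dns_name_resolve(layman_t)

## layman.if (example interfaces)

interface(`layman_domtrans',`
	gen_require(`
		type layman_t, layman_exec_t;
	')
	corecmd_search_bin($1)
	domtrans_pattern($1, layman_exec_t, layman_t)
')

# Mirrors the shape of portage_run(): callers that may run layman get the
# transition and the role gets the domain. Hooking layman_run($1, $2) into
# portage_run() is the assumed way to give "whoever gets portage_run()"
# layman rights without touching system_cronjob_t directly.
interface(`layman_run',`
	gen_require(`
		type layman_t;
	')
	layman_domtrans($1)
	role $2 types layman_t;
')

# Read-only access to overlay files, for the portage_* domains.
interface(`layman_read_var_lib',`
	gen_require(`
		type layman_var_lib_t;
	')
	files_search_var_lib($1)
	list_dirs_pattern($1, layman_var_lib_t, layman_var_lib_t)
	read_files_pattern($1, layman_var_lib_t, layman_var_lib_t)
')

## layman.fc (example file contexts)
/usr/bin/layman		--	gen_context(system_u:object_r:layman_exec_t,s0)
/var/lib/layman(/.*)?		gen_context(system_u:object_r:layman_var_lib_t,s0)
```

With this in place, the portage side of the split is one call per portage domain, e.g. `layman_read_var_lib(portage_t)`, so emerge can read the overlay tree without being able to modify it; a cron-driven sync only needs `layman_run(system_cronjob_t, system_r)` rather than sysadm_t-level rights. After loading a policy like this, `restorecon -Rv /var/lib/layman` relabels existing checkouts, and a leftover `file_t` label such as the `/var/tmp/emerge-webrsync` directory in the report is a sign that a path has no matching file-context entry at all.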