| Summary: | layman -S doesn't work on -9999 | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Amadeusz Sławiński <amade> |
| Component: | SELinux | Assignee: | Sven Vermeulen (RETIRED) <swift> |
| Status: | VERIFIED FIXED | | |
| Severity: | normal | CC: | selinux |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | sec-policy r12 | | |
| Package list: | | Runtime testing required: | --- |

Description
Amadeusz Sławiński
2013-01-23 19:21:57 UTC
Does it suffice to add in the following?

```
userdom_search_user_home_content(portage_fetch_t)
```

Still there

```
# cat buglayman.te
policy_module(buglayman , 1.0.0)

require {
	type portage_fetch_t;
}

userdom_search_user_home_content(portage_fetch_t)

# semodule -l | grep layman
buglayman 1.0.0

# layman -S
* Fetching remote list,...
* Fetching new list...
http://www.gentoo.org/proj/en/overlays/repositories.xml
* Last-modified: Sat, 26 Jan 2013 21:30:02 GMT
* Fetch Ok
* Syncing selected overlays,...
* Running Git... # ( cd /var/lib/layman/hardened-development && /usr/bin/git pull )
fatal: unable to access '/root/.config/git/config': Permission denied
* Failure result returned from Git
* Running Git... # ( cd /var/lib/layman/x11 && /usr/bin/git pull )
fatal: unable to access '/root/.config/git/config': Permission denied
* Failure result returned from Git
*
* Errors:
* ------
* Failed to sync overlay "hardened-development".
* Error was: Syncing overlay "hardened-development" returned status 128!
* db.sync()
* Failed to sync overlay "x11".
* Error was: Syncing overlay "x11" returned status 128!
* db.sync()
*
* CLI: Errors occurred processing action sync_all
*
* Errors:
* ------
* Failed to sync overlay "hardened-development".
* Error was: Syncing overlay "hardened-development" returned status 128!
* db.sync()
* Failed to sync overlay "x11".
* Error was: Syncing overlay "x11" returned status 128!
* db.sync()
*
* update_news() failed running portage news reporter function
* Error was; stat('/etc/portage/make.profile')
```

Enforcing:

```
Jan 27 14:42:54 lain kernel: [ 2769.217533] type=1400 audit(1359294174.135:166): avc: denied { search } for pid=21230 comm="python" name="env.d" dev="dm-0" ino=20972123 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:etc_runtime_t tclass=dir
Jan 27 14:42:54 lain kernel: [ 2769.288373] type=1400 audit(1359294174.206:167): avc: denied { search } for pid=21230 comm="layman" name=".local" dev="dm-0" ino=6160747 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=root:object_r:xdg_data_home_t tclass=dir
Jan 27 14:42:54 lain kernel: [ 2769.374797] type=1400 audit(1359294174.293:168): avc: denied { search } for pid=21230 comm="layman" name=".local" dev="dm-0" ino=6160747 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=root:object_r:xdg_data_home_t tclass=dir
Jan 27 14:42:56 lain kernel: [ 2771.568740] type=1400 audit(1359294176.491:169): avc: denied { search } for pid=21245 comm="git" name=".config" dev="dm-0" ino=6160740 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=root:object_r:xdg_config_home_t tclass=dir
Jan 27 14:42:56 lain kernel: [ 2771.577601] type=1400 audit(1359294176.500:170): avc: denied { search } for pid=21247 comm="git" name=".config" dev="dm-0" ino=6160740 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=root:object_r:xdg_config_home_t tclass=dir
Jan 27 14:42:56 lain kernel: [ 2771.680582] type=1400 audit(1359294176.603:171): avc: denied { getattr } for pid=21230 comm="layman" path="/usr/bin/sandbox" dev="dm-0" ino=7357942 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_exec_t tclass=file
Jan 27 14:42:56 lain kernel: [ 2771.753135] type=1400 audit(1359294176.676:172): avc: denied { read } for pid=21230 comm="layman" name="make.profile" dev="dm-0" ino=20971603 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_conf_t tclass=lnk_file
```

And with xdg_read_config_home_files(portage_fetch_t) set?

Yes, looks better

```
# layman -S
* Fetching remote list,...
* Remote list already up to date: http://www.gentoo.org/proj/en/overlays/repositories.xml
* Last-modified: Sat, 26 Jan 2013 21:30:02 GMT
* Fetch Ok
* Syncing selected overlays,...
* Running Git... # ( cd /var/lib/layman/hardened-development && /usr/bin/git pull )
Already up-to-date.
* Running Git... # ( cd /var/lib/layman/x11 && /usr/bin/git pull )
Already up-to-date.
*
* Succeeded:
* ------
* Successfully synchronized overlay "hardened-development".
* Successfully synchronized overlay "x11".
*
* CLI: Errors occurred processing action sync_all
* update_news() failed running portage news reporter function
* Error was; stat('/etc/portage/make.profile')

# cat buglayman.te
policy_module(buglayman , 1.0.0)

require {
	type portage_fetch_t;
}

#userdom_search_user_home_content(portage_fetch_t)
xdg_read_config_home_files(portage_fetch_t)
```

Enforcing:

```
Jan 27 15:01:41 lain kernel: [ 3894.259090] type=1400 audit(1359295301.410:1415): avc: denied { search } for pid=7257 comm="python" name="env.d" dev="dm-0" ino=20972123 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:etc_runtime_t tclass=dir
Jan 27 15:01:41 lain kernel: [ 3894.328330] type=1400 audit(1359295301.479:1416): avc: denied { search } for pid=7257 comm="layman" name=".local" dev="dm-0" ino=6160747 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=root:object_r:xdg_data_home_t tclass=dir
Jan 27 15:01:41 lain kernel: [ 3894.409290] type=1400 audit(1359295301.560:1417): avc: denied { search } for pid=7257 comm="layman" name=".local" dev="dm-0" ino=6160747 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=root:object_r:xdg_data_home_t tclass=dir
Jan 27 15:01:42 lain kernel: [ 3895.455898] type=1400 audit(1359295302.609:1418): avc: denied { getattr } for pid=7257 comm="layman" path="/usr/bin/sandbox" dev="dm-0" ino=7357942 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_exec_t tclass=file
Jan 27 15:01:42 lain kernel: [ 3895.528238] type=1400 audit(1359295302.681:1419): avc: denied { read } for pid=7257 comm="layman" name="make.profile" dev="dm-0" ino=20971603 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_conf_t tclass=lnk_file
```

Permissive:

```
Jan 27 15:02:23 lain kernel: [ 3936.073595] type=1400 audit(1359295343.307:1421): avc: denied { getattr } for pid=7365 comm="layman" path="/usr/bin/sandbox" dev="dm-0" ino=7357942 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_exec_t tclass=file
Jan 27 15:02:23 lain kernel: [ 3936.073663] type=1400 audit(1359295343.307:1422): avc: denied { execute } for pid=7365 comm="layman" name="sandbox" dev="dm-0" ino=7357942 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_exec_t tclass=file
Jan 27 15:02:23 lain kernel: [ 3936.140267] type=1400 audit(1359295343.374:1423): avc: denied { read } for pid=7365 comm="layman" name="make.profile" dev="dm-0" ino=20971603 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_conf_t tclass=lnk_file
Jan 27 15:02:23 lain kernel: [ 3936.140388] type=1400 audit(1359295343.374:1424): avc: denied { getattr } for pid=7365 comm="layman" path="/etc/portage/make.profile" dev="dm-0" ino=20971603 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_conf_t tclass=lnk_file
Jan 27 15:02:23 lain kernel: [ 3936.565012] type=1400 audit(1359295343.800:1425): avc: denied { getattr } for pid=7365 comm="layman" path="/var/cache/edb" dev="dm-0" ino=6553661 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_cache_t tclass=dir
Jan 27 15:02:23 lain kernel: [ 3936.566369] type=1400 audit(1359295343.801:1426): avc: denied { write } for pid=7365 comm="layman" name="dep" dev="dm-0" ino=6553662 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_cache_t tclass=dir
Jan 27 15:02:23 lain kernel: [ 3936.568207] type=1400 audit(1359295343.803:1427): avc: denied { write } for pid=7365 comm="layman" name="news" dev="dm-0" ino=6553614 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:var_lib_t tclass=dir
Jan 27 15:02:23 lain kernel: [ 3936.568544] type=1400 audit(1359295343.803:1428): avc: denied { add_name } for pid=7365 comm="layman" name=".news-hardened-dev.unread.portage_lockfile" scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:var_lib_t tclass=dir
Jan 27 15:02:23 lain kernel: [ 3936.568579] type=1400 audit(1359295343.803:1429): avc: denied { create } for pid=7365 comm="layman" name=".news-hardened-dev.unread.portage_lockfile" scontext=staff_u:sysadm_r:portage_fetch_t tcontext=staff_u:object_r:var_lib_t tclass=file
```

Add in a "portage_read_config(portage_fetch_t)" and then the last bit on the news should be resolved as well.

Works now without warnings.

```
# cat buglayman.te
policy_module(buglayman , 1.0.0)

require {
	type portage_fetch_t;
}

xdg_read_config_home_files(portage_fetch_t)
portage_read_config(portage_fetch_t)

# layman -S
* Fetching remote list,...
* Remote list already up to date: http://www.gentoo.org/proj/en/overlays/repositories.xml
* Last-modified: Sat, 26 Jan 2013 21:30:02 GMT
* Fetch Ok
* Syncing selected overlays,...
* Running Git... # ( cd /var/lib/layman/hardened-development && /usr/bin/git pull )
Already up-to-date.
* Running Git... # ( cd /var/lib/layman/x11 && /usr/bin/git pull )
Already up-to-date.
*
* Succeeded:
* ------
* Successfully synchronized overlay "hardened-development".
* Successfully synchronized overlay "x11".
*
```

Enforcing:

```
Jan 28 11:41:24 lain kernel: [ 3847.300701] type=1400 audit(1359369684.093:20): avc: denied { search } for pid=5627 comm="python" name="env.d" dev="dm-0" ino=20972123 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:etc_runtime_t tclass=dir
Jan 28 11:41:24 lain kernel: [ 3847.369515] type=1400 audit(1359369684.162:21): avc: denied { search } for pid=5627 comm="layman" name=".local" dev="dm-0" ino=6160747 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=root:object_r:xdg_data_home_t tclass=dir
Jan 28 11:41:24 lain kernel: [ 3847.443451] type=1400 audit(1359369684.236:22): avc: denied { search } for pid=5627 comm="layman" name=".local" dev="dm-0" ino=6160747 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=root:object_r:xdg_data_home_t tclass=dir
Jan 28 11:41:27 lain kernel: [ 3851.006874] type=1400 audit(1359369687.807:23): avc: denied { getattr } for pid=5627 comm="layman" path="/usr/bin/sandbox" dev="dm-0" ino=7357942 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_exec_t tclass=file
Jan 28 11:41:30 lain kernel: [ 3853.808523] type=1400 audit(1359369690.614:24): avc: denied { getattr } for pid=5627 comm="layman" path="/var/cache/edb" dev="dm-0" ino=6553661 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_cache_t tclass=dir
Jan 28 11:41:30 lain kernel: [ 3853.808567] type=1400 audit(1359369690.614:25): avc: denied { search } for pid=5627 comm="layman" name="edb" dev="dm-0" ino=6553661 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_cache_t tclass=dir
Jan 28 11:41:30 lain kernel: [ 3853.833313] type=1400 audit(1359369690.639:26): avc: denied { getattr } for pid=5627 comm="layman" path="/var/cache/edb" dev="dm-0" ino=6553661 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_cache_t tclass=dir
Jan 28 11:41:30 lain kernel: [ 3853.833450] type=1400 audit(1359369690.639:27): avc: denied { search } for pid=5627 comm="layman" name="edb" dev="dm-0" ino=6553661 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_cache_t tclass=dir
Jan 28 11:41:30 lain kernel: [ 3853.833557] type=1400 audit(1359369690.639:28): avc: denied { search } for pid=5627 comm="layman" name="edb" dev="dm-0" ino=6553661 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_cache_t tclass=dir
Jan 28 11:41:30 lain kernel: [ 3853.833688] type=1400 audit(1359369690.639:29): avc: denied { search } for pid=5627 comm="layman" name="edb" dev="dm-0" ino=6553661 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_cache_t tclass=dir
Jan 28 11:41:30 lain kernel: [ 3853.845984] type=1400 audit(1359369690.651:30): avc: denied { write } for pid=5627 comm="layman" name="news" dev="dm-0" ino=6553614 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:var_lib_t tclass=dir
Jan 28 11:41:30 lain kernel: [ 3853.846726] type=1400 audit(1359369690.652:31): avc: denied { write } for pid=5627 comm="layman" name="news" dev="dm-0" ino=6553614 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:var_lib_t tclass=dir
Jan 28 11:41:30 lain kernel: [ 3853.847807] type=1400 audit(1359369690.653:32): avc: denied { write } for pid=5627 comm="layman" name="news" dev="dm-0" ino=6553614 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:var_lib_t tclass=dir
Jan 28 11:41:30 lain kernel: [ 3853.848359] type=1400 audit(1359369690.654:33): avc: denied { write } for pid=5627 comm="layman" name="news" dev="dm-0" ino=6553614 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:var_lib_t tclass=dir
```

In repo and will be in rev12

r12 in main tree, ~arch'ed.

stabilized
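The workflow in this bug is iterative: add one policy interface, re-run `layman -S` in enforcing mode, and compare the new set of AVC denials against the previous one. The following Python script is an added example, not part of the bug report or of the Gentoo policy tooling; it parses `avc: denied` kernel lines, collapses them to (source type, target type, object class, permission) tuples, and reports which denials an interface resolved, which remain, and which are new. The two embedded excerpts are copied from the first two enforcing runs above (before and after `xdg_read_config_home_files(portage_fetch_t)` was added); the function and variable names are the example's own.

```python
import re
from collections import defaultdict

# AVC excerpts copied from the report above: first enforcing run (before
# xdg_read_config_home_files was added) and second enforcing run (after).
BEFORE = """\
Jan 27 14:42:54 lain kernel: [ 2769.217533] type=1400 audit(1359294174.135:166): avc: denied { search } for pid=21230 comm="python" name="env.d" dev="dm-0" ino=20972123 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:etc_runtime_t tclass=dir
Jan 27 14:42:56 lain kernel: [ 2771.568740] type=1400 audit(1359294176.491:169): avc: denied { search } for pid=21245 comm="git" name=".config" dev="dm-0" ino=6160740 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=root:object_r:xdg_config_home_t tclass=dir
Jan 27 14:42:56 lain kernel: [ 2771.753135] type=1400 audit(1359294176.676:172): avc: denied { read } for pid=21230 comm="layman" name="make.profile" dev="dm-0" ino=20971603 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_conf_t tclass=lnk_file
"""
AFTER = """\
Jan 27 15:01:41 lain kernel: [ 3894.259090] type=1400 audit(1359295301.410:1415): avc: denied { search } for pid=7257 comm="python" name="env.d" dev="dm-0" ino=20972123 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:etc_runtime_t tclass=dir
Jan 27 15:01:42 lain kernel: [ 3895.528238] type=1400 audit(1359295302.681:1419): avc: denied { read } for pid=7257 comm="layman" name="make.profile" dev="dm-0" ino=20971603 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_conf_t tclass=lnk_file
"""

# "avc: denied { perm1 perm2 } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec = {
        'perms': frozenset(m.group('perms').split()),
        'comm': fields.get('comm'),
        # the kernel logs either a full path= or a bare name= for the target
        'target': fields.get('path') or fields.get('name'),
        'scontext': fields.get('scontext'),
        'tcontext': fields.get('tcontext'),
        'tclass': fields.get('tclass'),
    }
    if None in (rec['scontext'], rec['tcontext'], rec['tclass']):
        return None
    return rec


def selinux_type(context):
    """user:role:type[:level] -> type; the type is what policy rules key on."""
    return context.split(':')[2]


def summarize(text):
    """Collapse log text to {(source_type, target_type, tclass): set(perms)}."""
    summary = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (selinux_type(rec['scontext']), selinux_type(rec['tcontext']), rec['tclass'])
        summary[key] |= rec['perms']
    return dict(summary)


def diff_denials(before, after):
    """Return (resolved, remaining, new) as sorted lists of (src, tgt, tclass, perm)."""
    flat = lambda s: {(*k, p) for k, perms in s.items() for p in perms}
    fb, fa = flat(summarize(before)), flat(summarize(after))
    return sorted(fb - fa), sorted(fb & fa), sorted(fa - fb)


if __name__ == '__main__':
    resolved, remaining, new = diff_denials(BEFORE, AFTER)
    for label, rows in (('resolved', resolved), ('remaining', remaining), ('new', new)):
        print(f'{label}:')
        for src, tgt, cls, perm in rows:
            print(f'  {src} -> {tgt}:{cls} {{ {perm} }}')
```

Run against the two excerpts it reports the `xdg_config_home_t:dir search` denial as resolved and the `etc_runtime_t` and `portage_conf_t` ones as remaining, which matches the thread. The output is deliberately a type/class/permission summary rather than a generated `allow` rule: as the bug shows, the right fix in reference-policy style is an interface call such as `portage_read_config(portage_fetch_t)`, chosen by looking at which target type remains, not a raw `allow` pasted from audit2allow.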