Bug 453722

Comment 1 Sven Vermeulen (RETIRED) 2013-01-27 12:03:07 UTC

Does it suffice to add in the following?

userdom_search_user_home_content(portage_fetch_t)

Still there

# cat buglayman.te 
policy_module(buglayman , 1.0.0)

require {
	type portage_fetch_t;
}

userdom_search_user_home_content(portage_fetch_t)
# semodule -l | grep layman
buglayman	1.0.0	
# layman -S

 * Fetching remote list,...
 * Fetching new list... http://www.gentoo.org/proj/en/overlays/repositories.xml
 * Last-modified: Sat, 26 Jan 2013 21:30:02 GMT
 * Fetch Ok

 * Syncing selected overlays,...
 * Running Git... # ( cd /var/lib/layman/hardened-development  && /usr/bin/git pull )
fatal: unable to access '/root/.config/git/config': Permission denied
 * Failure result returned from Git
 * Running Git... # ( cd /var/lib/layman/x11  && /usr/bin/git pull )
fatal: unable to access '/root/.config/git/config': Permission denied
 * Failure result returned from Git
 * 
 * Errors:
 * ------
 * Failed to sync overlay "hardened-development".
 * Error was: Syncing overlay "hardened-development" returned status 128!
 * db.sync()
 * Failed to sync overlay "x11".
 * Error was: Syncing overlay "x11" returned status 128!
 * db.sync()
 * 

 * CLI: Errors occurred processing action sync_all
 * 
 * Errors:
 * ------
 * Failed to sync overlay "hardened-development".
 * Error was: Syncing overlay "hardened-development" returned status 128!
 * db.sync()
 * Failed to sync overlay "x11".
 * Error was: Syncing overlay "x11" returned status 128!
 * db.sync()
 * 
 * update_news() failed running portage news reporter function
 * Error was; stat('/etc/portage/make.profile')

Enforcing:
Jan 27 14:42:54 lain kernel: [ 2769.217533] type=1400 audit(1359294174.135:166): avc:  denied  { search } for  pid=21230 comm="python" name="env.d" dev="dm-0" ino=20972123 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:etc_runtime_t tclass=dir
Jan 27 14:42:54 lain kernel: [ 2769.288373] type=1400 audit(1359294174.206:167): avc:  denied  { search } for  pid=21230 comm="layman" name=".local" dev="dm-0" ino=6160747 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=root:object_r:xdg_data_home_t tclass=dir
Jan 27 14:42:54 lain kernel: [ 2769.374797] type=1400 audit(1359294174.293:168): avc:  denied  { search } for  pid=21230 comm="layman" name=".local" dev="dm-0" ino=6160747 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=root:object_r:xdg_data_home_t tclass=dir
Jan 27 14:42:56 lain kernel: [ 2771.568740] type=1400 audit(1359294176.491:169): avc:  denied  { search } for  pid=21245 comm="git" name=".config" dev="dm-0" ino=6160740 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=root:object_r:xdg_config_home_t tclass=dir
Jan 27 14:42:56 lain kernel: [ 2771.577601] type=1400 audit(1359294176.500:170): avc:  denied  { search } for  pid=21247 comm="git" name=".config" dev="dm-0" ino=6160740 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=root:object_r:xdg_config_home_t tclass=dir
Jan 27 14:42:56 lain kernel: [ 2771.680582] type=1400 audit(1359294176.603:171): avc:  denied  { getattr } for  pid=21230 comm="layman" path="/usr/bin/sandbox" dev="dm-0" ino=7357942 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_exec_t tclass=file
Jan 27 14:42:56 lain kernel: [ 2771.753135] type=1400 audit(1359294176.676:172): avc:  denied  { read } for  pid=21230 comm="layman" name="make.profile" dev="dm-0" ino=20971603 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_conf_t tclass=lnk_file

Comment 3 Sven Vermeulen (RETIRED) 2013-01-27 13:53:29 UTC

And with xdg_read_config_home_files(portage_fetch_t) set?

Yes, looks better

# layman -S

 * Fetching remote list,...
 * Remote list already up to date: http://www.gentoo.org/proj/en/overlays/repositories.xml
 * Last-modified: Sat, 26 Jan 2013 21:30:02 GMT
 * Fetch Ok

 * Syncing selected overlays,...
 * Running Git... # ( cd /var/lib/layman/hardened-development  && /usr/bin/git pull )
Already up-to-date.
 * Running Git... # ( cd /var/lib/layman/x11  && /usr/bin/git pull )
Already up-to-date.
 * 
 * Succeeded:
 * ------
 * Successfully synchronized overlay "hardened-development".
 * Successfully synchronized overlay "x11".
 * 

 * CLI: Errors occurred processing action sync_all
 * update_news() failed running portage news reporter function
 * Error was; stat('/etc/portage/make.profile')

# cat buglayman.te
policy_module(buglayman , 1.0.0)

require {
	type portage_fetch_t;
}

#userdom_search_user_home_content(portage_fetch_t)
xdg_read_config_home_files(portage_fetch_t)


Enforcing:
Jan 27 15:01:41 lain kernel: [ 3894.259090] type=1400 audit(1359295301.410:1415): avc:  denied  { search } for  pid=7257 comm="python" name="env.d" dev="dm-0" ino=20972123 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:etc_runtime_t tclass=dir
Jan 27 15:01:41 lain kernel: [ 3894.328330] type=1400 audit(1359295301.479:1416): avc:  denied  { search } for  pid=7257 comm="layman" name=".local" dev="dm-0" ino=6160747 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=root:object_r:xdg_data_home_t tclass=dir
Jan 27 15:01:41 lain kernel: [ 3894.409290] type=1400 audit(1359295301.560:1417): avc:  denied  { search } for  pid=7257 comm="layman" name=".local" dev="dm-0" ino=6160747 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=root:object_r:xdg_data_home_t tclass=dir
Jan 27 15:01:42 lain kernel: [ 3895.455898] type=1400 audit(1359295302.609:1418): avc:  denied  { getattr } for  pid=7257 comm="layman" path="/usr/bin/sandbox" dev="dm-0" ino=7357942 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_exec_t tclass=file
Jan 27 15:01:42 lain kernel: [ 3895.528238] type=1400 audit(1359295302.681:1419): avc:  denied  { read } for  pid=7257 comm="layman" name="make.profile" dev="dm-0" ino=20971603 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_conf_t tclass=lnk_file

Permissive:
Jan 27 15:02:23 lain kernel: [ 3936.073595] type=1400 audit(1359295343.307:1421): avc:  denied  { getattr } for  pid=7365 comm="layman" path="/usr/bin/sandbox" dev="dm-0" ino=7357942 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_exec_t tclass=file
Jan 27 15:02:23 lain kernel: [ 3936.073663] type=1400 audit(1359295343.307:1422): avc:  denied  { execute } for  pid=7365 comm="layman" name="sandbox" dev="dm-0" ino=7357942 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_exec_t tclass=file
Jan 27 15:02:23 lain kernel: [ 3936.140267] type=1400 audit(1359295343.374:1423): avc:  denied  { read } for  pid=7365 comm="layman" name="make.profile" dev="dm-0" ino=20971603 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_conf_t tclass=lnk_file
Jan 27 15:02:23 lain kernel: [ 3936.140388] type=1400 audit(1359295343.374:1424): avc:  denied  { getattr } for  pid=7365 comm="layman" path="/etc/portage/make.profile" dev="dm-0" ino=20971603 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_conf_t tclass=lnk_file
Jan 27 15:02:23 lain kernel: [ 3936.565012] type=1400 audit(1359295343.800:1425): avc:  denied  { getattr } for  pid=7365 comm="layman" path="/var/cache/edb" dev="dm-0" ino=6553661 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_cache_t tclass=dir
Jan 27 15:02:23 lain kernel: [ 3936.566369] type=1400 audit(1359295343.801:1426): avc:  denied  { write } for  pid=7365 comm="layman" name="dep" dev="dm-0" ino=6553662 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_cache_t tclass=dir
Jan 27 15:02:23 lain kernel: [ 3936.568207] type=1400 audit(1359295343.803:1427): avc:  denied  { write } for  pid=7365 comm="layman" name="news" dev="dm-0" ino=6553614 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:var_lib_t tclass=dir
Jan 27 15:02:23 lain kernel: [ 3936.568544] type=1400 audit(1359295343.803:1428): avc:  denied  { add_name } for  pid=7365 comm="layman" name=".news-hardened-dev.unread.portage_lockfile" scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:var_lib_t tclass=dir
Jan 27 15:02:23 lain kernel: [ 3936.568579] type=1400 audit(1359295343.803:1429): avc:  denied  { create } for  pid=7365 comm="layman" name=".news-hardened-dev.unread.portage_lockfile" scontext=staff_u:sysadm_r:portage_fetch_t tcontext=staff_u:object_r:var_lib_t tclass=file

Comment 5 Sven Vermeulen (RETIRED) 2013-01-27 19:20:23 UTC

Add in a "portage_read_config(portage_fetch_t)" and then the last bit on the news should be resolved as well.

Works now without warnings.

# cat buglayman.te                            
policy_module(buglayman , 1.0.0)

require {
	type portage_fetch_t;
}

xdg_read_config_home_files(portage_fetch_t)
portage_read_config(portage_fetch_t)
# layman -S

 * Fetching remote list,...
 * Remote list already up to date: http://www.gentoo.org/proj/en/overlays/repositories.xml
 * Last-modified: Sat, 26 Jan 2013 21:30:02 GMT
 * Fetch Ok

 * Syncing selected overlays,...
 * Running Git... # ( cd /var/lib/layman/hardened-development  && /usr/bin/git pull )
Already up-to-date.
 * Running Git... # ( cd /var/lib/layman/x11  && /usr/bin/git pull )
Already up-to-date.
 * 
 * Succeeded:
 * ------
 * Successfully synchronized overlay "hardened-development".
 * Successfully synchronized overlay "x11".
 * 

Enforcing:

Jan 28 11:41:24 lain kernel: [ 3847.300701] type=1400 audit(1359369684.093:20): avc:  denied  { search } for  pid=5627 comm="python" name="env.d" dev="dm-0" ino=20972123 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:etc_runtime_t tclass=dir
Jan 28 11:41:24 lain kernel: [ 3847.369515] type=1400 audit(1359369684.162:21): avc:  denied  { search } for  pid=5627 comm="layman" name=".local" dev="dm-0" ino=6160747 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=root:object_r:xdg_data_home_t tclass=dir
Jan 28 11:41:24 lain kernel: [ 3847.443451] type=1400 audit(1359369684.236:22): avc:  denied  { search } for  pid=5627 comm="layman" name=".local" dev="dm-0" ino=6160747 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=root:object_r:xdg_data_home_t tclass=dir
Jan 28 11:41:27 lain kernel: [ 3851.006874] type=1400 audit(1359369687.807:23): avc:  denied  { getattr } for  pid=5627 comm="layman" path="/usr/bin/sandbox" dev="dm-0" ino=7357942 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_exec_t tclass=file
Jan 28 11:41:30 lain kernel: [ 3853.808523] type=1400 audit(1359369690.614:24): avc:  denied  { getattr } for  pid=5627 comm="layman" path="/var/cache/edb" dev="dm-0" ino=6553661 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_cache_t tclass=dir
Jan 28 11:41:30 lain kernel: [ 3853.808567] type=1400 audit(1359369690.614:25): avc:  denied  { search } for  pid=5627 comm="layman" name="edb" dev="dm-0" ino=6553661 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_cache_t tclass=dir
Jan 28 11:41:30 lain kernel: [ 3853.833313] type=1400 audit(1359369690.639:26): avc:  denied  { getattr } for  pid=5627 comm="layman" path="/var/cache/edb" dev="dm-0" ino=6553661 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_cache_t tclass=dir
Jan 28 11:41:30 lain kernel: [ 3853.833450] type=1400 audit(1359369690.639:27): avc:  denied  { search } for  pid=5627 comm="layman" name="edb" dev="dm-0" ino=6553661 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_cache_t tclass=dir
Jan 28 11:41:30 lain kernel: [ 3853.833557] type=1400 audit(1359369690.639:28): avc:  denied  { search } for  pid=5627 comm="layman" name="edb" dev="dm-0" ino=6553661 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_cache_t tclass=dir
Jan 28 11:41:30 lain kernel: [ 3853.833688] type=1400 audit(1359369690.639:29): avc:  denied  { search } for  pid=5627 comm="layman" name="edb" dev="dm-0" ino=6553661 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:portage_cache_t tclass=dir
Jan 28 11:41:30 lain kernel: [ 3853.845984] type=1400 audit(1359369690.651:30): avc:  denied  { write } for  pid=5627 comm="layman" name="news" dev="dm-0" ino=6553614 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:var_lib_t tclass=dir
Jan 28 11:41:30 lain kernel: [ 3853.846726] type=1400 audit(1359369690.652:31): avc:  denied  { write } for  pid=5627 comm="layman" name="news" dev="dm-0" ino=6553614 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:var_lib_t tclass=dir
Jan 28 11:41:30 lain kernel: [ 3853.847807] type=1400 audit(1359369690.653:32): avc:  denied  { write } for  pid=5627 comm="layman" name="news" dev="dm-0" ino=6553614 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:var_lib_t tclass=dir
Jan 28 11:41:30 lain kernel: [ 3853.848359] type=1400 audit(1359369690.654:33): avc:  denied  { write } for  pid=5627 comm="layman" name="news" dev="dm-0" ino=6553614 scontext=staff_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:var_lib_t tclass=dir

Comment 7 Sven Vermeulen (RETIRED) 2013-02-07 19:33:23 UTC

In repo and will be in rev12

Comment 8 Sven Vermeulen (RETIRED) 2013-03-09 12:40:03 UTC

r12 in main tree, ~arch'ed.

Comment 9 Sven Vermeulen (RETIRED) 2013-03-29 10:54:31 UTC

stabilized