| Summary: | dev-vcs/git: Receives SELinux permission denied under default policy when used by portage | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Andrew Athalye <andrewathalye> |
| Component: | SELinux | Assignee: | SE Linux Bugs <selinux> |
| Status: | IN_PROGRESS --- | | |
| Severity: | major | CC: | gentoo |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | AMD64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
Description
Andrew Athalye
2022-02-10 03:08:19 UTC
(In reply to Andrew Athalye from comment #0)
> (x86_64-musl-hardened-gcc)
> Git is unable to be used to sync portage repositories unless the following
> policy rules are added:
> allow portage_t portage_ebuild_t:file { map };
> allow portage_t node_t:udp_socket { node_bind };
> allow portage_t node_t:tcp_socket { node_bind };
>
> These could certainly be restricted further, however I am rather
> inexperienced with SELinux and wanted to create rules which work and are not
> overly broad.

It may be useful to share the full AVC denials too.

> I am currently running the system in QEMU, so I cannot easily attach the
> info, however here are the essential versions:

Can't SSH in / use wgetpaste? :(

> setenforce 1 / permissive=0

```
Portage 3.0.30 (python 3.9.9-final-0, default/linux/amd64/17.0/musl/hardened/selinux, gcc-11.2.0, musl-1.2.2-r7, 5.15.19-gentoo-dist-hardened x86_64)
=================================================================
System uname: Linux-5.15.19-gentoo-dist-hardened-x86_64-Intel-R-_Xeon-R-_E-2176G_CPU_@_3.70GHz-with-libc
KiB Mem:    32873640 total,  20932140 free
KiB Swap:          0 total,         0 free
Timestamp of repository gentoo: Thu, 10 Feb 2022 22:00:01 +0000
Head commit of repository gentoo: a1de25aab10586750a82309884a48725f2560132
Timestamp of repository musl: Wed, 09 Feb 2022 09:54:11 +0000
Head commit of repository musl: ce598c92e60a5891a32cf7fd93507df1595bfe44
sh bash 5.1_p16
ld GNU ld (Gentoo 2.37_p1 p0) 2.37
app-misc/pax-utils:        1.3.3::gentoo
app-shells/bash:           5.1_p16::gentoo
dev-lang/perl:             5.34.0-r6::gentoo
dev-lang/python:           3.9.9-r1::gentoo, 3.10.0_p1-r1::gentoo
dev-lang/rust:             1.58.1::musl
dev-util/cmake:            3.22.2::gentoo
dev-util/meson:            0.60.3::gentoo
sec-policy/selinux-base:   2.20220106-r1::gentoo
sys-apps/baselayout:       2.7-r3::gentoo
sys-apps/openrc:           0.44.10::gentoo
sys-apps/sandbox:          2.25::gentoo
sys-devel/autoconf:        2.13-r1::gentoo, 2.71-r1::gentoo
sys-devel/automake:        1.16.4::gentoo
sys-devel/binutils:        2.37_p1::gentoo
sys-devel/binutils-config: 5.4::gentoo
sys-devel/clang:           13.0.0::gentoo
sys-devel/gcc:             11.2.0::gentoo
sys-devel/gcc-config:      2.5-r1::gentoo
sys-devel/libtool:         2.4.6-r6::gentoo
sys-devel/lld:             13.0.0::gentoo
sys-devel/llvm:            13.0.0::gentoo
sys-devel/make:            4.3::gentoo
sys-kernel/linux-headers:  5.15-r3::gentoo (virtual/os-headers)
sys-libs/libselinux:       3.3::gentoo
sys-libs/musl:             1.2.2-r7::gentoo
Repositories:

gentoo
    location: /var/db/repos/gentoo
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000
    sync-rsync-extra-opts:
    sync-rsync-verify-max-age: 24
    sync-rsync-verify-jobs: 1
    sync-rsync-verify-metamanifest: yes

musl
    location: /var/db/repos/musl
    sync-type: git
    sync-uri: https://github.com/gentoo-mirror/musl.git
    masters: gentoo

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="@FREE"
CBUILD="x86_64-gentoo-linux-musl"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-gentoo-linux-musl"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/var/cache/distfiles"
ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-march=native -O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs buildpkg-live config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync network-sandbox news parallel-fetch preserve-libs protect-owned qa-unresolved-soname-deps sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-march=native -O2 -pipe"
GENTOO_MIRRORS=" rsync://rsync.mirrorservice.org/distfiles.gentoo.org/ rsync://rsync.gtlib.gatech.edu/gentoo rsync://mirrors.rit.edu/gentoo/"
INSTALL_MASK="charset.alias /usr/share/locale/locale.alias"
LANG="ru_RU.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j12"
PKGDIR="/var/cache/binpkgs"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
SHELL="/bin/fish"
USE="X acl amd64 audit bzip2 caps crypt dbus egl hardened hwaccel iconv ipv6 libglvnd libtirpc ncurses nls nptl openmp pam pcre pie pipewire pulseaudio readline screencast seccomp selinux split-usr ssl ssp unicode wayland xattr xtpax zlib" ABI_X86="64" ADA_TARGET="gnat_2020" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx mmxext sse sse2" ELIBC="musl" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="efi-64" INPUT_DEVICES="libinput" KERNEL="linux" L10N="ru fr en" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LUA_SINGLE_TARGET="lua5-1" LUA_TARGETS="lua5-1" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-4 php8-0" POSTGRES_TARGETS="postgres12 postgres13" PYTHON_SINGLE_TARGET="python3_9" PYTHON_TARGETS="python3_9" RUBY_TARGETS="ruby26 ruby27" USERLAND="GNU" VIDEO_CARDS="virgl" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq proto steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  ADDR2LINE, AR, ARFLAGS, AS, ASFLAGS, CC, CCLD, CONFIG_SHELL, CPP, CPPFLAGS, CTARGET, CXX, CXXFILT, ELFEDIT, EMERGE_DEFAULT_OPTS, EXTRA_ECONF, F77FLAGS, FC, GCOV, GPROF, LC_ALL, LD, LEX, LFLAGS, LIBTOOL, LINGUAS, MAKE, MAKEFLAGS, NM, OBJCOPY, OBJDUMP, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, RANLIB, READELF, RUSTFLAGS, SIZE, STRINGS, STRIP, YACC, YFLAGS
```

Relevant AVC messages:

```
type=AVC msg=audit(1644533322.753:946): avc:  denied  { node_bind } for  pid=22065 comm="emerge" saddr=::1 scontext=root:sysadm_r:portage_t tcontext=system_u:object_r:node_t tclass=udp_socket permissive=0
type=AVC msg=audit(1644533322.926:947): avc:  denied  { node_bind } for  pid=22070 comm="emerge" saddr=::1 scontext=root:sysadm_r:portage_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=0
type=AVC msg=audit(1644533323.029:948): avc:  denied  { map } for  pid=22072 comm="git" path="/var/db/repos/musl/.git/objects/pack/pack-8a8776a1a7e280ffbbd46f77f8a00e9ac5f26cf6.idx" dev="sda2" ino=10541190 scontext=root:sysadm_r:portage_t tcontext=system_u:object_r:portage_ebuild_t tclass=file permissive=0
type=AVC msg=audit(1644533343.596:952): avc:  denied  { node_bind } for  pid=22149 comm="emerge" saddr=::1 scontext=root:sysadm_r:portage_t tcontext=system_u:object_r:node_t tclass=udp_socket permissive=0
type=AVC msg=audit(1644533343.769:953): avc:  denied  { node_bind } for  pid=22154 comm="emerge" saddr=::1 scontext=root:sysadm_r:portage_t tcontext=system_u:object_r:node_t tclass=tcp_socket permissive=0
type=AVC msg=audit(1644533343.879:954): avc:  denied  { node_bind } for  pid=22159 comm="git-remote-http" scontext=root:sysadm_r:portage_t tcontext=system_u:object_r:node_t tclass=udp_socket permissive=0
```

This is caused by portage executing git which mmap()s ebuild files in the repository.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=7d41f1b7b4f4d675b62835be6d2416eb2368a1a1

```
commit 7d41f1b7b4f4d675b62835be6d2416eb2368a1a1
Author:     Kenton Groombridge <concord@gentoo.org>
AuthorDate: 2022-04-19 22:53:44 +0000
Commit:     Kenton Groombridge <concord@gentoo.org>
CommitDate: 2022-09-03 20:04:23 +0000

    portage: allow portage to map ebuild files

    When portage syncs a repo with git, git will mmap() ebuild files. Allow
    portage to map ebuild files to fix permission denied errors on syncing.

    Bug: https://bugs.gentoo.org/833017
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>

 policy/modules/admin/portage.te | 2 ++
 1 file changed, 2 insertions(+)
```