
Bug 833369

Summary: sec-policy/selinux-base-policy (patch) tunable allow portage to use cifs filesystems
Product: Gentoo Linux
Reporter: Tully Gray <tully.gray>
Component: SELinux
Assignee: SE Linux Bugs <selinux>
Status: UNCONFIRMED
Severity: normal
CC: tully.gray
Priority: Normal
Keywords: PATCH
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: 0001-tunable-portage-use-cifs

Description Tully Gray 2022-02-15 00:34:59 UTC
This simple patch adds an SELinux policy tunable (boolean) which allows Portage to use and write to a CIFS filesystem, for instance distfiles or binpkgs mounted via a Samba share.

Reproducible: Always

Steps to Reproduce:
1. Mount a distfiles share via Samba on an SELinux-enabled Gentoo guest.
2. Try to download distfiles as the guest.
3. An SELinux AVC denial is generated, thereby preventing the guest from writing to the share.
Actual Results:
SELinux policy prevents writing of file.

Expected Results:  
After enabling the boolean "portage_use_cifs", this action should be allowed.

From 0463b8303d8d5fa9a7770815f582d37538ad00a6 Mon Sep 17 00:00:00 2001
From: Tully Gray <tully.gray@protonmail.com>
Date: Tue, 15 Feb 2022 11:07:15 +1100
Subject: [PATCH 1/1] New policy tunable: Determine whether portage can use
 cifs filesystems.

Signed-off-by: Tully Gray <tully.gray@protonmail.com>
---
 policy/modules/admin/portage.te | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 9abbdc37..db7d2b19 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -13,6 +13,14 @@ policy_module(portage)
 ## </desc>
 gen_tunable(portage_use_nfs, false)
 
+## <desc>
+##	<p>
+##	Determine whether portage can
+##	use cifs filesystems.
+##	</p>
+## </desc>
+gen_tunable(portage_use_cifs, false)
+
 ## <desc>
 ##	<p>
 ##	Determine whether portage domains can read user content.
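Review bot: the description of the new tunable should state which domains it affects, because it is narrower than the bug description suggests. The report names "distfiles or binpkgs", but the patch grants manage rights on cifs_t only to portage_fetch_t (plus read-only access for gcc_config_t); binary packages are written during merge, not by the fetch domain, so that use case is not covered as submitted. Either reword the desc to something like "Determine whether portage fetch domains can manage cifs filesystems", or, if portage.te has further tunable_policy(`portage_use_nfs') blocks for the other portage domains beyond the two touched here, mirror those with cifs counterparts as well.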
@@ -148,6 +156,10 @@ tunable_policy(`portage_use_nfs',`
 	fs_read_nfs_files(gcc_config_t)
 ')
 
+tunable_policy(`portage_use_cifs',`
+	fs_read_cifs_files(gcc_config_t)
+')
+
 optional_policy(`
 	consoletype_exec(gcc_config_t)
 ')
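Review bot: fs_read_cifs_files(gcc_config_t) is consistent with the portage_use_nfs block directly above it, but nothing in the report justifies it: the steps to reproduce exercise only portage_fetch_t fetching distfiles, and no gcc_config_t denial against cifs_t is shown. Either attach an AVC showing gcc-config actually touches the share, or say in the commit message that this line is included for parity with the nfs tunable.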
@@ -340,6 +352,13 @@ tunable_policy(`portage_use_nfs',`
 	fs_manage_nfs_symlinks(portage_fetch_t)
 ')
 
+tunable_policy(`portage_use_cifs',`
+	fs_getattr_cifs(portage_fetch_t)
+	fs_manage_cifs_dirs(portage_fetch_t)
+	fs_manage_cifs_files(portage_fetch_t)
+	fs_manage_cifs_symlinks(portage_fetch_t)
+')
+
 tunable_policy(`portage_read_user_content',`
 	userdom_read_user_home_content_files(portage_fetch_t)
 	userdom_list_user_home_content(portage_fetch_t)
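Review bot: fs_manage_cifs_files(portage_fetch_t) together with the dirs and symlinks calls grants create, write, rename and unlink on everything labelled cifs_t, and since a CIFS mount carries one filesystem-wide label, that is every CIFS share mounted on the host, not just the distfiles share. The nfs block above has the same scope, but the new tunable's <desc> should say so, since an administrator flipping "portage_use_cifs" for one share is also opening any other mounted share to the fetch domain. For a single share, mounting it with a context= option that assigns the type Portage's distfiles directory already carries would avoid the boolean entirely; worth mentioning as the alternative in the commit message.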
-- 
2.34.1
Comment 1 Tully Gray 2022-02-15 00:36:28 UTC
Created attachment 765140: 0001-tunable-portage-use-cifs
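As an added example, not part of the bug report or of the Gentoo policy: a POSIX shell classifier that reads AVC denial lines from audit.log and reports, for each one, whether it is a denial the proposed portage_use_cifs tunable would cover. The audit lines embedded in it are constructed for illustration, not captured from a real system, and the "covered" rules are an approximation of what the interfaces called by the patch grant (manage access on dirs, files and symlinks for portage_fetch_t; read-style access on files for gcc_config_t). It is the kind of triage one runs before and after setsebool to confirm the remaining denials come from a domain the patch does not touch.

```shell
#!/bin/sh
# Added example (not from the bug report or the Gentoo policy): classify AVC
# denial lines to see which ones the proposed portage_use_cifs tunable would
# resolve. The audit lines below are constructed for illustration.
# Coverage rules approximate the interfaces used by the patch:
#   portage_fetch_t -> fs_getattr_cifs + fs_manage_cifs_{dirs,files,symlinks}
#   gcc_config_t    -> fs_read_cifs_files (read-style access to files only)

# Constructed sample audit lines (not real captures).
SAMPLE_AVC='type=AVC msg=audit(1644883200.123:456): avc:  denied  { write } for  pid=1234 comm="wget" name="distfiles" dev="cifs" ino=42 scontext=system_u:system_r:portage_fetch_t:s0 tcontext=system_u:object_r:cifs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1644883201.456:457): avc:  denied  { create } for  pid=1234 comm="wget" name="foo-1.0.tar.xz" scontext=system_u:system_r:portage_fetch_t:s0 tcontext=system_u:object_r:cifs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1644883202.789:458): avc:  denied  { read open } for  pid=2345 comm="gcc-config" name="config" scontext=system_u:system_r:gcc_config_t:s0 tcontext=system_u:object_r:cifs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1644883203.000:459): avc:  denied  { write } for  pid=3456 comm="emerge" name="Packages" scontext=system_u:system_r:portage_t:s0 tcontext=system_u:object_r:cifs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1644883204.000:460): avc:  denied  { write } for  pid=4567 comm="wget" name="bar.tar.gz" scontext=system_u:system_r:portage_fetch_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file permissive=0'

# Third field of an SELinux context (user:role:type:level) is the type.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Pull one key=value field ($1 = key) out of an audit line ($2).
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*$1=\([^ ]*\).*/\1/p"
}

# Verdict for one denial: covered | uncovered | other
# $1 source domain, $2 target type, $3 object class, $4 space-separated perms
verdict_for() {
    [ "$2" = cifs_t ] || { echo other; return; }
    case "$1" in
        portage_fetch_t)
            # manage interfaces cover dirs, files and symlinks; getattr covers the fs
            case "$3" in
                dir|file|lnk_file|filesystem) echo covered ;;
                *) echo uncovered ;;
            esac ;;
        gcc_config_t)
            # fs_read_cifs_files: only read-style permissions on plain files
            [ "$3" = file ] || { echo uncovered; return; }
            for p in $4; do
                case "$p" in
                    read|getattr|open|lock|ioctl) ;;
                    *) echo uncovered; return ;;
                esac
            done
            echo covered ;;
        *) echo uncovered ;;   # patch grants this domain nothing on cifs_t
    esac
}

# Read audit lines on stdin; print "<verdict> <sdom> <ttype> <tclass> {perms}"
# for every AVC denial, skipping non-AVC records.
classify_avc() {
    while IFS= read -r line; do
        case "$line" in *"avc:  denied"*) ;; *) continue ;; esac
        perms=$(printf '%s\n' "$line" | sed -n 's/.*denied  { \([^}]*\) }.*/\1/p')
        sdom=$(ctx_type "$(avc_field scontext "$line")")
        ttype=$(ctx_type "$(avc_field tcontext "$line")")
        tclass=$(avc_field tclass "$line")
        printf '%s %s %s %s {%s}\n' \
            "$(verdict_for "$sdom" "$ttype" "$tclass" "$perms")" \
            "$sdom" "$ttype" "$tclass" "$perms"
    done
}

# Count lines carrying verdict $1 in classify_avc output read from stdin.
count_verdict() {
    grep -c "^$1 " || true
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | classify_avc
```

On a real system the input would be `ausearch -m avc -ts recent` or the raw audit.log piped into classify_avc; any "uncovered" line left after enabling the boolean points at a domain (here portage_t writing binpkgs) that the patch does not grant cifs access to.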