Gonna attach the auditd logs and the cron script that it spawned. Also,

drwxr-xr-x. 2 root root system_u:object_r:file_t 4096 Jul 22 09:34 /var/tmp/emerge-webrsync

Reproducible: Always

Steps to Reproduce:
1. set up gpg and add webrsync-gpg to FEATURES in make.conf
2. run emerge-webrsync
3. if you are set to enforcing it will fail
Created attachment 280617: daily cron
Created attachment 280619: auditd log
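The listing in the report shows /var/tmp/emerge-webrsync carrying the generic file_t type, which is what a directory gets when no file context in the policy matches it and why a confined domain is denied access once the system is enforcing. The script below is an added example, not something from the bug report or the SELinux policy project: it scans `ls -lZ`-style output and prints every path whose type is file_t or unlabeled_t, so an administrator can spot such directories before switching to enforcing. The listing embedded in it is constructed for the example; only the /var/tmp/emerge-webrsync line mirrors the one in the report.

```shell
#!/bin/sh
# Added example (not from the bug report): flag entries in an `ls -lZ`-style
# listing whose SELinux type is file_t or unlabeled_t, i.e. objects the policy
# has no file context for. SAMPLE_LISTING is CONSTRUCTED for this example; the
# tmp_t and portage_tmp_t lines are illustrative, only the first line matches
# the report.

SAMPLE_LISTING='drwxr-xr-x. 2 root root system_u:object_r:file_t 4096 Jul 22 09:34 /var/tmp/emerge-webrsync
drwxrwxrwt. 12 root root system_u:object_r:tmp_t 4096 Jul 22 09:30 /var/tmp
drwxr-xr-x. 2 root root system_u:object_r:portage_tmp_t 4096 Jul 22 09:31 /var/tmp/portage'

# find_unlabeled: read listing lines on stdin and print the path of each entry
# whose context type (third colon-separated component of field 5) is one of the
# generic "no label" types. In `ls -lZ` output field 5 is the context and the
# last field is the path.
find_unlabeled() {
    awk '{
        split($5, ctx, ":")
        if (ctx[3] == "file_t" || ctx[3] == "unlabeled_t") print $NF
    }'
}

# count_unlabeled: number of flagged entries, handy as a pre-enforcing check.
count_unlabeled() {
    find_unlabeled | wc -l | tr -d ' '
}

# Usage with the constructed sample:
#   printf '%s\n' "$SAMPLE_LISTING" | find_unlabeled
# On a live system, for the directories under /var/tmp:
#   ls -lZd /var/tmp/* | find_unlabeled
# Each flagged path is a candidate for `restorecon -Rv <path>` once the policy
# ships a file context for it (for this directory, the r21 release mentioned
# in the thread).
```

The check reads only the type component of the context, so it works regardless of the user and role components and does not depend on the ordering of fields after the context. It reports nothing for correctly labeled paths such as the constructed /var/tmp and /var/tmp/portage lines.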
Thanks; this will be covered in r21. Are those the logs when you run the command from cron?
Logs are from a manual run while I am in the sysadm_r role.
Okay; apparently layman runs within the sysadm domain. When dealing with system administration from within, say, system_cronjob_t this isn't what we want, because that would mean we need to give system_cronjob_t "too generic" administrative rights. I'm going to put layman in its own domain, as part of the portage module, and make sure that whoever gets assigned portage_run() also has the rights to work with layman. After all, they're both pretty interconnected. The layman files will then be marked as layman_var_lib_t. The portage_* domains will get read rights on this label.