gonna attach the auditd logs and the cron script that it spawned.
drwxr-xr-x. 2 root root system_u:object_r:file_t 4096 Jul 22 09:34 /var/tmp/emerge-webrsync
Steps to Reproduce:
1. Set up gpg and add webrsync-gpg to FEATURES in make.conf
2. Run emerge-webrsync
3. If you are set to enforcing, it will fail
Created attachment 280617
Created attachment 280619
Thanks; this will be covered in r21. Are those the logs when you run the command from cron?
Logs are from a manual run while I am in the sysadm_r role.
Okay; apparently layman runs within the sysadm domain. When dealing with system administration from within, say, system_cronjob_t, this isn't what we want, because that would mean we need to give system_cronjob_t "too generic" administrative rights.
I'm going to put layman in its own domain, as part of the portage module, and make sure that whoever gets assigned portage_run() also has the rights to work with layman. After all, they're both pretty interconnected.
The layman files will then be marked as layman_var_lib_t. The portage_* domains will get read rights on this label.