Bug 442454 - =sec-policy/selinux-*-9999 blocks emerge_fetch from accessing certs
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
Whiteboard: sec-policy r7
Reported: 2012-11-09 15:08 UTC by Alex Brandt (RETIRED)
Modified: 2012-12-13 10:10 UTC

Description Alex Brandt (RETIRED) gentoo-dev 2012-11-09 15:08:26 UTC
Looks like the changes to the cert security have broken live ebuilds in portage if they go over a secure connection. The following AVCs were the result of trying to fetch singularity (https://github.com/alunduil/singularity/tarball/1.0.2):

type=AVC msg=audit(1352473452.133:3319): avc:  denied  { search } for  pid=4423 comm="wget" name="alunduil" dev="xvda1" ino=163875 ipaddr=50.56.228.64 scontext=alunduil_u:sysadm_r:portage_fetch_t tcontext=alunduil_u:object_r:user_home_dir_t tclass=dir
type=AVC msg=audit(1352473452.300:3320): avc:  denied  { search } for  pid=4423 comm="wget" name="ca-certificates" dev="xvda1" ino=591862 ipaddr=50.56.228.64 scontext=alunduil_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:cert_t tclass=dir

The error message from portage correlates with this:

selinux alunduil # emerge -DuvaN world

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild     U  ] app-emulation/singularity-1.0.2::alunduil-overlay [1.0.1::alunduil-overlay] USE="(selinux) xen" 34 kB

Total: 1 package (1 upgrade), Size of downloads: 34 kB

Would you like to merge these packages? [Yes/No] 

>>> Verifying ebuild manifests

>>> Emerging (1 of 1) app-emulation/singularity-1.0.2 from alunduil-overlay
>>> Downloading 'https://github.com/alunduil/singularity/tarball/1.0.2'
--2012-11-09 09:07:21--  https://github.com/alunduil/singularity/tarball/1.0.2
Resolving github.com... 207.97.227.239
Connecting to github.com|207.97.227.239|:443... connected.
ERROR: cannot verify github.com's certificate, issued by ‘/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV CA-1’:
  Unable to locally verify the issuer's authority.
To connect to github.com insecurely, use `--no-check-certificate'.
!!! Couldn't download 'singularity-1.0.2.tar.gz'. Aborting.
 * Fetch failed for 'app-emulation/singularity-1.0.2', Log file:
 *  '/var/tmp/portage/app-emulation/singularity-1.0.2/temp/build.log'

>>> Failed to emerge app-emulation/singularity-1.0.2, Log file:

>>>  '/var/tmp/portage/app-emulation/singularity-1.0.2/temp/build.log'

Looks like portage_fetch just needs access to cert_t?

Reproducible: Always
Comment 1 Alex Brandt (RETIRED) gentoo-dev 2012-11-09 15:11:31 UTC
Adding the following policy allowed the emerge to complete:

miscfiles_read_generic_certs(portage_fetch_t)
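
An added example, not part of the original bug report or of the Gentoo policy: a small Python parser that reduces the two AVC records quoted in the description to the raw allow rules they imply, one per source type, target type and object class. The function names are hypothetical; the sample input is the pair of audit lines from the description.

```python
import re
from collections import defaultdict

# The two AVC records quoted in the bug description above.
AUDIT_LOG = """\
type=AVC msg=audit(1352473452.133:3319): avc:  denied  { search } for  pid=4423 comm="wget" name="alunduil" dev="xvda1" ino=163875 ipaddr=50.56.228.64 scontext=alunduil_u:sysadm_r:portage_fetch_t tcontext=alunduil_u:object_r:user_home_dir_t tclass=dir
type=AVC msg=audit(1352473452.300:3320): avc:  denied  { search } for  pid=4423 comm="wget" name="ca-certificates" dev="xvda1" ino=591862 ipaddr=50.56.228.64 scontext=alunduil_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:cert_t tclass=dir
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def parse_denials(text):
    """Yield one dict per 'avc: denied' record in the audit text."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        yield {
            "perms": m.group("perms").split(),
            "comm": fields.get("comm"),
            "name": fields.get("name"),
            "source": context_type(fields["scontext"]),
            "target": context_type(fields["tcontext"]),
            "tclass": fields["tclass"],
        }

def summarize(text):
    """Merge denials per (source, target, class) into raw allow rules."""
    merged = defaultdict(set)
    for d in parse_denials(text):
        merged[(d["source"], d["target"], d["tclass"])].update(d["perms"])
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(merged.items())
    ]

if __name__ == "__main__":
    for rule in summarize(AUDIT_LOG):
        print(rule)
```

The cert_t rule is the denial that the miscfiles_read_generic_certs(portage_fetch_t) line above addresses; the user_home_dir_t search shows up as a separate rule and is worth reviewing on its own before anything is allowed.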
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-12 21:58:58 UTC
committed to repo (live ebuilds) and will be part of r7
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-14 21:10:49 UTC
r7 is now in hardened-dev
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-18 15:24:08 UTC
In main tree, ~arch'ed
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-13 10:10:45 UTC
r8 is now stable