Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 442454 - =sec-policy/selinux-*-9999 blocks emerge_fetch from accessing certs
Summary: =sec-policy/selinux-*-9999 blocks emerge_fetch from accessing certs
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Sven Vermeulen (RETIRED)
Whiteboard: sec-policy r7
Depends on:
Reported: 2012-11-09 15:08 UTC by Alex Brandt (RETIRED)
Modified: 2012-12-13 10:10 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Alex Brandt (RETIRED) gentoo-dev 2012-11-09 15:08:26 UTC
Looks like the changes to the cert security has broken live ebuilds in portage if they go over a secure connection.  The following AVCs were the result of trying to fetch singularity (

type=AVC msg=audit(1352473452.133:3319): avc:  denied  { search } for  pid=4423 comm="wget" name="alunduil" dev="xvda1" ino=163875 ipaddr= scontext=alunduil_u:sysadm_r:portage_fetch_t tcontext=alunduil_u:object_r:user_home_dir_t tclass=dir
type=AVC msg=audit(1352473452.300:3320): avc:  denied  { search } for  pid=4423 comm="wget" name="ca-certificates" dev="xvda1" ino=591862 ipaddr= scontext=alunduil_u:sysadm_r:portage_fetch_t tcontext=system_u:object_r:cert_t tclass=dir

The error message from portage correlates with this:

selinux alunduil # emerge -DuvaN world

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild     U  ] app-emulation/singularity-1.0.2::alunduil-overlay [1.0.1::alunduil-overlay] USE="(selinux) xen" 34 kB

Total: 1 package (1 upgrade), Size of downloads: 34 kB

Would you like to merge these packages? [Yes/No] 

>>> Verifying ebuild manifests

>>> Emerging (1 of 1) app-emulation/singularity-1.0.2 from alunduil-overlay
>>> Downloading ''
--2012-11-09 09:07:21--
Connecting to||:443... connected.
ERROR: cannot verify's certificate, issued by ‘/C=US/O=DigiCert Inc/ High Assurance EV CA-1’:
  Unable to locally verify the issuer's authority.
To connect to insecurely, use `--no-check-certificate'.
!!! Couldn't download 'singularity-1.0.2.tar.gz'. Aborting.
 * Fetch failed for 'app-emulation/singularity-1.0.2', Log file:
 *  '/var/tmp/portage/app-emulation/singularity-1.0.2/temp/build.log'

>>> Failed to emerge app-emulation/singularity-1.0.2, Log file:

>>>  '/var/tmp/portage/app-emulation/singularity-1.0.2/temp/build.log'

Looks like portage_fetch just needs access to cert_t?

Reproducible: Always
Comment 1 Alex Brandt (RETIRED) gentoo-dev 2012-11-09 15:11:31 UTC
Adding the following policy allowed the emerge to complete:

Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-12 21:58:58 UTC
committed to repo (live ebuilds) and will be part of r7
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-14 21:10:49 UTC
r7 is now in hardened-dev
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-18 15:24:08 UTC
In main tree, ~arch'ed
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-13 10:10:45 UTC
r8 is now stable