Currently my goal is a zero-denial hardened system that I can run in full enforcing mode. This is proving to be a challenge worthy of the effort, emphasis on "challenge". With a stock base policy (less my own personal touches which don't hit the portage policy until now), there appear to be a few file labeling and domain execution issues. I am not filing separate bugs on this because life is too short.

1) emerge fails to make the domain transition to portage_sandbox_t: This is due to a label on the emerge script not being applied, giving it a basic usr_t domain which can't transition to portage_t. It was HARD to track this down. Bug #529146 is causing this.

2) gcc labeling issues in /usr

Eg:

Nov 13 05:44:00 testbed kernel: [ 9549.512205] audit: type=1400 audit(1415879040.116:681): avc: denied { execute } for pid=3297 comm="x86_64-pc-linux" name="x86_64-pc-linux-gnu-gcc" dev="dm-4" ino=301834 ipaddr=REDACTED scontext=root:sysadm_r:portage_sandbox_t tcontext=root:object_r:usr_t tclass=file permissive=1
Nov 13 05:44:00 testbed kernel: [ 9549.512307] audit: type=1400 audit(1415879040.116:682): avc: denied { execute_no_trans } for pid=3297 comm="x86_64-pc-linux" path="/usr/x86_64-pc-linux-gnu/gcc-bin/4.8.3/x86_64-pc-linux-gnu-gcc" dev="dm-4" ino=301834 ipaddr=REDACTED scontext=root:sysadm_r:portage_sandbox_t tcontext=root:object_r:usr_t tclass=file permissive=1

This is also related to bug #529146 ...plus some other nuisance issues that went away once #529146 was noticed.

Reproducible: Always
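As an added triage example (not code from the bug report or from the Gentoo SELinux policy), the script below parses kernel AVC records like the two quoted in 2), groups denials by source type, target type and object class, and flags executions of files that still carry a catch-all label such as usr_t, which is the labeling symptom the report describes. The sample records are constructed from the report; the set of catch-all types and the helper names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records, modelled on the two denials quoted in the report.
SAMPLE_AUDIT = """\
Nov 13 05:44:00 testbed kernel: [ 9549.512205] audit: type=1400 audit(1415879040.116:681): avc: denied { execute } for pid=3297 comm="x86_64-pc-linux" name="x86_64-pc-linux-gnu-gcc" dev="dm-4" ino=301834 ipaddr=REDACTED scontext=root:sysadm_r:portage_sandbox_t tcontext=root:object_r:usr_t tclass=file permissive=1
Nov 13 05:44:00 testbed kernel: [ 9549.512307] audit: type=1400 audit(1415879040.116:682): avc: denied { execute_no_trans } for pid=3297 comm="x86_64-pc-linux" path="/usr/x86_64-pc-linux-gnu/gcc-bin/4.8.3/x86_64-pc-linux-gnu-gcc" dev="dm-4" ino=301834 ipaddr=REDACTED scontext=root:sysadm_r:portage_sandbox_t tcontext=root:object_r:usr_t tclass=file permissive=1
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed set of generic labels: a binary carrying one of these instead of its own
# type usually means file contexts were never applied (the report's gcc case).
CATCH_ALL_TYPES = {'usr_t', 'bin_t', 'lib_t', 'etc_t', 'default_t', 'unlabeled_t'}
EXEC_PERMS = {'execute', 'execute_no_trans', 'entrypoint'}

def parse_avc(line):
    """Return the key=value fields of one AVC record plus its permission list, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    return fields

def summarize(text):
    """Group denials by (source type, target type, class), collecting perms and paths."""
    groups = defaultdict(lambda: {'perms': set(), 'paths': set(), 'permissive': False})
    for line in text.splitlines():
        f = parse_avc(line)
        if not f or 'scontext' not in f or 'tcontext' not in f:
            continue
        stype = f['scontext'].split(':')[2]   # context is user:role:type[:mls]
        ttype = f['tcontext'].split(':')[2]
        g = groups[(stype, ttype, f.get('tclass', '?'))]
        g['perms'].update(f['perms'])
        g['paths'].add(f.get('path') or f.get('name', '?'))
        g['permissive'] |= f.get('permissive') == '1'
    return dict(groups)

def mislabeled_execs(groups):
    """Keys where a catch-all file type is being executed: candidates for relabeling."""
    return sorted(k for k, g in groups.items()
                  if k[2] == 'file' and k[1] in CATCH_ALL_TYPES and g['perms'] & EXEC_PERMS)

if __name__ == '__main__':
    for key in mislabeled_execs(summarize(SAMPLE_AUDIT)):
        print('relabel candidate (source type, target type, class):', key)
```

On a live system the flagged paths can then be compared against the policy's file contexts before deciding whether the binary or the policy is at fault.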
Yes, with the 2.4 release candidate userspace we too are seeing that domains are not being assigned to the right role (which makes transitions forbidden). The file context mismatches are also in our visor but we don't know if they are related or not (the distro_gentoo mismatches we have not been able to reproduce yet, whereas the missing roletype assignments are).
If you've installed 2.4_rc6-r1 or higher and rebuilt the policies, can you check if this issue still exists or not?
I'm on the 2.3 userspace at the moment.
No worries; I'll mark it as WORKSFORME for now and we'll see once you go to 2.4 again if this is still an issue or not.