Bug 529150 - portage domain transition & execution issues
Summary: portage domain transition & execution issues
Status: RESOLVED WORKSFORME
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal (priority) normal (severity)
Assignee: Sven Vermeulen (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on: 529146 529366
Blocks:
Reported: 2014-11-13 13:42 UTC by Eric Gisse
Modified: 2014-11-24 16:33 UTC

See Also:
Package list:
Runtime testing required: ---

Description Eric Gisse 2014-11-13 13:42:28 UTC
Currently my goal is a zero-denial hardened system that I can run in full enforcing mode. This is proving to be a challenge worthy of the effort, emphasis on "challenge".

With a stock base policy (less my own personal touches which don't hit the portage policy until now), there appear to be a few file labeling and domain execution issues. I am not filing separate bugs on this because life is too short.

1) emerge fails to make the domain transition to portage_sandbox_t:

This is due to a label on the emerge script not being applied, giving it a basic usr_t domain which can't transition to portage_t.

It was HARD to track this down.

Bug #529146 is causing this.

2) gcc labeling issues in /usr

Eg:

Nov 13 05:44:00 testbed kernel: [ 9549.512205] audit: type=1400 audit(1415879040.116:681): avc:  denied  { execute } for  pid=3297 comm="x86_64-pc-linux" name="x86_64-pc-linux-gnu-gcc" dev="dm-4" ino=301834 ipaddr=REDACTED scontext=root:sysadm_r:portage_sandbox_t tcontext=root:object_r:usr_t tclass=file permissive=1
Nov 13 05:44:00 testbed kernel: [ 9549.512307] audit: type=1400 audit(1415879040.116:682): avc:  denied  { execute_no_trans } for  pid=3297 comm="x86_64-pc-linux" path="/usr/x86_64-pc-linux-gnu/gcc-bin/4.8.3/x86_64-pc-linux-gnu-gcc" dev="dm-4" ino=301834 ipaddr=REDACTED scontext=root:sysadm_r:portage_sandbox_t tcontext=root:object_r:usr_t tclass=file permissive=1

This is also related to bug #529146.

...plus some other nuisance issues that went away once #529146 was noticed.

Reproducible: Always
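The denials quoted in the report are the signature of a labeling problem rather than a policy gap: the gcc binary under /usr/x86_64-pc-linux-gnu/gcc-bin/ carries the generic usr_t type, so portage_sandbox_t cannot execute it. The useful triage step is to reduce the AVC records to (source type, target type, class, permissions) tuples, see what a blanket allow rule would grant, and list the paths whose on-disk label should be checked first. The POSIX shell script below is an added example written for this page; it is not part of the bug report, of Portage, or of the Gentoo SELinux policy. It embeds the two denials from the report plus one constructed record, and the function names avc_normalize, avc_summary and avc_relabel_cmds are illustrative.

```shell
#!/bin/sh
# Added example (not from the bug report or the Gentoo policy): reduce AVC
# denials to triage tuples before anyone reaches for audit2allow.
# Needs only POSIX sh, awk and sort; runs offline on the embedded sample.

# Sample input: the two denials quoted in the report, plus a third record
# CONSTRUCTED for this example (read/open on the same inode) to show how
# multi-permission sets are merged.
AVC_SAMPLE='Nov 13 05:44:00 testbed kernel: [ 9549.512205] audit: type=1400 audit(1415879040.116:681): avc:  denied  { execute } for  pid=3297 comm="x86_64-pc-linux" name="x86_64-pc-linux-gnu-gcc" dev="dm-4" ino=301834 ipaddr=REDACTED scontext=root:sysadm_r:portage_sandbox_t tcontext=root:object_r:usr_t tclass=file permissive=1
Nov 13 05:44:00 testbed kernel: [ 9549.512307] audit: type=1400 audit(1415879040.116:682): avc:  denied  { execute_no_trans } for  pid=3297 comm="x86_64-pc-linux" path="/usr/x86_64-pc-linux-gnu/gcc-bin/4.8.3/x86_64-pc-linux-gnu-gcc" dev="dm-4" ino=301834 ipaddr=REDACTED scontext=root:sysadm_r:portage_sandbox_t tcontext=root:object_r:usr_t tclass=file permissive=1
Nov 13 05:44:01 testbed kernel: [ 9549.600000] audit: type=1400 audit(1415879041.000:683): avc:  denied  { read open } for  pid=3297 comm="x86_64-pc-linux" path="/usr/x86_64-pc-linux-gnu/gcc-bin/4.8.3/x86_64-pc-linux-gnu-gcc" dev="dm-4" ino=301834 scontext=root:sysadm_r:portage_sandbox_t tcontext=root:object_r:usr_t tclass=file permissive=1'

# avc_normalize: stdin = raw dmesg/audit lines; stdout = one line per denial:
#   <source type> <target type> <class> <perm[,perm...]> <path or name>
# The type is the third colon-separated element of a context
# (user:role:type[:level]); path= is preferred over name= when both appear.
avc_normalize() {
    awk '
    /avc:  *denied/ {
        p = index($0, "{"); q = index($0, "}")   # permission set is "{ a b }"
        perm = substr($0, p + 2, q - p - 3)
        gsub(/ /, ",", perm)
        scon = ""; tcon = ""; cls = ""; target = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") scon = kv[2]
            else if (kv[1] == "tcontext") tcon = kv[2]
            else if (kv[1] == "tclass") cls = kv[2]
            else if (kv[1] == "path") target = kv[2]
            else if (kv[1] == "name" && target == "") target = kv[2]
        }
        gsub(/"/, "", target)
        split(scon, s, ":"); split(tcon, t, ":")
        print s[3], t[3], cls, perm, target
    }'
}

# avc_summary: merge every denial into one allow-style rule per
# (source type, target type, class), the way audit2allow would, so the
# reader sees at a glance what a blanket allow would grant.
avc_summary() {
    avc_normalize |
    awk '{ n = split($4, p, ","); for (i = 1; i <= n; i++) print $1, $2, $3, p[i] }' |
    sort -u |
    awk '
    {
        k = $1 " " $2 ":" $3
        if (k != prev) {
            if (prev != "") print "allow " prev " { " perms " };"
            prev = k; perms = $4
        } else perms = perms " " $4
    }
    END { if (prev != "") print "allow " prev " { " perms " };" }'
}

# avc_relabel_cmds: for every denial that carries an absolute path, print a
# dry-run restorecon (-n: do not change, -v: report) so the on-disk label can
# be compared with the file contexts before concluding the policy is wrong.
# name=-only records cannot be mapped to a path and are skipped.
avc_relabel_cmds() {
    avc_normalize | awk '$5 ~ /^\// { print "restorecon -nv " $5 }' | sort -u
}

# Stand-alone run over the embedded sample.
printf '%s\n' "$AVC_SAMPLE" | avc_normalize
printf '%s\n' "$AVC_SAMPLE" | avc_summary
printf '%s\n' "$AVC_SAMPLE" | avc_relabel_cmds
```

The allow rule the summary prints is what audit2allow would derive, and it is exactly what not to add here: an executable under gcc-bin showing up as usr_t means the file context was never applied, so run the dry-run restorecon it suggests (or matchpathcon on the path) on the live system and relabel if the expected context differs. The same check applies to the emerge script itself; only once the labels match is a real policy or role problem left, and for that the comment below about roletype assignments is the lead to follow, e.g. with seinfo -rsysadm_r -x (setools) to list the types the role may run as.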
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2014-11-14 21:23:04 UTC
Yes, with the 2.4 release candidate userspace we too are seeing that domains are not being assigned to the right role (which makes transitions forbidden). The file context mismatches are also in our sights but we don't know if they are related or not (the distro_gentoo mismatches we have not been able to reproduce yet, whereas the missing roletype assignments are).
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2014-11-22 16:56:10 UTC
If you've installed 2.4_rc6-r1 or higher and rebuilt the policies, can you check if this issue still exists or not?
Comment 3 Eric Gisse 2014-11-24 11:48:00 UTC
I'm on the 2.3 userspace at the moment.
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2014-11-24 16:33:08 UTC
No worries; I'll mark it as WORKSFORME for now and we'll see once you go to 2.4 again if this is still an issue or not.