Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 704188 - SELinux policy prohibits emerge from using sockets
Summary: SELinux policy prohibits emerge from using sockets
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: SE Linux Bugs
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-12-29 16:29 UTC by thomasb
Modified: 2020-12-12 02:35 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description thomasb 2019-12-29 16:29:46 UTC 
When emerging packages, the various emerge processes try to open sockets and fail.

The parent emerge process started cannot bind to sockets when running in portage_t domain:

type=AVC msg=audit(1577610998.054:41): avc:  denied  { node_bind } for  pid=6445 comm="emerge" saddr=::1 scontext=unconfined_u:unconfined_r:portage_t tcontext=system_u:object_r:node_t tclass=udp_socket permissive=1
type=SYSCALL msg=audit(1577610998.054:41): arch=c000003e syscall=49 success=yes exit=0 a0=5 a1=7ffccc49d100 a2=1c a3=7f17a9d1256a items=0 ppid=6407 pid=6445 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="emerge" exe="/usr/bin/python3.6m" subj=unconfined_u:unconfined_r:portage_t key=(null)

When in enforcing mode, emerge also also complains about it:

  >>> Emerging (1 of 1) app-editors/vim-8.1.1486::gentoo
  Unable to configure loopback interface: Permission denied

The later on started emerge child process runs in portage_sandbox_t domain and cannot connect to a socket file:

type=AVC msg=audit(1577611036.546:42): avc:  denied  { connectto } for  pid=18433 comm="x86_64-pc-linux" path="/var/tmp/portage/.portage.6454.net.sock" scontext=unconfined_u:unconfined_r:portage_sandbox_t tcontext=unconfined_u:unconfined_r:portage_t tclass=unix_stream_socket permissive=1
type=PATH msg=audit(1577611036.546:42): item=0 name="/var/tmp/portage/.portage.6454.net.sock" inode=1245198 dev=fd:04 mode=0140700 ouid=250 ogid=250 rdev=00:00 obj=unconfined_u:object_r:portage_tmp_t nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0

The ebuild seems to be successfully built and installed, but not sure if this has any side effects.


Reproducible: Always

Steps to Reproduce:
1. have SELinux in enforcing mode
2. run emerge to install something
3. find the "unable to configure loopback interface" messages in emerge output
4. find the SELinux deny messages in ausearch
Comment 1 Joel Parthemore 2020-11-10 00:20:10 UTC 
I am having the exact same problem.  As thomasb wrote, the ebuild appears to build and install successfully.  I'm wondering if this is an error message I can safely ignore.
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-11-10 00:37:25 UTC 
It'll be related to the network-sandbox. Whether or not this prevents it working effectively or not, I'm not sure. You could write an ebuild which tries to fetch something from the internet in e.g. src_compile and see if it is denied or not, I suspect it will be.