Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-hardened

From: Robert Sharp <selinux@×××××××××××××××.org>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] Portage-related AVCs
Date: Wed, 23 Nov 2016 12:58:46
Message-Id: 5b2c7e77-61f2-b5f7-d365-09d5d6608587@sharp.homelinux.org
1 Hi,
2
3 just done my weekly update and I noticed the following AVCs occurred
4 that suggest something missing in the portage policy?
5
6 type=PROCTITLE msg=audit(1479900756.052:3548):
7 proctitle=6370002D61002D2D7265666C696E6B3D6175746F002F7661722F746D702F706F72746167652F6465762D707974686F6E2F70797061782D302E392E322F696D6167652F5F707974686F6E322E372F2E002F7661722F746D702F706F72746167652F6465762D707974686F6E2F70797061782D302E392E322F696D6167652F2F
8 type=PATH msg=audit(1479900756.052:3548): item=0
9 name="/var/tmp/portage/dev-python/pypax-0.9.2/image/." inode=1182893
10 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
11 obj=staff_u:object_r:portage_tmp_t nametype=NORMAL
12 type=CWD msg=audit(1479900756.052:3548):
13 cwd="/var/tmp/portage/dev-python/pypax-0.9.2/work/elfix-0.9.2/scripts"
14 type=SYSCALL msg=audit(1479900756.052:3548): arch=c000003e syscall=189
15 success=yes exit=0 a0=44b69d9c40 a1=36fe2f5a763 a2=44b69d9df0 a3=1f
16 items=1 ppid=21441 pid=21661 auid=4294967295 uid=0 gid=0 euid=0 suid=0
17 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4294967295 comm="cp"
18 exe="/bin/cp" subj=staff_u:sysadm_r:portage_sandbox_t key=(null)
19 type=AVC msg=audit(1479900756.052:3548): avc: denied { relabelto }
20 for pid=21661 comm="cp" name="image" dev="dm-0" ino=1182893
21 scontext=staff_u:sysadm_r:portage_sandbox_t
22 tcontext=staff_u:object_r:portage_tmp_t tclass=dir permissive=1
23 type=AVC msg=audit(1479900756.052:3548): avc: denied { relabelfrom }
24 for pid=21661 comm="cp" name="image" dev="dm-0" ino=1182893
25 scontext=staff_u:sysadm_r:portage_sandbox_t
26 tcontext=staff_u:object_r:portage_tmp_t tclass=dir permissive=1
27
28 I checked the policy for source=portage_sandbox_t and
29 target=portage_tmp_t and it is:
30
31 # sesearch -s portage_sandbox_t -t portage_tmp_t -Ad
32 Found 5 semantic av rules:
33 allow portage_sandbox_t portage_tmp_t : lnk_file { ioctl read write
34 create getattr setattr lock unlink link rename } ;
35 allow portage_sandbox_t portage_tmp_t : dir { ioctl read write
36 create getattr setattr lock unlink link rename add_name remove_name
37 reparent search rmdir open } ;
38 allow portage_sandbox_t portage_tmp_t : fifo_file { ioctl read write
39 create getattr setattr lock append unlink link rename open } ;
40 allow portage_sandbox_t portage_tmp_t : file { ioctl read write
41 create getattr setattr lock relabelfrom relabelto append unlink link
42 rename execute execute_no_trans open } ;
43 allow portage_sandbox_t portage_tmp_t : sock_file { ioctl read write
44 create getattr setattr lock append unlink link rename open } ;
45
46 It looks to me like portage was trying to relabelto/from a directory but
47 these ops are only allowed for files?
48
49 I also spotted AVCs involving directory access to portage_tmpfs_t (and
50 sandbox as the source), such as:
51
52 type=PROCTITLE msg=audit(1479900586.938:3542):
53 proctitle=707974686F6E322E37002F7573722F6C696236342F707974686F6E322E372F736974652D7061636B616765732F696E636C7564655F7365727665722F696E636C7564655F7365727665722E7079002D2D706F7274002F746D702F6469737463632D70756D702E656B6A3330372F736F636B6574002D2D7069645F66696C65002F
54 type=PATH msg=audit(1479900586.938:3542): item=1
55 name="/dev/shm/tmpgk84Lo.include_server-16244-1" inode=1246573 dev=00:13
56 mode=040700 ouid=250 ogid=250 rdev=00:00
57 obj=staff_u:object_r:portage_tmpfs_t nametype=DELETE
58 type=PATH msg=audit(1479900586.938:3542): item=0 name="/dev/shm/"
59 inode=8351 dev=00:13 mode=041777 ouid=0 ogid=0 rdev=00:00
60 obj=system_u:object_r:tmpfs_t nametype=PARENT
61 type=CWD msg=audit(1479900586.938:3542):
62 cwd="/var/tmp/portage/dev-python/cffi-1.5.2/work/cffi-1.5.2"
63 type=SYSCALL msg=audit(1479900586.938:3542): arch=c000003e syscall=84
64 success=yes exit=0 a0=3a6d7c7770 a1=0 a2=0 a3=36b items=2 ppid=1
65 pid=16244 auid=4294967295 uid=250 gid=250 euid=250 suid=250 fsuid=250
66 egid=250 sgid=250 fsgid=250 tty=pts0 ses=4294967295 comm="python2.7"
67 exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:portage_sandbox_t key=(null)
68 type=AVC msg=audit(1479900586.938:3542): avc: denied { rmdir } for
69 pid=16244 comm="python2.7" name="tmpgk84Lo.include_server-16244-1"
70 dev="tmpfs" ino=1246573 scontext=staff_u:sysadm_r:portage_sandbox_t
71 tcontext=staff_u:object_r:portage_tmpfs_t tclass=dir permissive=1
72
73 And a similar AVC for creating the same directory.
74
75 Is this likely to be a policy gap or have I done something wrong or
76 failed to do something I should have. I cannot provide more details
77 about what was happening at the time, other than in the audit snippets
78 above - it was the middle of a lengthy update process.
79
80 Thanks,
81
82 Robert Sharp

Replies

Subject Author
Re: [gentoo-hardened] Portage-related AVCs Jason Zaman <jason@×××××××××.com>
Report Message
Find on MARC Find on Google Groups