Gentoo Archives: gentoo-hardened

From: Robert Sharp <selinux@×××××××××××××××.org>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] Portage-related AVCs
Date: Thu, 24 Nov 2016 21:13:46
Message-Id: 9be28879-5470-994b-eaa0-62456582daf5@sharp.homelinux.org
In Reply to: Re: [gentoo-hardened] Portage-related AVCs by Jason Zaman
On 24/11/16 17:07, Jason Zaman wrote:
> That warning is harmless, I'll remove the line from the policy later.
> For now ignore it or manually remove the line to silence the warning.
> http://blog.perfinion.com/2016/10/selinux-userspace-26-released/

Sorry Jason, but I am not making much progress. I have emerged as you
suggested with the 20151208-r6 versions (and setools4). When I repeat
the search for portage_sandbox I get the same results as before:

# sesearch -s portage_sandbox_t -t portage_tmp_t -A
allow portage_sandbox_t non_auth_file_type:dir { search read lock
getattr ioctl open };
allow portage_sandbox_t non_auth_file_type:file { read lock ioctl open
getattr };
allow portage_sandbox_t non_auth_file_type:lnk_file { read getattr };
allow portage_sandbox_t portage_tmp_t:dir { rename search setattr read
lock create reparent getattr write ioctl link rmdir remove_name unlink
open add_name };
allow portage_sandbox_t portage_tmp_t:fifo_file { rename setattr read
lock create getattr write ioctl link unlink open append };
allow portage_sandbox_t portage_tmp_t:file { rename execute setattr read
lock create getattr execute_no_trans write relabelfrom ioctl link
relabelto unlink open append };
allow portage_sandbox_t portage_tmp_t:lnk_file { rename setattr read
lock create getattr write ioctl link unlink };
allow portage_sandbox_t portage_tmp_t:sock_file { rename setattr read
lock create getattr write ioctl link unlink open append };

There is still no relabelto/from in the dir rule. I am not sure the
module rebuild worked. I tried the semodule -B again with -v and it all
happens rather quickly:

# semodule -B -v
Committing changes:
libsemanage.add_user: user system_u not in password file
Ok: transaction number 0.

Doesn't seem like it spent long rebuilding all those policies, but then
I wouldn't know if it is supposed to be quick?

Also, there doesn't seem to be a very easy way to confirm what policy
version is in place? I once saw a listing from semodule -l that included
version information but it doesn't happen on my system.

Robert
