Gentoo Archives: gentoo-hardened

From: Robert Sharp <selinux@×××××××××××××××.org>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] SELinux Portage and Python2.7
Date: Wed, 14 Dec 2016 18:55:05
Message-Id: de7af460-a57c-a45e-c24e-fc3105325263@sharp.homelinux.org
Hi again,

I noticed a bunch of AVCs during my weekly update that look like a
shortfall in the portage policy?

For example:

----
time->Wed Dec 14 09:50:23 2016
type=PROCTITLE msg=audit(1481709023.487:245940):
proctitle=707974686F6E322E37002F7573722F6C696236342F707974686F6E322E372F736974652D7061636B616765732F696E636C7564655F7365727665722F696E636C7564655F7365727665722E7079002D2D706F7274002F746D702F6469737463632D70756D702E31676D4479492F736F636B6574002D2D7069645F66696C65002F
type=PATH msg=audit(1481709023.487:245940): item=1
name="/dev/shm/tmpdC4SvU.include_server-27263-1" inode=4596172 dev=00:13
mode=040700 ouid=250 ogid=250 rdev=00:00
obj=staff_u:object_r:portage_tmpfs_t nametype=CREATE
type=PATH msg=audit(1481709023.487:245940): item=0 name="/dev/shm/"
inode=8351 dev=00:13 mode=041777 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:tmpfs_t nametype=PARENT
type=CWD msg=audit(1481709023.487:245940):
cwd="/var/tmp/portage/sys-devel/libtool-2.4.6-r2/work/libtool-2.4.6"
type=SYSCALL msg=audit(1481709023.487:245940): arch=c000003e syscall=83
success=yes exit=0 a0=c94da980 a1=1c0 a2=0 a3=1e1 items=2 ppid=27262
pid=27263 auid=4294967295 uid=250 gid=250 euid=250 suid=250 fsuid=250
egid=250 sgid=250 fsgid=250 tty=pts2 ses=4294967295 comm="python2.7"
exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:portage_sandbox_t key=(null)
type=AVC msg=audit(1481709023.487:245940): avc: denied { create } for
pid=27263 comm="python2.7" name="tmpdC4SvU.include_server-27263-1"
scontext=staff_u:sysadm_r:portage_sandbox_t
tcontext=staff_u:object_r:portage_tmpfs_t tclass=dir permissive=1

And another AVC:

> type=AVC msg=audit(1481709072.864:245941): avc: denied { rmdir }
> for pid=27263 comm="python2.7" name="tmpdC4SvU.include_server-27263-1"
> dev="tmpfs" ino=4596172 scontext=staff_u:sysadm_r:portage_sandbox_t
> tcontext=staff_u:object_r:portage_tmpfs_t tclass=dir permissive=1

Looks like python is trying to create/remove directories within
portage_tmpfs_t, and looking at the existing permissions:

> allow portage_sandbox_t portage_tmpfs_t:dir { search read lock
> getattr write ioctl remove_name open add_name };

suggests that it does not have the necessary permissions (e.g. create)?

Thanks

Robert Sharp
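The check Robert is doing by hand above (compare the permissions named in the AVC records with the permissions the existing allow rule already grants) can be scripted. The following is an added example and is not part of the mailing-list post, nor is it audit2allow or any Gentoo/SELinux tooling: it parses the two AVC lines and the allow rule quoted in the message (copied here as constructed sample input), groups denials by (source type, target type, object class), and reports the permissions that the quoted rule lacks. The regular expressions and function names are this example's own.

```python
"""Compare SELinux AVC denials against an existing allow rule and report
the permissions the rule does not yet grant.

Added example; not the mailing-list author's code and not audit2allow.
"""
import re
from collections import defaultdict

# Constructed sample input: the two AVC records quoted in the message,
# re-joined onto one line each (audit records are single lines on disk).
SAMPLE_AVCS = """\
type=AVC msg=audit(1481709023.487:245940): avc: denied { create } for pid=27263 comm="python2.7" name="tmpdC4SvU.include_server-27263-1" scontext=staff_u:sysadm_r:portage_sandbox_t tcontext=staff_u:object_r:portage_tmpfs_t tclass=dir permissive=1
type=AVC msg=audit(1481709072.864:245941): avc: denied { rmdir } for pid=27263 comm="python2.7" name="tmpdC4SvU.include_server-27263-1" dev="tmpfs" ino=4596172 scontext=staff_u:sysadm_r:portage_sandbox_t tcontext=staff_u:object_r:portage_tmpfs_t tclass=dir permissive=1
"""

# The existing rule quoted in the message.
SAMPLE_RULE = ("allow portage_sandbox_t portage_tmpfs_t:dir { search read lock "
               "getattr write ioctl remove_name open add_name };")

# "avc: denied { perm perm } ... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)"
)
# "allow src tgt:class { perm perm };"
RULE_RE = re.compile(
    r"allow\s+(?P<src>\S+)\s+(?P<tgt>[^\s:]+):(?P<tclass>\S+)\s+"
    r"\{\s*(?P<perms>[^}]+?)\s*\}\s*;"
)


def ctx_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avcs(text):
    """Group denied permissions by (source type, target type, object class)."""
    denied = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (ctx_type(m["sctx"]), ctx_type(m["tctx"]), m["tclass"])
            denied[key].update(m["perms"].split())
    return dict(denied)


def parse_rule(text):
    """Return ((src, tgt, class), set_of_granted_perms) for one allow rule."""
    m = RULE_RE.search(text)
    if not m:
        raise ValueError("not an allow rule: %r" % text)
    return (m["src"], m["tgt"], m["tclass"]), set(m["perms"].split())


def missing_permissions(avc_text, rule_text):
    """Permissions the denials need that the rule does not grant, keyed by
    (src, tgt, class). Denials on a different key are reported in full."""
    granted_key, granted = parse_rule(rule_text)
    result = {}
    for key, perms in parse_avcs(avc_text).items():
        lacking = perms - granted if key == granted_key else set(perms)
        if lacking:
            result[key] = lacking
    return result


def suggested_rule(key, perms):
    """Render a candidate allow rule covering the missing permissions."""
    src, tgt, tclass = key
    return "allow %s %s:%s { %s };" % (src, tgt, tclass, " ".join(sorted(perms)))


if __name__ == "__main__":
    for key, perms in missing_permissions(SAMPLE_AVCS, SAMPLE_RULE).items():
        print(suggested_rule(key, perms))
```

Two things worth noting when reading the output. `permissive=1` in both records means the denial was logged but not enforced, so the distcc include server's directory in /dev/shm was in fact created and removed; that is why the operations appear to have worked. And a candidate rule produced this way only says which permissions are missing, not whether the policy should grant them: that decision (here, whether the portage sandbox domain should be allowed to create and remove its own tmpfs directories) is the policy question the message is raising.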

Replies

Subject: Re: [gentoo-hardened] SELinux Portage and Python2.7
Author: Sven Vermeulen <swift@g.o>