Hi again,

I noticed a bunch of AVCs during my weekly update that look like a
shortfall in the portage policy?

For example:

----
time->Wed Dec 14 09:50:23 2016
type=PROCTITLE msg=audit(1481709023.487:245940): proctitle=707974686F6E322E37002F7573722F6C696236342F707974686F6E322E372F736974652D7061636B616765732F696E636C7564655F7365727665722F696E636C7564655F7365727665722E7079002D2D706F7274002F746D702F6469737463632D70756D702E31676D4479492F736F636B6574002D2D7069645F66696C65002F
type=PATH msg=audit(1481709023.487:245940): item=1 name="/dev/shm/tmpdC4SvU.include_server-27263-1" inode=4596172 dev=00:13 mode=040700 ouid=250 ogid=250 rdev=00:00 obj=staff_u:object_r:portage_tmpfs_t nametype=CREATE
type=PATH msg=audit(1481709023.487:245940): item=0 name="/dev/shm/" inode=8351 dev=00:13 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmpfs_t nametype=PARENT
type=CWD msg=audit(1481709023.487:245940): cwd="/var/tmp/portage/sys-devel/libtool-2.4.6-r2/work/libtool-2.4.6"
type=SYSCALL msg=audit(1481709023.487:245940): arch=c000003e syscall=83 success=yes exit=0 a0=c94da980 a1=1c0 a2=0 a3=1e1 items=2 ppid=27262 pid=27263 auid=4294967295 uid=250 gid=250 euid=250 suid=250 fsuid=250 egid=250 sgid=250 fsgid=250 tty=pts2 ses=4294967295 comm="python2.7" exe="/usr/bin/python2.7" subj=staff_u:sysadm_r:portage_sandbox_t key=(null)
type=AVC msg=audit(1481709023.487:245940): avc: denied { create } for pid=27263 comm="python2.7" name="tmpdC4SvU.include_server-27263-1" scontext=staff_u:sysadm_r:portage_sandbox_t tcontext=staff_u:object_r:portage_tmpfs_t tclass=dir permissive=1

And another AVC:

> type=AVC msg=audit(1481709072.864:245941): avc: denied { rmdir } for pid=27263 comm="python2.7" name="tmpdC4SvU.include_server-27263-1" dev="tmpfs" ino=4596172 scontext=staff_u:sysadm_r:portage_sandbox_t tcontext=staff_u:object_r:portage_tmpfs_t tclass=dir permissive=1

Looks like python is trying to create/remove directories within
portage_tmpfs_t, and looking at the existing permissions:

> allow portage_sandbox_t portage_tmpfs_t:dir { search read lock getattr write ioctl remove_name open add_name };

suggests that it does not have the necessary permissions (e.g. create)?

Thanks

Robert Sharp
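The comparison Robert does by hand above (which permissions the AVC asks for versus which the existing allow rule grants) is easy to automate. The following is an added example, not part of the mail or of the refpolicy/Gentoo tooling: it parses AVC records and `allow` rules with regular expressions, reduces the source and target contexts to their type fields, and reports the permissions that are requested but not granted for each (source type, target type, class) triple. The sample input is constructed from the two AVC lines and the one allow rule quoted in the mail, rejoined onto single lines; everything else (function names, the rule dictionary layout) is this example's own choice.

```python
import re

# Constructed sample input: the two AVC records quoted in the mail above,
# joined back onto one line each, plus the allow rule the mail quotes.
AVC_RECORDS = [
    'type=AVC msg=audit(1481709023.487:245940): avc: denied { create } for pid=27263 '
    'comm="python2.7" name="tmpdC4SvU.include_server-27263-1" '
    'scontext=staff_u:sysadm_r:portage_sandbox_t tcontext=staff_u:object_r:portage_tmpfs_t '
    'tclass=dir permissive=1',
    'type=AVC msg=audit(1481709072.864:245941): avc: denied { rmdir } for pid=27263 '
    'comm="python2.7" name="tmpdC4SvU.include_server-27263-1" dev="tmpfs" ino=4596172 '
    'scontext=staff_u:sysadm_r:portage_sandbox_t tcontext=staff_u:object_r:portage_tmpfs_t '
    'tclass=dir permissive=1',
]

POLICY_RULES = """
allow portage_sandbox_t portage_tmpfs_t:dir { search read lock getattr write ioctl remove_name open add_name };
"""

# One AVC record: the permission set in braces, then scontext/tcontext/tclass,
# optionally followed by permissive=0|1 (1 means the denial was logged, not enforced).
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)

# One allow rule: "allow src tgt:cls perm;" or "allow src tgt:cls { p1 p2 ... };"
ALLOW_RE = re.compile(
    r'^\s*allow\s+(?P<src>\w+)\s+(?P<tgt>\w+):(?P<cls>\w+)\s+'
    r'(?:\{\s*(?P<perms>[^}]+?)\s*\}|(?P<perm>\w+))\s*;',
    re.MULTILINE,
)


def type_of(context):
    """Return the type field (user:role:type[:mls]) of an SELinux security context."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one AVC denial line into its requested permissions and context types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        'perms': set(m.group('perms').split()),
        'stype': type_of(m.group('scontext')),
        'ttype': type_of(m.group('tcontext')),
        'tclass': m.group('tclass'),
        'permissive': m.group('permissive') == '1',
    }


def parse_allow_rules(text):
    """Map (source type, target type, class) -> set of granted permissions."""
    rules = {}
    for m in ALLOW_RE.finditer(text):
        perms = m.group('perms').split() if m.group('perms') else [m.group('perm')]
        key = (m.group('src'), m.group('tgt'), m.group('cls'))
        rules.setdefault(key, set()).update(perms)
    return rules


def missing_permissions(avc_lines, rules):
    """Return {(src, tgt, cls): perms requested by the AVCs but not granted by rules}."""
    missing = {}
    for line in avc_lines:
        avc = parse_avc(line)
        if avc is None:
            continue  # not an AVC record (PATH, SYSCALL, ...); skip it
        key = (avc['stype'], avc['ttype'], avc['tclass'])
        needed = avc['perms'] - rules.get(key, set())
        if needed:
            missing.setdefault(key, set()).update(needed)
    return missing


def format_rule(key, perms):
    """Render a (src, tgt, cls) triple and permission set as an allow rule for review."""
    src, tgt, cls = key
    return f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"


if __name__ == '__main__':
    gaps = missing_permissions(AVC_RECORDS, parse_allow_rules(POLICY_RULES))
    for key, perms in sorted(gaps.items()):
        print(format_rule(key, perms))
```

On the mail's input this reports `create` and `rmdir` missing for `portage_sandbox_t` on `portage_tmpfs_t:dir`, which is exactly the gap Robert suspects. The output is a starting point for a policy discussion, not a rule to paste in: with `permissive=1` the denials were only logged, and whether the sandbox should get those permissions (or the directory should get a different label) is a decision for the policy maintainers.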