* [refpolicy] [PATCH 3/4] Allow portage_sandbox_t ptrace capabilities
@ 2011-04-28 19:34 Sven Vermeulen
  2011-05-02 15:33 ` Christopher J. PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Sven Vermeulen @ 2011-04-28 19:34 UTC (permalink / raw)
  To: refpolicy

During installation of system packages like python, ustr, ... the
portage_sandbox_t domain requires ptrace capabilities. 

If not allowed, the following error is returned:

/sbin/ldconfig -n /var/tmp/portage/dev-libs/ustr-1.0.4-r1/image//usr/lib64
ISE:_do_ptrace ptrace(PTRACE_TRACEME, ..., 0x0000000000000000, 0x0000000000000000): Permission denied
/usr/lib/libsandbox.so(+0x3812)[0x7535af0ca812]
/usr/lib/libsandbox.so(+0x38a3)[0x7535af0ca8a3]
/usr/lib/libsandbox.so(+0x5595)[0x7535af0cc595]
/usr/lib/libsandbox.so(+0x5a87)[0x7535af0cca87]
/usr/lib/libsandbox.so(+0x68de)[0x7535af0cd8de]
/usr/lib/libsandbox.so(execvp+0x6c)[0x7535af0ceb3c]
make(+0x1159e)[0x337b918159e]
make(+0x11eec)[0x337b9181eec]
make(+0x12b34)[0x337b9182b34]
make(+0x1e759)[0x337b918e759]
/proc/5977/cmdline: make -j4 install
DESTDIR=/var/tmp/portage/dev-libs/ustr-1.0.4-r1/image/ HIDE=
libdir=/usr/lib64 mandir=/usr/share/man SHRDIR=/usr/share/doc/ustr-1.0.4-r1
DOCSHRDIR=/usr/share/doc/ustr-1.0.4-r1

This seems to be during a standard "make install" of the package but part of
Portage's sandbox usage (the above error is for ustr, but packages like python
exhibit the same problem).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/admin/portage.te |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index d6697d3..4ea154f 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -148,6 +148,7 @@ corecmd_shell_spec_domtrans(portage_t, portage_sandbox_t)
 allow portage_sandbox_t portage_t:fd use;
 allow portage_sandbox_t portage_t:fifo_file rw_file_perms;
 allow portage_sandbox_t portage_t:process sigchld;
+allow portage_sandbox_t self:process ptrace;
 
 # run scripts out of the build directory
 can_exec(portage_t, portage_tmp_t)
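Review bot: the subject line says "ptrace capabilities", but the rule added here, `allow portage_sandbox_t self:process ptrace;`, grants the `process ptrace` permission on the domain itself rather than the `sys_ptrace` capability; retitle the patch to say what it does (e.g. "Allow portage_sandbox_t to ptrace itself") and state in the description that this is what libsandbox's PTRACE_TRACEME request needs, since both the tracer (the parent) and the tracee (the child) run as portage_sandbox_t. Style point: the new line is dropped between rules that govern portage_sandbox_t's access to portage_t (`fd use`, `fifo_file rw_file_perms`, `process sigchld`); a `self:` rule belongs with the domain's other self rules, not inside the portage_t block. Because ptrace lets a tracer read and alter the tracee's memory and registers, the description should also make explicit that the permission is confined to the domain tracing its own processes and grants nothing against other domains.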
-- 
1.7.3.4

^ permalink raw reply related	[flat|nested] 2+ messages in thread
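The denial quoted in the patch description comes from a child process asking its parent to trace it with PTRACE_TRACEME. The probe below, an added example that is not part of the original message or of the sandbox or refpolicy code, reproduces exactly that request in a forked child and reports how the kernel answered, so a practitioner can run it (e.g. via `runcon` in the portage_sandbox_t domain, or inside an ebuild phase) before and after loading a policy change to confirm that self-ptrace is now permitted. The function names, the mapping of errno values to causes, and the use of SIGSTOP as the stop the parent resumes from are this example's own choices; the error strings are assumptions about which subsystem produced the refusal, not something the log above proves.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Child side: make the same PTRACE_TRACEME request that libsandbox makes.
 * The exit status carries the ptrace() errno (0 on success) back to the
 * parent; errno values are small, so they fit in the 8-bit exit status. */
static void child_request_trace(void)
{
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
        _exit(errno);
    /* We are now traced by the parent: deliver a signal to ourselves so the
     * parent observes a ptrace stop and has to resume us explicitly. */
    raise(SIGSTOP);
    _exit(0);
}

/* Parent side: fork, let the child ask to be traced, resume it if it
 * stopped, and report the outcome.  Returns 0 when PTRACE_TRACEME was
 * honoured, otherwise the positive errno it failed with. */
int ptrace_traceme_probe(void)
{
    int status;
    pid_t pid = fork();

    if (pid == -1)
        return errno;
    if (pid == 0)
        child_request_trace();          /* never returns */

    if (waitpid(pid, &status, 0) == -1)
        return errno;
    if (WIFSTOPPED(status)) {
        /* A ptrace stop means the request succeeded; resume with signal 0
         * so the pending SIGSTOP is discarded and the child runs to exit. */
        if (ptrace(PTRACE_CONT, pid, NULL, NULL) == -1)
            return errno;
        if (waitpid(pid, &status, 0) == -1)
            return errno;
    }
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return EIO;                         /* child killed by a signal: harness failure */
}

/* Human-readable verdict for the probe result.  The attribution of EACCES to
 * a mandatory access control denial and EPERM to other mechanisms is an
 * assumption of this example (SELinux AVC denials surface as EACCES, which
 * strerror() prints as "Permission denied", the text seen in the log). */
const char *ptrace_probe_verdict(int err)
{
    switch (err) {
    case 0:
        return "allowed: the parent may trace this child";
    case EACCES:
        return "denied with EACCES: mandatory access control refused process:ptrace (check the AVC log)";
    case EPERM:
        return "denied with EPERM: ptrace restricted by another mechanism (seccomp, Yama, missing capability)";
    default:
        return "probe failed: see errno";
    }
}

int main(void)
{
    int err = ptrace_traceme_probe();

    printf("PTRACE_TRACEME: %s", ptrace_probe_verdict(err));
    if (err != 0)
        printf(" (%s)", strerror(err));
    putchar('\n');
    return err ? 1 : 0;
}
```

Run it once in the unmodified policy to see the refusal, load the updated portage module, then run it again; a verdict of "allowed" in the sandbox domain confirms that the self ptrace rule is what the failing `make install` was missing, while a persistent EPERM points at a restriction the SELinux rule cannot fix.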
