During installation of system packages like python, ustr, ... the
portage_sandbox_t domain requires ptrace capabilities.
If not allowed, the following error is returned:
/sbin/ldconfig -n /var/tmp/portage/dev-libs/ustr-1.0.4-r1/image//usr/lib64
ISE:_do_ptrace ^[[0mptrace(PTRACE_TRACEME, ..., 0x0000000000000000, 0x0000000000000000): Permission denied
/usr/lib/libsandbox.so(+0x3812)[0x7535af0ca812]
/usr/lib/libsandbox.so(+0x38a3)[0x7535af0ca8a3]
/usr/lib/libsandbox.so(+0x5595)[0x7535af0cc595]
/usr/lib/libsandbox.so(+0x5a87)[0x7535af0cca87]
/usr/lib/libsandbox.so(+0x68de)[0x7535af0cd8de]
/usr/lib/libsandbox.so(execvp+0x6c)[0x7535af0ceb3c]
make(+0x1159e)[0x337b918159e]
make(+0x11eec)[0x337b9181eec]
make(+0x12b34)[0x337b9182b34]
make(+0x1e759)[0x337b918e759]
/proc/5977/cmdline: make -j4 install
DESTDIR=/var/tmp/portage/dev-libs/ustr-1.0.4-r1/image/ HIDE=
libdir=/usr/lib64 mandir=/usr/share/man SHRDIR=/usr/share/doc/ustr-1.0.4-r1
DOCSHRDIR=/usr/share/doc/ustr-1.0.4-r1
This seems to be during a standard "make install" of the package but part of
Portage' sandbox usage (above error for ustr, but packages like python exhibit
the same problem.)
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/admin/portage.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index d6697d3..4ea154f 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -148,6 +148,7 @@ corecmd_shell_spec_domtrans(portage_t, portage_sandbox_t)
allow portage_sandbox_t portage_t:fd use;
allow portage_sandbox_t portage_t:fifo_file rw_file_perms;
allow portage_sandbox_t portage_t:process sigchld;
+allow portage_sandbox_t self:process ptrace;
# run scripts out of the build directory
can_exec(portage_t, portage_tmp_t)
--
1.7.3.4
On 04/28/11 15:34, Sven Vermeulen wrote:
> During installation of system packages like python, ustr, ... the
> portage_sandbox_t domain requires ptrace capabilities.
>
> If not allowed, the following error is returned:
>
> /sbin/ldconfig -n /var/tmp/portage/dev-libs/ustr-1.0.4-r1/image//usr/lib64
> ISE:_do_ptrace ^[[0mptrace(PTRACE_TRACEME, ..., 0x0000000000000000, 0x0000000000000000): Permission denied
> /usr/lib/libsandbox.so(+0x3812)[0x7535af0ca812]
> /usr/lib/libsandbox.so(+0x38a3)[0x7535af0ca8a3]
> /usr/lib/libsandbox.so(+0x5595)[0x7535af0cc595]
> /usr/lib/libsandbox.so(+0x5a87)[0x7535af0cca87]
> /usr/lib/libsandbox.so(+0x68de)[0x7535af0cd8de]
> /usr/lib/libsandbox.so(execvp+0x6c)[0x7535af0ceb3c]
> make(+0x1159e)[0x337b918159e]
> make(+0x11eec)[0x337b9181eec]
> make(+0x12b34)[0x337b9182b34]
> make(+0x1e759)[0x337b918e759]
> /proc/5977/cmdline: make -j4 install
> DESTDIR=/var/tmp/portage/dev-libs/ustr-1.0.4-r1/image/ HIDE=
> libdir=/usr/lib64 mandir=/usr/share/man SHRDIR=/usr/share/doc/ustr-1.0.4-r1
> DOCSHRDIR=/usr/share/doc/ustr-1.0.4-r1
>
> This seems to be during a standard "make install" of the package but part of
> Portage' sandbox usage (above error for ustr, but packages like python exhibit
> the same problem.)
Merged.
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/admin/portage.te | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
> index d6697d3..4ea154f 100644
> --- a/policy/modules/admin/portage.te
> +++ b/policy/modules/admin/portage.te
> @@ -148,6 +148,7 @@ corecmd_shell_spec_domtrans(portage_t, portage_sandbox_t)
> allow portage_sandbox_t portage_t:fd use;
> allow portage_sandbox_t portage_t:fifo_file rw_file_perms;
> allow portage_sandbox_t portage_t:process sigchld;
> +allow portage_sandbox_t self:process ptrace;
>
> # run scripts out of the build directory
> can_exec(portage_t, portage_tmp_t)
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com