From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Thu, 28 Apr 2011 21:34:57 +0200 Subject: [refpolicy] [PATCH 3/4] Allow portage_sandbox_t ptrace capabilities Message-ID: <20110428193457.GC29963@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com During installation of system packages like python, ustr, ... the portage_sandbox_t domain requires ptrace capabilities. If not allowed, the following error is returned: /sbin/ldconfig -n /var/tmp/portage/dev-libs/ustr-1.0.4-r1/image//usr/lib64 ISE:_do_ptrace ^[[0mptrace(PTRACE_TRACEME, ..., 0x0000000000000000, 0x0000000000000000): Permission denied /usr/lib/libsandbox.so(+0x3812)[0x7535af0ca812] /usr/lib/libsandbox.so(+0x38a3)[0x7535af0ca8a3] /usr/lib/libsandbox.so(+0x5595)[0x7535af0cc595] /usr/lib/libsandbox.so(+0x5a87)[0x7535af0cca87] /usr/lib/libsandbox.so(+0x68de)[0x7535af0cd8de] /usr/lib/libsandbox.so(execvp+0x6c)[0x7535af0ceb3c] make(+0x1159e)[0x337b918159e] make(+0x11eec)[0x337b9181eec] make(+0x12b34)[0x337b9182b34] make(+0x1e759)[0x337b918e759] /proc/5977/cmdline: make -j4 install DESTDIR=/var/tmp/portage/dev-libs/ustr-1.0.4-r1/image/ HIDE= libdir=/usr/lib64 mandir=/usr/share/man SHRDIR=/usr/share/doc/ustr-1.0.4-r1 DOCSHRDIR=/usr/share/doc/ustr-1.0.4-r1 This seems to be during a standard "make install" of the package but part of Portage' sandbox usage (above error for ustr, but packages like python exhibit the same problem.) Signed-off-by: Sven Vermeulen --- policy/modules/admin/portage.te | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te index d6697d3..4ea154f 100644 --- a/policy/modules/admin/portage.te +++ b/policy/modules/admin/portage.te @@ -148,6 +148,7 @@ corecmd_shell_spec_domtrans(portage_t, portage_sandbox_t) allow portage_sandbox_t portage_t:fd use; allow portage_sandbox_t portage_t:fifo_file rw_file_perms; allow portage_sandbox_t portage_t:process sigchld; +allow portage_sandbox_t self:process ptrace; # run scripts out of the build directory can_exec(portage_t, portage_tmp_t) -- 1.7.3.4