From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Mon, 02 May 2011 11:33:38 -0400
Subject: [refpolicy] [PATCH 3/4] Allow portage_sandbox_t ptrace capabilities
In-Reply-To: <20110428193457.GC29963@siphos.be>
References: <20110428193457.GC29963@siphos.be>
Message-ID: <4DBECED2.6030600@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 04/28/11 15:34, Sven Vermeulen wrote:
> During installation of system packages like python, ustr, ... the
> portage_sandbox_t domain requires ptrace capabilities.
>
> If not allowed, the following error is returned:
>
> /sbin/ldconfig -n /var/tmp/portage/dev-libs/ustr-1.0.4-r1/image//usr/lib64
> ISE:_do_ptrace ^[[0mptrace(PTRACE_TRACEME, ..., 0x0000000000000000, 0x0000000000000000): Permission denied
> /usr/lib/libsandbox.so(+0x3812)[0x7535af0ca812]
> /usr/lib/libsandbox.so(+0x38a3)[0x7535af0ca8a3]
> /usr/lib/libsandbox.so(+0x5595)[0x7535af0cc595]
> /usr/lib/libsandbox.so(+0x5a87)[0x7535af0cca87]
> /usr/lib/libsandbox.so(+0x68de)[0x7535af0cd8de]
> /usr/lib/libsandbox.so(execvp+0x6c)[0x7535af0ceb3c]
> make(+0x1159e)[0x337b918159e]
> make(+0x11eec)[0x337b9181eec]
> make(+0x12b34)[0x337b9182b34]
> make(+0x1e759)[0x337b918e759]
> /proc/5977/cmdline: make -j4 install
> DESTDIR=/var/tmp/portage/dev-libs/ustr-1.0.4-r1/image/ HIDE=
> libdir=/usr/lib64 mandir=/usr/share/man SHRDIR=/usr/share/doc/ustr-1.0.4-r1
> DOCSHRDIR=/usr/share/doc/ustr-1.0.4-r1
>
> This seems to be during a standard "make install" of the package but part of
> Portage' sandbox usage (above error for ustr, but packages like python exhibit
> the same problem.)

Merged.

> Signed-off-by: Sven Vermeulen
> --- > policy/modules/admin/portage.te | 1 + > 1 files changed, 1 insertions(+), 0 deletions(-) > > diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te > index d6697d3..4ea154f 100644 > --- a/policy/modules/admin/portage.te > +++ b/policy/modules/admin/portage.te
> @@ -148,6 +148,7 @@ corecmd_shell_spec_domtrans(portage_t, portage_sandbox_t) > allow portage_sandbox_t portage_t:fd use; > allow portage_sandbox_t portage_t:fifo_file rw_file_perms; > allow portage_sandbox_t portage_t:process sigchld; > +allow portage_sandbox_t self:process ptrace; > > # run scripts out of the build directory > can_exec(portage_t, portage_tmp_t) -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
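
Review bot: The added `allow portage_sandbox_t self:process ptrace;` line carries no comment, although ptrace is a sensitive process permission and the block that follows it is introduced by one ("# run scripts out of the build directory"). A one-line comment above the rule stating that libsandbox calls ptrace(PTRACE_TRACEME) during package installation, as the description reports, would let a later policy audit see why the permission exists and that `self` is the intended scope. The three rules directly above all target `portage_t`, while this one targets `self`, so if the module already groups portage_sandbox_t's own `self` rules elsewhere, the new rule would sit more naturally there.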