Allow portage_sandbox_t ptrace capabilities

During installation of system packages like python, ustr, ... the portage_sandbox_t domain requires ptrace capabilities. If not allowed, the following error is returned: /sbin/ldconfig -n /var/tmp/portage/dev-libs/ustr-1.0.4-r1/image//usr/lib64 ISE:_do_ptrace ^[[0mptrace(PTRACE_TRACEME, ..., 0x0000000000000000, 0x0000000000000000): Permission denied /usr/lib/libsandbox.so(+0x3812)[0x7535af0ca812] /usr/lib/libsandbox.so(+0x38a3)[0x7535af0ca8a3] /usr/lib/libsandbox.so(+0x5595)[0x7535af0cc595] /usr/lib/libsandbox.so(+0x5a87)[0x7535af0cca87] /usr/lib/libsandbox.so(+0x68de)[0x7535af0cd8de] /usr/lib/libsandbox.so(execvp+0x6c)[0x7535af0ceb3c] make(+0x1159e)[0x337b918159e] make(+0x11eec)[0x337b9181eec] make(+0x12b34)[0x337b9182b34] make(+0x1e759)[0x337b918e759] /proc/5977/cmdline: make -j4 install DESTDIR=/var/tmp/portage/dev-libs/ustr-1.0.4-r1/image/ HIDE= libdir=/usr/lib64 mandir=/usr/share/man SHRDIR=/usr/share/doc/ustr-1.0.4-r1 DOCSHRDIR=/usr/share/doc/ustr-1.0.4-r1 This seems to be during a standard "make install" of the package but part of Portage' sandbox usage (above error for ustr, but packages like python exhibit the same problem.) Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2011-04-28 15:34:57 -04:00 · 2011-04-28 15:34:57 -04:00 · fd9ec1f728
parent 4061b06a4a
commit fd9ec1f728
1 changed files with 1 additions and 0 deletions
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@ -145,6 +145,7 @@ corecmd_shell_spec_domtrans(portage_t, portage_sandbox_t)
 allow portage_sandbox_t portage_t:fd use;
 allow portage_sandbox_t portage_t:fifo_file rw_file_perms;
 allow portage_sandbox_t portage_t:process sigchld;
+allow portage_sandbox_t self:process ptrace;

 # run scripts out of the build directory
 can_exec(portage_t, portage_tmp_t)