commit: 033ce53f9771f152d692d40b6d2582d9623ba4c9
Author: Rahul Sandhu <nvraxn <AT> gmail <DOT> com>
AuthorDate: Wed Oct 15 19:48:24 2025 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 16 00:22:34 2025 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=033ce53f
portage: grant compile domains getattr on chr_files in /dev
Some ebuilds, such as app-emulation/qemu, attempt to check for the
existence of various character devices in /dev:
avc: denied { getattr } for pid=6062 comm="meson" path="/dev/kvm"
dev="devtmpfs" ino=80 scontext=superuser:sysadm_r:portage_sandbox_t
tcontext=system_u:object_r:kvm_device_t tclass=chr_file permissive=0
Signed-off-by: Rahul Sandhu <nvraxn <AT> gmail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/admin/portage.if | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index 7a06daa43..ca29e2e9e 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -154,6 +154,9 @@ interface(`portage_compile_domain',`
dev_read_rand($1)
dev_read_urand($1)
+ # some packages test for nodes in /dev
+ dev_getattr_all_chr_files($1)
+
domain_use_interactive_fds($1)
domain_dontaudit_read_all_domains_state($1)
# SELinux-aware installs doing relabels in the sandbox
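Review bot: the added `dev_getattr_all_chr_files($1)` grants every compile domain getattr on all character device nodes in /dev, while the only evidence in the commit message is a single denial on `/dev/kvm` (`kvm_device_t`) from `portage_sandbox_t`. If the set of devices that ebuilds probe is known, a per-type interface for those device types would keep the rule closer to least privilege; if the "all" scope is intended because many packages probe many nodes, naming those packages in the commit message or in the comment above the rule would document why the wider grant was chosen. The exposure is limited (getattr reveals device existence and metadata, not read or write access), and since the probe result here influences build configuration, an allow rather than a dontaudit is the right choice; this note is only about the breadth of the grant.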