1. nobody

    Why not just let it run at full privs? A compromised portage process already has enough privs to own the entire system (and even disable selinux), that allowing it to exec as another user isn’t really that big of a deal.

  2. Because I would like to use a least privilege concept for the policies. Yes, Portage already has quite a few rights (although load_policy and setenforce aren’t amongst those – but it does have the ability to transition to semanage_t and setfiles_t), but granting “full privs” is not an easy thing to do (unless you count unconfined domains).

    I also believe that emerge –config should work for roles that do not get the portage privileges. Consider a dbadm_r role (database administrator). It would make sense to allow the DBA to run “emerge –config dev-db/postgresql-server” in his own domain (dbadm_t) rather than granting him access to the (possibly higher privileged) portage_t.

Leave a Reply

Your email address will not be published. Required fields are marked *