In the www-client/chromium ebuilds, the src_prepare() phase tries to copy nacl-toolchain-newlib from /usr/lib into the build location (${S}). This copying uses the "-a" argument for cp. However, this implies that the SELinux contexts of the source (nacl-toolchain-newlib) are copied as well. Sadly, this is not allowed by SELinux policy since the build location has to remain portage_tmp_t as context (the portage_sandbox_t domain, which is used while building software, should not get any rights on other contexts). Changing the command from "cp -a" to "cp -dRp" works as it uses the portage_tmp_t context for newly created files and directories while retaining mode and ownership.
Reproducible: Always
Created attachment 341392: chromium ebuild fix to use "cp -dRp". Suggested fix on the ebuilds to use "cp -dRp" instead of "cp -a".
Instead of effectively expanding "-a" which doesn't seem very future-proof, could you confirm whether using cp -a --no-preserve=context works?
Yes that works as well!
Thanks for reporting, fixed in CVS.
13 Mar 2013; Pawel Hajdan jr chromium-26.0.1410.28.ebuild, chromium-27.0.1438.7.ebuild, chromium-9999-r1.ebuild: Fix build with SELinux, bug #460892 by swift.
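A check for the two commands discussed in this thread, added here as an example and not taken from the ebuilds or the attached patch: it copies a constructed tree with "cp -dRp" and with "cp -a --no-preserve=context", compares type, mode, ownership, symlink target and mtime against the source, and on an SELinux-enabled host also prints the resulting labels. The function names and the sample tree are made up for this example, and GNU coreutils is assumed.

```bash
#!/bin/sh
# Added example; paths, file names and function names are constructed.

# Build a small source tree: a directory, a 0750 file with a fixed mtime,
# and a relative symlink (the cases -d, -R and -p are meant to cover).
make_sample_tree() {
    mkdir -p "$1/bin"
    printf 'sample\n' > "$1/bin/tool"
    chmod 0750 "$1/bin/tool"
    touch -t 201303011200 "$1/bin/tool"
    ln -s tool "$1/bin/tool-link"
}

# One line per entry: path, type, mode, owner, then symlink target or mtime.
describe_tree() {
    ( cd "$1" && find . -mindepth 1 | LC_ALL=C sort | while IFS= read -r p; do
        line="$p $(stat -c '%F %a %u:%g' "$p")"
        if [ -L "$p" ]; then
            line="$line -> $(readlink "$p")"
        elif [ -f "$p" ]; then
            line="$line mtime=$(stat -c %Y "$p")"
        fi
        printf '%s\n' "$line"
    done )
}

# Returns 0 when both copies carry the same metadata as the source.
compare_copies() {
    cc_work=$(mktemp -d) || return 1
    make_sample_tree "$cc_work/src"
    cc_rc=0
    cp -dRp "$cc_work/src" "$cc_work/copy_dRp" || cc_rc=1
    cp -a --no-preserve=context "$cc_work/src" "$cc_work/copy_a" || cc_rc=1
    cc_want=$(describe_tree "$cc_work/src")
    [ "$(describe_tree "$cc_work/copy_dRp")" = "$cc_want" ] || cc_rc=1
    [ "$(describe_tree "$cc_work/copy_a")" = "$cc_want" ] || cc_rc=1
    # Labels are only meaningful on an SELinux-enabled host; skipped elsewhere.
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        stat -c '%C %n' "$cc_work/src/bin/tool" \
            "$cc_work/copy_dRp/bin/tool" "$cc_work/copy_a/bin/tool"
    fi
    rm -rf "$cc_work"
    return $cc_rc
}
```

To see the label difference, run compare_copies from a directory whose default file context differs from that of the source tree.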