After upgrading to portage 2.2 the SELinux module is not found by portage anymore. Reproducible: Always Steps to Reproduce: Portage 2.1.4.4 (selinux/2007.0/x86, gcc-4.1.2, glibc-2.6.1-r0, 2.6.23-hardened-r12 i686) ================================================================= System uname: 2.6.23-hardened-r12 i686 Pentium III (Coppermine) Timestamp of tree: Sun, 06 Jul 2008 07:00:01 +0000 distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled] ccache version 2.4 [enabled] app-shells/bash: 3.2_p33 dev-lang/python: 2.5.2-r5 dev-util/ccache: 2.4-r7 sys-apps/baselayout: 1.12.11.1 sys-apps/sandbox: 1.2.18.1-r2 sys-devel/autoconf: 2.61-r2 sys-devel/automake: 1.7.9-r1, 1.9.6-r2, 1.10.1 sys-devel/binutils: 2.18-r1 sys-devel/gcc-config: 1.4.0-r4 sys-devel/libtool: 1.5.26 virtual/os-headers: 2.6.23-r3 ACCEPT_KEYWORDS="x86" CBUILD="i686-pc-linux-gnu" CFLAGS="-Os -march=pentium3 -fomit-frame-pointer" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc" CONFIG_PROTECT_MASK="/etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/init.d /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d" CXXFLAGS="-Os -march=pentium3 -fomit-frame-pointer" DISTDIR="/usr/portage/distfiles" EMERGE_DEFAULT_OPTS="--usepkg" FEATURES="ccache distcc distlocks loadpolicy metadata-transfer sandbox selinux sesandbox sfperms strict unmerge-orphans userfetch" GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo" LANG="en_US.utf8" MAKEOPTS="-j3" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/var/www/localhost/htdocs/pub/gentoo/portage-overlay/local-overlay" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="acpi apache apache2 authdaemond bash-completion berkdb bzip2 cli cracklib crypt curl cvsgraph dbus dri enscript fam gdbm geoip gif gpm hardened iconv idn imap ipv6 isdnlog jpeg libwww maildir mailwrapper midi mime mmx mudflap mysql ncurses nls nptl nptlonly openmp pam pcre pdf perl php png pppd python readline reflection sasl selinux session snmp spl ssl svg symlink tcpd tiff truetype unicode x86 xml xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif so speling status unique_id userdir usertrack vhost_alias version" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="none dummy nvidia" Unset: CPPFLAGS, CTARGET, INSTALL_MASK, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Same here; downgrading portage to stable (as shown) makes it work correctly again. Portage 2.1.4.4 (selinux/2007.0/x86/hardened, gcc-3.4.6, glibc-2.6.1-r0, 2.6.25-hardened-r2 i686) ================================================================= System uname: 2.6.25-hardened-r2 i686 Celeron (Coppermine) Timestamp of tree: Thu, 10 Jul 2008 09:46:01 +0000 distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled] ccache version 2.4 [enabled] app-shells/bash: 3.2_p17 dev-lang/python: 2.4.4-r6 dev-python/pycrypto: 2.0.1-r6 dev-util/ccache: 2.4-r7 sys-apps/baselayout: 1.12.9-r2 sys-apps/sandbox: 1.2.18.1-r2 sys-devel/autoconf: 2.13, 2.61-r1 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.18-r1 sys-devel/gcc-config: 1.3.16 sys-devel/libtool: 1.5.24 virtual/os-headers: 2.6.23-r3 ACCEPT_KEYWORDS="x86" CBUILD="i686-pc-linux-gnu" CFLAGS="-march=i686 -mtune=i686 -O2 -pipe -fomit-frame-pointer -fforce-addr" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/X11/xkb /var/bind" CONFIG_PROTECT_MASK="/etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d" CXXFLAGS="-march=i686 -mtune=i686 -O2 -pipe -fomit-frame-pointer -fforce-addr" DISTDIR="/usr/portage/distfiles" FEATURES="buildpkg ccache distlocks loadpolicy metadata-transfer selinux sesandbox sfperms strict unmerge-orphans userfetch" GENTOO_MIRRORS="http://kuroshin.arnolds.bogus/gentoo/" LINGUAS="en" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://kuroshin.arnolds.bogus/gentoo-portage" USE="apache2 berkdb bzip2 cli cracklib crypt cups curl dri expat foomaticdb fortran gd gdbm gmp gpm graphviz gs hardened hardenedphp iconv imlib innodb ipv6 isdnlog jbig jpeg lm_sensors logrotate midi mudflap mysql ncurses nls openmp pam pcre perl php pic pie png ppds pppd python readline reflection samba sasl selinux session snmp spamassassin spell spl ssl tcpd threads tiff truetype unicode usb x86 xorg zlib" ALSA_CARDS="intel8x0" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en" USERLAND="GNU" VIDEO_CARDS="i810 vesa fbdev" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
This warning message is actually harmless in most cases. The problem is that many places in portage check for the value of selinux_enabled() well before the selinux module actually gets loaded. The two places this happens most often are during the initialization of the global variable proxies (in init_legacy_globals), and when setting up logging (in prepare_build_dirs). I've gotten rid of the warnings using the attached patch but I'm very doubtful that it's the best solution. Mostly it just demonstrates where the problem arises and what needs to be fixed.
Created attachment 161359 [details, diff] Remove spurious SELinux warnings. There are at least two places where portage is displaying a spurious "!!! SELinux module not found" warning. In both cases, portage is calling selinux_enabled(), but isn't actually planning to use the selinux module. These checks are often done before the module is imported, so always fail and generate the warning, but do not adversely affect SELinux behavior later on. This patch simply silences the warnings in those two cases.
To clarify some, I do get warnings but I also get nonworking packages. They do not work because they are not marked (or what it is called) by selinux and thus are forbidden to run. Workaround is to either use a stable portage or to manually tell selinux about the newly emerged packages.
The error in portage is that the line in pym/portage/selinux.py: from selinux import is_selinux_enabled fails to locate the is_selinux_enabled module. This leads to selinux being disabled. Why this happens is a mystery to me as the code is identical to the one in <portage-2.2.
these aren't spurious warnings as far as I can tell. I don't get correct labels on merged packages
(In reply to comment #5) > The error in portage is that the line in pym/portage/selinux.py: > from selinux import is_selinux_enabled > fails to locate the is_selinux_enabled module. This leads to selinux being > disabled. Why this happens is a mystery to me as the code is identical to the > one in <portage-2.2. Yes, I can see this, I get "ImportError: cannot import name is_selinux_enabled". I wonder if there is a namespace issue, since the libselinux python wrapper is also "selinux".
Created attachment 166121 [details, diff] Rename selinux.py to _selinux.py With the name changes of all the portage modules from portage_foo to portage/foo, there's now a conflict between the portage/selinux.py wrapper for portage, and the selinux wrapper from libselinux. The internal portage module just needs to be renamed -- something as simple as _selinux.py as per this patch.
Created attachment 166125 [details, diff] Rename selinux.py to _selinux.py This one actually renames things properly, and restores proper error handling when libselinux isn't installed.
(In reply to comment #9) > Created an attachment (id=166125) [edit] > Rename selinux.py to _selinux.py That's perfect, thanks. It's in svn r11535.
This is fixed in 2.2_rc10.
