I have just installed Portage 2.1.7.1 (selinux/2007.0/amd64, gcc-4.4.1, glibc-2.10.1-r0, 2.6.31-gentoo-r1-090930 x86_64). After that "emerge <package>" fails with the following log:

Emerging 1 of 1 <package>
Traceback (most recent call last):
  File "/usr/lib64/portage/bin/ebuild", line 267, in <module>
    debug=debug, tree=mytree)
  File "/usr/lib64/portage/pym/portage/__init__.py", line 7121, in doebuild
    fetchme, mysettings, listonly=listonly, fetchonly=fetchonly):
  File "/usr/lib64/portage/pym/portage/__init__.py", line 4557, in fetch
    if _userpriv_test_write_file(mysettings, write_test_file):
  File "/usr/lib64/portage/pym/portage/__init__.py", line 4192, in _userpriv_test_write_file
    returncode = _spawn_fetch(settings, args)
  File "/usr/lib64/portage/pym/portage/__init__.py", line 4165, in _spawn_fetch
    rval = spawn_func(args, env=dict(iter(settings.items())), **kwargs)
  File "/usr/lib64/portage/pym/portage/_selinux.py", line 89, in wrapper_func
    setexec(con)
  File "/usr/lib64/portage/pym/portage/_selinux.py", line 73, in setexec
    raise OSError(_("setexec: Failed setting exec() context \"%s\".") % ctx)
OSError: setexec: Failed setting exec() context "unconfined_u:unconfined_r:portage_fetch_t".
Reproducible: Always

Steps to Reproduce:
emerge <package>

Actual Results:
errors

Expected Results:
<package> installed

host9 ~ # emerge --info
Portage 2.1.7.1 (selinux/2007.0/amd64, gcc-4.4.1, glibc-2.10.1-r0, 2.6.31-gentoo-r1-090930 x86_64)
=================================================================
System uname: Linux-2.6.31-gentoo-r1-090930-x86_64-Intel-R-_Core-TM-2_Quad_CPU_Q9400_@_2.66GHz-with-gentoo-2.0.1
Timestamp of tree: Wed, 14 Oct 2009 11:45:01 +0000
ccache version 2.4 [enabled]
app-shells/bash: 4.0_p33
dev-java/java-config: 2.1.9-r1
dev-lang/python: 2.6.3, 3.1.1-r1
dev-util/ccache: 2.4-r8
dev-util/cmake: 2.6.4-r3
sys-apps/baselayout: 2.0.1
sys-apps/openrc: 0.5.1
sys-apps/sandbox: 2.1
sys-devel/autoconf: 2.63-r1
sys-devel/automake: 1.9.6-r2, 1.10.2, 1.11
sys-devel/binutils: 2.19.1-r1
sys-devel/gcc-config: 1.4.1
sys-devel/libtool: 2.2.6a
virtual/os-headers: 2.6.30-r1
ACCEPT_KEYWORDS="amd64 ~amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=core2 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/eselect/postgresql /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-march=core2 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests ccache collision-protect distlocks fixpackages loadpolicy metadata-transfer news parallel-fetch protect-owned sandbox selinux sesandbox sfperms splitdebug strict suidctl unmerge-logs unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
INSTALL_MASK="TODO.bz2 ChangeLog.bz2 AUTHORS.bz2 TODO.gz ChangeLog.gz AUTHORS.gz"
LDFLAGS="-Wl,-O1"
LINGUAS="it it_IT en en_GB en_UK en_US"
MAKEOPTS="-j6"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="# X acl ada alsa amd64 bash-completion berkdb cli cracklib crypt cxx dbus doc dri examples fortran gif git hal htmlhandbook hvm iconv inotify ipv6 isdnlog java java6 jpeg jpeg2k kde laptop latex lm_sensors mmap mmx mng modules mplayer mudflap mysql mysqli ncurses nls nptl nptlonly nvidia odbc opengl openmp pam pcre perl png posix postgres pppd python qt4 readline reflection sdl selinux session sharedmem sockets spl sqlite sqlite3 sse sse2 ssl syslog sysvipc tcpd threads tiff unicode vim-syntax vnc wifi xattr xcb xorg xvmc zlib" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache doc env expires ext_filter file_cache filter headers ident imagemap include info innodb log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling ssl status threads unique_id userdir usertrack vhost_alias" APACHE2_MPMS="worker" ELIBC="glibc" INPUT_DEVICES="evdev keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="it it_IT en en_GB en_UK en_US" USERLAND="GNU" VIDEO_CARDS="nvidia vesa"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, LANG, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
# newrole -r sysadm_r

And everything fine for me
I'm not sure why this would fail. Maybe it's something about the selinux policies.
What makes me not so sure it's entirely a SELinux issue is that the problem also exists with "permissive" enforcement.
Any workaround? I can't build any package anymore.
Created attachment 207352 [details, diff]
try to fix selinux spawn_wrapper context usage

Looking at the difference from portage-2.1.6, I think this patch might fix it, but I don't use selinux so I need someone to test it for me. If this patch is saved as /tmp/selinux_spawn.patch, then it can be applied as follows:

patch /usr/lib/portage/pym/portage/__init__.py /tmp/selinux_spawn.patch
If the above patch doesn't work and you want to downgrade to a working version of portage, here are instructions for manual portage installation: http://www.gentoo.org/proj/en/portage/doc/manually-fixing-portage.xml
(In reply to comment #5)
> Created an attachment (id=207352) [details]
> try to fix selinux spawn_wrapper context usage
>
> Looking at the difference from portage-2.1.6, I think this patch might fix it,
> but I don't use selinux so I need someone to test it for me.
>
> [skip]
>

Unfortunately it didn't work. The last two lines of the traceback have changed:

OSError: setexec: Failed setting exec() context "unconfined_u:unconfined_r:unconfined_u:unconfined_r:unconfined_t".
(In reply to comment #7)
> Unfortunately it didn't work. The last two lines of the traceback have changed:
>
> OSError: setexec: Failed setting exec() context
> "unconfined_u:unconfined_r:unconfined_u:unconfined_r:unconfined_t".

Thanks anyway for testing. Reviewing the patches from bug 280998 and bug 280521 seems to suggest that the existing code is as intended, so I'm not sure what's wrong.
Created attachment 207366 [details, diff]
try to use setexec from the selinux_aux module (requires python-selinux package)

If you have the first patch applied, you should revert it since it's wrong. Please test this patch instead. If this patch is saved as /tmp/selinux_aux_setexec.patch, then it can be applied as follows:

patch /usr/lib/portage/pym/portage/_selinux.py /tmp/selinux_aux_setexec.patch
(In reply to comment #9)
> patch /usr/lib/portage/pym/portage/_selinux.py /tmp/selinux_aux_setexec.patch

I tried this too. Unfortunately it didn't work. Same issue, the latest lines of the bt have changed to:

  File "/usr/lib64/portage/pym/portage/_selinux.py", line 75, in setexec
    selinux_aux.setexec(ctx)
  File "selinux_aux.prx", line 255, in selinux_aux.setexec
TypeError: exceptions must be strings, classes, or instances, not exceptions.OSError

Thanks for your attention.
I'm going to create a qemu image for a gentoo selinux system, so I can use it for reproducing and fixing.
I followed the selinux handbook and I've got a qemu image running with selinux now, but I don't know how to use it yet. When I run emerge the context is showing as root:staff_r:staff_t, but I was expecting the context to have portage_t.merge as the type because of the PORTAGE_T=portage_t.merge setting that I see in the profiles/selinux/2007.0/make.defaults. So, apparently I need to learn how to get the correct context when I run emerge...
I found that I needed to use 'newrole -r sysadm_r', and then emerge was running in the correct 'root:sysadm_r:portage_t.merge' context. I installed portage-2.1.7.1 and I was not able to reproduce the problem that you report in comment #0. So, now I'm not sure why it would work for me and not some other people. I guess I can add some exception handling code so that the error that you are getting is only treated as a warning. Hopefully that will make this issue less bothersome for anyone who triggers it for whatever reason.
(In reply to comment #0)
> File "/usr/lib64/portage/pym/portage/_selinux.py", line 73, in setexec
> raise OSError(_("setexec: Failed setting exec() context \"%s\".") % ctx)
> OSError: setexec: Failed setting exec() context
> "unconfined_u:unconfined_r:portage_fetch_t".

On my system, the context would be 'root:sysadm_r:portage_fetch_t', because my login shell has context 'root:sysadm_r:sysadm_t', and the emerge process is executed with context 'root:sysadm_r:portage_t.merge', and emerge changes the context to 'root:sysadm_r:portage_fetch_t' for fetch processes.

Maybe if you put yourself in the sysadm_r role then that will help? I'm just guessing because I have very little SELinux experience.
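Added example, not part of the bug thread and not Portage's own code: the type substitution described in the comment above (keep user and role, swap only the type), with a structural check that rejects the doubled context reported after the first patch. The helper names `split_context`, `with_type` and `is_well_formed` are hypothetical, and the range pattern assumes raw sN/cN level names.

```python
import re

# Raw MLS/MCS level such as "s0" or "s0-s0:c0.c1023" (assumption: the usual
# sN / cN naming; translated level names are not handled).
_LEVEL = r"s\d+(?::c\d+(?:[.,]c\d+)*)?"
_RANGE_RE = re.compile(r"^%s(?:-%s)?$" % (_LEVEL, _LEVEL))
_FIELD_RE = re.compile(r"^[A-Za-z0-9_.]+$")


def split_context(ctx):
    """Return [user, role, type] or [user, role, type, range].

    Raises ValueError when the string is not structurally a context.
    """
    parts = ctx.split(":", 3)  # the optional range may itself contain ':'
    if len(parts) < 3 or not all(_FIELD_RE.match(p) for p in parts[:3]):
        raise ValueError("malformed SELinux context: %r" % (ctx,))
    if len(parts) == 4 and not _RANGE_RE.match(parts[3]):
        raise ValueError("malformed range in context: %r" % (ctx,))
    return parts


def with_type(current_ctx, new_type):
    """Derive an exec context: same user, role and range, new type only."""
    parts = split_context(current_ctx)
    # Passing a full context where a bare type is expected is what produces
    # strings like "u:r:u:r:t"; refuse it here instead of at setexec time.
    if not _FIELD_RE.match(new_type):
        raise ValueError("expected a bare type, got %r" % (new_type,))
    parts[2] = new_type
    return ":".join(parts)


def is_well_formed(ctx):
    """Structural check only; the loaded policy still decides whether the
    user/role/type combination is a valid context."""
    try:
        split_context(ctx)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print(with_type("root:sysadm_r:portage_t.merge", "portage_fetch_t"))
    print(is_well_formed(
        "unconfined_u:unconfined_r:unconfined_u:unconfined_r:unconfined_t"))
```

A context can pass this check and still be refused by the kernel, as with the "is not a valid context" error reported later in the thread, because validity depends on the loaded policy.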
(In reply to comment #14)
>
> Maybe if you put yourself in the sysadm_r role then that will help? I'm just
> guessing because I have very little SELinux experience.
>

I cannot put myself in the sysadm role. I have tried "# newrole -r sysadm_r" but it resulted in an invalid context's error (unfortunately I don't remember details).

fabio
(In reply to comment #15)
> (In reply to comment #14)
> >
> > Maybe if you put yourself in the sysadm_r role then that will help? I'm just
> > guessing because I have very little SELinux experience.
> >
>
> I cannot put myself in the sysadm role. I have tried "# newrole -r sysadm_r"
> but it resulted in an invalid context's error (unfortunately I don't remember
> details).
>
> fabio
>

The exact error is "system_u:sysadm_r:sysadm_t is not a valid context".
(In reply to comment #16)
> The exact error is "system_u:sysadm_r:sysadm_t is not a valid context".

I'm not sure exactly where that context is supposed to be defined, but sec-policy/selinux-base-policy seems like a logical place. What version of this package do you have? You might need to go through the "Converting to Gentoo SELinux" portion of the Gentoo SELinux Handbook, and make sure that you've done everything described there.
*** This bug has been marked as a duplicate of bug 286497 ***