When attempting to emerge a package (ANY package) on an SELinux system with Targeted policy, portage will abort with something like the following:

Traceback (most recent call last):
  File "/usr/lib64/portage/pym/_emerge/EbuildFetcher.py", line 113, in _spawn
    allow_missing_digests=False):
  File "/usr/lib64/portage/pym/portage/package/ebuild/fetch.py", line 489, in fetch
    if _userpriv_test_write_file(mysettings, write_test_file):
  File "/usr/lib64/portage/pym/portage/package/ebuild/fetch.py", line 122, in _userpriv_test_write_file
    returncode = _spawn_fetch(settings, args)
  File "/usr/lib64/portage/pym/portage/package/ebuild/fetch.py", line 90, in _spawn_fetch
    rval = spawn_func(args, env=settings.environ(), **kwargs)
  File "/usr/lib64/portage/pym/portage/_selinux.py", line 105, in wrapper_func
    setexec(con)
  File "/usr/lib64/portage/pym/portage/_selinux.py", line 79, in setexec
    if selinux.setexeccon(ctx) < 0:
OSError: [Errno 22] Invalid argument

This occurs whether the system is running permissive or enforcing.

Reproducible: Always

This problem LOOKS like an SELinux permission problem. The user is logged in via SSH, and

selinux-sixtyfour ~# id -Z
unconfined_u:unconfined_r:unconfined_t

seems to indicate that the user is in fact in the unconfined_t domain, meaning that this SHOULD work just fine. But it doesn't. Switching the system to strict mode allows things to work properly.
Created attachment 263867 [details] emerge --info
Created attachment 263869 [details] failed selinux-base-policy build log
Looks as if the current portage module doesn't support unconfined use (i.e. it requires proper transitioning through sysadm_t). Does it fix things with the following added to portage.te?

optional_policy(`
	unconfined_domain(portage_t)
')
That doesn't seem to work. I added it to the portage.te file at line 17, but I'm still getting the errors.
Can you try installing selinux-base-policy-2.20101213-r9 (from hardened-dev overlay)? It allows the unconfined_t to transition to the portage_* domains (including portage_fetch_t, sandbox, ...). Previously, this wasn't the case. The error you received was from SELinux saying that a transition to unconfined_u:unconfined_r:portage_fetch_t isn't allowed (as unconfined_r has no access to the portage_fetch_t domain). I had two choices: either make the various portage domains part of the unconfined "cloud", or allow the unconfined domains to transition to the portage domains. I prefer the latter.
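The two policy choices described in the comment above, written out as an added illustrative policy fragment (this is not the bug's attachment and not the code of the hardened-dev overlay). It assumes the refpolicy interfaces unconfined_domain() (named in comment 4) and portage_run(domain, role) from portage.if, which grants the domain transition on portage_exec_t and associates the portage domains with the given role; the exact interface used in selinux-base-policy-2.20101213-r9 is not shown on this page.

```m4
# Added example, not from the bug report or the overlay.
#
# Option A: fold portage_t into the unconfined "cloud". The portage
# domains then inherit unconfined privileges, so the confinement of
# the build/fetch steps is lost. Assumes refpolicy's unconfined_domain().
optional_policy(`
	unconfined_domain(portage_t)
')

# Option B (the one the maintainer prefers): keep portage_t,
# portage_fetch_t and portage_sandbox_t confined, but let the
# unconfined user enter them. Assumes portage_run(domain, role) exists
# in portage.if and adds the role/type pairs that the failed
# transition to unconfined_u:unconfined_r:portage_fetch_t was missing.
optional_policy(`
	portage_run(unconfined_t, unconfined_r)
')
```

After loading the rebuilt module, the cause named in the comment can be checked directly: `seinfo -r unconfined_r -x` should now list portage_fetch_t among the types authorized for the role, and `sesearch -T -s unconfined_t -t portage_exec_t -c process` should show the type transition into portage_t. If the role listing still lacks the portage types, setexeccon() will keep failing with EINVAL regardless of permissive mode, because the kernel rejects the context as invalid rather than logging an AVC denial.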
*** This bug has been marked as a duplicate of bug 355745 ***