Bug 514936 - install-xattr fails with "No such file or directory" if the binary to be installed has already been pax-marked
Status: RESOLVED UPSTREAM
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux (show other bugs)
Hardware: All Linux
Importance: High blocker
Assignee: SE Linux Bugs
Blocks: 501534
Reported: 2014-06-24 15:41 UTC by Jason Zaman
Modified: 2014-06-24 21:56 UTC (History)


Attachments
build.log with test enabled, resulting in a failure (file_514936.txt,59.95 KB, text/plain)
2014-06-24 15:44 UTC, Jason Zaman
fix for install-xattr (file_514936.txt,695 bytes, patch)
2014-06-24 18:20 UTC, Jason Zaman
patch with fix as well as added a test case (file_514936.txt,2.13 KB, patch)
2014-06-24 19:23 UTC, Jason Zaman

Description Jason Zaman gentoo-dev 2014-06-24 15:41:27 UTC
Following the instructions from blueness' email [1] to make portage use install-xattr, I get a failure during the install phase.

[1]: http://article.gmane.org/gmane.linux.gentoo.hardened/6242

I have narrowed the issue down to install-xattr running inside portage_sandbox_t, which is denied capability sys_admin.

Steps to reproduce:
1) make sure SELinux is in enforcing mode (this might work in permissive too)
2) make sure FEATURES has both sesandbox and test enabled.
3) emerge johntheripper
4) failure during install phase

If FEATURES=test is turned off, johntheripper will install normally.
The difference seems to be that john pax-marks during src_test: install-xattr will work if there are no pax-marks on the binary already, but will fail if they exist.

This will almost certainly require a new domain (e.g. portage_helper_t) which is allowed cap sys_admin and which portage_sandbox_t is allowed to transition to.


I get the following AVCs in audit.log:

type=AVC msg=audit(1403623979.254:4572): avc:  denied  { sys_admin } for  pid=8475 comm="install-xattr" capability=21  scontext=staff_u:sysadm_r:portage_sandbox_t tcontext=staff_u:sysadm_r:portage_sandbox_t tclass=capability
type=SYSCALL msg=audit(1403623979.254:4572): arch=c000003e syscall=194 success=yes exit=32 a0=3d853372509 a1=0 a2=0 a3=341d7c04618 items=1 ppid=8472 pid=8475 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="install-xattr" exe="/usr/bin/install-xattr" subj=staff_u:sysadm_r:portage_sandbox_t key=(null)
type=CWD msg=audit(1403623979.254:4572):  cwd="/var/tmp/portage/app-crypt/johntheripper-1.7.9-r6/work/john-1.7.9"
type=PATH msg=audit(1403623979.254:4572): item=0 name="run/john" inode=1369033 dev=00:1e mode=0100755 ouid=250 ogid=250 rdev=00:00 obj=staff_u:object_r:portage_tmp_t nametype=NORMAL
type=AVC msg=audit(1403623979.254:4573): avc:  denied  { sys_admin } for  pid=8475 comm="install-xattr" capability=21  scontext=staff_u:sysadm_r:portage_sandbox_t tcontext=staff_u:sysadm_r:portage_sandbox_t tclass=capability
type=SYSCALL msg=audit(1403623979.254:4573): arch=c000003e syscall=194 success=yes exit=32 a0=3d853372509 a1=2c24db6c30 a2=20 a3=341d7c04618 items=1 ppid=8472 pid=8475 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="install-xattr" exe="/usr/bin/install-xattr" subj=staff_u:sysadm_r:portage_sandbox_t key=(null)
type=CWD msg=audit(1403623979.254:4573):  cwd="/var/tmp/portage/app-crypt/johntheripper-1.7.9-r6/work/john-1.7.9"
type=PATH msg=audit(1403623979.254:4573): item=0 name="run/john" inode=1369033 dev=00:1e mode=0100755 ouid=250 ogid=250 rdev=00:00 obj=staff_u:object_r:portage_tmp_t nametype=NORMAL
Comment 1 Jason Zaman gentoo-dev 2014-06-24 15:44:52 UTC
Created attachment 379594 [details]
build.log with test enabled, resulting in a failure
Comment 2 Jason Zaman gentoo-dev 2014-06-24 18:20:21 UTC
Created attachment 379612 [details, diff]
fix for install-xattr

I put an echo into the bash wrapper to get the exact command run,
then I strace'd it and the path on the setxattr is wrong. This patch fixes it.

Command being run by the ebuild:
exec /usr/bin/install-xattr -m0755 -o 0 -g 0 run/john /var/tmp/portage/app-crypt/johntheripper-1.7.9-r6/image//usr/sbin
install-xattr: setxattr() failed: No such file or directory

Excerpt from strace'ing the above command:
setxattr("/var/tmp/portage/app-crypt/johntheripper-1.7.9-r6/image//usr/sbin/run/john", "user.pax.flags", "emr", 3, 0) = -1 ENOENT (No such f
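The path mistake diagnosed in comment 2 (the directory destination gets the whole source path "run/john" appended instead of only its basename) shown beside the corrected composition, as an added illustration that is not install-xattr's own code or the attached patch; the `isdir` parameter is a constructed hook so the resolution can be exercised without touching the filesystem, and the xattr copy assumes a Linux filesystem that supports user.* attributes.

```python
"""install(1)-style path resolution plus user.* xattr carry-over.

Added illustration for the bug, not elfix/install-xattr code: shows the
faulty composition (dest + full source path) next to the basename one,
then copies user.* xattrs such as user.pax.flags across.
"""
import errno
import os
import shutil


def resolve_dest_buggy(src, dest, isdir=os.path.isdir):
    """Faulty composition: 'run/john' installed into '/image//usr/sbin'
    yields '/image//usr/sbin/run/john', which install never created, so
    the following setxattr() fails with ENOENT."""
    return os.path.join(dest, src) if isdir(dest) else dest


def resolve_dest(src, dest, isdir=os.path.isdir):
    """install(1) semantics: a file placed into a directory destination
    lands there under its basename only."""
    return os.path.join(dest, os.path.basename(src)) if isdir(dest) else dest


def copy_user_xattrs(src, dst):
    """Copy every user.* xattr (e.g. user.pax.flags) from src to dst and
    return the names copied. ENOTSUP/ENODATA are tolerated because not
    every filesystem carries user xattrs."""
    copied = []
    try:
        names = os.listxattr(src)
    except OSError as e:
        if e.errno in (errno.ENOTSUP, errno.ENODATA):
            return copied
        raise
    for name in names:
        if name.startswith("user."):
            os.setxattr(dst, name, os.getxattr(src, name))
            copied.append(name)
    return copied


def install_with_xattrs(src, dest, mode=0o755):
    """Copy src to dest (file or directory target) like install, then carry
    the user.* xattrs across using the corrected path resolution."""
    target = resolve_dest(src, dest)
    shutil.copyfile(src, target)
    os.chmod(target, mode)
    copy_user_xattrs(src, target)
    return target
```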
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2014-06-24 18:28:45 UTC
I can confirm that the patch fixes the johntheripper build failure.
Comment 4 Jason Zaman gentoo-dev 2014-06-24 19:23:10 UTC
Created attachment 379616 [details, diff]
patch with fix as well as added a test case

This fixes the issue for me. The test case fails without the basename patch and succeeds with it. Can someone else confirm the test script?
Comment 5 Anthony Basile gentoo-dev 2014-06-24 21:56:10 UTC
(In reply to Jason Zaman from comment #4)
> Created attachment 379616 [details, diff]
> patch with fix as well as added a test case
> 
> This fixes the issue for me. The test case fails without the basename patch
> and succeeds with it. Can someone else confirm the test script?

Committed.

http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=commit;h=18586b8eef2dee0f432d7f57b642fa177aebc788

Keeping testing with install-xattr-9999.ebuild so we don't hit the same bug again.