When emerging hardened-sources I'm getting this on every single file from the kernel source:

 - /usr/src/linux-2.6.14-hardened-r5/arch/mips/configs/e55_defconfig will be a world writable file.
 - This may or may not be a security problem, most of the time it is one.
 - Please double check that hardened-sources-2.6.14-r5 really needs a world writeable bit and file bugs accordingly.
Hi. Firstly, please attach the output of "emerge --info" to this bug. Secondly, assuming that /usr/src/linux is a symlink to a freshly emerged hardened-sources tree, could you please run the following command and convey the contents? If the file turns out to be very large then it would probably be better if you bzip it and attach it to the bug as an octet-stream.

# find /usr/src/linux -follow -printf '%m %p\n' | grep -Ev '^(644|755)' > /tmp/linux-tree-perms.out
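A self-contained version of the permission check requested above, added here as an example and not part of the bug thread: it runs the same find over a constructed sample tree (one file deliberately world writable) and separately isolates the o+w case that Portage's warning is about. It assumes GNU findutils (for -follow and -printf), as on a Gentoo host.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumes GNU find (-follow, -printf).

# Print "mode path" for every entry under $1 whose mode is not 644 or 755,
# the same filter as the find command in the thread. Prints nothing when the
# tree is clean (the "0 length file" case reported later).
odd_perms() {
    find "$1" -follow -printf '%m %p\n' | grep -Ev '^(644|755) ' || true
}

# Print only regular files with the other-write bit set (-perm -002): this is
# exactly what Portage's "will be a world writable file" message refers to.
world_writable() {
    find "$1" -follow -type f -perm -002 -printf '%m %p\n'
}

# Build a constructed sample tree so both checks can be exercised offline.
# The path names mirror the one quoted in the report; the modes are ours.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/arch/mips/configs"
    : > "$dir/arch/mips/configs/e55_defconfig"
    : > "$dir/Makefile"
    chmod 755 "$dir" "$dir/arch" "$dir/arch/mips" "$dir/arch/mips/configs"
    chmod 644 "$dir/Makefile"                          # normal source file
    chmod 666 "$dir/arch/mips/configs/e55_defconfig"   # deliberately world writable
    printf '%s\n' "$dir"
}
```

Running `odd_perms /usr/src/linux` on a real tree reproduces the attachment requested in the thread; `world_writable` narrows it to the files that actually trigger the warning.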
Gentoo Base System version 1.6.14
Portage 2.0.54 (selinux/2005.1/x86/hardened, gcc-3.4.5, glibc-2.3.5-r2, 2.6.15-gentoo-r1 i686)
=================================================================
System uname: 2.6.15-gentoo-r1 i686 Intel(R) Pentium(R) 4 CPU 3.06GHz
dev-lang/python: 2.3.5, 2.4.2
sys-apps/sandbox: 1.2.12
sys-devel/autoconf: 2.13, 2.59-r6
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils: 2.16.1
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-Os -fomit-frame-pointer -march=i486 -mtune=pentium -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
CXXFLAGS="-Os -fomit-frame-pointer -march=i486 -mtune=pentium -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks sandbox selinux sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="berkdb bzip2 cdr crypt dlloader expat gd gdbm gmp hardened ncurses nls pam pcre perl pic png python readline selinux ssl truetype udev usb x86 zlib userland_GNU kernel_linux elibc_glibc"
Unset: ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS, MAKEOPTS, PORTDIR_OVERLAY
The find command produced a 0 length file.
The emerge --info output will be a little skewed because it's from a chroot environment.
I bet this is an selinux/policy thing disallowing a part of portage from reading permissions correctly, which is leading to a false error msg. Switching security@ to CC: and assigning to selinux@ cuz I can't reproduce this bug in any way. If I am in error please reassign.
It's interesting because at the start of 'emerge hardened-sources' I get this:

>>> Source unpacked.
>>> Test phase [not enabled]: sys-kernel/hardened-sources-2.6.14-r5
>>> Install hardened-sources-2.6.14-r5 into /var/tmp/portage/hardened-sources-2.6.14-r5/image/ category sys-kernel
>>> Copying sources ...
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
man: shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
prepallstrip: shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
find: cannot get current directory: No such file or directory

and then all the security messages start bleating out.
So, to sum up, the bug summary is: 'hardened-sources-2.6.14-r5 produces world writable files'.

(comment #1)
# find /usr/src/linux -follow -printf '%m %p\n' | grep -Ev '^(644|755)' > /tmp/linux-tree-perms.out

(comment #3)
The find command produced a 0 length file.

So this bug has no valid basis to begin with.

(comment #6)
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory

Are you enforcing there? If yes, what are the exact avc denies you get?
Closing this as hardened-sources-2.6.16-r11 works fine.