Bug 162850 - selinux global use.mask masks acl
Summary: selinux global use.mask masks acl
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: High normal
Assignee: SE Linux Bugs
Reported: 2007-01-19 21:59 UTC by Arthur Hagen
Modified: 2008-10-03 13:46 UTC
Description Arthur Hagen 2007-01-19 21:59:39 UTC
The selinux profile parent use.mask should not block acl.  These are not competing but complementary systems.

Reproducible: Always

While it's more cumbersome to configure a system with both SELinux and posix acls, there is no technical reason not to, and reasons why some systems might want it.  For example, selinux has no provisions for a file owner to add or deny access to a single user, while posix acls have no way to enforce based on process.  The two complement each other, even though some of the functionality partially overlaps.
In addition, users might want to use acl while running an selinux system in permissive mode.

Workaround:
mkdir -p /etc/portage/profile && \
touch /etc/portage/profile/use.mask && \
echo "-acl" >>/etc/portage/profile/use.mask
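
Added example, not part of the original report and not Portage code: a shell sketch of why the one-line workaround works, assuming use.mask files are stacked in order (parent profile first, /etc/portage/profile last), that a bare flag adds a mask and "-flag" removes one set earlier, and that "#" starts a comment. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# effective_mask FILE...: print the USE flags still masked after applying
# each use.mask file in order (earlier files are parents, later ones override).
effective_mask() {
    masked=""
    for f in "$@"; do
        [ -r "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            line=${line%%#*}                      # drop comments
            for tok in $line; do
                case $tok in
                    -*) flag=${tok#-}             # "-acl": lift an earlier mask
                        new=""
                        for m in $masked; do
                            [ "$m" = "$flag" ] || new="$new $m"
                        done
                        masked=$new ;;
                    *)  case " $masked " in       # "acl": add mask once
                            *" $tok "*) ;;
                            *) masked="$masked $tok" ;;
                        esac ;;
                esac
            done
        done < "$f"
    done
    echo $masked                                  # unquoted: trims spacing
}

# is_masked FLAG FILE...: exit 0 if FLAG is masked after stacking FILEs.
is_masked() {
    flag=$1; shift
    case " $(effective_mask "$@") " in
        *" $flag "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: a parent mask listing acl, and the local override.
demo_dir=$(mktemp -d)
printf '%s\n' '# parent profile (constructed)' 'acl' > "$demo_dir/parent.mask"
printf '%s\n' '-acl' > "$demo_dir/local.mask"
echo "parent only : $(effective_mask "$demo_dir/parent.mask")"
echo "with local  : $(effective_mask "$demo_dir/parent.mask" "$demo_dir/local.mask")"
rm -rf "$demo_dir"
```
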
Comment 1 petre rodan (RETIRED) gentoo-dev 2007-01-20 07:33:27 UTC
I can't remember the exact details, but the acl USEFLAG was masked in the selinux profile about 2 years ago due to a problem in coreutils IIRC that made its presence known once that package was compiled with both selinux and acl.
Comment 2 Arthur Hagen 2007-01-20 18:43:14 UTC
(In reply to comment #1)
> I can't remember the exact details, but the acl USEFLAG was masked in the
> selinux profile about 2 years ago due to a problem in coreutils IIRC that made
> its presence known once that package was compiled with both selinux and acl.

This was fixed in coreutils a long time ago:

*coreutils-5.0-r4 (12 Sep 2003)

  12 Sep 2003; Seemant Kulleen <seemant@gentoo.org> coreutils-5.0-r4.ebuild:
  ACL patches _finally_ added into coreutils.  A note about this.  If "acl"
  and "selinux" are both in USE, then "selinux" will be preferred and "acl"
  discarded.
Comment 3 Chris PeBenito (RETIRED) gentoo-dev 2008-10-03 13:46:39 UTC
(In reply to comment #2)
> (In reply to comment #1)
> > I can't remember the exact details, but the acl USEFLAG was masked in the
> > selinux profile about 2 years ago due to a problem in coreutils IIRC that made
> > its presence known once that package was compiled with both selinux and acl.
> 
> This was fixed in coreutils a long time ago:
> 
> *coreutils-5.0-r4 (12 Sep 2003)
> 
>   12 Sep 2003; Seemant Kulleen <seemant@gentoo.org> coreutils-5.0-r4.ebuild:
>   ACL patches _finally_ added into coreutils.  A note about this.  If "acl"
>   and "selinux" are both in USE, then "selinux" will be preferred and "acl"
>   discarded.

There was a bug after that one, but I don't remember when it was fixed.  The mask has been removed.