Ok, I'm getting breakage, only in selinux, that looks like this:

alpha policy-dev # emerge -Uu world
Calculating world dependencies ...done!
>>> emerge (1 of 1) app-admin/gentoolkit-0.1.23 to /
Traceback (most recent call last):
  File "/usr/bin/emerge", line 1934, in ?
    mydepgraph.merge(mydepgraph.altlist())
  File "/usr/bin/emerge", line 1189, in merge
    retval=portage.doebuild(y,"clean",myroot,edebug)
  File "/usr/lib/python2.2/site-packages/portage.py", line 1490, in doebuild
    myso=getstatusoutput("uname -r")
  File "/usr/lib/python2.2/commands.py", line 55, in getstatusoutput
    sts = pipe.close()
IOError: [Errno 10] No child processes

This is in permissive mode, so the selinux security policy is not enforced, therefore it isn't a policy problem. I created a test script to show the failure:

#!/usr/bin/env python2.2
import commands
commands.getstatusoutput("uname -r")

I did some stracing, and diffed the outputs. The only interesting difference that I found was this: (- is the failing one)

@@ -134,7 +134,7 @@
 rt_sigaction(SIGALRM, NULL, {SIG_DFL}, 8) = 0
 rt_sigaction(SIGTERM, NULL, {SIG_DFL}, 8) = 0
 rt_sigaction(SIGSTKFLT, NULL, {SIG_DFL}, 8) = 0
-rt_sigaction(SIGCHLD, NULL, {SIG_IGN}, 8) = 0
+rt_sigaction(SIGCHLD, NULL, {SIG_DFL}, 8) = 0
 rt_sigaction(SIGCONT, NULL, {SIG_DFL}, 8) = 0
 rt_sigaction(SIGSTOP, NULL, {SIG_DFL}, 8) = 0
 rt_sigaction(SIGTSTP, NULL, {SIG_DFL}, 8) = 0

It fails because the SIGCHLD signal is ignored. To verify that this is the case, I changed my test program to this:

#!/usr/bin/env python2.2
import commands,signal
signal.signal(signal.SIGCHLD,signal.SIG_DFL)
commands.getstatusoutput("uname -r")

and it ran successfully. I put the signal code into /usr/lib/portage/bin/emerge at the top, and then I was able to run emerge successfully.

So the question is, why is portage deciding to ignore SIGCHLD? The thing that is odd is that I get the breakage running in the sysadm_t and portage_t domains, but not in the user_t domain. That makes it sound like it could be a selinux problem, but, again, it's running in permissive mode. There aren't any denials either (shows what would have been denied if it was enforcing).
By the way, the same thing happens with ebuild. Same fix works too.
This one is fixed by the selinux code in 2.0.49.
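
The failure mode from the first report, reproduced as an added example (not code from this thread or from portage): on Linux, a SIGCHLD disposition of SIG_IGN makes waiting for a child fail with ECHILD, and that disposition survives exec, so a program can start with it already set by whatever launched it. It assumes Python 3 on Linux; the function names are hypothetical, and os.fork/os.waitpid stand in for the Python 2.2 commands module used in the report.

```python
import errno
import os
import signal
import subprocess
import sys


def _set_sigchld(ignore):
    """Set SIGCHLD to SIG_IGN or SIG_DFL; return the previous disposition."""
    new = signal.SIG_IGN if ignore else signal.SIG_DFL
    return signal.signal(signal.SIGCHLD, new)


def wait_for_child(ignore):
    """Fork a child that exits with status 7, then wait for it."""
    previous = _set_sigchld(ignore)  # ignore=False is the reset used in the report
    try:
        pid = os.fork()
        if pid == 0:
            os._exit(7)  # child: exit immediately with a known status
        try:
            _, status = os.waitpid(pid, 0)
        except ChildProcessError as exc:
            # Ignored SIGCHLD: the kernel reaps the child itself, so there
            # is nothing left to wait for ("No child processes").
            return ("error", errno.errorcode[exc.errno])
        return ("exited", os.WEXITSTATUS(status))
    finally:
        signal.signal(signal.SIGCHLD, previous or signal.SIG_DFL)


def disposition_after_exec(ignore):
    """Report the SIGCHLD disposition a freshly exec'd interpreter starts with."""
    previous = _set_sigchld(ignore)
    try:
        probe = "import signal; print(signal.getsignal(signal.SIGCHLD).name)"
        out = subprocess.run([sys.executable, "-c", probe],
                             capture_output=True, text=True).stdout
        return out.strip()
    finally:
        signal.signal(signal.SIGCHLD, previous or signal.SIG_DFL)


if __name__ == "__main__":
    for ignore in (False, True):
        print(ignore, wait_for_child(ignore), disposition_after_exec(ignore))
```
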