21315 – Portage breakage in selinux

Bug 21315 - Portage breakage in selinux

Summary: Portage breakage in selinux

Status:	RESOLVED FIXED

Alias:	None

Product:	Portage Development
Classification:	Unclassified
Component:	Unclassified (show other bugs)
Hardware:	All Linux

Importance:	High major (vote)
Assignee:	Nicholas Jones (RETIRED)

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2003-05-20 00:43 UTC by Chris PeBenito (RETIRED)
Modified:	2011-10-30 22:21 UTC (History)
CC List:	3 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Chris PeBenito (RETIRED) gentoo-dev

2003-05-20 00:43:43 UTC

Ok, I'm getting breakage, only in selinux, that looks like this:

alpha policy-dev # emerge -Uu world
Calculating world dependencies ...done!
>>> emerge (1 of 1) app-admin/gentoolkit-0.1.23 to /

Traceback (most recent call last):
  File "/usr/bin/emerge", line 1934, in ?
    mydepgraph.merge(mydepgraph.altlist())
  File "/usr/bin/emerge", line 1189, in merge
    retval=portage.doebuild(y,"clean",myroot,edebug)
  File "/usr/lib/python2.2/site-packages/portage.py", line 1490, in doebuild
    myso=getstatusoutput("uname -r")
  File "/usr/lib/python2.2/commands.py", line 55, in getstatusoutput
    sts = pipe.close()
IOError: [Errno 10] No child processes

This is in permissive mode, so the selinux security policy is not enforced,
therefore it isn't a policy problem.  I created a test script to show the failure:

#!/usr/bin/env python2.2
import commands
commands.getstatusoutput("uname -r")

I did some stracing, and diffed the outputs.  The only interesting difference
that I found was this: (- is the failing one)

@@ -134,7 +134,7 @@
 rt_sigaction(SIGALRM, NULL, {SIG_DFL}, 8) = 0
 rt_sigaction(SIGTERM, NULL, {SIG_DFL}, 8) = 0
 rt_sigaction(SIGSTKFLT, NULL, {SIG_DFL}, 8) = 0
-rt_sigaction(SIGCHLD, NULL, {SIG_IGN}, 8) = 0
+rt_sigaction(SIGCHLD, NULL, {SIG_DFL}, 8) = 0
 rt_sigaction(SIGCONT, NULL, {SIG_DFL}, 8) = 0
 rt_sigaction(SIGSTOP, NULL, {SIG_DFL}, 8) = 0
 rt_sigaction(SIGTSTP, NULL, {SIG_DFL}, 8) = 0

It fails because the SIGCHLD signal is ignored.  To verify that this is the
case, I changed my test program to this:

#!/usr/bin/env python2.2
import commands,signal
signal.signal(signal.SIGCHLD,signal.SIG_DFL)
commands.getstatusoutput("uname -r")

and it ran successfully.  I put the signal code into /usr/lib/portage/bin/emerge
at the top, and then I was able to run emerge successfully.

So the question is, why is portage deciding to ignore SIGCHLD?  The thing that
is odd, is that I get the breakage running in the sysadm_t and portage_t
domains, but not in user_t domain.  That makes it sound like it could be a
selinux problem, but, again, its running in permissive mode.  There aren't any
denials either (shows what would have been denied if it was enforcing).

Comment 1 Paul Kronenwetter 2003-05-23 21:23:35 UTC

By the way, the same thing happens with ebuild.  Same fix works too.

Comment 2 Chris PeBenito (RETIRED) gentoo-dev

2003-09-04 09:12:17 UTC

This one is fixed by the selinux code in 2.0.49.