Bug 232284 - net-analyzer/mrtg-2.16.1: can't emerge/upgrade (selinux enforcing mode)
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: IA64 Linux
Importance: High normal
Assignee: SE Linux Bugs
Reported: 2008-07-19 02:28 UTC by Marian 'VooDooMan' Meravy
Modified: 2008-10-18 13:56 UTC

Description Marian 'VooDooMan' Meravy 2008-07-19 02:28:15 UTC
I use a hardened kernel (PaX, GRsec, SELinux)

$ uname -a
Linux circular 2.6.24-hardened-r3-circular-prod.2 #1 SMP Sat Jul 19 00:45:19 CEST 2008 x86_64 Intel(R) Core(TM)2 Duo CPU E4500 @ 2.20GHz GenuineIntel GNU/Linux

I can't run "# emerge -uDNa"; emerge fails.

Reproducible: Always

Steps to Reproduce:
1. "# emerge -uDN mrtg"

Actual Results:  
Script started on Sat Jul 19 04:22:52 2008
circular ~ # emerge -uDN mrtg
Calculating dependencies... done!
>>> Verifying ebuild Manifests...

>>> Emerging (1 of 1) net-analyzer/mrtg-2.16.1 to /
 * mrtg-2.16.1.tar.gz RMD160 SHA1 SHA256 size ;-) ... [ ok ]
 * checking ebuild checksums ;-) ... [ ok ]
 * checking auxfile checksums ;-) ... [ ok ]
 * checking miscfile checksums ;-) ... [ ok ]
 * checking mrtg-2.16.1.tar.gz ;-) ... [ ok ]
>>> Unpacking source...
>>> Unpacking mrtg-2.16.1.tar.gz to /var/tmp/portage/net-analyzer/mrtg-2.16.1/work
>>> Source unpacked.
>>> Compiling source in /var/tmp/portage/net-analyzer/mrtg-2.16.1/work/mrtg-2.16.1 ...
./configure --prefix=/usr --host=x86_64-pc-linux-gnu --mandir=/usr/share/man --infodir=/usr/share/info --datadir=/usr/share --sysconfdir=/etc --localstatedir=/var/lib --libdir=/usr/lib64 --build=x86_64-pc-linux-gnu
checking for x86_64-pc-linux-gnu-gcc... x86_64-pc-linux-gnu-gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables... 
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether x86_64-pc-linux-gnu-gcc accepts -g... yes
checking for x86_64-pc-linux-gnu-gcc option to accept ISO C89... none needed
checking how to run the C preprocessor... x86_64-pc-linux-gnu-gcc -E
checking whether make sets $(MAKE)... yes
checking for a BSD-compatible install... /usr/bin/install -c
checking for perl... /usr/bin/perl
checking for groff... /usr/bin/groff
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking for inttypes.h... (cached) yes
checking for unsigned long long... yes
checking for long long... yes
checking for strtoll... yes
checking for printf long long format specifier... %lld
checking for pow in -lm... yes
checking for gdImageGif in -lgd... yes
checking for gdImagePng in -lgd... yes
checking for gdImagePng_jpg in -lgd... no
checking for gdImagePng_jpg_ft in -lgd... no
checking for gdImageGd in -lgd... yes
checking gd.h usability... yes
checking gd.h presence... yes
checking for gd.h... yes
checking the weather... (cached) it's fine
checking if we can use GCC-specific compiler options... yes
configure: creating ./config.status
config.status: creating Makefile
config.status: WARNING:  Makefile.in seems to ignore the --datarootdir setting
config.status: creating config.h
ordering CD from http://tobi.oetiker.ch/wish .... just kidding ;-)

----------------------------------------------------------------
Config is DONE!

Type 'make' to compile the software

       ... that wishlist mentioned above does really exist. So if
you feel like showing your appreciation for MRTG, this is the
place to go. I just love CDs and DVDs

                            -- Tobi Oetiker <tobi@oetiker.ch>
----------------------------------------------------------------
x86_64-pc-linux-gnu-gcc -DGFORM_GD=gdImagePng -O2 -march=nocona -pipe -Wall -Wpointer-arith -Wcast-align -Wmissing-declarations -Wnested-externs -Winline -W -DHAVE_CONFIG_H -c ./src/rateup.c -o bin/rateup.o
/usr/bin/perl -0777 -p -i~ -e "s'^#!\s*/\S*perl'#! /usr/bin/perl'" ./bin/cfgmaker ./bin/indexmaker ./bin/mrtg
/usr/bin/perl -0777 -p -i~ -e 's@GRAPHFMT="...";@GRAPHFMT="png";@' ./bin/mrtg ./bin/indexmaker
./src/rateup.c: In function 'update':
./src/rateup.c:1576: warning: comparison between signed and unsigned
./src/rateup.c:1613: warning: comparison between signed and unsigned
./src/rateup.c:1650: warning: comparison between signed and unsigned
./src/rateup.c:1687: warning: comparison between signed and unsigned
LD_RUN_PATH= x86_64-pc-linux-gnu-gcc bin/rateup.o -o bin/rateup   -Wl,-Bstatic -lgd -lpng -lz -Wl,-Bdynamic  -lm 
>>> Source compiled.
>>> Test phase [not enabled]: net-analyzer/mrtg-2.16.1

>>> Install mrtg-2.16.1 into /var/tmp/portage/net-analyzer/mrtg-2.16.1/image/ category net-analyzer
/usr/bin/perl -0777 -p -i~ -e "s'^#!\s*/\S*perl'#! /usr/bin/perl'" ./bin/cfgmaker ./bin/indexmaker ./bin/mrtg
/usr/bin/perl -0777 -p -i~ -e 's@GRAPHFMT="...";@GRAPHFMT="png";@' ./bin/mrtg ./bin/indexmaker
/bin/sh ./mkinstalldirs /var/tmp/portage/net-analyzer/mrtg-2.16.1/image//usr/bin
mkdir /var/tmp/portage/net-analyzer/mrtg-2.16.1/image/usr
mkdir /var/tmp/portage/net-analyzer/mrtg-2.16.1/image/usr/bin
for x in ./bin/mrtg ./bin/cfgmaker ./bin/indexmaker ./bin/mrtg-traffic-sum; do \
	  /usr/bin/install -c -m 755 $x /var/tmp/portage/net-analyzer/mrtg-2.16.1/image//usr/bin; done
for x in bin/rateup; do \
	  /usr/bin/install -c -m 755 $x /var/tmp/portage/net-analyzer/mrtg-2.16.1/image//usr/bin; done
/bin/sh ./mkinstalldirs /var/tmp/portage/net-analyzer/mrtg-2.16.1/image//usr/lib64/mrtg2/Pod
mkdir /var/tmp/portage/net-analyzer/mrtg-2.16.1/image/usr/lib64
mkdir /var/tmp/portage/net-analyzer/mrtg-2.16.1/image/usr/lib64/mrtg2
mkdir /var/tmp/portage/net-analyzer/mrtg-2.16.1/image/usr/lib64/mrtg2/Pod
for x in ./lib/mrtg2/*.pm; do \
	  /usr/bin/install -c -m 644 $x /var/tmp/portage/net-analyzer/mrtg-2.16.1/image//usr/lib64/mrtg2; done
for x in ./lib/mrtg2/Pod/*.pm; do \
	  /usr/bin/install -c -m 644 $x /var/tmp/portage/net-analyzer/mrtg-2.16.1/image//usr/lib64/mrtg2/Pod; done
/bin/sh ./mkinstalldirs /var/tmp/portage/net-analyzer/mrtg-2.16.1/image//usr/share/mrtg2/icons
mkdir /var/tmp/portage/net-analyzer/mrtg-2.16.1/image/usr/share
mkdir /var/tmp/portage/net-analyzer/mrtg-2.16.1/image/usr/share/mrtg2
mkdir /var/tmp/portage/net-analyzer/mrtg-2.16.1/image/usr/share/mrtg2/icons
for x in ./images/*.gif ./images/*.png; do \
	  /usr/bin/install -c -m 644 $x /var/tmp/portage/net-analyzer/mrtg-2.16.1/image//usr/share/mrtg2/icons; done
/bin/sh ./mkinstalldirs /var/tmp/portage/net-analyzer/mrtg-2.16.1/image//usr/share/doc/mrtg2
mkdir /var/tmp/portage/net-analyzer/mrtg-2.16.1/image/usr/share/doc
mkdir /var/tmp/portage/net-analyzer/mrtg-2.16.1/image/usr/share/doc/mrtg2
(cd .; for x in COPYING COPYRIGHT README CHANGES THANKS doc/*.pod doc/*.txt doc/*.png; do \
	  /usr/bin/install -c -m 644 $x /var/tmp/portage/net-analyzer/mrtg-2.16.1/image//usr/share/doc/mrtg2; done)
/bin/sh ./mkinstalldirs /var/tmp/portage/net-analyzer/mrtg-2.16.1/image//usr/share/man/man1
mkdir /var/tmp/portage/net-analyzer/mrtg-2.16.1/image/usr/share/man
mkdir /var/tmp/portage/net-analyzer/mrtg-2.16.1/image/usr/share/man/man1
for x in ./doc/*.1; do \
	  /usr/bin/install -c -m 644 $x /var/tmp/portage/net-analyzer/mrtg-2.16.1/image//usr/share/man/man1; done
>>> Completed installing mrtg-2.16.1 into /var/tmp/portage/net-analyzer/mrtg-2.16.1/image/

ecompressdir: bzip2 -9 /usr/share/man
strip: x86_64-pc-linux-gnu-strip --strip-unneeded -R .comment
   usr/bin/rateup
Traceback (most recent call last):
  File "/usr/bin/emerge", line 6971, in <module>
    retval = emerge_main()
  File "/usr/bin/emerge", line 6965, in emerge_main
    myopts, myaction, myfiles, spinner)
  File "/usr/bin/emerge", line 6395, in action_build
    retval = mergetask.merge(pkglist, favorites, mtimedb)
  File "/usr/bin/emerge", line 3981, in merge
    return self._merge(mylist, favorites, mtimedb)
  File "/usr/bin/emerge", line 4259, in _merge
    prev_mtimes=ldpath_mtimes)
  File "/usr/lib64/portage/pym/portage.py", line 4818, in doebuild
    vartree=vartree, prev_mtimes=prev_mtimes)
  File "/usr/lib64/portage/pym/portage.py", line 5013, in merge
    mydbapi=mydbapi, prev_mtimes=prev_mtimes)
  File "/usr/lib64/portage/pym/portage.py", line 9486, in merge
    mydbapi=mydbapi, prev_mtimes=prev_mtimes)
  File "/usr/lib64/portage/pym/portage.py", line 9494, in _merge
    cleanup=cleanup, mydbapi=mydbapi, prev_mtimes=prev_mtimes)
  File "/usr/lib64/portage/pym/portage.py", line 8777, in treewalk
    retval = self._security_check(others_in_slot)
  File "/usr/lib64/portage/pym/portage.py", line 8656, in _security_check
    s = os.lstat(path)
OSError: [Errno 13] Permission denied: '/usr/bin/cfgmaker'
circular ~ # audit2allow -d -l
allow portage_t null_device_t:chr_file setattr;
allow portage_t.merge mrtg_exec_t:file getattr;
allow portage_t.merge null_device_t:chr_file setattr;
allow sysadm_t portage_exec_t:file entrypoint;
circular ~ # exit

Script done on Sat Jul 19 04:23:25 2008


Expected Results:  
Should upgrade mrtg to "net-analyzer/mrtg-2.16.1" from "[2.15.2]"

# emerge --info
Portage 2.1.4.4 (selinux/2007.0/amd64/hardened, gcc-4.1.2, glibc-2.6.1-r0, 2.6.24-hardened-r3-circular-prod.2 x86_64)
=================================================================
System uname: 2.6.24-hardened-r3-circular-prod.2 x86_64 Intel(R) Core(TM)2 Duo CPU E4500 @ 2.20GHz
Timestamp of tree: Fri, 18 Jul 2008 22:45:01 +0000
ccache version 2.4 [disabled]
app-shells/bash:     3.2_p33
dev-java/java-config: 1.3.7, 2.1.6
dev-lang/python:     2.4.4-r13, 2.5.2-r5
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r2
sys-devel/automake:  1.4_p6, 1.7.9-r1, 1.9.6-r2, 1.10.1
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=nocona -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -march=nocona -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks fixpackages loadpolicy metadata-transfer parallel-fetch sandbox selinux sesandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://gentoo.ynet.sk/pub http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ ftp://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ http://mirror.gentoo.no/"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="7zip acl alsa amd64 apache2 berkdb bzip2 cli cracklib crypt cups distcc dri fortran ftp gcj gd gdbm gpm gs hardened iconv ipv6 isdnlog jpeg midi mmx mp3 mpeg mudflap mysql ncurses nls nptl nptlonly openmp pam pcre perl php pic pie png pppd python quotas readline reflection samba sasl selinux session sharedmem slang snmp spl sse sse2 ssl ssp ssse3 symlink tcpd threads tiff truetype unicode userlocales utf8 wmf xattr xml xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias asis auth_basic auth_digest authn_alias authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cern_meta charset_lite dav dav_fs dav_lock dbd deflate dir disk_cache dumpio env expires ext_filter file_cache filter headers ident imagemap include info log_config log_forensic logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_http rewrite setenvif speling status unique_id userdir usertrack version vhost_alias" APACHE2_MPMS="worker" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="apm ark chips cirrus cyrix dummy fbdev glint i128 i810 mach64 mga neomagic nv r128 radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 1 Marian 'VooDooMan' Meravy 2008-07-19 02:32:47 UTC
circular ~ # stat /etc/make.profile
  File: `/etc/make.profile' -> `/usr/portage/profiles/selinux/2007.0/amd64/hardened/'
Comment 2 Chris PeBenito (RETIRED) gentoo-dev 2008-10-03 14:28:48 UTC
I need the denial message(s) associated with this.
Comment 3 Marian 'VooDooMan' Meravy 2008-10-18 13:56:24 UTC
Greetings,

I apologize for the bogus bug report. I just realized that I've got my own module with my own file context for "/usr/bin/cfgmaker", so the problem was caused by me.
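
Added example, not part of the bug thread or of any Gentoo or SELinux tool: the raw denial messages requested in Comment 2 carry the object path and the full source and target contexts, which the audit2allow rules in the report leave out. This Python parses AVC denial records and groups them by source type, target type and class while keeping the object names. The log lines are constructed for illustration (timestamps, PIDs, inodes and devices are made up); only the type names are taken from the audit2allow output above.

```python
import re
from collections import defaultdict

# Constructed sample denials (not from the bug report), shaped like kernel AVC
# records; the type names mirror the audit2allow output quoted in the report.
SAMPLE_LOG = '''\
audit(1216434179.101:41): avc:  denied  { getattr } for  pid=4242 comm="emerge" path="/usr/bin/cfgmaker" dev=sda3 ino=1001 scontext=root:sysadm_r:portage_t tcontext=system_u:object_r:mrtg_exec_t tclass=file
audit(1216434179.102:42): avc:  denied  { setattr } for  pid=4242 comm="emerge" name="null" dev=tmpfs ino=77 scontext=root:sysadm_r:portage_t tcontext=system_u:object_r:null_device_t tclass=chr_file
audit(1216434179.103:43): avc:  granted  { read } for  pid=4242 comm="emerge" name="x" dev=sda3 ino=5 scontext=root:sysadm_r:portage_t tcontext=system_u:object_r:usr_t tclass=file
kernel: unrelated line
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(':')[2]

def parse_denials(text):
    """Yield one dict per AVC denial, keeping the fields audit2allow drops."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # granted records and non-AVC lines are ignored
        kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
        yield {
            'perms': m.group('perms').split(),
            'comm': kv.get('comm'),
            'object': kv.get('path') or kv.get('name'),
            'source': type_of(kv['scontext']),
            'target': type_of(kv['tcontext']),
            'tclass': kv['tclass'],
        }

def summarize(text):
    """Group denials by (source, target, class) -> (permissions, objects)."""
    groups = defaultdict(lambda: (set(), set()))
    for d in parse_denials(text):
        perms, objects = groups[(d['source'], d['target'], d['tclass'])]
        perms.update(d['perms'])
        objects.add(d['object'])
    return {k: (sorted(p), sorted(o)) for k, (p, o) in groups.items()}

if __name__ == '__main__':
    for (src, tgt, cls), (perms, objs) in summarize(SAMPLE_LOG).items():
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }} on {', '.join(objs)}")
```

Seeing `/usr/bin/cfgmaker` listed next to `mrtg_exec_t` is the cue to compare the file's label with the policy's file contexts before adding any allow rule.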