Bug 355745 - SELinux-enabled portage-2.1.9.40 doesn't work
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High normal
Assignee: SE Linux Bugs
Duplicates: 356533
Reported: 2011-02-20 21:43 UTC by Andreis Vinogradovs ( slepnoga )
Modified: 2012-04-16 12:19 UTC (History)
Description Andreis Vinogradovs ( slepnoga ) 2011-02-20 21:43:56 UTC
Emerging (1 of 1) sys-fs/udev-164-r1
Traceback (most recent call last):
  File "/usr/lib64/portage/pym/_emerge/EbuildFetcher.py", line 113, in _spawn
    allow_missing_digests=False):
  File "/usr/lib64/portage/pym/portage/package/ebuild/fetch.py", line 489, in fetch
    if _userpriv_test_write_file(mysettings, write_test_file):
  File "/usr/lib64/portage/pym/portage/package/ebuild/fetch.py", line 122, in _userpriv_test_write_file
    returncode = _spawn_fetch(settings, args)
  File "/usr/lib64/portage/pym/portage/package/ebuild/fetch.py", line 90, in _spawn_fetch
    rval = spawn_func(args, env=settings.environ(), **kwargs)
  File "/usr/lib64/portage/pym/portage/_selinux.py", line 105, in wrapper_func
    setexec(con)
  File "/usr/lib64/portage/pym/portage/_selinux.py", line 79, in setexec
    if selinux.setexeccon(ctx) < 0:
OSError: [Errno 22] Invalid argument
 * Fetch failed for 'sys-fs/udev-164-r1', Log file:
 *  '/var/tmp/portage/sys-fs/udev-164-r1/temp/build.log'
Comment 1 Andreis Vinogradovs ( slepnoga ) 2011-02-20 21:44:25 UTC
mini ~ # emerge --info
FEATURES variable contains unknown value(s): loadpolicy
Portage 2.1.9.40 (selinux/v2refpolicy/amd64/desktop, gcc-4.5.2, glibc-2.13-r1, 2.6.37-gentoo-1.08 x86_64)
=================================================================
System uname: Linux-2.6.37-gentoo-1.08-x86_64-Intel-R-_Atom-TM-_CPU_330_@_1.60GHz-with-gentoo-2.0.1
Timestamp of tree: Sat, 19 Feb 2011 07:45:01 +0000
app-shells/bash:     4.1_p9
dev-java/java-config: 2.1.11-r3
dev-lang/python:     2.6.6-r1, 2.7.1, 3.1.3
dev-util/cmake:      2.8.3-r1
sys-apps/baselayout: 2.0.1-r1
sys-apps/openrc:     0.7.0
sys-apps/sandbox:    2.4
sys-devel/autoconf:  2.13, 2.68
sys-devel/automake:  1.9.6-r3, 1.10.3, 1.11.1
sys-devel/binutils:  2.21
sys-devel/gcc:       4.5.2
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.4-r1
sys-devel/make:      3.82
virtual/os-headers:  2.6.36.1 (sys-kernel/linux-headers)
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=native -fomit-frame-pointer -mfpmath=sse+387 -mpc80 -msse3"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -march=native -fomit-frame-pointer -mfpmath=sse+387 -mpc80 -msse3"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs distlocks fixlafiles fixpackages loadpolicy news parallel-fetch protect-owned sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS=""
GENTOO_MIRRORS="http://gentoo.tups.lv/source "
LANG="ru_RU.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--sort-common -Wl,--hash-style=gnu"
LINGUAS="ru"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_COMPRESS="lzma"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/kde /var/lib/layman/sunrise /var/lib/layman/sunrise /var/lib/layman/alexxy /var/lib/layman/hardened-development /home/slep/rion /home/slep/slepnoga/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="X a52 aac aalib acl acpi akonadi alsa amd64 assistant avahi bash-completion berkdb bl bluetooth branding bzip2 cairo caps cdda cdio cdparanoia cli clucene consolekit cracklib crypt cue cups cxx dbus declarative device-mapper dga dia djvu dri dts dvd dvdr emboss enca encode exif fam fax fbcon ffmpeg firefox flac fontconfig fortran ftp gdbm gdu ggi gif gnutls gpm gs gstreamer handbook ical iconv icu idn imagemagick imlib inkjar inotify ipv6 jbig jpeg jpeg2k kate kde kerberos kvm ladspa lame lcms ldap libnotify libsamplerate lm_sensors log4j lzma lzo mad mikmod mmap mng modplug modules mp3 mp4 mpeg mtp mudflap multimedia multislot mysql natspec ncurses nls nptl nsplugin ogg okular opengl openmp optimized-qmake pam pango pch pcre pdf perl phonon pipe plasma png pnm policykit ppds ppp pppd python qt3support qt4 radio raster readline redeyes reports rhelpatch rle samba sasl scanner sdl selinux semantic-desktop session sftp skype slp smp sms sndfile spell spice sql sqlite ssl startup-notification strigi suexec svg symlink syslog taglib tcpd theora threads tiff truetype udev unicode usb vaapi vhosts vim-syntax vorbis wav wavpack webkit winetriks xattr xcb xine xinetd xml xmlpatterns xorg xulrunner xv xvid xvmc zeroconf zip zlib" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" 
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev" KERNEL="linux" LINGUAS="ru" PHP_TARGETS="php5-3" QEMU_SOFTMMU_TARGETS="x86_64" QEMU_USER_TARGETS="x86_64" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="intel" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 2 Andreis Vinogradovs ( slepnoga ) 2011-02-20 21:46:52 UTC
P.S. Also please see http://forums.gentoo.org/viewtopic-t-863567-start-0.html
(This is not my post.)
Comment 3 Sven Vermeulen 2011-02-27 14:54:18 UTC
Could you provide output of "sestatus -v"? I suspect you are running the targeted policy and that your current context is in the unconfined_t domain (cfr. bug #356553)
Comment 4 Sven Vermeulen 2011-02-27 14:54:56 UTC
Err bug #356533 that is
Comment 5 Andreis Vinogradovs ( slepnoga ) 2011-02-27 15:08:04 UTC
(In reply to comment #4)
> Err bug #356533 that is
> 

I got these errors at the install phase. The first reboot was successful, but on application policy [1] installation I got this error.


[1] http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&chap=3#doc_chap4
Comment 6 Sven Vermeulen 2011-02-27 15:11:42 UTC
Do you happen to have the "sestatus -v" output ?
Comment 7 Sven Vermeulen 2011-03-02 17:25:49 UTC
Also, you might want to test out selinux-base-policy-2.20101213-r9 from the hardened-development overlay. It has a fix where installing packages from the unconfined domain (when SELINUXTYPE=targeted is set) wasn't possible with the exact same error as you've pasted.
Comment 8 Anthony Basile gentoo-dev 2011-03-11 21:09:21 UTC
The fix is in the tree now.  Closing this one.  Reopen if it's still a problem.
Comment 9 Anthony Basile gentoo-dev 2011-03-11 21:11:25 UTC
*** Bug 356533 has been marked as a duplicate of this bug. ***
Comment 10 Marek Bartosiewicz 2011-04-13 06:39:07 UTC
I think this problem is back, as "root" logged in via SSH has a different context now:

gen2-selinux ~ # id -Z
root:staff_r:staff_t

gen2-selinux ~ # emerge mc
Calculating dependencies... done!

>>> Verifying ebuild manifests

>>> Emerging (1 of 1) app-misc/mc-4.7.5.2
Traceback (most recent call last):
  File "/usr/lib64/portage/pym/_emerge/EbuildFetcher.py", line 113, in _spawn
    allow_missing_digests=False):
  File "/usr/lib64/portage/pym/portage/package/ebuild/fetch.py", line 489, in fetch
    if _userpriv_test_write_file(mysettings, write_test_file):
  File "/usr/lib64/portage/pym/portage/package/ebuild/fetch.py", line 122, in _userpriv_test_write_file
    returncode = _spawn_fetch(settings, args)
  File "/usr/lib64/portage/pym/portage/package/ebuild/fetch.py", line 90, in _spawn_fetch
    rval = spawn_func(args, env=settings.environ(), **kwargs)
  File "/usr/lib64/portage/pym/portage/_selinux.py", line 105, in wrapper_func
    setexec(con)
  File "/usr/lib64/portage/pym/portage/_selinux.py", line 79, in setexec
    if selinux.setexeccon(ctx) < 0:
OSError: [Errno 22] Invalid argument
 * Fetch failed for 'app-misc/mc-4.7.5.2', Log file:
 *  '/var/tmp/portage/app-misc/mc-4.7.5.2/temp/build.log'

>>> Failed to emerge app-misc/mc-4.7.5.2, Log file:

>>>  '/var/tmp/portage/app-misc/mc-4.7.5.2/temp/build.log'

 * Messages for package app-misc/mc-4.7.5.2:

 * Fetch failed for 'app-misc/mc-4.7.5.2', Log file:
 *  '/var/tmp/portage/app-misc/mc-4.7.5.2/temp/build.log'
Comment 11 Nico Baggus 2011-05-14 14:36:00 UTC
I do disallow root logins. But sudo also cannot emerge...

I did solve it by updating the pam.d/sudo entry to:

auth    include         system-auth

account include         system-auth

session required        pam_selinux.so close
session include         system-auth
session required        pam_selinux.so multiple open
Comment 12 Sven Vermeulen 2011-05-14 16:51:30 UTC
staff_t is not allowed to work with Portage for management tasks. You'll need to switch to sysadm_r first using "newrole -r sysadm_r". This is by design.
Comment 13 Anthony Basile gentoo-dev 2011-06-03 09:37:47 UTC
(In reply to comment #12)
> staff_t is not allowed to work with Portage for management tasks. You'll need
> to switch to sysadm_r first using "newrole -r sysadm_r". This is by design.

When I first ssh in and su root, id -Z gives user_u:user_r:user_t.  I hit the above error when emerging.  I then switch context using

  runcon -u root -r sysadm_r -t sysadm_t /bin/bash

and emerge works fine.
Comment 14 Willard Dawson 2011-06-05 16:46:30 UTC
(In reply to comment #13)
> (In reply to comment #12)
> > staff_t is not allowed to work with Portage for management tasks. You'll need
> > to switch to sysadm_r first using "newrole -r sysadm_r". This is by design.
> 
> When I first ssh in and su root, id -Z gives user_u:user_r:user_t.  I hit the
> above error when emerging.  I then switch context using
> 
>   runcon -u root -r sysadm_r -t sysadm_t /bin/bash
> 
> and emerge works fine.

I had this issue, too. This advice worked for me, until 'emerge -uDN world' got to the first update in line.  Sandbox refuses to build even with "FEATURES=-selinux".  Seems like that may be related but maybe not...?
Comment 15 Sven Vermeulen 2011-06-05 21:08:08 UTC
The use of runcon here is imo not correct. Unless the user is running in permissive mode, I'm also wondering why it would be allowed. Transitioning towards a different SELinux user is prohibited.

To have emerge working properly, you need to be in the sysadm_r role. You can do so by switching roles (newrole -r sysadm_r).
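Worked check, added here as an illustration; it is not Portage's code and not from anyone in this thread. It models the failure in the tracebacks above: Portage's _selinux.py builds the context for its helper process by swapping only the type field of the caller's current context (the role is kept), then calls setexeccon() with the result. The kernel validates that context when it is written to /proc/self/attr/exec and rejects it with EINVAL if the loaded policy does not authorize the role for the type, which is what Portage surfaces as OSError: [Errno 22]. So from staff_r or user_r the derived context root:staff_r:portage_fetch_t is simply invalid, and no amount of permissions on the distfiles directory helps; switching to sysadm_r first (newrole -r sysadm_r) makes the derived context valid. ALLOWED_TYPES, the helper type name and the sample id -Z strings are assumptions constructed for the example, not the real refpolicy; on a live host the same validity question is answered by the kernel through libselinux (security_check_context), not by a table.

```python
"""Preflight check for running emerge on a SELinux host.

Added illustration, not Portage's own code.  It mirrors two things the
tracebacks in this bug exercise:
  1. settype(): Portage derives the helper context by replacing only the
     type field of the current context, so the caller's role is kept.
  2. validate_context(): the kernel rejects a context whose role is not
     authorized for its type with EINVAL when it is written to
     /proc/self/attr/exec; Portage reports that as OSError(22).
"""
import errno

# Constructed stand-in for the policy's role -> type authorizations.
# Assumption for illustration only: the Portage domains are reachable from
# sysadm_r, and staff_r / user_r / unconfined_r may only run their own
# shell domain.  The real refpolicy is not consulted here.
ALLOWED_TYPES = {
    "sysadm_r": {"sysadm_t", "portage_t", "portage_fetch_t", "portage_sandbox_t"},
    "staff_r": {"staff_t"},
    "user_r": {"user_t"},
    "unconfined_r": {"unconfined_t"},
}


def parse_context(ctx):
    """Split 'user:role:type[:range]' as printed by `id -Z`.

    The optional MLS/MCS range may itself contain colons (e.g.
    's0-s0:c0.c1023'), so everything after the third field is kept as one
    string.
    """
    parts = ctx.strip().split(":")
    if len(parts) < 3:
        raise ValueError("not a SELinux context: %r" % ctx)
    user, role, typ = parts[:3]
    mls = ":".join(parts[3:]) or None
    return user, role, typ, mls


def settype(ctx, newtype):
    """Build the helper context the way Portage does: keep the user, role
    and range of the current context and swap only the type."""
    user, role, _, mls = parse_context(ctx)
    out = [user, role, newtype]
    if mls:
        out.append(mls)
    return ":".join(out)


def validate_context(ctx, allowed=ALLOWED_TYPES):
    """Model the kernel's validity check: 0 if the role is authorized for
    the type under the (constructed) policy, else -EINVAL, the errno that
    setexeccon() raises as OSError: [Errno 22] Invalid argument."""
    _, role, typ, _ = parse_context(ctx)
    if typ in allowed.get(role, ()):
        return 0
    return -errno.EINVAL


def emerge_preflight(current_ctx, helper_type="portage_fetch_t"):
    """Return (ok, message) for the context `id -Z` reports before emerge.

    helper_type defaults to the fetch helper's domain, which is the first
    one Portage switches to (the _spawn_fetch frame in the tracebacks).
    """
    target = settype(current_ctx, helper_type)
    rc = validate_context(target)
    if rc == 0:
        return True, "ok: %s -> %s" % (current_ctx, target)
    _, role, _, _ = parse_context(current_ctx)
    return False, (
        "setexeccon(%r) would fail with EINVAL: role %s is not authorized "
        "for %s; switch roles first: newrole -r sysadm_r"
        % (target, role, helper_type)
    )


if __name__ == "__main__":
    # Constructed samples in the shapes `id -Z` produced in this bug report.
    for ctx in ("root:sysadm_r:sysadm_t",
                "root:staff_r:staff_t",
                "user_u:user_r:user_t",
                "root:sysadm_r:sysadm_t:s0-s0:c0.c1023"):
        ok, msg = emerge_preflight(ctx)
        print(("PASS " if ok else "FAIL ") + msg)
```

Note that runcon -u root -r sysadm_r -t sysadm_t, as used in comment 13, asks for a full context transition including a change of SELinux user; newrole -r sysadm_r only changes the role within the user you already are, which is the transition the policy is designed to permit.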