410687 – emerge fails with ACCESS DENIED on /sys/fs/selinux/context

Bug 410687 - emerge fails with ACCESS DENIED on /sys/fs/selinux/context

Summary: emerge fails with ACCESS DENIED on /sys/fs/selinux/context

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Hardened (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Portage team

URL:
Whiteboard:
Keywords:	InVCS

Duplicates (1):	410761 (view as bug list)
Depends on:
Blocks:	409383
	Show dependency tree

Reported:	2012-04-03 18:17 UTC by Sven Vermeulen (RETIRED)
Modified:	2012-04-08 20:11 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Patch to misc-functions.sh (misc-functions.patch,940 bytes, patch) 2012-04-05 16:07 UTC, Sven Vermeulen (RETIRED)	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sven Vermeulen (RETIRED) gentoo-dev

2012-04-03 18:17:11 UTC

Any use of emerge fails with:

ACCESS DENIED open_wr:  /sys/fs/selinux/context

This is because the sandbox prohibits R/W access to /sys/fs/selinux.

Reproducible: Always




It can be easily fixed by editing /etc/sandbox.conf to include RW access on /sys/fs/selinux. We need to see if we can add in this information automatically using our packages, or if we need to document it.

Comment 1 Sven Vermeulen (RETIRED) gentoo-dev

2012-04-05 15:44:12 UTC

*** Bug 410761 has been marked as a duplicate of this bug. ***

Comment 2 Sven Vermeulen (RETIRED) gentoo-dev

2012-04-05 16:07:16 UTC

@dev-portage folks...

In /usr/lib/portage/bin/misc-functions.sh, you currently allow (in sandbox) to write to /selinux. Recent SELinux systems however have their file system mounted at /sys/fs/selinux, so this location should be supported as well.

Comment 3 Sven Vermeulen (RETIRED) gentoo-dev

2012-04-05 16:07:47 UTC

Created attachment 307913 [details, diff]
Patch to misc-functions.sh

Suggested change on misc-functions.sh

Comment 4 Zac Medico gentoo-dev

2012-04-05 16:47:57 UTC

Thanks, this is in git:

http://git.overlays.gentoo.org/gitweb/?p=proj/portage.git;a=commit;h=42694ba42b4d265a07e91bc0aef98dbfa7ad2c4f

Comment 5 Zac Medico gentoo-dev

2012-04-05 23:45:44 UTC

This is fixed in 2.1.10.56 and 2.2.0_alpha100.

Comment 6 Paul de Vrieze (RETIRED) gentoo-dev

2012-04-08 20:11:35 UTC

If portage has this information in its own innards, should it than still be in /usr/portage/profiles/features/selinux/profile.bashrc ?