That's an odd one.. I did a clean install with the latest 2.6 SELinux CD, and got a 2.6.5, glibc / NPTL, ~86 system up, HOWEVER, I faced an odd OpenSSH problem (unrelated I guess, but still...) I was able to login just one time, any further attempts, till reboot closed remotely (sshd-side). So. I decided to re-emerge tcp-wrappers to be on the safe side, and...
    dmz policy # emerge tcp-wrappers
    Calculating dependencies ...done!
    >>> emerge (1 of 1) sys-apps/tcp-wrappers-7.6-r8 to /
    >>> md5 src_uri ;-) tcp_wrappers_7.6.tar.gz
    >>> md5 src_uri ;-) tcp-wrappers-7.6-r7-patches.tar.bz2
    >>> Unpacking source...
    >>> Unpacking tcp_wrappers_7.6.tar.gz to /var/tmp/portage/tcp-wrappers-7.6-r8/work
    >>> Unpacking tcp-wrappers-7.6-r7-patches.tar.bz2 to /var/tmp/portage/tcp-wrappers-7.6-r8/work
    * Applying tcp-wrappers-7.6-makefile.patch.bz2... [ ok ]
    * Applying various patches (bugfixes/updates)...
    * 01_all_redhat-bug11881.patch.bz2... [ ok ]
    * 02_all_redhat-bug17795.patch.bz2... [ ok ]
    * 03_all_wildcard.patch.bz2... [ ok ]
    * 04_all_fixgethostbyname.patch.bz2... [ ok ]
    * 07_all_sig.patch.bz2... [ ok ]
    * 08_all_strerror.patch.bz2... [ ok ]
    * Done with patching
    * Applying tcp-wrappers-7.6-shared.patch.bz2... [ ok ]
    >>> Source unpacked.
    make: *** [config-check] Error 1
    !!! ERROR: sys-apps/tcp-wrappers-7.6-r8 failed.
    !!! Function src_compile, Line 51, Exitcode 2
    !!! (no error message)
    --------------------------- ACCESS VIOLATION SUMMARY ---------------------------
    LOG FILE = "/tmp/sandbox-sys-apps_-_tcp-wrappers-7.6-r8-27772.log"
    open_wr: /proc/self/attr/fscreate
    --------------------------------------------------------------------------------
IT IS SELinux-related since, if the policy is not loaded compilation starts (and then aborts during install for lack of proper setfiles labels)
Reproducible: Always
Steps to Reproduce: 1. 2. 3.
*** Bug 48452 has been marked as a duplicate of this bug. ***
I can't reproduce this. It doesn't make sense, either, because nothing touches /proc/self/attr/fscreate in config-check. I need more information: denials, enforcing or permissive, etc.
Yes, I concur, it does NOT make any sense ;-) BUT, it happens... I tried emerge -eD tcp-wrappers, waited for 2 hours, and still... same thing happens. Enforcing is NOT set (z.e.r.o.), here go denials...
    avc: denied { syslog_mod } for pid=859 exe=/usr/sbin/syslog-ng scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:kernel_t tclass=system
    avc: denied { rmdir } for pid=2611 exe=/usr/bin/python2.3 name=temp dev=hda4 ino=32444 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:portage_tmp_t tclass=dir
    avc: denied { unlink } for pid=2628 exe=/bin/rm name=tcp-wrappers-7.6-r8.ebuild dev=hda4 ino=32474 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:portage_ebuild_t tclass=file
I'm really stumped... Additionally here's what happens when SELinux is disabled:
    dmz root # emerge tcp-wrappers
    !!! SELinux not loaded: SELinux is not enabled.
    Calculating dependencies ...done!
    >>> emerge (1 of 1) sys-apps/tcp-wrappers-7.6-r8 to /
    >>> md5 src_uri ;-) tcp_wrappers_7.6.tar.gz
    >>> md5 src_uri ;-) tcp-wrappers-7.6-r7-patches.tar.bz2
    >>> Unpacking source...
    >>> Unpacking tcp_wrappers_7.6.tar.gz to /var/tmp/portage/tcp-wrappers-7.6-r8/work
    >>> Unpacking tcp-wrappers-7.6-r7-patches.tar.bz2 to /var/tmp/portage/tcp-wrappers-7.6-r8/work
    * Applying tcp-wrappers-7.6-makefile.patch.bz2... [ ok ]
    * Applying various patches (bugfixes/updates)...
    * 01_all_redhat-bug11881.patch.bz2... [ ok ]
    * 02_all_redhat-bug17795.patch.bz2... [ ok ]
    * 03_all_wildcard.patch.bz2... [ ok ]
    * 04_all_fixgethostbyname.patch.bz2... [ ok ]
    * 07_all_sig.patch.bz2... [ ok ]
    * 08_all_strerror.patch.bz2... [ ok ]
    * Done with patching
    * Applying tcp-wrappers-7.6-shared.patch.bz2... [ ok ]
    >>> Source unpacked.
    cp: setting attribute `security.selinux' for `build-info/tcp-wrappers-7.6-r8.ebuild': Invalid argument
    make[1]: Entering directory `/var/tmp/portage/tcp-wrappers-7.6-r8/work/tcp_wrappers_7.6'
blah blah compile completes...
You're in system_u:system_r:kernel_t, which is not correct. Is your policy being loaded on boot?
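Added example, not part of the original bug thread: a small Python check that parses the AVC denials quoted in the report above and lists userland executables whose source context type is kernel_t, the condition the previous comment points at. The function names are made up for this example, and the sample lines are copied from the report.

```python
import re

# AVC denials as quoted in the report above.
SAMPLE = """\
avc: denied { syslog_mod } for pid=859 exe=/usr/sbin/syslog-ng scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:kernel_t tclass=system
avc: denied { rmdir } for pid=2611 exe=/usr/bin/python2.3 name=temp dev=hda4 ino=32444 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:portage_tmp_t tclass=dir
avc: denied { unlink } for pid=2628 exe=/bin/rm name=tcp-wrappers-7.6-r8.ebuild dev=hda4 ino=32474 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:portage_ebuild_t tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")


def parse_avc(line):
    """Parse one 'avc: denied' line into a dict, or return None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for tok in m.group("rest").split():
        key, sep, val = tok.partition("=")
        if sep:  # skip tokens that are not key=value pairs
            rec[key] = val.strip('"')
    for side in ("scontext", "tcontext"):
        # A context is user:role:type[:mls-range]; the type is field 3.
        parts = rec.get(side, "").split(":")
        rec[side + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec


def userland_in_kernel_domain(log_text, kernel_type="kernel_t"):
    """Return (pid, exe, perms, tclass) for denials whose source type is
    kernel_t while the subject is an executable on disk."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if (rec and rec["scontext_type"] == kernel_type
                and rec.get("exe", "").startswith("/")):
            hits.append((rec.get("pid"), rec["exe"],
                         rec["perms"], rec.get("tclass")))
    return hits


if __name__ == "__main__":
    for pid, exe, perms, tclass in userland_in_kernel_domain(SAMPLE):
        print(f"pid {pid}: {exe} runs as kernel_t "
              f"(denied {','.join(perms)} on {tclass})")
```

All three denials from the report are flagged: syslog-ng, python2.3 and rm each have a kernel_t source context.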
I can confirm the problem. Trying to install Gentoo from the latest available SELinux LiveCD: livecd-2004.0-x86-selinux-nostages-20040227.iso and with stage1-x86-selinux-20040211.tar.bz2 using /usr/portage/profiles/selinux/2004.1/x86. Bootstrap done using bootstrap-cascade.sh (had to "emerge --nodeps portage" before because it was too old for cascaded profiles :-/). While doing "emerge system":
    --8<--
    * Applying tcp-wrappers-7.6-ipv6-1.14.diff.bz2... [ ok ]
    >>> Source unpacked.
    ipv6
    make: *** [config-check] Error 1
    !!! ERROR: sys-apps/tcp-wrappers-7.6-r8 failed.
    !!! Function src_compile, Line 53, Exitcode 2
    !!! (no error message)
    --------------------------- ACCESS VIOLATION SUMMARY ---------------------------
    LOG FILE = "/tmp/sandbox-sys-apps_-_tcp-wrappers-7.6-r8-14183.log"
    open_wr: /proc/self/attr/fscreate
    --------------------------------------------------------------------------------
    --8<--
The LiveCD kernel (2.6.3-gentoo-r1-livecd) was booted in permissive (!) mode.
Well, FEATURES="-sandbox" does the trick.
Ok, figured this one out finally. It's a broken coreutils patch; I'll close when seemant gets the fixed one out.
This should be fixed in coreutils-5.2.1-r1, which should hopefully be stable soon.
*** Bug 58704 has been marked as a duplicate of this bug. ***
*** Bug 70346 has been marked as a duplicate of this bug. ***
Hi. Just want to let you know that I got the same issue here after updating my Portage tree. Following Wolfram Schlich's suggestion of FEATURES="-sandbox" solved the issue. Thanks, Jorge.
    hseahserv99 http-replicator # cat /usr/portage/metadata/timestamp
    Sun Sep 24 01:39:24 UTC 2006
    hseahserv99 http-replicator # qlist -Iv coreutils
    sys-apps/coreutils-5.94-r1
    sys-apps/policycoreutils-1.30-r1
    hseahserv99 http-replicator # cat /var/log/sandbox/sandbox-sys-apps_-_tcp-wrappers-7.6-r8-15244.log
    open_wr: /proc/self/attr/fscreate (symlink to /proc/15267/attr/fscreate)
    open_wr: /proc/self/attr/fscreate (symlink to /proc/15282/attr/fscreate)
I get no relevant info from /var/log/avc.log. I'm willing to do some tests here if it helps. I can also update the tree again to use some new version and see if the error persists.
*** Bug 175326 has been marked as a duplicate of this bug. ***
A fix has been applied to the selinux profiles for a while. Closing.