The SELinux policy prevents portage_t, and therefore mount-boot.eclass (used in the grub ebuild), from mounting /boot. So we either have to grant portage_t that permission, or (imho better) disable that automatism. To do the latter, it's only necessary to add the line "DONT_MOUNT_BOOT=1" to profiles/features/selinux/make.defaults in the portage tree.
Or add an SELinux boolean (portage_mount_boot?) to toggle this as well.
A boolean toggling portage access to /boot between "dontaudit" and "allow" wouldn't suffice, as the grub ebuild die()s if it can't mount /boot.
Yes, but I was thinking of letting the user decide on their options without "forcing" things through our profile.
1) The user mounts /boot himself and retries. As /boot is already mounted, things continue to work.
2) User doesn't want the ebuild to mount /boot, so he sets DONT_MOUNT_BOOT himself.
3) User wants Portage to mount /boot, so toggles the SELinux boolean allowing Portage to mount /boot.
Just need to find the proper permissions ;)
portage_mount_fs boolean is in repo. This way, users can choose - either disable portage trying to mount /boot, or allow it through the boolean as well.
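The three outcomes discussed in this thread (DONT_MOUNT_BOOT set, /boot already mounted, boolean on, or the ebuild dying) as a small POSIX sh model. This is an added example and is not code from the bug thread, from mount-boot.eclass or from the SELinux policy; it models the decision on constructed inputs (strings standing in for /proc/mounts and for `getsebool portage_mount_fs` output) rather than reading the live system, and the function name boot_decision is made up here.

```shell
#!/bin/sh
# Added example: simplified model of whether the grub ebuild can proceed
# under the SELinux policy. Not the real mount-boot.eclass logic.

# Constructed sample input standing in for /proc/mounts, with /boot mounted.
MOUNTS_BOOT="/dev/sda1 / ext4 rw 0 0
/dev/sda2 /boot ext2 rw 0 0"

# Constructed sample input standing in for /proc/mounts, without /boot.
MOUNTS_NOBOOT="/dev/sda1 / ext4 rw 0 0"

# boot_decision DONT_MOUNT_BOOT MOUNTS_TEXT GETSEBOOL_TEXT
#   $1: value of DONT_MOUNT_BOOT ("" or "1")
#   $2: text in /proc/mounts format (constructed here)
#   $3: one line in `getsebool portage_mount_fs` format, e.g.
#       "portage_mount_fs --> on" (constructed here)
# Prints one of: skip, already_mounted, mount, die.
# Returns 1 only for "die", mirroring the ebuild calling die().
boot_decision() {
    dont_mount="$1"
    mounts="$2"
    sebool="$3"

    # Option 2 in the thread: the user disabled the automatism entirely.
    if [ "$dont_mount" = "1" ]; then
        echo skip
        return 0
    fi

    # Option 1: /boot is already mounted (field 2 of /proc/mounts), so the
    # eclass has nothing to do and the build continues.
    if printf '%s\n' "$mounts" | awk '$2 == "/boot" { found = 1 } END { exit !found }'; then
        echo already_mounted
        return 0
    fi

    # Option 3: not mounted, so portage_t has to mount it itself, which the
    # policy only allows when the portage_mount_fs boolean is on.
    case "$sebool" in
        *"--> on"*)
            echo mount
            return 0
            ;;
        *)
            # dontaudit/deny: mount fails and the grub ebuild die()s.
            echo die
            return 1
            ;;
    esac
}

# Stand-alone demo of all four outcomes (the last one returns non-zero).
boot_decision "1" "$MOUNTS_NOBOOT" "portage_mount_fs --> off"
boot_decision ""  "$MOUNTS_BOOT"   "portage_mount_fs --> off"
boot_decision ""  "$MOUNTS_NOBOOT" "portage_mount_fs --> on"
boot_decision ""  "$MOUNTS_NOBOOT" "portage_mount_fs --> off" || true
```

On a real system the equivalent of option 3 is `setsebool -P portage_mount_fs on`; the model deliberately takes the getsebool output as a string so it runs without SELinux present.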
It's in 20140311-r1
Stable