Following the instructions from blueness' email [1] to make portage use install-xattr I get a failure during the install phase.

[1]: http://article.gmane.org/gmane.linux.gentoo.hardened/6242

I have narrowed the issue down to: install-xattr is running inside portage_sandbox_t, which is denied capability sys_admin.

Steps to reproduce:
1) make sure selinux is in enforcing mode. (this might work in permissive too)
2) make sure FEATURES has both sesandbox and test enabled.
3) emerge johntheripper
4) failure during install phase

If FEATURES=test is turned off, johntheripper will install normally. The difference seems to be that john paxmarks during src_test; install-xattr will work if there are no pax-marks on the binary already but will fail if they exist. This will almost certainly require a new domain (eg portage_helper_t) which is allowed cap sys_admin and which portage_sandbox_t is allowed to transition to.

I get the following avc's in audit.log:

type=AVC msg=audit(1403623979.254:4572): avc: denied { sys_admin } for pid=8475 comm="install-xattr" capability=21 scontext=staff_u:sysadm_r:portage_sandbox_t tcontext=staff_u:sysadm_r:portage_sandbox_t tclass=capability
type=SYSCALL msg=audit(1403623979.254:4572): arch=c000003e syscall=194 success=yes exit=32 a0=3d853372509 a1=0 a2=0 a3=341d7c04618 items=1 ppid=8472 pid=8475 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="install-xattr" exe="/usr/bin/install-xattr" subj=staff_u:sysadm_r:portage_sandbox_t key=(null)
type=CWD msg=audit(1403623979.254:4572): cwd="/var/tmp/portage/app-crypt/johntheripper-1.7.9-r6/work/john-1.7.9"
type=PATH msg=audit(1403623979.254:4572): item=0 name="run/john" inode=1369033 dev=00:1e mode=0100755 ouid=250 ogid=250 rdev=00:00 obj=staff_u:object_r:portage_tmp_t nametype=NORMAL
type=AVC msg=audit(1403623979.254:4573): avc: denied { sys_admin } for pid=8475 comm="install-xattr" capability=21 scontext=staff_u:sysadm_r:portage_sandbox_t tcontext=staff_u:sysadm_r:portage_sandbox_t tclass=capability
type=SYSCALL msg=audit(1403623979.254:4573): arch=c000003e syscall=194 success=yes exit=32 a0=3d853372509 a1=2c24db6c30 a2=20 a3=341d7c04618 items=1 ppid=8472 pid=8475 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="install-xattr" exe="/usr/bin/install-xattr" subj=staff_u:sysadm_r:portage_sandbox_t key=(null)
type=CWD msg=audit(1403623979.254:4573): cwd="/var/tmp/portage/app-crypt/johntheripper-1.7.9-r6/work/john-1.7.9"
type=PATH msg=audit(1403623979.254:4573): item=0 name="run/john" inode=1369033 dev=00:1e mode=0100755 ouid=250 ogid=250 rdev=00:00 obj=staff_u:object_r:portage_tmp_t nametype=NORMAL
Created attachment 379594: build.log with test enabled, resulting in a failure
Created attachment 379612: fix for install-xattr

I put an echo into the bash wrapper to get the exact command run, then I strace'd it, and the path on the setxattr is wrong. This patch fixes it.

Command being run by the ebuild:

exec /usr/bin/install-xattr -m0755 -o 0 -g 0 run/john /var/tmp/portage/app-crypt/johntheripper-1.7.9-r6/image//usr/sbin
install-xattr: setxattr() failed: No such file or directory

Excerpt from strace'ing the above command:

setxattr("/var/tmp/portage/app-crypt/johntheripper-1.7.9-r6/image//usr/sbin/run/john", "user.pax.flags", "emr", 3, 0) = -1 ENOENT (No such f
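To make the path mistake in the comment above concrete, here is an added Python illustration (not elfix's own code, and not the attached patch): when the last argument to install is a directory, the copy lands at dst/basename(src), so the xattr must be written to that path rather than dst/src. The pre-fix computation is kept beside the corrected one, and the copy step treats a missing user.pax.flags as "nothing to do", which is why the bug only surfaced once src_test had already pax-marked the binary. The demo() layout is constructed; run it on Linux, where os.getxattr/os.setxattr exist.

```python
import errno
import os
import shutil
import tempfile

PAX_ATTR = "user.pax.flags"  # xattr that carries the PaX marking


def xattr_target(src, dst, dst_is_dir=None):
    """Path that `install src dst` actually wrote to: dst/basename(src) when
    dst is a directory, otherwise dst itself.  dst_is_dir may be forced to
    reason about a path that does not exist here; default probes the disk
    (a trailing slash also counts as a directory)."""
    if dst_is_dir is None:
        dst_is_dir = dst.endswith(os.sep) or os.path.isdir(dst)
    return os.path.join(dst, os.path.basename(src)) if dst_is_dir else dst


def xattr_target_buggy(src, dst):
    """Pre-fix computation: joins the whole source path, so a relative source
    like run/john becomes dst/run/john, which does not exist (ENOENT)."""
    return os.path.join(dst, src)


def copy_pax_flags(src, target):
    """Copy the PaX marking from src to target.  Returns the flags copied, or
    None when src has none (ENODATA) or the filesystem lacks xattrs."""
    try:
        flags = os.getxattr(src, PAX_ATTR)
    except OSError as e:
        if e.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise
    os.setxattr(target, PAX_ATTR, flags)
    return flags


def install_with_pax_flags(src, dst):
    """Copy src like `install src dst` and carry its PaX marking along."""
    target = xattr_target(src, dst)
    shutil.copyfile(src, target)  # data only; the xattr is copied below
    return target, copy_pax_flags(src, target)


def demo():
    """Constructed reproduction of the bug's layout: run/john installed into an
    image/usr/sbin directory.  Returns (target relative to root, flags)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "run"))
    os.makedirs(os.path.join(root, "image", "usr", "sbin"))
    src = os.path.join(root, "run", "john")
    with open(src, "wb") as f:
        f.write(b"#!/bin/sh\n")  # unmarked stand-in for the john binary
    target, flags = install_with_pax_flags(src, os.path.join(root, "image", "usr", "sbin"))
    shutil.rmtree(root)
    return os.path.relpath(target, root), flags
```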
I can confirm that the patch fixes the johntheripper build failure
Created attachment 379616: patch with fix as well as added a test case

This fixes the issue for me. The test case fails without the basename patch and succeeds with it. Can someone else confirm the test script?
(In reply to Jason Zaman from comment #4)
> Created attachment 379616: patch with fix as well as added a test case
>
> This fixes the issue for me. The test case fails without the basename patch
> and succeeds with it. Can someone else confirm the test script?

Committed.
http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=commit;h=18586b8eef2dee0f432d7f57b642fa177aebc788

Keep testing with install-xattr-9999.ebuild so we don't hit the same bug again.