preinst_selinux_labels() in misc-functions.sh is called after build to set the SELinux labels before merging. There are a couple of issues.

musl libc does getopt differently, so the order of args to setfiles needs fixing to work there (patch 0002).

The /selinux path has not been used in many, many years, so it can be removed; only /sys/fs/selinux is needed (patch 0001).

The last issue is that SELinux doesn't allow LD_PRELOAD across domain transitions by default, so every time a package is installed this message appears:

>>> Setting SELinux security labels
ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored.

There is no real harm, it's just not that nice. More info here:
http://blog.siphos.be/2011/04/selinux-and-noatsecure-or-why-portage-complains-about-ld_preload-and-libsandbox-so/

I'd rather not allow the permission in the policy since it's not required, so the better option is probably to not sandbox that function in the first place. Whether or not to sandbox the other functions that run together with it is up to you.

Reproducible: Always
Created attachment 531970: 0001-misc-functions-selinux-is-gone-in-favour-of-sys-fs-s.patch
Created attachment 531972: 0002-misc-functions-fix-selinux-labelling-on-musl.patch
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/portage.git/commit/?id=6c32161a8a2db662c49c7763803a4219fd994612

commit 6c32161a8a2db662c49c7763803a4219fd994612
Author: Jason Zaman <perfinion@gentoo.org>
AuthorDate: 2018-05-18 04:07:24 +0000
Commit: Zac Medico <zmedico@gentoo.org>
CommitDate: 2018-05-18 16:06:39 +0000

    misc-functions: fix selinux labelling on musl

    musl's implementation of getopt is different from glibc's in that it
    does not accept flags after non-flag arguments, moving the flags earlier
    makes SELinux labelling work on musl also.

    Bug: https://bugs.gentoo.org/655996
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>

 bin/misc-functions.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/proj/portage.git/commit/?id=7bbbee4c03367c09ec9cb19737066c781f28c06d

commit 7bbbee4c03367c09ec9cb19737066c781f28c06d
Author: Jason Zaman <perfinion@gentoo.org>
AuthorDate: 2018-05-18 04:05:29 +0000
Commit: Zac Medico <zmedico@gentoo.org>
CommitDate: 2018-05-18 16:05:56 +0000

    misc-functions: /selinux is gone in favour of /sys/fs/selinux

    It was moved to /sys/fs/selinux/ long ago and not supported anymore

    Bug: https://bugs.gentoo.org/655996
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>

 bin/misc-functions.sh | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
(In reply to Jason Zaman from comment #0)
> The last issue is that SELinux doesn't allow LD_PRELOAD across domain
> transitions by default so every time a package is installed this message
> appears:
>
> >>> Setting SELinux security labels
> ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded:
> ignored.
>
> There is no real harm, it's just not that nice. more info here:
> http://blog.siphos.be/2011/04/selinux-and-noatsecure-or-why-portage-complains-about-ld_preload-and-libsandbox-so/
>
> I'd rather not allow the permission in the policy since it's not required so
> the better option is to probably not sandbox that function in the first
> place. Whether or not to sandbox the other functions that run together with
> it is up to you.

Patch posted for review:

https://archives.gentoo.org/gentoo-portage-dev/message/911e6ea5d75d04d3f4bdf6bb0e9b16d8
https://github.com/gentoo/portage/pull/321
Created attachment 532540: preinst_selinux_labels: disable LD_PRELOAD sandbox
(In reply to Zac Medico from comment #4)
> Patch posted for review:
>
> https://archives.gentoo.org/gentoo-portage-dev/message/911e6ea5d75d04d3f4bdf6bb0e9b16d8
> https://github.com/gentoo/portage/pull/321

Confirming, it works great now :)

>>> Installing (1 of 1) games-misc/cowsay-3.03-r2::gentoo
 * checking 51 files for package collisions
>>> Merging games-misc/cowsay-3.03-r2 to /
>>> Setting SELinux security labels
--- /usr/
[snip]
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/portage.git/commit/?id=ef99f7e9e0e0b4d0ae20b6964b1efbee4c49fdaa

commit ef99f7e9e0e0b4d0ae20b6964b1efbee4c49fdaa
Author: Zac Medico <zmedico@gentoo.org>
AuthorDate: 2018-05-18 03:57:59 +0000
Commit: Zac Medico <zmedico@gentoo.org>
CommitDate: 2018-05-21 16:57:42 +0000

    preinst_selinux_labels: disable LD_PRELOAD sandbox (bug 655996)

    Since SELinux does not allow LD_PRELOAD across domain transitions,
    disable the LD_PRELOAD sandbox for preinst_selinux_labels.

    Bug: https://bugs.gentoo.org/655996
    Tested-by: Jason Zaman <perfinion@gentoo.org>

 pym/_emerge/EbuildPhase.py | 30 +++++++++++++++++++++++++++++-
 pym/_emerge/MiscFunctionsProcess.py | 6 +++++-
 pym/portage/package/ebuild/doebuild.py | 28 +++++++++++++++++++++-------
 3 files changed, 55 insertions(+), 9 deletions(-)
Great, thanks for testing!
Fixed in portage-2.3.40-r1.