86373 – (selinux) can not emerge apache-2.0.53

Bug 86373 - (selinux) can not emerge apache-2.0.53

Summary: (selinux) can not emerge apache-2.0.53

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Hardened (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	SE Linux Bugs

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2005-03-23 04:49 UTC by Konstantin Arkhipov (RETIRED)
Modified:	2005-03-23 06:55 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Konstantin Arkhipov (RETIRED) gentoo-dev

2005-03-23 04:49:43 UTC

emerge fails to compile apache:

Making all in srclib
make[1]: Entering directory `/var/tmp/portage/apache-2.0.53/work/httpd-2.0.53/srclib'
Making all in pcre
make[2]: Entering directory `/var/tmp/portage/apache-2.0.53/work/httpd-2.0.53/srclib/pcre'
make[3]: Entering directory `/var/tmp/portage/apache-2.0.53/work/httpd-2.0.53/srclib/pcre'
/usr/share/apr-0/build/libtool --silent --mode=compile x86_64-pc-linux-gnu-gcc  -pthread  -O2 -march=opteron -mtune=opteron -funroll-loops -pipe -ftracer  -DLINUX=2 -D_REENTRANT -D_XOPEN_SOURCE=500 -D_BSD_SOURCE -D_SVID_SOURCE -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -DAP_HAVE_DESIGNATED_INITIALIZER   -I/usr/include/apr-0 -I. -I/var/tmp/portage/apache-2.0.53/work/httpd-2.0.53/os/unix -I/var/tmp/portage/apache-2.0.53/work/httpd-2.0.53/server/mpm/prefork -I/var/tmp/portage/apache-2.0.53/work/httpd-2.0.53/modules/http -I/var/tmp/portage/apache-2.0.53/work/httpd-2.0.53/modules/filters -I/var/tmp/portage/apache-2.0.53/work/httpd-2.0.53/modules/proxy -I/var/tmp/portage/apache-2.0.53/work/httpd-2.0.53/include -I/var/tmp/portage/apache-2.0.53/work/httpd-2.0.53/modules/generators -I/usr/include/openssl -I/var/tmp/portage/apache-2.0.53/work/httpd-2.0.53/modules/dav/main  -c maketables.c && touch maketables.lo
/usr/share/apr-0/build/libtool --silent --mode=compile x86_64-pc-linux-gnu-gcc  -pthread  -O2 -march=opteron -mtune=opteron -funroll-loops -pipe -ftracer  -DLINUX=2 -D_REENTRANT -D_XOPEN_SOURCE=500 -D_BSD_SOURCE -D_SVID_SOURCE -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -DAP_HAVE_DESIGNATED_INITIALIZER   -I/usr/include/apr-0 -I. -I/var/tmp/portage/apache-2.0.53/work/httpd-2.0.53/os/unix -I/var/tmp/portage/apache-2.0.53/work/httpd-2.0.53/server/mpm/prefork -I/var/tmp/portage/apache-2.0.53/work/httpd-2.0.53/modules/http -I/var/tmp/portage/apache-2.0.53/work/httpd-2.0.53/modules/filters -I/var/tmp/portage/apache-2.0.53/work/httpd-2.0.53/modules/proxy -I/var/tmp/portage/apache-2.0.53/work/httpd-2.0.53/include -I/var/tmp/portage/apache-2.0.53/work/httpd-2.0.53/modules/generators -I/usr/include/openssl -I/var/tmp/portage/apache-2.0.53/work/httpd-2.0.53/modules/dav/main  -c get.c && touch get.lo
/bin/sh: /usr/share/apr-0/build/libtool: /bin/sh: bad interpreter: Permission denied
/usr/share/apr-0/build/libtool --silent --mode=compile x86_64-pc-linux-gnu-gcc  -pthread  -O2 -march=opteron -mtune=opteron -funroll-loops -pipe -ftracer  -DLINUX=2 -D_REENTRANT -D_XOPEN_SOURCE=500 -D_BSD_SOURCE -D_SVID_SOURCE -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -DAP_HAVE_DESIGNATED_INITIALIZER   -I/usr/include/apr-0 -I. -I/var/tmp/portage/apache-2.0.53/work/httpd-2.0.53/os/unix -I/var/tmp/portage/apache-2.0.53/work/httpd-2.0.53/server/mpm/prefork -I/var/tmp/portage/apache-2.0.53/work/httpd-2.0.53/modules/http -I/var/tmp/portage/apache-2.0.53/work/httpd-2.0.53/modules/filters -I/var/tmp/portage/apache-2.0.53/work/httpd-2.0.53/modules/proxy -I/var/tmp/portage/apache-2.0.53/work/httpd-2.0.53/include -I/var/tmp/portage/apache-2.0.53/work/httpd-2.0.53/modules/generators -I/usr/include/openssl -I/var/tmp/portage/apache-2.0.53/work/httpd-2.0.53/modules/dav/main  -c study.c && touch study.lo
make[3]: *** [maketables.lo] Error 126
make[3]: *** Waiting for unfinished jobs....
/bin/sh: /usr/share/apr-0/build/libtool: /bin/sh: bad interpreter: Permission denied
make[3]: *** [get.lo] Error 126
/bin/sh: /usr/share/apr-0/build/libtool: /bin/sh: bad interpreter: Permission denied
make[3]: *** [study.lo] Error 126
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/var/tmp/portage/apache-2.0.53/work/httpd-2.0.53/srclib/pcre'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/var/tmp/portage/apache-2.0.53/work/httpd-2.0.53/srclib'
make: *** [all-recursive] Error 1

dmesg:

audit(1111581325.463:0): avc:  denied  { execute } for  pid=23655 exe=/bin/bash name=libtool dev=sda2 ino=67115406 scontext=voxus:sysadm_r:portage_t tcontext=system_u:object_r:usr_t tclass=file
audit(1111581336.437:0): avc:  denied  { execute } for  pid=4229 exe=/bin/bash name=libtool dev=sda2 ino=67115406 scontext=voxus:sysadm_r:portage_t tcontext=system_u:object_r:usr_t tclass=file
audit(1111581336.441:0): avc:  denied  { execute } for  pid=8025 exe=/bin/bash name=libtool dev=sda2 ino=67115406 scontext=voxus:sysadm_r:portage_t tcontext=system_u:object_r:usr_t tclass=file
audit(1111581336.442:0): avc:  denied  { execute } for  pid=2912 exe=/bin/bash name=libtool dev=sda2 ino=67115406 scontext=voxus:sysadm_r:portage_t tcontext=system_u:object_r:usr_t tclass=file

emerge info:

Portage 2.0.51.19 (selinux/2004.1/amd64/lib64, gcc-3.4.3, glibc-2.3.4.20041102-r1, 2.6.11-hardened-r1 x86_64)
=================================================================
System uname: 2.6.11-hardened-r1 x86_64 AMD Opteron(tm) Processor 248
Gentoo Base System version 1.4.16
Python:              dev-lang/python-2.3.4-r1 [2.3.4 (#1, Mar 13 2005, 22:02:37)]
dev-lang/python:     2.3.4-r1
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.5, 1.8.5-r3, 1.6.3, 1.7.9-r1, 1.4_p6, 1.9.4
sys-devel/binutils:  2.15.92.0.2-r1
sys-devel/libtool:   1.5.10-r4
virtual/os-headers:  2.6.8.1-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=opteron -mtune=opteron -funroll-loops -pipe -ftracer"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=x86-64 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache distlocks loadpolicy relabel sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://z80.rdw.ru/gentoo-portage"
USE="amd64 bash-completion crypt emul-linux-x86 nptl nptlonly pam readline selinux ssl threads userlocales zlib"
Unset:  ASFLAGS, CBUILD, CTARGET, LANG, LC_ALL, LDFLAGS, PORTDIR_OVERLAY

grep apache /etc/portage/*:
/etc/portage/package.keywords:net-www/apache                    ~amd64
/etc/portage/package.use:>=net-www/apache-2             apache2 mpm-threadpool mpm-worker mpm-prefork


Reproducible: Always
Steps to Reproduce:
1. emerge apache
2.
3.

Actual Results:  
emerge fails

Expected Results:  
successful emerging

Comment 1 petre rodan (RETIRED) gentoo-dev

2005-03-23 04:58:41 UTC

it should be fixed by selinux-base-policy-20050322

Comment 2 Konstantin Arkhipov (RETIRED) gentoo-dev

2005-03-23 05:08:45 UTC

o root # qpkg -I -v selinux-base-policy
sec-policy/selinux-base-policy-20050322

Comment 3 petre rodan (RETIRED) gentoo-dev

2005-03-23 06:43:34 UTC

in types.fc, do
-/usr/share/apr-0/build/.*\.sh -- system_u:object_r:bin_t
+/usr/share/apr-0/build/.* -- system_u:object_r:bin_t

if pebenito agrees, he might include it in the next base-policy

Comment 4 Konstantin Arkhipov (RETIRED) gentoo-dev

2005-03-23 06:55:09 UTC

yep, that works.
thanks, Petre. :-)