
Bug 184520

Summary: >sys-apps/portage-2.1.2.2 - child process segfaults
Product: Portage Development
Reporter: petre rodan (RETIRED) <kaiowas>
Component: Core - External Interaction
Assignee: Portage team <dev-portage>
Status: RESOLVED NEEDINFO
Severity: major
CC: betelgeuse, kanelxake, selinux, toni.kaufmann
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Runtime testing required: ---

Description petre rodan (RETIRED) gentoo-dev 2007-07-07 17:25:53 UTC
any portage newer than 2.1.2.2 makes the semodule process segfault. 2.1.2.2 does not have this unwanted behavior.

semodule is called by selinux-policy-2_pkg_postinst (selinux-policy-2.eclass)

it might end up being a bug in semodule (sys-apps/policycoreutils-1.34.1), but why does it work manually and with older portage versions?

# emerge selinux-openvpn
[..]
libsemanage.semanage_exec_prog: Child process /usr/sbin/load_policy did not
exit cleanly.
libsemanage.semanage_reload_policy: load_policy returned error code -1.
libsemanage.semanage_exec_prog: Child process /usr/sbin/load_policy did not
exit cleanly.
libsemanage.semanage_reload_policy: load_policy returned error code -1.
semodule:  Failed!

dmesg reads:
grsec: From censored: signal 11 sent to /usr/sbin/semodule[semodule:20900]
uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/semodule[semodule:20899]
uid/euid:0/0 gid/egid:0/0
grsec: From censored: denied resource overstep by requesting 4096 for
RLIMIT_CORE against limit 0 for /usr/sbin/semodule[semodule:20900] uid/euid:0/0
gid/egid:0/0, parent /usr/sbin/semodule[semodule:20899] uid/euid:0/0
gid/egid:0/0

but if I do a manual
# cd /usr/share/selinux/strict
# semodule -s strict -i openvpn.pp # exits cleanly
# semodule -l | grep openvpn
openvpn 1.1.2

the machine is in permissive mode

akara ~ # emerge --info
Portage 2.1.2.9 (selinux/x86, gcc-3.4.6, glibc-2.5-r4, 2.6.21-hardened-r2-a043
i686)
=================================================================
System uname: 2.6.21-hardened-r2-a043 i686 Intel(R) Pentium(R) 4 CPU 3.00GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Sat, 07 Jul 2007 14:20:01 +0000
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.23b
virtual/os-headers:  2.6.8.1-r1, 2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/qmail/alias /var/qmail/control /var/service"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -pipe"
DISTDIR="/local/portage/distfiles"
FEATURES="buildpkg collision-protect distlocks loadpolicy metadata-transfer
sandbox selinux sesandbox sfperms strict userpriv usersandbox"
GENTOO_MIRRORS="ftp://ftp.roedu.net/pub/mirrors/gentoo.org
ftp://ftp.lug.ro/gentoo http://gentoo.oregonstate.edu
http://www.ibiblio.org/pub/Linux/distributions/gentoo"
PKGDIR="/local/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --delete-after --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/local/portage/build"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/local/portage/overlay"
SYNC="rsync://mirrors.bu.avira.com/gentoo-portage"
USE="bzip2 caps crypt hardened nptl nptlonly pam pic readline selinux sse sse2
ssl unicode utf8 x86 zlib" ELIBC="glibc" KERNEL="linux" USERLAND="GNU"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS,
LINGUAS, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS,
PORTAGE_RSYNC_EXTRA_OPTS
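
As a triage aid for the dmesg excerpt in the description (an added example, not part of the original report and not Portage or grsecurity code): this Python code pairs each grsec signal line with a later RLIMIT_CORE denial for the same PID, so the core-dump refusal is read as a follow-on of the crash rather than a second fault. The regexes assume the message layout quoted above; `triage` and its record fields are hypothetical names.

```python
import re

# Sample kernel log lines in the layout quoted in the report, rejoined onto
# single lines ("censored" stands in for the source address, as on the page).
SAMPLE_DMESG = """\
grsec: From censored: signal 11 sent to /usr/sbin/semodule[semodule:20900] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/semodule[semodule:20899] uid/euid:0/0 gid/egid:0/0
grsec: From censored: denied resource overstep by requesting 4096 for RLIMIT_CORE against limit 0 for /usr/sbin/semodule[semodule:20900] uid/euid:0/0 gid/egid:0/0, parent /usr/sbin/semodule[semodule:20899] uid/euid:0/0 gid/egid:0/0
"""

# "/path/to/exe[comm:pid]" as grsec prints a process, then its parent.
PROC = r"(?P<exe>/\S+)\[(?P<comm>[^:\]]+):(?P<pid>\d+)\]"
PARENT = r"parent (?P<pexe>/\S+)\[[^:\]]+:(?P<ppid>\d+)\]"
SIGNAL_RE = re.compile(
    r"grsec: .*?signal (?P<sig>\d+) sent to " + PROC + r".*?" + PARENT)
RLIMIT_RE = re.compile(
    r"grsec: .*?denied resource overstep by requesting (?P<req>\d+) for "
    r"(?P<res>RLIMIT_\w+) against limit (?P<lim>\d+) for " + PROC)


def triage(log_text):
    """Return one record per process that received a signal, keyed by PID."""
    crashes = {}
    for line in log_text.splitlines():
        m = SIGNAL_RE.search(line)
        if m:
            crashes[int(m["pid"])] = {
                "exe": m["exe"],
                "signal": int(m["sig"]),
                "parent_exe": m["pexe"],
                "parent_pid": int(m["ppid"]),
                # True when the crashing process is a forked copy of its parent.
                "forked_child": m["exe"] == m["pexe"],
                "core_dump_blocked": False,
            }
            continue
        m = RLIMIT_RE.search(line)
        if m and m["res"] == "RLIMIT_CORE" and int(m["pid"]) in crashes:
            # Follow-on event: the already-signalled process tried to write
            # a core file and the core size limit (0 here) refused it.
            crashes[int(m["pid"])]["core_dump_blocked"] = True
    return crashes


if __name__ == "__main__":
    for pid, record in triage(SAMPLE_DMESG).items():
        print(pid, record)
```
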

Comment 1 Zac Medico gentoo-dev 2007-07-08 01:36:38 UTC
I'm not sure why >2.1.2.2 would behave differently since there haven't been any changes in the way that the postinst phase is spawned.  The code path for that phase is the same whether you're running selinux or not since postinst runs with sesandbox disabled.

Comment 2 Petteri Räty (RETIRED) gentoo-dev 2007-07-24 15:35:43 UTC
I had segfaults under Portage too. I think that was after upgrading glibc etc and was solved by booting the machine. The server in question was not running selinux but it was running hardened kernel etc.

Comment 3 Zac Medico gentoo-dev 2007-08-01 22:16:58 UTC
I don't think this has anything to do with portage. Please reopen if you have more info.

Comment 4 Xake 2007-08-02 01:17:14 UTC
I do not know what more info you need than from portage 2.1.2.2
emerge -1 =portage-2.1.2.7 && emerge -1 selinux-base-policy
and you got the segfault,
emerge -1 portage-2.1.2.2 && emerge -1 selinux-base-policy
and everything works again.

I do not know *at all* what changed, but something must have changed that directly or indirectly handles selinux!


Portage 2.1.2.2 (selinux/2007.0/x86/hardened, gcc-4.1.2, glibc-2.6-r0, 2.6.21-hardened-r3 i686)
=================================================================
System uname: 2.6.21-hardened-r3 i686 Pentium III (Coppermine)
Gentoo Base System release 1.12.10
Timestamp of tree: Wed, 01 Aug 2007 17:20:01 +0000
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r6
sys-apps/sandbox:    1.2.18.1
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17.50.0.16
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.22-r2
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium3 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /opt/glftpd/etc /opt/glftpd/ftp-data /usr/lib/fax /var/spool/fax/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -march=pentium3 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks loadpolicy metadata-transfer parallel-fetch sandbox selinux sesandbox sfperms strict test"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/overlays/portage /usr/local/overlays/pieworld /usr/portage/local/layman/webapps-experimental"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="apache2 bash-completion berkdb bitmap-fonts bzip2 cli cracklib crypt cups curl dri fam fortran gdbm gmp gpm hardened hpn iconv ipv6 isdnlog jpeg keyutils libg++ logrotate midi mudflap mysql ncurses network-cron nls nonfsv4 nptl nptlonly offensive openmp pam parport pcre perl pic png pppd python readline reflection selinux sensord serial session slang spl srvdir sse ssl syslog tcpd test tiff truetype-fonts type1-fonts unicode unzip x86 xattr xinetd xorg zeroconf zip zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="none"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

Comment 5 Zac Medico gentoo-dev 2007-08-02 03:32:37 UTC
The only thing I see in the diff that's related to selinux is the way that the fetch phase is spawned. That code is only triggered for the fetch phase though, so it doesn't seem like it could have anything to do with a segfault during postinst.

If it's really related to something that portage is doing then you'll have to provide more information about why the segfault is happening and what portage can do to prevent it.

You might also try portage-2.1.2.11 or portage-2.1.3.1 to see if those make any difference.

Comment 6 Antoine Kaufmann 2007-08-02 10:53:01 UTC
*** Bug 187468 has been marked as a duplicate of this bug. ***

Comment 7 Antoine Kaufmann 2007-08-02 10:54:57 UTC
I had exactly the same problem. But for me it works with portage-2.1.3.1. Thanks!

Comment 8 Xake 2007-08-02 12:55:32 UTC
portage-2.1.2.11 does not work, portage-2.1.3 works.

Comment 9 Zac Medico gentoo-dev 2007-08-03 19:55:48 UTC
I'm still clueless on this one. Anyway, I'm glad to hear that 2.1.3 seems to work. If anybody has any idea what change may have triggered this then please comment.

Comment 10 Xake 2007-08-03 22:39:06 UTC
I do not know, but it was one of the changes between 2.1.2.2 and 2.1.2.3 (I tried the "dead" ebuild from portage cvs).
There are some changes picked up by portage -d in the output (except for postinst where the only diff is the error message), and after some ugly testing I am pretty sure that it is before the postinst portage made something not so good.
From portage-2.1.2.2 do a 'ebuild selinux-base-policy install' and from portage-2.1.2.3 doing the merge and postinst did not produce the errors as far as I could see.

However I have not and therefore will not spend more time on the issue. If it comes back in newer version I may.