| Summary: | sys-apps/sandbox-2.0 fails to compile due to /selinux/context violations | | |
|---|---|---|---|
| Product: | Gentoo/Alt | Reporter: | Peter Waller <p> |
| Component: | Prefix Support | Assignee: | Gentoo Prefix <prefix> |
| Status: | RESOLVED FIXED | | |
| Severity: | critical | CC: | me, sandbox, selinux |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | build.log | | |
Description

Peter Waller 2009-06-15 15:18:20 UTC

Created attachment 194792: build.log
The latest stable version is sys-apps/sandbox-1.6-r2 as can be seen here: http://packages.gentoo.org/package/sys-apps/sandbox

We either have to drop sandbox in prefix, or fix it voodoo style.

(In reply to comment #2)
> The latest stable version is sys-apps/sandbox-1.6-r2 as can be seen here:
>
> http://packages.gentoo.org/package/sys-apps/sandbox

Indeed, but 1.6 isn't in prefix, and the latest portage seems to require it.

I added 1.6-r2 now, with some luck...

@Peter: what linux are you on?

(In reply to comment #6)
> @Peter: what linux are you on?

Scientific Linux 4, a derivative of RHEL (4?). 32bit.

I'm bootstrapping a prefix with sandbox-2.0 on "Red Hat Enterprise Linux Server release 5.2 (Tikanga)", and had to add this to EPREFIX/etc/sandbox.conf to get things working:

+# Needed for selinux
+SANDBOX_WRITE="/selinux:/proc/self/task"

Looking at the error again it might have been enough to add "/selinux/context" though...

I don't know anything about selinux, but if libselinux really needs applications to screw around with /selinux/context, then that libselinux should be updated to install a sandbox.d file.

Well, libselinux isn't installed within Prefix (yet?), it is from the host system. So we either need to add /selinux/context in Prefix somehow, or sandbox knows itself. Maybe due to some configure check ("checking for selinux": test -d /selinux), although IMHO it shouldn't hurt to "addwrite /selinux/context" unconditionally.

I really don't want to add special casing for selinux to sandbox. I spent time getting all the special casing out. If you have selinux up & running on your system, doesn't it make sense to include libselinux in the prefix too?

A `test -d /...` would defeat cross-compiling and similar scenarios ... so it would have to be added all the time.

I'm coming in on this way late, but it is fine to allow write in /selinux since this is SELinux's pseudo filesystem (you can't create new files) which is strongly protected by policy.

I don't have a problem allowing /selinux/context across the board for sandbox because of that. So if it helps I can add a sandbox.d entry to the gentoo libselinux package. (I'm not familiar with prefix, so please excuse me if I'm off base.)

I think this issue no longer exists with recent versions.
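A small model of how a sandbox.conf / sandbox.d `SANDBOX_WRITE` entry is applied, added here as an illustration (it is not code from sandbox, libselinux or this bug). It assumes sandbox's simple path-prefix matching and uses the entry quoted in the thread to show why the broader `/selinux` entry also covers `/selinux/context`, while the narrower `/selinux/context` alone would not cover other files in the SELinux pseudo filesystem.

```python
import shlex
from typing import Dict, List

# Constructed sample: the sandbox.conf lines the reporter added, plus the
# narrower alternative mentioned in the follow-up comment.
SANDBOX_CONF_BROAD = '''
# Needed for selinux
SANDBOX_WRITE="/selinux:/proc/self/task"
'''
SANDBOX_CONF_NARROW = 'SANDBOX_WRITE="/selinux/context"\n'


def parse_sandbox_conf(text: str) -> Dict[str, List[str]]:
    """Parse KEY="a:b:c" lines into {KEY: [paths]}; comments and blank lines are skipped.
    Assumption: values are colon-separated path lists, as in sandbox.conf."""
    entries: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = "".join(shlex.split(value))  # drops the surrounding quotes
        paths = [p for p in value.split(":") if p]
        entries.setdefault(key.strip(), []).extend(paths)
    return entries


def _covers(prefix: str, path: str) -> bool:
    """Directory-prefix match (simplified model): '/selinux' covers '/selinux/context'."""
    prefix = prefix.rstrip("/") or "/"
    return path == prefix or path.startswith(prefix + "/")


def write_allowed(conf_text: str, path: str) -> bool:
    """Model of the sandbox decision: a write is permitted if the path lies under
    any SANDBOX_WRITE entry (the real sandbox consults further lists as well)."""
    allowed = parse_sandbox_conf(conf_text).get("SANDBOX_WRITE", [])
    return any(_covers(p, path) for p in allowed)


if __name__ == "__main__":
    targets = ("/selinux/context", "/selinux/enforce",
               "/proc/self/task/42/attr/current", "/etc/passwd")
    for label, conf in (("broad", SANDBOX_CONF_BROAD), ("narrow", SANDBOX_CONF_NARROW)):
        for target in targets:
            verdict = "allowed" if write_allowed(conf, target) else "DENIED"
            print(f"{label:6} {target:34} {verdict}")
```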