Bug 384625

Summary:	Broken setfile prevents emerge of sys-apps/policycoreutils to fix issue
Product:	Gentoo Linux	Reporter:	MarisN <maris.gis>
Component:	Hardened	Assignee:	Robin Johnson <robbat2>
Status:	RESOLVED FIXED
Severity:	normal	CC:	selinux, swift
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---

Description MarisN 2011-09-27 08:16:09 UTC

After emerge world, policycoreutils required to be rebuilt, still it was not possible as setfile produces error during qmerge of policycoreutils thus preventing revdep-rebuild from fixing system.

Reproducible: Always

Steps to Reproduce:
1. Accidentaly break setfile (i.e. by upgrading it's dependencies and thus leading into "error while loading shared libraries")
2. Run emerge policycoreutils or revdep-rebuild to fix the issue.
3. Observe how step #2 fails as qmerge step requires working setfile.
Actual Results:  
Impossible to fix system without manual intervention (copying compiled setfile manually to /sbin and then restarting emerge process).

Expected Results:  
emerge world should not leave system in half-broken state. There should be a way how to emerge policycoreutils if existing policycoreutils have become bad due to other system part upgrades.

emerge --info
Portage 2.1.10.19 (selinux/v2refpolicy/amd64/hardened, gcc-4.5.3, glibc-2.13-r4, 2.6.39-hardened-r4 x86_64)
=================================================================
System uname: Linux-2.6.39-hardened-r4-x86_64-Intel-R-_Xeon-R-_CPU_5110_@_1.60GHz-with-gentoo-2.0.3
Timestamp of tree: Tue, 27 Sep 2011 07:15:01 +0000
app-shells/bash:          4.2_p10
dev-lang/python:          2.5.4-r4, 2.7.2-r3, 3.1.3-r1, 3.2-r2
dev-util/cmake:           2.8.5-r2
dev-util/pkgconfig:       0.26
sys-apps/baselayout:      2.0.3
sys-apps/openrc:          0.9.3-r1
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.13::<unknown repository>, 2.68
sys-devel/automake:       1.4_p6::<unknown repository>, 1.5::<unknown repository>, 1.6.3::<unknown repository>, 1.7.9-r1, 1.8.5-r3::<unknown repository>, 1.9.6-r2, 1.10.3, 1.11.1-r1
sys-devel/binutils:       2.21.1-r1
sys-devel/gcc:            3.4.6-r2, 4.3.5, 4.4.5, 4.5.3-r1
sys-devel/gcc-config:     1.4.1-r1
sys-devel/libtool:        2.4-r3
sys-devel/make:           3.82-r3
sys-kernel/linux-headers: 2.6.39 (virtual/os-headers)
sys-libs/glibc:           2.13-r4
Repositories: gentoo sunrise x-portage
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -fomit-frame-pointer -march=nocona"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.2/ext-active/ /etc/php/apache2-php5.3/ext-active/ /etc/php/cgi-php5.2/ext-active/ /etc/php/cgi-php5.3/ext-active/ /etc/php/cli-php5.2/ext-active/ /etc/php/cli-php5.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -fomit-frame-pointer -march=nocona"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs distlocks ebuild-locks fixlafiles fixpackages news parallel-fetch sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS=""
GENTOO_MIRRORS="http://gentoo.tups.lv/source http://ftp.linux.ee/pub/gentoo/distfiles"
LANG="en_US.UTF-8"
LC_ALL="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/sunrise /root/portage"
SYNC="rsync://gentoo.tups.lv/gentoo-portage"
USE="amd64 apache2 berkdb cli cracklib crypt cxx dri fortran hardened iconv ipv6 jfs jpeg logrotate modules mudflap multilib mysql ncurses nls openmp pam pcre perl pic png pppd python readline selinux session ssl syslog tcpd unicode urandom usb vhosts xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_default authn_file authz_default authz_host authz_user autoindex cache cgi deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif so speling unique_id userdir usertrack vhost_alias status" APACHE2_MPMS="prefork" CALLIGRA_FEATURES="kexi words flow plan stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nouveau nv r128 radeon savage sis tdfx trident vesa dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LINGUAS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

Comment 1 Sven Vermeulen (RETIRED) gentoo-dev

2011-09-27 18:04:02 UTC

Does rebuilding with FEATURES="-selinux" work?

Comment 2 MarisN 2011-09-28 07:45:57 UTC

(In reply to comment #1)
> Does rebuilding with FEATURES="-selinux" work?
Can't check, as I fixed system by copying compiled setfiles file and reruning emerge.

Comment 3 Sven Vermeulen (RETIRED) gentoo-dev

2011-10-02 17:09:14 UTC

You don't happen to have any output logs of failures? I'm interesting in knowing what exactly failed.

Comment 4 MarisN 2011-10-03 07:09:44 UTC

(In reply to comment #3)
> You don't happen to have any output logs of failures? I'm interesting in
> knowing what exactly failed.

Unfortunately I was too worried about getting my system back into shape and was not thinking about later failure analysis :(

Judging by my emerge.log, failure was caused by emerge world doing an upgrade from sys-process/audit-1.7.4 to sys-process/audit-2.1.3

Here are steps to reproduce issue:
emerge =sys-process/audit-1.7.4
setfiles <- now this command fails. Let's fix it by reemerging it:
emerge sys-apps/policycoreutils
>>> Setting SELinux security labels
/usr/sbin/setfiles: error while loading shared libraries: libaudit.so.1: cannot open shared object file: No such file or directory

Comment 5 Sven Vermeulen (RETIRED) gentoo-dev

2011-10-05 17:47:32 UTC

Aha, thanks.

I'll check what we can do about this, but I think it'll be a documentation enhancement (can't imagine an immediate solution to make sure this never happens, unless we can temporarily keep the "old" so files, rebuild, hope they link with the "new" so files and only then remove it).

Comment 6 MarisN 2011-10-07 13:46:09 UTC

I'm not familiar with setfiles and how portage uses it, still wouldn't be possible to use a new setfiles version to run it after emerging of policycoreutils and thus relay only on known good version of file?
(In reply to comment #5)
> Aha, thanks.
> 
> I'll check what we can do about this, but I think it'll be a documentation
> enhancement (can't imagine an immediate solution to make sure this never
> happens, unless we can temporarily keep the "old" so files, rebuild, hope they
> link with the "new" so files and only then remove it).

Comment 7 Sven Vermeulen (RETIRED) gentoo-dev

2011-10-08 11:41:17 UTC

Not really; the "new" setfiles would be built by policycoreutils, and portage would first need to relabel it before it can use it. But since the old setfiles doesn't work, and the new setfiles isn't properly labeled, you'll hit the same problem anyhow.

I think the best way to go forward is to use FEATURES="-selinux" emerge policycoreutils, something we do during the SELinux installation as well. Then, you can use "rlpkg policycoreutils" to relabel the package. The rlpkg package uses the python bindings rather than the setfiles command so probably suffices in this case. But that's based on (insufficient) knowledge, so I'll first see if I can reproduce ;)

Comment 8 Sven Vermeulen (RETIRED) gentoo-dev

2011-10-08 16:56:49 UTC

Okay, easily reproduceable.

For starters, I'll document this as a FAQ using the following text:

>>>
Portage fails to label files because "setfiles" does not work anymore

Portage uses the setfiles command to set the labels of the files it installs. However, that command is a dynamically linked executable, so any update in its depending libraries (libselinux.so, libsepol.so, libaudit.so and of course libc.so) might cause for the application to fail. Gentoo's standard solution (revdep-rebuild) will not work, since the tool will try to rebuild policycoreutils, which will fail to install because Portage cannot set the file labels.

The solution is to rebuild policycoreutils while disabling Portage' selinux support, then label the installed files manually using chcon, based on the feedback received from matchpathcon.

Code Listing 5.14: Recovering from Portage installation failures

# FEATURES="-selinux" emerge --oneshot policycoreutils
# for FILE in $(qlist policycoreutils); do \
CONTEXT=$(matchpathcon -n ${FILE}) chcon ${CONTEXT} ${FILE}; done
<<<

I'll see if we can somehow provide a technical fix as well, but I'm not sure there is (a proper) one.

Comment 9 Sven Vermeulen (RETIRED) gentoo-dev

2011-10-08 17:11:49 UTC

Robin,

Is it possible for sys-process/audit to preserve_old_lib on /usr/lib(64)?/libaudit.so.0 ? If the file disappears during the audit upgrade, setfiles breaks, which causes Portage to break on SELinux.

Comment 10 Sven Vermeulen (RETIRED) gentoo-dev

2014-02-02 12:35:01 UTC

This is now handled by FEATURES="preserve-lib" so we can continue safely now ;-)