| Summary: | gnustep-base/gnustep-base-1.22.1 fails to emerge on ~amd64/selinux with enforcing | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Amadeusz Sławiński <amade> |
| Component: | Hardened | Assignee: | Sven Vermeulen (RETIRED) <swift> |
| Status: | VERIFIED FIXED | | |
| Severity: | normal | CC: | selinux |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | build.log | | |

Description
Amadeusz Sławiński
2012-02-01 21:52:56 UTC
Created attachment 300725
build.log
gnustep-gui, gnustep-back-cairo (all of them with gnustep-base are pulled by virtual/gnustep-back) also fail in a similar way.

What is the content of /usr/share/GNUstep/Makefiles? If all the files inside it are meant to be executable files, then try the following:

~# semanage fcontext -a -t bin_t "/usr/share/GNUstep/Makefiles/.*"
~# restorecon -R /usr/share/GNUstep/Makefiles

Then try again (and validate that "ls -lZ" against the files shows bin_t, not usr_t).

The current issue is that the files are marked as usr_t files, which aren't meant to be executed. The above statements will register that path for binary files (semanage) and update the contexts (restorecon).

Seems to work even if I only change the print_unique_pathlist.sh and mkinstalldirs type to bin_t.

However, just in case, I include a short analysis of the files found on my system. Not all files inside /usr/share/GNUstep/Makefiles seem to be executables; for example, *.make are makefiles and probably should not be bin_t. There are a few non-executable *.sh ones with comments indicating that they need to be sourced. And a few folders.

So on my system, after a fresh gnustep install, the files marked as executable are:

app-wrapper.template
clean_cpu.sh
clean_os.sh
clean_vendor.sh
config.guess
config.sub
cpu.sh
executable.template
fixpath.sh
install-sh
java-executable.template
mkinstalldirs
os.sh
print_unique_pathlist.sh
relative_path.sh
strip_makefiles.sh
vendor.sh
TestFramework/Summary.sh

Sourcing doesn't need bin_t, but direct execution will. I'll add in the mkinstalldirs and *.sh for bin_t.

in hardened-dev overlay

In main tree, ~arch'ed

Stable
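
A read-only check for the situation discussed in this report, as an added example that is not part of the bug thread or of the Gentoo policy: it lists files that are executable by mode and reports those whose SELinux type is not bin_t. The function names and the sample labels are constructed for illustration; audit_dir assumes GNU stat on an SELinux-enabled system.

```shell
#!/bin/sh
# Added example: find files that are executable by mode but do not carry
# the bin_t SELinux type (the mismatch described in this report).

# Print regular files under $1 that have the owner-execute bit set.
list_exec_files() {
    find "$1" -type f -perm -0100 | sort
}

# Read "path<TAB>context" lines on stdin and print every path whose type
# (third field of user:role:type[:level]) differs from the wanted type $1.
not_labelled() {
    awk -F '\t' -v want="$1" '{
        split($2, ctx, ":")
        if (ctx[3] != want) print $1 " (" ctx[3] ")"
    }'
}

# Live check: pair each executable file with its context (%C in GNU stat)
# and keep the ones that are not bin_t. Changes nothing on disk.
audit_dir() {
    list_exec_files "$1" | while IFS= read -r f; do
        stat --printf '%n\t%C\n' "$f"
    done | not_labelled bin_t
}

# Constructed sample in the same "path<TAB>context" format, so the filter
# can be tried on a machine without SELinux. The labels are made up.
sample_labels() {
    printf '%s\t%s\n' \
        /usr/share/GNUstep/Makefiles/mkinstalldirs system_u:object_r:bin_t \
        /usr/share/GNUstep/Makefiles/os.sh system_u:object_r:usr_t \
        /usr/share/GNUstep/Makefiles/config.guess system_u:object_r:usr_t:s0
}

# Usage: sh this-script /usr/share/GNUstep/Makefiles
if [ "$#" -gt 0 ]; then
    audit_dir "$1"
fi
```

Files that are only sourced do not have the execute bit in the listing above, so they are skipped and keep their existing label.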