Bug 48451

Summary:	tcp-wrappers SELinux polic'ed fails to compile!
Product:	Gentoo Linux	Reporter:	Alexander Ivanchev <alexander>
Component:	Hardened	Assignee:	Chris PeBenito (RETIRED) <pebenito>
Status:	RESOLVED FIXED
Severity:	major	CC:	chris, jens, wschlich
Priority:	High
Version:	unspecified
Hardware:	x86
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---

Description Alexander Ivanchev 2004-04-20 05:08:37 UTC

That's an odd one.. I did a clean install with the latest 2.6 SELinux CD, and got a 2.6.5, glibc / NPTL, ~86 system up, HOWEVER, I faced an odd OpenSSH problem (unrelated I guess, but still...) I was able to login just one time, any further attempts, till reboot closed remotely (sshd-side). So. I decided to re-emerge tcp-wrappers to be one the safe-side, and...

dmz policy # emerge tcp-wrappers    
Calculating dependencies ...done!
>>> emerge (1 of 1) sys-apps/tcp-wrappers-7.6-r8 to /
>>> md5 src_uri ;-) tcp_wrappers_7.6.tar.gz
>>> md5 src_uri ;-) tcp-wrappers-7.6-r7-patches.tar.bz2
>>> Unpacking source...
>>> Unpacking tcp_wrappers_7.6.tar.gz to /var/tmp/portage/tcp-wrappers-7.6-r8/work
>>> Unpacking tcp-wrappers-7.6-r7-patches.tar.bz2 to /var/tmp/portage/tcp-wrappers-7.6-r8/work
 * Applying tcp-wrappers-7.6-makefile.patch.bz2...                                                                            [ ok ]
 * Applying various patches (bugfixes/updates)...
 *   01_all_redhat-bug11881.patch.bz2...                                                                                      [ ok ]
 *   02_all_redhat-bug17795.patch.bz2...                                                                                      [ ok ]
 *   03_all_wildcard.patch.bz2...                                                                                             [ ok ]
 *   04_all_fixgethostbyname.patch.bz2...                                                                                     [ ok ]
 *   07_all_sig.patch.bz2...                                                                                                  [ ok ]
 *   08_all_strerror.patch.bz2...                                                                                             [ ok ]
 * Done with patching
 * Applying tcp-wrappers-7.6-shared.patch.bz2...                                                                              [ ok ]
>>> Source unpacked.
make: *** [config-check] Error 1

!!! ERROR: sys-apps/tcp-wrappers-7.6-r8 failed.
!!! Function src_compile, Line 51, Exitcode 2
!!! (no error message)

--------------------------- ACCESS VIOLATION SUMMARY ---------------------------
LOG FILE = "/tmp/sandbox-sys-apps_-_tcp-wrappers-7.6-r8-27772.log"

open_wr:   /proc/self/attr/fscreate
--------------------------------------------------------------------------------

IT IS SELinux-related since, if the policy is not loaded compilation starts (and then aborts during install for lack of proper setfiles labels)

Reproducible: Always
Steps to Reproduce:
1.
2.
3.

Comment 1 Chris PeBenito (RETIRED) gentoo-dev

2004-04-20 07:30:28 UTC

*** Bug 48452 has been marked as a duplicate of this bug. ***

Comment 2 Chris PeBenito (RETIRED) gentoo-dev

2004-04-20 07:42:58 UTC

I can't reproduce this.  It doesn't make sense, either, because nothing touches /proc/self/attr/fscreate in config-check.  I need more information: denials, enforcing or permissive, etc.

Comment 3 Alexander Ivanchev 2004-04-20 07:52:39 UTC

Yes, I concur, it does NOT make any sense ;-) BUT, it happens... i tried

emerge -eD tcp-wrappers waited for 2 hours, and still... same thing happens

Enforcing is NOT set (z.e.r.o.), here go denials...

avc:  denied  { syslog_mod } for  pid=859 exe=/usr/sbin/syslog-ng scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:kernel_t tclass=system

avc:  denied  { rmdir } for  pid=2611 exe=/usr/bin/python2.3 name=temp dev=hda4 ino=32444 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:portage_tmp_t tclass=dir

avc:  denied  { unlink } for  pid=2628 exe=/bin/rm name=tcp-wrappers-7.6-r8.ebuild dev=hda4 ino=32474 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:portage_ebuild_t tclass=file

I'm really stumped...

Additionally here's what happens when SELinux is disabled:
dmz root # emerge tcp-wrappers
!!! SELinux not loaded: SELinux is not enabled.
Calculating dependencies ...done!
>>> emerge (1 of 1) sys-apps/tcp-wrappers-7.6-r8 to /
>>> md5 src_uri ;-) tcp_wrappers_7.6.tar.gz
>>> md5 src_uri ;-) tcp-wrappers-7.6-r7-patches.tar.bz2
>>> Unpacking source...
>>> Unpacking tcp_wrappers_7.6.tar.gz to /var/tmp/portage/tcp-wrappers-7.6-r8/work
>>> Unpacking tcp-wrappers-7.6-r7-patches.tar.bz2 to /var/tmp/portage/tcp-wrappers-7.6-r8/work
 * Applying tcp-wrappers-7.6-makefile.patch.bz2...                                                                            [ ok ]
 * Applying various patches (bugfixes/updates)...
 *   01_all_redhat-bug11881.patch.bz2...                                                                                      [ ok ]
 *   02_all_redhat-bug17795.patch.bz2...                                                                                      [ ok ]
 *   03_all_wildcard.patch.bz2...                                                                                             [ ok ]
 *   04_all_fixgethostbyname.patch.bz2...                                                                                     [ ok ]
 *   07_all_sig.patch.bz2...                                                                                                  [ ok ]
 *   08_all_strerror.patch.bz2...                                                                                             [ ok ]
 * Done with patching
 * Applying tcp-wrappers-7.6-shared.patch.bz2...                                                                              [ ok ]
>>> Source unpacked.
cp: setting attribute `security.selinux' for `build-info/tcp-wrappers-7.6-r8.ebuild': Invalid argument
make[1]: Entering directory `/var/tmp/portage/tcp-wrappers-7.6-r8/work/tcp_wrappers_7.6'

blah blah compile completes...

Comment 4 Chris PeBenito (RETIRED) gentoo-dev

2004-04-29 11:34:30 UTC

You're in system_u:system_r:kernel_t, which is not correct.  Is your policy being loaded on boot?

Comment 5 Wolfram Schlich (RETIRED) gentoo-dev

2004-06-03 23:26:13 UTC

I can confirm the problem.
Trying to install Gentoo from the latest available SELinux LiveCD:
livecd-2004.0-x86-selinux-nostages-20040227.iso
and with stage1-x86-selinux-20040211.tar.bz2 using
/usr/portage/profiles/selinux/2004.1/x86. Bootstrap done using
bootstrap-cascade.sh (had to "emerge --nodeps portage" before because
it was too old for cascaded profiles :-/).

While doing "emerge system":
--8<--
 * Applying tcp-wrappers-7.6-ipv6-1.14.diff.bz2...                                                                                                               [ ok ]
>>> Source unpacked.
ipv6
make: *** [config-check] Error 1

!!! ERROR: sys-apps/tcp-wrappers-7.6-r8 failed.
!!! Function src_compile, Line 53, Exitcode 2
!!! (no error message)

--------------------------- ACCESS VIOLATION SUMMARY ---------------------------
LOG FILE = "/tmp/sandbox-sys-apps_-_tcp-wrappers-7.6-r8-14183.log"

open_wr:   /proc/self/attr/fscreate
--------------------------------------------------------------------------------
--8<--

Comment 6 Wolfram Schlich (RETIRED) gentoo-dev

2004-06-03 23:27:20 UTC

The LiveCD kernel (2.6.3-gentoo-r1-livecd) was booted in permissive (!) mode.

Comment 7 Wolfram Schlich (RETIRED) gentoo-dev

2004-06-03 23:28:04 UTC

Well, FEATURES="-sandbox" does the trick.

Comment 8 Chris PeBenito (RETIRED) gentoo-dev

2004-07-03 09:49:50 UTC

Ok, figured this one out finally.  Its a broken coreutils patch; I'll close when seemant gets the fixed one out.

Comment 9 Chris PeBenito (RETIRED) gentoo-dev

2004-07-20 15:28:09 UTC

This should be fixed in coreutils-5.2.1-r1, which should hopefully be stable soon.

Comment 10 Bryan Stine (RETIRED) gentoo-dev

2004-07-28 15:23:59 UTC

*** Bug 58704 has been marked as a duplicate of this bug. ***

Comment 11 Chris PeBenito (RETIRED) gentoo-dev

2004-11-11 18:57:02 UTC

*** Bug 70346 has been marked as a duplicate of this bug. ***

Comment 12 Jorge Manuel B. S. Vicetto (RETIRED) gentoo-dev

2006-10-03 05:45:05 UTC

Hi.

Just want to let you know that I got the same issue here after updating my Portage tree.
Following Wolfram Schlich's suggestion of FEATURES="-sandbox" solved the issue.
Thanks,

Jorge.



hseahserv99 http-replicator # cat /usr/portage/metadata/timestamp
Sun Sep 24 01:39:24 UTC 2006

hseahserv99 http-replicator # qlist -Iv coreutils
sys-apps/coreutils-5.94-r1
sys-apps/policycoreutils-1.30-r1

hseahserv99 http-replicator # cat /var/log/sandbox/sandbox-sys-apps_-_tcp-wrappers-7.6-r8-15244.log 
open_wr:   /proc/self/attr/fscreate (symlink to /proc/15267/attr/fscreate)
open_wr:   /proc/self/attr/fscreate (symlink to /proc/15282/attr/fscreate)

I get no relevant info from /var/log/avc.log

I'm willing to do some tests here if it helps. I can also update the tree again to use some new version and see if the error persists.

Comment 13 Chris PeBenito (RETIRED) gentoo-dev

2007-04-20 13:38:04 UTC

*** Bug 175326 has been marked as a duplicate of this bug. ***

Comment 14 Chris PeBenito (RETIRED) gentoo-dev

2007-08-20 04:17:25 UTC

a fix has been applied to the selinux profiles for a while.  closing.