
Bug 514936

Summary: install-xattr fails with "No such file or directory" if the binary to be installed has already been pax-marked
Product: Gentoo Linux
Reporter: Jason Zaman <perfinion>
Component: SELinux
Assignee: SE Linux Bugs <selinux>
Status: RESOLVED UPSTREAM
Severity: blocker
CC: base-system, blueness
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 501534
Attachments:
  build.log with test enabled, resulting in a failure
  fix for install-xattr
  patch with fix as well as added a test case

Description Jason Zaman gentoo-dev 2014-06-24 15:41:27 UTC
Following the instructions from blueness' email [1] to make portage use install-xattr, I get a failure during the install phase.

[1]: http://article.gmane.org/gmane.linux.gentoo.hardened/6242

I have narrowed the issue down to install-xattr running inside portage_sandbox_t, which is denied capability sys_admin.

Steps to reproduce:
1) make sure selinux is in enforcing mode. (this might work in permissive too)
2) make sure FEATURES has both sesandbox and test enabled.
3) emerge johntheripper
4) failure during install phase

If FEATURES=test is turned off, johntheripper will install normally.
The difference seems to be that john paxmarks during src_test; install-xattr will work if there are no pax-marks on the binary already but will fail if they exist.

This will almost certainly require a new domain (e.g. portage_helper_t) which is allowed cap sys_admin and which portage_sandbox_t is allowed to transition to.

I get the following AVCs in audit.log:

type=AVC msg=audit(1403623979.254:4572): avc:  denied  { sys_admin } for  pid=8475 comm="install-xattr" capability=21  scontext=staff_u:sysadm_r:portage_sandbox_t tcontext=staff_u:sysadm_r:portage_sandbox_t tclass=capability
type=SYSCALL msg=audit(1403623979.254:4572): arch=c000003e syscall=194 success=yes exit=32 a0=3d853372509 a1=0 a2=0 a3=341d7c04618 items=1 ppid=8472 pid=8475 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="install-xattr" exe="/usr/bin/install-xattr" subj=staff_u:sysadm_r:portage_sandbox_t key=(null)
type=CWD msg=audit(1403623979.254:4572):  cwd="/var/tmp/portage/app-crypt/johntheripper-1.7.9-r6/work/john-1.7.9"
type=PATH msg=audit(1403623979.254:4572): item=0 name="run/john" inode=1369033 dev=00:1e mode=0100755 ouid=250 ogid=250 rdev=00:00 obj=staff_u:object_r:portage_tmp_t nametype=NORMAL
type=AVC msg=audit(1403623979.254:4573): avc:  denied  { sys_admin } for  pid=8475 comm="install-xattr" capability=21  scontext=staff_u:sysadm_r:portage_sandbox_t tcontext=staff_u:sysadm_r:portage_sandbox_t tclass=capability
type=SYSCALL msg=audit(1403623979.254:4573): arch=c000003e syscall=194 success=yes exit=32 a0=3d853372509 a1=2c24db6c30 a2=20 a3=341d7c04618 items=1 ppid=8472 pid=8475 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="install-xattr" exe="/usr/bin/install-xattr" subj=staff_u:sysadm_r:portage_sandbox_t key=(null)
type=CWD msg=audit(1403623979.254:4573):  cwd="/var/tmp/portage/app-crypt/johntheripper-1.7.9-r6/work/john-1.7.9"
type=PATH msg=audit(1403623979.254:4573): item=0 name="run/john" inode=1369033 dev=00:1e mode=0100755 ouid=250 ogid=250 rdev=00:00 obj=staff_u:object_r:portage_tmp_t nametype=NORMAL
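Each AVC above shares its audit serial (4572, 4573) with a SYSCALL record, and both SYSCALL records report success=yes; on x86_64 (arch=c000003e) syscall 194 is listxattr, so the sys_admin checks were audited while the call itself went through. The script below is an added example and is not part of this bug report or of elfix: it parses the eight records quoted above, joins each denial with its SYSCALL and PATH records, and reports whether the denied operation actually failed, which is the first thing to establish before writing policy for it. The syscall table is a constructed x86_64 subset covering the xattr family only.

```python
"""Correlate SELinux AVC denials with the SYSCALL/PATH records that share
their audit serial, to tell an audited capability probe from a real failure."""
import re
from collections import defaultdict

# The eight audit records quoted in the bug report (copied, not constructed).
AUDIT_LOG = r'''
type=AVC msg=audit(1403623979.254:4572): avc:  denied  { sys_admin } for  pid=8475 comm="install-xattr" capability=21  scontext=staff_u:sysadm_r:portage_sandbox_t tcontext=staff_u:sysadm_r:portage_sandbox_t tclass=capability
type=SYSCALL msg=audit(1403623979.254:4572): arch=c000003e syscall=194 success=yes exit=32 a0=3d853372509 a1=0 a2=0 a3=341d7c04618 items=1 ppid=8472 pid=8475 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="install-xattr" exe="/usr/bin/install-xattr" subj=staff_u:sysadm_r:portage_sandbox_t key=(null)
type=CWD msg=audit(1403623979.254:4572):  cwd="/var/tmp/portage/app-crypt/johntheripper-1.7.9-r6/work/john-1.7.9"
type=PATH msg=audit(1403623979.254:4572): item=0 name="run/john" inode=1369033 dev=00:1e mode=0100755 ouid=250 ogid=250 rdev=00:00 obj=staff_u:object_r:portage_tmp_t nametype=NORMAL
type=AVC msg=audit(1403623979.254:4573): avc:  denied  { sys_admin } for  pid=8475 comm="install-xattr" capability=21  scontext=staff_u:sysadm_r:portage_sandbox_t tcontext=staff_u:sysadm_r:portage_sandbox_t tclass=capability
type=SYSCALL msg=audit(1403623979.254:4573): arch=c000003e syscall=194 success=yes exit=32 a0=3d853372509 a1=2c24db6c30 a2=20 a3=341d7c04618 items=1 ppid=8472 pid=8475 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="install-xattr" exe="/usr/bin/install-xattr" subj=staff_u:sysadm_r:portage_sandbox_t key=(null)
type=CWD msg=audit(1403623979.254:4573):  cwd="/var/tmp/portage/app-crypt/johntheripper-1.7.9-r6/work/john-1.7.9"
type=PATH msg=audit(1403623979.254:4573): item=0 name="run/john" inode=1369033 dev=00:1e mode=0100755 ouid=250 ogid=250 rdev=00:00 obj=staff_u:object_r:portage_tmp_t nametype=NORMAL
'''.strip().splitlines()

# x86_64 (arch=c000003e) numbers for the xattr syscall family; a constructed
# subset of the full table, enough for the records above.
X86_64_SYSCALLS = {188: "setxattr", 189: "lsetxattr", 190: "fsetxattr",
                   191: "getxattr", 192: "lgetxattr", 193: "fgetxattr",
                   194: "listxattr", 195: "llistxattr", 196: "flistxattr",
                   197: "removexattr"}

HEADER = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<rest>.*)$")
AVC = re.compile(r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one raw audit line into a dict of its fields; None if not an audit line."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    rec = {"type": m["type"], "ts": m["ts"], "serial": int(m["serial"])}
    avc = AVC.search(m["rest"])
    if avc:
        rec["decision"] = avc["decision"]
        rec["perms"] = avc["perms"].split()
    for key, value in FIELD.findall(m["rest"]):
        rec[key] = value.strip('"')
    return rec


def syscall_name(rec):
    """Name for a SYSCALL record's number; only the x86_64 table is known here."""
    nr = int(rec["syscall"])
    if rec.get("arch") == "c000003e":
        return X86_64_SYSCALLS.get(nr, "nr%d" % nr)
    return "nr%d" % nr


def correlate(lines):
    """Return one finding per AVC denial, joined with its SYSCALL and PATH records."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[rec["serial"]].append(rec)
    findings = []
    for serial in sorted(events):
        recs = events[serial]
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        paths = [r["name"] for r in recs if r["type"] == "PATH" and "name" in r]
        for avc in recs:
            if avc["type"] != "AVC" or avc.get("decision") != "denied":
                continue
            finding = {"serial": serial, "comm": avc.get("comm"),
                       "scontext": avc.get("scontext"), "tclass": avc.get("tclass"),
                       "perms": avc["perms"], "paths": paths,
                       "syscall": None, "succeeded": None, "exit": None}
            if sc is not None:
                finding["syscall"] = syscall_name(sc)
                finding["succeeded"] = sc.get("success") == "yes"
                finding["exit"] = int(sc["exit"])   # raw logs carry a plain integer
            findings.append(finding)
    return findings


def explain(finding):
    """One-line triage verdict for a finding."""
    what = "%s {%s} on class %s by %s" % (finding["scontext"], " ".join(finding["perms"]),
                                           finding["tclass"], finding["comm"])
    if finding["succeeded"] is None:
        return "%d: %s; no SYSCALL record, outcome unknown" % (finding["serial"], what)
    if finding["succeeded"]:
        return "%d: %s; %s() succeeded (exit=%d): audited probe, not the failure cause" % (
            finding["serial"], what, finding["syscall"], finding["exit"])
    return "%d: %s; %s() failed (exit=%d): denial blocked the call" % (
        finding["serial"], what, finding["syscall"], finding["exit"])


if __name__ == "__main__":
    for f in correlate(AUDIT_LOG):
        print(explain(f))
```

A sys_admin denial that leaves the syscall successful is typical of the kernel calling capable(CAP_SYS_ADMIN) only to decide whether trusted.* names are included in an xattr listing; entries of that shape are candidates for a dontaudit rule, not for granting the capability to the sandbox domain.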
Comment 1 Jason Zaman gentoo-dev 2014-06-24 15:44:52 UTC
Created attachment 379594
build.log with test enabled, resulting in a failure
Comment 2 Jason Zaman gentoo-dev 2014-06-24 18:20:21 UTC
Created attachment 379612
fix for install-xattr

I put an echo into the bash wrapper to get the exact command run,
then I strace'd it and the path on the setxattr is wrong. This patch fixes it.

Command being run by the ebuild:
exec /usr/bin/install-xattr -m0755 -o 0 -g 0 run/john /var/tmp/portage/app-crypt/johntheripper-1.7.9-r6/image//usr/sbin
install-xattr: setxattr() failed: No such file or directory

Excerpt from strace'ing the above command:
setxattr("/var/tmp/portage/app-crypt/johntheripper-1.7.9-r6/image//usr/sbin/run/john", "user.pax.flags", "emr", 3, 0) = -1 ENOENT (No such f
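The strace line above shows the attribute being set on the target directory joined with the whole source path (.../usr/sbin/run/john), while the file itself had been installed to .../usr/sbin/john, hence ENOENT. The code below is an added example in Python and is not elfix's install-xattr or the attached patch: it shows the install(1) destination rule (a directory target receives basename(src)), keeps the incorrect join beside it for comparison, and re-applies only user.* attributes on the path the file actually landed at. Function names and the temporary-tree self check are my own; the self check tolerates filesystems without user.* xattr support.

```python
"""Resolve an install(1)-style destination and carry user.* xattrs across.
Added example for this bug; not the code of elfix's install-xattr."""
import errno
import os
import shutil
import tempfile

_XATTR_UNSUPPORTED = (errno.ENOTSUP, errno.EOPNOTSUPP, errno.EPERM, errno.EACCES)


def destination_path(src, dst, dst_is_dir):
    """Where the installed copy lives: a directory target receives basename(src)."""
    if dst_is_dir:
        return os.path.join(dst, os.path.basename(src))
    return dst


def buggy_destination_path(src, dst, dst_is_dir):
    """The pre-fix construction: joins the whole source path, so a source like
    run/john yields <dir>/run/john, a file that was never installed (ENOENT)."""
    if dst_is_dir:
        return os.path.join(dst, src)
    return dst


def copy_xattrs(src, dst, namespace="user."):
    """Copy the namespace's attributes from src to dst; returns the names copied.
    Only user.* is handled: trusted.* and security.* need privilege and are
    not something an installer helper should be re-applying."""
    copied = []
    try:
        names = os.listxattr(src)
    except OSError as exc:
        if exc.errno in _XATTR_UNSUPPORTED:
            return copied
        raise
    for name in names:
        if name.startswith(namespace):
            os.setxattr(dst, name, os.getxattr(src, name))
            copied.append(name)
    return copied


def install_with_xattrs(src, dst, mode=0o755):
    """Minimal install: copy data, set mode, then re-apply user.* xattrs on the
    path the file actually landed at (the point of the basename fix)."""
    target = destination_path(src, dst, os.path.isdir(dst))
    shutil.copyfile(src, target)   # data only; copy2() would copy xattrs itself
    os.chmod(target, mode)
    return target, copy_xattrs(src, target)


def self_check():
    """Run the installer in a temporary tree shaped like the bug's image dir.
    Returns the relative destination, whether the filesystem accepted a user.*
    attribute, the attributes carried across, and the flags read back."""
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, "run"))
        src = os.path.join(tmp, "run", "john")
        with open(src, "wb") as fh:
            fh.write(b"#!/bin/sh\nexit 0\n")          # constructed stand-in binary
        supported = True
        try:
            os.setxattr(src, "user.pax.flags", b"emr")  # the mark seen in the strace
        except OSError as exc:
            if exc.errno not in _XATTR_UNSUPPORTED:
                raise
            supported = False
        dst_dir = os.path.join(tmp, "image", "usr", "sbin")
        os.makedirs(dst_dir)
        target, copied = install_with_xattrs(src, dst_dir)
        return {"dest": os.path.relpath(target, tmp),
                "supported": supported,
                "copied": copied,
                "flags": os.getxattr(target, "user.pax.flags") if supported else None}


if __name__ == "__main__":
    image = "/var/tmp/portage/app-crypt/johntheripper-1.7.9-r6/image//usr/sbin"
    print("buggy:", buggy_destination_path("run/john", image, True))
    print("fixed:", destination_path("run/john", image, True))
    print(self_check())
```

Run directly, the two printed paths reproduce the strace destination and the corrected one; the self check then installs a constructed file into a temporary image tree and reads the pax flags back from the installed copy.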
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2014-06-24 18:28:45 UTC
I can confirm that the patch fixes the johntheripper build failure.
Comment 4 Jason Zaman gentoo-dev 2014-06-24 19:23:10 UTC
Created attachment 379616
patch with fix as well as added a test case

This fixes the issue for me. The test case fails without the basename patch and succeeds with it. Can someone else confirm the test script?
Comment 5 Anthony Basile gentoo-dev 2014-06-24 21:56:10 UTC
(In reply to Jason Zaman from comment #4)
> Created attachment 379616
> patch with fix as well as added a test case
> 
> This fixes the issue for me. The test case fails without the basename patch
> and succeeds with it. Can someone else confirm the test script?

Committed.

http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=commit;h=18586b8eef2dee0f432d7f57b642fa177aebc788

Keeping testing with install-xattr-9999.ebuild so we don't hit the same bug again.