Bug 515582

Summary: dev-java/oracle-jdk-bin does not preserve xattr pax-marks in src_install()
Product: Gentoo Linux Reporter: Jason Zaman <perfinion>
Component: [OLD] Java Assignee: Java team <java>
Status: RESOLVED FIXED    
Severity: normal Keywords: PATCH
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugs.gentoo.org/show_bug.cgi?id=517626
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 516158    
Attachments: oracle-jdk-bin-1.7.0.65.ebuild.patch

Description Jason Zaman gentoo-dev 2014-06-28 10:19:33 UTC
oracle-jdk-bin does the pax-marking in src_compile() and then afterwards in src_install() uses 'cp -pPR' to "install" everything. 'cp -p' does not preserve xattrs.

I have moved to using xattr pax-marks on my system (PAX_MARKINGS="XT" in make.conf). blueness has released a wrapper for install that preserves xattrs.

Please either use "einstall" for the binaries or use "cp --preserve=mode,ownership,timestamps,xattrs" instead of only "cp -p"


Reproducible: Always

Steps to Reproduce:
1. use a hardened profile, set PAX_MARKINGS="XT" in make.conf
2. emerge oracle-jdk-bin
3.
Actual Results:  
the 'java' program does not run.
paxctl-ng -v /opt/oracle-jdk-bin-1.7.0.55/bin/java says not found for both types of pax-marks

Expected Results:  
the 'java' program should run.
paxctl-ng -v /opt/oracle-jdk-bin-1.7.0.55/bin/java should show xattr paxmarks
Comment 1 Ralph Sennhauser (RETIRED) gentoo-dev 2014-07-20 21:28:40 UTC
This is now done in:
 oracle-{jdk,jre}-bin-1.7.0.65
 oracle-{jdk,jre}-bin-1.8.0.11

Thanks for the report.
Comment 2 Jason Zaman gentoo-dev 2014-07-20 22:23:45 UTC
Hi,

Sorry to be a bother, this works for PaX but it has issues with SELinux :(

It looks like cp --preserve=xattr copies all xattrs including: security.selinux.
The problem is that this xattr is protected (actually all security.* are) and the copy fails.

It looks like for bin/* doins should be used. I am attaching a patch to 1.7.0.65 that works for me.

-- Jason
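
The trade-off described in the comment above, as an added example that is not part of the original thread and is not the ebuild's or the install wrapper's code: copy a file while carrying over only the extended attributes outside protected namespaces, so a PaX mark stored in `user.pax.flags` survives and `security.selinux` is never written. The function names and the exclude list are assumptions made for this illustration.

```python
import errno
import fnmatch
import os
import shutil
import stat

# Assumed exclude list for this example: namespaces that a confined or
# unprivileged process is usually not permitted to set on the destination.
EXCLUDE = ("security.*", "trusted.*", "system.*")


def xattrs_to_copy(names, exclude=EXCLUDE):
    """Return the xattr names that match none of the exclude patterns."""
    return [n for n in names
            if not any(fnmatch.fnmatchcase(n, pat) for pat in exclude)]


def copy_filtered(src, dst, exclude=EXCLUDE):
    """Copy a regular file's data, mode and timestamps, then selected xattrs.

    Ownership is not copied. shutil.copy2/copystat are avoided on purpose
    because they attempt to copy every xattr themselves.
    Returns (copied, skipped, failed); failed holds (name, errno) pairs.
    """
    shutil.copyfile(src, dst)
    st = os.stat(src)
    os.chmod(dst, stat.S_IMODE(st.st_mode))
    os.utime(dst, ns=(st.st_atime_ns, st.st_mtime_ns))
    try:
        names = os.listxattr(src)
    except OSError as exc:
        if exc.errno not in (errno.ENOTSUP, errno.ENOSYS):
            raise
        return [], [], []  # filesystem has no xattr support at all
    wanted = xattrs_to_copy(names, exclude)
    skipped = [n for n in names if n not in wanted]
    copied, failed = [], []
    for name in wanted:
        try:
            # user.pax.flags (the xattr PaX mark) takes this path
            os.setxattr(dst, name, os.getxattr(src, name))
            copied.append(name)
        except OSError as exc:
            # Report instead of aborting, so one refused attribute
            # does not fail the whole install step.
            failed.append((name, exc.errno))
    return copied, skipped, failed
```

Checking the result with `paxctl-ng -v`, as in the bug description, confirms whether the mark reached the installed binary.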
Comment 3 Jason Zaman gentoo-dev 2014-07-20 22:25:51 UTC
Created attachment 381176
oracle-jdk-bin-1.7.0.65.ebuild.patch

This uses dobin instead of cp --preserve=xattr since cp touches the SELinux xattrs too which is disallowed.
Comment 4 Ralph Sennhauser (RETIRED) gentoo-dev 2014-07-21 00:12:18 UTC
Solved it in a slightly different way. Updated in place and added a dependency on the corresponding selinux policy. Thanks.