Bug 525726

Summary: Feature request: A more verbose warning when emerging from the wrong role
Product: Gentoo Linux
Reporter: Eric Gisse <jowr.pi>
Component: SELinux
Assignee: Portage team <dev-portage>
Status: RESOLVED FIXED
Severity: enhancement
CC: selinux
Priority: Normal
Keywords: InVCS, PATCH
Version: unspecified
Hardware: All
OS: Linux
Runtime testing required: ---
Bug Blocks: 484436
Attachments: Describe to the user that the SELinux execution context change failed

Description Eric Gisse 2014-10-18 05:46:31 UTC
So on a new selinux system, either in full enforcing or permissive, and you try to emerge a package when in the staff_r role (but root user), you get something like this:

>>> Emerging (1 of 1) net-misc/openssh-6.6.1_p1-r4::gentoo
 * openssh-6.6p1.tar.gz SHA256 SHA512 WHIRLPOOL size ;-) ...                                                                                                       [ ok ]
 * openssh-6.6.1p1-hpnssh14v5.diff.xz SHA256 SHA512 WHIRLPOOL size ;-) ...                                                                                         [ ok ]
[Errno 22] Invalid argument:
   /usr/bin/sandbox /usr/lib/portage/python2.7/ebuild.sh unpack
Traceback (most recent call last):
  File "/usr/lib64/python2.7/site-packages/portage/process.py", line 317, in spawn
    unshare_net, unshare_ipc, cgroup)
  File "/usr/lib64/python2.7/site-packages/portage/process.py", line 512, in _exec
    pre_exec()
  File "/usr/lib64/python2.7/site-packages/portage/_selinux.py", line 119, in _pre_exec
    setexec(self._con)
  File "/usr/lib64/python2.7/site-packages/portage/_selinux.py", line 80, in setexec
    if selinux.setexeccon(ctx) < 0:
OSError: [Errno 22] Invalid argument

Now, this is a pretty well-known issue and the requirement of newrole -r sysadm_r appears to be documented pretty well on The Google(tm). However, from a pure usability point of view, it strikes me that it would be very helpful if a specific notice were put into portage explaining that you need to be in the proper role.

SELinux is hard enough as it is. No point in making it harder than it needs to be.

Reproducible: Always

Part n+1 in my ongoing puppet + selinux project.
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2014-11-08 17:03:03 UTC
Is the stacktrace also something you'd rather not see? I think from a development and support point of view, we need to keep the stacktrace. However, I can make the error message somewhat better than "[Errno 22] Invalid argument", like so:

Traceback (most recent call last):
  File "/usr/lib64/portage/pym/portage/process.py", line 316, in spawn
    unshare_net, unshare_ipc, cgroup)
  File "/usr/lib64/portage/pym/portage/process.py", line 511, in _exec
    pre_exec()
  File "/usr/lib64/portage/pym/portage/_selinux.py", line 122, in _pre_exec
    setexec(self._con)
  File "/usr/lib64/portage/pym/portage/_selinux.py", line 91, in setexec
    raise OSError(_("Failed to switch SELinux context\nIs your current SELinux context allowed to be running Portage in the first place?"))
OSError: Failed to switch SELinux context
Is your current SELinux context allowed to be running Portage in the first place?
Comment 2 Eric Gisse 2014-11-08 19:32:38 UTC
That would be great. Anything to indicate the issue is your selinux context.

I do this to myself all the time - emerge, portage stack trace, "oh yeah", newrole, emerge. Especially because this happens in a *permissive* context that would otherwise let the process run.

For example, the RHEL family has you start out in an unconfined role (this statement is by no means absolute, though), so if you primarily work with that, it will take a bit to get used to the fact that the default user context with Gentoo's implementation doesn't let you do that.

This is in no way me saying "LET'S BE LIKE RHEL", because noooooo. There's enough of that.

In fact I would love to see the same thing for init scripts, but I don't see a nice way to make that issue more visible and it's already reasonably well documented in the wiki.

So from my point of view, anything that increases the ease of use of administrating a SELinux machine is a win.
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2014-11-11 10:33:15 UTC
Created attachment 389066
Describe to the user that the SELinux execution context change failed

This patch does two things:

1. It explains to the user why a failure occurred (the SELinux execution context change failed) and what the most likely fix is (correct the current context)
2. It does not fail hard when SELinux is not in enforcing mode (permissive should allow for the code to continue, but with a message displayed)
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2014-11-11 10:35:39 UTC
@portage team: attached patch gives a better failure message and also continues running if the system is in SELinux permissive state. Tested on SELinux systems and, given the scope of the patch, I don't think it influences non-SELinux systems at all.
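The two behaviours described in comments 3 and 4, written out as an added Python example (this is not Portage's own _selinux.py nor the attached patch): a failed exec-context switch raises a descriptive error when SELinux is enforcing, but only prints a warning and continues when it is permissive. The libselinux calls setexeccon and security_getenforce are passed in as parameters, and the stand-ins below are constructed so the three cases run on a machine without SELinux.

```python
import sys

class SELinuxContextError(OSError):
    """Context switch failed while SELinux is enforcing."""

def setexec(ctx, setexeccon, getenforce, err=sys.stderr):
    """Request ctx as the exec context for the next exec().

    setexeccon(ctx): libselinux style, returns <0 or raises OSError on failure.
    getenforce():    libselinux security_getenforce(), 1 = enforcing.
    Returns True if set, False if the failure was tolerated (permissive).
    """
    try:
        failed = setexeccon(ctx) < 0
    except OSError:                 # newer bindings raise instead of returning -1
        failed = True
    if not failed:
        return True
    msg = ("Failed to switch SELinux context to %r.\n"
           "Is your current SELinux context allowed to be running Portage "
           "in the first place? (e.g. newrole -r sysadm_r)\n" % ctx)
    if getenforce() == 1:
        raise SELinuxContextError(msg)
    # Permissive: the kernel would not block the build anyway, so explain
    # the problem and carry on, as the attached patch does.
    err.write("!!! " + msg + "!!! SELinux is permissive; continuing.\n")
    return False

# Constructed stand-ins for libselinux so all three cases run anywhere.
def denied(ctx):
    raise OSError(22, "Invalid argument")   # EINVAL, as in the report

def allowed(ctx):
    return 0

def demo():
    """Allowed / denied+enforcing / denied+permissive; returns the outcomes."""
    ctx = "system_u:system_r:portage_t:s0"
    ok = setexec(ctx, allowed, lambda: 1)
    try:
        setexec(ctx, denied, lambda: 1)
        enforcing = "continued"
    except SELinuxContextError:
        enforcing = "raised"
    permissive = setexec(ctx, denied, lambda: 0)
    return ok, enforcing, permissive

if __name__ == "__main__":
    print(demo())                           # (True, 'raised', False)
```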
Comment 5 Zac Medico gentoo-dev 2014-11-11 22:00:34 UTC
I have a fixed up version of your patch in this branch:

	https://github.com/zmedico/portage/tree/bug_525726

I've posted it for review here:

	http://thread.gmane.org/gmane.linux.gentoo.portage.devel/4776

The patch posted to the list is already behind my branch, due to this grammar fix in my commit message: s/since is/since it is/