
Bug 565354

Summary: pax-utils.eclass install/merge phases: setfattr: /var/tmp/portage/…: Operation not supported
Product: Portage Development
Component: Conceptual/Abstract Ideas
Reporter: Sergey S. Starikoff <Ikonta>
Assignee: Portage team <dev-portage>
Status: CONFIRMED
Severity: normal
Priority: Normal
CC: hardened
Version: unspecified
Hardware: All
OS: Linux
Bug Blocks: 193766

Description Sergey S. Starikoff 2015-11-10 10:42:57 UTC
Today's update at least on =www-client/firefox-38.4.0 and =app-emulation/virtualbox-4.3.32 showed the title error. mail-client/thunderbird probably also should.

Quote below for Firefox:
…
 *      /var/tmp/portage/www-client/firefox-38.4.0/image//usr/lib64/firefox/firefox
 *      /var/tmp/portage/www-client/firefox-38.4.0/image//usr/lib64/firefox/firefox-bin
 *      /var/tmp/portage/www-client/firefox-38.4.0/image//usr/lib64/firefox/plugin-container
 * XT PaX marking -me /var/tmp/portage/www-client/firefox-38.4.0/image//usr/lib64/firefox/firefox with setfattr
setfattr: /var/tmp/portage/www-client/firefox-38.4.0/image//usr/lib64/firefox/firefox: Operation not supported
 * Failed to set XATTR_PAX markings -me /var/tmp/portage/www-client/firefox-38.4.0/image//usr/lib64/firefox/firefox.
 * XT PaX marking -me /var/tmp/portage/www-client/firefox-38.4.0/image//usr/lib64/firefox/firefox-bin with setfattr
setfattr: /var/tmp/portage/www-client/firefox-38.4.0/image//usr/lib64/firefox/firefox-bin: Operation not supported
 * Failed to set XATTR_PAX markings -me /var/tmp/portage/www-client/firefox-38.4.0/image//usr/lib64/firefox/firefox-bin.
 * XT PaX marking -me /var/tmp/portage/www-client/firefox-38.4.0/image//usr/lib64/firefox/plugin-container with setfattr
setfattr: /var/tmp/portage/www-client/firefox-38.4.0/image//usr/lib64/firefox/plugin-container: Operation not supported
 * Failed to set XATTR_PAX markings -me /var/tmp/portage/www-client/firefox-38.4.0/image//usr/lib64/firefox/plugin-container.
>>> Completed installing firefox-38.4.0 into /var/tmp/portage/www-client/firefox-38.4.0/image/
…

For VirtualBox:
…
>>> Install virtualbox-4.3.32 into /var/tmp/portage/app-emulation/virtualbox-4.3.32/image/ category app-emulation
 *      /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VBoxManage
 TYPE    PAX   FILE 
ET_EXEC --mxe- /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VBoxManage 
 *      /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VBoxManage
 * XT PaX marking -me /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VBoxManage with setfattr
setfattr: /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VBoxManage: Operation not supported
 * Failed to set XATTR_PAX markings -me /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VBoxManage.
 *      /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VBoxSVC
 TYPE    PAX   FILE 
ET_EXEC --mxe- /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VBoxSVC 
 *      /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VBoxSVC
 * XT PaX marking -me /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VBoxSVC with setfattr
setfattr: /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VBoxSVC: Operation not supported
 * Failed to set XATTR_PAX markings -me /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VBoxSVC.
 *      /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VBoxXPCOMIPCD
 TYPE    PAX   FILE 
ET_EXEC --mxe- /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VBoxXPCOMIPCD 
 *      /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VBoxXPCOMIPCD
 * XT PaX marking -me /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VBoxXPCOMIPCD with setfattr
setfattr: /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VBoxXPCOMIPCD: Operation not supported
 * Failed to set XATTR_PAX markings -me /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VBoxXPCOMIPCD.
 *      /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VBoxSDL
 TYPE    PAX   FILE 
ET_EXEC --mxe- /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VBoxSDL 
 *      /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VBoxSDL
 * XT PaX marking -me /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VBoxSDL with setfattr
setfattr: /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VBoxSDL: Operation not supported
 * Failed to set XATTR_PAX markings -me /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VBoxSDL.
 *      /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VBoxTestOGL
 TYPE    PAX   FILE 
ET_EXEC --mxe- /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VBoxTestOGL 
 *      /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VBoxTestOGL
 * XT PaX marking -me /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VBoxTestOGL with setfattr
setfattr: /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VBoxTestOGL: Operation not supported
 * Failed to set XATTR_PAX markings -me /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VBoxTestOGL.
 *      /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VirtualBox
 TYPE    PAX   FILE 
ET_EXEC --mxe- /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VirtualBox 
 *      /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VirtualBox
 * XT PaX marking -me /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VirtualBox with setfattr
setfattr: /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VirtualBox: Operation not supported
 * Failed to set XATTR_PAX markings -me /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VirtualBox.
 *      /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VBoxHeadless
 TYPE    PAX   FILE 
ET_EXEC --mxe- /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VBoxHeadless 
 *      /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VBoxHeadless
 * XT PaX marking -me /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VBoxHeadless with setfattr
setfattr: /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VBoxHeadless: Operation not supported
 * Failed to set XATTR_PAX markings -me /var/tmp/portage/app-emulation/virtualbox-4.3.32/image//usr/lib64/virtualbox/VBoxHeadless.
>>> Completed installing virtualbox-4.3.32 into /var/tmp/portage/app-emulation/virtualbox-4.3.32/image/
…


/var is placed on dedicated partition:
$ mount | grep var
/dev/sda6 on /var type reiserfs (rw,noatime)


It would be fine if such errors would be caught by portage and echoed after update as QA warnings for Gentoo bug tracker.

$ einfo 
Portage 2.2.20.1 (python 3.4.3-final-0, default/linux/amd64/13.0, gcc-4.9.3, glibc-2.21-r1, 4.1.6-aufs x86_64)
=================================================================
System uname: Linux-4.1.6-aufs-x86_64-AMD_Athlon-tm-_II_X2_250_Processor-with-gentoo-2.2
KiB Mem:     1793632 total,     58348 free
KiB Swap:    8000364 total,   7184104 free
Timestamp of repository gentoo: Tue, 10 Nov 2015 00:50:01 +0000
sh bash 4.3_p39
ld GNU ld (Gentoo 2.25.1 p1.1) 2.25.1
app-shells/bash:          4.3_p39::gentoo
dev-java/java-config:     2.2.0::gentoo
dev-lang/perl:            5.20.2::gentoo
dev-lang/python:          2.7.10::gentoo, 3.4.3::gentoo
dev-util/cmake:           3.3.1-r1::gentoo
dev-util/pkgconfig:       0.28-r2::gentoo
sys-apps/baselayout:      2.2::gentoo
sys-apps/openrc:          0.17::gentoo
sys-apps/sandbox:         2.6-r1::gentoo
sys-devel/autoconf:       2.13::gentoo, 2.69::gentoo
sys-devel/automake:       1.11.6-r1::gentoo, 1.13.4::gentoo, 1.14.1::gentoo, 1.15::gentoo
sys-devel/binutils:       2.25.1-r1::gentoo
sys-devel/gcc:            4.9.3::gentoo
sys-devel/gcc-config:     1.7.3::gentoo
sys-devel/libtool:        2.4.6::gentoo
sys-devel/make:           4.1-r1::gentoo
sys-kernel/linux-headers: 3.18::gentoo (virtual/os-headers)
sys-libs/glibc:           2.21-r1::gentoo
Repositories:

gentoo
    location: /usr/portage/gentoo
    sync-type: rsync
    priority: -1000

local_hdd
    location: /usr/portage/local
    masters: gentoo

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /etc/env.d /usr/share/gnupg/qualified.txt /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.6/ext-active/ /etc/php/cgi-php5.6/ext-active/ /etc/php/cli-php5.6/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--ask --verbose --autounmask=n"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs buildsyspkg config-protect-if-modified distlocks downgrade-backup ebuild-locks fixlafiles merge-sync metadata-transfer news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://mirror.yandex.ru/gentoo-distfiles/                 ftp://mirror.yandex.ru/gentoo-distfiles/                 http://ftp.corbina.net/pub/Linux/gentoo/                 ftp://ftp.corbina.net/pub/Linux/gentoo/"
LANG="ru_RU.utf8"
LC_ALL=""
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
USE="X a52 ac3 acl alsa amd64 avi berkdb bold bzip2 cdr cli consolekit cracklib crypt cups cxx dbus djvu dri dvd flac fortran gdbm gif gtk iconv inotify jpeg jpeg2k lock mmx mmxext modules mp3 multilib ncurses nls nptl ogg openmp pam pcre pdf png policykit qt3support readline seccomp session sse sse2 ssl tcpd thunar tiff udev udisks unicode utf8 vorbis xattr xcb xulrunner zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="3dnow 3dnowext mmx mmxext popcnt sse sse2 sse3 sse4a" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="ru ru_RU" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_4" RUBY_TARGETS="ruby20" USERLAND="GNU" VIDEO_CARDS="radeon" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p 
iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, USE_PYTHON

Comment 1 Zac Medico gentoo-dev 2015-11-10 17:48:37 UTC
(In reply to Sergey S. Starikoff from comment #0)
> 
> /var is placed on dedicated partition:
> $ mount | grep var
> /dev/sda6 on /var type reiserfs (rw,noatime)
> 
> 
> It would be fine if such errors would be caught by portage and echoed after
> update as QA warnings for Gentoo bug tracker.

It's a user configuration issue, not a QA problem, so pax-utils.eclass calls elog (and with default configuration portage's "echo" elog module will echo the elog messages after the update).

The messages originate from this line:

https://gitweb.gentoo.org/repo/gentoo.git/tree/eclass/pax-utils.eclass?id=b95c7dc6904efdea1b1bf7d55d2767759fa799be#n134

Comment 2 Sergey S. Starikoff 2015-11-11 14:23:41 UTC
(In reply to Zac Medico from comment #1)
> It's a user configuration issue, not a QA problem
I agree, that it is my system's configuration issue.
But this warning is hidden and present only on terminal and in temporary log file, cleaned on merge.
So, without human monitoring this issue stays unknown and unfixed. That is not right.

> so pax-utils.eclass calls
> elog (and with default configuration portage's "echo" elog module will echo
> the elog messages after the update).
> 
> The messages originate from this line:
> 
> https://gitweb.gentoo.org/repo/gentoo.git/tree/eclass/pax-utils.eclass?id=b95c7dc6904efdea1b1bf7d55d2767759fa799be#n134

Thank you!
I guess references to not installed utilities.

So, maybe pax-utils.eclass should list dependencies, required by each of not blank PAX_MARKINGS values like office-ext-r1.eclass does?
This will solve the particular title issue by either setting proper value of PAX_MARKINGS in make conf or installing missed dependencies.

Comment 3 Zac Medico gentoo-dev 2015-11-11 17:40:37 UTC
(In reply to Sergey S. Starikoff from comment #2)
> (In reply to Zac Medico from comment #1)
> > It's a user configuration issue, not a QA problem
> I agree, that it is my system's configuration issue.
> But this warning is hidden and present only on terminal and in temporary log
> file, cleaned on merge.
> So, without human monitoring this issue stays unknown and unfixed. That is
> not right.

It sounds like you have a non-default PORTAGE_ELOG_CLASSES and/or PORTAGE_ELOG_SYSTEM setting. You can use this command to query those settings:

    portageq envvar PORTAGE_ELOG_CLASSES PORTAGE_ELOG_SYSTEM

> > so pax-utils.eclass calls
> > elog (and with default configuration portage's "echo" elog module will echo
> > the elog messages after the update).
> > 
> > The messages originate from this line:
> > 
> > https://gitweb.gentoo.org/repo/gentoo.git/tree/eclass/pax-utils.eclass?id=b95c7dc6904efdea1b1bf7d55d2767759fa799be#n134
> 
> Thank you!
> I guess references to not installed utilities.
> 
> So, maybe pax-utils.eclass should list dependencies, required by each of not
> blank PAX_MARKINGS values like office-ext-r1.eclass does?
> This will solve the particular title issue by either setting proper value
> of PAX_MARKINGS in make conf or installing missed dependencies.
 
I think you just need a filesystem with support for user.pax.* extended attributes (gentoo-sources includes 1500_XATTR_USER_PREFIX.patch to enable this for tmpfs).

@hardened: What do you think about having the eclass give some more hints to the user?

Comment 4 Sergey S. Starikoff 2015-11-12 11:57:37 UTC
(In reply to Zac Medico from comment #3)
> It sounds like you have a non-default PORTAGE_ELOG_CLASSES and/or
> PORTAGE_ELOG_SYSTEM setting. You can use this command to query those
> settings:
> 
>     portageq envvar PORTAGE_ELOG_CLASSES PORTAGE_ELOG_SYSTEM

I didn't override defaults:

$ eselect profile list
Available profile symlink targets:
  [1]   default/linux/amd64/13.0 *
…

$ portageq envvar PORTAGE_ELOG_CLASSES PORTAGE_ELOG_SYSTEM
log warn error
save_summary:log,warn,error,qa echo

> I think you just need a filesystem with support for user.pax.* extended
> attributes (gentoo-sources includes 1500_XATTR_USER_PREFIX.patch to enable
> this for tmpfs).

Thank you! I've seen bug #465330
But here /var/tmp/portage is placed on real filesystem (reiser3).

For now I use 4.1.6-aufs kernel with proper FS_XATTR support:
$ zgrep XATT /proc/config.gz 
…
CONFIG_REISERFS_FS_XATTR=y

Tomorrow I'll make a check on another box with =sys-kernel/aufs-sources-4.0.5 kernel and /var/tmp/portage mounted as tmpfs.

Comment 5 Sergey S. Starikoff 2015-11-13 18:39:42 UTC
(In reply to Zac Medico from comment #3)
> I think you just need a filesystem with support for user.pax.* extended
> attributes (gentoo-sources includes 1500_XATTR_USER_PREFIX.patch to enable
> this for tmpfs).

My other Gentoo box with /var/tmp/portage mounted in tmpfs:

# uname -r
4.0.5-aufs
# mount | grep "/var/"
none on /var/tmp/portage type tmpfs (rw,size=7168M)
# zgrep TMPFS_XATTR /proc/config.gz 
CONFIG_TMPFS_XATTR=y

FF build error:
!!! Failed to copy extended attributes. In order to avoid this error,
!!! set FEATURES="-xattr" in make.conf.
!!! copy /var/tmp/portage/www-client/firefox-38.4.0/image/usr/lib64/firefox/firefox-bin -> /usr/lib64/firefox/firefox-bin failed.
!!! Filesystem containing file '/usr/lib64/firefox/firefox-bin#new' does not support extended attribute 'user.pax.flags'

>>> Failed to install www-client/firefox-38.4.0, Log file:
…

Probably, something is wrong in the sys-kernel/aufs-sources kernel.

Comment 6 Sergey Popov gentoo-dev 2015-11-18 06:42:59 UTC
Not a portage bug. Please open a new bug report on aufs-sources if you think that they can be the source of this issue.

Comment 7 Sergey S. Starikoff 2015-11-23 14:57:53 UTC
(In reply to Sergey Popov from comment #6)
> Not a portage bug. Please open a new bug report on aufs-sources if you think
> that they can be the source of this issue.

You aren't right.
Your resolution is INVALID.

Looking on correctness of error handling in pax-utils.eclass this bug may be marked FIXED.
Somewhere I use old reiserfs filesystem. For correct handling of PAX attributes it needs "user_xattr" mount option. And pax-utils.eclass probably should verify it at pre-merge checks phase.
Because non-critical for /var/tmp/portage errors are critical for / (or /usr if separate and formatted in reiserfs, see error description in comment #5).
Merge not only fails, but breaks existent FF installation, that is completely wrong and portage should not allow this. So, this bug may be REOPENED.

P.S. Does this feature need to be documented in the Handbook:
https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/System#About_fstab

Comment 8 Zac Medico gentoo-dev 2015-11-23 17:37:23 UTC
(In reply to Sergey S. Starikoff from comment #7)
> Somewhere I use old reiserfs filesystem. For correct handling of PAX
> attributes it needs "user_xattr" mount option. And pax-utils.eclass probably
> should verify it at pre-merge checks phase.
> Because non-critical for /var/tmp/portage errors are critical for / (or /usr
> if separate and formatted in reiserfs, see error description in comment #5).
> Merge not only fails, but breaks existent FF installation, that is
> completely wrong and portage should not allow this. So, this bug may be
> REOPENED.

Yeah, portage could certainly check for security namespace support, in order to support capabilities for things like /bin/ping:

# getfattr -d -m ".*" /bin/ping
getfattr: Removing leading '/' from absolute path names
# file: bin/ping
security.capability=0sAQAAAgAgAAAAAAAAAAAAAAAAAAA=

Maybe it should also check for user namespace support for hardened profiles.

> P.S. Does this feature need to be documented in the Handbook:
> https://wiki.gentoo.org/wiki/Handbook:AMD64/Installation/System#About_fstab

For non-hardened systems, user_xattr is not strictly necessary. However, the security namespace is required for capabilities support on regular linux systems as noted above (for /bin/ping).

Probably, the Hardened/PaX documentation should explicitly mention user_xattr in some place(s), like here:

https://wiki.gentoo.org/wiki/Hardened/PaX_Quickstart
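
The pre-merge check discussed in comments 7 and 8, sketched as an added example that is not part of this bug thread or of Portage's own code: it probes whether a directory's filesystem accepts the `user.pax.flags` attribute before a build starts. The function names and the injectable `setxattr` parameter are assumptions made for this illustration.

```python
import errno
import os
import sys
import tempfile

PAX_XATTR = "user.pax.flags"  # attribute named in the merge error in comment 5
_UNSUPPORTED = {errno.ENOTSUP, errno.EOPNOTSUPP}  # "Operation not supported"


def supports_user_xattr(directory, setxattr=None):
    """Return True if a file created in `directory` accepts user.pax.flags.

    False means the filesystem rejected the attribute with "Operation not
    supported" (the setfattr failure reported in this bug). Any other OSError
    (permissions, full disk) is re-raised, since it says nothing about
    extended-attribute support.
    """
    setxattr = setxattr or os.setxattr  # os.setxattr is Linux-only
    fd, probe = tempfile.mkstemp(prefix=".xattr-probe-", dir=directory)
    os.close(fd)
    try:
        setxattr(probe, PAX_XATTR, b"me")  # same flags the eclass tried: -me
        return True
    except OSError as exc:
        if exc.errno in _UNSUPPORTED:
            return False
        raise
    finally:
        os.unlink(probe)  # never leave the probe file behind


def premerge_xattr_check(directories, setxattr=None):
    """Return the directories whose filesystem cannot store user.pax.flags."""
    return [d for d in directories if not supports_user_xattr(d, setxattr)]


if __name__ == "__main__":
    # Defaults are the build directory and merge destination seen in this bug;
    # pass other directories as arguments. Probing system paths needs root.
    targets = sys.argv[1:] or ["/var/tmp/portage", "/usr/lib64"]
    try:
        missing = premerge_xattr_check([t for t in targets if os.path.isdir(t)])
    except OSError as exc:
        sys.exit(f"could not probe: {exc}")
    for path in missing:
        print(f"{path}: filesystem does not support {PAX_XATTR}")
    sys.exit(1 if missing else 0)
```

Probing both the build directory and the merge destination matters here: comment 5 shows the attribute being accepted on tmpfs and then rejected when the file is copied to /usr.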

Comment 9 Sergey S. Starikoff 2015-12-22 13:33:34 UTC
I see progress in this bug.
In addition to install merge check is performed.
But performing this check at phase step is not completely correct: it's unpleasant to get this error after a long-time build. So, they should be moved to pre-merge checks.

(In reply to Zac Medico from comment #8)
> Maybe it should also check for user namespace support for hardened profiles.
This error appears not only on hardened profiles.
So, this check should be more common.

Comment 10 Anthony Basile gentoo-dev 2015-12-23 13:29:18 UTC
(In reply to Sergey S. Starikoff from comment #9)
> I see progress in this bug.
> In addition to install merge check is performed.
> But performing this check at phase step is not completely correct: it's
> unpleasant to get this error after a long-time build. So, they should be
> moved to pre-merge checks.
> 
> (In reply to Zac Medico from comment #8)
> > Maybe it should also check for user namespace support for hardened profiles.
> This error appears not only on hardened profiles.
> So, this check should be more common.

I have significantly decreased the noise from pax-utils.eclass.  I have not however totally silenced it.  It is important that people using a kernel that doesn't support 'user.pax.flags' xattr namespace on tmpfs be made aware that they are losing XATTR_PAX markings.  If they opt to switch to hardening in the future, they'll hit pax related bugs.  They may also hit other bugs related to losing extended attributes for other namespaces.  We should encourage gentoo-sources or hardened-sources in Gentoo.

For reference, here are the changes to the eclass:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bd9c5468dd0ba397121c5674e370346bd0d1ebef

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5d97f52774e256b670a95f42583e01a9c268b7e6

Comment 11 Sergey S. Starikoff 2015-12-28 12:19:57 UTC
After today's update I've got a strange message:

 * Messages for package mail-client/thunderbird-38.5.0:

…
 * 
 * Failed to set XATTR_PAX markings -me /var/tmp/portage/mail-client/thunderbird-38.5.0/work/comm-esr38/tbird/mozilla/dist/bin/xpcshell.

Although the filesystem supports xattrs:
# mount | grep xattr
…
/dev/sda6 on /var type reiserfs (rw,noatime,user_xattr)

And thunderbird was merged successfully.