Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 655996

Summary: Portage SELinux enhancements for musl and cleanups
Product: Portage Development Reporter: Jason Zaman <perfinion>
Component: Core - External InteractionAssignee: Portage team <dev-portage>
Status: RESOLVED FIXED    
Severity: normal CC: blueness, musl, selinux
Priority: Normal Keywords: InVCS
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 651804    
Attachments: 0001-misc-functions-selinux-is-gone-in-favour-of-sys-fs-s.patch
0002-misc-functions-fix-selinux-labelling-on-musl.patch
preinst_selinux_labels: disable LD_PRELOAD sandbox

Description Jason Zaman gentoo-dev 2018-05-18 06:03:57 UTC
preinst_selinux_labels() in misc-functions.sh is called after build to set the SELinux labels before merging, there are a couple issues.

musl libc does getopt differently so the order of args to setfiles needs fixing to work there. (patch 0002)

the /selinux path has not been used in many many years so it can be removed, only need /sys/fs/selinux. (patch 0001)

The last issue is that SELinux doesnt allow LD_PRELOAD across domain transitions by default so every time a package is installed this message appears:

>>> Setting SELinux security labels
ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded: ignored.

There is no real harm, its just not that nice. more info here: http://blog.siphos.be/2011/04/selinux-and-noatsecure-or-why-portage-complains-about-ld_preload-and-libsandbox-so/

I'd rather not allow the permission in the policy since its not required so the better option is to probably not sandbox that function in the first place. Whether or not to sandbox the other functions that run together with it is up to you.


Reproducible: Always
Comment 1 Jason Zaman gentoo-dev 2018-05-18 06:05:06 UTC
Created attachment 531970 [details, diff]
0001-misc-functions-selinux-is-gone-in-favour-of-sys-fs-s.patch
Comment 2 Jason Zaman gentoo-dev 2018-05-18 06:05:48 UTC
Created attachment 531972 [details, diff]
0002-misc-functions-fix-selinux-labelling-on-musl.patch
Comment 3 Larry the Git Cow gentoo-dev 2018-05-18 16:08:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/portage.git/commit/?id=6c32161a8a2db662c49c7763803a4219fd994612

commit 6c32161a8a2db662c49c7763803a4219fd994612
Author:     Jason Zaman <perfinion@gentoo.org>
AuthorDate: 2018-05-18 04:07:24 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2018-05-18 16:06:39 +0000

    misc-functions: fix selinux labelling on musl
    
    musl's implementation of getopt is different from glibc's in that it
    does not accept flags after non-flag arguments, moving the flags earlier
    makes SELinux labelling work on musl also.
    
    Bug: https://bugs.gentoo.org/655996
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>

 bin/misc-functions.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/proj/portage.git/commit/?id=7bbbee4c03367c09ec9cb19737066c781f28c06d

commit 7bbbee4c03367c09ec9cb19737066c781f28c06d
Author:     Jason Zaman <perfinion@gentoo.org>
AuthorDate: 2018-05-18 04:05:29 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2018-05-18 16:05:56 +0000

    misc-functions: /selinux is gone in favour of /sys/fs/selinux
    
    It was moved to /sys/fs/selinux/ long ago and not supported anymore
    
    Bug: https://bugs.gentoo.org/655996
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>

 bin/misc-functions.sh | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
Comment 4 Zac Medico gentoo-dev 2018-05-18 17:34:19 UTC
(In reply to Jason Zaman from comment #0)
> The last issue is that SELinux doesnt allow LD_PRELOAD across domain
> transitions by default so every time a package is installed this message
> appears:
> 
> >>> Setting SELinux security labels
> ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded:
> ignored.
> 
> There is no real harm, its just not that nice. more info here:
> http://blog.siphos.be/2011/04/selinux-and-noatsecure-or-why-portage-
> complains-about-ld_preload-and-libsandbox-so/
> 
> I'd rather not allow the permission in the policy since its not required so
> the better option is to probably not sandbox that function in the first
> place. Whether or not to sandbox the other functions that run together with
> it is up to you.

Patch posted for review:

https://archives.gentoo.org/gentoo-portage-dev/message/911e6ea5d75d04d3f4bdf6bb0e9b16d8
https://github.com/gentoo/portage/pull/321
Comment 5 Zac Medico gentoo-dev 2018-05-21 09:09:22 UTC
Created attachment 532540 [details, diff]
preinst_selinux_labels: disable LD_PRELOAD sandbox
Comment 6 Jason Zaman gentoo-dev 2018-05-21 14:04:20 UTC
(In reply to Zac Medico from comment #4)
> Patch posted for review:
> 
> https://archives.gentoo.org/gentoo-portage-dev/message/
> 911e6ea5d75d04d3f4bdf6bb0e9b16d8
> https://github.com/gentoo/portage/pull/321

confirming. it works great now :)

>>> Installing (1 of 1) games-misc/cowsay-3.03-r2::gentoo
 * checking 51 files for package collisions
>>> Merging games-misc/cowsay-3.03-r2 to /
>>> Setting SELinux security labels
--- /usr/
[snip]
Comment 7 Larry the Git Cow gentoo-dev 2018-05-21 16:58:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/portage.git/commit/?id=ef99f7e9e0e0b4d0ae20b6964b1efbee4c49fdaa

commit ef99f7e9e0e0b4d0ae20b6964b1efbee4c49fdaa
Author:     Zac Medico <zmedico@gentoo.org>
AuthorDate: 2018-05-18 03:57:59 +0000
Commit:     Zac Medico <zmedico@gentoo.org>
CommitDate: 2018-05-21 16:57:42 +0000

    preinst_selinux_labels: disable LD_PRELOAD sandbox (bug 655996)
    
    Since SELinux does not allow LD_PRELOAD across domain transitions,
    disable the LD_PRELOAD sandbox for preinst_selinux_labels.
    
    Bug: https://bugs.gentoo.org/655996
    Tested-by: Jason Zaman <perfinion@gentoo.org>

 pym/_emerge/EbuildPhase.py             | 30 +++++++++++++++++++++++++++++-
 pym/_emerge/MiscFunctionsProcess.py    |  6 +++++-
 pym/portage/package/ebuild/doebuild.py | 28 +++++++++++++++++++++-------
 3 files changed, 55 insertions(+), 9 deletions(-)
Comment 8 Zac Medico gentoo-dev 2018-05-21 16:59:42 UTC
Great, thanks for testing!
Comment 9 Zac Medico gentoo-dev 2018-07-02 18:54:05 UTC
Fixed in portage-2.3.40-r1.