Summary: | Portage SELinux enhancements for musl and cleanups | |
---|---|---|---
Product: | Portage Development | Reporter: | Jason Zaman <perfinion>
Component: | Core - External Interaction | Assignee: | Portage team <dev-portage>
Status: | RESOLVED FIXED | |
Severity: | normal | CC: | blueness, musl, selinux
Priority: | Normal | Keywords: | InVCS
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Package list: | | Runtime testing required: | ---
Bug Depends on: | | |
Bug Blocks: | 651804 | |
Attachments: | 0001-misc-functions-selinux-is-gone-in-favour-of-sys-fs-s.patch | |
| 0002-misc-functions-fix-selinux-labelling-on-musl.patch | |
| preinst_selinux_labels: disable LD_PRELOAD sandbox | |
Description
Jason Zaman
2018-05-18 06:03:57 UTC
Created attachment 531970 [details, diff]
0001-misc-functions-selinux-is-gone-in-favour-of-sys-fs-s.patch
Created attachment 531972 [details, diff]
0002-misc-functions-fix-selinux-labelling-on-musl.patch
Comment (git commit references)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/portage.git/commit/?id=6c32161a8a2db662c49c7763803a4219fd994612

    commit 6c32161a8a2db662c49c7763803a4219fd994612
    Author:     Jason Zaman <perfinion@gentoo.org>
    AuthorDate: 2018-05-18 04:07:24 +0000
    Commit:     Zac Medico <zmedico@gentoo.org>
    CommitDate: 2018-05-18 16:06:39 +0000

    misc-functions: fix selinux labelling on musl

    musl's implementation of getopt is different from glibc's in that it does
    not accept flags after non-flag arguments; moving the flags earlier makes
    SELinux labelling work on musl also.

    Bug: https://bugs.gentoo.org/655996
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>

    bin/misc-functions.sh | 2 +-
    1 file changed, 1 insertion(+), 1 deletion(-)

https://gitweb.gentoo.org/proj/portage.git/commit/?id=7bbbee4c03367c09ec9cb19737066c781f28c06d

    commit 7bbbee4c03367c09ec9cb19737066c781f28c06d
    Author:     Jason Zaman <perfinion@gentoo.org>
    AuthorDate: 2018-05-18 04:05:29 +0000
    Commit:     Zac Medico <zmedico@gentoo.org>
    CommitDate: 2018-05-18 16:05:56 +0000

    misc-functions: /selinux is gone in favour of /sys/fs/selinux

    It was moved to /sys/fs/selinux/ long ago and is not supported anymore.

    Bug: https://bugs.gentoo.org/655996
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>

    bin/misc-functions.sh | 4 +---
    1 file changed, 1 insertion(+), 3 deletions(-)

Comment #4
Zac Medico

(In reply to Jason Zaman from comment #0)
> The last issue is that SELinux doesn't allow LD_PRELOAD across domain
> transitions by default, so every time a package is installed this message
> appears:
>
> >>> Setting SELinux security labels
> ERROR: ld.so: object 'libsandbox.so' from LD_PRELOAD cannot be preloaded:
> ignored.
>
> There is no real harm, it's just not that nice. More info here:
> http://blog.siphos.be/2011/04/selinux-and-noatsecure-or-why-portage-complains-about-ld_preload-and-libsandbox-so/
>
> I'd rather not allow the permission in the policy since it's not required, so
> the better option is to probably not sandbox that function in the first
> place. Whether or not to sandbox the other functions that run together with
> it is up to you.

Patch posted for review:

https://archives.gentoo.org/gentoo-portage-dev/message/911e6ea5d75d04d3f4bdf6bb0e9b16d8
https://github.com/gentoo/portage/pull/321

Comment

Created attachment 532540 [details, diff]
preinst_selinux_labels: disable LD_PRELOAD sandbox

Comment (reply to comment #4)

(In reply to Zac Medico from comment #4)
> Patch posted for review:
>
> https://archives.gentoo.org/gentoo-portage-dev/message/911e6ea5d75d04d3f4bdf6bb0e9b16d8
> https://github.com/gentoo/portage/pull/321

Confirming. It works great now :)

    >>> Installing (1 of 1) games-misc/cowsay-3.03-r2::gentoo
     * checking 51 files for package collisions
    >>> Merging games-misc/cowsay-3.03-r2 to /
    >>> Setting SELinux security labels
    --- /usr/
    [snip]

Comment (git commit references)

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/portage.git/commit/?id=ef99f7e9e0e0b4d0ae20b6964b1efbee4c49fdaa

    commit ef99f7e9e0e0b4d0ae20b6964b1efbee4c49fdaa
    Author:     Zac Medico <zmedico@gentoo.org>
    AuthorDate: 2018-05-18 03:57:59 +0000
    Commit:     Zac Medico <zmedico@gentoo.org>
    CommitDate: 2018-05-21 16:57:42 +0000

    preinst_selinux_labels: disable LD_PRELOAD sandbox (bug 655996)

    Since SELinux does not allow LD_PRELOAD across domain transitions,
    disable the LD_PRELOAD sandbox for preinst_selinux_labels.

    Bug: https://bugs.gentoo.org/655996
    Tested-by: Jason Zaman <perfinion@gentoo.org>

    pym/_emerge/EbuildPhase.py             | 30 +++++++++++++++++++++++++++++-
    pym/_emerge/MiscFunctionsProcess.py    |  6 +++++-
    pym/portage/package/ebuild/doebuild.py | 28 +++++++++++++++++++++------
    3 files changed, 55 insertions(+), 9 deletions(-)

Comment

Great, thanks for testing! Fixed in portage-2.3.40-r1.