| Field | Value |
|---|---|
| Summary | [SELinux and gcc] Compiling failed if not "eselect gcc set 1" |
| Product | Gentoo Linux |
| Reporter | yesi <yesi> |
| Component | Hardened |
| Assignee | SE Linux Bugs <selinux> |
| Status | RESOLVED FIXED |
| Severity | blocker |
| CC | sam |
| Priority | Normal |
| Keywords | PATCH, PullRequest |
| Version | unspecified |
| Hardware | AMD64 |
| OS | Linux |
| See Also | https://github.com/perfinion/hardened-refpolicy/pull/20, https://bugs.gentoo.org/show_bug.cgi?id=833018, https://bugs.gentoo.org/show_bug.cgi?id=768552 |
| Whiteboard | 2.20210908-r1 |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | 823203 |
| Bug Blocks | |
Description

yesi 2021-03-22 13:15:37 UTC

I fixed this in https://github.com/perfinion/hardened-refpolicy/pull/20

Hi,

Thank you for your work.

To reproduce this, I removed my previous rules:

```
# impossible to do "eselect gcc set"
#============= gcc_config_t ==============
allow gcc_config_t bin_t:lnk_file create;
allow gcc_config_t lib_t:lnk_file create;
allow gcc_config_t self:capability dac_read_search;
allow gcc_config_t self:process getsched;
allow gcc_config_t tmpfs_t:filesystem getattr;
allow gcc_config_t bin_t:lnk_file { rename unlink };
allow gcc_config_t lib_t:lnk_file { rename unlink };
```

And I gave a try to compile again sys-process/htop and sys-devel/llvm. There are no errors. :-)

But I noticed this behaviour:

```
> eselect gcc list
[1] x86_64-pc-linux-gnu-10.3.0 *
> eselect gcc set 1
 * gcc-config: need write access to /
```

Hmm... What do you think about this?

```
> mount
/dev/mapper/gnu-rootfs on / type btrfs (rw,noatime,seclabel,compress=lzo,ssd,discard,space_cache,autodefrag,subvolid=257,subvol=/@)
```

Peace.

My apologies:

```
> eselect gcc set 1
 * gcc-config: need write access to /
```

With or without my rules, I get the same message when I am in Enforcing mode.

I'd like to have your return before closing this bug.

We fixed the ${EROOT} writability check in bug 823203 but looks like we still need to fix the symlink part?

The policy parts of this were added in 2.20210908-r1

```
> emerge -av @selinux-rebuild
> rlpkg acct aide apm arpwatch avahi base base-policy cgmanager consolekit cups dante dbus devicekit dirmngr dmidecode dracut fail2ban gnome gpg gpm java kerberos ldap logrotate ldp mandb mozilla ntp openrc policykit pulseaudio rpc rpcbind samba sasl screen shutdown snmp snort sudo sysstat unconfined vmware wireshark xserver
> eselect gcc list
[1] x86_64-pc-linux-gnu-11.2.0 *
> eselect gcc set 1
 * Switching native-compiler to x86_64-pc-linux-gnu-11.2.0 ...
```

There is no error. :-)

Thanks.
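The reporter's workaround was a set of audit2allow-style `allow` rules for `gcc_config_t`. Before such rules are loaded as a local module, a policy reviewer usually wants to see them merged per (source, target, class), flag the grants that widen a domain the most, and turn them into a `.te` source that `checkmodule` can build. The script below is an added example, not code from the bug, from gcc-config or from hardened-refpolicy: it parses the rules quoted in the report (embedded as constructed sample input), merges them, reviews them against a small list of sensitive permissions that is this script's own assessment, and renders a module source in the layout `audit2allow -M` produces. The module name `gccconfig_local` is a placeholder.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the audit2allow-style rules quoted in the bug report.
SAMPLE_RULES = """\
# impossible to do "eselect gcc set"
#============= gcc_config_t ==============
allow gcc_config_t bin_t:lnk_file create;
allow gcc_config_t lib_t:lnk_file create;
allow gcc_config_t self:capability dac_read_search;
allow gcc_config_t self:process getsched;
allow gcc_config_t tmpfs_t:filesystem getattr;
allow gcc_config_t bin_t:lnk_file { rename unlink };
allow gcc_config_t lib_t:lnk_file { rename unlink };
"""

# allow <source> <target>:<class> <perm | { perm ... }>;
RULE_RE = re.compile(r"^allow\s+(\S+)\s+([^:\s]+):(\S+)\s+(\{[^}]*\}|[^\s;{}]+)\s*;$")


@dataclass(frozen=True)
class AllowRule:
    source: str
    target: str
    tclass: str
    perms: frozenset


def parse_allow_rules(text):
    """Parse allow rules, skipping blank lines and '#' comments; reject anything else."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not an allow rule: {raw!r}")
        source, target, tclass, perms = m.groups()
        rules.append(AllowRule(source, target, tclass,
                               frozenset(perms.strip("{}").split())))
    return rules


def merge_rules(rules):
    """Collapse rules sharing (source, target, class) into one permission set."""
    merged = {}
    for r in rules:
        key = (r.source, r.target, r.tclass)
        merged[key] = merged.get(key, frozenset()) | r.perms
    return [AllowRule(s, t, c, p) for (s, t, c), p in sorted(merged.items())]


# Review heuristics of this script (my own list, not from refpolicy or the bug):
# permissions worth a second look before they are granted to a domain.
SENSITIVE = {
    ("capability", "dac_read_search"): "bypasses DAC read/search checks on directories",
    ("capability", "dac_override"): "bypasses DAC permission checks on files",
    ("lnk_file", "create"): "can create symlinks of the target type",
    ("lnk_file", "rename"): "can rename symlinks of the target type",
    ("lnk_file", "unlink"): "can remove symlinks of the target type",
}


def review(rules):
    """Return (source, target, class, perm, reason) for every sensitive grant."""
    findings = []
    for r in merge_rules(rules):
        for perm in sorted(r.perms):
            reason = SENSITIVE.get((r.tclass, perm))
            if reason:
                findings.append((r.source, r.target, r.tclass, perm, reason))
    return findings


def to_te(rules, module_name, version="1.0"):
    """Render merged rules as policy module source (.te) in the layout audit2allow -M emits."""
    merged = merge_rules(rules)
    types = sorted({t for r in merged for t in (r.source, r.target) if t != "self"})
    classes = {}
    for r in merged:
        classes.setdefault(r.tclass, set()).update(r.perms)
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for r in merged:
        perms = " ".join(sorted(r.perms))
        if len(r.perms) > 1:
            perms = f"{{ {perms} }}"
        out.append(f"allow {r.source} {r.target}:{r.tclass} {perms};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    parsed = parse_allow_rules(SAMPLE_RULES)
    for finding in review(parsed):
        print("REVIEW: allow %s %s:%s %s  (%s)" % finding)
    print(to_te(parsed, "gccconfig_local"))
```

Running it lists the `lnk_file` grants on `bin_t` and `lib_t` (which is exactly what `gcc-config` needs to switch the compiler symlinks) and the `dac_read_search` capability, then prints the `.te` source; the proper fix, as the thread records, was to carry these grants in the distribution policy (2.20210908-r1) rather than in a local module.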