Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 778311

Summary: app-shells/bash ebuilds for bash-5* mislabel context of /bin/sh ( it's done in pkg_postinst and hence not relabeled by portage
Product: Gentoo Linux Reporter: brankob
Component: Current packagesAssignee: Gentoo's Team for Core System packages <base-system>
Status: RESOLVED FIXED    
Severity: normal CC: jstein, sam, selinux
Priority: Normal Keywords: PATCH, PullRequest
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://github.com/gentoo/gentoo/pull/21359
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: my ebuild
resulting patch

Description brankob 2021-03-26 08:01:21 UTC 
This one is sneaky.
NEw ebuilds place their /bin/sh only if nothing was there ( no  previous link or something else), so things might work fine if bash is just being upgraded from say 4.x version.
But once that /bin/sh is missing, link gets installed with context portage_tmp_t instead of default bin_t.

With systemd, this makes things like setting fonts and locale on bootup faile without any good trace that points to the reason. I suspect there are plenty of other situations, too. 
Here is my ebuild for latest portage version at the moment and patch for it, which might apply for previous 5.x versions.


 



Reproducible: Always

Steps to Reproduce:
1.bootstrap Gentoo from non-selinux stage3 to working selinux profile
2.emerge friggin bash-5x
3. reboot and try to find your keys on your supposedly non-EN keyboard layout
4. do few days worth of headsratching, trying to understand, why systemd fails to set the locale on bootup.
Comment 1 brankob 2021-03-26 08:02:28 UTC 
Created attachment 693858 [details]
my ebuild
Comment 2 brankob 2021-03-26 08:03:25 UTC 
Created attachment 693888 [details, diff]
resulting patch
Comment 3 dkjii 2021-05-21 09:03:04 UTC 
Can confirm this is an issue for =app-shells/bash-5.1_p8

emerge -1 bash && ls -Z /bin/sh shows portage_tmp_t context which breaks a few (lot of?) thing
Comment 4 Mike Gilbert gentoo-dev 2021-05-21 19:25:52 UTC 
Comment on attachment 693888 [details, diff]
resulting patch

There's a typo:

> restorecon /bnin/sh died

Personally, I would drop the message entirely.

The restorecon call should occur within the "if" block; if we are not creating the symlink, we don't need to restore its context.

Is restorecon smart enough to set the proper context when ${ROOT} != ""?

Also, I would prefer to see one of the following implemented:

1. Drop IUSE=selinux, and simply try to call restorecon if it exists.
OR
2. Add "selinux? ( sys-apps/policycoreutils )" to BDEPEND and RDEPEND (IDEPEND once we switch to EAPI 8).
Comment 5 dkjii 2021-05-23 00:38:55 UTC 
The issue is in the pkg_preinst and not the pkg_postinst. Context would be correct if pkg_postinst created the symlink.

Patch should remove the whole mtime-changing part of pkg_preinst and put in inside pkg_postinst.

It should also either use mv -Z (if selinux is on), or "touch -h /bin/sh"

I assume touch -h was not used because of compatibility issues? openbsd does not seem to support it.

Not sure why the mtime is being changed on the symlink though, seems useless but I assume its because of a bug? Git blame on gentoo tree sucks
Comment 6 dkjii 2021-05-23 00:43:32 UTC 
Btw, rewriting the symlink using mv still causes temporary absence of /bin/sh if /var/tmp/portage is on a different filesystem than /bin (which on my system is the case).
Comment 7 Larry the Git Cow gentoo-dev 2021-06-21 18:16:40 UTC 
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=89b32081e7c8404b35f7d3cf82f105877331454b

commit 89b32081e7c8404b35f7d3cf82f105877331454b
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2021-06-21 14:20:40 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2021-06-21 18:16:14 +0000

    app-shells/bash: remove /bin/sh logic from pkg_preinst
    
    This was added back in 2008 to handle some migration in file ownership.
    I expect all users have upgraded many times since then.
    
    Closes: https://bugs.gentoo.org/778311
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 app-shells/bash/bash-5.0_p18.ebuild | 9 ---------
 app-shells/bash/bash-5.1_p8.ebuild  | 9 ---------
 2 files changed, 18 deletions(-)