
Bug 823203

Summary: sys-devel/gcc-config : Check writability in env.d instead of EROOT
Product: Gentoo Linux
Reporter: Jason Zaman <perfinion>
Component: Current packages
Assignee: Gentoo Toolchain Maintainers <toolchain>
Status: RESOLVED FIXED
Severity: normal
CC: sam, selinux
Priority: Normal
Keywords: PATCH
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=833018
          https://bugs.gentoo.org/show_bug.cgi?id=768552
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 777717
Attachments: 0001-Check-writability-in-env.d-instead-of-EROOT.patch

Description Jason Zaman gentoo-dev 2021-11-12 00:50:44 UTC
Created attachment 750513
0001-Check-writability-in-env.d-instead-of-EROOT.patch

SELinux blocks access to / so gcc-config fails even though the required
dirs are writable. Adding SELinux rules to allow writing to / is pretty
undesirable. The best is to check for writability in the actual dirs
that gcc-config needs to write.

It should be sufficient to check only one dir instead of every dir,
since the check for only EROOT has been sufficient in the past.

Signed-off-by: Jason Zaman <perfinion@gentoo.org>

I looked through binutils-config for a similar check but did not see one. I'll leave it up to the maintainers if you'd like to add this same check there as well :)
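The difference between the two checks, as an added example that is neither gcc-config's own code nor the attached patch: the old test asks whether EROOT itself is writable, the new one asks about the env.d directory gcc-config actually writes into. The function names, the fixture layout and the messages are illustrative assumptions; the fixture uses ordinary file permissions to stand in for the SELinux denial on root_t described in the bug.

```sh
#!/bin/sh
# Added example, not gcc-config's own code. Contrasts the old writability
# check against EROOT with a check against the env.d directory that
# gcc-config actually writes. Function names, fixture layout and messages
# are illustrative assumptions, not taken from gcc-config.

# Old check: is EROOT itself writable?  Under SELinux the gcc_config_t
# domain may be denied write on root_t even though /etc/env.d is allowed,
# so this aborts needlessly.
writable_eroot() {
    [ -w "${1%/}/" ]
}

# New check: is the directory gcc-config writes into writable?  `test -w`
# maps to access(2) with W_OK, so a SELinux denial on the target directory
# still surfaces here, while an unrelated denial on / no longer does.
writable_envd() {
    [ -w "${1%/}/etc/env.d" ]
}

# Constructed fixture: a fake root whose top directory is read-only
# (mode 555) while etc/env.d below it is writable.  Plain DAC stands in
# for the SELinux policy on the page; root bypasses DAC, so the "EROOT not
# writable" half of the demo is only visible to an unprivileged user.
make_fixture() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc/env.d" || return 1
    chmod 555 "$root" || return 1
    printf '%s\n' "$root"
}

cleanup_fixture() {
    chmod 755 "$1" && rm -rf "$1"
}

# Run both checks against the fixture and report what each would decide.
demo() {
    fx=$(make_fixture) || return 1
    if writable_eroot "$fx"; then
        echo "old check: EROOT writable, gcc-config proceeds"
    else
        echo "old check: EROOT not writable, gcc-config would abort"
    fi
    if writable_envd "$fx"; then
        echo "new check: etc/env.d writable, gcc-config proceeds"
    else
        echo "new check: etc/env.d not writable, gcc-config would abort"
    fi
    cleanup_fixture "$fx"
}

demo
```

Run as a non-root user to see the old check refuse a tree whose top directory is not writable while the new check accepts it; as root both checks pass, because `access(2)` ignores DAC for uid 0 but would still honour a SELinux denial.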
Comment 1 Larry the Git Cow gentoo-dev 2021-11-13 04:49:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/gcc-config.git/commit/?id=6c4d82dde134b4e947480759c125e9389f09ae01

commit 6c4d82dde134b4e947480759c125e9389f09ae01
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-11-13 04:48:00 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-11-13 04:49:06 +0000

    gcc-config: add comment explaining SELinux-related writable check
    
    Bug: https://bugs.gentoo.org/823203
    Signed-off-by: Sam James <sam@gentoo.org>

 gcc-config | 5 +++++
 1 file changed, 5 insertions(+)

https://gitweb.gentoo.org/proj/gcc-config.git/commit/?id=5a7cc0acb21bb44c8246d8fc11bdf3823f921b3b

commit 5a7cc0acb21bb44c8246d8fc11bdf3823f921b3b
Author:     Jason Zaman <perfinion@gentoo.org>
AuthorDate: 2021-11-12 00:34:04 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-11-13 04:49:06 +0000

    gcc-config: Check writability in env.d instead of EROOT
    
    SELinux blocks access to / so gcc-config fails even though the required
    dirs are writable. Adding SELinux rules to allow writing to / is pretty
    undesirable. The best is to check for writability in the actual dirs
    that gcc-config needs to write.
    
    It should be sufficient to check only one dir instead of every dir,
    since the check for only EROOT has been sufficient in the past.
    
    avc:  denied  { write } for  pid=17173 comm="gcc-config" name="/" dev="zfs" ino=34 scontext=staff_u:sysadm_r:gcc_config_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir
    
    Bug: https://github.com/perfinion/hardened-refpolicy/pull/20
    Bug: https://bugs.gentoo.org/823203
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 gcc-config | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 2 Larry the Git Cow gentoo-dev 2021-11-18 05:29:28 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2859f92a5bc308e7b9c917baa6a47eecd25624d1

commit 2859f92a5bc308e7b9c917baa6a47eecd25624d1
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-11-18 05:29:00 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-11-18 05:29:00 +0000

    sys-devel/gcc-config: add 2.5
    
    Closes: https://bugs.gentoo.org/823203
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-devel/gcc-config/Manifest              |  1 +
 sys-devel/gcc-config/gcc-config-2.5.ebuild | 53 ++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+)