See attached build.log. The latest portage currently depends on sandbox >=1.6, which are currently all masked. I tried sandbox-2.0 and it failed to compile with the message:

*** Warning: Linking the shared library libsandbox.la against the
*** static library ../libsbutil/.libs/libsbutil.a is not portable!
libtool: link: i686-pc-linux-gnu-gcc -shared .libs/libsandbox_la-eqawarn.o .libs/libsandbox_la-libsandbox.o .libs/libsandbox_la-lock.o .libs/libsandbox_la-memory.o .libs/libsandbox_la-trace.o .libs/libsandbox_la-wrappers.o .libs/libsandbox_la-canonicalize.o -lc -ldl ../libsbutil/.libs/libsbutil.a -Wl,--version-script -Wl,libsandbox.map -Wl,-O1 -Wl,--as-needed -Wl,--gc-sections -Wl,--no-undefined -Wl,-soname -Wl,libsandbox.so -o .libs/libsandbox.so
.libs/libsandbox_la-trace.o: In function `trace_main':
trace.c:(.text.trace_main+0xde): undefined reference to `sb_unlinkat_pre_check'
/data/pwaller/gentoo/usr/lib/gcc/i686-pc-linux-gnu/4.2.4/../../../../i686-pc-linux-gnu/bin/ld: .libs/libsandbox_la-trace.o: relocation R_386_GOTOFF against undefined symbol `sb_unlinkat_pre_check' can not be used when making a shared object
/data/pwaller/gentoo/usr/lib/gcc/i686-pc-linux-gnu/4.2.4/../../../../i686-pc-linux-gnu/bin/ld: final link failed: Bad value
collect2: ld returned 1 exit status
make[2]: *** [libsandbox.la] Error 1
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2
Created attachment 194792: build.log
The latest stable version is sys-apps/sandbox-1.6-r2, as can be seen here: http://packages.gentoo.org/package/sys-apps/sandbox
we either have to drop sandbox in prefix, or fix it voodoo style
(In reply to comment #2)
> The latest stable version is sys-apps/sandbox-1.6-r2 as can be seen here:
>
> http://packages.gentoo.org/package/sys-apps/sandbox
>

Indeed, but 1.6 isn't in prefix, and the latest portage seems to require it.
I added 1.6-r2 now, with some luck...
@Peter: what linux are you on?
(In reply to comment #6)
> @Peter: what linux are you on?

Scientific Linux 4, a derivative of RHEL (4?). 32bit.
I'm bootstrapping a prefix with sandbox-2.0 on "Red Hat Enterprise Linux Server release 5.2 (Tikanga)", and had to add this to EPREFIX/etc/sandbox.conf to get things working:

+# Needed for selinux
+SANDBOX_WRITE="/selinux:/proc/self/task"

Looking at the error again it might have been enough to add "/selinux/context" though...
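Review bot: SANDBOX_WRITE on the second added line opens all of /selinux and all of /proc/self/task for writing, while the comment itself says "/selinux/context" might have been enough. The entry should list only the paths the error actually names, and the "# Needed for selinux" comment should say which operation needs /proc/self/task so the grant can be dropped once that is no longer the case.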
i don't know anything about selinux, but if libselinux really needs applications to screw around with /selinux/context, then that libselinux should be updated to install a sandbox.d file.
Well, libselinux isn't installed within Prefix (yet?), it is from the host system. So we either need to add /selinux/context in Prefix somehow, or sandbox knows itself. Maybe due to some configure check ("checking for selinux": test -d /selinux), although IMHO it shouldn't hurt to "addwrite /selinux/context" unconditionally.
i really don't want to add special casing for selinux to sandbox. i spent time getting all the special casing out. if you have selinux up & running on your system, doesn't it make sense to include libselinux in the prefix too? a `test -d /...` would defeat cross-compiling and similar scenarios ... so it would have to be added all the time
I'm coming in on this way late, but it is fine to allow write in /selinux since this is SELinux's pseudo filesystem (you can't create new files) which is strongly protected by policy. I don't have a problem allowing /selinux/context across the board for sandbox because of that. So if it helps I can add a sandbox.d entry to the gentoo libselinux package. (I'm not familiar with prefix, so please excuse me if I'm off base)
I think this issue no longer exists with recent versions