The Selinux profile masks the multilib and x264 flags this is fine, but the Selinux profile for amd64 should unmask then again. Note: This bug apply to both the 2007 and v2refpolicy profiles for Selinux. Reproducible: Always Steps to Reproduce: 1. eselect profile set selinux/2007.0/amd64 2. Add 'multilib', to your make.conf 3. emerge -pv gcc, The is now listed as unset (-multilib*) 4. emerge -pv vlc, The is now listed as unset (-x264*). Actual Results: The multilib is not set. Expected Results: The multilib flag should be set. Portage 2.1.6.13 (selinux/2007.0/amd64, gcc-4.3.4, glibc-2.9_p20081201-r2, 2.6.31-gentoo-r6 x86_64) ================================================================= System uname: Linux-2.6.31-gentoo-r6-x86_64-AMD_Athlon-tm-_7750_Dual-Core_Processor-with-gentoo-1.12.13 Timestamp of tree: Sat, 26 Dec 2009 09:00:01 +0000 ccache version 2.4 [enabled] app-shells/bash: 4.0_p35 dev-lang/python: 2.6.4 dev-util/ccache: 2.4-r7 dev-util/cmake: 2.6.4-r3 sys-apps/baselayout: 1.12.13 sys-apps/sandbox: 1.6-r2 sys-devel/autoconf: 2.13, 2.63-r1 sys-devel/automake: 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2 sys-devel/binutils: 2.19.1-r1 sys-devel/gcc-config: 1.4.1 sys-devel/libtool: 2.2.6b virtual/os-headers: 2.6.27-r2 ACCEPT_KEYWORDS="amd64" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-O2 -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/lib64/tomoyo/conf /usr/share/X11/xkb /var/bind" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d" CXXFLAGS="-O2 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="ccache distlocks fixpackages loadpolicy parallel-fetch protect-owned sandbox selinux sesandbox sfperms strict unmerge-orphans userfetch" GENTOO_MIRRORS="http://gentoo.virginmedia.com/ http://gentoo.tiscali.nl/ http://de-mirror.org/distro/gentoo/ http://gentoo.mneisen.org/" LDFLAGS="-Wl,-O1" LINGUAS="en_GB en" MAKEOPTS="-j4" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_EXTRA_OPTS="--quiet" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/dev/shm" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage/layman/armagetron /usr/local/portage/layman/suka /usr/local/portage/local" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="X a52 aac acl acpi alsa amd64 aspell avahi bash-completion berkdb bzip2 cdda cdr cli cracklib crypt cups cxx dbus dhcpcd djvu dri dvd dvdr encode ffmpeg flac fortran gdbm gif git gnome gnutls gpm gstreamer gtk hal hddtemp hdri iconv imap ipv6 jbig jpeg jpeg2k kerberos ldap lm_sensors lzma lzo mad mikmod mmx modules mp3 mp4 mpeg mudflap nautilus ncurses nls nptl nvidia ogg opengl openmp pam pcre perl png pppd python rar readline reflection samba sdl selinux sensord session spell spl sse sse2 ssl subversion svg tcpd tga theora threads tiff truetype unicode vorbis xorg xvmc zeroconf zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en_GB en" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="nvidia nv" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS
I did not tell you. You need to add 'x264' to your make.conf file. I messed up the text for steps 3 and 4 but I think you get the point.
I think this not a enchancement but a bug. from the use.mask file: ># ppc and x86/amd64 >x264 That line should be removed because the x264 package and in turn the use flag is now for alpha, amd64, mips, ppc, ppc64, sparc, x86 and x86-fbsd. ># Only used by mips and old amd64 profiles >multilib In that comment the only thing wrong is the word old. From how I read that it's saying that multilib should be unmasked in the amd64 profile.
Apparently this is still an issue. My setup: Hardened Gentoo amd64, no-multilib, SELinux, PaX, grsec, selinux/v2refpolicy/amd64/hardened profile. Steps to reproduce: 1. Start a fresh install from Gentoo minimal install cd 2. During the install grab stage3-amd64-hardened+nomultilib-20101230.tar.bz2 from the releases directory. 3. After install, try to emerge -uDN world 4. glibc and gcc fail to compile This most likely is due to the fact that I grab a nomultilib stage 3 during install, but SELinux profiles do not offer a nomultilib setting. However, when using emerge gcc glibc, they both have (-multilib) set, as in /usr/portage/profiles/selinux/use.mask it says multilib is masked. I however understood that there was no such thing as SELinux and nomultilib. Switching multilib to -multilib in /usr/portage/profiles/selinux/use.mask makes portage try and emerge glibc and gcc as multilib. They still fail on the same errors as before though: glibc: configure: error: C preprocessor "/lib/cpp" fails sanity check gcc: error: gnu/stubs-32.h: No such file or directory Searching the web I find that this is a circular dependency and so I am not able to resolve this (gcc requires multilib glibc and vice versa). Should there be a warning on the hardened nomultilib stage 3 that it cannot be used with SELinux at the moment?
This has been resolved with the new selinux "feature" profile.
