oracle-jdk-bin does the pax-marking in src_compile() and then afterwards in src_install() uses 'cp -pPR' to "install" everything. 'cp -p' does not preserve xattrs. I have moved to using xattr pax-marks on my system (PAX_MARKINGS="XT" in make.conf). blueness has released a wrapper for install that preserves xattrs. Please either use "einstall" for the binaries or use "cp --preserve=mode,ownership,timestamps,xattrs" instead of only "cp -p".

Reproducible: Always

Steps to Reproduce:
1. use a hardened profile, set PAX_MARKINGS="XT" in make.conf
2. emerge oracle-jdk-bin

Actual Results:
the 'java' program does not run. paxctl-ng -v /opt/oracle-jdk-bin-1.7.0.55/bin/java says not found for both types of pax-marks

Expected Results:
the 'java' program should run. paxctl-ng -v /opt/oracle-jdk-bin-1.7.0.55/bin/java should show xattr paxmarks
This is now done in:
oracle-{jdk,jre}-bin-1.7.0.65
oracle-{jdk,jre}-bin-1.8.0.11

Thanks for the report.
Hi,

Sorry to be a bother, this works for PaX but it has issues with SELinux :( It looks like cp --preserve=xattr copies all xattrs, including security.selinux. The problem is that this xattr is protected (actually all security.* are) and the copy fails. It looks like for bin/* doins should be used. I am attaching a patch to 1.7.0.65 that works for me.

-- Jason
Created attachment 381176
oracle-jdk-bin-1.7.0.65.ebuild.patch

This uses dobin instead of cp --preserve=xattr since cp touches the SELinux xattrs too which is disallowed.
Solved it in a slightly different way. Updated in place and added a dependency on the corresponding selinux policy. Thanks.
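
The two failure modes reported in this thread (marks lost with 'cp -p', copy rejected when security.selinux is included) both come down to which xattr namespaces an install step carries over. The following is an added example, not code from the ebuild, the attached patch or the fix that was committed: a namespace-selective copy in Python. It assumes Linux, assumes that XT-style PaX marks are stored in the `user.pax.flags` xattr, and uses hypothetical function names.

```python
import errno
import os
import shutil
import stat

# Assumption (not from the thread): PaX XT marks are stored in the xattr
# "user.pax.flags", so carrying over the "user." namespace keeps them.
ALLOWED_PREFIXES = ("user.",)

def split_xattrs(names, allowed=ALLOWED_PREFIXES):
    """Partition xattr names into (to_copy, skipped) by namespace prefix."""
    allowed = tuple(allowed)
    to_copy = [n for n in names if n.startswith(allowed)]
    skipped = [n for n in names if not n.startswith(allowed)]
    return to_copy, skipped

def install_preserving_marks(src, dst):
    """Copy src to dst keeping mode and timestamps, then copy only the
    allowed xattrs. Returns (copied, skipped) lists of xattr names."""
    shutil.copyfile(src, dst)              # data only, no metadata, no xattrs
    st = os.stat(src)
    os.chmod(dst, stat.S_IMODE(st.st_mode))
    try:
        names = os.listxattr(src)
    except OSError as exc:
        if exc.errno != errno.ENOTSUP:
            raise
        names = []                         # filesystem without xattr support
    to_copy, skipped = split_xattrs(names)
    for name in to_copy:
        # security.* is never written here; the destination keeps whatever
        # label the system policy assigns to the new file.
        os.setxattr(dst, name, os.getxattr(src, name))
    os.utime(dst, ns=(st.st_atime_ns, st.st_mtime_ns))
    return to_copy, skipped

if __name__ == "__main__":
    # Constructed list of names, as a marked binary might carry on an SELinux host.
    print(split_xattrs(["user.pax.flags", "security.selinux"]))
```

Skipping `security.*` also drops any other attribute in that namespace, so a file that depends on one needs it reapplied by a separate, privileged step.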