Hi,

Since the first beta releases of genkernel-4.0.0, it fails to build initramfs with a sandbox error on blkid.

 * ACCESS DENIED: open_wr: /proc/thread-self/attr/fscreate
 * --------------------------- ACCESS VIOLATION SUMMARY ---------------------------
 * LOG FILE: "/var/log/sandbox/sandbox-12150.log"
 *
VERSION 1.0
FORMAT: F - Function called
FORMAT: S - Access Status
FORMAT: P - Path as passed to function
FORMAT: A - Absolute Path (not canonical)
FORMAT: R - Canonical Path
FORMAT: C - Command Line

F: open_wr
S: deny
P: /proc/thread-self/attr/fscreate
A: /proc/thread-self/attr/fscreate
R: /proc/8284/task/8284/attr/fscreate
C: cp -a blkid.static /var/tmp/genkernel/gk.HKIGtjqU/util-linux.KtPd3Lqn/image/sbin/blkid
 * --------------------------------------------------------------------------------
 * ERROR: create_initramfs(): append_data(): append_blkid(): populate_binpkg(): gkbuild(): Failed to create binpkg of util-linux-2.34!
 * Please consult '/var/log/genkernel.log' for more information and any
 * errors that were reported above.
 *
 * Report any genkernel bugs to bugs.gentoo.org and
 * assign your bug to genkernel@gentoo.org. Please include
 * as much information as you can in your bug report; attaching
 * '/var/log/genkernel.log' so that your issue can be dealt with effectively.
 *
 * Please do *not* report kernel compilation failures as genkernel bugs!
 *

Reproducible: Always

Steps to Reproduce:
1. Install genkernel-4.0.0 beta
2. Build kernel with initramfs
3. It fails with an ACCESS VIOLATION
Created attachment 592288
Log file from genkernel
emerge --info

Portage 2.3.76 (python 3.6.9-final-0, default/linux/amd64/17.1/no-multilib/hardened/selinux, gcc-9.2.0, glibc-2.29-r5, 5.3.2-gentoo-x86_64 x86_64)
=================================================================
System uname: Linux-5.3.2-gentoo-x86_64-x86_64-Intel-R-_Atom-TM-_CPU_C2550_@_2.40GHz-with-gentoo-2.6
KiB Mem: 12249924 total, 862616 free
KiB Swap: 15728636 total, 15728636 free
Timestamp of repository gentoo: Wed, 09 Oct 2019 11:46:20 +0000
Head commit of repository gentoo: 0f0fa621638058efb28763875a6e2597e40e095f
sh bash 5.0_p11
ld GNU ld (Gentoo 2.32 p2) 2.32.0
ccache version 3.7.4 [enabled]
app-shells/bash: 5.0_p11::gentoo
dev-java/java-config: 2.2.0-r4::gentoo
dev-lang/perl: 5.30.0::gentoo
dev-lang/python: 3.6.9::gentoo
dev-util/ccache: 3.7.4::gentoo
dev-util/cmake: 3.15.4::gentoo
dev-util/pkgconfig: 0.29.2::gentoo
sys-apps/baselayout: 2.6-r1::gentoo
sys-apps/openrc: 0.42.1::gentoo
sys-apps/sandbox: 2.18::gentoo
sys-devel/autoconf: 2.69-r4::gentoo
sys-devel/automake: 1.16.1-r1::gentoo
sys-devel/binutils: 2.32-r1::gentoo
sys-devel/gcc: 9.2.0-r1::gentoo
sys-devel/gcc-config: 2.1::gentoo
sys-devel/libtool: 2.4.6-r5::gentoo
sys-devel/make: 4.2.1-r4::gentoo
sys-kernel/linux-headers: 5.3::gentoo (virtual/os-headers)
sys-libs/glibc: 2.29-r5::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: git
    sync-uri: https://github.com/gentoo-mirror/gentoo
    priority: -1000

x-portage
    location: /usr/local/portage
    masters: gentoo
    priority: 0

ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="@FREE dlj-1.1 Oracle-BCLA-JavaSE intel-ucode"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php7.3/ext-active/ /etc/php/cgi-php7.3/ext-active/ /etc/php/cli-php7.3/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
ENV_UNSET="DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs buildsyspkg ccache clean-logs config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch preserve-libs protect-owned sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="fr_FR.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="fr"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="acl amd64 audit bzip2 caps ccache crypt gnutls hardened iconv ipv6 libressl libtirpc mysql ncurses nls nptl openmp openssl pam pcre pie readline seccomp selinux smp split-usr ssl ssp syslog threads unicode xattr xml xtpax zlib" ABI_X86="64" ADA_TARGET="gnat_2018" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes mmx mmxext pclmul popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3" CURL_SSL="libressl" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="libinput keyboard mouse" KERNEL="linux" L10N="fr" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" NETBEANS_MODULES="apisupport cnd groovy gsf harness ide identity j2ee java mobility nb php profiler soa visualweb webcommon websvccommon xml" NGINX_MODULES_HTTP="access auth_basic autoindex browser cache_purge charset dav dav_ext empty_gif fastcgi geo gzip headers_more limit_conn limit_req map memcached proxy referer rewrite scgi split_clients ssi upstream_hash upstream_ip_hash upstream_keepalive upstream_least_conn upstream_zone userid uwsgi" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-3" POSTGRES_TARGETS="postgres10 postgres11" PYTHON_SINGLE_TARGET="python3_6" PYTHON_TARGETS="python3_6" RUBY_TARGETS="ruby24 ruby25" USERLAND="GNU" VIDEO_CARDS="amdgpu fbdev intel nouveau radeon radeonsi vesa dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
You are running in an environment where sandbox isn't working properly. Please tell us more about your setup.
See also: https://forums.gentoo.org/viewtopic-t-1100916-start-0.html
(In reply to Thomas Deutschmann from comment #3)
> You are running in an environment where sandbox isn't working properly.
> Please tell us more about your setup.

Yes sure, but I don't have any specific setup, what would you want to know?
Well, I guess this is a hardened/selinux problem. Or in other words: genkernel would need a selinux policy. I don't use SELinux so I cannot help. Maybe adding SANDBOX_WRITE exception for /proc/self (?) like https://gitweb.gentoo.org/proj/genkernel.git/tree/gen_funcs.sh?h=v4.0.0_beta19#n1376 would be enough (https://wiki.gentoo.org/wiki/SELinux/Gentoo_profiles#SANDBOX_WRITE)? Of course you can disable sandbox usage in genkernel with "--no-sandbox" argument but...
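Added example, not part of the bug thread or of genkernel: a small POSIX shell triage of a sandbox violation log in the F/S/P/A/R/C format quoted in the report, flagging denials whose canonical path is a per-process security attribute node under /proc/.../attr/ (fscreate is where a process sets the SELinux context for files it is about to create). The function names are this example's own, and the sample log is constructed from the single record shown in the report.

```sh
#!/bin/sh
# Added example: triage denied accesses in a Gentoo sandbox violation log.
# Field letters (F, S, P, A, R, C) follow the FORMAT legend in the report.
# Constructed sample: the single record quoted in the report above.
sample_log() {
cat <<'EOF'
VERSION 1.0
FORMAT: F - Function called
FORMAT: S - Access Status
FORMAT: R - Canonical Path
FORMAT: C - Command Line
F: open_wr
S: deny
P: /proc/thread-self/attr/fscreate
A: /proc/thread-self/attr/fscreate
R: /proc/8284/task/8284/attr/fscreate
C: cp -a blkid.static /var/tmp/genkernel/gk.HKIGtjqU/util-linux.KtPd3Lqn/image/sbin/blkid
EOF
}

# Emit one tab-separated line per denied access:
# function, path as passed, canonical path, command line.
sandbox_denials() {
    awk '
        /^F: / { f = substr($0, 4); s = ""; p = ""; r = ""; next }
        /^S: / { s = substr($0, 4); next }
        /^P: / { p = substr($0, 4); next }
        /^R: / { r = substr($0, 4); next }
        /^C: / { if (s == "deny") printf "%s\t%s\t%s\t%s\n", f, p, r, substr($0, 4) }
    '
}

# True when the path is a per-process security attribute node,
# i.e. /proc/<self|thread-self|pid[/task/tid]>/attr/<name>.
is_proc_attr() {
    printf '%s\n' "$1" |
        grep -Eq '^/proc/(self|thread-self|[0-9]+(/task/[0-9]+)?)/attr/[^/]+$'
}

# Label each denial so attribute writes stand out from ordinary file writes.
triage() {
    tab=$(printf '\t')
    sandbox_denials | while IFS="$tab" read -r func passed canon cmd; do
        if is_proc_attr "$canon"; then kind="proc-attr"; else kind="other"; fi
        printf '%s %s %s (%s)\n' "$kind" "$func" "$passed" "${cmd%% *}"
    done
}

sample_log | triage
```

On a real system, feed it the file named on the "LOG FILE" line, for example `triage < /var/log/sandbox/sandbox-12150.log`.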
Created attachment 598618
genkernel-4.0.0_rc3-selinux.patch

This patch fixes the problem for me, thanks.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/proj/genkernel.git/commit/?id=a611a39cabab9836b51d1fc4326c3747cbdcd29a

commit a611a39cabab9836b51d1fc4326c3747cbdcd29a
Author:     Mark Wright <gienah@gentoo.org>
AuthorDate: 2019-12-06 15:23:51 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-12-06 15:25:50 +0000

    Improve SELinux compatibility

    Closes: https://bugs.gentoo.org/697074
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 gen_funcs.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)