Created attachment 750513
0001-Check-writability-in-env.d-instead-of-EROOT.patch

SELinux blocks access to / so gcc-config fails even though the required dirs are writable. Adding SELinux rules to allow writing to / is pretty undesirable. The best is to check for writability in the actual dirs that gcc-config needs to write. It should be sufficient to check only one dir instead of every dir, since the check for only EROOT has been sufficient in the past.

Signed-off-by: Jason Zaman <perfinion@gentoo.org>

I looked through binutils-config for a similar check but did not see one. I'll leave it up to the maintainers if you'd like to add this same check there as well :)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/gcc-config.git/commit/?id=6c4d82dde134b4e947480759c125e9389f09ae01

commit 6c4d82dde134b4e947480759c125e9389f09ae01
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-11-13 04:48:00 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-11-13 04:49:06 +0000

    gcc-config: add comment explaining SELinux-related writable check

    Bug: https://bugs.gentoo.org/823203
    Signed-off-by: Sam James <sam@gentoo.org>

 gcc-config | 5 +++++
 1 file changed, 5 insertions(+)

https://gitweb.gentoo.org/proj/gcc-config.git/commit/?id=5a7cc0acb21bb44c8246d8fc11bdf3823f921b3b

commit 5a7cc0acb21bb44c8246d8fc11bdf3823f921b3b
Author:     Jason Zaman <perfinion@gentoo.org>
AuthorDate: 2021-11-12 00:34:04 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-11-13 04:49:06 +0000

    gcc-config: Check writability in env.d instead of EROOT

    SELinux blocks access to / so gcc-config fails even though the required
    dirs are writable. Adding SELinux rules to allow writing to / is pretty
    undesirable. The best is to check for writability in the actual dirs
    that gcc-config needs to write. It should be sufficient to check only
    one dir instead of every dir, since the check for only EROOT has been
    sufficient in the past.

    avc:  denied  { write } for  pid=17173 comm="gcc-config" name="/" dev="zfs" ino=34 scontext=staff_u:sysadm_r:gcc_config_t:s0-s0:c0.c1023 tcontext=system_u:object_r:root_t:s0 tclass=dir

    Bug: https://github.com/perfinion/hardened-refpolicy/pull/20
    Bug: https://bugs.gentoo.org/823203
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 gcc-config | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
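The check described in the attachment comment and in the commit message above (test the directory gcc-config actually writes, ${EROOT}/etc/env.d, rather than ${EROOT} itself) can be written as a small shell helper. The following is an added example for this bug page, not gcc-config's own code; the function names, the probe filename pattern and the constructed temporary tree are assumptions. It first uses `test -w`, which goes through access(2) and is therefore also subject to the SELinux dir write permission seen in the avc message, and then confirms with a real create/unlink probe, because access(2) and an actual open can still disagree (for example on a read-only mount).

```shell
#!/bin/sh
# Added example, not gcc-config's own code. Checks writability of the
# directory gcc-config needs to write (${EROOT}/etc/env.d) instead of
# ${EROOT}, so that an SELinux policy which forbids writing to / but
# allows writing to env.d does not make the tool bail out.

# envd_writable ROOT
#   Returns 0 when ROOT/etc/env.d exists and is writable, 1 otherwise.
#   Step 1: test -w (access(2); SELinux mediates this like a real write).
#   Step 2: a real create+unlink probe, the only fully reliable answer.
envd_writable() {
    envd_root=${1%/}
    envd_dir="$envd_root/etc/env.d"
    [ -d "$envd_dir" ] || return 1
    [ -w "$envd_dir" ] || return 1
    # Probe name is an assumption; any unique dotfile would do.
    envd_probe=$(mktemp "$envd_dir/.gcc-config-probe.XXXXXX" 2>/dev/null) || return 1
    rm -f "$envd_probe"
    return 0
}

# explain_failure ROOT
#   Prints the message a tool would show when the env.d check fails,
#   pointing at the directory that was actually tested.
explain_failure() {
    echo "error: ${1%/}/etc/env.d is not writable (check DAC bits and SELinux AVC denials)" >&2
    return 1
}

# Demonstration on a constructed temporary tree (not a real EROOT).
demo() {
    demo_tmp=$(mktemp -d)
    mkdir -p "$demo_tmp/etc/env.d"
    if envd_writable "$demo_tmp"; then
        echo "env.d under $demo_tmp is writable; proceeding"
    else
        explain_failure "$demo_tmp"
    fi
    rm -rf "$demo_tmp"
}
```

Usage: source the file (or paste the function into a script) and call `envd_writable "$EROOT" || explain_failure "$EROOT"` before touching any file under env.d. Because the probe actually creates a file, it should be run before the tool's real writes rather than inside a dry-run path.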
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2859f92a5bc308e7b9c917baa6a47eecd25624d1

commit 2859f92a5bc308e7b9c917baa6a47eecd25624d1
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-11-18 05:29:00 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-11-18 05:29:00 +0000

    sys-devel/gcc-config: add 2.5

    Closes: https://bugs.gentoo.org/823203
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-devel/gcc-config/Manifest              |  1 +
 sys-devel/gcc-config/gcc-config-2.5.ebuild | 53 ++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+)