ThaOverlord n00b
Joined: 07 Feb 2011 Posts: 5
|
Posted: Tue Feb 08, 2011 11:56 am Post subject: can't emerge anything OSError [Errno 22] |
|
|
Hi,
I run Gentoo hardened with selinux in permissive mode.
After a recent emerge --update world I now can't emerge anything because the fetch fails with the following:
Code: |
Traceback (most recent call last):
  File "/usr/lib/portage/pym/_emerge/EbuildFetcher.py", line 113, in _spawn
    allow_missing_digests=False):
  File "/usr/lib/portage/pym/portage/package/ebuild/fetch.py", line 489, in fetch
    if _userpriv_test_write_file(mysettings, write_test_file):
  File "/usr/lib/portage/pym/portage/package/ebuild/fetch.py", line 122, in _userpriv_test_write_file
    returncode = _spawn_fetch(settings, args)
  File "/usr/lib/portage/pym/portage/package/ebuild/fetch.py", line 90, in _spawn_fetch
    rval = spawn_func(args, env=settings.environ(), **kwargs)
  File "/usr/lib/portage/pym/portage/_selinux.py", line 105, in wrapper_func
    setexec(con)
  File "/usr/lib/portage/pym/portage/_selinux.py", line 79, in setexec
    if selinux.setexeccon(ctx) < 0:
OSError: [Errno 22] Invalid argument
* Fetch failed for 'sys-libs/glibc-2.13', Log file:
* '/var/tmp/portage/sys-libs/glibc-2.13/temp/build.log'
|
the build.log just says the same thing.
It doesn't matter what I try to emerge the error is always the same (except for ebuild name)
emerge --sync works just fine though
here is emerge --info
Code: |
FEATURES variable contains unknown value(s): loadpolicy
Portage 2.1.9.36 (selinux/v2refpolicy/x86/hardened, gcc-4.5.2, glibc-2.12.2-r0,
2.6.37-hardened-r1 i686)
=================================================================
System uname: Linux-2.6.37-hardened-r1-i686-Genuine_Intel-R-_CPU_T2300_@_1.66GHz
-with-gentoo-2.0.1
Timestamp of tree: Tue, 08 Feb 2011 10:45:01 +0000
app-shells/bash: 4.1_p9
dev-java/java-config: 2.1.11-r3
dev-lang/python: 2.7.1, 3.1.3
dev-util/cmake: 2.8.3-r1
sys-apps/baselayout: 2.0.1-r1
sys-apps/openrc: 0.7.0
sys-apps/sandbox: 2.4
sys-devel/autoconf: 2.68
sys-devel/automake: 1.11.1
sys-devel/binutils: 2.21
sys-devel/gcc: 4.5.2
sys-devel/gcc-config: 1.4.1
sys-devel/libtool: 2.4-r1
sys-devel/make: 3.82
virtual/os-headers: 2.6.36.1 (sys-kernel/linux-headers)
ACCEPT_KEYWORDS="x86 ~x86"
ACCEPT_LICENSE="* -@EULA dlj-1.1"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe -floop-interchange -floop-strip-mine -floop-bloc
k"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/openvpn/easy-rsa"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/
fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox
.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe -floop-interchange -floop-strip-mine -floop-bl
ock"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs distlocks fixlafiles fixpackages loadpolicy
news parallel-fetch protect-owned sandbox selinux sesandbox sfperms strict unkn
own-features-warn unmerge-logs unmerge-orphans userfetch"
FFLAGS=""
GENTOO_MIRRORS="http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress
--force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclu
de=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/zugaina /var/lib/layman/sunrise"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="acl berkdb btrfs caps cli cracklib crypt cups cxx dri fortran graphite hard
ened iconv ipv6 madwifi modules mudflap ncurses nfs nls openmp pam pcre perl pic
pppd python readline samba selinux session ssl syslog tcpd udev unicode x86 xor
g zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu1
0k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m ma
estro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm a
law asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa l
float linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm auth
n_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_ow
ner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cac
he env expires ext_filter file_cache filter headers include info log_config logi
o mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_i
d userdir usertrack vhost_alias" COLLECTD_PLUGINS="df interface irq load memory
rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate everm
ore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver o
ldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx"
INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz
cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" PHP_TARGETS="php5-3" RU
BY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neo
magic nouveau nv r128 radeon savage sis tdfx trident vesa dummy v4l" XTABLES_ADD
ONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy c
ondition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos accou
nt"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LING
UAS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_
RSYNC_EXTRA_OPTS
|
Last edited by ThaOverlord on Tue Feb 08, 2011 1:42 pm; edited 1 time in total |
|
Sven Vermeulen Retired Dev
Joined: 29 Aug 2002 Posts: 1345 Location: Mechelen, Belgium
|
Posted: Tue Feb 08, 2011 12:40 pm Post subject: |
|
|
Do you get any denials in your audit logs? Even though SELinux is running in permissive mode, there are still certain aspects which are error-prone (most of them are the applications that are SELinux-aware and thus try to execute things which they consider to always function).
Try updating the SELinux-related packages to their ~arch versions as the current stables are overdue.
_________________
Please add "[solved]" to the initial topic title when it is solved. |
|
ThaOverlord n00b
Joined: 07 Feb 2011 Posts: 5
|
Posted: Tue Feb 08, 2011 12:55 pm Post subject: |
|
|
I can't find anything related in audit.log or avc.log, syslog or messages
I'm not sure what you mean by
Quote: |
Try updating the SELinux-related packages to their ~arch versions
|
What are ~arch versions?
Also like I said I can't update anything
Sorry, I'm a bit of a noob regarding Gentoo |
|
ThaOverlord n00b
Joined: 07 Feb 2011 Posts: 5
|
Posted: Wed Feb 09, 2011 12:14 pm Post subject: |
|
|
Hmm, no ideas? |
|
hielvc Advocate
Joined: 19 Apr 2002 Posts: 2805 Location: Oceanside, Ca
|
Posted: Wed Feb 09, 2011 6:39 pm Post subject: |
|
|
Arch is your ACCEPT_KEYWORDS setting in your /etc/make.conf file. For x86, arch testing is ~x86 and for amd64 it is ~amd64. Mine is set for testing amd64 so it is set like this: ACCEPT_KEYWORDS="~amd64". You need to read the Gentoo Handbook and
Code: |
man portage
man emerge
|
This will help you to know at least the basics and where to start to figure out the answer.
I don't do selinux so I knows nothing, I sees nothing.
Luck
EDIT: I figured out the puzzle and put in the left over words, sigh
_________________
An A-Z Index of the Linux BASH command line |
|
ThaOverlord n00b
Joined: 07 Feb 2011 Posts: 5
|
Posted: Wed Feb 09, 2011 8:46 pm Post subject: |
|
|
Yeah I know that,
and if you look into the emerge --info I have ~x86 enabled
So what's the point? Also I don't know how that would help.
Meanwhile I also tested with a non SELinux Kernel but didn't get anywhere |
|
ThaOverlord n00b
Joined: 07 Feb 2011 Posts: 5
|
Posted: Thu Feb 10, 2011 3:38 pm Post subject: |
|
|
I now unmerged python-selinux and switched to the default hardened-profile without selinux, then rebooted into a non SELinux Kernel and now it seems to work.
At least I can emerge --update
Still don't know what happened though, and switching profiles is not a good way to install stuff imho.
So no "[Solved]" I think.
Guess I will try to switch back to hardened-selinux afterwards and see if it works |
|
voidbeast n00b
Joined: 21 Feb 2011 Posts: 1
|
Posted: Mon Feb 21, 2011 5:10 am Post subject: |
|
|
I am having this exact same problem. I can not use portage to emerge anything at all. It fails every time on the fetch. |
|
Genone Retired Dev
Joined: 14 Mar 2003 Posts: 9526 Location: beyond the rim
|
Posted: Mon Feb 21, 2011 11:25 am Post subject: |
|
|
This has been reported as bug 355745. |
|
Sven Vermeulen Retired Dev
Joined: 29 Aug 2002 Posts: 1345 Location: Mechelen, Belgium
|
Posted: Wed Mar 02, 2011 5:28 pm Post subject: |
|
|
In the hardened-development overlay, a fix was added to allow unconfined_t domain to transition to the portage domains. This wasn't allowed previously (and even in permissive mode this would result in the error you've pasted before).
If you want to see if this is indeed the case on your system, run
Code: |
~# seinfo -runconfined_r -x | grep portage
|
Without selinux-base-policy-2.20101213-r9 (as offered through the hardened-development overlay) you will see nothing. With the fix, you'll see that the role has access to the portage_t, portage_sandbox_t and portage_fetch_t domains.
You can also trigger the error that you get through simple python:
Code: |
~$ python
>>> import selinux
>>> print selinux.setexeccon("unconfined_u:unconfined_r:portage_fetch_t")
|
|
blueness Developer
Joined: 25 Nov 2009 Posts: 32 Location: Buffalo, NY
|
Posted: Fri Mar 11, 2011 9:08 pm Post subject: |
|
|
It's in portage now. I tested and it appears to fix the issue. |
|
mbar Veteran
Joined: 19 Jan 2005 Posts: 1990 Location: Poland
|
Posted: Wed Apr 13, 2011 6:30 am Post subject: |
|
|
Is this really solved? Because I have a quite fresh Gentoo SELinux install with hardened-overlay and it seems that I have just the same problem updating:
Code: |
gen2-selinux ~ # seinfo -runconfined_r -x
unconfined_r
Dominated Roles:
unconfined_r
gen2-selinux ~ # sestatus -v
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 24
Policy from config file: strict
Process contexts:
Current context: root:staff_r:staff_t
Init context: system_u:system_r:init_t
/sbin/agetty system_u:system_r:getty_t
/usr/sbin/sshd system_u:system_r:sshd_t
File contexts:
Controlling term: root:object_r:user_devpts_t
/sbin/init system_u:object_r:init_exec_t
/sbin/agetty system_u:object_r:getty_exec_t
/bin/login system_u:object_r:login_exec_t
/sbin/rc system_u:object_r:initrc_exec_t
/usr/sbin/sshd system_u:object_r:sshd_exec_t
/sbin/unix_chkpwd system_u:object_r:chkpwd_exec_t
/etc/passwd system_u:object_r:etc_t
/etc/shadow system_u:object_r:shadow_t
/bin/sh system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/bin/bash system_u:object_r:shell_exec_t
/usr/bin/newrole system_u:object_r:newrole_exec_t
/lib/libc.so.6 system_u:object_r:lib_t -> system_u:object_r:lib_t
/lib/ld-linux.so.2 system_u:object_r:lib_t -> system_u:object_r:ld_so_t
gen2-selinux ~ # emerge -uDN world
Calculating dependencies... done!
>>> Verifying ebuild manifests
>>> Starting parallel fetch
>>> Emerging (1 of 6) sys-libs/ncurses-5.9
Traceback (most recent call last):
  File "/usr/lib64/portage/pym/_emerge/EbuildFetcher.py", line 113, in _spawn
    allow_missing_digests=False):
  File "/usr/lib64/portage/pym/portage/package/ebuild/fetch.py", line 489, in fetch
    if _userpriv_test_write_file(mysettings, write_test_file):
  File "/usr/lib64/portage/pym/portage/package/ebuild/fetch.py", line 122, in _userpriv_test_write_file
    returncode = _spawn_fetch(settings, args)
  File "/usr/lib64/portage/pym/portage/package/ebuild/fetch.py", line 90, in _spawn_fetch
    rval = spawn_func(args, env=settings.environ(), **kwargs)
  File "/usr/lib64/portage/pym/portage/_selinux.py", line 105, in wrapper_func
    setexec(con)
  File "/usr/lib64/portage/pym/portage/_selinux.py", line 79, in setexec
    if selinux.setexeccon(ctx) < 0:
OSError: [Errno 22] Invalid argument
* Fetch failed for 'sys-libs/ncurses-5.9', Log file:
* '/var/tmp/portage/sys-libs/ncurses-5.9/temp/build.log'
>>> Failed to emerge sys-libs/ncurses-5.9, Log file:
>>> '/var/tmp/portage/sys-libs/ncurses-5.9/temp/build.log'
* Messages for package sys-libs/ncurses-5.9:
* Fetch failed for 'sys-libs/ncurses-5.9', Log file:
* '/var/tmp/portage/sys-libs/ncurses-5.9/temp/build.log'
|
Code: |
type=1400 audit(1302676122.869:185): avc: denied { create } for pid=2264 comm="emerge" name=".news-lcd-filtering.unread.portage_lockfile" scontext=root:staff_r:staff_t tcontext=root:object_r:var_lib_t tclass=file
type=1400 audit(1302676122.869:186): avc: denied { write } for pid=2264 comm="emerge" name=".news-lcd-filtering.unread.portage_lockfile" dev=sda1 ino=258295 scontext=root:staff_r:staff_t tcontext=root:object_r:var_lib_t tclass=file
type=1400 audit(1302676122.869:187): avc: denied { setattr } for pid=2264 comm="emerge" name=".news-lcd-filtering.unread.portage_lockfile" dev=sda1 ino=258295 scontext=root:staff_r:staff_t tcontext=root:object_r:var_lib_t tclass=file
type=1400 audit(1302676122.869:188): avc: denied { unlink } for pid=2264 comm="emerge" name=".news-lcd-filtering.unread.portage_lockfile" dev=sda1 ino=258295 scontext=root:staff_r:staff_t tcontext=root:object_r:var_lib_t tclass=file
type=1400 audit(1302676129.574:189): avc: denied { write } for pid=2264 comm="emerge" name="portage" dev=sda1 ino=259296 scontext=root:staff_r:staff_t tcontext=system_u:object_r:portage_tmp_t tclass=dir
type=1400 audit(1302676129.574:190): avc: denied { add_name } for pid=2264 comm="emerge" name="exectest-iAXmxJ" scontext=root:staff_r:staff_t tcontext=system_u:object_r:portage_tmp_t tclass=dir
type=1400 audit(1302676129.574:191): avc: denied { create } for pid=2264 comm="emerge" name="exectest-iAXmxJ" scontext=root:staff_r:staff_t tcontext=root:object_r:portage_tmp_t tclass=file
type=1400 audit(1302676129.574:192): avc: denied { read write open } for pid=2264 comm="emerge" name="exectest-iAXmxJ" dev=sda1 ino=258295 scontext=root:staff_r:staff_t tcontext=root:object_r:portage_tmp_t tclass=file
type=1400 audit(1302676129.574:193): avc: denied { setattr } for pid=2264 comm="emerge" name="exectest-iAXmxJ" dev=sda1 ino=258295 scontext=root:staff_r:staff_t tcontext=root:object_r:portage_tmp_t tclass=file
type=1400 audit(1302676129.574:194): avc: denied { execute } for pid=2264 comm="emerge" name="exectest-iAXmxJ" dev=sda1 ino=258295 scontext=root:staff_r:staff_t tcontext=root:object_r:portage_tmp_t tclass=file
type=1400 audit(1302676129.574:195): avc: denied { remove_name } for pid=2264 comm="emerge" name="exectest-iAXmxJ" dev=sda1 ino=258295 scontext=root:staff_r:staff_t tcontext=system_u:object_r:portage_tmp_t tclass=dir
type=1400 audit(1302676129.574:196): avc: denied { unlink } for pid=2264 comm="emerge" name="exectest-iAXmxJ" dev=sda1 ino=258295 scontext=root:staff_r:staff_t tcontext=root:object_r:portage_tmp_t tclass=file
type=1400 audit(1302676129.581:197): avc: denied { read } for pid=2264 comm="emerge" name="Makefile" dev=sda1 ino=326038 scontext=root:staff_r:staff_t tcontext=system_u:object_r:src_t tclass=file
type=1400 audit(1302676129.581:198): avc: denied { open } for pid=2264 comm="emerge" name="Makefile" dev=sda1 ino=326038 scontext=root:staff_r:staff_t tcontext=system_u:object_r:src_t tclass=file
|
EDIT: I'm logged in via SSH:
Code: |
gen2-selinux ~ # id -Z
root:staff_r:staff_t
|
EDIT2: updating after logging in at the "physical" console worked OK, and root has a different context then:
Code: |
gen2-selinux ~ # id -Z
root:sysadm_r:sysadm_t
|
|
|
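Added example (not part of any poster's message and not Portage code): a small Python parser that groups AVC denials like the ones quoted above by source role and type, target type and class, and reports when emerge itself was running outside a portage domain, as it was under root:staff_r:staff_t over SSH. The function names are hypothetical, and treating any source type that does not start with "portage" as untransitioned is a heuristic assumption.

```python
import re
from collections import defaultdict

# Sample input: three of the AVC lines quoted in the post above, copied unchanged.
SAMPLE = """\
type=1400 audit(1302676129.574:190): avc: denied { add_name } for pid=2264 comm="emerge" name="exectest-iAXmxJ" scontext=root:staff_r:staff_t tcontext=system_u:object_r:portage_tmp_t tclass=dir
type=1400 audit(1302676129.574:192): avc: denied { read write open } for pid=2264 comm="emerge" name="exectest-iAXmxJ" dev=sda1 ino=258295 scontext=root:staff_r:staff_t tcontext=root:object_r:portage_tmp_t tclass=file
type=1400 audit(1302676129.581:197): avc: denied { read } for pid=2264 comm="emerge" name="Makefile" dev=sda1 ino=326038 scontext=root:staff_r:staff_t tcontext=system_u:object_r:src_t tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(text):
    """Yield one dict per AVC denial line; lines that are not denials are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = d["perms"].split()
            yield d

def summarize(text):
    """Map (comm, source role, source type, target type, class) -> set of denied permissions."""
    out = defaultdict(set)
    for d in parse_avc(text):
        # Contexts are user:role:type, optionally followed by an MLS level.
        _, s_role, s_type = d["scontext"].split(":")[:3]
        t_type = d["tcontext"].split(":")[2]
        out[(d["comm"], s_role, s_type, t_type, d["tclass"])].update(d["perms"])
    return dict(out)

def emerge_outside_portage_domain(text):
    """Return sorted (role, type) pairs under which emerge was denied while not in a portage* domain."""
    return sorted({(k[1], k[2]) for k in summarize(text)
                   if k[0] == "emerge" and not k[2].startswith("portage")})

if __name__ == "__main__":
    for key, perms in sorted(summarize(SAMPLE).items()):
        print(key, sorted(perms))
    print("emerge ran untransitioned as:", emerge_outside_portage_domain(SAMPLE))
```

A non-empty result means the login role should be compared against `id -Z` before looking at the policy itself.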
OWNSyouAll Tux's lil' helper
Joined: 20 Apr 2010 Posts: 99
|
Posted: Wed Apr 27, 2011 8:54 pm Post subject: |
|
|
had a similar problem
Code: |
newrole -r sysadm_r
|
solved it over ssh as root |
|