Gentoo Forums
Cannot emerge package with selinux in permissive mode
0x64626d63
n00b

Joined: 26 Mar 2018
Posts: 2

Posted: Thu Apr 26, 2018 12:05 pm    Post subject: Cannot emerge package with selinux in permissive mode

Hi,

I have enabled SELINUX in the kernel (4.9.34).

Code:
zgrep SELINUX /proc/config.gz
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_DEFAULT_SECURITY_SELINUX=y


I'm booting in permissive mode.

Code:
sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             strict
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              disabled
Policy deny_unknown status:     denied
Memory protection checking:     requested (insecure)
Max kernel policy version:      30


This is the fstab setup

Code:
grep tmp /etc/fstab
tmpfs                   /tmp                       tmpfs     defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t      0 0
tmpfs                   /run                       tmpfs     mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t  0 0
tmpfs                   /var/tmp/portage           tmpfs     uid=250,gid=250,mode=0775,size=75%                              0 0


And when I'm trying to emerge I'm getting the following.

Code:
>>> Install tig-2.3.3 into /var/tmp/portage/dev-vcs/tig-2.3.3/image/ category dev-vcs
make -j8 DESTDIR=/var/tmp/portage/dev-vcs/tig-2.3.3/image/ install install-doc-man
   INSTALL     INSTALL  src/tig -> /var/tmp/portage/dev-vcs/tig-2.3.3/image//usr/bin
doc/tig.1 -> /var/tmp/portage/dev-vcs/tig-2.3.3/image//usr/share/man/man1
   INSTALL  tigrc -> /var/tmp/portage/dev-vcs/tig-2.3.3/image//etc
   INSTALL  doc/tigrc.5 -> /var/tmp/portage/dev-vcs/tig-2.3.3/image//usr/share/man/man5
   INSTALL  doc/tigmanual.7 -> /var/tmp/portage/dev-vcs/tig-2.3.3/image//usr/share/man/man7
>>> Completed installing tig-2.3.3 into /var/tmp/portage/dev-vcs/tig-2.3.3/image/

 * Final size of build directory: 5140 KiB (5.0 MiB)
 * Final size of installed tree:   716 KiB

 * ACCESS DENIED:  open_wr:      /proc/thread-self/attr/fscreate
sed: warning: failed to set default file creation context to root:object_r:user_tmpfs_t: Operation not permitted * ACCESS DENIED:  open_wr:      /proc/thread-self/attr/fscreate
strip: x86_64-pc-linux-gnu-strip --strip-unneeded -R .comment -R .GCC.command.line -R .note.gnu.gold-version
   usr/bin/tig
ecompressdir: bzip2 -9 /usr/share/man
ecompressdir: bzip2 -9 /usr/share/doc
 * --------------------------- ACCESS VIOLATION SUMMARY ---------------------------
 * LOG FILE: "/var/log/sandbox/sandbox-20460.log"
 *
VERSION 1.0
FORMAT: F - Function called
FORMAT: S - Access Status
FORMAT: P - Path as passed to function
FORMAT: A - Absolute Path (not canonical)
FORMAT: R - Canonical Path
FORMAT: C - Command Line

F: open_wr
S: deny
P: /proc/thread-self/attr/fscreate
A: /proc/thread-self/attr/fscreate
R: /proc/thread-self/attr/fscreate
C: sed -e /^$/d -e s#^#/# -i /var/tmp/portage/dev-vcs/tig-2.3.3/temp/prepstrip/scanelf-already-stripped.log

F: open_wr
S: deny
P: /proc/thread-self/attr/fscreate
A: /proc/thread-self/attr/fscreate
R: /proc/thread-self/attr/fscreate
C: sed -e /^$/d -e s#^#/# -i /var/tmp/portage/dev-vcs/tig-2.3.3/temp/prepstrip/scanelf-already-stripped.log
 * --------------------------------------------------------------------------------


I am unclear as to why this is happening with SELINUX set to Permissive mode. Any ideas?

[Moderator edit: changed [quote] tags to [code] tags to preserve output layout. -Hu]
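
The violation summary in the post above declares its own record layout in the FORMAT lines, so the records written to the /var/log/sandbox/ log can be reduced mechanically. The following is an added example, not part of the original post or of Portage: it parses that layout, groups the denied records, and flags paths under /proc/.../attr/, the procfs files a process writes to set its own SELinux attributes. The function names and the sample string are constructed for illustration.

```python
import re
from collections import Counter

# Field letters as declared in the log's own FORMAT header.
FIELDS = {"F": "Function called", "S": "Access Status",
          "P": "Path as passed to function", "A": "Absolute Path (not canonical)",
          "R": "Canonical Path", "C": "Command Line"}
# Constructed sample: header plus the record from the post, repeated as in the post.
HEADER = "VERSION 1.0\n" + "".join(f"FORMAT: {k} - {v}\n" for k, v in FIELDS.items())
RECORD = """F: open_wr
S: deny
P: /proc/thread-self/attr/fscreate
A: /proc/thread-self/attr/fscreate
R: /proc/thread-self/attr/fscreate
C: sed -e /^$/d -e s#^#/# -i /var/tmp/portage/dev-vcs/tig-2.3.3/temp/prepstrip/scanelf-already-stripped.log
"""
SAMPLE_LOG = HEADER + "\n" + RECORD + "\n" + RECORD

# procfs files through which a process sets its own SELinux attributes
# (fscreate = context for the files it creates next).
SELINUX_ATTR = re.compile(r"^/proc/(self|thread-self|\d+)(/task/\d+)?/attr/[\w/]+$")
LINE = re.compile(r"^([%s]): (.*)$" % "".join(FIELDS))

def parse_records(text):
    """Yield one dict per record; a blank line or a new 'F:' line ends a record."""
    rec = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if rec and (not line.strip() or (m and m.group(1) == "F")):
            yield rec
            rec = {}
        if m:
            rec[m.group(1)] = m.group(2)
    if rec:
        yield rec

def summarize(text):
    """Group denied records by (function, canonical path, program) with a count."""
    counts = Counter((r.get("F"), r.get("R", ""), (r.get("C") or "?").split()[0])
                     for r in parse_records(text) if r.get("S") == "deny")
    return [{"func": f, "path": p, "program": c, "count": n,
             "selinux_attr": bool(SELINUX_ATTR.match(p))}
            for (f, p, c), n in counts.items()]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```
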
papas
Tux's lil' helper

Joined: 01 Dec 2014
Posts: 141
Location: Athens

Posted: Thu Apr 26, 2018 6:31 pm    Post subject:

Hello, I have enabled SELinux (permissive) and I had no problems at all.
Have you done "Define the administrator accounts"
and "Supporting service administration"
(from this guide: https://wiki.gentoo.org/wiki/SELinux/Installation)?
0x64626d63
n00b

Joined: 26 Mar 2018
Posts: 2

Posted: Mon Apr 30, 2018 5:25 pm    Post subject:

Well, that link refers to having a normal user with the ability to run emerge, but I'm actually running the command as root and getting that output.
Code:
semanage user -l | grep root
root            staff_r sysadm_r system_r


I also did
Code:
restorecon -RF /var/tmp/portage


But still got the same result on running emerge.