0x64626d63 n00b
Joined: 26 Mar 2018 Posts: 2
Posted: Thu Apr 26, 2018 12:05 pm Post subject: Cannot emerge package with selinux in permissive mode |
Hi,
I have enabled SELINUX in the kernel (4.9.34).
Code: | zgrep SELINUX /proc/config.gz
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_BOOTPARAM_VALUE=1
CONFIG_SECURITY_SELINUX_DISABLE=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
CONFIG_DEFAULT_SECURITY_SELINUX=y |
I'm booting in permissive mode.
Code: | sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: strict
Current mode: permissive
Mode from config file: permissive
Policy MLS status: disabled
Policy deny_unknown status: denied
Memory protection checking: requested (insecure)
Max kernel policy version: 30 |
This is the fstab setup
Code: | grep tmp /etc/fstab
tmpfs /tmp tmpfs defaults,noexec,nosuid,rootcontext=system_u:object_r:tmp_t 0 0
tmpfs /run tmpfs mode=0755,nosuid,nodev,rootcontext=system_u:object_r:var_run_t 0 0
tmpfs /var/tmp/portage tmpfs uid=250,gid=250,mode=0775,size=75% 0 0 |
And when I'm trying to emerge I'm getting the following.
Code: | >>> Install tig-2.3.3 into /var/tmp/portage/dev-vcs/tig-2.3.3/image/ category dev-vcs
make -j8 DESTDIR=/var/tmp/portage/dev-vcs/tig-2.3.3/image/ install install-doc-man
INSTALL INSTALL src/tig -> /var/tmp/portage/dev-vcs/tig-2.3.3/image//usr/bin
doc/tig.1 -> /var/tmp/portage/dev-vcs/tig-2.3.3/image//usr/share/man/man1
INSTALL tigrc -> /var/tmp/portage/dev-vcs/tig-2.3.3/image//etc
INSTALL doc/tigrc.5 -> /var/tmp/portage/dev-vcs/tig-2.3.3/image//usr/share/man/man5
INSTALL doc/tigmanual.7 -> /var/tmp/portage/dev-vcs/tig-2.3.3/image//usr/share/man/man7
>>> Completed installing tig-2.3.3 into /var/tmp/portage/dev-vcs/tig-2.3.3/image/
* Final size of build directory: 5140 KiB (5.0 MiB)
* Final size of installed tree: 716 KiB
* ACCESS DENIED: open_wr: /proc/thread-self/attr/fscreate
sed: warning: failed to set default file creation context to root:object_r:user_tmpfs_t: Operation not permitted
* ACCESS DENIED: open_wr: /proc/thread-self/attr/fscreate
strip: x86_64-pc-linux-gnu-strip --strip-unneeded -R .comment -R .GCC.command.line -R .note.gnu.gold-version
usr/bin/tig
ecompressdir: bzip2 -9 /usr/share/man
ecompressdir: bzip2 -9 /usr/share/doc
* --------------------------- ACCESS VIOLATION SUMMARY ---------------------------
* LOG FILE: "/var/log/sandbox/sandbox-20460.log"
*
VERSION 1.0
FORMAT: F - Function called
FORMAT: S - Access Status
FORMAT: P - Path as passed to function
FORMAT: A - Absolute Path (not canonical)
FORMAT: R - Canonical Path
FORMAT: C - Command Line
F: open_wr
S: deny
P: /proc/thread-self/attr/fscreate
A: /proc/thread-self/attr/fscreate
R: /proc/thread-self/attr/fscreate
C: sed -e /^$/d -e s#^#/# -i /var/tmp/portage/dev-vcs/tig-2.3.3/temp/prepstrip/scanelf-already-stripped.log
F: open_wr
S: deny
P: /proc/thread-self/attr/fscreate
A: /proc/thread-self/attr/fscreate
R: /proc/thread-self/attr/fscreate
C: sed -e /^$/d -e s#^#/# -i /var/tmp/portage/dev-vcs/tig-2.3.3/temp/prepstrip/scanelf-already-stripped.log
* -------------------------------------------------------------------------------- |
I am unclear as to why this is happening with SELINUX set to Permissive mode. Any ideas?
[Moderator edit: changed [quote] tags to [code] tags to preserve output layout. -Hu] |
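The ACCESS VIOLATION SUMMARY in the post above is written by Portage's sandbox (its log is under /var/log/sandbox), a mechanism separate from the SELinux mode that sestatus reports. As an added example that is not part of the original thread, this Python script parses that log layout and groups the denials, flagging writes to the /proc/<task>/attr/ security attribute files; the function names and the third sample record are constructed for illustration.

```python
import re
from collections import Counter

# The record quoted (twice) in the post's sandbox log.
POST_RECORD = """\
F: open_wr
S: deny
P: /proc/thread-self/attr/fscreate
A: /proc/thread-self/attr/fscreate
R: /proc/thread-self/attr/fscreate
C: sed -e /^$/d -e s#^#/# -i /var/tmp/portage/dev-vcs/tig-2.3.3/temp/prepstrip/scanelf-already-stripped.log
"""
# Constructed record (not from the post) so the summary has a second group.
CONSTRUCTED = "F: open_wr\nS: deny\nP: example.conf\nA: /etc/example.conf\nR: /etc/example.conf\nC: touch example.conf\n"
SAMPLE_LOG = "VERSION 1.0\nFORMAT: F - Function called\n" + POST_RECORD * 2 + CONSTRUCTED

FIELD = re.compile(r"^\s*([FSPARC]): (.*)$")
# /proc/<task>/attr/* holds per-task security attributes; fscreate is the file
# setfscreatecon(3) writes to.
ATTR_PATH = re.compile(r"^/proc/(self|thread-self|\d+(/task/\d+)?)/attr/\w+$")

def parse_sandbox_log(text):
    """Split the log into one dict per record; an 'F' line starts a new record."""
    records = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # VERSION / FORMAT header lines and separators
        if m.group(1) == "F":
            records.append({})
        if records:
            records[-1][m.group(1)] = m.group(2).strip()
    return records

def summarize_denials(records):
    """Count denies per (function, canonical path, program, is /proc attr file)."""
    counts = Counter()
    for r in records:
        if r.get("S") != "deny":
            continue
        path = r.get("R") or r.get("A") or r.get("P", "")
        program = (r.get("C") or "?").split()[0]
        counts[(r.get("F"), path, program, bool(ATTR_PATH.match(path)))] += 1
    return counts

if __name__ == "__main__":
    for (func, path, prog, is_attr), n in summarize_denials(parse_sandbox_log(SAMPLE_LOG)).items():
        print(f"{n}x {func} {path} by {prog} (attr file: {is_attr})")
```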
papas Tux's lil' helper
Joined: 01 Dec 2014 Posts: 141 Location: Athens
Posted: Thu Apr 26, 2018 6:31 pm Post subject: |
Hello, I have enabled SELinux (permissive) and I had no problems at all.
Have you done "Define the administrator accounts"?
And "Supporting service administration"?
(from this guide here: https://wiki.gentoo.org/wiki/SELinux/Installation) |
0x64626d63 n00b
Joined: 26 Mar 2018 Posts: 2
Posted: Mon Apr 30, 2018 5:25 pm Post subject: |
Well, that link refers to having a normal user with the ability to run emerge, but I'm actually running the command as root and getting that output.
Code: | semanage user -l | grep root
root staff_r sysadm_r system_r |
I also did
Code: | restorecon -RF /var/tmp/portage |
But still got the same result on running emerge. |