[SOLVED] Permission denied in chrooted environment

Post by gentuser27 » Sun Apr 09, 2017 9:44 pm

Hello,
I've just bought a laptop and I'm installing gentoo on it. I'm already in a chrooted environment and installing some software.
I've been following the gentoo-handbook for installing, but when I try to emerge sys-apps/util-linux-2.28.2 from the chrooted environment I get the following error:

chmod 4755 /var/tmp/portage/sys-apps/util-linux-2.28.2/image//bin/mount
chmod: changing permissions of '/var/tmp/portage/sys-apps/util-linux-2.28.2/image//bin/mount': Permission denied

I've got no clue why this happens and would be very glad if someone could help me.
If any further information is needed, just ask.

Thank you.
Last edited by gentuser27 on Fri May 05, 2017 7:54 am, edited 1 time in total.

Post by eccerr0r » Mon Apr 10, 2017 1:07 am

What filesystem type and how did you mount your /var/tmp?
Intel Core i7 2700K/Radeon Firepro W2100/24GB DDR3/800GB SSD
What am I supposed watching?

Post by Hu » Mon Apr 10, 2017 3:44 am

What is the output of emerge --info?

Post by gentuser27 » Tue Apr 11, 2017 11:42 am

Output of mount | column -t:

Code:

proc         on  /proc                                 type  proc         (rw,nosuid,nodev,noexec,relatime)
udev         on  /dev                                  type  devtmpfs     (rw,nosuid,relatime,size=10240k,nr_inodes=473990,mode=755)
devpts       on  /dev/pts                              type  devpts       (rw,relatime,gid=5,mode=620,ptmxmode=000)
sysfs        on  /sys                                  type  sysfs        (rw,nosuid,nodev,noexec,relatime)
/dev/sdb1    on  /mnt/cdrom                            type  iso9660      (ro,relatime)
overlay      on  /                                     type  overlay      (rw,relatime,lowerdir=/mnt/livecd,upperdir=/mnt/overlay/.upper,workdir=/mnt/overlay/.work)
none         on  /mnt/overlay                          type  tmpfs        (rw,relatime)
/dev/loop0   on  /mnt/livecd                           type  squashfs     (ro,relatime)
tmpfs        on  /run                                  type  tmpfs        (rw,nodev,relatime,size=382388k,mode=755)
mqueue       on  /dev/mqueue                           type  mqueue       (rw,nosuid,nodev,noexec,relatime)
shm          on  /dev/shm                              type  tmpfs        (rw,nosuid,nodev,noexec,relatime)
securityfs   on  /sys/kernel/security                  type  securityfs   (rw,nosuid,nodev,noexec,relatime)
debugfs      on  /sys/kernel/debug                     type  debugfs      (rw,nosuid,nodev,noexec,relatime)
fusectl      on  /sys/fs/fuse/connections              type  fusectl      (rw,nosuid,nodev,noexec,relatime)
pstore       on  /sys/fs/pstore                        type  pstore       (rw,nosuid,nodev,noexec,relatime)
cgroup_root  on  /sys/fs/cgroup                        type  tmpfs        (rw,nosuid,nodev,noexec,relatime,size=10240k,mode=755)
openrc       on  /sys/fs/cgroup/openrc                 type  cgroup       (rw,nosuid,nodev,noexec,relatime,release_agent=/lib64/rc/sh/cgroup-release-agent.sh,name=openrc)
cpuset       on  /sys/fs/cgroup/cpuset                 type  cgroup       (rw,nosuid,nodev,noexec,relatime,cpuset)
cpu          on  /sys/fs/cgroup/cpu                    type  cgroup       (rw,nosuid,nodev,noexec,relatime,cpu)
cpuacct      on  /sys/fs/cgroup/cpuacct                type  cgroup       (rw,nosuid,nodev,noexec,relatime,cpuacct)
blkio        on  /sys/fs/cgroup/blkio                  type  cgroup       (rw,nosuid,nodev,noexec,relatime,blkio)
memory       on  /sys/fs/cgroup/memory                 type  cgroup       (rw,nosuid,nodev,noexec,relatime,memory)
devices      on  /sys/fs/cgroup/devices                type  cgroup       (rw,nosuid,nodev,noexec,relatime,devices)
freezer      on  /sys/fs/cgroup/freezer                type  cgroup       (rw,nosuid,nodev,noexec,relatime,freezer)
net_cls      on  /sys/fs/cgroup/net_cls                type  cgroup       (rw,nosuid,nodev,noexec,relatime,net_cls)
perf_event   on  /sys/fs/cgroup/perf_event             type  cgroup       (rw,nosuid,nodev,noexec,relatime,perf_event)
pids         on  /sys/fs/cgroup/pids                   type  cgroup       (rw,nosuid,nodev,noexec,relatime,pids)
binfmt_misc  on  /proc/sys/fs/binfmt_misc              type  binfmt_misc  (rw,nosuid,nodev,noexec,relatime)
none         on  /run/user/1000                        type  tmpfs        (rw,relatime,mode=700,uid=1000)
none         on  /run/user/0                           type  tmpfs        (rw,relatime,mode=700)
/dev/sda7    on  /mnt/gentoo                           type  ext4         (rw,relatime,data=ordered)
proc         on  /mnt/gentoo/proc                      type  proc         (rw,relatime)
sysfs        on  /mnt/gentoo/sys                       type  sysfs        (rw,nosuid,nodev,noexec,relatime)
securityfs   on  /mnt/gentoo/sys/kernel/security       type  securityfs   (rw,nosuid,nodev,noexec,relatime)
debugfs      on  /mnt/gentoo/sys/kernel/debug          type  debugfs      (rw,nosuid,nodev,noexec,relatime)
fusectl      on  /mnt/gentoo/sys/fs/fuse/connections   type  fusectl      (rw,nosuid,nodev,noexec,relatime)
pstore       on  /mnt/gentoo/sys/fs/pstore             type  pstore       (rw,nosuid,nodev,noexec,relatime)
cgroup_root  on  /mnt/gentoo/sys/fs/cgroup             type  tmpfs        (rw,nosuid,nodev,noexec,relatime,size=10240k,mode=755)
openrc       on  /mnt/gentoo/sys/fs/cgroup/openrc      type  cgroup       (rw,nosuid,nodev,noexec,relatime,release_agent=/lib64/rc/sh/cgroup-release-agent.sh,name=openrc)
cpuset       on  /mnt/gentoo/sys/fs/cgroup/cpuset      type  cgroup       (rw,nosuid,nodev,noexec,relatime,cpuset)
cpu          on  /mnt/gentoo/sys/fs/cgroup/cpu         type  cgroup       (rw,nosuid,nodev,noexec,relatime,cpu)
cpuacct      on  /mnt/gentoo/sys/fs/cgroup/cpuacct     type  cgroup       (rw,nosuid,nodev,noexec,relatime,cpuacct)
blkio        on  /mnt/gentoo/sys/fs/cgroup/blkio       type  cgroup       (rw,nosuid,nodev,noexec,relatime,blkio)
memory       on  /mnt/gentoo/sys/fs/cgroup/memory      type  cgroup       (rw,nosuid,nodev,noexec,relatime,memory)
devices      on  /mnt/gentoo/sys/fs/cgroup/devices     type  cgroup       (rw,nosuid,nodev,noexec,relatime,devices)
freezer      on  /mnt/gentoo/sys/fs/cgroup/freezer     type  cgroup       (rw,nosuid,nodev,noexec,relatime,freezer)
net_cls      on  /mnt/gentoo/sys/fs/cgroup/net_cls     type  cgroup       (rw,nosuid,nodev,noexec,relatime,net_cls)
perf_event   on  /mnt/gentoo/sys/fs/cgroup/perf_event  type  cgroup       (rw,nosuid,nodev,noexec,relatime,perf_event)
pids         on  /mnt/gentoo/sys/fs/cgroup/pids        type  cgroup       (rw,nosuid,nodev,noexec,relatime,pids)
udev         on  /mnt/gentoo/dev                       type  devtmpfs     (rw,nosuid,relatime,size=10240k,nr_inodes=473990,mode=755)
devpts       on  /mnt/gentoo/dev/pts                   type  devpts       (rw,relatime,gid=5,mode=620,ptmxmode=000)
mqueue       on  /mnt/gentoo/dev/mqueue                type  mqueue       (rw,nosuid,nodev,noexec,relatime)
shm          on  /mnt/gentoo/dev/shm                   type  tmpfs        (rw,nosuid,nodev,noexec,relatime)
/dev/sdc1    on  /mnt/tmp                              type  ext4         (rw,relatime,data=ordered)

Output of emerge --info:

Code:

Portage 2.3.3 (python 3.4.5-final-0, default/linux/amd64/13.0, gcc-4.9.4, glibc-2.23-r3, 4.8.17-hardened-r2 x86_64)
=================================================================
System uname: Linux-4.8.17-hardened-r2-x86_64-Intel-R-_Core-TM-_i7-3517U_CPU_@_1.90GHz-with-gentoo-2.3
KiB Mem:     3823876 total,   1348408 free
KiB Swap:   10485756 total,  10485756 free
Timestamp of repository gentoo: Tue, 11 Apr 2017 11:00:01 +0000
sh bash 4.3_p48-r1
ld GNU ld (Gentoo 2.26.1 p1.0) 2.26.1
app-shells/bash:          4.3_p48-r1::gentoo
dev-lang/perl:            5.22.3_rc4::gentoo
dev-lang/python:          2.7.12::gentoo, 3.4.5::gentoo
dev-util/pkgconfig:       0.28-r2::gentoo
sys-apps/baselayout:      2.3::gentoo
sys-apps/openrc:          0.23.2::gentoo
sys-apps/sandbox:         2.10-r3::gentoo
sys-devel/autoconf:       2.69::gentoo
sys-devel/automake:       1.11.6-r1::gentoo, 1.14.1::gentoo, 1.15::gentoo
sys-devel/binutils:       2.26.1::gentoo
sys-devel/gcc:            4.9.4::gentoo
sys-devel/gcc-config:     1.7.3::gentoo
sys-devel/libtool:        2.4.6-r3::gentoo
sys-devel/make:           4.2.1::gentoo
sys-kernel/linux-headers: 4.4::gentoo (virtual/os-headers)
sys-libs/glibc:           2.23-r3::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=native -frecord-gcc-switches"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/lib64/libreoffice/program/sofficerc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -march=native -frecord-gcc-switches"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://de-mirror.org/gentoo/ ftp://ftp-stud.hs-esslingen.de/pub/Mirrors/gentoo/"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="X a52 aac acl acpi alsa amd64 apm bash-completion berkdb bindist branding bzip2 caps cli cracklib crypt css cups curl curlwrappers cxx dbus dga dri dts encode exif fam ffmpeg flac fortran ftp gdbm gif git gmp gnutls gpm gsl gzip hddtemp iconv imap imlib jit joystick jpeg lame libnotify libsamplerate libwww lm-sensors lua lzma lzo mad matroska mhash modules mozilla mp3 mp4 mpeg mplayer multilib ncurses netboot nls nptl ogg opengl openmp pam pcntl pcre pdf png posix postscript ppds pulseaudio python raw readline rss sasl seccomp session smp sockets sound sqlite ssl subversion svg szip tcpd threads udev unicode usb vaapi vcd vdpau vnc wifi x264 xattr xml xvmc zeroconf zlib" ABI_X86="64 32" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes avx mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="evdev synaptics mutouch" KERNEL="linux" L10N="en en_US en_GB" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb 
ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en en_US en_GB" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-6" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_4" RUBY_TARGETS="ruby21" USERLAND="GNU" VIDEO_CARDS="i915" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

Hope this helps.

Post by Hu » Wed Apr 12, 2017 1:40 am

Historically, chroot on production systems was used to confine system services, so hardened kernels impose extra limitations on chroot'd processes. Running Gentoo with a hardened kernel should work fine. Booting a LiveCD with a hardened kernel for the purpose of chroot'ing into Gentoo may not work well.

Post by toralf » Wed Apr 12, 2017 7:22 pm

Try this

Code:

mr-fox ~ # grep chroot /etc/sysctl.d/local.conf 
#  emerge within chroot isn't allowed otherwise
kernel.grsecurity.chroot_deny_chmod = 0
# prevent: "se of CAP_SYS_ADMIN in chroot denied for "
kernel.grsecurity.chroot_caps = 0
kernel.grsecurity.chroot_deny_mount = 0

Post by gentuser27 » Fri May 05, 2017 7:54 am

Sorry, that I did not answer for so long, but I tried a non-hardened kernel and it worked.
So thank you.

Post by sheogorath » Wed Jul 05, 2017 7:05 pm

gentuser27 wrote: Sorry, that I did not answer for so long, but I tried a non-hardened kernel and it worked.
So thank you.

I have the same issue. I'm using the default desktop profile (so the kernel is probably non-hardened). But still I can't install util-linux. I can't even set 4755 permission to any other file I created anywhere in my mounted filesystem inside chroot but I can set it from the outside livecd filesystem (with no chroot). However in order to make util-linux emerge properly I need to be able to set SUID permission inside chroot.

Post by Hu » Thu Jul 06, 2017 1:08 am

sheogorath: please post the output of emerge --info, as I requested of the OP when the problem was initially reported. Please also post the output of the failure, so that we can verify that it is the same problem.

Post by sheogorath » Thu Jul 06, 2017 2:56 pm

Emerge info:

Code:

Portage 2.3.6 (python 3.4.5-final-0, default/linux/amd64/13.0/desktop, gcc-5.4.0, glibc-2.23-r4, 4.8.17-hardened-r2 x86_64)
=================================================================
System uname: Linux-4.8.17-hardened-r2-x86_64-AMD_Phenom-tm-_II_X4_B60_Processor-with-gentoo-2.3
KiB Mem:     3901688 total,   2154704 free
KiB Swap:    8388604 total,   8388604 free
Timestamp of repository gentoo: Tue, 04 Jul 2017 20:30:01 +0000
sh bash 4.3_p48-r1
ld GNU ld (Gentoo 2.28 p1.2) 2.28
app-shells/bash:          4.3_p48-r1::gentoo
dev-lang/perl:            5.24.1-r2::gentoo
dev-lang/python:          2.7.12::gentoo, 3.4.5::gentoo
dev-util/cmake:           3.7.2::gentoo
dev-util/pkgconfig:       0.28-r2::gentoo
sys-apps/baselayout:      2.3::gentoo
sys-apps/openrc:          0.26.3::gentoo
sys-apps/sandbox:         2.10-r3::gentoo
sys-devel/autoconf:       2.13::gentoo, 2.69::gentoo
sys-devel/automake:       1.15-r2::gentoo
sys-devel/binutils:       2.28-r2::gentoo
sys-devel/gcc:            5.4.0-r3::gentoo
sys-devel/gcc-config:     1.7.3::gentoo
sys-devel/libtool:        2.4.6-r3::gentoo
sys-devel/make:           4.2.1::gentoo
sys-kernel/linux-headers: 4.4::gentoo (virtual/os-headers)
sys-libs/glibc:           2.23-r4::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=amdfam10 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=amdfam10 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="X a52 aac acl acpi alsa amd64 berkdb bindist bluetooth branding bzip2 cairo cdda cdr cli consolekit cracklib crypt cups cxx dbus dri dts dvd dvdr emboss encode exif fam firefox flac fortran gdbm gif glamor gpm gtk iconv ipv6 jpeg lcms ldap libnotify mad mng modules mp3 mp4 mpeg multilib ncurses nls nptl ogg opengl openmp pam pango pcre pdf perl png policykit ppds qt3support qt4 readline sdl seccomp session spell ssl startup-notification svg tcpd tiff truetype udev udisks unicode upower usb vorbis wxwidgets x264 xattr xcb xml xv xvid zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx sse sse2" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="libinput keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-6" PYTHON_SINGLE_TARGET="python3_4" PYTHON_TARGETS="python2_7 python3_4" 
RUBY_TARGETS="ruby21 ruby22" USERLAND="GNU" VIDEO_CARDS="amdgpu fbdev intel nouveau radeon radeonsi vesa dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

Error:

Code:

make  install-exec-hook
make[4]: Entering directory '/var/tmp/portage/sys-apps/util-linux-2.28.2/work/util-linux-2.28.2-abi_x86_64.amd64'
if test "/usr/lib64" != "/usr/lib64" -a -f "/var/tmp/portage/sys-apps/util-linux-2.28.2/image//usr/lib64/libuuid.so"; then \
	/bin/mkdir -p /var/tmp/portage/sys-apps/util-linux-2.28.2/image//usr/lib64; \
	mv /var/tmp/portage/sys-apps/util-linux-2.28.2/image//usr/lib64/libuuid.so.* /var/tmp/portage/sys-apps/util-linux-2.28.2/image//usr/lib64; \
	so_img_name=$(readlink /var/tmp/portage/sys-apps/util-linux-2.28.2/image//usr/lib64/libuuid.so); \
	so_img_rel_target=$(echo /usr/lib64 | sed 's,\(^/\|\)[^/][^/]*,..,g'); \
	(cd /var/tmp/portage/sys-apps/util-linux-2.28.2/image//usr/lib64 && \
		rm -f libuuid.so && \
		ln -s $so_img_rel_target/usr/lib64/$so_img_name libuuid.so); \
fi
if test "/usr/lib64" != "/usr/lib64" -a -f "/var/tmp/portage/sys-apps/util-linux-2.28.2/image//usr/lib64/libblkid.so"; then \
	/bin/mkdir -p /var/tmp/portage/sys-apps/util-linux-2.28.2/image//usr/lib64; \
	mv /var/tmp/portage/sys-apps/util-linux-2.28.2/image//usr/lib64/libblkid.so.* /var/tmp/portage/sys-apps/util-linux-2.28.2/image//usr/lib64; \
	so_img_name=$(readlink /var/tmp/portage/sys-apps/util-linux-2.28.2/image//usr/lib64/libblkid.so); \
	so_img_rel_target=$(echo /usr/lib64 | sed 's,\(^/\|\)[^/][^/]*,..,g'); \
	(cd /var/tmp/portage/sys-apps/util-linux-2.28.2/image//usr/lib64 && \
		rm -f libblkid.so && \
		ln -s $so_img_rel_target/usr/lib64/$so_img_name libblkid.so); \
fi
if test "/usr/lib64" != "/usr/lib64" -a -f "/var/tmp/portage/sys-apps/util-linux-2.28.2/image//usr/lib64/libmount.so"; then \
	/bin/mkdir -p /var/tmp/portage/sys-apps/util-linux-2.28.2/image//usr/lib64; \
	mv /var/tmp/portage/sys-apps/util-linux-2.28.2/image//usr/lib64/libmount.so.* /var/tmp/portage/sys-apps/util-linux-2.28.2/image//usr/lib64; \
	so_img_name=$(readlink /var/tmp/portage/sys-apps/util-linux-2.28.2/image//usr/lib64/libmount.so); \
	so_img_rel_target=$(echo /usr/lib64 | sed 's,\(^/\|\)[^/][^/]*,..,g'); \
	(cd /var/tmp/portage/sys-apps/util-linux-2.28.2/image//usr/lib64 && \
		rm -f libmount.so && \
		ln -s $so_img_rel_target/usr/lib64/$so_img_name libmount.so); \
fi
if test "/usr/lib64" != "/usr/lib64" -a -f "/var/tmp/portage/sys-apps/util-linux-2.28.2/image//usr/lib64/libsmartcols.so"; then \
	/bin/mkdir -p /var/tmp/portage/sys-apps/util-linux-2.28.2/image//usr/lib64; \
	mv /var/tmp/portage/sys-apps/util-linux-2.28.2/image//usr/lib64/libsmartcols.so.* /var/tmp/portage/sys-apps/util-linux-2.28.2/image//usr/lib64; \
	so_img_name=$(readlink /var/tmp/portage/sys-apps/util-linux-2.28.2/image//usr/lib64/libsmartcols.so); \
	so_img_rel_target=$(echo /usr/lib64 | sed 's,\(^/\|\)[^/][^/]*,..,g'); \
	(cd /var/tmp/portage/sys-apps/util-linux-2.28.2/image//usr/lib64 && \
		rm -f libsmartcols.so && \
		ln -s $so_img_rel_target/usr/lib64/$so_img_name libsmartcols.so); \
fi
if test "/usr/lib64" != "/usr/lib64" -a -f "/var/tmp/portage/sys-apps/util-linux-2.28.2/image//usr/lib64/libfdisk.so"; then \
	/bin/mkdir -p /var/tmp/portage/sys-apps/util-linux-2.28.2/image//usr/lib64; \
	mv /var/tmp/portage/sys-apps/util-linux-2.28.2/image//usr/lib64/libfdisk.so.* /var/tmp/portage/sys-apps/util-linux-2.28.2/image//usr/lib64; \
	so_img_name=$(readlink /var/tmp/portage/sys-apps/util-linux-2.28.2/image//usr/lib64/libfdisk.so); \
	so_img_rel_target=$(echo /usr/lib64 | sed 's,\(^/\|\)[^/][^/]*,..,g'); \
	(cd /var/tmp/portage/sys-apps/util-linux-2.28.2/image//usr/lib64 && \
		rm -f libfdisk.so && \
		ln -s $so_img_rel_target/usr/lib64/$so_img_name libfdisk.so); \
fi
cd /var/tmp/portage/sys-apps/util-linux-2.28.2/image//usr/bin && ln -sf last lastb
for I in uname26 linux32 linux64   i386 x86_64     ; do \
	cd /var/tmp/portage/sys-apps/util-linux-2.28.2/image//usr/bin && ln -sf setarch $I ; \
done
chmod 4755 /var/tmp/portage/sys-apps/util-linux-2.28.2/image//bin/mount
chmod: changing permissions of '/var/tmp/portage/sys-apps/util-linux-2.28.2/image//bin/mount': Permission denied
make[4]: *** [Makefile:11842: install-exec-hook-mount] Error 1
make[4]: *** Waiting for unfinished jobs....
make[4]: Leaving directory '/var/tmp/portage/sys-apps/util-linux-2.28.2/work/util-linux-2.28.2-abi_x86_64.amd64'
make[3]: *** [Makefile:11625: install-exec-am] Error 2
make[3]: Leaving directory '/var/tmp/portage/sys-apps/util-linux-2.28.2/work/util-linux-2.28.2-abi_x86_64.amd64'
make[2]: *** [Makefile:11514: install-am] Error 2
make[2]: Leaving directory '/var/tmp/portage/sys-apps/util-linux-2.28.2/work/util-linux-2.28.2-abi_x86_64.amd64'
make[1]: *** [Makefile:11206: install-recursive] Error 1
make[1]: Leaving directory '/var/tmp/portage/sys-apps/util-linux-2.28.2/work/util-linux-2.28.2-abi_x86_64.amd64'
make: *** [Makefile:11508: install] Error 2
 * ERROR: sys-apps/util-linux-2.28.2::gentoo failed (install phase):
 *   emake failed
 * 
 * If you need support, post the output of `emerge --info '=sys-apps/util-linux-2.28.2::gentoo'`,
 * the complete build log and the output of `emerge -pqv '=sys-apps/util-linux-2.28.2::gentoo'`.
 * The complete build log is located at '/var/tmp/portage/sys-apps/util-linux-2.28.2/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/sys-apps/util-linux-2.28.2/temp/environment'.
 * Working directory: '/var/tmp/portage/sys-apps/util-linux-2.28.2/work/util-linux-2.28.2-abi_x86_64.amd64'
 * S: '/var/tmp/portage/sys-apps/util-linux-2.28.2/work/util-linux-2.28.2'

>>> Failed to emerge sys-apps/util-linux-2.28.2, Log file:

>>>  '/var/tmp/portage/sys-apps/util-linux-2.28.2/temp/build.log'

 * Messages for package sys-fs/eudev-3.1.5:

 * 
 * As of 2013-01-29, eudev-3.1.5 provides the new interface renaming functionality,
 * as described in the URL below:
 * https://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames
 * 
 * This functionality is enabled BY DEFAULT because eudev has no means of synchronizing
 * between the default or user-modified choice of sys-fs/udev.  If you wish to disable
 * this new iface naming, please be sure that /etc/udev/rules.d/80-net-name-slot.rules
 * exists: touch /etc/udev/rules.d/80-net-name-slot.rules
 * 

 * Messages for package sys-apps/util-linux-2.28.2:

 * ERROR: sys-apps/util-linux-2.28.2::gentoo failed (install phase):
 *   emake failed
 * 
 * If you need support, post the output of `emerge --info '=sys-apps/util-linux-2.28.2::gentoo'`,
 * the complete build log and the output of `emerge -pqv '=sys-apps/util-linux-2.28.2::gentoo'`.
 * The complete build log is located at '/var/tmp/portage/sys-apps/util-linux-2.28.2/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/sys-apps/util-linux-2.28.2/temp/environment'.
 * Working directory: '/var/tmp/portage/sys-apps/util-linux-2.28.2/work/util-linux-2.28.2-abi_x86_64.amd64'
 * S: '/var/tmp/portage/sys-apps/util-linux-2.28.2/work/util-linux-2.28.2'

 * GNU info directory index is up-to-date.
 * After world updates, it is important to remove obsolete packages with
 * emerge --depclean. Refer to `man emerge` for more information.

I was mistaken that my kernel is not hardened, it is actually hardened due to emerge --info. I thought it was because my profile doesn't have the word 'hardened' in its name but others do. So I'd like to know what does hardened/not hardened mean, why does hardened have such problem and how do I switch to non-hardened.

p.s. I tried chrooting and emerging util-linux from my linux mint (which kernel is likely non-hardened) and it was emerged successfully. So was it hardened because of the live cd? Should I try different image?

Post by Hu » Fri Jul 07, 2017 1:46 am

Hardened is a particular variant of the Linux kernel that disallows some otherwise permitted operations, usually for the purpose of making it harder for attackers to misuse the system. You get a hardened kernel, or not, depending on which kernel you boot. When you build your own, you can choose to install sources that produce a hardened kernel or sources that produce a non-hardened kernel.

Yes, using a hardened kernel (whether from disk or Live CD) is incompatible with using a chroot to build programs that need to do disallowed operations, such as enabling suid. Some hardened kernel restrictions can be disabled at runtime. I do not recall if this is one of them.

Post by gengreen » Thu Jan 04, 2018 10:29 am

toralf wrote: Try this

Code:

mr-fox ~ # grep chroot /etc/sysctl.d/local.conf 
#  emerge within chroot isn't allowed otherwise
kernel.grsecurity.chroot_deny_chmod = 0
# prevent: "se of CAP_SYS_ADMIN in chroot denied for "
kernel.grsecurity.chroot_caps = 0
kernel.grsecurity.chroot_deny_mount = 0

Thank you! You saved my day.

For this to work, you should have GRKERNSEC_SYSCTL=Y in your kernel.

The file could be located at /etc/sysctl.conf

And don't forget to run sysctl -p

Post by raddaqii » Mon Mar 05, 2018 10:33 am

@toralf, Hu, thank you very much. That was helpful and saved my day. @gengreen, the sysctl hint was the icing on top ^-^

(And quite an unexpected, but possible ad-hoc workaround when all I had for a setup was a hardened kernel live DVD at hand and no minimal Gentoo image. Needed to apply this outside the chroot of course.)
--
Gentoo from 2004.3

Oh, took a new home in the fediverse: find me in the stream on pluspora.com: https://mastodon.social/deck/tags/gentoo
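
Added example, not part of any post in this thread: a POSIX shell audit of the three grsecurity chroot sysctls that toralf's configuration sets to 0, for confirming once the install is finished that they are back at 1. It assumes the sysctls appear under /proc/sys/kernel/grsecurity (the usual /proc/sys mapping of the names quoted above); `GRSEC_DIR`, the function names and the `grsec_lock` check are this example's own and do not come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): audit the grsecurity chroot sysctls
# discussed above. GRSEC_DIR is an assumption of this example and can be
# pointed at a constructed directory so the functions run offline.
GRSEC_DIR="${GRSEC_DIR:-/proc/sys/kernel/grsecurity}"

# Sysctl names from toralf's post (kernel.grsecurity.<name>).
# 1 = restriction enforced, 0 = restriction switched off.
CHROOT_KNOBS="chroot_deny_chmod chroot_caps chroot_deny_mount"

# Succeeds when a kernel release string carries the "-hardened" tag seen in
# both emerge --info headers in the thread. Defaults to the running kernel.
kernel_is_hardened() {
    case "${1:-$(uname -r)}" in
        *-hardened*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Print the value of one knob, or "absent" when the kernel does not expose it
# (non-grsecurity kernel, or sysctl support not built in).
knob_value() {
    if [ -r "$GRSEC_DIR/$1" ]; then
        tr -d '[:space:]' < "$GRSEC_DIR/$1"
    else
        echo absent
    fi
}

# Print the space-separated list of knobs currently set to 0.
relaxed_knobs() {
    rk_out=""
    for rk_name in $CHROOT_KNOBS; do
        if [ "$(knob_value "$rk_name")" = "0" ]; then
            rk_out="$rk_out $rk_name"
        fi
    done
    echo "${rk_out# }"
}

# Succeeds when grsec_lock is 1, i.e. the grsecurity sysctls can no longer be
# changed until reboot (grsec_lock is not mentioned in the thread).
sysctls_locked() {
    [ "$(knob_value grsec_lock)" = "1" ]
}

# One-word verdict:
#   not-exposed  no grsecurity sysctl directory on this kernel
#   relaxed      at least one chroot restriction is 0 (the install workaround)
#   enforced     all three knobs read 1
#   unknown      directory exists but a knob is missing or has another value
chroot_state() {
    if [ ! -d "$GRSEC_DIR" ]; then
        echo not-exposed
    elif [ -n "$(relaxed_knobs)" ]; then
        echo relaxed
    else
        for cs_name in $CHROOT_KNOBS; do
            if [ "$(knob_value "$cs_name")" != "1" ]; then
                echo unknown
                return 0
            fi
        done
        echo enforced
    fi
}

# Human-readable summary for the running system.
report() {
    if kernel_is_hardened; then
        echo "kernel $(uname -r): hardened"
    else
        echo "kernel $(uname -r): no -hardened tag"
    fi
    for rp_name in $CHROOT_KNOBS grsec_lock; do
        echo "kernel.grsecurity.$rp_name = $(knob_value "$rp_name")"
    done
    echo "chroot restrictions: $(chroot_state)"
}

report
```

Run it outside the chroot, on the system whose kernel is booted, since that is where the sysctls were changed. A `relaxed` verdict after the install is complete means the workaround is still in effect.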