Knowledge Base:Software installation fails with open wr ACCESS DENIED on SELinux systems

From Gentoo Wiki
Jump to: navigation, search

Synopsis

After upgrade of the SELinux userspace utilities (like libselinux and libsemanage), the installation process of any software fails with the following error message:

root #emerge -u selinux-base-policy
>>> Install selinux-base-policy-2.20120215-r7 into /var/tmp/portage/sec-policy/selinux-base-policy-2.20120215-r7/image/ category sec-policy
 * Installing targeted application policy package
ACCESS DENIED  open_wr:      /sys/fs/selinux/context
/etc/selinux/targeted/contexts/files/file_contexts:  invalid context system_u:object_r:portage_tmp_t
 * Installing targeted authlogin policy package
ACCESS DENIED  open_wr:      /sys/fs/selinux/context
/etc/selinux/targeted/contexts/files/file_contexts:  invalid context system_u:object_r:portage_tmp_t
...

Environment

This error occurs on a SELinux-enabled Gentoo system, after updating the SELinux libselinux package towards version 2.1.9 or higher and with a Portage version prior to 2.1.10.56 or 2.2.0_alpha100:

root #eselect profile show
Current /etc/make.profile symlink:
  hardened/linux/amd64/selinux
root #emerge -pv libselinux
[ebuild  R  ] sys-libs/libselinux-2.1.9
root #emerge -pv portage
[ebuild  R  ] sys-apps/portage-2.1.10.49

Analysis

Since libselinux version 2.1.9 or higher, the standard location for the SELinux file system (selinuxfs) has moved from /selinux to /sys/fs/selinux. As a result, the sandbox integration in Portage, which allows read/write access to /selinux/context is now invalid (as it should point to /sys/fs/selinux/context). This has been fixed in recent versions of Portage, but these have not been stabilized when libselinux-2.1.9 was.

Resolution

Edit /etc/sandbox.conf to add /sys/fs/selinux/context to the SANDBOX_WRITE variable.

root #vim /etc/sandbox.conf
SANDBOX_WRITE="/sys/fs/selinux/context"

External resources