Knowledge Base:Software installation fails with open wr ACCESS DENIED on SELinux systems
After upgrade of the SELinux userspace utilities (like libselinux and libsemanage), the installation process of any software fails with the following error message:
emerge -u selinux-base-policy
>>> Install selinux-base-policy-2.20120215-r7 into /var/tmp/portage/sec-policy/selinux-base-policy-2.20120215-r7/image/ category sec-policy * Installing targeted application policy package ACCESS DENIED open_wr: /sys/fs/selinux/context /etc/selinux/targeted/contexts/files/file_contexts: invalid context system_u:object_r:portage_tmp_t * Installing targeted authlogin policy package ACCESS DENIED open_wr: /sys/fs/selinux/context /etc/selinux/targeted/contexts/files/file_contexts: invalid context system_u:object_r:portage_tmp_t ...
This error occurs on a SELinux-enabled Gentoo system, after updating the SELinux libselinux package towards version 2.1.9 or higher and with a Portage version prior to 18.104.22.168 or 2.2.0_alpha100:
eselect profile show
Current /etc/make.profile symlink: hardened/linux/amd64/selinux
emerge -pv libselinux
[ebuild R ] sys-libs/libselinux-2.1.9
emerge -pv portage
[ebuild R ] sys-apps/portage-22.214.171.124
Since libselinux version 2.1.9 or higher, the standard location for the SELinux file system (selinuxfs) has moved from /selinux to /sys/fs/selinux. As a result, the sandbox integration in Portage, which allows read/write access to /selinux/context is now invalid (as it should point to /sys/fs/selinux/context). This has been fixed in recent versions of Portage, but these have not been stabilized when libselinux-2.1.9 was.
Edit /etc/sandbox.conf to add /sys/fs/selinux/context to the SANDBOX_WRITE variable.
- Emerge fails with ACCESS DENIED on /sys/fs/selinux/context (Gentoo's Bugzilla).