Re: [gentoo-hardened] linux32 chroot issue

[Alexander Tiurin <alexanderyt@gmail.com>]

On 27.02.2014 17:31, Anthony G. Basile wrote:
> On 02/26/2014 01:09 PM, Alexander Tiurin wrote:
>> I tried to reproduce this issue on another hardware (core2quad instead
>> core i7). emerge works fine. No errors detected.
>> Kernel, kernel config and enviroment  is equal.
>> That's odd.
>>
> Okay. Thanks for getting back because I was at a loss to help you.  If
> you figure out what *is* different let us know.
>

I upgraded kernel up to 3.13.2-hardened-r3, and portage return error:

ACCESS DENIED  mkdir:        /var
(line 2035 in  http://pastebin.com/nsCV06Ca)




emerge proftp without debug info. Now no errors as ACCESS DENIED 
/dev/{tty,null}

 >>> Verifying ebuild manifests
 >>> Emerging (1 of 1) net-ftp/proftpd-1.3.4c
 >>> Failed to emerge net-ftp/proftpd-1.3.4c, Log file:
 >>>  '/var/log/portage/net-ftp:proftpd-1.3.4c:20140324-160939.log'
 >>> Jobs: 0 of 1 complete, 1 failed                 Load avg: 1.59, 
1.34, 1.46
  * Package:    net-ftp/proftpd-1.3.4c
  * Repository: gentoo
  * Maintainer: bernd@lommerzheim.com 
voyageur@gentoo.org,slyfox@gentoo.org,net-ftp@gentoo.org,proxy-maint@gentoo.org
  * USE:        acl caps elibc_glibc kernel_linux ncurses nls pam pcre 
tcpd userland_GNU x86
  * FEATURES:   sandbox
ACCESS DENIED  mkdir:        /var
install: cannot change permissions of 
‘/var/tmp/portage/net-ftp/proftpd-1.3.4c/work’: No such file or directory
  * ERROR: net-ftp/proftpd-1.3.4c failed (unpack phase):
  *   Failed to create dir '/var/tmp/portage/net-ftp/proftpd-1.3.4c/work'
  *
  * Call stack:
  *            ebuild.sh, line 708:  Called ebuild_main 'unpack'
  *   phase-functions.sh, line 955:  Called dyn_unpack
  *   phase-functions.sh, line 243:  Called die
  * The specific snippet of code:
  *              install -m${PORTAGE_WORKDIR_MODE:-0700} -d "${WORKDIR}" 
|| die "Failed to create dir '${WORKDIR}'"
  *
  * If you need support, post the output of `emerge --info 
'=net-ftp/proftpd-1.3.4c'`,
  * the complete build log and the output of `emerge -pqv 
'=net-ftp/proftpd-1.3.4c'`.
  * The complete build log is located at 
'/var/log/portage/net-ftp:proftpd-1.3.4c:20140324-160939.log'.
  * For convenience, a symlink to the build log is located at 
'/var/tmp/portage/net-ftp/proftpd-1.3.4c/temp/build.log'.
  * The ebuild environment file is located at 
'/var/tmp/portage/net-ftp/proftpd-1.3.4c/temp/environment'.
  * Working directory: '/var/tmp/portage/net-ftp/proftpd-1.3.4c'
  * S: '/var/tmp/portage/net-ftp/proftpd-1.3.4c/work/proftpd-1.3.4c'
--------------------------- ACCESS VIOLATION SUMMARY 
---------------------------
LOG FILE "/var/log/sandbox/sandbox-13354.log"

VERSION 1.0
FORMAT: F - Function called
FORMAT: S - Access Status
FORMAT: P - Path as passed to function
FORMAT: A - Absolute Path (not canonical)
FORMAT: R - Canonical Path
FORMAT: C - Command Line

F: mkdir
S: deny
P: /var
A: /var
R: /var
C: install -m0700 -d /var tmp/portage/net-ftp/proftpd-1.3.4c/work



I changed step by step grsec kernel config options, but it not worked 
for me. Maybe I missed something.