[gentoo-user] Issue with new hardened profiles 23.0

[gentoo-user] Issue with new hardened profiles 23.0

[J. Roeleveld]

Hi all,

After succesfully migrating my desktop to 23.0, I decided to do the same for 
my server.
The only difference is that the server uses a hardened profile.

When rebooting, I noticed the "openrc" program was moved from "/sbin/openrc" 
to "/usr/sbin/openrc". I understand this is related to the merge-usr stuff, but 
I am planning on doing this change later.
The profile I selected has the "split-usr" in the name (just as described).

Has anyone else seen this as well?

Thanks,

Joost

Re: [gentoo-user] Issue with new hardened profiles 23.0

[Matthias Hanft]

J. Roeleveld wrote:
> 
> When rebooting, I noticed the "openrc" program was moved from "/sbin/openrc" 
> to "/usr/sbin/openrc". I understand this is related to the merge-usr stuff, but 
> I am planning on doing this change later.
> The profile I selected has the "split-usr" in the name (just as described).
> 
> Has anyone else seen this as well?

Not here.  Moved from

  [3]   default/linux/amd64/17.1/hardened (exp)

to

  [58]  default/linux/amd64/23.0/split-usr/hardened (stable) *

and openrc still remains in /sbin:

gentoo64 ~ # which openrc
/sbin/openrc
gentoo64 ~ #

So if your openrc has been moved, there must have been a reason
for this other than simply changing the profile...

-Matt

Re: [gentoo-user] Issue with new hardened profiles 23.0

[J. Roeleveld]

On Thursday, 28 March 2024 08:42:57 CET Matthias Hanft wrote:
> J. Roeleveld wrote:
> > When rebooting, I noticed the "openrc" program was moved from
> > "/sbin/openrc" to "/usr/sbin/openrc". I understand this is related to the
> > merge-usr stuff, but I am planning on doing this change later.
> > The profile I selected has the "split-usr" in the name (just as
> > described).
> > 
> > Has anyone else seen this as well?
> 
> Not here.  Moved from
> 
>   [3]   default/linux/amd64/17.1/hardened (exp)
> 
> to
> 
>   [58]  default/linux/amd64/23.0/split-usr/hardened (stable) *
> 
> and openrc still remains in /sbin:
> 
> gentoo64 ~ # which openrc
> /sbin/openrc
> gentoo64 ~ #
> 
> So if your openrc has been moved, there must have been a reason
> for this other than simply changing the profile...

Do you use the binary packages supplied by Gentoo?
Or all local-compiled?

If you don't use them, then that explains it. (As I had to prevent the libtool 
one to be used to avoid issues later with my desktop)

--
Joost

Re: [gentoo-user] Issue with new hardened profiles 23.0

[Matthias Hanft]

J. Roeleveld wrote:
> 
> Do you use the binary packages supplied by Gentoo?
> Or all local-compiled?

All local-compiled, with the exemption of "monster-packages" which
would take hours or even days to compile (e.g. rust - here I use
"dev-lang/rust-bin" instead).

I don't even have any of /etc/portage/binrepos.conf or /var/cache/binpkgs/
(and "emerge --getbinpkg ..." displays a warning that it won't work).

-Matt

Re: [gentoo-user] Issue with new hardened profiles 23.0

[Michael]

[-- Attachment #1: Type: text/plain, Size: 718 bytes --]

On Thursday, 28 March 2024 10:23:29 GMT Matthias Hanft wrote:
> J. Roeleveld wrote:
> > Do you use the binary packages supplied by Gentoo?
> > Or all local-compiled?
> 
> All local-compiled, with the exemption of "monster-packages" which
> would take hours or even days to compile (e.g. rust - here I use
> "dev-lang/rust-bin" instead).
> 
> I don't even have any of /etc/portage/binrepos.conf or /var/cache/binpkgs/
> (and "emerge --getbinpkg ..." displays a warning that it won't work).
> 
> -Matt

You mentioned you have created your custom profile with hardened and desktop - 
could this action have inadvertently mixed merged with split /usr profiles in 
your system?  What does 'tree -L 1 /' show on your server?

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-user] Issue with new hardened profiles 23.0

[J. Roeleveld]

On Thursday, 28 March 2024 12:01:54 CET Michael wrote:
> On Thursday, 28 March 2024 10:23:29 GMT Matthias Hanft wrote:
> > J. Roeleveld wrote:
> > > Do you use the binary packages supplied by Gentoo?
> > > Or all local-compiled?
> > 
> > All local-compiled, with the exemption of "monster-packages" which
> > would take hours or even days to compile (e.g. rust - here I use
> > "dev-lang/rust-bin" instead).
> > 
> > I don't even have any of /etc/portage/binrepos.conf or /var/cache/binpkgs/
> > (and "emerge --getbinpkg ..." displays a warning that it won't work).
> > 
> > -Matt
> 
> You mentioned you have created your custom profile with hardened and desktop
> - could this action have inadvertently mixed merged with split /usr
> profiles in your system?

No, because the server uses hardened and the desktop uses a desktop profile.
These are 2 different systems.

> What does 'tree -L 1 /' show on your server?

After the migration, no symlinks for /bin, /sbin or /lib.

I have just migrated to merge-usr to make sure this particular issue won't 
occur again.

Hope this does warn others using gentoo-provided binary packages that some 
weird issues can happen:
- desktop profile: prevent the use of binaries for "libtool"
- hardened profile: prevent the use of binaries for "libtool" + make symlinks 
for /usr/sbin/openrc* in /sbin/

The symlinks will be handled correctly when doing the usr-merge afterwards.

--
Joost

Re: [gentoo-user] Issue with new hardened profiles 23.0

[J. Roeleveld]

On Thursday, 28 March 2024 11:23:29 CET Matthias Hanft wrote:
> J. Roeleveld wrote:
> > Do you use the binary packages supplied by Gentoo?
> > Or all local-compiled?
> 
> All local-compiled, with the exemption of "monster-packages" which
> would take hours or even days to compile (e.g. rust - here I use
> "dev-lang/rust-bin" instead).
> 
> I don't even have any of /etc/portage/binrepos.conf or /var/cache/binpkgs/
> (and "emerge --getbinpkg ..." displays a warning that it won't work).
> 
> -Matt

Then I assume the issue is caused by the packages Gentoo supplies.
I'll work around it :)

--
Joost