From: "J. Roeleveld"
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Issue with new hardened profiles 23.0
Date: Thu, 28 Mar 2024 12:07:44 +0100
Message-ID: <3812833.kQq0lBPeGt@persephone>
In-Reply-To: <2726584.mvXUDI8C0e@rogueboard>
References: <3302895.44csPzL39Z@persephone> <2726584.mvXUDI8C0e@rogueboard>

On Thursday, 28 March 2024 12:01:54 CET Michael wrote:
> On Thursday, 28 March 2024 10:23:29 GMT Matthias Hanft wrote:
> > J. Roeleveld wrote:
> > > Do you use the binary packages supplied by Gentoo?
> > > Or all local-compiled?
> >
> > All local-compiled, with the exemption of "monster-packages" which
> > would take hours or even days to compile (e.g. rust - here I use
> > "dev-lang/rust-bin" instead).
> >
> > I don't even have any of /etc/portage/binrepos.conf or /var/cache/binpkgs/
> > (and "emerge --getbinpkg ..." displays a warning that it won't work).
> >
> > -Matt
>
> You mentioned you have created your custom profile with hardened and desktop
> - could this action have inadvertently mixed merged with split /usr
> profiles in your system?

No, because the server uses hardened and the desktop uses a desktop profile.
These are 2 different systems.

> What does 'tree -L 1 /' show on your server?

After the migration, no symlinks for /bin, /sbin or /lib.
I have just migrated to merge-usr to make sure this particular issue won't
occur again.

Hope this does warn others using gentoo-provided binary packages that some
weird issues can happen:
- desktop profile: prevent the use of binaries for "libtool"
- hardened profile: prevent the use of binaries for "libtool" + make symlinks
  for /usr/sbin/openrc* in /sbin/

The symlinks will be handled correctly when doing the usr-merge afterwards.

-- 
Joost
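An added check, written for this archive and not part of the thread, that automates the two things asked above: whether a root has the merged-/usr symlinks for /bin, /sbin and /lib, and which /usr/sbin/openrc* binaries have no entry under /sbin. The ROOT argument is an assumption so the same functions can be pointed at a chroot or a test tree instead of the live system.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). ROOT defaults to /.

# A merged-/usr root has /bin, /sbin and /lib as symlinks into /usr;
# on a split-/usr root they are real directories.
is_merged_usr() {
    root="${1:-/}"
    for d in bin sbin lib; do
        [ -L "$root/$d" ] || return 1
    done
    return 0
}

# Print the name of every /usr/sbin/openrc* binary that is not reachable
# as /sbin/<name>; return 0 when nothing is missing, 1 otherwise.
missing_openrc_links() {
    root="${1:-/}"
    rc=0
    for f in "$root"/usr/sbin/openrc*; do
        [ -e "$f" ] || continue          # glob matched nothing
        name=$(basename "$f")
        if [ ! -e "$root/sbin/$name" ]; then
            echo "$name"
            rc=1
        fi
    done
    return $rc
}

# Human-readable summary, the equivalent of eyeballing 'tree -L 1 /'.
usr_merge_report() {
    root="${1:-/}"
    if is_merged_usr "$root"; then
        echo "merged-usr: yes"
    else
        echo "merged-usr: no (split /usr)"
    fi
    missing=$(missing_openrc_links "$root" || true)
    if [ -n "$missing" ]; then
        echo "openrc binaries in /usr/sbin with no /sbin entry:"
        echo "$missing"
    else
        echo "all /usr/sbin/openrc* reachable from /sbin"
    fi
}
```

Run `usr_merge_report` with no argument on the live system, or `usr_merge_report /mnt/chroot` on a mounted root, before and after a profile migration.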