[gentoo-user] Issue with new hardened profiles 23.0
J. Roeleveld
2024-03-28 07:00:01 UTC
Hi all,

After successfully migrating my desktop to 23.0, I decided to do the same for
my server.
The only difference is that the server uses a hardened profile.

When rebooting, I noticed the "openrc" program was moved from "/sbin/openrc"
to "/usr/sbin/openrc". I understand this is related to the merge-usr stuff, but
I am planning on doing this change later.
The profile I selected has the "split-usr" in the name (just as described).

Has anyone else seen this as well?

Thanks,

Joost
Matthias Hanft
2024-03-28 07:50:01 UTC
Post by J. Roeleveld
When rebooting, I noticed the "openrc" program was moved from "/sbin/openrc"
to "/usr/sbin/openrc". I understand this is related to the merge-usr stuff, but
I am planning on doing this change later.
The profile I selected has the "split-usr" in the name (just as described).
Has anyone else seen this as well?
Not here. Moved from

[3] default/linux/amd64/17.1/hardened (exp)

to

[58] default/linux/amd64/23.0/split-usr/hardened (stable) *

and openrc still remains in /sbin:

gentoo64 ~ # which openrc
/sbin/openrc
gentoo64 ~ #

So if your openrc has been moved, there must have been a reason
for this other than simply changing the profile...

-Matt
J. Roeleveld
2024-03-28 09:30:01 UTC
Post by Matthias Hanft
Post by J. Roeleveld
When rebooting, I noticed the "openrc" program was moved from
"/sbin/openrc" to "/usr/sbin/openrc". I understand this is related to the
merge-usr stuff, but I am planning on doing this change later.
The profile I selected has the "split-usr" in the name (just as described).
Has anyone else seen this as well?
Not here. Moved from
[3] default/linux/amd64/17.1/hardened (exp)
to
[58] default/linux/amd64/23.0/split-usr/hardened (stable) *
gentoo64 ~ # which openrc
/sbin/openrc
gentoo64 ~ #
So if your openrc has been moved, there must have been a reason
for this other than simply changing the profile...
Do you use the binary packages supplied by Gentoo?
Or all local-compiled?

If you don't use them, then that explains it. (As I had to prevent the libtool
one to be used to avoid issues later with my desktop)

--
Joost
Matthias Hanft
2024-03-28 10:30:02 UTC
Post by J. Roeleveld
Do you use the binary packages supplied by Gentoo?
Or all local-compiled?
All local-compiled, with the exemption of "monster-packages" which
would take hours or even days to compile (e.g. rust - here I use
"dev-lang/rust-bin" instead).

I don't even have any of /etc/portage/binrepos.conf or /var/cache/binpkgs/
(and "emerge --getbinpkg ..." displays a warning that it won't work).

-Matt
J. Roeleveld
2024-03-28 11:10:01 UTC
Post by Matthias Hanft
Post by J. Roeleveld
Do you use the binary packages supplied by Gentoo?
Or all local-compiled?
All local-compiled, with the exemption of "monster-packages" which
would take hours or even days to compile (e.g. rust - here I use
"dev-lang/rust-bin" instead).
I don't even have any of /etc/portage/binrepos.conf or /var/cache/binpkgs/
(and "emerge --getbinpkg ..." displays a warning that it won't work).
-Matt
Then I assume the issue is caused by the packages Gentoo supplies.
I'll work around it :)

--
Joost
J. Roeleveld
2024-03-28 11:10:01 UTC
Post by Matthias Hanft
Post by J. Roeleveld
Do you use the binary packages supplied by Gentoo?
Or all local-compiled?
All local-compiled, with the exemption of "monster-packages" which
would take hours or even days to compile (e.g. rust - here I use
"dev-lang/rust-bin" instead).
I don't even have any of /etc/portage/binrepos.conf or /var/cache/binpkgs/
(and "emerge --getbinpkg ..." displays a warning that it won't work).
-Matt
You mentioned you have created your custom profile with hardened and desktop
- could this action have inadvertently mixed merged with split /usr
profiles in your system?
No, because the server uses hardened and the desktop uses a desktop profile.
These are 2 different systems.
What does 'tree -L 1 /' show on your server?
After the migration, no symlinks for /bin, /sbin or /lib.

I have just migrated to merge-usr to make sure this particular issue won't
occur again.

Hope this does warn others using gentoo-provided binary packages that some
weird issues can happen:
- desktop profile: prevent the use of binaries for "libtool"
- hardened profile: prevent the use of binaries for "libtool" + make symlinks
for /usr/sbin/openrc* in /sbin/

The symlinks will be handled correctly when doing the usr-merge afterwards.

--
Joost
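Added example, not code from the thread or from Gentoo: a small POSIX shell script that does the two checks the thread turns on (is the root split-usr, merged-usr or a mix of both, and is every openrc* binary that lives under /usr/sbin also reachable from /sbin) and applies the symlink workaround Joost describes. Every function takes a root path so it can be exercised on a constructed tree under mktemp before it is pointed at a real system; the function names, the ROOT argument and the demo tree are my own assumptions.

```shell
#!/bin/sh
# Example script (not from the thread): detect the split-usr vs merged-usr
# openrc mismatch and apply the symlink workaround. All functions take a
# root directory so they can be tested against a constructed tree.

# Classify the layout of ROOT: "merged" when /bin, /sbin and /lib are all
# symlinks (into /usr), "split" when none of them is, "mixed" otherwise.
# This is the scriptable form of the "tree -L 1 /" question above.
usr_layout() {
    root=${1:-/}
    links=0
    dirs=0
    for d in bin sbin lib; do
        if [ -L "$root/$d" ]; then
            links=$((links + 1))
        elif [ -d "$root/$d" ]; then
            dirs=$((dirs + 1))
        fi
    done
    if [ "$links" -gt 0 ] && [ "$dirs" -eq 0 ]; then
        echo merged
    elif [ "$links" -eq 0 ]; then
        echo split
    else
        echo mixed
    fi
}

# Print each openrc* binary found under ROOT/usr/sbin that has no
# counterpart (file or symlink) under ROOT/sbin. Returns 1 if any is
# missing, 0 if /sbin is complete. On a merged-usr root, /sbin is a
# symlink to /usr/sbin, so nothing is ever reported.
missing_sbin_openrc() {
    root=${1:-/}
    rc=0
    for f in "$root"/usr/sbin/openrc*; do
        [ -e "$f" ] || continue          # unmatched glob leaves the literal
        name=$(basename "$f")
        if [ ! -e "$root/sbin/$name" ]; then
            echo "$name"
            rc=1
        fi
    done
    return $rc
}

# Workaround from the thread: create /sbin/openrc* -> ../usr/sbin/openrc*
# for every missing name. Relative targets keep the links valid if the
# tree is later mounted or inspected under a different prefix.
link_openrc_into_sbin() {
    root=${1:-/}
    missing=$(missing_sbin_openrc "$root" || true)
    for name in $missing; do
        ln -s "../usr/sbin/$name" "$root/sbin/$name"
    done
}

# Demo on a constructed split-usr tree (no real system is touched).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin" "$tmp/sbin" "$tmp/lib" "$tmp/usr/sbin"
    : > "$tmp/usr/sbin/openrc"
    : > "$tmp/usr/sbin/openrc-run"
    echo "layout: $(usr_layout "$tmp")"
    echo "missing from /sbin before fix:"
    missing_sbin_openrc "$tmp" || true
    link_openrc_into_sbin "$tmp"
    echo "missing from /sbin after fix:"
    missing_sbin_openrc "$tmp" && echo "(none)"
    rm -rf "$tmp"
}

demo
```

Run `usr_layout /` and `missing_sbin_openrc /` as root to audit a live box; only call `link_openrc_into_sbin /` once the layout is confirmed to be `split`, since on a `mixed` tree the missing pieces are a symptom of a half-applied usr-merge rather than of the binary packages.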
Michael
2024-03-28 11:10:01 UTC
Post by Matthias Hanft
Post by J. Roeleveld
Do you use the binary packages supplied by Gentoo?
Or all local-compiled?
All local-compiled, with the exemption of "monster-packages" which
would take hours or even days to compile (e.g. rust - here I use
"dev-lang/rust-bin" instead).
I don't even have any of /etc/portage/binrepos.conf or /var/cache/binpkgs/
(and "emerge --getbinpkg ..." displays a warning that it won't work).
-Matt
You mentioned you have created your custom profile with hardened and desktop -
could this action have inadvertently mixed merged with split /usr profiles in
your system? What does 'tree -L 1 /' show on your server?