Since a few months I have a build failure every time I try to generate an initial ram file system (as my current primary workstation uses a separate
/usr and LVM for everything except
* busybox: >> Compiling... * ERROR: Failed to compile the "all" target... * * -- Grepping log... -- * * - busybox-1.7.4-signal-hack.patch * busybox: >> Configuring... *COMMAND: make -j2 CC="gcc" LD="ld" AS="as" * HOSTCC scripts/basic/fixdep *make: execvp: /var/tmp/genkernel/18562.2920.28766.17301/busybox-1.20.2/scripts/gen_build_files.sh: Permission denied *make: *** [gen_build_files] Error 127 *make: *** Waiting for unfinished jobs.... */bin/sh: scripts/basic/fixdep: Permission denied *make: *** [scripts/basic/fixdep] Error 1 *make: *** [scripts_basic] Error 2
I know it isn’t SELinux that is causing this, as I have no denial messages and even putting SELinux in permissive mode doesn’t help. Today I found the time to look at it with more fresh eyes, and noticed that it wants to execute a file (
gen_build_files.sh) situated in
/var/tmp somewhere. That file system however is mounted with
noexec (amongst other settings) so executing anything from within that file system is not allowed.
The solution? Update
/etc/genkernel.conf and have
TMPDIR point to a location where executing is allowed. Of course, this being a SELinux system, the new location will need to be labeled as
tmp_t as well, but that’s just a simple thing to do.
~# semanage fcontext -a -t tmp_t /var/build/genkernel(/.*)? ~# restorecon -R /var/build/genkernel
The new location is not world-writable (only for root as only root builds initial ram file systems here) so not having
noexec here is ok.