Installworld deletes libc

Paul B. Mahol onemda at gmail.com
Mon Sep 22 12:57:45 UTC 2008


On 9/22/08, Jason C. Wells <jcw at highperformance.net> wrote:
> Jason C. Wells wrote:
>> Jeremy Chadwick wrote:
>>> On Sun, Sep 21, 2008 at 11:17:58AM -0700, Jason C. Wells wrote:
>>>> I have the problem similar to one described in 20071024 UPDATING.
>>>> The build is running inside a jail. The system is 6.2-RELEASE. I
>>>> supped this morning. I have the correct lib/Makefile. During
>>>> installworld I receive an error:
>>>>
>>>> install: /lib/libc.so.6: chflags: Operation not permitted
>>>> *** Error code 71
>>>>
>>>> Stop in /usr/src/lib/libc.
>>>>
>>>> My situation is different in that libc is erased in the process.
>>>> Copying the new libc.so.6 from /usr/obj does not fix the problem.
>>>>
>>>> Any ideas?
>>>
>>> Sounds like kern.securelevel is in the way.  See security(7).
>>
>> The securelevel would normally prevent the deletion of a file.  The
>> secure level of this jail is -1 in any case so the schg flag should be
>> ignored. security.jail.chflags_allowed=0 seems to supersede the
>> securelevel according to sysctl(8).
>>
>> Some part of installworld is misbehaving in the jail. The security
>> mechanisms in securelevel and security.jail.chflags_allowed are not
>> working.
>
> I should add that 'sysctl security.jail.chflags_allowed=1' allowed
> installworld to proceed without error. That solves my immediate problem.
> There appears to be a bug in the security mechanism.

sysctl -d security.jail.chflags_allowed
security.jail.chflags_allowed: Processes in jail can alter system file flags

It is not a bug in the security mechanism.
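
Added example, not part of the original message or of FreeBSD itself: a pre-flight check to run before installworld, so that a chflags refusal is caught before anything under /lib is replaced. The function names are hypothetical, and the script assumes a release that exposes the sysctls named in the thread plus security.jail.jailed.

```shell
#!/bin/sh
# Added example: decide whether installworld will be able to change
# system file flags (schg) on files such as /lib/libc.so.6.
# Arguments are sysctl values, so the logic can be checked on any host:
#   $1 security.jail.jailed  $2 security.jail.chflags_allowed  $3 kern.securelevel
chflags_verdict() {
    jailed=$1
    allowed=$2
    level=$3
    # Inside a jail, chflags_allowed=0 refuses system flag changes,
    # whatever the securelevel is (the case reported in the thread).
    if [ "$jailed" = 1 ] && [ "$allowed" != 1 ]; then
        echo "blocked: jail may not alter system file flags (security.jail.chflags_allowed=$allowed)"
        return 1
    fi
    # A securelevel above 0 forbids clearing schg, see security(7).
    if [ "$level" -gt 0 ]; then
        echo "blocked: kern.securelevel=$level forbids clearing schg"
        return 1
    fi
    echo "ok: system file flags can be changed"
    return 0
}

# Hypothetical wrapper reading the live values on a FreeBSD host.
# Usage: preflight_live && make installworld
preflight_live() {
    chflags_verdict "$(sysctl -n security.jail.jailed)" \
        "$(sysctl -n security.jail.chflags_allowed)" \
        "$(sysctl -n kern.securelevel)"
}

# Constructed values matching the thread: jailed, chflags_allowed=0, securelevel -1.
chflags_verdict 1 0 -1 || true
```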


More information about the freebsd-stable mailing list