a deep rabbit hole with twisty passages all alike, or, a confluence of weird operating system flukes, or, sigh

2014-10-08 23:20:47

Because of reasons I am running Debian on an older smartphone by way of a chroot from Cyanogenmod. This guide is great and I based my installation off of it (thanks!). At first, everything seemed peachy. It all quickly went as rotten as that peach you left out on the counter with the best of intentions but forgot about for a week as I tried to install some Python (3.4) packages using pip and a virtualenv.

This resulted in vague "permission denied" errors even though I was root. The errors were on simple, innocuous-looking files. They prevented me from installing any Python code via pip.

I blamed bad Python packages for my weird armel architecture. I reinstalled Debian Wheezy and switched to armhf; no dice. I dist-upgraded in place to Jessie; no luck. I asked a system administrating friend about it. Their immediate suggestion was "something to do with SELinux."

"No," I insisted, "SELinux is totally not installed or enabled in my chrooted Debian. It just cannot be. Look, I checked, it's just not there." In fact, I was wrong: more wrong than the existence of people like weev (okay, not that wrong, but still really wrong).

The stack trace from pip was about os.setxattr. My system administrating friend told me that was likely related to ext3 extended attributes. I listened, this time, and researched those on the Internet.

Enter lsattr, which helpfully told me that the various files os.setxattr was failing on had no extended attributes. Clearly, lsattr is a liar, or I was using it wrong. I prefer to think it was the former. I rage-started a python3 REPL in the chroot and began to manually execute the code that shutil.py was running.

Sure enough, the files did have an extended attribute, and shutil.py was trying to preserve the attribute across a file copy (seems like that should be handled by the filesystem with a low level command. It could be called copy or something. [I should not be allowed to design filesystems]). Naturally, the attribute had to do with SELinux. I still, in spite of this kind of obvious evidence, insisted it couldn't be SELinux, but just to be sure I startpaged "android SELinux."
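The REPL check described above, as an added example (not code from the original post or from shutil.py): it reads each extended attribute with os.listxattr and os.getxattr, which is where a security.selinux label shows up (lsattr prints chattr inode flags, a different thing), retries os.setxattr on the destination, and reads the SELinux mode from /sys/fs/selinux/enforce. The function names and the `xattr` parameter are assumptions made for this example.

```python
import errno
import os
import sys


def selinux_mode(enforce_path="/sys/fs/selinux/enforce"):
    """Report the SELinux mode as exposed by selinuxfs ('1' = enforcing)."""
    try:
        with open(enforce_path) as fh:
            return "enforcing" if fh.read().strip() == "1" else "permissive"
    except OSError:
        return "not mounted"  # no selinuxfs visible from this root


def _err(exc):
    return errno.errorcode.get(exc.errno, str(exc.errno))


def trace_xattr_copy(src, dst, xattr=os):
    """Copy each xattr of src to dst; return (name, value, result) tuples.
    result is 'ok' or an errno name. `xattr` is any object with listxattr,
    getxattr and setxattr (default: os), so a fake can stand in for SELinux.
    """
    try:
        names = xattr.listxattr(src)
    except OSError as exc:  # e.g. filesystem without xattr support
        return [(None, None, _err(exc))]
    results = []
    for name in names:
        value = None
        try:
            value = xattr.getxattr(src, name)
            xattr.setxattr(dst, name, value)
            results.append((name, value, "ok"))
        except OSError as exc:
            results.append((name, value, _err(exc)))
    return results


def blocked_security_attrs(results):
    """security.* attributes whose copy was refused (the pip symptom)."""
    return [n for n, _, r in results if n and n.startswith("security.")
            and r in ("EACCES", "EPERM")]


if __name__ == "__main__":
    print("SELinux:", selinux_mode())
    for row in trace_xattr_copy(sys.argv[1], sys.argv[2]):
        print(*row)
```

A security.* attribute refused while the mode reads enforcing points at SELinux policy, not at ordinary file permissions. `setenforce 0` switches the whole device to permissive until the next boot, and `getenforce` shows the current mode.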

Turns out Android has always run SELinux. Moreover, the Internet quickly confirmed that it could affect a chrooted OS. However, SELinux on Android has always been set to Passive mode. Awesomely, in Android 4.4 the default switched to Enforce mode. What version of Android was my Cyanogenmod running? 4.4. Lesson learned: always listen to friends who administer systems. Especially listen to these friends if you are a maverick hotshot "code slinger" or "sloc crusher" or "programming prodigy" or "gainfully employed computer programmer" who can't slow down enough to give a damn about important operating system features.

At this point my drinking scotch straight from the bottle went from act of desperation to beautiful swigs of golden, burning victory as I soared through start page results about "android disable selinux" like a majestic, drunken pegasus. Or like Angela Lansbury flying through cyberspace:


(aside: is there fan fiction wherein Angela Merkel wakes up as Jessica Fletcher and is compelled to solve crimes? Think about it).

Finally, after a total of four hours' worth of swearing and drinking, I ran /sbin/setenforce 0 from Android's root shell and all of my problems (actually just this one problem, I still ate too much sriracha and it made my lips go numb) went away.

I was installing Python packages in style, at last. I have no illusion that denizens of the Internet will be knocking down the door to my blog (this door is metaphorical but if my blog was a MUD it could be virtually literal) searching for the answer to this problem, but I am compelled to document it so that it will be useful for the socialist cyberpunk rebels of the year 2043 as they reconstruct the Internet from old, charred router caches after the Corporate Implosion Apocalypse of 2039 and try to run their elite Hacker OS (probably called Sonic at this point) on Hello Kitty Android phones they dug out of the 8th continent which is just a literal landfill that extends from sea level to the ocean floor.

An oceanfill, if you will.

tags: android, linux
