Gentoo Archives: gentoo-hardened

From: Ronan Mullally <ronan@××××××.ie>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] SELinux Targeted strangeness
Date: Tue, 31 Jul 2007 14:34:23
Message-Id: Pine.LNX.4.64.0707311516360.8479@office.4L
In Reply to: Re: [gentoo-hardened] SELinux Targeted strangeness by Chris PeBenito
Hi Chris,

On Tue, 31 Jul 2007, Chris PeBenito wrote:

> This is a policy bug in base-policy. You can hotfix your policy by
> making a local policy module [1] that has:

That did the trick - thanks for your speedy response!

On to the next question ;-|

I'm unable to rebuild glibc using the selinux/2007.0/amd64/hardened
profile. It works fine with a non-selinux amd64/hardened profile, and all
I can find on Google are suggestions that I've not got g++ installed (I
have).

The emerge fails at:

* Building multilib glibc for ABIs: x86 amd64

* ABI: x86
* CBUILD: x86_64-pc-linux-gnu
* CHOST: x86_64-pc-linux-gnu
* CTARGET: x86_64-pc-linux-gnu
* CBUILD_OPT: i686-pc-linux-gnu
* CTARGET_OPT: i686-pc-linux-gnu
* CC:
* CFLAGS: -pipe -march=nocona -O2 -fno-strict-aliasing -fno-stack-protector

* Configuring GLIBC for nptl with:
--enable-stackguard-randomization
--enable-old-ssp-compat
--with-tls
--with-__thread
--enable-add-ons=ports,nptl,c_stubs,libidn
--enable-kernel=2.6.9
--without-selinux
--without-cvs
--enable-bind-now
--build=i686-pc-linux-gnu
--host=i686-pc-linux-gnu
--disable-profile
--without-gd
--with-headers=/usr/include
--prefix=/usr
--libdir=/usr/lib32
--mandir=/usr/share/man
--infodir=/usr/share/info
--libexecdir=/usr/lib32/misc/glibc


checking build system type... i686-pc-linux-gnu
checking host system type... i686-pc-linux-gnu
checking add-on ports for preconfigure fragments... am33 arm hppa m68k mips
configure: running configure fragment for add-on nptl
configure: running configure fragment for add-on c_stubs
configure: running configure fragment for add-on libidn
checking sysdep dirs... sysdeps/i386/elf
nptl/sysdeps/unix/sysv/linux/i386/i686 nptl/sysdeps/unix/sysv/linux/i386
sysdeps/unix/sysv/linux/i386 ports/sysdeps/unix/sysv/linux
nptl/sysdeps/unix/sysv/linux nptl/sysdeps/pthread sysdeps/pthread
sysdeps/unix/sysv/linux sysdeps/gnu sysdeps/unix/common sysdeps/unix/mman
sysdeps/unix/inet ports/sysdeps/unix/sysv/i386 sysdeps/unix/sysv/i386
ports/sysdeps/unix/sysv nptl/sysdeps/unix/sysv sysdeps/unix/sysv
sysdeps/unix/i386 ports/sysdeps/unix nptl/sysdeps/unix sysdeps/unix
sysdeps/posix sysdeps/i386/i686/fpu nptl/sysdeps/i386/i686
sysdeps/i386/i686 sysdeps/i386/i486 nptl/sysdeps/i386/i486
sysdeps/i386/fpu nptl/sysdeps/i386 sysdeps/i386 sysdeps/wordsize-32
sysdeps/ieee754/ldbl-96 sysdeps/ieee754/dbl-64 sysdeps/ieee754/flt-32
sysdeps/ieee754 sysdeps/generic/elf sysdeps/generic
checking for a BSD-compatible install... /usr/bin/install -c
checking whether ln -s works... yes
checking for i686-pc-linux-gnu-gcc... x86_64-pc-linux-gnu-gcc
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether x86_64-pc-linux-gnu-gcc accepts -g... yes
checking for x86_64-pc-linux-gnu-gcc option to accept ANSI C... none needed
checking how to run the C preprocessor... /lib/cpp
configure: error: C preprocessor "/lib/cpp" fails sanity check
See `config.log' for more details.

!!! ERROR: sys-libs/glibc-2.5-r4 failed.
Call stack:
ebuild.sh, line 1614: Called dyn_compile
ebuild.sh, line 971: Called qa_call 'src_compile'
environment, line 4203: Called src_compile
glibc-2.5-r4.ebuild, line 1160: Called src_compile
glibc-2.5-r4.ebuild, line 1171: Called toolchain-glibc_src_compile
glibc-2.5-r4.ebuild, line 270: Called glibc_do_configure 'nptl'
glibc-2.5-r4.ebuild, line 944: Called die

The mention of --without-selinux, multilib and /usr/lib32 strikes me as
incorrect - I'm using an selinux policy and I'm not using multilib - this
is a pure amd64/em64t build.

My emerge --info is:

Portage 2.1.2.2 (selinux/2007.0/amd64/hardened, gcc-3.4.6, glibc-2.5-r4,
2.6.20-hardened-r5-4L x86_64)
=================================================================
System Settings
=================================================================
System uname: 2.6.20-hardened-r5-4L x86_64 Intel(R) Xeon(R) CPU 5130 @ 2.00GHz
Gentoo Base System release 1.12.9
Timestamp of tree: Tue, 31 Jul 2007 06:20:01 +0000
dev-lang/python: 2.4.4-r4
dev-python/pycrypto: 2.0.1-r6
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.61
sys-devel/automake: 1.10
sys-devel/binutils: 2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool: 1.5.23b
virtual/os-headers: 2.6.21
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -march=nocona"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild
/etc/terminfo"
CXXFLAGS="-O2 -pipe -march=nocona"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks loadpolicy metadata-transfer sandbox selinux sesandbox
sfperms strict"
GENTOO_MIRRORS="http://gentoo.blueyonder.co.uk/
http://distfiles.gentoo.org/"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times
--compress --force --whole-file --delete --delete-after --stats
--timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages
--filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="amd64 berkdb cracklib crypt gdbm hardened iconv ipv6 libg++ minimal
mmap mudflap ncurses nls nocardbus nptl nptlonly pam pcre perl pic
readline selinux ssl tcpd threads unicode zlib" ALSA_CARDS="ali5451
als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371
es1938 es1968 fm801 hda-intel intel8x0
intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug
file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug
rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse"
KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216
lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="apm ark chips
cirrus cyrix dummy fbdev glint i128 i810 mach64 mga neomagic nv r128
radeon rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga
trident tseng v4l vesa vga via voodoo"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS,
LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS,
PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

=================================================================
Package Settings
=================================================================
sys-libs/glibc-2.5-r4 was built with the following:
CFLAGS="-O2 -fno-stack-protector -fno-strict-aliasing -march=nocona -pipe"
CXXFLAGS="-O2 -fno-stack-protector -fno-strict-aliasing -march=nocona -pipe"
USE="glibc-omitfp hardened nls nptl nptlonly"

Any ideas?


-Ronan
--
gentoo-hardened@g.o mailing list
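An added example, not part of Ronan's mail and not Gentoo or glibc code: a small POSIX shell script that reproduces, in simplified form, the autoconf preprocessor sanity check behind the line 'configure: error: C preprocessor "/lib/cpp" fails sanity check', so the failing step can be exercised directly, outside of emerge, against whatever preprocessor command configure reported. The function name cpp_sanity_check, the two probe files it writes, and the convention of passing the preprocessor command as the first argument are this example's own choices; the real check in configure is the one recorded in config.log.

```shell
#!/bin/sh
# Added example (not from the original mail): a simplified re-run of the
# autoconf "C preprocessor sanity check". Assumption: the preprocessor
# command under test is passed as the first argument, e.g. "/lib/cpp"
# or "cc -E" (the mail shows configure choosing /lib/cpp).

# cpp_sanity_check CPP_COMMAND
# Returns 0 if CPP_COMMAND behaves like a C preprocessor the way
# configure expects, 1 otherwise. Mirrors the two probes autoconf uses:
#   1. a source file with a deliberate syntax error must preprocess
#      cleanly (only a compiler would object to "Syntax error");
#   2. a source file including a header that does not exist must make
#      the preprocessor fail, otherwise the command is not really
#      preprocessing anything.
cpp_sanity_check() {
    cpp_cmd=$1
    tmp=$(mktemp -d) || return 1
    rc=0

    # Probe 1: must succeed.
    printf '#include <assert.h>\nSyntax error\n' > "$tmp/conftest1.c"
    if ! $cpp_cmd "$tmp/conftest1.c" >/dev/null 2>"$tmp/err1"; then
        rc=1
    fi

    # Probe 2: must fail (ac_nonexistent.h is the name autoconf uses).
    printf '#include <ac_nonexistent.h>\n' > "$tmp/conftest2.c"
    if $cpp_cmd "$tmp/conftest2.c" >/dev/null 2>"$tmp/err2"; then
        rc=1
    fi

    rm -rf "$tmp"
    return $rc
}

# Usage: sh cpp_check.sh "/lib/cpp"
# Runs the check only when a preprocessor command is given on the
# command line, so sourcing the file defines the function silently.
if [ $# -gt 0 ]; then
    if cpp_sanity_check "$1"; then
        echo "ok: '$1' passes the preprocessor sanity check"
    else
        echo "FAIL: '$1' fails the sanity check; config.log holds the exact command and its stderr"
    fi
fi
```

Running this from an interactive shell against the command configure reported separates two cases: if the preprocessor fails here too, the toolchain itself is at fault; if it passes here but fails inside emerge, the difference lies in the build environment (the FEATURES line in the mail shows sandbox, selinux and sesandbox all enabled), and config.log is the place to read the exact command that failed and what it printed.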

Replies

Subject Author
Re: [gentoo-hardened] SELinux Targeted strangeness Chris PeBenito <pebenito@g.o>