RE: glibc check errors

RE: glibc check errors

[Kratzer, James R.]

I am running the new 2.4 based SELinux kernel and userland archive on Red
Hat 9.  If I understand you correctly, since the glibc changes have been
upstreamed and were not SELinux specific, you will be releasing soon a new
userland archive which will require an updated version of the glibc package.
If this is correct, how soon do you anticipate the release of the new
userland archive and the release of the new glibc package ( glibc-2.3.3
maybe? )?  Can I use the current userland archive utilities without the
patched glibc?


-----Original Message-----
From: Stephen Smalley [mailto:sds@epoch.ncsc.mil]
Sent: Tuesday, September 30, 2003 12:27 PM
To: Kratzer, James R.
Cc: 'SELinux@tycho.nsa.gov'
Subject: Re: glibc check errors


On Tue, 2003-09-30 at 11:34, Kratzer, James R. wrote:
> I have built the glibc library with the SELinux patches.  When running
"make
> check", I get the following errors.  Any ideas what is going on here and
how
> I can resolve it because I'm at a loss?  Thanks for any help.
> 
> /bin/sh -e tst-gettext.sh /usr/src/redhat/BUILD/glibc-2.3.2-build/
> /usr/src/redhat/BUILD/glibc-2.3.2-build/intl/ \
> 	/usr/src/redhat/BUILD/glibc-2.3.2-build/intl/tst-gettext.mtrace
> make[2]: ***
[/usr/src/redhat/BUILD/glibc-2.3.2-build/intl/tst-gettext.out]
> Error 1
> make[2]: Leaving directory
> '/usr/src/redhat/BUILD/glibc-2.3.2-200304020432/intl'
> make[1]: *** [intl/tests] Error 2

We expect to make an updated release soon, so you may want to wait for
it.  We are no longer including a patched glibc, because the change
(which wasn't specific to SELinux) has been upstreamed and is available
in newer glibc packages.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: glibc check errors

[Stephen Smalley]

On Tue, 2003-09-30 at 13:30, Kratzer, James R. wrote:
> I am running the new 2.4 based SELinux kernel and userland archive on Red
> Hat 9.  If I understand you correctly, since the glibc changes have been
> upstreamed and were not SELinux specific, you will be releasing soon a new
> userland archive which will require an updated version of the glibc package.  
> If this is correct, how soon do you anticipate the release of the new
> userland archive and the release of the new glibc package ( glibc-2.3.3
> maybe? )?  Can I use the current userland archive utilities without the
> patched glibc?

You don't need the modified glibc to use the userland archive
utilities.  The glibc patch was to make glibc recognize security
transitions other than just setuid/setgid, so that it will enable its
secure mode for programs that cause a change in other security
attributes (e.g. role/domain) as well as for setuid/setgid programs. 
That is important for security, but not a functional requirement for
using the system.  The modification to glibc has made its way upstream
and I believe that it is available in the RedHat beta (severn / fedora
core).

We'll be making an updated release of the kernel and userland archives
soon, likely later this week.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: glibc check errors

[Diyab]

Stephen Smalley wrote:
> On Tue, 2003-09-30 at 13:30, Kratzer, James R. wrote:
> 
>>I am running the new 2.4 based SELinux kernel and userland archive on Red
>>Hat 9.  If I understand you correctly, since the glibc changes have been
>>upstreamed and were not SELinux specific, you will be releasing soon a new
>>userland archive which will require an updated version of the glibc package.  
>>If this is correct, how soon do you anticipate the release of the new
>>userland archive and the release of the new glibc package ( glibc-2.3.3
>>maybe? )?  Can I use the current userland archive utilities without the
>>patched glibc?
> 
> 
> You don't need the modified glibc to use the userland archive
> utilities.  The glibc patch was to make glibc recognize security
> transitions other than just setuid/setgid, so that it will enable its
> secure mode for programs that cause a change in other security
> attributes (e.g. role/domain) as well as for setuid/setgid programs. 
> That is important for security, but not a functional requirement for
> using the system.  The modification to glibc has made its way upstream
> and I believe that it is available in the RedHat beta (severn / fedora
> core).
> 
> We'll be making an updated release of the kernel and userland archives
> soon, likely later this week.
> 

So is this new glibc version available as the mainstream glibc package 
or will non redhat users still have to apply the patch.  And if is or 
will be soon available as mainstream glibc do you know what version?

Timothy,

-- 
I put instant coffee in a microwave and almost went back in time.
		-- Steven Wright


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: glibc check errors

[Stephen Smalley]

On Tue, 2003-09-30 at 21:04, Diyab wrote:
> So is this new glibc version available as the mainstream glibc package 
> or will non redhat users still have to apply the patch.  And if is or 
> will be soon available as mainstream glibc do you know what version?

The support for the AT_SECURE auxv entry was upstreamed into the
mainline glibc CVS tree back in June after the corresponding kernel
change was accepted by Linus into the mainline 2.5 (now 2.6) kernel.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: glibc check errors

[Stephen Smalley]

On Tue, 2003-09-30 at 11:34, Kratzer, James R. wrote:
> I have built the glibc library with the SELinux patches.  When running "make
> check", I get the following errors.  Any ideas what is going on here and how
> I can resolve it because I'm at a loss?  Thanks for any help.
> 
> /bin/sh -e tst-gettext.sh /usr/src/redhat/BUILD/glibc-2.3.2-build/
> /usr/src/redhat/BUILD/glibc-2.3.2-build/intl/ \
> 	/usr/src/redhat/BUILD/glibc-2.3.2-build/intl/tst-gettext.mtrace
> make[2]: *** [/usr/src/redhat/BUILD/glibc-2.3.2-build/intl/tst-gettext.out]
> Error 1
> make[2]: Leaving directory
> '/usr/src/redhat/BUILD/glibc-2.3.2-200304020432/intl'
> make[1]: *** [intl/tests] Error 2

We expect to make an updated release soon, so you may want to wait for
it.  We are no longer including a patched glibc, because the change
(which wasn't specific to SELinux) has been upstreamed and is available
in newer glibc packages.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

glibc check errors

[Kratzer, James R.]

I have built the glibc library with the SELinux patches.  When running "make
check", I get the following errors.  Any ideas what is going on here and how
I can resolve it because I'm at a loss?  Thanks for any help.

/bin/sh -e tst-gettext.sh /usr/src/redhat/BUILD/glibc-2.3.2-build/
/usr/src/redhat/BUILD/glibc-2.3.2-build/intl/ \
	/usr/src/redhat/BUILD/glibc-2.3.2-build/intl/tst-gettext.mtrace
make[2]: *** [/usr/src/redhat/BUILD/glibc-2.3.2-build/intl/tst-gettext.out]
Error 1
make[2]: Leaving directory
'/usr/src/redhat/BUILD/glibc-2.3.2-200304020432/intl'
make[1]: *** [intl/tests] Error 2

James Kratzer


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.