installation from scratch problems

installation from scratch problems

[Vincenzo Ciaglia]

Hello, i'm Vincenzo Ciaglia. 

I'm the main developer of Linux Netwosix, a server and security oriented
GNU/Linux LFS distribution. I was really impressed to the power of
SELinux so I'd like to give to the next releases the complete support to
SELinux, for this reason i'm already working on that. I have a good
knowledge in selinux policy writing but no experiences with "from
scratch installation".

So, i have compiled the latest kernel with "Socket and Networking
Security Hooks" and other "Security Models". Of course with the Ext[3]
extended attributes and Ext[3] Security Labels options. 
Everything is ok.

After that, i have downloaded the userland packages from the NSA
website.

I succesfully compiled the "libsepol-1.14". 

So i tried to compile the "libselinux-1.32" but i get these errors:

--------------
matchpathcon.lo: In function `set_matchpathcon_flags':
matchpathcon.c:(.text+0x187): undefined reference to `___tls_get_addr'
matchpathcon.lo: In function `.L183':
matchpathcon.c:(.text+0x13c1): undefined reference to `___tls_get_addr'
matchpathcon.lo: In function `matchpathcon_init_prefix':
matchpathcon.c:(.text+0x15f3): undefined reference to `___tls_get_addr'
matchpathcon.lo: In function `matchpathcon':
matchpathcon.c:(.text+0x2005): undefined reference to `___tls_get_addr'
matchpathcon.lo: In function `selinux_file_context_verify':
matchpathcon.c:(.text+0x2417): undefined reference to `___tls_get_addr'
matchpathcon.lo:matchpathcon.c:(.text+0x246e): more undefined references
to `___tls_get_addr' follow
collect2: ld returned 1 exit status
make[1]: *** [libselinux.so.1] Error 1
make[1]: Leaving directory `/root/selinux/libselinux-1.32/src'
make: *** [all] Error 2
--------------

Of course i can't go ahead because "checkpolicy" needs the libselinux:

--------------
/usr/bin/ld: cannot find -lselinux
collect2: ld returned 1 exit status
make[1]: *** [dispol] Error 1
make[1]: Leaving directory `/root/selinux/checkpolicy-1.32/test'
make: *** [all] Error 2
--------------

And these are the errors of "libsemanage".

--------------
booleans_activedb.c: In function 'bool_commit_list':
booleans_activedb.c:94: error: 'SELboolean' undeclared (first use in
this function)
booleans_activedb.c:94: error: (Each undeclared identifier is reported
only once
booleans_activedb.c:94: error: for each function it appears in.)
booleans_activedb.c:94: error: 'blist' undeclared (first use in this
function)
booleans_activedb.c:113: warning: implicit declaration of function
'security_set_boolean_list'
make[1]: *** [booleans_activedb.o] Error 1
make[1]: Leaving directory `/root/selinux/libsemanage-1.8/src'
make: *** [all] Error 2
--------------

These are the "policycoreutils" ones:

--------------
setfiles.c:516: error: 'MATCHPATHCON_VALIDATE' undeclared (first use in
this function)
setfiles.c:516: error: 'MATCHPATHCON_NOTRANS' undeclared (first use in
this function)
setfiles.c:549: error: 'MATCHPATHCON_BASEONLY' undeclared (first use in
this function)
setfiles.c:643: warning: implicit declaration of function
'set_matchpathcon_canoncon'
setfiles.c:656: warning: implicit declaration of function
'matchpathcon_init'
setfiles.c:740: warning: implicit declaration of function
'set_matchpathcon_printf'
setfiles.c:741: warning: implicit declaration of function
'matchpathcon_filespec_eval'
setfiles.c:745: warning: implicit declaration of function
'matchpathcon_filespec_destroy'
setfiles.c:751: warning: implicit declaration of function
'matchpathcon_checkmatches'
make[1]: *** [setfiles.o] Error 1
make[1]: Leaving directory `/root/selinux/policycoreutils-1.32/setfiles'
make: *** [all] Error 1
--------------

Additional informations:

# gcc -v
Using built-in specs.
Target: i686-pc-linux-gnu
Configured with: ../gcc-4.0.3/configure --prefix=/usr
--libexecdir=/usr/lib --enable-languages=c,c++,objc
--enable-threads=posix --enable-__cxa_atexit --enable-clocale=gnu
--enable-shared --disable-nls --with-x=no
Thread model: posix
gcc version 4.0.3

# uname -a
Linux netwosix 2.6.19.2 #2 SMP Fri Jan 19 13:05:53 UTC 2007 i686
athlon-4 i386 GNU/Linux

Of course i can't go ahead and start working on relabeling the system. 
Someone can tell me what i'm missing?

That's all. Excuse me for the long mail.
Thank you so much! Looking forward to discuss with you.

-- 
Vincenzo Ciaglia, <vin(at)netwosix(dot)org>
Linux Netwosix - <www.netwosix.org>



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: installation from scratch problems

[Antoine Martin]

Looks like a glibc issue, which version do you have and does it have tls 
support? (LFS is going to be similar to Gentoo)
FYI:
http://www.nsa.gov/selinux/list-archive/0605/15487.cfm


Vincenzo Ciaglia wrote:
> Hello, i'm Vincenzo Ciaglia. 
> 
> I'm the main developer of Linux Netwosix, a server and security oriented
> GNU/Linux LFS distribution. I was really impressed to the power of
> SELinux so I'd like to give to the next releases the complete support to
> SELinux, for this reason i'm already working on that. I have a good
> knowledge in selinux policy writing but no experiences with "from
> scratch installation".
> 
> So, i have compiled the latest kernel with "Socket and Networking
> Security Hooks" and other "Security Models". Of course with the Ext[3]
> extended attributes and Ext[3] Security Labels options. 
> Everything is ok.
> 
> After that, i have downloaded the userland packages from the NSA
> website.
> 
> I succesfully compiled the "libsepol-1.14". 
> 
> So i tried to compile the "libselinux-1.32" but i get these errors:
> 
> --------------
> matchpathcon.lo: In function `set_matchpathcon_flags':
> matchpathcon.c:(.text+0x187): undefined reference to `___tls_get_addr'
> matchpathcon.lo: In function `.L183':
> matchpathcon.c:(.text+0x13c1): undefined reference to `___tls_get_addr'
> matchpathcon.lo: In function `matchpathcon_init_prefix':
> matchpathcon.c:(.text+0x15f3): undefined reference to `___tls_get_addr'
> matchpathcon.lo: In function `matchpathcon':
> matchpathcon.c:(.text+0x2005): undefined reference to `___tls_get_addr'
> matchpathcon.lo: In function `selinux_file_context_verify':
> matchpathcon.c:(.text+0x2417): undefined reference to `___tls_get_addr'
> matchpathcon.lo:matchpathcon.c:(.text+0x246e): more undefined references
> to `___tls_get_addr' follow
> collect2: ld returned 1 exit status
> make[1]: *** [libselinux.so.1] Error 1
> make[1]: Leaving directory `/root/selinux/libselinux-1.32/src'
> make: *** [all] Error 2
> --------------
> 
> Of course i can't go ahead because "checkpolicy" needs the libselinux:
> 
> --------------
> /usr/bin/ld: cannot find -lselinux
> collect2: ld returned 1 exit status
> make[1]: *** [dispol] Error 1
> make[1]: Leaving directory `/root/selinux/checkpolicy-1.32/test'
> make: *** [all] Error 2
> --------------
> 
> And these are the errors of "libsemanage".
> 
> --------------
> booleans_activedb.c: In function 'bool_commit_list':
> booleans_activedb.c:94: error: 'SELboolean' undeclared (first use in
> this function)
> booleans_activedb.c:94: error: (Each undeclared identifier is reported
> only once
> booleans_activedb.c:94: error: for each function it appears in.)
> booleans_activedb.c:94: error: 'blist' undeclared (first use in this
> function)
> booleans_activedb.c:113: warning: implicit declaration of function
> 'security_set_boolean_list'
> make[1]: *** [booleans_activedb.o] Error 1
> make[1]: Leaving directory `/root/selinux/libsemanage-1.8/src'
> make: *** [all] Error 2
> --------------
> 
> These are the "policycoreutils" ones:
> 
> --------------
> setfiles.c:516: error: 'MATCHPATHCON_VALIDATE' undeclared (first use in
> this function)
> setfiles.c:516: error: 'MATCHPATHCON_NOTRANS' undeclared (first use in
> this function)
> setfiles.c:549: error: 'MATCHPATHCON_BASEONLY' undeclared (first use in
> this function)
> setfiles.c:643: warning: implicit declaration of function
> 'set_matchpathcon_canoncon'
> setfiles.c:656: warning: implicit declaration of function
> 'matchpathcon_init'
> setfiles.c:740: warning: implicit declaration of function
> 'set_matchpathcon_printf'
> setfiles.c:741: warning: implicit declaration of function
> 'matchpathcon_filespec_eval'
> setfiles.c:745: warning: implicit declaration of function
> 'matchpathcon_filespec_destroy'
> setfiles.c:751: warning: implicit declaration of function
> 'matchpathcon_checkmatches'
> make[1]: *** [setfiles.o] Error 1
> make[1]: Leaving directory `/root/selinux/policycoreutils-1.32/setfiles'
> make: *** [all] Error 1
> --------------
> 
> Additional informations:
> 
> # gcc -v
> Using built-in specs.
> Target: i686-pc-linux-gnu
> Configured with: ../gcc-4.0.3/configure --prefix=/usr
> --libexecdir=/usr/lib --enable-languages=c,c++,objc
> --enable-threads=posix --enable-__cxa_atexit --enable-clocale=gnu
> --enable-shared --disable-nls --with-x=no
> Thread model: posix
> gcc version 4.0.3
> 
> # uname -a
> Linux netwosix 2.6.19.2 #2 SMP Fri Jan 19 13:05:53 UTC 2007 i686
> athlon-4 i386 GNU/Linux
> 
> Of course i can't go ahead and start working on relabeling the system. 
> Someone can tell me what i'm missing?
> 
> That's all. Excuse me for the long mail.
> Thank you so much! Looking forward to discuss with you.
> 


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: installation from scratch problems

[Stephen Smalley]

On Fri, 2007-01-19 at 12:59 +0100, Vincenzo Ciaglia wrote:
> Hello, i'm Vincenzo Ciaglia. 
> 
> I'm the main developer of Linux Netwosix, a server and security oriented
> GNU/Linux LFS distribution. I was really impressed to the power of
> SELinux so I'd like to give to the next releases the complete support to
> SELinux, for this reason i'm already working on that. I have a good
> knowledge in selinux policy writing but no experiences with "from
> scratch installation".
> 
> So, i have compiled the latest kernel with "Socket and Networking
> Security Hooks" and other "Security Models". Of course with the Ext[3]
> extended attributes and Ext[3] Security Labels options. 
> Everything is ok.
> 
> After that, i have downloaded the userland packages from the NSA
> website.
> 
> I succesfully compiled the "libsepol-1.14". 
> 
> So i tried to compile the "libselinux-1.32" but i get these errors:
> 
> --------------
> matchpathcon.lo: In function `set_matchpathcon_flags':
> matchpathcon.c:(.text+0x187): undefined reference to `___tls_get_addr'

The current libselinux depends on thread local storage (tls) support,
which exists in glibc 2.4.  See the link below for a workaround patch
used by the Debian folks:
http://marc.theaimsgroup.com/?l=selinux&m=115807948020898&w=2

Also, I would tend to suggest updating to stable branch that we just
created in the sourceforge svn repo, as that will be the basis for the
next nsa.gov/selinux stable release.  But that won't change the
situation wrt to tls support.  

$ svn co https://selinux.svn.sourceforge.net/svnroot/selinux/branches/stable/1_0 selinux-stable

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: installation from scratch problems

[Vincenzo Ciaglia]

Il giorno ven, 19/01/2007 alle 07.48 -0500, Stephen Smalley ha scritto:

> The current libselinux depends on thread local storage (tls) support,
> which exists in glibc 2.4.  See the link below for a workaround patch
> used by the Debian folks:
> http://marc.theaimsgroup.com/?l=selinux&m=115807948020898&w=2
> 
> Also, I would tend to suggest updating to stable branch that we just
> created in the sourceforge svn repo, as that will be the basis for the
> next nsa.gov/selinux stable release.  But that won't change the
> situation wrt to tls support.  
> 
> $ svn co https://selinux.svn.sourceforge.net/svnroot/selinux/branches/stable/1_0 selinux-stable

Thank you! I solved the problems. I used the debian's patch, recompiled
gcc and glibc with tls support and i used the userland packages from the
svn repo.

Now i can install libselinux, libsemanage, libsepol and checkpolicy but
i get this error with the latest package to compile: policycoreutils

Here the output:

**********************************************
# cd policycoreutils/
# make
make[1]: Entering directory
`/root/selinux-stable/policycoreutils/setfiles'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory
`/root/selinux-stable/policycoreutils/setfiles'
make[1]: Entering directory
`/root/selinux-stable/policycoreutils/semanage'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory
`/root/selinux-stable/policycoreutils/semanage'
make[1]: Entering directory
`/root/selinux-stable/policycoreutils/load_policy'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory
`/root/selinux-stable/policycoreutils/load_policy'
make[1]: Entering directory
`/root/selinux-stable/policycoreutils/newrole'
cc -Werror -Wall -W -DVERSION=\"1.34.0\"  -I/usr/include -DUSE_NLS
-DLOCALEDIR="\"/usr/share/locale\"" -DPACKAGE="\"policycoreutils\""
-D_XOPEN_SOURCE=500    newrole.c  -lselinux -lsepol -L/usr/lib -lcrypt
-o newrole
cc1: warnings being treated as errors
newrole.c: In function 'main':
newrole.c:947: warning: unused variable 'rc'
make[1]: *** [newrole] Error 1
make[1]: Leaving directory
`/root/selinux-stable/policycoreutils/newrole'
make: *** [all] Error 1
**********************************************

What is going wrong ?

Thank you very much!

-- 
Vincenzo Ciaglia, <vin(at)netwosix(dot)org>
Linux Netwosix - <www.netwosix.org>



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: installation from scratch problems

[Karl MacMillan]

Vincenzo Ciaglia wrote:
> Il giorno ven, 19/01/2007 alle 07.48 -0500, Stephen Smalley ha scritto:
> 
>> The current libselinux depends on thread local storage (tls) support,
>> which exists in glibc 2.4.  See the link below for a workaround patch
>> used by the Debian folks:
>> http://marc.theaimsgroup.com/?l=selinux&m=115807948020898&w=2
>>
>> Also, I would tend to suggest updating to stable branch that we just
>> created in the sourceforge svn repo, as that will be the basis for the
>> next nsa.gov/selinux stable release.  But that won't change the
>> situation wrt to tls support.  
>>
>> $ svn co https://selinux.svn.sourceforge.net/svnroot/selinux/branches/stable/1_0 selinux-stable
> 
> Thank you! I solved the problems. I used the debian's patch, recompiled
> gcc and glibc with tls support

Only one of these is necessary - not both. Doesn't hurt, of course, but 
it may be easier to not have to worry with the patch if you have tls 
support.

  and i used the userland packages from the
> svn repo.
> 
> Now i can install libselinux, libsemanage, libsepol and checkpolicy but
> i get this error with the latest package to compile: policycoreutils
> 
> Here the output:
> 
> **********************************************
> # cd policycoreutils/
> # make
> make[1]: Entering directory
> `/root/selinux-stable/policycoreutils/setfiles'
> make[1]: Nothing to be done for `all'.
> make[1]: Leaving directory
> `/root/selinux-stable/policycoreutils/setfiles'
> make[1]: Entering directory
> `/root/selinux-stable/policycoreutils/semanage'
> make[1]: Nothing to be done for `all'.
> make[1]: Leaving directory
> `/root/selinux-stable/policycoreutils/semanage'
> make[1]: Entering directory
> `/root/selinux-stable/policycoreutils/load_policy'
> make[1]: Nothing to be done for `all'.
> make[1]: Leaving directory
> `/root/selinux-stable/policycoreutils/load_policy'
> make[1]: Entering directory
> `/root/selinux-stable/policycoreutils/newrole'
> cc -Werror -Wall -W -DVERSION=\"1.34.0\"  -I/usr/include -DUSE_NLS
> -DLOCALEDIR="\"/usr/share/locale\"" -DPACKAGE="\"policycoreutils\""
> -D_XOPEN_SOURCE=500    newrole.c  -lselinux -lsepol -L/usr/lib -lcrypt
> -o newrole
> cc1: warnings being treated as errors
> newrole.c: In function 'main':
> newrole.c:947: warning: unused variable 'rc'
> make[1]: *** [newrole] Error 1
> make[1]: Leaving directory
> `/root/selinux-stable/policycoreutils/newrole'
> make: *** [all] Error 1
> **********************************************
> 

Just a warning. Upstream selinux doesn't treat warnings as errors so 
occasionally they creep in. You should back out whatever caused -Werror 
to be added to your compile flags.

Karl



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: installation from scratch problems

[Vincenzo Ciaglia]

Il giorno ven, 19/01/2007 alle 17.02 -0500, Karl MacMillan ha scritto:

> Just a warning. Upstream selinux doesn't treat warnings as errors so 
> occasionally they creep in. You should back out whatever caused -Werror 
> to be added to your compile flags.

I used the cvs repo package. So, just for trying, i download the same
package (policycoreutils-1.32) from the NSA's pages and it does the
trick. No warning and no errors. 

Is it the same package and can i use it without problems ?

Thank you for your helps. I'll keep you upgraded on the netwosix-selinux
progresses.

-- 
Vincenzo Ciaglia, <vin(at)netwosix(dot)org>
Linux Netwosix - <www.netwosix.org>



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: installation from scratch problems

[Karl MacMillan]

Vincenzo Ciaglia wrote:
> Il giorno ven, 19/01/2007 alle 17.02 -0500, Karl MacMillan ha scritto:
> 
>> Just a warning. Upstream selinux doesn't treat warnings as errors so 
>> occasionally they creep in. You should back out whatever caused -Werror 
>> to be added to your compile flags.
> 
> I used the cvs repo package. So, just for trying, i download the same
> package (policycoreutils-1.32) from the NSA's pages and it does the
> trick. No warning and no errors. 
> 
> Is it the same package and can i use it without problems ?
> 

Depends on which cvs repo you mean. If it is from a distro there are 
likely to be a few extra patches.

Karl


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: installation from scratch problems

[Vincenzo Ciaglia]

Il giorno ven, 19/01/2007 alle 17.16 -0500, Karl MacMillan ha scritto:

> Depends on which cvs repo you mean. If it is from a distro there are 
> likely to be a few extra patches.

As suggested from Stephen Smalley i used this:

https://selinux.svn.sourceforge.net/svnroot/selinux/branches/stable/1_0
selinux-stable

Anyway, everything works fine now. Another question: where can i get the
latest refpolicy? The Tresys's OSS repository seems to be down just now.

Thank you,

-- 
Vincenzo Ciaglia, <vin(at)netwosix(dot)org>
Linux Netwosix - <www.netwosix.org>



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: installation from scratch problems

[Stephen Smalley]

On Fri, 2007-01-19 at 22:48 +0100, Vincenzo Ciaglia wrote:
> Il giorno ven, 19/01/2007 alle 07.48 -0500, Stephen Smalley ha scritto:
> 
> > The current libselinux depends on thread local storage (tls) support,
> > which exists in glibc 2.4.  See the link below for a workaround patch
> > used by the Debian folks:
> > http://marc.theaimsgroup.com/?l=selinux&m=115807948020898&w=2
> > 
> > Also, I would tend to suggest updating to stable branch that we just
> > created in the sourceforge svn repo, as that will be the basis for the
> > next nsa.gov/selinux stable release.  But that won't change the
> > situation wrt to tls support.  
> > 
> > $ svn co https://selinux.svn.sourceforge.net/svnroot/selinux/branches/stable/1_0 selinux-stable
> 
> Thank you! I solved the problems. I used the debian's patch, recompiled
> gcc and glibc with tls support and i used the userland packages from the
> svn repo.
> 
> Now i can install libselinux, libsemanage, libsepol and checkpolicy but
> i get this error with the latest package to compile: policycoreutils
> 
> Here the output:
> 
> **********************************************
> # cd policycoreutils/
> # make
> make[1]: Entering directory
> `/root/selinux-stable/policycoreutils/setfiles'
> make[1]: Nothing to be done for `all'.
> make[1]: Leaving directory
> `/root/selinux-stable/policycoreutils/setfiles'
> make[1]: Entering directory
> `/root/selinux-stable/policycoreutils/semanage'
> make[1]: Nothing to be done for `all'.
> make[1]: Leaving directory
> `/root/selinux-stable/policycoreutils/semanage'
> make[1]: Entering directory
> `/root/selinux-stable/policycoreutils/load_policy'
> make[1]: Nothing to be done for `all'.
> make[1]: Leaving directory
> `/root/selinux-stable/policycoreutils/load_policy'
> make[1]: Entering directory
> `/root/selinux-stable/policycoreutils/newrole'
> cc -Werror -Wall -W -DVERSION=\"1.34.0\"  -I/usr/include -DUSE_NLS
> -DLOCALEDIR="\"/usr/share/locale\"" -DPACKAGE="\"policycoreutils\""
> -D_XOPEN_SOURCE=500    newrole.c  -lselinux -lsepol -L/usr/lib -lcrypt
> -o newrole
> cc1: warnings being treated as errors
> newrole.c: In function 'main':
> newrole.c:947: warning: unused variable 'rc'
> make[1]: *** [newrole] Error 1
> make[1]: Leaving directory
> `/root/selinux-stable/policycoreutils/newrole'
> make: *** [all] Error 1
> **********************************************
> 
> What is going wrong ?

Looks like your system doesn't have the pam library installed.  Best
option is to install the pam library (e.g. look for a pam-devel package)
and then build it.  Otherwise, if you truly aren't using pam on that
system, then you could remove that variable declaration as it is then
unnecessary.  We can fix that upstream as well, but AFAIK, everyone
using selinux has pam these days.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: installation from scratch problems

[Stephen Smalley]

On Fri, 2007-01-19 at 17:02 -0500, Karl MacMillan wrote:
> Vincenzo Ciaglia wrote:
> > Il giorno ven, 19/01/2007 alle 07.48 -0500, Stephen Smalley ha scritto:
> > 
> >> The current libselinux depends on thread local storage (tls) support,
> >> which exists in glibc 2.4.  See the link below for a workaround patch
> >> used by the Debian folks:
> >> http://marc.theaimsgroup.com/?l=selinux&m=115807948020898&w=2
> >>
> >> Also, I would tend to suggest updating to stable branch that we just
> >> created in the sourceforge svn repo, as that will be the basis for the
> >> next nsa.gov/selinux stable release.  But that won't change the
> >> situation wrt to tls support.  
> >>
> >> $ svn co https://selinux.svn.sourceforge.net/svnroot/selinux/branches/stable/1_0 selinux-stable
> > 
> > Thank you! I solved the problems. I used the debian's patch, recompiled
> > gcc and glibc with tls support
> 
> Only one of these is necessary - not both. Doesn't hurt, of course, but 
> it may be easier to not have to worry with the patch if you have tls 
> support.
> 
>   and i used the userland packages from the
> > svn repo.
> > 
> > Now i can install libselinux, libsemanage, libsepol and checkpolicy but
> > i get this error with the latest package to compile: policycoreutils
> > 
> > Here the output:
> > 
> > **********************************************
> > # cd policycoreutils/
> > # make
> > make[1]: Entering directory
> > `/root/selinux-stable/policycoreutils/setfiles'
> > make[1]: Nothing to be done for `all'.
> > make[1]: Leaving directory
> > `/root/selinux-stable/policycoreutils/setfiles'
> > make[1]: Entering directory
> > `/root/selinux-stable/policycoreutils/semanage'
> > make[1]: Nothing to be done for `all'.
> > make[1]: Leaving directory
> > `/root/selinux-stable/policycoreutils/semanage'
> > make[1]: Entering directory
> > `/root/selinux-stable/policycoreutils/load_policy'
> > make[1]: Nothing to be done for `all'.
> > make[1]: Leaving directory
> > `/root/selinux-stable/policycoreutils/load_policy'
> > make[1]: Entering directory
> > `/root/selinux-stable/policycoreutils/newrole'
> > cc -Werror -Wall -W -DVERSION=\"1.34.0\"  -I/usr/include -DUSE_NLS
> > -DLOCALEDIR="\"/usr/share/locale\"" -DPACKAGE="\"policycoreutils\""
> > -D_XOPEN_SOURCE=500    newrole.c  -lselinux -lsepol -L/usr/lib -lcrypt
> > -o newrole
> > cc1: warnings being treated as errors
> > newrole.c: In function 'main':
> > newrole.c:947: warning: unused variable 'rc'
> > make[1]: *** [newrole] Error 1
> > make[1]: Leaving directory
> > `/root/selinux-stable/policycoreutils/newrole'
> > make: *** [all] Error 1
> > **********************************************
> > 
> 
> Just a warning. Upstream selinux doesn't treat warnings as errors so 
> occasionally they creep in. You should back out whatever caused -Werror 
> to be added to your compile flags.

Actually, those are the upstream build flags.  The problem in this case
is that the newrole Makefile automatically enables or disables pam in
the build based on the presence of /usr/include/security/pam_appl.h, so
if he doesn't have pam-devel (or equivalent) installed, then it will
disable pam, and we don't really test that configuration.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: installation from scratch problems

[Stephen Smalley]

On Fri, 2007-01-19 at 23:15 +0100, Vincenzo Ciaglia wrote:
> Il giorno ven, 19/01/2007 alle 17.02 -0500, Karl MacMillan ha scritto:
> 
> > Just a warning. Upstream selinux doesn't treat warnings as errors so 
> > occasionally they creep in. You should back out whatever caused -Werror 
> > to be added to your compile flags.
> 
> I used the cvs repo package. So, just for trying, i download the same
> package (policycoreutils-1.32) from the NSA's pages and it does the
> trick. No warning and no errors. 
> 
> Is it the same package and can i use it without problems ?

No, use the svn stable branch as I recommended.  It will be the basis
for the next nsa.gov release.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: installation from scratch problems

[Stephen Smalley]

On Mon, 2007-01-22 at 08:36 -0500, Stephen Smalley wrote:
> On Fri, 2007-01-19 at 22:48 +0100, Vincenzo Ciaglia wrote:
> > Il giorno ven, 19/01/2007 alle 07.48 -0500, Stephen Smalley ha scritto:
> > 
> > > The current libselinux depends on thread local storage (tls) support,
> > > which exists in glibc 2.4.  See the link below for a workaround patch
> > > used by the Debian folks:
> > > http://marc.theaimsgroup.com/?l=selinux&m=115807948020898&w=2
> > > 
> > > Also, I would tend to suggest updating to stable branch that we just
> > > created in the sourceforge svn repo, as that will be the basis for the
> > > next nsa.gov/selinux stable release.  But that won't change the
> > > situation wrt to tls support.  
> > > 
> > > $ svn co https://selinux.svn.sourceforge.net/svnroot/selinux/branches/stable/1_0 selinux-stable
> > 
> > Thank you! I solved the problems. I used the debian's patch, recompiled
> > gcc and glibc with tls support and i used the userland packages from the
> > svn repo.
> > 
> > Now i can install libselinux, libsemanage, libsepol and checkpolicy but
> > i get this error with the latest package to compile: policycoreutils
> > 
> > Here the output:
> > 
> > **********************************************
> > # cd policycoreutils/
> > # make
> > make[1]: Entering directory
> > `/root/selinux-stable/policycoreutils/setfiles'
> > make[1]: Nothing to be done for `all'.
> > make[1]: Leaving directory
> > `/root/selinux-stable/policycoreutils/setfiles'
> > make[1]: Entering directory
> > `/root/selinux-stable/policycoreutils/semanage'
> > make[1]: Nothing to be done for `all'.
> > make[1]: Leaving directory
> > `/root/selinux-stable/policycoreutils/semanage'
> > make[1]: Entering directory
> > `/root/selinux-stable/policycoreutils/load_policy'
> > make[1]: Nothing to be done for `all'.
> > make[1]: Leaving directory
> > `/root/selinux-stable/policycoreutils/load_policy'
> > make[1]: Entering directory
> > `/root/selinux-stable/policycoreutils/newrole'
> > cc -Werror -Wall -W -DVERSION=\"1.34.0\"  -I/usr/include -DUSE_NLS
> > -DLOCALEDIR="\"/usr/share/locale\"" -DPACKAGE="\"policycoreutils\""
> > -D_XOPEN_SOURCE=500    newrole.c  -lselinux -lsepol -L/usr/lib -lcrypt
> > -o newrole
> > cc1: warnings being treated as errors
> > newrole.c: In function 'main':
> > newrole.c:947: warning: unused variable 'rc'
> > make[1]: *** [newrole] Error 1
> > make[1]: Leaving directory
> > `/root/selinux-stable/policycoreutils/newrole'
> > make: *** [all] Error 1
> > **********************************************
> > 
> > What is going wrong ?
> 
> Looks like your system doesn't have the pam library installed.  Best
> option is to install the pam library (e.g. look for a pam-devel package)
> and then build it.  Otherwise, if you truly aren't using pam on that
> system, then you could remove that variable declaration as it is then
> unnecessary.  We can fix that upstream as well, but AFAIK, everyone
> using selinux has pam these days.

Trivial diff below.

Index: policycoreutils/newrole/newrole.c
===================================================================
--- policycoreutils/newrole/newrole.c	(revision 2198)
+++ policycoreutils/newrole/newrole.c	(working copy)
@@ -944,11 +944,11 @@
 	int preserve_environment;
 
 	int fd;
-	int rc;
 	pid_t childPid = 0;
 	char *shell_argv0 = NULL;
 
 #ifdef USE_PAM
+	int rc;
 	int pam_status;		   /* pam return code */
 	pam_handle_t *pam_handle;  /* opaque handle used by all PAM functions */
 

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.