If GRKERNSEC_SELINUX_AVC_LOG_IPADDR ("Add source IP address to SELinux AVC log messages") is set in the kernel configuration, GRSecurity tries to use the NIPQUAD macro, but NIPQUAD no longer exists in 2.6.36 (as of http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=cf4ca4874fc45166198424384275f443a672d0b7), so compilation fails with:

security/selinux/avc.c: In function 'avc_dump_query':
security/selinux/avc.c:148: error: implicit declaration of function 'NIPQUAD'
security/selinux/avc.c:148: warning: too few arguments for format

Reproducible: Always
Okay, this is an easy one. I'm going to pass it by the grsec/pax team first and see how they want to handle it. Otherwise, I can just reintroduce the macro myself. I'll make sure it's fixed for 2.6.36-r3. Thanks for reporting.
Can you please test the following simple patch. It compiles, but I don't use SELinux so I'd like a runtime check from you. If all is good, I'll throw it into the next rev bump: diff -Naur avc.c.orig avc.c --- avc.c.orig 2010-11-23 10:48:18.000000000 -0500 +++ avc.c 2010-11-23 10:48:37.000000000 -0500 @@ -145,7 +145,7 @@ #ifdef CONFIG_GRKERNSEC_SELINUX_AVC_LOG_IPADDR if (current->signal->curr_ip) - audit_log_format(ab, "ipaddr=%u.%u.%u.%u ", NIPQUAD(current->signal->curr_ip)); + audit_log_format(ab, "ipaddr=%pI4 ", ¤t->signal->curr_ip); #endif rc = security_sid_to_context(ssid, &scontext, &scontext_len);
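Review bot: On the added audit_log_format line, %pI4 takes a pointer to a 4-byte IPv4 address in network byte order, whereas the removed NIPQUAD(...) call took the value itself, so the argument must be the address of the field, &current->signal->curr_ip; as rendered in this comment the argument shows up as "¤t->signal->curr_ip", so the attached copy of the patch should be checked for the intact "&current". It is also worth confirming that curr_ip is declared as a 32-bit network-order value, since %pI4 reads exactly four bytes from that address and any wider or host-order field would log a different address than the old "%u.%u.%u.%u" format did. A runtime check should compare an ipaddr= value in an AVC log entry against the known source address of the session.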
Created attachment 255193
Switches from NIPQUAD to %pI4

Sorry about the line wrap in the previous comment. Here's the patch as an attachment.
Yes, that patch seems to work.
(In reply to comment #4)
> Yes, that patch seems to work.

The fix is in
hardened-sources-2.6.32-r28.ebuild
hardened-sources-2.6.36-r3.ebuild
which I just committed to the tree. I'll close this bug as soon as both of these (or higher) go stable.
> hardened-sources-2.6.32-r28.ebuild
> hardened-sources-2.6.36-r3.ebuild

Those ebuilds are off the tree because of serious breakage (not related to this). Please use
hardened-sources-2.6.32-r29.ebuild
hardened-sources-2.6.36-r4.ebuild
and above.
Just stabilized hardened-sources-2.6.32-r31.ebuild and hardened-sources-2.6.36-r6.ebuild which include the fix. Closing.