>>> Emerging (1 of 8) net-libs/serf-1.3.8::gentoo * serf-1.3.8.tar.bz2 SHA256 SHA512 WHIRLPOOL size ;-) ... [ ok ] >>> Unpacking source... >>> Unpacking serf-1.3.8.tar.bz2 to /var/tmp/portage/net-libs/serf-1.3.8/work >>> Source unpacked in /var/tmp/portage/net-libs/serf-1.3.8/work >>> Preparing source in /var/tmp/portage/net-libs/serf-1.3.8/work/serf-1.3.8 ... * Applying serf-1.3.2-disable_linking_against_unneeded_libraries.patch ... [ ok ] * Applying serf-1.3.8-scons_variables.patch ... [ ok ] * Applying serf-1.3.8-tests.patch ... [ ok ] >>> Source prepared. >>> Configuring source in /var/tmp/portage/net-libs/serf-1.3.8/work/serf-1.3.8 ... >>> Source configured. >>> Compiling source in /var/tmp/portage/net-libs/serf-1.3.8/work/serf-1.3.8 ... scons -j2 PREFIX=/usr LIBDIR=/usr/lib64 APR=/usr/bin/apr-1-config APU=/usr/bin/apu-1-config OPENSSL=/usr CC=x86_64-pc-linux-gnu-gcc CPPFLAGS= CFLAGS=-O2 -pipe -march=native -fno-unwind-tables -fno-as ynchronous-unwind-tables -fpeel-loops -ftracer -fuse-linker-plugin LINKFLAGS=-Wl,-O1 -Wl,--as-needed -Wl,--sort-common scons: Reading SConscript files ... scons: done reading SConscript files. error: can't start new thread: File "/usr/lib64/python2.7/site-packages/SCons/Script/Main.py", line 1372: _exec_main(parser, values) File "/usr/lib64/python2.7/site-packages/SCons/Script/Main.py", line 1335: _main(parser) File "/usr/lib64/python2.7/site-packages/SCons/Script/Main.py", line 1099: nodes = _build_targets(fs, options, targets, target_top) File "/usr/lib64/python2.7/site-packages/SCons/Script/Main.py", line 1259: jobs = SCons.Job.Jobs(num_jobs, taskmaster) File "/usr/lib64/python2.7/site-packages/SCons/Job.py", line 92: self.job = Parallel(taskmaster, num, stack_size) File "/usr/lib64/python2.7/site-packages/SCons/Job.py", line 365: self.tp = ThreadPool(num, stack_size, self.interrupted) File "/usr/lib64/python2.7/site-packages/SCons/Job.py", line 295: worker = Worker(self.requestQueue, self.resultsQueue, interrupted) File "/usr/lib64/python2.7/site-packages/SCons/Job.py", line 242: self.start() File "/usr/lib64/python2.7/threading.py", line 745: _start_new_thread(self.__bootstrap, ()) * ERROR: net-libs/serf-1.3.8::gentoo failed (compile phase): * escons failed. * * Call stack: * ebuild.sh, line 133: Called src_compile * environment, line 2029: Called escons * environment, line 879: Called die * The specific snippet of code: * die "escons failed." * * If you need support, post the output of `emerge --info '=net-libs/serf-1.3.8::gentoo'`, * the complete build log and the output of `emerge -pqv '=net-libs/serf-1.3.8::gentoo'`. * The complete build log is located at '/var/tmp/portage/net-libs/serf-1.3.8/temp/build.log'. * The ebuild environment file is located at '/var/tmp/portage/net-libs/serf-1.3.8/temp/environment'. * Working directory: '/var/tmp/portage/net-libs/serf-1.3.8/work/serf-1.3.8' * S: '/var/tmp/portage/net-libs/serf-1.3.8/work/serf-1.3.8' >>> Failed to emerge net-libs/serf-1.3.8, Log file: In messages.log is: 2016-02-03T11:31:31.215515+01:00 gentoo-mirror kernel: [6621659.215204] grsec: From 192.168.254.1: denied RWX mmap of <anonymous mapping> by /usr/bin/python2.7[python2.7:11540] uid/euid:250/250 gid/egid:250/250, parent /var/tmp/portage/._portage_reinstall_.dvq2ruow/bin/ebuild.sh[ebuild.sh:11526] uid/euid:250/250 gid/egid:250/250 Reproducible: Always Portage 2.2.26 (python 3.4.3-final-0, hardened/linux/amd64, gcc-4.9.3, glibc-2.21-r1, 3.17.7-hardened-r1 x86_64) ================================================================= System uname: Linux-3.17.7-hardened-r1-x86_64-Intel_Xeon_E312xx_-Sandy_Bridge-with-gentoo-2.2 KiB Mem: 890424 total, 103696 free KiB Swap: 511996 total, 503760 free Timestamp of repository gentoo: Wed, 03 Feb 2016 05:15:01 +0000 sh bash 4.3_p42-r1 ld GNU gold (Gentoo 2.25.1 p1.1 2.25.1) 1.11 ccache version 3.1.9 [enabled] app-shells/bash: 4.3_p42-r1::gentoo dev-lang/perl: 5.20.2::gentoo dev-lang/python: 2.7.9-r1::gentoo, 3.4.3-r1::gentoo dev-util/ccache: 3.1.9-r4::gentoo dev-util/cmake: 3.3.1-r1::gentoo dev-util/pkgconfig: 0.28-r2::gentoo sys-apps/baselayout: 2.2::gentoo sys-apps/openrc: 0.19.1::gentoo sys-apps/sandbox: 2.10-r1::gentoo sys-devel/autoconf: 2.69::gentoo sys-devel/automake: 1.13.4::gentoo, 1.14.1::gentoo, 1.15::gentoo sys-devel/binutils: 2.25.1-r1::gentoo sys-devel/gcc: 4.9.3::gentoo sys-devel/gcc-config: 1.7.3::gentoo sys-devel/libtool: 2.4.6::gentoo sys-devel/make: 4.1-r1::gentoo sys-kernel/linux-headers: 4.3::gentoo (virtual/os-headers) sys-libs/glibc: 2.21-r1::gentoo Repositories: gentoo location: /usr/portage sync-type: rsync sync-uri: rsync://gentoo.prz.rzeszow.pl/gentoo-portage/ priority: -1000 sync-rsync-extra-opts: -O ACCEPT_KEYWORDS="amd64" ACCEPT_LICENSE="* -@EULA" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-O2 -pipe -march=native -fno-unwind-tables -fno-asynchronous-unwind-tables -fpeel-loops -ftracer -fuse-linker-plugin" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo" CXXFLAGS="-O2 -pipe -march=native -fno-unwind-tables -fno-asynchronous-unwind-tables -fpeel-loops -ftracer -fuse-linker-plugin" DISTDIR="/usr/portage/distfiles" FCFLAGS="-O2 -pipe" FEATURES="assume-digests binpkg-logs ccache collision-protect compressdebug config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr" FFLAGS="-O2 -pipe" GENTOO_MIRRORS="http://distfiles.gentoo.org" LANG="pl_PL.utf8" LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--sort-common" MAKEOPTS="-j2 -l 3" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_EXTRA_OPTS="-O" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" USE="acl acpi amd64 bash-completion caps cli cracklib crypt cxx dri hardened iconv ipv6 justify mmx mmxext modules multilib ncurses nls nptl openmp pax_kernel pcre pie readline seccomp session sse sse2 sse3 ssp ssse3 threads unicode urandom vim-syntax xattr xtpax" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx mmxext sse sse2" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-5" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python3_4" RUBY_TARGETS="ruby20 ruby21" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" USE_PYTHON="3.3" Unset: CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS
Check that you have emutramp enable in the kernel
# zgrep -i emutr /proc/config.gz CONFIG_PAX_EMUTRAMP=y
Check the pax mark on python and what you use in the kernel config for marking.
>>> Compiling source in /var/tmp/portage/net-libs/serf-1.3.8/work/serf-1.3.8 ... scons -j6 PREFIX=/usr LIBDIR=/usr/lib64 APR=/usr/bin/apr-1-config APU=/usr/bin/apu-1-config OPENSSL=/usr CC=x86_64-pc-linux-gnu-gcc CPPFLAGS= CFLAGS=-pipe -O2 -march=core2 LINKFLAGS=-Wl,-O1 -Wl,--as-needed scons: Reading SConscript files ... scons: done reading SConscript files. scons: Building targets ... It works fine for me.
On a other host it also works for me. # zgrep -i xattr /proc/config.gz CONFIG_TMPFS_XATTR=y CONFIG_PAX_XATTR_PAX_FLAGS=y Ok, I've tracked how to fix it. I didn't had set in make.conf variable PAX_MARKINGS. So paxmarking was: paxctl-ng -v /usr/bin/python2.7 /usr/bin/python2.7: PT_PAX : -E--- XATTR_PAX : -E--- Next I set PAX_MARKINGS="XT", so python2.7 received such flags: paxctl-ng -v /usr/bin/python2.7 /usr/bin/python2.7: PT_PAX : not found XATTR_PAX : -E--- Now scons has no problem with working. Bug in kernel when both PT_PAX and XATTR_PAX flags are set?
Created attachment 467778 [details] messages_170321_1009_g5n When installing Firefox ( Pls., I don't use Firefox anymore, I use Palemoon. I'm only following Firefox out of curiosity and spite after they ruined it all for me with: Require PulseAudio to play sound on Linux https://bugzilla.mozilla.org/show_bug.cgi?id=1247056 ) So, [when installing Firefox] this happened, (from /var/log/messages): Mar 21 10:08:26 g5n kernel: [172037.447577] grsec: (admin:S:/) exec of /var/tmp/portage/www-client/firefox-52.0.1/work/firefox-52.0.1/ff/_virtualenv/bin/python2.7 (/var/tmp/portage/www-client/firefox-52.0.1/work/firefox-52.0.1/ff/_virtualenv/bin/python2.7 - setuptools pip wheel ) by /var/tmp/portage/www-client/firefox-52.0.1/work/firefox-52.0.1/ff/_virtualenv/bin/python2.7[python2.7:15256] uid/euid:250/250 gid/egid:250/250, parent /usr/bin/python2.7[python2.7:15254] uid/euid:250/250 gid/egid:250/250 Mar 21 10:08:26 g5n kernel: [172037.765438] grsec: (admin:S:/) denied RWX mmap of <anonymous mapping> by /var/tmp/portage/www-client/firefox-52.0.1/work/firefox-52.0.1/ff/_virtualenv/bin/python2.7[python2.7:15256] uid/euid:250/250 gid/egid:250/250, parent /usr/bin/python2.7[python2.7:15254] uid/euid:250/250 gid/egid:250/250 See all of it (and more, I only partly understand it) in the attachment: messages_170321_1009_g5n And in the other attachment (that I'll post with the next comment): www-client_firefox-52.0.1_20170321-090648.log find: checking for PIE support... no configure: error: --enable-pie requires PIE support from the linker. The two excerpts above, to my best understanding belong to the same event. PIE means, IIUC, position independent executable (the way in which binaries are installed in a hardened system, like mine). I do have in /etc/portage/make.conf : PAX_MARKINGS="XT" So this: # paxctl-ng -v /usr/bin/python2.7 /usr/bin/python2.7: PT_PAX : not found XATTR_PAX : -E--- # [so this] is all regular. I also have: CONFIG_TMPFS_XATTR=y CONFIG_PAX_XATTR_PAX_FLAGS=y in all my hardened kernels (including the running one). When installing firefox-51.0.1 some three weeks ago I didn't have any issues, excerpt from the log in /var/log/portage/<firefox-51.0.1>.log : checking for shmat... yes checking for IceConnectionNumber in -lICE... yes checking for --noexecstack option to as... yes checking for -z noexecstack option to ld... yes checking for -z text option to ld... yes checking for --ignore-unresolved-symbol option to ld... yes checking if toolchain supports -mssse3 option... yes checking if toolchain supports -msse4.1 option... yes checking for x86 AVX2 asm support in compiler... yes checking for PIE support... yes ^^^^^^^^^^^^^ ||||||||||||| See the PIE support... yes above. How's that not working now?
Created attachment 467782 [details] www-client_firefox-52.0.1_20170321-090648.log (the attachment promised in the previous post)
Created attachment 467788 [details] emerge--info_4.9.16-hardened It doesn't work (all the errors are the same) with all the latest updates, including the hardened kernel.
The firefox bug is not the same as this so open a new one
(In reply to Magnus Granberg from comment #9) > The firefox bug is not the same as this so open a new one Sorry! I tried to mend by posting at: PIE support in linker missing, reason: denied RWX mmap of by /var/tmp/...firefox-52.0.1/_virtualenv/bin/python2.7 https://bugs.gentoo.org/show_bug.cgi?id=613452 Regards!
(In reply to Marcin Mirosław from comment #5) > Now scons has no problem with working.