Bug 617704 - sys-apps/policycoreutils-2.6-r1 does not work with musl
Summary: sys-apps/policycoreutils-2.6-r1 does not work with musl
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: AMD64 Linux
Importance: High major
Assignee: SE Linux Bugs
Reported: 2017-05-07 07:56 UTC by Alexander Miroshnichenko
Modified: 2018-10-12 21:29 UTC
Description Alexander Miroshnichenko 2017-05-07 07:56:34 UTC
I use Gentoo Hardened with musl. I have added the selinux profile.

# cat /etc/portage/make.profile/parent 
gentoo:hardened/linux/musl/amd64
gentoo:features/selinux


But sys-apps/policycoreutils-2.6-r1 requires glibc.
I tried to modify the ebuild:
-        >=sys-libs/glibc-2.4
+        elibc_glibc? ( >=sys-libs/glibc-2.4 )
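Review bot: on the `+` line, wrapping `>=sys-libs/glibc-2.4` in `elibc_glibc? ( ... )` only removes the dependency blocker on musl; it changes nothing in the sources, so any use of glibc-only APIs still has to be patched or guarded separately (the build log that follows shows `GLOB_TILDE` and `GLOB_BRACE` undeclared in restore.c). The hunk also does not show which dependency variable the atom sits in, so check that the conditional is applied consistently wherever the glibc atom is listed.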

but the compile fails with this error:
copying sepolicy/help/transition_from_boolean_2.png -> build/lib/sepolicy/help
copying sepolicy/help/transition_to.png -> build/lib/sepolicy/help
copying sepolicy/help/users.png -> build/lib/sepolicy/help
warning: build_py: byte-compiling is disabled, skipping.

make[1]: Leaving directory '/var/tmp/portage/sys-apps/policycoreutils-2.6-r1/work/policycoreutils-2.6-python2_7/sepolicy'
make[1]: Entering directory '/var/tmp/portage/sys-apps/policycoreutils-2.6-r1/work/policycoreutils-2.6-python2_7/setfiles'
x86_64-gentoo-linux-musl-gcc -march=native -O2 -pipe -I/usr/include   -c -o setfiles.o setfiles.c
x86_64-gentoo-linux-musl-gcc -march=native -O2 -pipe -I/usr/include   -c -o restore.o restore.c
x86_64-gentoo-linux-musl-gcc -march=native -O2 -pipe -I/usr/include   -c -o restorecon_xattr.o restorecon_xattr.c
restore.c: In function 'process_glob':
restore.c:78:22: error: 'GLOB_TILDE' undeclared (first use in this function)
  errors = glob(name, GLOB_TILDE | GLOB_PERIOD |
                      ^
restore.c:78:22: note: each undeclared identifier is reported only once for each function it appears in
restore.c:79:21: error: 'GLOB_BRACE' undeclared (first use in this function)
      GLOB_NOCHECK | GLOB_BRACE, NULL, &globbuf);
                     ^
make[1]: *** [<builtin>: restore.o] Error 1
make[1]: *** Waiting for unfinished jobs....
make[1]: Leaving directory '/var/tmp/portage/sys-apps/policycoreutils-2.6-r1/work/policycoreutils-2.6-python2_7/setfiles'
make: *** [Makefile:10: all] Error 1
make: Leaving directory '/var/tmp/portage/sys-apps/policycoreutils-2.6-r1/work/policycoreutils-2.6-python2_7'
 * ERROR: sys-apps/policycoreutils-2.6-r1::local failed (compile phase):
 *   emake failed
 * 
 * If you need support, post the output of `emerge --info '=sys-apps/policycoreutils-2.6-r1::local'`


I tried to apply the https://git.alpinelinux.org/cgit/aports/tree/testing/policycoreutils patches. The package compiles successfully, but the semodule binary is broken: it is impossible to create /etc/selinux/<TYPE>/policy/policy.30, /etc/selinux/<TYPE>/contexts/files/file_contexts and others with `semodule -B -n -s <TYPE>`

Reproducible: Always

Steps to Reproduce:
1. Install Gentoo Hardened Musl stage3
2. Add SELinux feature to profile
3. emerge sys-apps/policycoreutils
Actual Results:  
a) Blocked because glibc is required.
b) Fails to compile if the ebuild glibc dependency is removed.
c) With the Alpine Linux patches applied it compiles successfully, but the `semodule` binary does not work properly.

Expected Results:  
Correctly working SELinux with musl

# emerge --info '=sys-apps/policycoreutils-2.6-r1::local'
Portage 2.3.3 (python 2.7.12-final-0, hardened/linux/musl/amd64, gcc-5.4.0, musl-1.1.16, 4.9.24-hardened-fitlet x86_64)
=================================================================
                         System Settings
=================================================================
System uname: Linux-4.9.24-hardened-fitlet-x86_64-AMD_A10_Micro-6700T_APU+AMD_Radeon_R6_Graphics-with-gentoo-2.3
KiB Mem:     8061384 total,    148628 free
KiB Swap:          0 total,         0 free
Timestamp of repository gentoo: Sun, 07 May 2017 03:00:01 +0000
sh bash 4.3_p48-r1
ld GNU ld (Gentoo 2.26.1 p1.0) 2.26.1
app-shells/bash:          4.3_p48-r1::gentoo
dev-lang/perl:            5.24.1-r1::gentoo
dev-lang/python:          2.7.12::gentoo, 3.4.5::gentoo
dev-util/cmake:           3.7.2::gentoo
dev-util/pkgconfig:       0.28-r2::gentoo
sys-apps/baselayout:      2.3::gentoo
sys-apps/openrc:          0.24.2::gentoo
sys-apps/sandbox:         2.10-r3::musl
sys-devel/autoconf:       2.69::gentoo
sys-devel/automake:       1.15-r2::gentoo
sys-devel/binutils:       2.26.1::gentoo
sys-devel/gcc:            5.4.0-r3::musl
sys-devel/gcc-config:     1.7.3::gentoo
sys-devel/libtool:        2.4.6-r3::gentoo
sys-devel/make:           4.2.1::gentoo
sys-kernel/linux-headers: 4.4::musl (virtual/os-headers)
sys-libs/musl:            1.1.16::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000

local
    location: /usr/local/portage
    masters: gentoo
    priority: 0

musl
    location: /var/lib/layman/musl
    sync-type: laymansync
    sync-uri: git://anongit.gentoo.org/proj/musl.git
    masters: gentoo
    priority: 50

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-gentoo-linux-musl"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-gentoo-linux-musl"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/php/apache2-php7.0/ext-active/ /etc/php/cgi-php7.0/ext-active/ /etc/php/cli-php7.0/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--jobs=2 "
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
INSTALL_MASK="charset.alias"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="acl aio amd64 bzip2 caps cli conntrack cracklib crypt cxx dane dav dav_ext dri ecdsa efi filecaps fortran gccgo gost hardened iconv idn ipv6 jemalloc leaps_timezone logrotate lz4 lzo mmx modern-top modules naxsi ncat ncurses netlink nfsv41 nping nptl nse open_perms openmp pam pax_kernel pcre pcre16 pic readline sasl seccomp secure-delete selinux session smp spdy sse sse2 ssl tcmalloc tcpd threads udev unbound unconfined unicode upload_progress xattr xfs xtpax zlib" ABI_X86="64" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="aes avx mmx mmxext popcnt sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3" ELIBC="musl" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="libinput keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-0" PYTHON_SINGLE_TARGET="python3_4" PYTHON_TARGETS="python2_7 python3_4" QEMU_SOFTMMU_TARGETS="x86_64" QEMU_USER_TARGETS="x86_64" RUBY_TARGETS="ruby21 ruby22" USERLAND="GNU" VIDEO_CARDS="dummy fbdev v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy 
condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, LANG, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON

=================================================================
                        Package Settings
=================================================================

sys-apps/policycoreutils-2.6-r1::local was built with the following:
USE="pam -audit -dbus" PYTHON_TARGETS="python2_7 python3_4 -python3_5"
Comment 1 Felix Janda 2017-05-08 11:46:39 UTC
The alpine patches do not seem relevant to the bug of the semodule
binary you are seeing. Can you describe the bug in more detail?
(What is expected behavior? What does actually happen? Does the program
emit any error message?)
Comment 2 Alexander Miroshnichenko 2017-05-08 15:00:32 UTC
(In reply to Felix Janda from comment #1)
> Can you describe the bug in more detail?

> What is expected behavior? 
I expect to successfully install and load selinux-base-policy and other selinux policy packages.

> What does actually happen? 
Package sys-apps/policycoreutils can not be compiled from official gentoo repo.

> Does the program emit any error message?

Compile error with musl profile:
restore.c:78:22: error: 'GLOB_TILDE' undeclared (first use in this function)
  errors = glob(name, GLOB_TILDE | GLOB_PERIOD |
Comment 3 Alexander Miroshnichenko 2017-09-11 06:34:59 UTC
Hi,

Do you have any progress on the bug?
Comment 4 Jason Zaman gentoo-dev 2017-09-14 12:53:36 UTC
(In reply to Alexander Miroshnichenko from comment #3)
> Hi,
> 
> Do you have any progress on the bug?

2.7 is in the tree. Can you test that version? I seem to recall some patches relating to musl a while ago.
Comment 5 Alexander Miroshnichenko 2017-09-14 13:07:55 UTC
The following mask changes are necessary to proceed:
 (see "package.unmask" in the portage(5) man page for more details)
# required by sys-apps/policycoreutils-2.7::gentoo
# required by =sys-apps/policycoreutils-2.7 (argument)
# /usr/portage/profiles/hardened/linux/musl/package.mask:
=sys-libs/glibc-2.23-r4

It still requires GLIBC
Comment 6 Alexander Miroshnichenko 2017-09-22 16:17:12 UTC
I have modified the ebuild in local portage by removing the GLIBC dependency, but the compile fails with the same error:

 * Package:    sys-apps/policycoreutils-2.7
 * Repository: x-portage
 * Maintainer: selinux@gentoo.org
 * USE:        abi_x86_64 amd64 elibc_musl kernel_linux pam python_targets_python2_7 python_targets_python3_4 userland_GNU
 * FEATURES:   preserve-libs sandbox selinux sesandbox userpriv usersandbox
>>> Unpacking source...
>>> Unpacking policycoreutils-2.7.tar.gz to /var/tmp/portage/sys-apps/policycoreutils-2.7/work
>>> Unpacking policycoreutils-extra-1.36.tar.bz2 to /var/tmp/portage/sys-apps/policycoreutils-2.7/work
>>> Source unpacked in /var/tmp/portage/sys-apps/policycoreutils-2.7/work
>>> Preparing source in /var/tmp/portage/sys-apps/policycoreutils-2.7/work/policycoreutils-2.7 ...
 * Applying policycoreutils-2.7-0001-newrole-not-suid.patch ...
 [ ok ]
 * Will copy sources from /var/tmp/portage/sys-apps/policycoreutils-2.7/work/policycoreutils-2.7
 * python2_7: copying to /var/tmp/portage/sys-apps/policycoreutils-2.7/work/policycoreutils-2.7-python2_7
 * python3_4: copying to /var/tmp/portage/sys-apps/policycoreutils-2.7/work/policycoreutils-2.7-python3_4
 * Will copy sources from /var/tmp/portage/sys-apps/policycoreutils-2.7/work/policycoreutils-extra
 * python2_7: copying to /var/tmp/portage/sys-apps/policycoreutils-2.7/work/policycoreutils-extra-python2_7
 * python3_4: copying to /var/tmp/portage/sys-apps/policycoreutils-2.7/work/policycoreutils-extra-python3_4
>>> Source prepared.
>>> Configuring source in /var/tmp/portage/sys-apps/policycoreutils-2.7/work/policycoreutils-extra ...
>>> Source configured.
>>> Compiling source in /var/tmp/portage/sys-apps/policycoreutils-2.7/work/policycoreutils-extra ...
 * python2_7: running building
make -j4 -C /var/tmp/portage/sys-apps/policycoreutils-2.7/work/policycoreutils-2.7-python2_7 AUDIT_LOG_PRIVS=y AUDITH=n PAMH=y INOTIFYH=n SESANDBOX=n CC=x86_64-gentoo-linux-musl-gcc PYLIBVER=python2.7 LIBDIR=$(PREFIX)/lib
make: Entering directory '/var/tmp/portage/sys-apps/policycoreutils-2.7/work/policycoreutils-2.7-python2_7'
make[1]: Entering directory '/var/tmp/portage/sys-apps/policycoreutils-2.7/work/policycoreutils-2.7-python2_7/setfiles'
x86_64-gentoo-linux-musl-gcc -march=native -O2 -pipe   -c -o setfiles.o setfiles.c
x86_64-gentoo-linux-musl-gcc -march=native -O2 -pipe   -c -o restore.o restore.c
x86_64-gentoo-linux-musl-gcc -march=native -O2 -pipe   -c -o restorecon_xattr.o restorecon_xattr.c
restore.c: In function 'process_glob':
restore.c:79:22: error: 'GLOB_TILDE' undeclared (first use in this function)
  errors = glob(name, GLOB_TILDE | GLOB_PERIOD |
                      ^
restore.c:79:22: note: each undeclared identifier is reported only once for each function it appears in
restore.c:80:21: error: 'GLOB_BRACE' undeclared (first use in this function)
      GLOB_NOCHECK | GLOB_BRACE, NULL, &globbuf);
                     ^
make[1]: *** [<builtin>: restore.o] Error 1
make[1]: *** Waiting for unfinished jobs....
make[1]: Leaving directory '/var/tmp/portage/sys-apps/policycoreutils-2.7/work/policycoreutils-2.7-python2_7/setfiles'
make: *** [Makefile:4: all] Error 1
make: Leaving directory '/var/tmp/portage/sys-apps/policycoreutils-2.7/work/policycoreutils-2.7-python2_7'
 * ERROR: sys-apps/policycoreutils-2.7::x-portage failed (compile phase):
 *   emake failed
 *
 * If you need support, post the output of `emerge --info '=sys-apps/policycoreutils-2.7::x-portage'`,
 * the complete build log and the output of `emerge -pqv '=sys-apps/policycoreutils-2.7::x-portage'`.
 * The complete build log is located at '/var/tmp/portage/sys-apps/policycoreutils-2.7/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/sys-apps/policycoreutils-2.7/temp/environment'.
 * Working directory: '/var/tmp/portage/sys-apps/policycoreutils-2.7/work/policycoreutils-extra'
 * S: '/var/tmp/portage/sys-apps/policycoreutils-2.7/work/policycoreutils-2.7'
Comment 7 Mira Ressel 2018-10-12 21:29:32 UTC
Fixed in 2.8.
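
The compile failure in this report comes from restore.c passing `GLOB_TILDE` and `GLOB_BRACE` to glob(), flags the musl headers on the reporter's system do not declare. The following is an added example, not code from policycoreutils, the Alpine patches or the 2.8 fix: it shows one common portability pattern, falling back to 0 for a missing flag, and flags the patterns that would then be matched literally instead of expanded. The function names and sample paths are hypothetical.

```c
#include <glob.h>
#include <stdio.h>
#include <string.h>

/* Fallback: a flag the libc does not declare becomes a no-op (0). */
#ifndef GLOB_TILDE
#define GLOB_TILDE 0
#endif
#ifndef GLOB_BRACE
#define GLOB_BRACE 0
#endif
#define MISSING_TILDE 1u
#define MISSING_BRACE 2u

/* Bitmask of the GNU glob extensions this libc does not provide. */
unsigned missing_glob_ext(void) {
    return (GLOB_TILDE ? 0u : MISSING_TILDE) | (GLOB_BRACE ? 0u : MISSING_BRACE);
}

/* 1 if `name` uses syntax that silently stops expanding on this libc. */
int loses_expansion(const char *name) {
    return (!GLOB_TILDE && name[0] == '~') || (!GLOB_BRACE && strchr(name, '{') != NULL);
}

/* Same flag set as the failing call; copies the first result into `first`. */
long expand_paths(const char *name, char *first, size_t len) {
    glob_t g;
    memset(&g, 0, sizeof g);
    if (glob(name, GLOB_TILDE | GLOB_PERIOD | GLOB_NOCHECK | GLOB_BRACE, NULL, &g) != 0) {
        globfree(&g);
        return -1;
    }
    long n = (long)g.gl_pathc;
    if (first != NULL && len > 0 && n > 0)
        snprintf(first, len, "%s", g.gl_pathv[0]);
    globfree(&g);
    return n;
}

int main(void) {
    const char *samples[] = { "/etc", "~/.ssh", "/var/{log,tmp}" }; /* constructed */
    char first[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long n = expand_paths(samples[i], first, sizeof first);
        printf("%-16s paths=%ld first=%s%s\n", samples[i], n, n > 0 ? first : "-",
               loses_expansion(samples[i]) ? "  [expansion unavailable]" : "");
    }
    return 0;
}
```

With the fallback in place the build succeeds, but because of `GLOB_NOCHECK` an unexpanded `~` or `{a,b}` pattern is returned as a literal path, which matters for a relabeling tool: the paths it was asked to process are not the ones it acts on.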