While trying to compile hardened-sources-2.6.11-r14 I'm getting the following error: CC security/selinux/avc.o security/selinux/avc.c: In function `avc_dump_query': security/selinux/avc.c:210: error: structure has no member named `curr_ip' security/selinux/avc.c:211: error: structure has no member named `curr_ip' security/selinux/avc.c:211: error: structure has no member named `curr_ip' security/selinux/avc.c:211: error: structure has no member named `curr_ip' security/selinux/avc.c:211: error: structure has no member named `curr_ip' make[2]: *** [security/selinux/avc.o] Error 1 make[1]: *** [security/selinux] Error 2 make: *** [security] Error 2 I have grsecurity enabled and r13 compiled without problems ... Reproducible: Always Steps to Reproduce: Portage 2.0.51.19 (default-linux/x86/2005.0, gcc-3.3.5-20050130, glibc-2.3.4.20041102-r1, 2.6.11-hardened-r13 i686) ================================================================= System uname: 2.6.11-hardened-r13 i686 AMD Athlon(tm) Processor Gentoo Base System version 1.6.12 Python: dev-lang/python-2.3.5 [2.3.5 (#1, Jun 11 2005, 00:24:18)] dev-lang/python: 2.3.5 sys-apps/sandbox: [Not Present] sys-devel/autoconf: 2.59-r6, 2.13 sys-devel/automake: 1.7.9-r1, 1.8.5-r3, 1.5, 1.4_p6, 1.6.3, 1.9.5 sys-devel/binutils: 2.15.92.0.2-r10 sys-devel/libtool: 1.5.16 virtual/os-headers: 2.6.11-r1 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CFLAGS="-O3 -march=athlon-tbird -fomit-frame-pointer" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown /usr/kde/3/share/config /usr/lib/X11/xkb /usr/lib/mozilla/defaults/pref /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/bind /var/qmail/control" CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d" CXXFLAGS="-O3 -march=athlon-tbird -fomit-frame-pointer" DISTDIR="/usr/portage/distfiles" FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms strict" GENTOO_MIRRORS="http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ http://ftp.easynet.nl/mirror/gentoo/ http://www.gigaload.org/gentoo.org/" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="x86 3dfx X acl acpi alsa apache2 apm arts avi bitmap-fonts bzlib canna cdr crypt curl divx4linux doc eds emboss encode esd fam fortran ftp gd gdbm gif gnome gpm gstreamer gtk gtk2 hardened iconv imagemagick imlib ipv6 java jpeg junit kde libg++ libwww mad mikmod mime mozilla mp3 mpeg mysql ncurses nls odbc ogg oggvorbis opengl pam pda pdflib perl php png python qt quicktime readline recode samba sdl session slang sockets socks5 spell sqlite ssl svga tcltk tcpd tetex tiff truetype truetype-fonts type1-fonts unicode usb vhost vorbis wxwindows xml xml2 xv xvid zlib userland_GNU kernel_linux elibc_glibc" Unset: ASFLAGS, CBUILD, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTDIR_OVERLAY
Created attachment 61269 [details] .config file used for compiling
Somehow this bug has returned It was fixed orig in bug 79508.
Please, don't CC me on any other bug again. I've clearly made an statement (time ago, but maybe it wasn't handled in an appropiate manner by those who were in charge of managing the process) regarding that I don't want to get any further communication of any type and in any way from the Gentoo project and less if it comes from certain members of it's "community", sub-projects or any other associated parties. Thanks in advance, I hope the situation to get solved as soon as possible, so, no more parties will get involved in this mess and hopefully it won't need to go a step further. Cheers, Lorenzo.
Lorenzo, The issue in question comes from code you signed off on (4105_selinux-avc_audit-log-curr_ip-grsec.patch), and it is standard practice to pull in help from those that work with the code. The 'current' variable obviously doesn't have the 'curr_ip' member. Is it possible we are missing part of the patch? Marijn, if you apply the 4105_selinux-avc_audit-log-curr_ip-grsec.patch patch in reverse (it is found in hardened-patches-2.6.11-14.extras.tar.bz2 distfile) with: cd /usr/src/linux-2.6.11-hardened-r14 patch -R -p1 < 4105_selinux-avc_audit-log-curr_ip-grsec.patch you should be able to build just fine. Hopefully we'll be able to get the logging working properly shortly.
(In reply to comment #4) > Lorenzo, > > The issue in question comes from code you signed off on > (4105_selinux-avc_audit-log-curr_ip-grsec.patch), and it is standard practice to > pull in help from those that work with the code. You confuse terms: it's not standard, it's voluntary. And I can't care of all the users of specific distributions who might be suffering unexpected issues due to the politics/development/maintenance done by the developers of such distribution, it's a personal choice pretty well explained in the lines below. And BTW, why's my work used in Hardened Gentoo, a project which has *explicitly* rejected to use my work and my contributions? It's ironic, or sad, or both. If you guys reject me as a volunteer willing to help, then accept all the conditions and consequences of rejecting me. I won't support Hardened Gentoo, so, solve this issue at your own and don't send me this noise. Also, it may be polite if Hardened Gentoo stops using my work, as they have (as explained above, I apologize of the redundancy) explicitly rejected, most notable his current "lead", and expressed in IRC logs, the conversations with the Developer "Relations" team (with some notable exceptions of pretty-weird-job, but also good ones from those who were my mentors). Have fun fixing it among other couple of things that may need more care, like the way you guys want to follow in developer relationships and how you want to treat those who at some time, were willing to help, and now, as the fight seems to continue being feed from one side, can be willing to do the opposite in all the possible and profitable ways. Cheers, Lorenzo.
(In reply to comment #5) > And BTW, why's my work used in Hardened Gentoo, a project which has *explicitly* > rejected to use my work and my contributions? It's ironic, or sad, or both. A humble suggestion - don
(In reply to comment #5) > And BTW, why's my work used in Hardened Gentoo, a project which has *explicitly* > rejected to use my work and my contributions? It's ironic, or sad, or both. A humble suggestion - don´t GPL it next time. And of course - thanks for your extensive help with this bug and some really warm words that I´m sure everyone must appreciate. :-p Next time, maybe you could find a more proper place to do the dirty wash instead of bugzilla - if you feel the urge to do so.
This is a bug with SELinux and the kernel option CONFIG_GRKERNSEC_PROC_IPADDR. I experienced this bug and unset CONFIG_GRKERNSEC_PROC_IPADDR and the kernel compiled. So the logical explanation is that CONFIG_GRKERNSEC_PROC_IPADDR and SELinux's code that uses curr_ip is interfering with each other somehow.
(In reply to comment #7) > This is a bug with SELinux and the kernel option CONFIG_GRKERNSEC_PROC_IPADDR. I > experienced this bug and unset CONFIG_GRKERNSEC_PROC_IPADDR and the kernel compiled. > > So the logical explanation is that CONFIG_GRKERNSEC_PROC_IPADDR and SELinux's > code that uses curr_ip is interfering with each other somehow. There is no code interfering. The offending code is only enabled when CONFIG_GRKERNSEC_PROC_IPADDR is enabled, and unfortunatly is not complete. Disabling the option disabled the chunk of offending code, but also disables other perfectly working support. If you follow the instructions in comment #4, you can leave the option enabled keeping support where it works, and the kernel will compile fine.
apologies for not picking up on this bug earlier. The local copy of my patch was updated, after checking the grsec struct changes. This is fixed locally, but I plan to release 2.6.12 shortly under testing. At the same time I will look to rev-bump the 2.6.11 kernel for those not wanting to upgrade. Will update later :)
(In reply to comment #6) > A humble suggestion - don
(In reply to comment #6) > A humble suggestion - don´t GPL it next time. And of course - thanks for your > extensive help with this bug and some really warm words that I´m sure everyone > must appreciate. :-p You miss the point, I was talking about honesty, decency, ... My words were cool enough, but maybe you were reading too deeply, and that doesn't help for appreciating my words themselves, anyways, it's up to you to take them either as a simple, cool response to a threat, or as the most offensive essay ever published on a blessed Bugzilla file! (sigh) > Next time, maybe you could find a more proper place to do the dirty wash instead > of bugzilla - if you feel the urge to do so. At this point, what are you talking about? dirty wash in the context of this bug, my responses, etc, doesn't make sense. I would like to encourage you to express your opinion directly to me, instead of doing what you guys have done (thanks for the reminder on using Bugzilla as a disappointing place). I just say, it would be better if you just invested your time in fixing and closing other bug reports than feeding the troll. No bitterness anyways ;)
Welp.. I've had enough of this now. For the other bug readers having to suffer threw this. Lorenzo appears to be pissed off after failing the dev recruitment process bug #92033 and has now reserved the right to be an asshole to the rest of us. He was added to the CC: of this bug by me as I knew he was involved with the patch that hardened-sources-2.6 was using (mistake on my part I'm sorry others). My reasoning was he was enthusiastic about getting the code in, but now that it in and it's proved no good he rather seems to want to come up with a conspiracy about supposed decency and insulting others by calling them trolls. "We get it" trulux you don't care about the code you wrote before. Fine no big deal it sucked anyway. Do us all a favor and find another distribution to use. Please go about your ways of trying to copycat technologies you don't understand well enough to duplicate properly.
> For the other bug readers having to suffer threw this. Lorenzo appears > to be pissed off after failing the dev recruitment process bug #92033 > and has now reserved the right to be an asshole to the rest of us. Well, the quiz was pretty OK, but I think you "hardened guys" have something to say about it, and still taking bitterness as a way of acting, etc, etc, etc. I don't care about that, but, what a whole bunch of warm words you're saying. I doubt on why I'm still keeping cool while you try to continue the marketing of others. Weird, that's it. > My reasoning was he was enthusiastic about getting the > code in, but now that it in and it's proved no good he rather seems to > want to come up with a conspiracy about supposed decency and insulting > others by calling them trolls. Trolls smell bad, decency is something trolls don't care and...hey, Where I'm insulting? I just forgot it, it makes no sense. > "We get it" trulux you don't care about the code you wrote before. Fine > no big deal it sucked anyway. Yes, we all must admit that Hardened Gentoo puts "stuff that sucks" in the hardened-sources. Is that the point or I'm missing something? Please, instead of doing the real *insulting* and trying to *provoke*, could you explain your opinion with real, true, accurate, decent, close to the point, unbiased facts? > Do us all a favor and find another distribution to use. Done. > Please go about your ways of trying to copycat technologies you don't > understand well enough to duplicate properly. Hmm, what are you supposed to be talking about? It's clear enough now who starts and continues threats here. Good luck, take care. (and again, no bitterness. There are many ways to say the same thing, you don't need to insult, lie or threat. It's all about keeping close to the point). PS: Just an interesting reading for the case: http://www.wsu.edu/~dee/MESO/CODE.HTM
(In reply to comment #12) I've thought that you > don't want to get any further communication of any type and in any way from >the Gentoo project Have you perhaps changed your mind? I hope not; I'd say ditto about communication of similar kind as shown above from you. Really not interested in reading such a crap in bugzilla. So let me quote your own words one more time: > Thanks in advance, I hope the situation to get solved as soon as possible, so, > no more parties will get involved in this mess and hopefully it won't need to go > a step further. Indeed - TIA. @johnm: Please fix this ASAP, so that this bug may be closed. Meanwhile, I'd suggest marking pending SELinux enhancement bugs filed by trulux as WONTFIX so that we don't have to suffer this again once it shows equally broken as this "patch" produced by trulux. CCing pebenito on this.
in cvs as -r15. In all fairness to trulux the original patch was good against an older grsec revision. grsec was bumped and the struct changed, and I missed the change in the patch in question. this was promptly fixed locally but not in cvs as I planned for 2.6.12 to go sometime very soon. anyways. bug closed.
thanks john
