Bug 445484 - <net-nds/389-ds-base- fails to build in hardened selinux profile
Summary: <net-nds/389-ds-base- fails to build in hardened selinux profile
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
Depends on: 445974
Reported: 2012-12-01 14:04 UTC by Reto Gantenbein (ganto)
Modified: 2015-09-06 14:51 UTC (History)

See Also:
Package list:
Runtime testing required: ---

Fix against selinux/Makefile to use current SELINUXTYPE instead of hardcoded "targeted" (389-ds-base-,724 bytes, text/plain)
2012-12-03 10:02 UTC, Sven Vermeulen (RETIRED)
Ebuild fix for selinux (389-ds-base-,1.34 KB, patch)
2012-12-03 10:12 UTC, Sven Vermeulen (RETIRED)
Ebuild patch to use sec-policy/selinux-dirsrv instead (389-ds-base-use-selinux-dirsrv-policy.patch,2.12 KB, patch)
2013-03-10 19:29 UTC, Sven Vermeulen (RETIRED)

Description Reto Gantenbein (ganto) 2012-12-01 14:04:03 UTC
Installing net-nds/389-ds-base- when running the 'hardened/linux/amd64/no-multilib/selinux' profile fails. SELinux is run in permissive mode.

Reproducible: Always

Steps to Reproduce:
1. emerge =net-nds/389-ds-base-
Actual Results:  
make -j3 -f selinux/Makefile 
if [ ! -e /usr/share/selinux/targeted/include/Makefile ]; then echo "You need to install the SELinux policy development tools (selinux-policy)" && exit 1; fi
make -f /usr/share/selinux/targeted/include/Makefile all || exit 1;
make[1]: Entering directory `/var/tmp/portage/net-nds/389-ds-base-'
/bin/sh: tmp/dirsrv.mod.fc: No such file or directory
make[1]: *** [tmp/dirsrv.mod.fc] Error 1
make[1]: *** Waiting for unfinished jobs....
selinux/dirsrv.if:13: Error: duplicate definition of dirsrv_domtrans(). Original definition on 13.
selinux/dirsrv.if:36: Error: duplicate definition of dirsrv_signal(). Original definition on 36.
selinux/dirsrv.if:55: Error: duplicate definition of dirsrv_signull(). Original definition on 55.
selinux/dirsrv.if:73: Error: duplicate definition of dirsrv_manage_log(). Original definition on 73.
selinux/dirsrv.if:93: Error: duplicate definition of dirsrv_manage_var_lib(). Original definition on 93.
selinux/dirsrv.if:111: Error: duplicate definition of dirsrv_manage_var_run(). Original definition on 111.
selinux/dirsrv.if:130: Error: duplicate definition of dirsrv_pid_filetrans(). Original definition on 130.
selinux/dirsrv.if:148: Error: duplicate definition of dirsrv_read_var_run(). Original definition on 148.
selinux/dirsrv.if:166: Error: duplicate definition of dirsrv_manage_config(). Original definition on 166.
selinux/dirsrv.if:185: Error: duplicate definition of dirsrv_read_share(). Original definition on 185.
make[1]: Leaving directory `/var/tmp/portage/net-nds/389-ds-base-'
make: *** [all] Error 1
emake failed
 * ERROR: net-nds/389-ds-base- failed (compile phase):
 *    build selinux policy failed
 * Call stack:
 *, line  93:  Called src_compile
 *   environment, line 3256:  Called die
 * The specific snippet of code:
 *           emake -f selinux/Makefile || die " build selinux policy failed";

Expected Results:  
389-ds-base would install fine

Portage (hardened/linux/amd64/no-multilib/selinux, gcc-4.5.4, glibc-2.15-r3, 3.5.4-hardened-r1-domU x86_64)
System uname: Linux-3.5.4-hardened-r1-domU-x86_64-AMD_Athlon-tm-_II_X4_615e_Processor-with-gentoo-2.1
Timestamp of tree: Sat, 01 Dec 2012 03:00:01 +0000
ld GNU ld (GNU Binutils) 2.22
app-shells/bash:          4.2_p37
dev-lang/python:          2.7.3-r2, 3.2.3
dev-util/pkgconfig:       0.27.1
sys-apps/baselayout:      2.1-r1
sys-apps/openrc:          0.11.6
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.13, 2.68
sys-devel/automake:       1.9.6-r3, 1.11.6
sys-devel/binutils:       2.22-r1
sys-devel/gcc:            4.5.4
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r3
sys-kernel/linux-headers: 3.6 (virtual/os-headers)
sys-libs/glibc:           2.15-r3
Repositories: gentoo linuxmonk
CFLAGS="-O2 -pipe -fomit-frame-pointer -msse -msse2 -mmmx"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe -fomit-frame-pointer -msse -msse2 -mmmx"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch protect-owned sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox"
FFLAGS="-O2 -pipe"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
USE="acl aio amd64 audit bash-completion berkdb bzip2 caps cli cracklib crypt cups cxx dri gdbm hardened iconv ipv6 justify mmx modules mudflap ncurses nls nptl open_perms pam pax_kernel pcre pppd readline selinux session sse sse2 ssl symlink tcpd unicode urandom vim-syntax xattr zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" DRACUT_MODULES="lvm syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" GRUB_PLATFORMS="pc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="en" PHP_TARGETS="php5-3" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_2" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-03 08:44:52 UTC
I guess you're running with a policy of strict, mcs or mls?

If so, I'll draft up a patch to check the policy dir that is in use, but know that, if you ever switch towards a different profile, you might need to rebuild the package.
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-03 10:02:38 UTC
Created attachment 331284 [details]
Fix against selinux/Makefile to use current SELINUXTYPE instead of hardcoded "targeted"

This fixes the build system to correctly parse the current loaded policy type (be it strict, targeted, mcs or mls).

Second fix on ebuild will follow shortly.
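As an added example (not the attachment from this bug and not 389-ds-base's own selinux/Makefile), the shell logic below shows the shape of the fix comment 2 describes: read SELINUXTYPE from the system's SELinux configuration and derive the policy development include directory from it, instead of hardcoding /usr/share/selinux/targeted/. It assumes the usual /etc/selinux/config layout with a SELINUXTYPE=<type> line and development headers under /usr/share/selinux/<type>/include; the config file it parses is constructed sample data, and the optional root prefix on the presence check is there so the check can be exercised against a staging directory rather than the live system.

```shell
#!/bin/sh
# Added example, not the attachment from this bug nor 389-ds-base's own
# selinux/Makefile: resolve the SELinux policy type from the system
# configuration instead of hardcoding "targeted", then locate the policy
# development Makefile under it.
#
# Assumptions: /etc/selinux/config carries a "SELINUXTYPE=<type>" line,
# and the development headers live in /usr/share/selinux/<type>/include.

# Print the configured policy type; "targeted" only as a last-resort default.
# $1: config file to read (defaults to /etc/selinux/config)
selinux_policy_type() {
    cfg="${1:-/etc/selinux/config}"
    ptype=""
    if [ -r "$cfg" ]; then
        # Skip comment lines, keep the last SELINUXTYPE= assignment,
        # and strip surrounding whitespace and quotes (SELINUXTYPE="mcs").
        ptype=$(sed -n 's/^[[:space:]]*SELINUXTYPE[[:space:]]*=//p' "$cfg" \
                | tail -n 1 | tr -d '[:space:]"'"'")
    fi
    printf '%s\n' "${ptype:-targeted}"
}

# Print the policy development include directory for a policy type.
selinux_devel_dir() {
    printf '%s\n' "/usr/share/selinux/$1/include"
}

# Succeed only if the development Makefile for policy type $1 exists.
# $2: optional root prefix (staging directory) instead of the live system.
selinux_devel_present() {
    [ -e "${2:-}$(selinux_devel_dir "$1")/Makefile" ]
}

# Write a constructed config file (sample data, not a real system file).
write_demo_config() {
    cat > "$1" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=permissive
# SELINUXTYPE=targeted   (commented out: must be ignored)
SELINUXTYPE=strict
EOF
}

# Demo: a strict-policy host where the build used to look under .../targeted/.
demo_cfg=$(mktemp)
write_demo_config "$demo_cfg"
ptype=$(selinux_policy_type "$demo_cfg")
echo "SELINUXTYPE resolved to: $ptype"
echo "devel Makefile expected at: $(selinux_devel_dir "$ptype")/Makefile"
if selinux_devel_present "$ptype"; then
    echo "policy development headers found"
else
    echo "You need to install the SELinux policy development headers for '$ptype'" >&2
fi
rm -f "$demo_cfg"
```

The fallback to "targeted" only applies when no SELINUXTYPE is configured at all; on a host running strict, mcs or mls the resolved directory follows the configured type, which is exactly what the hardcoded path in the original Makefile got wrong.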
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-03 10:12:21 UTC
Created attachment 331286 [details, diff]
Ebuild fix for selinux

This updates the ebuild to include the patch (and drops the previous selinux-related patch as it is now obsolete) and also loads in the policy. It drops the FEATURES="loadpolicy" part (as we don't support that anymore).
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-03 10:17:36 UTC
The above patches should help, but I haven't been able to test them yet.

What we can also do is to move the SELinux policy from the package into its own (sec-policy/selinux-dirsrv) and (R)DEPEND on it. That will simplify the ebuild and build, and is more in line with how other packages work. It does require a small patch against the build system of 389-ds-base to make the selinux-based build (i.e. selinux/Makefile) a NOOP.

It will also allow us to manage the policy similarly to others (including fixing policy issues) so that the 389-ds-base package doesn't need to be bumped for every SELinux policy change made.

The downside is however that, if the 389-ds-base package provides an updated policy, we will not include it until we detect that and update our policy repository ourselves.
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-03 10:19:15 UTC
Fabio, what's your take on this? Update the ebuild/Makefiles to continue including and loading the SELinux policy provided by the package, or update the ebuild/Makefiles to use sec-policy/selinux-dirsrv and move the SELinux policy stuff into our policy repository?
Comment 6 Fabio Erculiani (RETIRED) gentoo-dev 2012-12-03 19:36:18 UTC
It doesn't make any difference to me, feel free to implement it the way you like more.
Comment 7 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-04 19:15:04 UTC
Ok, I'll include the dirsrv in our repository and manage it like we manage our other policy modules. I'll post the update against the ebuild/fix when I've finished that.
Comment 8 Sven Vermeulen (RETIRED) gentoo-dev 2013-03-10 19:29:21 UTC
Created attachment 341592 [details, diff]
Ebuild patch to use sec-policy/selinux-dirsrv instead

This is a patch against the ebuild to remove building the 389-ds-base provided policy, and instead relying on the sec-policy/selinux-dirsrv that we offer. This simplifies the build somewhat, as it doesn't need to take care of SELinux stuff anymore (except for still enabling --with-selinux).
Comment 9 Sven Vermeulen (RETIRED) gentoo-dev 2013-08-22 17:17:26 UTC
Fixed in CVS.
Comment 10 Fabio Erculiani (RETIRED) gentoo-dev 2013-08-23 05:50:54 UTC
Thanks swift for taking care of this. Sorry, I've been busy this month!
Much appreciated!
Comment 11 Sven Vermeulen (RETIRED) gentoo-dev 2015-09-06 14:51:09 UTC
Marking as fixed as 389-ds-base has no stable packages (so no need to wait until stabilization).