Following the instructions at http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml , I recompiled the kernel with PaX, rebooted, added "hardened pic" to USE, and ran emerge binutils gcc virtual/libc. During compilation of the gcc package (after a few minutes), there's a configure that runs on libstdc++ (so it seems), that reports itself as not being able to create an a.out executable. While this is happening, I also get the following permission denied message from selinux:
audit(1116915430.943:0): avc: denied { execmem } for pid=21146 comm=a.out scontext=root:sysadm_r:portage_t tcontext=root:sysadm_r:portage_t tclass=process
Putting selinux into permissive mode (echo 0 > /selinux/enforce) did NOT help. (same problem)
Using FEATURES="-sandbox" did NOT help. (same problem)
Using USE="-hardened -pic" did NOT help. (same problem)
Trying ACCEPT_KEYWORDS="~amd64" to compile the unstable gcc yields the exact same error.
Probably not a PaX problem, because I see no error from PaX on dmesg?
Using ===> USE="-multilib" emerge gcc <=== the merge is success (with, of course, no support for compiling of 32bit executables...)
Reproducible: Always
Steps to Reproduce:
1. Use a profile that has "multilib" in USE (for instance selinux/2004.1/amd64)
2. emerge gcc
Actual Results:
checking for a BSD-compatible install... /bin/install -c
checking whether build environment is sane... yes
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking for x86_64-pc-linux-gnu-gcc... /var/tmp/portage/gcc-3.4.3-r1/work/build/gcc/xgcc -B/var/tmp/portage/gcc-3.4.3-r1/work/build/gcc/ -B/usr/x86_64-pc-linux-gnu/bin/ -B/usr/x86_64-pc-linux-gnu/lib/ -isystem /usr/x86_64-pc-linux-gnu/include -isystem /usr/x86_64-pc-linux-gnu/sys-include -m32
checking for C compiler default output file name... a.out
checking whether the C compiler works... configure: error: cannot run C compiled programs.
If you meant to cross compile, use `--host'.
See `config.log' for more details.
make[1]: *** [configure-target-libstdc++-v3] Error 1
make[1]: Leaving directory `/var/tmp/portage/gcc-3.4.3-r1/work/build'
make: *** [profiledbootstrap] Error 2
!!! ERROR: sys-devel/gcc-3.4.3-r1 failed.
!!! Function gcc_do_make, Line 1161, Exitcode 2
!!! emake failed with profiledbootstrap
Expected Results:
Successful compile of gcc.
Portage 2.0.51.22-r1 (selinux/2004.1/amd64, gcc-3.4.3, glibc-2.3.4.20041102-r1, 2.6.11-hardened-r13 x86_64)
=================================================================
System uname: 2.6.11-hardened-r13 x86_64 AMD Opteron(tm) Processor 248
Gentoo Base System version 1.6.12
dev-lang/python: 2.3.5
sys-apps/sandbox: 1.2.8
sys-devel/autoconf: 2.13, 2.59-r6
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.5
sys-devel/binutils: 2.15.92.0.2-r8
sys-devel/libtool: 1.5.16
virtual/os-headers: 2.6.8.1-r4
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O3"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O3"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks loadpolicy sandbox selinux sfperms strict"
GENTOO_MIRRORS="http://mirror.hamakor.org.il/pub/mirrors/gentoo/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="amd64 apache2 berkdb calendar crypt emul-linux-x86 exif ftp gd geoip gif gpm hardened iconv imagemagick innodb ipv6 jpeg libwww lm_sensors memlimit mmap multilib mysql ncurses nls pam perl php pic png python readline selinux session sqlite ssl tcpd tiff zlib userland_GNU kernel_linux elibc_glibc"
Unset: ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTDIR_OVERLAY
*** This bug has been marked as a duplicate of 86123 ***
what version of emul-linux-x86-glibc do you have?
# emerge search emul-linux-x86-glibc
Searching...
[ Results for search key : emul-linux-x86-glibc ]
[ Applications found : 1 ]
* app-emulation/emul-linux-x86-glibc
Latest version available: 2.3.4.20041102
Latest version installed: 2.3.4.20041102
Size of downloaded files: 11,380 kB
Homepage: http://www.gentoo.org/
Description: GNU C Library for emulation of 32bit x86 on amd64
License: GPL-2
If it helps, here are the Contents of the file ./build/x86_64-pc-linux-gnu/32/libstdc++-v3/config.log :
# grep configure\: config.log
configure:1280: creating cache ./config.cache
configure:1504: checking build system type
configure:1522: result: x86_64-pc-linux-gnu
configure:1530: checking host system type
configure:1544: result: x86_64-pc-linux-gnu
configure:1552: checking target system type
configure:1566: result: x86_64-pc-linux-gnu
configure:1614: checking for a BSD-compatible install
configure:1669: result: /bin/install -c
configure:1680: checking whether build environment is sane
configure:1723: result: yes
configure:1756: checking for gawk
configure:1772: found /bin/gawk
configure:1782: result: gawk
configure:1792: checking whether make sets $(MAKE)
configure:1812: result: yes
configure:2043: checking for x86_64-pc-linux-gnu-gcc
configure:2069: result: /var/tmp/portage/gcc-3.4.3-r1/work/build/gcc/xgcc -B/var/tmp/portage/gcc-3.4.3-r1/work/build/gcc/ -B/usr/x86_64-pc-linux-gnu/bin/ -B/usr/x86_64-pc-linux-gnu/lib/ -isystem /usr/x86_64-pc-linux-gnu/include -isystem /usr/x86_64-pc-linux-gnu/sys-include -m32
configure:2351: checking for C compiler version
configure:2354: /var/tmp/portage/gcc-3.4.3-r1/work/build/gcc/xgcc -B/var/tmp/portage/gcc-3.4.3-r1/work/build/gcc/ -B/usr/x86_64-pc-linux-gnu/bin/ -B/usr/x86_64-pc-linux-gnu/lib/ -isystem /usr/x86_64-pc-linux-gnu/include -isystem /usr/x86_64-pc-linux-gnu/sys-include -m32 --version </dev/null >&5
configure:2357: $? = 0
configure:2359: /var/tmp/portage/gcc-3.4.3-r1/work/build/gcc/xgcc -B/var/tmp/portage/gcc-3.4.3-r1/work/build/gcc/ -B/usr/x86_64-pc-linux-gnu/bin/ -B/usr/x86_64-pc-linux-gnu/lib/ -isystem /usr/x86_64-pc-linux-gnu/include -isystem /usr/x86_64-pc-linux-gnu/sys-include -m32 -v </dev/null >&5
configure:2362: $? = 0
configure:2364: /var/tmp/portage/gcc-3.4.3-r1/work/build/gcc/xgcc -B/var/tmp/portage/gcc-3.4.3-r1/work/build/gcc/ -B/usr/x86_64-pc-linux-gnu/bin/ -B/usr/x86_64-pc-linux-gnu/lib/ -isystem /usr/x86_64-pc-linux-gnu/include -isystem /usr/x86_64-pc-linux-gnu/sys-include -m32 -V </dev/null >&5
configure:2367: $? = 1
configure:2390: checking for C compiler default output file name
configure:2393: /var/tmp/portage/gcc-3.4.3-r1/work/build/gcc/xgcc -B/var/tmp/portage/gcc-3.4.3-r1/work/build/gcc/ -B/usr/x86_64-pc-linux-gnu/bin/ -B/usr/x86_64-pc-linux-gnu/lib/ -isystem /usr/x86_64-pc-linux-gnu/include -isystem /usr/x86_64-pc-linux-gnu/sys-include -m32 -O2 -O2 -O2 -O2 conftest.c >&5
configure:2396: $? = 0
configure:2442: result: a.out
configure:2447: checking whether the C compiler works
configure:2453: ./a.out
configure:2456: $? = 127
configure:2465: error: cannot run C compiled programs.
configure: exit 1
This bug is still there. I am trying to get up to 2005.0, and now need a multilib gcc.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
My command:
USE="multilib" FEATURES="-sandbox" emerge gcc
(doesn't matter if sandbox is there or not. same problem)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
My failure:
checking whether the C compiler works... configure: error: cannot run C compiled programs.
If you meant to cross compile, use `--host'.
See `config.log' for more details.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
My config.log (/var/tmp/portage/gcc-3.4.3-r1/work/build/x86_64-pc-linux-gnu/32/libstdc++-v3/config.log)
configure:2447: checking whether the C compiler works
configure:2453: ./a.out
/var/tmp/portage/gcc-3.4.3-r1/work/gcc-3.4.3/libstdc++-v3/configure: line 2454: ./a.out: cannot execute binary file
configure:2456: $? = 126
configure:2465: error: cannot run C compiled programs.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
My info
Portage 2.0.51.19 (default-linux/amd64/2004.3, gcc-3.4.3, glibc-2.3.4.20041102-r1, 2.6.9-gentoo-r14 x86_64)
=================================================================
System uname: 2.6.9-gentoo-r14 x86_64 AMD Opteron(tm) Processor 844
Gentoo Base System version 1.4.16
Python: dev-lang/python-2.3.5 [2.3.5 (#1, Jun 2 2005, 20:56:27)]
dev-lang/python: 2.3.5
sys-apps/sandbox: [Not Present]
sys-devel/autoconf: 2.13, 2.59-r6
sys-devel/automake: 1.9.5, 1.5, 1.8.5-r3, 1.6.3, 1.7.9-r1, 1.4_p6
sys-devel/binutils: 2.15.92.0.2-r10
sys-devel/libtool: 1.5.16
virtual/os-headers: 2.6.8.1-r4
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CFLAGS="-march=k8 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=k8 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://gentoo.ccccom.com http://mirror.usu.edu/mirrors/gentoo/ http://csociety-ftp.ecn.purdue.edu/pub/gentoo/ http://mirror.tucdemonic.org/gentoo/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="amd64 acpi alsa apache2 berkdb bitmap-fonts crypt emacs font-server fortran gdbm gif gpm ipv6 jp2 jpeg libwww lzw lzw-tiff mp3 ncurses nls opengl oss pam perl php png postgres postgresql python readline slang ssl tcpd tiff truetype truetype-fonts type1-fonts usb userlocales xml2 xpm xrandr xv zlib userland_GNU kernel_linux elibc_glibc"
Unset: ASFLAGS, CBUILD, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTDIR_OVERLAY
I am changing severity to major. Currently I cannot compile the very basic GRUB program (which requires 32bit) which one would need to boot his system!
shimi, can you please attach the config.log?
Created attachment 62579: /var/tmp/portage/gcc-3.4.3-r1/work/build/x86_64-pc-linux-gnu/32/libstdc++-v3/config.log
It's not finding your 32bit libc. Please provide the contents of /etc/ld.so.conf, /etc/env.d/*emul*, and 'equery files emul-linux-x86-glibc'
Created attachment 62613: /etc/env.d/40emul-linux-x86-glibc
Created attachment 62614: /etc/ld.so.conf
Created attachment 62615: equery files emul-linux-x86-glibc
ok, can you create test.c:
int main() { return 0; }
then compile it with:
gcc -m32 test.c
tell me the output of:
ldd a.out
also, attach the result of:
ldconfig -v
*** Bug 94619 has been marked as a duplicate of this bug. ***
# gcc -m32 test.c
/usr/lib/gcc/x86_64-pc-linux-gnu/3.4.3/../../../../x86_64-pc-linux-gnu/bin/ld: skipping incompatible /usr/lib/gcc/x86_64-pc-linux-gnu/3.4.3/./libgcc.a when searching for -lgcc
/usr/lib/gcc/x86_64-pc-linux-gnu/3.4.3/../../../../x86_64-pc-linux-gnu/bin/ld: skipping incompatible /usr/lib/gcc/x86_64-pc-linux-gnu/3.4.3/libgcc.a when searching for -lgcc
/usr/lib/gcc/x86_64-pc-linux-gnu/3.4.3/../../../../x86_64-pc-linux-gnu/bin/ld: skipping incompatible /usr/lib/gcc/x86_64-pc-linux-gnu/3.4.3/./libgcc.a when searching for -lgcc
/usr/lib/gcc/x86_64-pc-linux-gnu/3.4.3/../../../../x86_64-pc-linux-gnu/bin/ld: skipping incompatible /usr/lib/gcc/x86_64-pc-linux-gnu/3.4.3/libgcc.a when searching for -lgcc
/usr/lib/gcc/x86_64-pc-linux-gnu/3.4.3/../../../../x86_64-pc-linux-gnu/bin/ld: cannot find -lgcc
collect2: ld returned 1 exit status
Obviously there's no a.out... I don't see why this should work if I don't currently have multilib installed...
# ldconfig -v
ldconfig: Path `/usr/local/lib' given more than once
ldconfig: Path `/emul/linux/x86/lib' given more than once
ldconfig: Path `/emul/linux/x86/usr/lib' given more than once
ldconfig: Path `/lib' given more than once
ldconfig: Path `/lib64' given more than once
ldconfig: Path `/usr/lib' given more than once
ldconfig: Path `/usr/lib64' given more than once
Heh... sorry about that. Use the stage1 xgcc instead of gcc:
/var/tmp/portage/gcc-3.4.3-r1/work/build/gcc/xgcc -m32 test.c
ldd a.out
That gives me the same error. If it helps:
# file /var/tmp/portage/gcc-3.4.3-r1/work/build/gcc/xgcc
/var/tmp/portage/gcc-3.4.3-r1/work/build/gcc/xgcc: ELF 64-bit LSB shared object, AMD x86-64, version 1 (SYSV), not stripped
One more thing: in the beginning, I got:
bash: /var/tmp/portage/gcc-3.4.3-r1/work/build/gcc/xgcc: Permission denied
Found out that SELinux blocked it (which is kinda funny, considering I am root and sysadm_r):
audit(1120542631.905:0): avc: denied { execute } for pid=22959 exe=/bin/bash name=xgcc dev=md2 ino=6068916 scontext=shimi:sysadm_r:sysadm_t tcontext=shimi:object_r:portage_tmp_t tclass=file
I had to put SELinux in permissive mode for this to work. This could actually be OK, as I guess nobody is supposed to run stuff inside /var/tmp/portage besides portage itself... but go figure :)
Just to make sure, I tried re-doing emerge gcc with SELinux off; Still got the same problem ;-)
so... why can't you execute /var/tmp/portage/gcc-3.4.3-r1/work/build/gcc/xgcc???
First line in comment 17... "same error":
# /var/tmp/portage/gcc-3.4.3-r1/work/build/gcc/xgcc -m32 test.c
/usr/lib/gcc/x86_64-pc-linux-gnu/3.4.3/../../../../x86_64-pc-linux-gnu/bin/ld: skipping incompatible /usr/lib/gcc/x86_64-pc-linux-gnu/3.4.3/./libgcc.a when searching for -lgcc
/usr/lib/gcc/x86_64-pc-linux-gnu/3.4.3/../../../../x86_64-pc-linux-gnu/bin/ld: skipping incompatible /usr/lib/gcc/x86_64-pc-linux-gnu/3.4.3/libgcc.a when searching for -lgcc
/usr/lib/gcc/x86_64-pc-linux-gnu/3.4.3/../../../../x86_64-pc-linux-gnu/bin/ld: skipping incompatible /usr/lib/gcc/x86_64-pc-linux-gnu/3.4.3/./libgcc.a when searching for -lgcc
/usr/lib/gcc/x86_64-pc-linux-gnu/3.4.3/../../../../x86_64-pc-linux-gnu/bin/ld: skipping incompatible /usr/lib/gcc/x86_64-pc-linux-gnu/3.4.3/libgcc.a when searching for -lgcc
/usr/lib/gcc/x86_64-pc-linux-gnu/3.4.3/../../../../x86_64-pc-linux-gnu/bin/ld: cannot find -lgcc
collect2: ld returned 1 exit status
Ok... sorry... try this one:
/var/tmp/portage/gcc-3.4.3-r1/work/build/gcc/xgcc -B/var/tmp/portage/gcc-3.4.3-r1/work/build/gcc/ -B/usr/x86_64-pc-linux-gnu/bin/ -B/usr/x86_64-pc-linux-gnu/lib/ -isystem /usr/x86_64-pc-linux-gnu/include -isystem /usr/x86_64-pc-linux-gnu/sys-include -m32 test.c
same error :) shouldn't I be referencing stuff in /var/tmp/portage instead of in the "global wide" paths?
After working with eradicator (Jeremy Huddleston) on IRC, we found out that a test program compiled with:
/var/tmp/portage/gcc-3.4.3-r1/work/build/gcc/xgcc -B/var/tmp/portage/gcc-3.4.3-r1/work/build/gcc/ -B/usr/x86_64-pc-linux-gnu/bin/ -B/usr/x86_64-pc-linux-gnu/lib/ -isystem /usr/x86_64-pc-linux-gnu/include -isystem /usr/x86_64-pc-linux-gnu/sys-include -fPIC -m32 test.c
Fails to run, saying:
./a.out: error while loading shared libraries: /lib32/libc.so.6: cannot apply additional memory protection after relocation: Permission denied
paxctl -m a.out [disabling MPROTECT] fixes this.
selinux is in permissive mode during the test.
Hardened people?
oops! re. comment 22, the -fPIC is something that I added to test something. anyways, with or without it, same Permission denied on MPROTECT. Sorry for all the comment spam :)
(In reply to comment #23)
> Permission denied on MPROTECT.
Now we are starting to get somewhere. Keep exploring that route please.
strace -emmap,mprotect failing app etc..
Downgrade Severity all the way. Hardened does not even have a multilib profile.
Solar, Your command gives me just that:
# strace -emmap,mprotect ./a.out
[ Process PID=9863 runs in 32 bit mode. ]
./a.out: error while loading shared libraries: /lib32/libc.so.6: cannot apply additional memory protection after relocation: Permission denied
Just strace, with no parameters:
# strace ./a.out
execve("./a.out", ["./a.out"], [/* 24 vars */]) = 0
[ Process PID=9844 runs in 32 bit mode. ]
uname({sys="Linux", node="hurricane", ...}) = 0
brk(0) = 0x1801afb0
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(0x3, 0xffffcaf4) = 0
mmap2(NULL, 20866, PROT_READ, MAP_PRIVATE, 3, 0) = 0x6034c000
close(3) = 0
open("/lib32/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@U\1\000"..., 512) = 512
fstat64(0x3, 0xffffcb74) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x60352000
mmap2(NULL, 1154436, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x60353000
mmap2(0x60467000, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x114) = 0x60467000
mmap2(0x6046b000, 7556, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x6046b000
close(3) = 0
mprotect(0x60467000, 4096, PROT_READ) = -1 EACCES (Permission denied)
writev(2, [{ptrace: umoven: Input/output error 0x7ffffd73b, 10203986407}, {ptrace: umoven: Input/output error 0x246034926c, 10203986411}, {ptrace: umoven: Input/output error 0x106034bdc0, 10203986402}, {ptrace: umoven: Input/output error 0x3a60346980, 10203986402}, {ptrace: umoven: Input/output error 0x1160347dc2, 5909019127}, {NULL, 0}, {NULL, 0}, {NULL, 0}, {NULL, 0}, {NULL, 0}], 10./a.out: error while loading shared libraries: /lib32/libc.so.6: cannot apply additional memory protection after relocation: Permission denied
) = 143
exit_group(127) = ?
Chances are this is coming from the amd64 kernel internal handling of READ_IMPLIES_EXEC.
shimi, can you try rebooting adding noexec32 to your boot commandline.
Also can you please do a readelf -d /lib32/libc.so
noexec32=on
noexec32=off
are valid options. Actually it appears that (all|on|off|stack|force|compat) are valid options as of 2.6.9
Also please change that readelf -d to a scanelf -a (scanelf comes from pax-utils package)
The libc may have incorrect gnu stack markings or the libc.so.6 might have textrels. scanelf will show us.
Solar, No can do about the reboot. Production machine that really shouldn't ever go down...
About your other request:
# scanelf -a /lib32/libc.so.6
TYPE PAX STK/REL/PTL TEXTREL RPATH NEEDED INTERP BIND FILE
ET_DYN ---xe- RW- R-- RW- - - ld-linux.so.2 /lib/ld-linux.so.2 NOW /lib32/libc.so.6
*** Bug 89204 has been marked as a duplicate of this bug. ***
I added noexec32=on to my kernel command line, and now I can run programmes compiled with -m32 without doing paxctl -m on them, which means that the gcc compile process should run fine now.
(In reply to comment #31)
> I added noexec32=on to my kernel command line, and now I can run programmes
> compiled with -m32 without doing paxctl -m on them, which means that the gcc
> compile process should run fine now.
Milan, Thanks for confirming. You should do a 'scanelf -xlpyqR' to see what all you -m and change it back now. noexec32=on by default handling should be added to the 2.6.13 pax release when it's ready. In the mean time I would probably add the appended kernel command line to your grub or other bootloader. Sorry but multilib can not be supported on amd64 for hardened till such time as the kernel is prepared to work like this by default.
the PaX (and also grsecurity) test versions for 2.6.13/14 should fix this by flipping the default noexec32 behaviour. this used to add PROT_EXEC to every mmap(PROT_READ) and mmap(PROT_READ|PROT_WRITE) request. the latter is used when mapping the ELF segment containing data/bss, and later part of it is turned into a PROT_READ mapping (this is the so-called RELRO support that hardened enables by default, iirc), except the final mprotect(PROT_READ) would be turned into a mprotect(PROT_READ|PROT_EXEC) behind the scenes in the kernel (the old noexec32 behaviour), which would then be denied by PaX because it's a request to turn a previously writable mapping into an executable one. turning off MPROTECT helped before because that's the exact control over runtime code generation (and something you don't want to give to everyone and his dog, only apps that absolutely need it, like java).
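The interaction described in the comment above, as an added example (not code from PaX, the kernel, or anyone in this thread): a simplified C model of how the old noexec32 default and PaX MPROTECT combine on the RELRO mmap/mprotect pair seen in the strace. The struct and function names are hypothetical, and the rule that a mapping created writable can never become executable under MPROTECT is the model's assumption, taken from that comment.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/mman.h>

/* Simplified model, not kernel or PaX source. All names are hypothetical. */
struct policy {
    bool read_implies_exec; /* old 32-bit default: PROT_READ also means PROT_EXEC */
    bool pax_mprotect;      /* PaX MPROTECT active (paxctl -m turns it off) */
};

struct mapping {
    int  prot;     /* protection currently in effect */
    bool may_exec; /* may this mapping ever be made executable? */
};

/* The request as the kernel acts on it after the old noexec32 default. */
static int effective_prot(const struct policy *p, int prot)
{
    if (p->read_implies_exec && (prot & PROT_READ))
        prot |= PROT_EXEC;
    return prot;
}

/* Assumption: under MPROTECT a mapping created writable is handed back
 * without exec and can never gain it later. This matches the strace,
 * where the PROT_READ|PROT_WRITE mmap2 calls succeed. */
static int model_mmap(const struct policy *p, struct mapping *m, int prot)
{
    prot = effective_prot(p, prot);
    m->may_exec = true;
    if (p->pax_mprotect && (prot & PROT_WRITE)) {
        prot &= ~PROT_EXEC;
        m->may_exec = false;
    }
    m->prot = prot;
    return 0;
}

/* mprotect: asking for exec on a mapping that may not have it is denied. */
static int model_mprotect(const struct policy *p, struct mapping *m, int prot)
{
    prot = effective_prot(p, prot);
    if (p->pax_mprotect && (prot & PROT_EXEC) && !m->may_exec)
        return -EACCES;
    m->prot = prot;
    return 0;
}

/* The RELRO pair from the strace: data segment mapped read-write, then
 * part of it turned read-only. Returns 0 or -EACCES. */
int relro_sequence(bool read_implies_exec, bool pax_mprotect)
{
    struct policy p = { read_implies_exec, pax_mprotect };
    struct mapping data;

    if (model_mmap(&p, &data, PROT_READ | PROT_WRITE) != 0)
        return -1;
    return model_mprotect(&p, &data, PROT_READ);
}

int main(void)
{
    printf("old default + MPROTECT : %d\n", relro_sequence(true, true));
    printf("noexec32=on + MPROTECT : %d\n", relro_sequence(false, true));
    printf("old default, paxctl -m : %d\n", relro_sequence(true, false));
    return 0;
}
```

Only the first case fails, which is why both workarounds in the thread work; of the two, noexec32=on is the one that leaves MPROTECT enforcing.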
Appears this bug was fixed one way or another ages ago. Closing as FIXED, re-open if I'm wrong. Thanks.