Gentoo Forums
Can't get PAM to compile after upgrading to SELinux
Rikai
n00b
Joined: 05 Feb 2005
Posts: 65
Location: Huntsville, AL

Posted: Wed May 24, 2006 4:37 pm    Post subject: Can't get PAM to compile after upgrading to SELinux

I'm creating a firewall/proxy server, using the hardened SELinux profile.

I did an emerge -e world yesterday, to make sure that everything had been compiled with PIE/SSP. Everything compiles, except for tcp-wrappers and pam. tcp-wrappers gets an error in sandbox, but when I go through the steps manually using ebuild (from Sandbox Troubleshooting), it seems to install OK.

PAM, however, fails to compile. I've tried both the x86 (0.78-r3) and ~x86 (0.78-r5) versions. Watching it, it looks like it compiles one set of programs, which works ok, and then runs another configure, and begins to compile something else. This is where it fails. I get the error message:
Code:
pam_unix_passwd.c: In function '_unix_run_shadow_binary':
pam_unix_passwd.c:278: error: invalid lvalue in assignment

This error is repeated for every line in pam_unix_passwd.c where SELINUX_ENABLED is used, with the function names changed as appropriate, of course. Looking through pam_unix_passwd.c, nothing seems wrong to me, though I'm not some amazing C hacker.

After error messages about invalid lvalues appear these errors:
Code:
pam_unix_passwd.c: In function '_pam_unix_approve_pass':
pam_unix_passwd.c:955: warning: dereferencing type-punned pointer will break strict-aliasing rules
pam_unix_passwd.c: In function 'pam_sm_chauthtok':
pam_unix_passwd.c:1163: warning: dereferencing type-punned pointer will break strict-aliasing rules
pam_unix_passwd.c:1166: warning: dereferencing type-punned pointer will break strict-aliasing rules


I hesitate to post a bug, because no one else seems to have this problem, but I created my system following the SELinux HOWTO closely, and I'm sure the combination of hardened gentoo and SELinux is not rare. I did, however, have to unmask new versions of libselinux (1.30) and libsepol (1.12-r1) in order for portage to stop getting the "!!! SELinux module not found. Please verify that it was installed." error. So I'm fairly certain that there's just a problem with my configuration somewhere.

If anyone can tell me where I've gone wrong, I'd love to know... I don't want to reboot at the moment, in case PAM is now broken. Being able to log in is a good thing :)

Here's my emerge --info
Code:
Portage 2.1_rc2-r2 (selinux/2005.1/x86/hardened, gcc-4.1.1-pre20060517, glibc-2.4-r3, 2.6.14-hardened-r8 i686)
=================================================================
System uname: 2.6.14-hardened-r8 i686 Pentium III (Coppermine)
Gentoo Base System version 1.6.14
ccache version 2.3 [enabled]
dev-lang/python:     2.4.2
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  0.4.2-r1
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium3 -O2 -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/eselect/compiler /etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=pentium3 -O2 -fomit-frame-pointer -pipe -fvisibility-inlines-hidden"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache confcache distlocks metadata-transfer sandbox selinux sfperms strict userpriv usersandbox"
GENTOO_MIRRORS="http://gentoo.osuosl.org http://www.ibiblio.org/pub/Linux/distributions/gentoo"
LDFLAGS="-Wl,-O1 -Wl,--sort-common -s"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="berkdb chroot crypt dlloader hardened mailwrapper ncurses nls nptl nptlonly pam pic python readline selinux sftplogging ssl symlink tcpd x86 zlib elibc_glibc kernel_linux userland_GNU"
Unset:  ASFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS
Rikai
n00b
Joined: 05 Feb 2005
Posts: 65
Location: Huntsville, AL

Posted: Wed May 24, 2006 7:10 pm

Ah.... I've now realized it's even worse.

Without the selinux PAM module loaded, I can't run scripts in /etc/init.d/, among other things. It seems I can still make policy changes, and emerge new packages, so not all is lost.
Kosa
Tux's lil' helper
Joined: 03 May 2005
Posts: 106
Location: Prague

Posted: Sat Sep 02, 2006 12:14 pm

I had the same problem; downgrading to gcc 3.4.6 and glibc 2.3.6 solved it (I tried to install from the 2006.1 stage, so I went back to 2006.0).
vaxbrat
l33t
Joined: 05 Oct 2005
Posts: 731
Location: DC Burbs

Posted: Mon Sep 04, 2006 6:09 pm    Post subject: The lvalue error hit me here during the gcc 4.1.1 move

I've been working with a stable hardened profile PIII system since a few months ago and had everything emerged nicely without too much ado on 3.4.6. (now if only I could get the amount of selinux whining down a bit and get out of permissive mode). I did hit a speed bump a while back on a glibc version that borked my xorg for a while but that was taken care of at some point.

Anyhoo... I hit the pam lvalue error upgrading to gcc 4.1.1 and so far have decided to punt for the moment by just skipping it on the emerge -e system/world bit. I still have 3.4.6 installed.

I don't recall having this heartburn when 4.1.1 was unmasked on the ~amd64 a few months back. However I'm not running the hardened profile on that box. I notice Pam is at 0.78-r5 over there.
dumdey
n00b
Joined: 08 Jul 2002
Posts: 47
Location: Höchstadt, Germany

Posted: Tue Oct 24, 2006 12:51 pm

I can compile PAM with GCC 3.4.5 without a downgrade of glibc.

Regards,

Harry
_________________
http://www.k-u-h.org/harry/
dumdey
n00b
Joined: 08 Jul 2002
Posts: 47
Location: Höchstadt, Germany

Posted: Wed Nov 29, 2006 11:39 pm

There is a bug filed: https://bugs.gentoo.org/show_bug.cgi?id=150859

pam-0.78-r5 should fix it

Regards, Harry
_________________
http://www.k-u-h.org/harry/
All times are GMT