| View previous topic :: View next topic |
| Author |
Message |
sparky007
n00b
Joined: 19 Sep 2003
Posts: 15
Location: Bristol, UK
|
 Posted: Wed Dec 05, 2007 1:13 am Post subject: Can't install a hardened selinux multilib gentoo [SOLVED] |
 |
|
As the title suggests, I've been having problems with a new gentoo installation I'm trying on my amd64 machine.
I start with stage3-amd64-hardened-multilib-2007.0 and attempt to set up an appropriate profile.
As there is no profile that supports hardened, selinux and multilib, I've created one by merging the | Code: | | selinux/2007.0/amd64/hardened |
and | Code: | | hardened/amd64/multilib |
profiles (I got the idea from here).
Combined with the make.conf from my working install on the same machine, my emerge --info therefore looks like this:
| Code: |
Portage 2.1.3.19 (selinux/2007.0/amd64/multilib/hardened, gcc-3.4.6, glibc-2.3.6-r5, 2.6.22-gentoo-r8 x86_64)
=================================================================
System uname: 2.6.22-gentoo-r8 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 4200+
Timestamp of tree: Tue, 04 Dec 2007 22:30:01 +0000
app-shells/bash: 3.2_p17
dev-lang/python: 2.4.3-r4
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.9
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.60
sys-devel/automake: 1.10
sys-devel/binutils: 2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.17-r2
ACCEPT_KEYWORDS="amd64"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=athlon64 -O2 -msse3 -pipe -fforce-addr"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/terminfo"
CXXFLAGS="-march=athlon64 -O2 -msse3 -pipe -fforce-addr"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks fixpackages loadpolicy metadata-transfer sandbox selinux sesandbox sfperms strict unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://ftp.twaren.net/Linux/Gentoo/ ftp://ftp.kaist.ac.kr/gentoo/ ftp://ftp.twaren.net/Linux/Gentoo/"
LANG="en_GB@euro"
LC_ALL="en_GB@euro"
LDFLAGS="-Wl,-O1 -Wl,--sort-common -s"
LINGUAS="en_GB"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="amd64 berkdb bitmap-fonts cli cracklib crypt cups dbus dri fortran gdbm gnome gpm gtk gtk2 hal hardened iconv ipv6 isdnlog midi mmx mudflap multilib ncurses nls nptl nptlonly openmp pam pcre perl pic pppd python readline reflection selinux session spl sse sse2 ssl tcpd truetype-fonts type1-fonts unicode xorg zlib" ALSA_CARDS="intel8x0" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en_GB" USERLAND="GNU" VIDEO_CARDS="nv nvidia vesa"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
|
My problems arise when I try to rebuild the toolchain with the new profile.
I've tried various combinations of compiling linux-headers, compiling glibc, compiling gcc and setting the new profile in different orders and I always seem to get some serious problem after up to one of the packages compiles.
Examples include
- various lib files become truncated
- "configure: error: cannot run C compiled programs"
- "unable to find a libc !?"
And I'm sure there have been various other problems.
Has anyone managed to install a hardened selinux multilib gentoo and, if so, could you let me know us how it is done?
Thanks
Last edited by sparky007 on Fri Dec 07, 2007 1:16 am; edited 1 time in total |
|
| Back to top |
|
 |
kyndigen
n00b
Joined: 27 Jun 2004
Posts: 1
|
| Posted: Wed Dec 05, 2007 6:27 pm Post subject: |
|
|
(Note: I'm the original poster of the message on gentoo-hardened that you linked to. I may refer to things in that post without re-posting them here.)
First of all, you don't need to roll your own profile anymore. Just use the selinux/2007.0/amd64/hardened profile. Back when I rolled my own, multilib support was controlled by a use flag. These days it's controlled by the value of MULTILIB_ABIS that's set in make.defaults in your profile. Run "emerge --info --verbose | grep MULTILIB" to see what settings you have. If you see MULTILIB_ABIS="amd64 x86", you're golden. If you're set to the selinux/2007.0/amd64/hardend profile, you'll pick up multilib support automatically since the default-linux/amd64/2007.0 profile has it, and is included as a parent of selinux/2007.0/amd64.
My guess is that your underlying problem is with the profile setting. Try setting the profile I mentioned above (which happens to *exactly* match the stage3 you're using) and updating stuff normally. My normal update order from a clean stage3 install is:
| Code: | emerge -avu binutils
emerge -avu gcc
emerge -avu linux-headers
emerge -avu system
emerge -aDvu system
|
I've got a sandbox install that I did before I updated my server, but I can't get to it until tonight. Once I do I can post the exact stage I used, and the exact steps I took to bootstrap it. |
|
| Back to top |
|
|
sparky007
n00b
Joined: 19 Sep 2003
Posts: 15
Location: Bristol, UK
|
| Posted: Fri Dec 07, 2007 1:15 am Post subject: |
|
|
Thank you kyndigen, you gave me just the information I needed to sort this issue out.
It wasn't as simple as I was hoping for after I read your post, but I did manage to complete a rebuild of the toolchain last night and I'll post my findings here in case anyone else runs into the same problems:
NOTE: If anyone is thinking of following these steps, read through it all first as an error occurred which could be avoided by doing things in a different order.
First of all, and I think this was probably quite important, I completely stripped down the make.conf to what came with the stage3-amd64-hardened-multilib-2007.0 base + some gentoo mirror urls for pulling in packages:
So the original make.conf on my machine went from:
| Code: | CFLAGS="-march=athlon64 -O2 -msse3 -pipe"
CXXFLAGS="${CFLAGS}"
CHOST="x86_64-pc-linux-gnu"
LDFLAGS="-Wl,-O1 -Wl,--sort-common -s"
ACCEPT_KEYWORDS="amd64"
MAKEOPTS="-j3"
USE="nptlonly unicode gnome gtk gtk2 hal dbus firefox ogg flac xinerama alsa"
GENTOO_MIRRORS="http://ftp.snt.utwente.nl/pub/os/linux/gentoo http://gentoo.intergenia.de http://gentoo.tiscali.nl/"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
PORTAGE_RSYNC_RETRIES="3"
PORTAGE_RSYNC_TIMEOUT=180
PORTAGE_NICENESS=3
AUTOCLEAN="yes"
FEATURES="ccache distlocks fixpackages sandbox userpriv usersandbox"
CCACHE_SIZE="2G"
CCACHE_DIR="/var/tmp"
INPUT_DEVICES="keyboard mouse"
VIDEO_CARDS="nv nvidia vesa"
ALSA_CARDS="intel8x0"
LINGUAS="en_GB"
source /usr/portage/local/layman/make.conf
|
to a clean install version that looked like:
| Code: | CFLAGS="-O2 -pipe -fforce-addr"
CXXFLAGS="${CFLAGS}"
CHOST="x86_64-pc-linux-gnu"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
PORTAGE_RSYNC_RETRIES="3"
PORTAGE_RSYNC_TIMEOUT=180
GENTOO_MIRRORS="http://ftp.twaren.net/Linux/Gentoo/ ftp://ftp.kaist.ac.kr/gentoo/ ftp://ftp.twaren.net/Linux/Gentoo/"
|
The other big issue was trying to compile glibc; it would not compile under the selinux/2007.0/amd64/hardened profile without compiling libselinux first, but libselinux would not compile without a more up to date version of glibc than what comes in the stage3-amd64-hardened-multilib-2007.0 install. So I needed to do a bit of profile juggling half way through.
For anyone who's interested, here is the step-by-step process I took to build the basic install (after disks have been prepared). It is based on kyndigen's help and includes commands that were recommended after emerging packages and any problem workarounds. Any recommended commands that didn't do anything useful have been ignored. I've tried to sumarize and optimize what I did in a script, which I've put at the end of this post:
1: Prepare the "base layout":
Unpack the downloaded stage 3 and portage snapshot and mount the 'special' partitions before chrooting:
| Code: | cd /mnt/gentoo
tar -xjvpf stage3-amd64-hardened-multilib-2007.0.tar.bz2
tar -xjvf portage-latest.tar.bz2 -C usr/
mount -t proc none proc
mount -o bind /dev dev
cp -L /etc/resolv.conf /mnt/crypt/gentoo/etc/resolv.conf
|
2: Prepare make.conf and locale.gen before chrooting:
/mnt/gentoo/etc/make.conf was set to:
| Code: | CFLAGS="-O2 -pipe -fforce-addr"
CXXFLAGS=${CFLAGS}
CHOST="x86_64-pc-linux-gnu"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
PORTAGE_RSYNC_RETRIES="3"
PORTAGE_RSYNC_TIMEOUT=180
GENTOO_MIRRORS="http://ftp.twaren.net/Linux/Gentoo/ ftp://ftp.kaist.ac.kr/gentoo/ ftp://ftp.twaren.net/Linux/Gentoo/"
|
(the mirrors were chosen by mirrorselect for my area)
/mnt/gentoo/etc/locale.gen was set to:
| Code: | en_GB ISO-8859-1
en_GB.UTF-8 UTF-8
|
(the locale settings are good for my area)
3: Enter chroot:
| Code: | chroot <install> /bin/bash
env-update && source /etc/profile
|
At this point, the profile is set to the hardened-multilib profile:
| Code: | ls -FGg /etc/make.profile
lrwxrwxrwx 1 47 2007-12-05 22:35 /etc/make.profile -> ../usr/portage/profiles/hardened/amd64/multilib/ |
4: Update portage:
| Code: | emerge --sync
emerge -uav portage
|
The emerge command above built the following packages:
| Quote: | [ebuild U ] sys-devel/autoconf-2.61-r1 [2.60] USE="-emacs" 1,365 kB
[ebuild U ] sys-apps/sandbox-1.2.18.1-r2 [1.2.17] 232 kB
[ebuild U ] app-misc/pax-utils-0.1.16 [0.1.15] USE="-caps" 64 kB
[ebuild U ] app-shells/bash-3.2_p17 [3.1_p17] USE="nls (-afs) -bashlogger -vanilla" 2,522 kB
[ebuild U ] sys-apps/portage-2.1.3.19 [2.1.2.2] USE="-build -doc -epydoc (-selinux)" LINGUAS="-pl" 387 kB
*** Portage will stop merging at this point and reload itself,
then resume the merge.
[ebuild U ] dev-lang/python-2.4.4-r6 [2.4.3-r4] USE="berkdb readline ssl -bootstrap -build -doc -examples% -gdbm -ipv6 -ncurses -nocxx -nothreads% -tk -ucs2" 7,977 kB
[ebuild U ] net-misc/rsync-2.6.9-r5 [2.6.9-r1] USE="-acl -ipv6 -static -xinetd" 793 kB
[ebuild U ] sys-apps/coreutils-6.9-r1 [6.4] USE="nls -acl (-selinux) -static -xattr%" 5,307 kB
[ebuild U ] dev-python/pycrypto-2.0.1-r6 [2.0.1-r5] USE="-bindist -gmp -test" 151 kB
[ebuild N ] app-admin/python-updater-0.2 3 kB[ |
Apply recommended followup commands:
5: Change to the hardened selinux profile:
| Code: | rm /etc/make.profile
ln -snf /usr/portage/profiles/selinux/2007.0/amd64/hardened /etc/make.profile
ls -FGg /etc/make.profile
lrwxrwxrwx 1 51 2007-12-05 23:34 /etc/make.profile -> /usr/portage/profiles/selinux/2007.0/amd64/hardened/ |
Apply recommended followup commands:
| Code: | | env-update && source /etc/profile |
Note that at this point (updating env I think), a warning about the missing dev-python/python-selinux package was announced:
| Quote: | !!! SELinux module not found. Please verify that it was installed.
>>> Regenerating /etc/ld.so.cache... |
6: Build binutils (kyndigen 1):
| Code: | | emerge -auv binutils |
This built the following packages:
| Quote: | [ebuild U ] sys-devel/binutils-config-1.9-r4 [1.9-r3] 0 kB
[ebuild U ] sys-devel/gnuconfig-20070118 [20060702] 40 kB
[ebuild U ] sys-devel/gettext-0.16.1-r1 [0.16.1] USE="nls -doc -emacs -nocxx" 8,340 kB
[ebuild U ] sys-devel/binutils-2.18-r1 [2.16.1-r3] USE="nls -multislot (-multitarget) -test -vanilla" 14,629 kB |
| Quote: | | !!! SELinux module not found. Please verify that it was installed. |
Apply recommended followup commands:
| Code: | | source /etc/profile |
7: (Attempt to) build gcc (kyndigen 2):
Interestingly, an attempt to build gcc here does nothing.
| Quote: | Nothing to merge; would you like to auto-clean packages? y
>>> No outdated packages were found on your system. |
8: Build linux-headers (kyndigen 3):
| Code: | | emerge -auv linux-headers |
| Quote: | [ebuild N ] dev-util/unifdef-1.20 65 kB
[ebuild U ] sys-kernel/linux-headers-2.6.22-r2 [2.6.17-r2] USE="(-gcc64%)" 4,599 kB |
| Quote: | | !!! SELinux module not found. Please verify that it was installed. |
9: Build system (kyndigen 4):
| Quote: | [ebuild N ] sys-apps/setarch-2.0 5 kB
[ebuild U ] sys-devel/gcc-config-1.3.16 [1.3.14] 0 kB
[ebuild U ] sys-libs/timezone-data-2007g [2007c] USE="nls" 344 kB
[ebuild U ] app-arch/bzip2-1.0.4-r1 [1.0.3-r6] USE="-static (-build%)" 822 kB
[ebuild U ] app-arch/cpio-2.9-r1 [2.6-r5] USE="nls" 741 kB
[ebuild N ] sys-apps/hdparm-7.7 62 kB
[ebuild U ] sys-devel/m4-1.4.10 [1.4.7] USE="nls -examples%" 722 kB
[ebuild U ] sys-devel/flex-2.5.33-r3 [2.5.33-r2] USE="nls -static" 680 kB
[ebuild U ] sys-libs/cracklib-2.8.10 [2.8.9-r1] USE="nls python*" 565 kB
[ebuild U ] sys-apps/man-1.6e-r3 [1.6d] USE="nls" 247 kB
[ebuild N ] dev-lang/swig-1.3.31 USE="perl python -doc -guile -java -lua -mono -ocaml -php -pike -ruby -tcl -tk" 4,080 kB
[ebuild N ] dev-perl/Locale-gettext-1.05 8 kB
[ebuild U ] app-arch/gzip-1.3.12 [1.3.5-r10] USE="nls pic -static (-build%)" 452 kB
[ebuild U ] sys-apps/kbd-1.13-r1 [1.12-r8] USE="nls" 652 kB
[ebuild U ] net-misc/iputils-20070202 [20060512] USE="ipv6* -doc -static" 87 kB
[ebuild U ] sys-apps/gawk-3.1.5-r5 [3.1.5-r2] USE="nls" 2,257 kB
[ebuild U ] app-arch/tar-1.19 [1.16-r2] USE="nls -static" 1,839 kB
[ebuild U ] sys-apps/file-4.21-r1 [4.20-r1] USE="python*" 538 kB
[ebuild U ] sys-apps/net-tools-1.60-r13 [1.60-r12] USE="nls -static" 298 kB
[ebuild U ] sys-apps/man-pages-2.68 [2.42] USE="nls" 1,819 kB
[ebuild U ] sys-devel/bison-2.3 [2.2] USE="nls -static" 1,055 kB
[ebuild N ] sys-apps/help2man-1.36.4 USE="nls" 84 kB
[ebuild U ] sys-devel/libtool-1.5.24 [1.5.22] USE="-vanilla%" 2,852 kB
[ebuild U ] sys-apps/diffutils-2.8.7-r2 [2.8.7-r1] USE="nls -static" 1,038 kB
[ebuild U ] dev-libs/openssl-0.9.8g [0.9.8d] USE="(sse2*) zlib -bindist -emacs -gmp% -kerberos% -test" 3,277 kB
[ebuild N ] sys-libs/libsepol-1.16.3 179 kB
[ebuild N ] sys-libs/libselinux-1.34.0 123 kB
[ebuild U ] sys-libs/pam-0.99.9.0 [0.78-r5] USE="cracklib%* nls%* (selinux*) -audit% -test% -vim-syntax% (-berkdb%*) (-nis%) (-pam_chroot%) (-pam_console%) (-pam_timestamp%) (-pwdb%)" 888 kB
[ebuild N ] sys-libs/libsemanage-1.10.0 153 kB
[ebuild U ] sys-libs/glibc-2.6.1 [2.3.6-r5] USE="hardened nls (selinux*) -debug% -gd% -glibc-omitfp (-multilib) -profile -vanilla% (-build%) (-erandom%) (-glibc-compat20%) (-nptl%) (-nptlonly%)" 16,006 kB
[ebuild U ] sys-apps/sysvinit-2.86-r8 [2.86-r6] USE="(selinux*) (-ibm) -static" 101 kB
[ebuild U ] sys-apps/findutils-4.3.8-r1 [4.3.2-r1] USE="nls (selinux*) -static" 1,766 kB
[ebuild N ] sys-apps/checkpolicy-1.34.0 USE="-debug" 56 kB
[ebuild N ] sys-apps/policycoreutils-1.34.1 USE="nls pam" 305 kB
[ebuild U ] sys-apps/shadow-4.0.18.1-r1 [4.0.18.1] USE="cracklib* nls pam (selinux*) -nousuid -skey" 1,481 kB
[ebuild N ] sys-apps/busybox-1.7.4 USE="pam (selinux) -debug -make-symlinks -savedconfig -static" 1,688 kB
[ebuild N ] sec-policy/selinux-base-policy-20070329 306 kB
[ebuild U ] net-misc/openssh-4.6_p1-r3 [4.5_p1-r1] USE="pam (selinux*) tcpd -X -X509 -chroot -hpn -kerberos -ldap -libedit -skey -smartcard -static" 945 kB
[ebuild N ] sec-policy/selinux-gpm-20070329 0 kB
[ebuild U ] sys-libs/readline-5.2_p7 [5.1_p4] 2,008 kB
[ebuild U ] sys-apps/baselayout-1.12.9-r2 [1.12.9] USE="unicode* -bootstrap -build -static (-ldap%)" 214 kB
[ebuild U ] sys-apps/module-init-tools-3.2.2-r3 [3.2.2-r2] USE="-old-linux% (-no-old-linux%)" 166 kB
[ebuild U ] sys-fs/udev-115-r1 [104-r12] USE="(selinux*)" 210 kB
[ebuild N ] sys-libs/gpm-1.20.1-r5 USE="(selinux)" 560 kB
[ebuild U ] sys-libs/ncurses-5.6-r1 [5.5-r3] USE="gpm* unicode* -bootstrap -build -debug -doc -minimal -nocxx -trace" 2,353 kB
[ebuild N ] sys-devel/bc-1.06-r6 USE="readline -static" 273 kB
[ebuild U ] app-editors/nano-2.0.6 [2.0.2] USE="ncurses* nls unicode* -debug -justify* -minimal -slang -spell" 1,285 kB
[ebuild U ] sys-process/procps-3.2.7 [3.2.6] USE="(-n32)" 276 kB
[ebuild U ] sys-apps/less-409 [394] USE="unicode*" 481 kB
[ebuild U ] sys-process/psmisc-22.5-r2 [22.2] USE="ipv6* nls (selinux*) -X" 271 kB
[ebuild U ] sys-libs/com_err-1.40.2 [1.39] USE="nls" 3,873 kB
[ebuild N ] virtual/editor-0 0 kB
[ebuild U ] sys-libs/ss-1.40.2 [1.39] USE="nls" 0 kB
[ebuild U ] sys-fs/e2fsprogs-1.40.2 [1.39] USE="nls -static" 0 kB |
ERROR:At this point the build failed because a more recent glibc had not been built yet with '__tls_get_addr' functionality
| Quote: | [ebuild U ] sys-apps/util-linux-2.12r-r8 [2.12r-r5] USE="crypt nls perl* (selinux*) -old-crypt -static" 1,509 kB
!!! SELinux module not found. Please verify that it was installed.
matchpathcon.lo: In function `set_matchpathcon_flags':
matchpathcon.c .text+0x2c7): undefined reference to `__tls_get_addr'
matchpathcon.lo: In function `process_line':
matchpathcon.c.text+0xe72): undefined reference to `__tls_get_addr'
matchpathcon.lo: In function `matchpathcon_init_prefix_internal':
matchpathcon.c.text+0xfdc): undefined reference to `__tls_get_addr'
matchpathcon.lo: In function `matchpathcon':
matchpathcon.c.text+0x1a46): undefined reference to `__tls_get_addr'
matchpathcon.lo: In function `selinux_file_context_verify':
matchpathcon.c.text+0x1e0b): undefined reference to `__tls_get_addr'
matchpathcon.lo:matchpathcon.c.text+0x1f47): more undefined references to `__tls_get_addr' follow
collect2: ld returned 1 exit status
make[1]: *** [libselinux.so.1] Error 1
make[1]: Leaving directory `/var/tmp/portage/sys-libs/libselinux-1.34.0/work/libselinux-1.34.0/src'
make: *** [all] Error 2
*
* ERROR: sys-libs/libselinux-1.34.0 failed.
* Call stack:
* ebuild.sh, line 1701: Called dyn_compile
* ebuild.sh, line 1039: Called qa_call 'src_compile'
* ebuild.sh, line 44: Called src_compile
* libselinux-1.34.0.ebuild, line 38: Called die
* The specific snippet of code:
* emake LDFLAGS="-fPIC ${LDFLAGS}" all || die
* The die message:
* (no error message)
*
* If you need support, post the topmost build error, and the call stack if relevant.
* A complete build log is located at '/var/tmp/portage/sys-libs/libselinux-1.34.0/temp/build.log'.
|
So here the profile was switched back to the original hardened one from the stage 3 and glibc was explicitly emerged to bring it up to date (after updating configs for the system packages that did emerge):
| Code: | etc-update
rm /etc/make.profile
ln -snf /usr/portage/profiles/hardened/amd64/multilib /etc/make.profile
env-update && source /etc/profile
USE=multilib emerge -auv glibc |
| Quote: | | [ebuild U ] sys-libs/glibc-2.6.1 [2.3.6-r5] USE="hardened multilib* nls -debug% -gd% -glibc-omitfp -profile (-selinux) -vanilla% (-build%) (-erandom%) (-glibc-compat20%) (-nptl%) (-nptlonly%)" 16,006 kB |
The profile was then switched back to the selinux one and glibc was emerged again. An emerge -auv glibc would have also brought in libselinux, python-selinux dependencies and finally gcc as a dependent. As I was half way through a system emerge, I chose to ignore gcc for now to keep thing consistent:
| Code: | rm /etc/make.profile
ln -snf /usr/portage/profiles/selinux/2007.0/amd64/hardened /etc/make.profile
env-update && source /etc/profile
emerge -1av libselinux python-selinux glibc |
| Quote: | [ebuild N ] sys-libs/libselinux-1.34.0 0 kB
[ebuild N ] dev-python/python-selinux-2.16-r2 11 kB
[ebuild R ] sys-libs/glibc-2.6.1 USE="hardened nls (selinux*) -debug -gd -glibc-omitfp (-multilib*) -profile -vanilla" 0 kB |
It looks like glibc should have been brought up to date before stage 5 when the profile was switched to selinux. If done this way, I think gcc would have been compiled where it should have been.
So, now that glibc has the required functionality and the profile is back to selinux, we can finish off the system emerge:
| Quote: | [ebuild U ] sys-libs/pam-0.99.9.0 [0.78-r5] USE="cracklib%* nls%* (selinux*) -audit% -test% -vim-syntax% (-berkdb%*) (-nis%) (-pam_chroot%) (-pam_console%) (-pam_timestamp%) (-pwdb%)" 888 kB
[ebuild N ] sys-libs/libsemanage-1.10.0 153 kB
[ebuild U ] sys-apps/sysvinit-2.86-r8 [2.86-r6] USE="(selinux*) (-ibm) -static" 101 kB
[ebuild U ] sys-apps/findutils-4.3.8-r1 [4.3.2-r1] USE="nls (selinux*) -static" 1,766 kB
[ebuild N ] sys-apps/checkpolicy-1.34.0 USE="-debug" 56 kB
[ebuild N ] sys-apps/policycoreutils-1.34.1 USE="nls pam" 305 kB
[ebuild U ] sys-apps/shadow-4.0.18.1-r1 [4.0.18.1] USE="cracklib* nls pam (selinux*) -nousuid -skey" 1,481 kB
[ebuild N ] sys-apps/busybox-1.7.4 USE="pam (selinux) -debug -make-symlinks -savedconfig -static" 1,688 kB
[ebuild N ] sec-policy/selinux-base-policy-20070329 306 kB
[ebuild U ] net-misc/openssh-4.6_p1-r3 [4.5_p1-r1] USE="pam (selinux*) tcpd -X -X509 -chroot -hpn -kerberos -ldap -libedit -skey -smartcard -static" 945 kB
[ebuild N ] sec-policy/selinux-gpm-20070329 0 kB
[ebuild U ] sys-libs/readline-5.2_p7 [5.1_p4] 2,008 kB
[ebuild U ] sys-apps/baselayout-1.12.9-r2 [1.12.9] USE="unicode* -bootstrap -build -static (-ldap%)" 214 kB
[ebuild U ] sys-apps/module-init-tools-3.2.2-r3 [3.2.2-r2] USE="-old-linux% (-no-old-linux%)" 166 kB
[ebuild U ] sys-fs/udev-115-r1 [104-r12] USE="(selinux*)" 210 kB
[ebuild N ] sys-libs/gpm-1.20.1-r5 USE="(selinux)" 560 kB
[ebuild U ] sys-libs/ncurses-5.6-r1 [5.5-r3] USE="gpm* unicode* -bootstrap -build -debug -doc -minimal -nocxx -trace" 2,353 kB
[ebuild N ] sys-devel/bc-1.06-r6 USE="readline -static" 273 kB
[ebuild U ] app-editors/nano-2.0.6 [2.0.2] USE="ncurses* nls unicode* -debug -justify* -minimal -slang -spell" 1,285 kB
[ebuild U ] sys-process/procps-3.2.7 [3.2.6] USE="(-n32)" 276 kB
[ebuild U ] sys-apps/less-409 [394] USE="unicode*" 481 kB
[ebuild U ] sys-process/psmisc-22.5-r2 [22.2] USE="ipv6* nls (selinux*) -X" 271 kB
[ebuild U ] sys-libs/com_err-1.40.2 [1.39] USE="nls" 3,873 kB
[ebuild N ] virtual/editor-0 0 kB
[ebuild U ] sys-libs/ss-1.40.2 [1.39] USE="nls" 0 kB
[ebuild U ] sys-fs/e2fsprogs-1.40.2 [1.39] USE="nls -static" 0 kB
[ebuild U ] sys-apps/util-linux-2.12r-r8 [2.12r-r5] USE="crypt nls perl* (selinux*) -old-crypt -static" 1,509 kB |
Apply follow up commands that do anything useful:
And now build gcc:
| Quote: | [ebuild R ] sys-libs/zlib-1.2.3-r1 USE="(-build%)" 416 kB
[ebuild R ] sys-devel/gcc-3.4.6-r2 USE="fortran* hardened nls (-altivec) -bootstrap -boundschecking -build -d% -doc -gcj -gtk -ip28 -ip32r10k (-multilib) -multislot (-n32) (-n64) -nocxx -nopie -nossp -objc -test -vanilla" 27,700 kB
|
I noted here that gcc was not built with the multilib USE flag enabled. Perhaps someone with more experience than me can say whether gcc should have been build with USE=multilib emerge -uDN gcc or not for this amd64 (with multilib support) machine?
10: Rebuild system (kyndigen 5):
Before building the system for the second time, I replaced a bit more of the original make.conf:
| Code: | CFLAGS="-march=athlon64 -O2 -msse3 -pipe -fforce-addr"
CXXFLAGS=${CLAGS}
CHOST="x86_64-pc-linux-gnu"
MAKEOPTS="-j3"
ACCEPT_KEYWORDS="amd64"
PORTAGE_NICENESS=3
AUTOCLEAN="yes"
USE="nptlonly unicode gnome gtk gtk2 hal dbus firefox ogg flac xinerama alsa"
INPUT_DEVICES="keyboard mouse"
VIDEO_CARDS="nv nvidia vesa"
ALSA_CARDS="intel8x0"
LINGUAS="en_GB"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
PORTAGE_RSYNC_RETRIES="3"
PORTAGE_RSYNC_TIMEOUT=180
GENTOO_MIRRORS="http://ftp.twaren.net/Linux/Gentoo/ ftp://ftp.kaist.ac.kr/gentoo/ ftp://ftp.twaren.net/Linux/Gentoo/" |
| Code: | env-update && source /etc/profile
emerge -uDNav system |
| Quote: | [ebuild R ] sys-apps/portage-2.1.3.19 USE="(selinux*) -build -doc -epydoc" LINGUAS="-pl" 0 kB
[ebuild U ] dev-libs/expat-2.0.1 [1.95.8] USE="(-test%)" 436 kB
[ebuild R ] sys-apps/tcp-wrappers-7.6-r8 USE="ipv6*" 113 kB
[ebuild R ] net-misc/rsync-2.6.9-r5 USE="ipv6* (-acl) -static -xinetd" 0 kB
[ebuild U ] app-misc/ca-certificates-20070303-r1 [20061027.2] 95 kB
[ebuild R ] sys-libs/pwdb-0.62 USE="(selinux*)" 131 kB
[ebuild NS ] sys-libs/db-4.5.20_p2 USE="-bootstrap -doc -java -nocxx -tcl -test" 9,068 kB
[ebuild R ] sys-devel/libperl-5.8.8-r1 USE="berkdb gdbm* -debug -ithreads" 0 kB
[ebuild R ] sys-devel/gcc-3.4.6-r2 USE="fortran gtk* hardened nls (-altivec) -bootstrap -boundschecking -build -d -doc -gcj -ip28 -ip32r10k (-multilib) -multislot (-n32) (-n64) -nocxx -nopie -nossp -objc -test -vanilla" 0 kB
[ebuild R ] net-misc/wget-1.10.2 USE="ipv6* nls ssl -build -debug -socks5 -static" 1,190 kB
[ebuild R ] sys-apps/coreutils-6.9-r1 USE="nls (selinux*) (-acl) -static -xattr" 0 kB
[ebuild R ] dev-lang/python-2.4.4-r6 USE="berkdb gdbm* ipv6* ncurses* readline ssl -bootstrap -build -doc -examples -nocxx -nothreads -tk -ucs2" 0 kB |
| Code: | etc-update
revdep-rebuild -X --library libexpat.so.0 |
| Quote: | | emerge --oneshot =sys-devel/gettext-0.16.1-r1 |
Relax:
So now the toolchain has been rebuilt and I have a hardened selinux multilib stage 3 installation on my amd64 machine  (phew!)
I will rebuild the system again now though (emerge -e system perhaps) as glibc and gcc were built at the wrong time.
Summary:
As I has a lot of time on my hands waiting for my install to compile itself, I tried to put together a script that I think covers these steps in the correct order.
PLEASE NOTE: this script has NEVER been executed at all and should be treated as note taking for the install process that has been described above. But if anyone thinks it might be useful to finish off, please add your comments.
| Code: |
#! /bin/bash
# To be performed after completing the official
# gentoo install (or similar) up to and including
# Section 4 - Preparing the Disks.
#############################################################
# Set parameters
#############################################################
# Variables:
INSTALL_DIR=/mnt/gentoo # changeme
RELEASE_MIRROR=ftp://closest.release.mirror/gentoo # changeme
PACKAGE_MIRRORS="ftp://first.package.mirror http://second.package.mirror http://third.package.mirror" #changeme
MAKEOPTS="-j3"
LOCALES=("en_GB ISO-8859-1" "en_GB.UTF-8 UTF-8") # changeme
# Constants:
RSYNC=rsync://rsync.gentoo.org/gentoo-portage
STAGE_3=stage3-amd64-hardened-multilib-2007.0.tar.bz2
SNAPSHOT=portage-latest.tar.bz2
HARDENED_PROFILE=/usr/portage/profiles/hardened/amd64/multilib
SELINUX_PROFILE=/usr/portage/profiles/selinux/2007.0/amd64/hardened
INSTALL_SCRIPT=install.sh
#############################################################
# Retrieve stage 3 and portage snapshot
#############################################################
cd ${INSTALL_DIR}
wget ${RELEASE_MIRROR}/releases/amd64/current/stages/hardened/${STAGE_3}{,.DIGESTS}
md5sum ${STAGE_3}.DIGESTS
# TODO exit if md5sum fails
wget ${RELEASE_MIRROR}/snapshots/${SNAPSHOT}{,.md5sum}
md5sum ${SNAPSHOT}.md5sum
# TODO exit if md5sum fails
tar -xjvpf ${STAGE_3}
tar -xjvf ${SNAPSHOT} -C usr/
#############################################################
# Mount proc and dev and link resolv.conf
#############################################################
mount -t proc none proc
mount -o bind /dev dev
cp -L /etc/resolv.conf etc/resolv.conf
#############################################################
# Edit make.conf, locale.gen and dispatch-conf.conf
#############################################################
echo "MAKEOPTS=${MAKEOPTS}" >> etc/make.conf
echo SYNC="${RSYNC}" >> etc/make.conf
echo PORTAGE_RSYNC_RETRIES="3" >> etc/make.conf
echo PORTAGE_RSYNC_TIMEOUT=180 >> etc/make.conf
echo "GENTOO_MIRRORS=\"${PACKAGE_MIRRORS}\"" >> etc/make.conf
# TODO: LOCALES array handling
for locale in $LOCALES; do echo $locale >> etc/locale.gen
# TODO: edit ${INSTALL_DIR}/etc/dispatch-conf.conf to automatically update new config files
#############################################################
# Build install script to be run in chroot
#############################################################
echo "#! /bin/bash" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "# TODO: write error messages to ${ERRORS} if operations fail" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "env-update && source /etc/profile" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "#############################################################" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "# Update portage:" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "#############################################################" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "emerge --sync" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "emerge -u portage" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "dispatch-conf" >> ${INSTALL_DIR}/${INSTALL_SCRIPT} # was etc-update
echo "hash -r" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "#############################################################" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "# Build glibc with hardened profile:" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "#############################################################" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "rm /etc/make.profile" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "ln -snf ${HARDENED_PROFILE} /etc/make.profile" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "env-update && source /etc/profile" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "USE=multilib emerge -u glibc" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "#############################################################" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "# Rebuild glibc with selinux profile:" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "#############################################################" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "rm /etc/make.profile" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "ln -snf ${SELINUX_PROFILE} /etc/make.profile" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "env-update && source /etc/profile" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "emerge -1 libselinux python-selinux glibc" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "#############################################################" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "# Build toolchain:" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "#############################################################" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "emerge -u binutils" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "source /etc/profile" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "emerge -u gcc" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "emerge -u linux-headers" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "#############################################################" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "# Build system:" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "#############################################################" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "emerge -u system" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "dispatch-conf" >> ${INSTALL_DIR}/${INSTALL_SCRIPT} # was etc-update
echo "grpconv" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "#############################################################" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "# Rebuild system:" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "#############################################################" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "# TODO: insert extra make.conf parameters" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "emerge -uDN system" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
echo "dispatch-conf" >> ${INSTALL_DIR}/${INSTALL_SCRIPT} # was etc-update
echo "revdep-rebuild -X" >> ${INSTALL_DIR}/${INSTALL_SCRIPT}
#############################################################
# Run install script in chroot
#############################################################
chmod u+x ${INSTALL_DIR}/${INSTALL_SCRIPT}
chroot ${INSTALL_DIR} /bin/bash -c ${INSTALL_SCRIPT}
#############################################################
# Cleanup
#############################################################
# TODO: edit ${INSTALL_DIR}/etc/dispatch-conf.conf to not automatically update new config files
rm ${STAGE_3}{,.DIGESTS}
rm ${SNAPSHOT}{,.md5sum}
cat ${INSTALL_DIR}/${ERRORS}
|
Thanks again kyndigen for your help.
Right, now for the kernel .... |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Installing Gentoo
