Bug 14253 - Glibc does not build with SELinux support
Summary: Glibc does not build with SELinux support
Status: RESOLVED FIXED
Alias: None
Product: glibc
Classification: Unclassified
Component: build
Version: 2.15
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Reported: 2012-06-16 10:52 UTC by Wolf
Modified: 2014-06-19 06:25 UTC
fweimer: security-


Description Wolf 2012-06-16 10:52:17 UTC
The nss folder doesn't build when SELinux support is enabled because it needs to link with libsepol and doesn't. I have no idea how this could be overlooked, but... have a fix:

sed -i 's/-lselinux/& -lsepol/' nss/Makefile
Comment 1 Carlos O'Donell 2012-06-19 03:57:21 UTC
Wolf,

We are actively looking for new members of the community to help ensure that all configuration options of glibc are well tested. It looks like you might have found a broken corner.

Could you please ask on the developer mailing list (libc-alpha@sourceware.org) to see if anyone is building and testing with SELinux enabled? Please reference this bugzilla entry in your post.
Comment 2 Andreas Jaeger 2012-06-19 19:39:00 UTC
Which version of libselinux and libsepol are you using?
What exactly is the error message?
Comment 3 Wolf 2012-06-20 06:22:03 UTC
(In reply to comment #2)
> Which version of libselinux and libsepol are you using?
> What exactly is the error message?

I'm using the latest libselinux and libsepol from the following page:

http://userspace.selinuxproject.org/trac/wiki/Releases

namely, libselinux 2.1.9 and libsepol 2.1.4. As for the exact error message, it'll take me several hours to reproduce the exact environment, so I'll post again when I do. I'll have lots and lots of details.
Comment 4 Wolf 2012-06-20 06:23:10 UTC
(In reply to comment #2)
> Which version of libselinux and libsepol are you using?
> What exactly is the error message?

I'm using the latest libselinux and libsepol from the following page:

http://userspace.selinuxproject.org/trac/wiki/Releases

namely, libselinux 2.1.9 and libsepol 2.1.4. As for the exact error message, it'll take me several hours to reproduce the exact environment, so I'll post again when I do. I'll have lots and lots of details.
Comment 5 Andreas Jaeger 2012-06-20 06:48:48 UTC
Ok, you're using a newer version of the libs than I do - and I don't see the problem:
libselinux1-2.0.91-18.1.x86_64
libsepol1-2.0.41-14.36.x86_64
Comment 6 Wolf 2012-06-20 07:05:43 UTC
(In reply to comment #5)
> Ok, you're using a newer version of the libs than I do - and I don't see the
> problem:
> libselinux1-2.0.91-18.1.x86_64
> libsepol1-2.0.41-14.36.x86_64

I'm using the configparms file. Try it with these:

../glibc-2.15/configure --prefix=/usr --disable-profile --enable-add-ons --enable-kernel=3.2 --libexecdir=/usr/lib/glibc --enable-bind-now --enable-stackguard-randomization libc_cv_gcc_builtin_expect=yes

cat > configparms << "EOF"
build-programs=no
CC += -fPIC -fno-stack-protector -U_FORTIFY_SOURCE -nonow -nopie
CXX += -fPIC -fno-stack-protector -U_FORTIFY_SOURCE -nonow -nopie
EOF

make

cat > configparms << "EOF"
CC += -fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2
CXX += -fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2
CFLAGS-sln.c += -fno-PIC -fno-PIE
+link = $(CC) -pie -Wl,-O1 -nostdlib -nostartfiles -o $@ \
$(sysdep-LDFLAGS) $(config-LDFLAGS) $(LDFLAGS) $(LDFLAGS-$(@F)) \
$(combreloc-LDFLAGS) $(relro-LDFLAGS) $(hashstyle-LDFLAGS) \
-Wl,-z,now -Wl,--warn-shared-textrel,--fatal-warnings \
$(addprefix $(csu-objpfx),S$(start-installed-name)) \
$(+preinit) $(+prectorS) \
$(filter-out $(addprefix $(csu-objpfx),start.o \
S$(start-installed-name))\
$(+preinit) $(link-extra-libs) \
$(common-objpfx)libc% $(+postinit),$^) \
$(link-extra-libs) $(link-libc) $(+postctorS) $(+postinit)
EOF

make

I'm still working on setting up my environment again.
Comment 7 Andreas Jaeger 2012-06-20 07:25:35 UTC
Please try it without those configparms changes. The +link change looks suspicious.
Comment 8 Wolf 2012-06-20 07:39:28 UTC
(In reply to comment #7)
> Please try it without those configparms changes. The +link change looks
> suspicious.

I can remove the +link change, but without the others it won't build since I enabled extra GCC options by default. The changes to CC, CXX, and CFLAGS-sln.c make GCC behave normally.
Comment 9 Andreas Jaeger 2012-06-20 07:48:30 UTC
Then remove the other changes as well...

You asked "I have no idea how this could be overlooked" - and to me it seems that you do a couple of changes that nobody else does - and therefore it breaks for you.

So, I'd like to see the problem you hit in your configuration (exact commandline and error message) - and also whether you can reproduce it in a clean build.
Comment 10 Wolf 2012-06-20 07:55:11 UTC
(In reply to comment #9)
> Then remove the other changes as well...
> 
> You asked "I have no idea how this could be overlooked" - and to me it seems
> that you do a couple of changes that nobody else does - and therefore it breaks
> for you.
> 
> So, I'd like to see the problem you hit in your configuration (exact
> commandline and error message) - and also whether you can reproduce it in a
> clean build.

That's what I'm working on; however, I don't see how GCC having -fstack-protector-all on by default would cause undefined symbol errors for symbols that are in libsepol.
Comment 11 Wolf 2012-06-20 08:47:05 UTC
Now it's not finding libselinux at all, despite it being in /usr/lib.
Comment 12 Mike Frysinger 2012-07-23 16:28:11 UTC
(In reply to comment #10)

the way glibc links, forcing any core files to start using more symbols that they didn't before can easily break the core glibc linkage.  linking with ssp isn't currently supported, so trying to build that way is on your own.  please verify your build fails w/out these ssp settings.
Comment 13 Mike Frysinger 2013-02-20 06:29:49 UTC
please post some actual build logs as attachments.  as it stands, people are able to build glibc w/just -lselinux including versions glibc-2.17 and libselinux-2.1.12 and libsepol-2.1.8.
Comment 14 Wolf 2013-02-20 22:04:24 UTC
Apologies for not closing this, it works now.