[gentoo-hardened] lvm2 and selinux?

[gentoo-hardened] lvm2 and selinux?

[Jukka Palko]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Is there a reason why with selinux lvm2 seems to be mandatory to be
compiled with USE=nolvmstatic set?

If it isn't set lvm2 fails this way:
- ---snip---
x86_64-pc-linux-gnu-gcc -o lvm.static dumpconfig.o formats.o lvchange.o
lvconvert.o lvcreate.o lvdisplay.o lvextend.o lvmchange.o lvmcmdline.o
lvmdiskscan.o lvreduce.o lvremove.o lvrename.o lvresize.o lvscan.o
polldaemon.o pvchange.o pvcreate.o pvdisplay.o pvmove.o pvremove.o
pvresize.o pvscan.o reporter.o segtypes.o toollib.o vgcfgbackup.o
vgcfgrestore.o vgchange.o vgck.o vgcreate.o vgconvert.o vgdisplay.o
vgexport.o vgextend.o vgimport.o vgmerge.o vgmknodes.o vgreduce.o
vgremove.o vgrename.o vgscan.o vgsplit.o lvm-static.o -static
- -Wl,--export-dynamic -L../lib -L/usr/lib64 -llvm -ldevmapper \
        -lreadline -lselinux -ldl -lncurses  -rdynamic
../lib/liblvm.a(sharedlib.o): In function `load_shared_library':
sharedlib.c:(.text+0xbe): warning: Using 'dlopen' in statically linked
applications requires at runtime the shared libraries from the glibc
version used for linking
/usr/lib64/libreadline.a(complete.o): In function
`rl_username_completion_function':
complete.c:(.text+0x25e5): warning: Using 'getpwent' in statically
linked applications requires at runtime the shared libraries from the
glibc version used for linking
/usr/lib64/libreadline.a(tilde.o): In function `tilde_expand_word':
tilde.c:(.text+0x257): warning: Using 'getpwnam' in statically linked
applications requires at runtime the shared libraries from the glibc
version used for linking
/usr/lib64/libreadline.a(shell.o): In function `sh_get_home_dir':
shell.c:(.text+0x1b7): warning: Using 'getpwuid' in statically linked
applications requires at runtime the shared libraries from the glibc
version used for linking
/usr/lib64/libreadline.a(complete.o): In function
`rl_username_completion_function':
complete.c:(.text+0x25e0): warning: Using 'setpwent' in statically
linked applications requires at runtime the shared libraries from the
glibc version used for linking
complete.c:(.text+0x26b1): warning: Using 'endpwent' in statically
linked applications requires at runtime the shared libraries from the
glibc version used for linking
/usr/lib64/libselinux.a(load_policy.o): In function `selinux_mkload_policy':
load_policy.c:(.text+0xff): undefined reference to
`sepol_policy_kern_vers_max'
load_policy.c:(.text+0x128): undefined reference to
`sepol_policy_kern_vers_min'
load_policy.c:(.text+0x1d5): undefined reference to
`sepol_policy_file_create'
load_policy.c:(.text+0x1e7): undefined reference to `sepol_policydb_create'
load_policy.c:(.text+0x203): undefined reference to
`sepol_policy_file_set_mem'
load_policy.c:(.text+0x212): undefined reference to `sepol_policydb_read'
load_policy.c:(.text+0x227): undefined reference to
`sepol_policydb_set_vers'
load_policy.c:(.text+0x241): undefined reference to
`sepol_policydb_to_image'
load_policy.c:(.text+0x251): undefined reference to `sepol_policy_file_free'
load_policy.c:(.text+0x25b): undefined reference to `sepol_policydb_free'
load_policy.c:(.text+0x2bd): undefined reference to `sepol_policy_file_free'
load_policy.c:(.text+0x2c7): undefined reference to `sepol_policydb_free'
load_policy.c:(.text+0x331): undefined reference to `sepol_policy_file_free'
load_policy.c:(.text+0x33b): undefined reference to `sepol_policydb_free'
load_policy.c:(.text+0x347): undefined reference to `sepol_policy_file_free'
load_policy.c:(.text+0x3d4): undefined reference to `sepol_genusers'
load_policy.c:(.text+0x413): undefined reference to `sepol_genbools'
load_policy.c:(.text+0x435): undefined reference to `sepol_genbools_array'
collect2: ld returned 1 exit status
make[1]: *** [lvm.static] Error 1
make[1]: Leaving directory
`/var/tmp/portage/lvm2-2.02.01/work/LVM2.2.02.01/tools'
make: *** [tools] Error 2

!!! ERROR: sys-fs/lvm2-2.02.01 failed.
!!! Function src_compile, Line 70, Exitcode 2
!!! compile problem
!!! If you need support, post the topmost build error, NOT this status
message.
- ---snip---

I unmasked the lvm2-2.02.1 and device-mapper newer version as the 2.02.1
and 2.01.14-r1 are the first to support the selinux USE flag and
lvm2-2.01.09 doesn't compile on selinux.

Also a bit curious on why the selinux-lvm ebuild isn't in dependencies
when installing/upgrading lvm2 on an selinux system. Doesn't it provide
the necessary policy datas?

- --
Jukka Palko    jpalko@gmail.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFD6v/TgfJN/zhm0W0RAnlFAKCjW0z/WyhCQqEok/Nq7Xhrl3ouWwCbBzTy
T7r2xD7haraQHVTGG0SQ0uQ=
=UFYK
-----END PGP SIGNATURE-----
-- 
gentoo-hardened@gentoo.org mailing list

Re: [gentoo-hardened] lvm2 and selinux?

[Petre Rodan]

[-- Attachment #1: Type: text/plain, Size: 686 bytes --]


Hi,

On Thu, Feb 09, 2006 at 10:39:47AM +0200, Jukka Palko wrote:
[..] 
> Also a bit curious on why the selinux-lvm ebuild isn't in dependencies
> when installing/upgrading lvm2 on an selinux system. Doesn't it provide
> the necessary policy datas?

I do not have any LVM system to test the policy with, so I'm unsure of how gentoo-worthy it is.
The only part of the policy I was interested in was that related to dmsetup/cryptsetup.

If you feel that selinux-lvm does it's job well, please open a bug report about adding the policy to RDEPENDs and assign it to lvm maintainers.

bye,
peter

-- 
petre rodan
<kaiowas@gentoo.org>
Developer,
Hardened Gentoo Linux 

[-- Attachment #2: Type: application/pgp-signature, Size: 198 bytes --]