Undefined refs in compile attempt

Undefined refs in compile attempt

[Dale Amon]

Not sure why I'm getting failures in the compile. I applied all 
of the patches before starting:

  532  tar zxf sm-selinux-200111191100.tgz
  541  cd selinux
  542  patch -p1 < ../delete.patch 
  543  patch -p1 < ../avc.patch 
  544  patch -p1 < ../module.patch 
  545  patch -p1 < ../util-linux.patch 
  547  cd module
  548  make insert
  549  cd ../../lsm
  550  patch -p1 < ../module.patch 
  553  make mrproper
  554  cp -a ../old.config .config
  556  make oldconfig
  558  make dep
  560  make bzImage
  561  make modules
  592  make INSTALL_MOD_PATH=/usr/src/Selinux modules_install
  594  cp -a System.map ../Selinux/boot/System.map-2.4.14-lsm 
  595  cp -a arch/i386/boot/bzImage ../Selinux/boot/vmlinuz-2.4.14-lsm 
  604  cd ../selinux/module

At which point a make install fails:

cc -o checkpolicy ebitmap.o queue.o hashtab.o symtab.o sidtab.o avtab.o policydb.o services.o y.tab.o lex.yy.o checkpolicy.o -lfl
policydb.o: In function `user_destroy':
/usr/src/selinux/module/checkpolicy/../selinux_plug/ss/policydb.c:357: undefined reference to `mls_user_destroy'
policydb.o: In function `policydb_context_isvalid':
/usr/src/selinux/module/checkpolicy/../selinux_plug/ss/policydb.c:487: undefined reference to `mls_context_isvalid'
policydb.o: In function `context_read_and_validate':
/usr/src/selinux/module/checkpolicy/../selinux_plug/ss/policydb.c:513: undefined reference to `mls_read_range'
policydb.o: In function `perm_read':
/usr/src/selinux/module/checkpolicy/../selinux_plug/ss/policydb.c:552: undefined reference to `mls_read_perm'
policydb.o: In function `class_read':
/usr/src/selinux/module/checkpolicy/../selinux_plug/ss/policydb.c:752: undefined reference to `mls_read_class'
policydb.o: In function `user_read':
/usr/src/selinux/module/checkpolicy/../selinux_plug/ss/policydb.c:890: undefined reference to `mls_read_user'
policydb.o: In function `policydb_read':
/usr/src/selinux/module/checkpolicy/../selinux_plug/ss/policydb.c:958: undefined reference to `mls_read_nlevels'
policydb.o: In function `context_write':
/usr/src/selinux/module/checkpolicy/../selinux_plug/ss/policydb.c:1158: undefined reference to `mls_write_range'
policydb.o: In function `class_write':
/usr/src/selinux/module/checkpolicy/../selinux_plug/ss/policydb.c:1317: undefined reference to `mls_write_class'
policydb.o: In function `user_write':
/usr/src/selinux/module/checkpolicy/../selinux_plug/ss/policydb.c:1403: undefined reference to `mls_write_user'
policydb.o: In function `policydb_write':
/usr/src/selinux/module/checkpolicy/../selinux_plug/ss/policydb.c:1444: undefined reference to `mls_write_nlevels'
policydb.o: In function `roles_init':
/usr/src/selinux/module/checkpolicy/../selinux_plug/ss/policydb.c:47: undefined reference to `sens_index'
/usr/src/selinux/module/checkpolicy/../selinux_plug/ss/policydb.c:47: undefined reference to `cat_index'
/usr/src/selinux/module/checkpolicy/../selinux_plug/ss/policydb.c:50: undefined reference to `sens_destroy'
/usr/src/selinux/module/checkpolicy/../selinux_plug/ss/policydb.c:51: undefined reference to `cat_destroy'
/usr/src/selinux/module/checkpolicy/../selinux_plug/ss/policydb.c:53: undefined reference to `sens_read'
/usr/src/selinux/module/checkpolicy/../selinux_plug/ss/policydb.c:55: undefined reference to `cat_read'
/usr/src/selinux/module/checkpolicy/../selinux_plug/ss/policydb.c:56: undefined reference to `sens_write'
/usr/src/selinux/module/checkpolicy/../selinux_plug/ss/policydb.c:56: undefined reference to `cat_write'
services.o: In function `context_struct_compute_av':
/usr/src/selinux/module/checkpolicy/../selinux_plug/ss/services.c:174: undefined reference to `mls_compute_av'
services.o: In function `context_struct_to_string':
/usr/src/selinux/module/checkpolicy/../selinux_plug/ss/services.c:277: undefined reference to `mls_compute_context_len'
/usr/src/selinux/module/checkpolicy/../selinux_plug/ss/services.c:295: undefined reference to `mls_sid_to_context'
services.o: In function `security_context_to_sid':
/usr/src/selinux/module/checkpolicy/../selinux_plug/ss/services.c:450: undefined reference to `mls_context_to_sid'
services.o: In function `security_compute_sid':
/usr/src/selinux/module/checkpolicy/../selinux_plug/ss/services.c:601: undefined reference to `mls_compute_sid'
services.o: In function `convert_context':
/usr/src/selinux/module/checkpolicy/../selinux_plug/ss/services.c:798: undefined reference to `mls_convert_context'
collect2: ld returned 1 exit status
make[1]: *** [checkpolicy] Error 1
make[1]: Leaving directory `/usr/src/selinux/module/checkpolicy'
make: *** [checkpolicy/checkpolicy] Error 2

Here is the relevant part of the .config

#
# Security options
#
CONFIG_SECURITY_CAPABILITIES=y
CONFIG_SECURITY_IP=y
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_MLS=y

-- 
------------------------------------------------------
    Nuke bin Laden:           Dale Amon, CEO/MD
  improve the global          Islandone Society
     gene pool.               www.islandone.org
------------------------------------------------------

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Undefined refs in compile attempt

[James Morris]

On Wed, 12 Dec 2001, Dale Amon wrote:

> At which point a make install fails:
>
> policydb.o: In function `user_destroy':
> /usr/src/selinux/module/checkpolicy/../selinux_plug/ss/policydb.c:357:
> undefined reference to `mls_user_destroy'

Check that you've set MLS=y in module/checkpolicy/Makefile, as mentioned
in the README.MLS file.


- James
-- 
James Morris
<jmorris@intercode.com.au>






--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Undefined refs in compile attempt

[Stephen Smalley]

On Wed, 12 Dec 2001, Dale Amon wrote:

> Not sure why I'm getting failures in the compile. I applied all
> of the patches before starting:
>
>   532  tar zxf sm-selinux-200111191100.tgz

Although this isn't related to your problem, you might want to use the
latest release (2001121010).  Of course, you will still need to apply
the module.patch and the util-linux.patch that I posted yesterday after
that release was made.

>   541  cd selinux
>   542  patch -p1 < ../delete.patch
>   543  patch -p1 < ../avc.patch
>   544  patch -p1 < ../module.patch

This should have failed.  The module.patch posted yesterday was relative
to the latest release, so it expected the module to already be in the lsm
tree (the SELinux module has been merged into the main LSM tree, and no
longer lives in the selinux archive).

>   545  patch -p1 < ../util-linux.patch
>   547  cd module
>   548  make insert
>   549  cd ../../lsm
>   550  patch -p1 < ../module.patch

Ok, it looks like you reapplied the patch correctly here.

> At which point a make install fails:
>
> cc -o checkpolicy ebitmap.o queue.o hashtab.o symtab.o sidtab.o avtab.o policydb.o services.o y.tab.o lex.yy.o checkpolicy.o -lfl
> policydb.o: In function `user_destroy':
> /usr/src/selinux/module/checkpolicy/../selinux_plug/ss/policydb.c:357: undefined reference to `mls_user_destroy'

These errors indicate that you enabled the MLS option without making the
other changes described in the README.MLS file.  See the help text for
this option and the README.MLS file for more information.  As noted there,
the MLS policy component is considered experimental and has not been
configured for use.  Unless you really want to experiment with it, I
wouldn't recommend it.  Our focus has been on the RBAC and TE policies.
Of course, you can even express a MLS policy as a TE configuration if you
want, although the state space explodes if you have a lot of MLS levels.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Undefined refs in compile attempt

[Dale Amon]

On Wed, Dec 12, 2001 at 08:54:46AM -0500, Stephen Smalley wrote:

> These errors indicate that you enabled the MLS option without making the
> other changes described in the README.MLS file.  See the help text for
> this option and the README.MLS file for more information.  As noted there,
> the MLS policy component is considered experimental and has not been
> configured for use.  Unless you really want to experiment with it, I
> wouldn't recommend it.  Our focus has been on the RBAC and TE policies.
> Of course, you can even express a MLS policy as a TE configuration if you
> want, although the state space explodes if you have a lot of MLS levels.
> 

Thanks. James Morris got me past the first hurdle, but 
perhaps I will go back and drop the MLS option entirely
for now.

Also, have you included the Andrew Morton patches in your
newer release? If you are having odd compile failures
on Debian systems particularly with USB enabled, it's 
either that or downgrade binutils to an older less
strict one (or enable HOTPLUG for no other reason than
that it stops the bad bit of code from being left
hanging).

-- 
------------------------------------------------------
    Nuke bin Laden:           Dale Amon, CEO/MD
  improve the global          Islandone Society
     gene pool.               www.islandone.org
------------------------------------------------------

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Undefined refs in compile attempt

[Stephen Smalley]

On Wed, 12 Dec 2001, Dale Amon wrote:

> Also, have you included the Andrew Morton patches in your
> newer release? If you are having odd compile failures
> on Debian systems particularly with USB enabled, it's
> either that or downgrade binutils to an older less
> strict one (or enable HOTPLUG for no other reason than
> that it stops the bad bit of code from being left
> hanging).

No, our kernel tree is simply the mainstream kernel tree plus the LSM
kernel patch and the SELinux security module.  Assuming that the patches
to which you refer will show up in 2.4.17, we'll just pick them up when we
update to 2.4.17.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com






--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Admin help, Please

[Shaun Savage]

I have selinux up and running with the latest patches and utilities.  

during "install" i have three users,   root,musterman,zot.
root and musterman have sysadm_r and user_r roles
zot only has user_r

I can't get musterman to enter sysadm_r role.
I try "newrole" but I get error musterman,sysadm_r,sysadm_t  not valid

Where/ how do I check what user has what roles and how do I change the 
user roles?
Is there a user role managment system?

Shaun Savage




--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Admin help, Please

[Stephen Smalley]

On Wed, 12 Dec 2001, Shaun Savage wrote:

> I can't get musterman to enter sysadm_r role.
> I try "newrole" but I get error musterman,sysadm_r,sysadm_t  not valid
>
> Where/ how do I check what user has what roles and how do I change the
> user roles?
> Is there a user role managment system?

The authorized roles for each user are specified in the policy/users file.
So if musterman has sysadm_r listed in his authorized roles in the
policy/users file (and if you installed and booted with that policy, or
reloaded it dynamically via 'make load'), he should be able to enter that
role using newrole.

--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com




--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Undefined refs in compile attempt

[Dale Amon]

Okay, I'm making progress. I thought I'd report in just in case
our friend writing the book wants to follow what I do.

First, I took the newest version as Dr. Smalley suggested and
applied his two patches. I also applied the patch from Andrew
Morton on LKML to try to fix the problem that has shown up
because of the new, more restrictive binutils.

That failed. I believe the problem might be that there are
occurences of the problem that are in the lsm patch or the
selinux patches as it has to do with module exit code I
believe.

My second choice was to backoff to an older binutils and
do the ld using that.

  533  tar zxf 2001121010-SELINUX/lsm-selinux-2001121010.tgz 
  537  cd selinux/
  538  patch -p1 < ../2001121010-SELINUX/util-linux.patch
  545  cd ../lsm
  547  patch -p1 < ../2001121010-SELINUX/AndrewMorton-exit.patch 

  550  cd ../selinux/module/
  552  make insert
  554  cd ../../lsm
  555  patch -p1 < ../2001121010-SELINUX/module.patch 

  558  cp -a ../20011213-collective.config .config
  559  make oldconfig
  560  make menuconfig

	Downgrade to binutils_2.11.92.0.7-2_i386.deb

  562  make dep
  564  make bzImage
  565  make modules

Now since I am not building for this machine, I move everything
to a target "root" which I'll later tar up and copy over
to the test machine:

  571  cp -a System.map ../Selinux/boot/System.map-2.4.16-lsm 
  572  cp -a arch/i386/boot/bzImage ../Selinux/boot/vmlinuz-2.4.16-lsm 
  574  make INSTALL_MOD_PATH=/usr/src/Selinux/ modules_install

Since selinux doesn't have this feature, I edited the makefile and
added it. After I'm done I'd be happy to supply any patchfiles I
create in the process.

  577  cd ../selinux/module
	Patch Makefile to have ROOT variable

  587  make ROOT=/usr/src/Selinux/usr/local install

At this point I'm not yet clear whether I can
continue on the kernel factory or have to complete the
commands in the README over on the target machine. I'm
hoping not as it would be terribly awkward if I have to
move the source tree across just to finish.

So, I'm on to the next RTFM and RTFC step.

-- 
------------------------------------------------------
    Nuke bin Laden:           Dale Amon, CEO/MD
  improve the global          Islandone Society
     gene pool.               www.islandone.org
------------------------------------------------------

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.