From: <don...@is...> - 2017-05-22 23:19:38
Bruno Haible writes:
> Hi Don,
>
> > I attempted to make various things work with selinux before giving up,
>
> I would be interested to hear more about problems between libffcall
> and various security features of Linux distros.
>
> If you have a "How to reproduce" of libffcall running into trouble
> (with or without clisp), please report it to libffcall's mailing list:
> Distro, customizations/settings of the distro, compilation flags, etc.
>
> By "trouble" I mean something more serious than just a line in a log file.
>
> I'm asking because I tried to reproduce something but couldn't.
>
> Bruno
>

Here's my procedure:

downloaded from https://getfedora.org/en/server/download/ Fedora-Server-dvd-x86_64-25-1.3.iso (2GB)

start a virtual machine (using virtual machine manager in linux, but this shouldn't matter), install above (create user don to do builds)

login as root at console to find ip addr, then ssh to it as root.

yum update [now that I think of it, this probably just makes things less repeatable; it also takes a long time, so probably should have skipped it]

yum install emacs emacs-el gcc ncurses ncurses-devel ncurses-term ncurses-libs readline readline-devel

I think all the ncurses stuff is needed for readline, gcc needed for building stuff below, emacs needed just to live, also good for collecting transcripts.

Now I run emacs, start a shell buffer with the intent (frustrated in part as you see below) of using that buffer as a transcript for the rest.

I thought I'd save a little time (not clear I did) by scp'ing my hg directory to the vm. Interestingly, at this point I already see a bunch of AVC denied messages in /var/log/audit/audit.log

But at least I can see clisp/unix/INSTALL which says to get libsigsegv from http://sourceforge.net/projects/libsigsegv but that says it's moved to http://savannah.gnu.org/projects/libsigsegv/ (maybe you should update unix/INSTALL ?)

I use the browser of the host machine to get http://ftp.gnu.org/gnu/libsigsegv/libsigsegv-2.11.tar.gz and scp that to the VM (in /root)

gunzip, tar, cd, ./configure, make, make check, make install all seem to go smoothly; audit.log shows no additional avc's.

unix/INSTALL then says https://www.gnu.org/software/libffcall/ and that points me to https://haible.de/bruno/gnu/libffcall-1.13-20170225.tar.gz which I again scp to the vm

Now gunzip, tar, read instructions and do mkdir, cd, ../configure

At this point I see a new AVC in audit.log:

type=AVC msg=audit(1495493082.183:494): avc: denied { execheap } for pid=3540 comm="conftest" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0

The end of the configure shows:

checking for working shared memory... (cached) yes
checking for sys/sysmacros.h... (cached) yes
checking whether code in malloc()ed memory is executable... (cached) no
checking whether mprotect can make malloc()ed memory executable... (cached) no
checking whether mprotect can make mmap()ed memory executable... (cached) yes
configure: creating ./config.status
config.status: creating Makefile
config.status: creating config.h
config.status: creating trampoline_r.h
config.status: executing libtool commands
[root@localhost builddir]#

This is probably what you expect.

I now try make - no new AVC.

then make check - still no new AVC -- which surprises me. I thought the last time I tried make check it did result in AVC's.

then make install, still no avc

So now I try to build clisp: su don, cd to hg/clisp, hg pull - hg not yet installed, back out, install, su don, cd to hg/clisp, hg pull (1 changeset, 4 changes to 4 files, which I hope fixed the swedish problem that prevented last night's build)

Not sure why, but this seems to be my traditional configure:

./configure CC='gcc -m64' --with-libsigsegv-prefix=/usr/local --disable-maintainer-mode --with-debug --with-module=rawsock build-dir

no new avc's

configure says FFI yes, libsigsegv yes, readline no - so I guess I had to install something else to get that (any suggestions?) But this was not meant as a test of readline so I continue with make

It ends up with this - looks like a problem remaining from the recent addition of swedish:

gcc -m64 -I/home/don/hg/clisp/src -I/home/don/hg/clisp/build-dir/gllib -I/home/don/hg/clisp/src/gllib -g -O2 -W -Wswitch -Wcomment -Wpointer-arith -Wreturn-type -Wmissing-declarations -Wimplicit -Wno-sign-compare -Wno-format-nonliteral -Wno-shift-negative-value -fwrapv -fno-strict-aliasing -ggdb -O0 -DDEBUG_OS_ERROR -DDEBUG_SPVW -DDEBUG_BYTECODE -DSAFETY=3 -DENABLE_UNICODE -DNO_TERMCAP_NCURSES -DDYNAMIC_FFI -DDYNAMIC_MODULES -I. -I. -c ../src/modules.c
if test -d locale; then rm -rf locale; fi
mkdir locale
(cd po && make && make install datarootdir=.. localedir='$(datarootdir)/locale' INSTALL_DATA='ln') || (rm -rf locale ; exit 1)
make[1]: Entering directory '/home/don/hg/clisp/build-dir/po'
make[1]: *** No rule to make target 'sv.gmo', needed by 'all-yes'.  Stop.
make[1]: Leaving directory '/home/don/hg/clisp/build-dir/po'
Makefile:1382: recipe for target 'locale' failed
make: *** [locale] Error 1
[don@localhost build-dir]$

I'll leave this vm running (but idle) in hope of an update that will allow the build to continue.
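An added example, not part of Don's message or of libffcall/clisp: a small parser for audit.log records in the format of the AVC line quoted above, which picks out the executable-memory denials (execheap, execmem, execstack, execmod) that a libffcall configure run or a build using it can produce, so they can be reviewed rather than lost in the log. The sample log is constructed: it contains the page's execheap record plus an invented permissive-mode variant, and the "lisp.run" process name in that variant is an assumption.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log: line 1 is the record quoted in the message above,
# line 2 is the matching SYSCALL record, line 3 is an invented execmem denial
# logged in permissive mode (comm="lisp.run" is assumed, not from the page).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1495493082.183:494): avc: denied { execheap } for pid=3540 comm="conftest" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
type=SYSCALL msg=audit(1495493082.183:494): arch=c000003e syscall=10 success=no exit=-13
type=AVC msg=audit(1495493090.000:501): avc: denied { execmem } for pid=3601 comm="lisp.run" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=1
"""

# SELinux process permissions that all mean "make memory executable".
EXEC_MEMORY_PERMS = {"execheap", "execmem", "execstack", "execmod"}

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs; values may be double-quoted (comm="conftest") or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one AVC record into a dict; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        # permissive=0 means the denial was actually enforced (the call failed).
        "enforced": fields.get("permissive") == "0",
    }

def exec_memory_denials(log_text: str) -> List[Dict[str, object]]:
    """Return the parsed AVC denials that concern executable memory."""
    out = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["decision"] == "denied" and rec["tclass"] == "process" \
                and EXEC_MEMORY_PERMS.intersection(rec["perms"]):
            out.append(rec)
    return out
```

Running it over a real /var/log/audit/audit.log (read as root) shows which build step or binary asked for executable heap or anonymous memory and whether SELinux actually blocked it, which is the distinction Bruno asks about between "a line in a log file" and real trouble.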