gilamonster n00b


Joined: 10 Oct 2011 Posts: 23
|
Posted: Thu Oct 13, 2011 5:40 pm Post subject: Help with Gentoo Hardened Install on Linode |
|
|
I fear I have failed at my first attempt at Gentoo Hardened. But I cannot be sure. I have been following several guides to get started: a Linode-specific guide, plus a few tutorials at gentoo.org. The directions on what to do seem scattered. I did not have to build Gentoo from scratch - I used Linode's 64 bit image (old version, which I need to update).
I started with this guide: http://www.e-commo.de/2010/08/23/update-linodes-gentoo-2008-image/
I've copy/pasted my terminal input and output below in the hopes that someone knows why I am seeing so many errors:
I get a message saying 3 config files in /etc need updating. After a Google search, I decide to run etc-update.
I allow it to auto merge all remaining files as they seemed non-critical: /etc/local.gen
Terminal output recommends I emerge portage immediately, which I do.
I get another message in terminal recommending to update /etc files, so I run etc-update again.
I allow it to auto merge all files it wants to, including - /etc/etc-update.conf and /etc/logrotate.d/elog-save-summary
I continue with www.e-commo.de guide
| Code: | # eselect profile list
# eselect profile set 9 |
set 9 in this case means hardened/linux/amd64/selinux, because selinux sounds good? Didn't know what the optimal choice was and Google did not help.
| Code: | # eselect profile show
hardened/linux/amd64/selinux |
Next I read here: http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml -- recommends recompiling your system using a hardened toolchain after setting up your profile...
| Code: | # emerge --oneshot binutils gcc virtual/libc |
Which gives me the following weird output, pasted below:
| Code: | >>> Installing (5 of 5) sys-devel/gcc-4.5.3-r1
!!! Unable to set SELinux security labels
* The current gcc config appears valid, so it will not be
* automatically switched for you. If you would like to
* switch to the newly installed gcc version, do the
* following:
* gcc-config x86_64-pc-linux-gnu-4.5.3
* source /etc/profile
* Switching native-compiler to x86_64-pc-linux-gnu-4.4.4 ...
PORTAGE_BZIP2_COMMAND setting is invalid: 'bzip2'
PORTAGE_BZIP2_COMMAND setting from make.globals is invalid: 'bzip2'
!!! SELinux module not found. Please verify that it was installed.
>>> Regenerating /etc/ld.so.cache... [ ok ]
* If you have issues with packages unable to locate libstdc++.la,
* then try running 'fix_libtool_files.sh' on the old gcc versions.
* You might want to review the GCC upgrade guide when moving between
* major versions (like 4.2 to 4.3):
* http://www.gentoo.org/doc/en/gcc-upgrading.xml
* Messages for package sys-devel/gcc-4.5.3-r1:
* If you have issues with packages unable to locate libstdc++.la,
* then try running 'fix_libtool_files.sh' on the old gcc versions.
* You might want to review the GCC upgrade guide when moving between
* major versions (like 4.2 to 4.3):
* http://www.gentoo.org/doc/en/gcc-upgrading.xml
>>> Auto-cleaning packages...
>>> No outdated packages were found on your system. |
The output has me worried, so I google "SELinux module not found", and find: http://en.gentoo-wiki.com/wiki/SELinux#.21.21.21_SELinux_module_not_found._Please_verify_that_it_was_installed.
I then do the following:
| Code: | # python-updater && emerge python-selinux |
This gives me more weird output, including a bunch of "!!! SELinux module not found. Please verify that it was installed.
!!! SELinux module not found. Please verify that it was installed."
At this point I google "SELinux module not found". And I find here: http://en.gentoo-wiki.com/wiki/SELinux#.21.21.21_SELinux_module_not_found._Please_verify_that_it_was_installed. That I should mkdir /selinux then reboot. I do so.
| Code: | # mkdir /selinux
(rebooting ...) |
Now I figure everything is ok, so I am back to this guide and Code Listing 2.3: Switching to Hardened Toolchain: http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml
I switch to latest version of gcc-config:
| Code: | # gcc-config x86_64-pc-linux-gnu-4.5.3
# source /etc/profile
# gcc-config -l
[1] x86_64-pc-linux-gnu-4.4.4
[2] x86_64-pc-linux-gnu-4.5.3 *
[3] x86_64-pc-linux-gnu-4.5.3-hardenednopie
[4] x86_64-pc-linux-gnu-4.5.3-hardenednopiessp
[5] x86_64-pc-linux-gnu-4.5.3-hardenednossp
[6] x86_64-pc-linux-gnu-4.5.3-vanilla |
I keep following gentoo.org's Code Listing 2.3:
| Code: | # emerge -e --keep-going system |
several hours later ... I get the following output:
http://pastebin.com/xdAj8QQL
I assume I have messed up somewhere. Should I kill my Linode and start over? How should I do it correctly?
Last edited by gilamonster on Sun Oct 16, 2011 11:13 pm; edited 2 times in total |
phajdan.jr Developer


Joined: 23 Mar 2006 Posts: 1773 Location: Poland
|
Posted: Thu Oct 13, 2011 11:32 pm Post subject: |
|
|
I'm not sure if the SELinux stuff is fully supported yet. For now I'd suggest non-SELinux hardened. Your commands look good except for the SELinux thing. _________________ http://phajdan-jr.blogspot.com/ |
gilamonster n00b


Joined: 10 Oct 2011 Posts: 23
|
Posted: Fri Oct 14, 2011 7:31 am Post subject: |
|
|
Thanks to phajdan, I'm happy to report things went much more smoothly after eselecting the "hardened/linux/amd64" profile. However, the shell still spewed quite a few warning/error messages when running "emerge -e --keep-going system" the first time around. The command line comments seem helpful enough though. I'm going to handle the important looking ones, then run "emerge -e --keep-going system" again.
Let's see what happens! I see it's a best practice to run emerge -e system and emerge -e world twice anyway. Src: https://forums.gentoo.org/viewtopic-t-282474-highlight-toolchain.html
Edit: Word to the wise - if you're on a Mac, consider running Caffeine.app, and/or using the tee or script command when doing an emerge system. If you don't, you risk logging out and not seeing the important stdout suggestions Gentoo provides to debug your system.
I'm really close to finishing this install, but I still have a strange udev warning message. But is it relevant to a Linode install with the 3.0 kernel?
| Code: | * Messages for package sys-fs/udev-164-r2:
* Unable to find kernel sources at /usr/src/linux
* Unable to calculate Linux Kernel version for build, attempting to use running version
* CONFIG_SYSFS_DEPRECATED: should not be set. But it is.
* Please check to make sure these options are set correctly.
* Failure to do so may cause unexpected problems.
*
* udev-164 does not support Linux kernel before version 2.6.25!
* For a reliable udev, use at least kernel 2.6.27
*
* restarting udevd now.
*
* If after the udev update removable devices or CD/DVD drives
* stop working, try re-emerging HAL before filling a bug report
*
* persistent-net does assigning fixed names to network devices.
* If you have problems with the persistent-net rules,
* just delete the rules file
* rm /etc/udev/rules.d/70-persistent-net.rules
* and then reboot.
*
* This may however number your devices in a different way than they are now.
*
* If you build an initramfs including udev, then please
* make sure that the /sbin/udevadm binary gets included,
* and your scripts changed to use it,as it replaces the
* old helper apps udevinfo, udevtrigger, ...
*
* mount options for directory /dev are no longer
* set in /etc/udev/udev.conf, but in /etc/fstab
* as for other directories.
*
* If you use /dev/md/*, /dev/loop/* or /dev/rd/*,
* then please migrate over to using the device names
* /dev/md*, /dev/loop* and /dev/ram*.
* The devfs-compat rules have been removed.
* For reference see Bug #269359.
*
* Rules for /dev/hd* devices have been removed
* Please migrate to libata. |
I found a guide on migrating to libata:
https://forums.gentoo.org/viewtopic-p-6362608.html#6362608
But it appears to apply more if you've built everything from scratch, which I didn't have to do on Linode. Should I still try to migrate to libata to fix this, even though my Linode is running the 3.0 kernel?
Might this warning message have something to do with it?
| Code: | * Messages for package sys-kernel/linux-headers-2.6.36.1:
* Note: Even though you have successfully unmerged
* your kernel package, directories in kernel source location:
* /usr/src/linux-2.6.36.1
* with modified files will remain behind. By design, package managers
* will not remove these modified files and the directories they reside in. |
Thanks for your help. |
phajdan.jr Developer


Joined: 23 Mar 2006 Posts: 1773 Location: Poland
|
Posted: Sat Oct 15, 2011 2:50 am Post subject: |
|
|
You definitely shouldn't have CONFIG_SYSFS_DEPRECATED enabled. _________________ http://phajdan-jr.blogspot.com/ |
gilamonster n00b


Joined: 10 Oct 2011 Posts: 23
|
Posted: Sat Oct 15, 2011 5:39 am Post subject: |
|
|
In trying to disable CONFIG_SYSFS_DEPRECATED, I've been looking in /etc/genkernel.conf, and I think I've found a problem.
| Code: | # Default location of kernel source
DEFAULT_KERNEL_SOURCE="/usr/src/linux" |
/usr/src/linux is an empty directory. I'm guessing this explains "Unable to find kernel sources at /usr/src/linux". The problem is, I have no idea where my kernel source would be. I've spent the last few hours poring through my file system and googling to no avail. Any tips on where to start looking for the kernel source?
If relevant:
| Code: | # cat /proc/version
Linux version 3.0.4-x86_64-linode21 (root@build.linode.com) (gcc version 4.4.3 (Ubuntu 4.4.3-4ubuntu5) ) #1 SMP Thu Sep 1 21:28:01 EDT 2011
# gcc-config -l
[1] x86_64-pc-linux-gnu-4.4.5
[2] x86_64-pc-linux-gnu-4.4.5-hardenednopie
[3] x86_64-pc-linux-gnu-4.4.5-hardenednopiessp
[4] x86_64-pc-linux-gnu-4.4.5-hardenednossp
[5] x86_64-pc-linux-gnu-4.4.5-vanilla
[6] x86_64-pc-linux-gnu-4.5.3 *
[7] x86_64-pc-linux-gnu-4.5.3-hardenednopie
[8] x86_64-pc-linux-gnu-4.5.3-hardenednopiessp
[9] x86_64-pc-linux-gnu-4.5.3-hardenednossp
[10] x86_64-pc-linux-gnu-4.5.3-vanilla |
^^^ I've set GCC to 4.5.3, yet /cat/proc says 4.4.3. Weird.
I'm about ready to start all over and figure out Linode's pv-grub method of configuring a kernel from scratch.
I can't figure out how to disable CONFIG_SYSFS_DEPRECATED; I've searched everywhere. |
phajdan.jr Developer


Joined: 23 Mar 2006 Posts: 1773 Location: Poland
|
Posted: Sat Oct 15, 2011 5:26 pm Post subject: |
|
|
emerge gentoo-sources, I also have no idea where linode puts them (maybe they even remove the sources from the image) _________________ http://phajdan-jr.blogspot.com/ |
Hu Watchman

Joined: 06 Mar 2007 Posts: 9533
|
Posted: Sat Oct 15, 2011 6:33 pm Post subject: |
|
|
| gilamonster wrote: | Any tips on where to start looking for the kernel source? |
Portage normally installs the sources into /usr/src/linux-version-specific. If you have USE=symlink, it will also update the /usr/src/linux symlink to point to the newly installed source.
| gilamonster wrote: |
| Code: | # cat /proc/version
Linux version 3.0.4-x86_64-linode21 (root@build.linode.com) (gcc version 4.4.3 (Ubuntu 4.4.3-4ubuntu5) ) #1 SMP Thu Sep 1 21:28:01 EDT 2011 |
^^^ I've set GCC to 4.5.3, yet /cat/proc says 4.4.3. Weird. |
The version shown is the version that was used to build your kernel, not the version that will be run when you do gcc -v.
| gilamonster wrote: | I can't figure out how to disable CONFIG_SYSFS_DEPRECATED; I've searched everywhere. |
Have you searched in the menuconfig tool used to configure installed kernel sources? |
gilamonster n00b


Joined: 10 Oct 2011 Posts: 23
|
Posted: Sat Oct 15, 2011 9:06 pm Post subject: |
|
|
Successfully emerged hardened-sources
Now usr/src/linux/ and usr/src/linux-3.0.4-hardened-r1/ are full of files.
Rebooted
Still seeing:
| Code: | # cat /proc/version
Linux version 3.0.4-x86_64-linode21 (root@build.linode.com) (gcc version 4.4.3 (Ubuntu 4.4.3-4ubuntu5) ) #1 SMP Thu Sep 1 21:28:01 EDT 2011 |
I assume I can disable CONFIG_SYSFS_DEPRECATED now, if I knew where to find it.
In which file can I disable CONFIG_SYSFS_DEPRECATED?
Last edited by gilamonster on Sun Oct 16, 2011 3:25 am; edited 1 time in total |
Hu Watchman

Joined: 06 Mar 2007 Posts: 9533
|
Posted: Sat Oct 15, 2011 9:13 pm Post subject: |
|
|
That is a setting in your kernel configuration, like all the other CONFIG_ symbols. You can change it using make menuconfig, make xconfig, or one of the other variants. However, if you do not boot into the newly built kernel, then changing it will have no effect. According to your /proc/version output, you are still booting into the Linode-supplied kernel. |
gilamonster n00b


Joined: 10 Oct 2011 Posts: 23
|
Posted: Sun Oct 16, 2011 3:08 am Post subject: |
|
|
It appears I must choose Linode's PV-Grub kernel after I finish this Linux/x86_64 3.0.4-hardened-r1 Kernel Configuration. That's why I'm not seeing the hardened kernel in cat /proc/version, and instead seeing CONFIG_SYSFS_DEPRECATED crap. It's being forced to run Linode's kernel ...
Here's the goal right now:
1) Configure this hardened kernel correctly (questions below)
2) Modify menu.lst in accordance with Linode's PV-Grub guide
3) Run "merge -na =sys-apps/gradm-2.2.2" before booting up this kernel
4) GIANT QUESTION MARK: possibly run "make && make modules_install" to compile this kernel????
5) Reboot with Linode's PV-Grub special option, and PRAY
At the moment, I'm inside menuconfig, and I have the following options (Xen-related):
| Code: | --- Paravirtualized guest support
│ │ [*] Xen guest support
│ │ [ ] Enable Xen debug and tuning parameters in debugfs (NEW)
│ │ [ ] Enable Xen debug checks (NEW)
│ │ [ ] KVM paravirtualized clock (NEW)
│ │ [ ] KVM Guest support (NEW)
│ │ -*- Enable paravirtualization code
│ │ [ ] Paravirtualization layer for spinlocks (NEW) |
But (of course!) ... Linode's PV-Grub guide strongly suggests enabling all of these options:
| Code: | CONFIG_PARAVIRT_GUEST=y
CONFIG_XEN=y
CONFIG_PARAVIRT=y
CONFIG_PARAVIRT_CLOCK=y
CONFIG_XEN_BLKDEV_FRONTEND=y
CONFIG_XEN_NETDEV_FRONTEND=y
CONFIG_HVC_XEN=y
CONFIG_XEN_BALLOON=y
CONFIG_XEN_SCRUB_PAGES=y |
So where do you enable all of these options in the menuconfig GUI? Should I be editing a dotfile instead of using the GUI?
My next question is how to write menu.lst. There is a blatant discrepancy between Linode's recommendations and Gentoo's documentation in my current menu.lst file.
According to Linode:
| Quote: | A menu.lst is necessary for unattended boot. If pv-grub cannot find one, it will drop to a command line on the lish console, waiting for you to specify a kernel. The format is the same as that used by standard grub. The only noteworthy difference is the change of root from (hd0,0) to (hd0). Note that stock Linode images do not come with a menu.lst file - you will need to create one at /boot/grub/menu.lst.
Here is an example:
default 0
timeout 5
title Gentoo GNU/Linux 2.6.27-gentoo-r5
root (hd0)
kernel /boot/kernel-2.6.27-gentoo-r5 root=/dev/xvda ro |
According to the Gentoo devs:
| Quote: | File: /boot/grub/menu.lst
# This is a sample grub.conf for use with Genkernel, per the Gentoo handbook
# http://www.gentoo.org/doc/en/handbook/handbook-x86.xml?part=1&chap=10#doc_chap2
# If you are not using Genkernel and you need help creating this file, you
# should consult the handbook. Alternatively, consult the grub.conf.sample that
# is included with the Grub documentation.
default 0
timeout 30
#splashimage=(hd0,0)/boot/grub/splash.xpm.gz
#title Gentoo Linux 2.6.24-r5
#root (hd0,0)
#kernel /boot/kernel-genkernel-x86-2.6.24-gentoo-r5 root=/dev/ram0 real_root=/dev/sda3
#initrd /boot/initramfs-genkernel-x86-2.6.24-gentoo-r5
# vim:ft=conf: |
Last edited by gilamonster on Sun Oct 16, 2011 3:28 am; edited 2 times in total |
Hu Watchman

Joined: 06 Mar 2007 Posts: 9533
|
Posted: Sun Oct 16, 2011 3:26 am Post subject: |
|
|
Never edit .config directly. There are dependencies among various features, which menuconfig will fix up for you if you use it to configure your kernel.
Yes, you must build and install the kernel if you expect to boot it later.
Since Linode uses a modified grub, you should use their instructions to configure it. |
Sven Vermeulen Developer


Joined: 29 Aug 2002 Posts: 1345 Location: Mechelen, Belgium
|
Posted: Sun Oct 16, 2011 5:09 pm Post subject: |
|
|
SELinux is fully supported, but you'll need to follow the instructions on Gentoo Hardened SELinux Handbook to get it working. It's not a simple "switch" to enable or disable SELinux. It also requires some knowledge on how SELinux works, as it enhances the security methods within Linux. _________________ Please add "[solved]" to the initial topic title when it is solved. TIA.
Linux Sea (PDF), an online e-book on Gentoo Linux |
gilamonster n00b


Joined: 10 Oct 2011 Posts: 23
|
Posted: Sun Oct 16, 2011 8:52 pm Post subject: |
|
|
| Sven Vermeulen wrote: | | SELinux is fully supported, but you'll need to follow the instructions on Gentoo Hardened SELinux Handbook to get it working. It's not a simple "switch" to enable or disable SELinux. It also requires some knowledge on how SELinux works, as it enhances the security methods within Linux. |
Thanks - I've been following your SELinux handbook and the regular handbook. Note that there are multiple Gentoo websites out there, for instance gentoo-wiki.com/wiki/SELinux. In addition, I must follow Linode's directions for booting a custom kernel. It can get quite confusing.
I'm currently stalled on SELinux handbook directions, in particular:
1) I don't know if my /tmp directory is tmpfs-mounted or not. When I "ls /" the tmp directory does have a green background.
| Quote: | Optional: Setting the filesystem contexts
If your /tmp location is a tmpfs-mounted file system, then you need to tell the kernel that the root context of this location is tmp_t instead of tmpfs_t. Many SELinux policy objects (including various server-level policies) assume that /tmp is tmp_t. |
2) The file "/etc/portage/package.accept_keywords/selinux" does not exist. Should I create it manually?
| Quote: | Enabling ~Arch Packages
The current stable SELinux related packages are not fit for use anymore (or are even broken) so we seriously recommend to enable ~arch packages for SELinux. Add the following settings to the right file (for instance /etc/portage/package.accept_keywords/selinux):
Code Listing 1.3: SELinux ~arch packages
=sys-process/vixie-cron-4.1-r11 |
3) I don't know where to enable these options in menuconfig. My Linode won't boot the hardened kernel unless I enable these (Xen / PV-Grub related) options:
| Code: | CONFIG_PARAVIRT_GUEST=y
CONFIG_XEN=y
CONFIG_PARAVIRT=y
CONFIG_PARAVIRT_CLOCK=y
CONFIG_XEN_BLKDEV_FRONTEND=y
CONFIG_XEN_NETDEV_FRONTEND=y
CONFIG_HVC_XEN=y
CONFIG_XEN_BALLOON=y
CONFIG_XEN_SCRUB_PAGES=y |
After, I can compile the kernel and move on.
_________________________
#### Mini-Summary ####
_________________________
Looking at the official SELinux Handbook (http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=2&chap=1), I have to:
- Set the filesystem contexts
- Enable ~Arch Packages
- Update make.conf
- menuconfig the kernel
- Update fstab
- Compile the kernel
- Set up menu.lst and Linode's special PV-grub boot loader
- Reboot and continue configuring SELinux
The only steps I've taken out of order are "emerge --keep-going system" about 4 times after installing GCC, switching to the "hardened/linux/amd64" profile, and running "emerge hardened-sources". I hope this is not cause for starting over.
I am reading Hardening Linux, and all that I can about SELinux. I'm fully willing (and able!) to blow this server up in the name of learning Gentoo Hardened. |
gilamonster n00b


Joined: 10 Oct 2011 Posts: 23
|
Posted: Tue Oct 18, 2011 4:16 am Post subject: |
|
|
I'm getting lots of mismatch errors when I make the kernel. By the way - previously, I couldn't find the Xen options inside menuconfig; that's because they aren't in the GUI. I manually scanned through the .config file after selecting one Xen related option in menuconfig to make sure everything Linode wanted was properly selected, and magically it was. But, going through SELinux Handbook's menuconfig, I was unable to select options "Segmentation based non-executable pages", "Randomize ET_EXEC base", or "Default Linux Capabilities". This is for the Linux/x86_64 3.0.4-hardened-r1 Kernel.
I ran make && make_modules, and got thousands of errors:
| Code: | # make CONFIG_DEBUG_SECTION_MISMATCH=y
CHK include/linux/version.h
CHK include/generated/utsrelease.h
CALL scripts/checksyscalls.sh
CHK include/generated/compile.h
Kernel: arch/x86/boot/bzImage is ready (#2)
Building modules, stage 2.
MODPOST 6 modules
WARNING: drivers/scsi/scsi_wait_scan.o(.text+0x4): Section mismatch in reference from the function __inittest() to the function .init.text:wait_scan_init()
The function __inittest() references
the function __init wait_scan_init().
This is often because __inittest lacks a __init
annotation or the annotation of wait_scan_init is wrong.
WARNING: drivers/scsi/scsi_wait_scan.o(.text+0x14): Section mismatch in reference from the function __exittest() to the function .exit.text:wait_scan_exit()
The function __exittest() references a function in an exit section.
Often the function wait_scan_exit() has valid usage outside the exit section
and the fix is to remove the __exit annotation of wait_scan_exit.
WARNING: drivers/xen/xen-gntalloc.o(.text+0xcf4): Section mismatch in reference from the function __inittest() to the function .init.text:gntalloc_init()
The function __inittest() references
the function __init gntalloc_init().
This is often because __inittest lacks a __init
annotation or the annotation of gntalloc_init is wrong.
WARNING: drivers/xen/xen-gntalloc.o(.text+0xd04): Section mismatch in reference from the function __exittest() to the function .exit.text:gntalloc_exit()
The function __exittest() references a function in an exit section.
Often the function gntalloc_exit() has valid usage outside the exit section
and the fix is to remove the __exit annotation of gntalloc_exit.
WARNING: drivers/xen/xen-gntdev.o(.text+0x15c4): Section mismatch in reference from the function __inittest() to the function .init.text:gntdev_init()
The function __inittest() references
the function __init gntdev_init().
This is often because __inittest lacks a __init
annotation or the annotation of gntdev_init is wrong.
WARNING: drivers/xen/xen-gntdev.o(.text+0x15d4): Section mismatch in reference from the function __exittest() to the function .exit.text:gntdev_exit()
The function __exittest() references a function in an exit section.
Often the function gntdev_exit() has valid usage outside the exit section
and the fix is to remove the __exit annotation of gntdev_exit.
WARNING: drivers/xen/xen-platform-pci.o(.text+0xb4): Section mismatch in reference from the function __inittest() to the function .init.text:platform_pci_module_init()
The function __inittest() references
the function __init platform_pci_module_init().
This is often because __inittest lacks a __init
annotation or the annotation of platform_pci_module_init is wrong.
WARNING: drivers/xen/xen-platform-pci.o(.data+0x40): Section mismatch in reference from the variable platform_driver to the function .text:platform_pci_resume()
WARNING: net/netfilter/xt_mark.o(.text+0x64): Section mismatch in reference from the function __inittest() to the function .init.text:mark_mt_init()
The function __inittest() references
the function __init mark_mt_init().
This is often because __inittest lacks a __init
annotation or the annotation of mark_mt_init is wrong.
WARNING: net/netfilter/xt_mark.o(.text+0x74): Section mismatch in reference from the function __exittest() to the function .exit.text:mark_mt_exit()
The function __exittest() references a function in an exit section.
Often the function mark_mt_exit() has valid usage outside the exit section
and the fix is to remove the __exit annotation of mark_mt_exit. |
Does anyone know what to make of this?
To update my previous post,
1) Figured out that my /etc dir is tmpfs mounted.
2) Added "/etc/portage/package.accept_keywords/selinux" manually
3) Enabling one xen option inside the menuconfig gui enabled all xen options required by Linode
Still haven't adjusted menu.lst; still haven't tried booting into this hardened kernel yet. |
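
The manual scan of .config described in the post above can be done as a read-only check, in line with the advice earlier in the thread never to edit .config directly. This is an added example, not part of any post and not Linode's or Gentoo's tooling: the function names are hypothetical, the sample .config is constructed, and the option lists are the Linode PV-Grub list and the udev warning quoted in the thread.

```shell
#!/bin/sh
# Added example: read-only audit of a kernel .config. It never writes to the file.

# Must be built in (=y): the Linode PV-Grub list quoted in the thread.
REQUIRED_OPTS="CONFIG_PARAVIRT_GUEST CONFIG_XEN CONFIG_PARAVIRT
CONFIG_PARAVIRT_CLOCK CONFIG_XEN_BLKDEV_FRONTEND CONFIG_XEN_NETDEV_FRONTEND
CONFIG_HVC_XEN CONFIG_XEN_BALLOON CONFIG_XEN_SCRUB_PAGES"
# Must stay unset: the udev-164 warning quoted in the thread.
FORBIDDEN_OPTS="CONFIG_SYSFS_DEPRECATED"

# config_value FILE OPTION: print the option's value, or "n" when it is
# absent or written as "# OPTION is not set". The trailing "=" in the
# pattern keeps CONFIG_XEN from matching CONFIG_XEN_BALLOON.
config_value() {
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1)
    printf '%s\n' "${val:-n}"
}

# audit_kernel_config FILE: print one line per problem.
# Returns 0 when the config is clean, 1 on problems, 2 if unreadable.
audit_kernel_config() {
    cfg=$1
    problems=0
    [ -r "$cfg" ] || { echo "cannot read $cfg"; return 2; }
    for opt in $REQUIRED_OPTS; do
        v=$(config_value "$cfg" "$opt")
        if [ "$v" != "y" ]; then
            # =m counts as a problem: the list asks for =y.
            echo "MISSING  $opt (found: $v, need: y)"
            problems=$((problems + 1))
        fi
    done
    for opt in $FORBIDDEN_OPTS; do
        v=$(config_value "$cfg" "$opt")
        if [ "$v" != "n" ]; then
            echo "ENABLED  $opt (found: $v, should be unset)"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# write_sample_config FILE: constructed sample, not taken from a real system.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_PARAVIRT_GUEST=y
CONFIG_XEN=y
CONFIG_PARAVIRT=y
CONFIG_PARAVIRT_CLOCK=y
CONFIG_XEN_BLKDEV_FRONTEND=m
CONFIG_XEN_NETDEV_FRONTEND=y
CONFIG_HVC_XEN=y
CONFIG_XEN_BALLOON=y
# CONFIG_XEN_SCRUB_PAGES is not set
CONFIG_SYSFS_DEPRECATED=y
EOF
}

# With a path argument (e.g. /usr/src/linux/.config) audit that file;
# with no argument, audit the constructed sample.
if [ "$#" -ge 1 ]; then
    audit_kernel_config "$1"
else
    sample=$(mktemp) && write_sample_config "$sample"
    audit_kernel_config "$sample" || echo "sample config: problems found"
    rm -f "$sample"
fi
```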
issiah n00b

Joined: 23 Aug 2005 Posts: 11 Location: canada
|
Posted: Sun Dec 04, 2011 5:17 am Post subject: |
|
|
First you have selinux profile set and not a hardened profile only. Second, if you are building selinux then follow the gentoo guide. If building hardened grsec then follow that guide. Seems like you set the wrong profile then rebuilt your entire system. _________________ hfaaa488% |