Arch Linux User Repository

Dependency hwids as it seems got replaced by core/hwdata.

Therefore in the list of dependencies, this should be replaced.

I think I meet some problems. I am trying to upgrade systemd-selinux from 245.6-7 to 245.6-8. However, when I started building this package, I always get an error from ninja, it says failed to compile systemd-journal-remote@exe/src_journal-remote_journal-remote-main.c.o. This is github issue address: https://github.com/archlinuxhardened/selinux/issues/31 So is there anyone can help me? Thanks for your help. What's more, I also met a issiue that system cannot unmount /run/user/1000 when powering off, it results that system spends too much time on stopping. I am trying to upgrade systemd-selinux to try to solve this problem because I have googled this problem and it may be systemd's fault, but I find that I can't finish compiling new version...

IooNAg: "if you want help, please report error messages in English (you can override your locale using "export LANG=C" before running "makepkg", for example)." Thank you it does help :-)

NobodyDBG: if you want help, please report error messages in English (you can override your locale using "export LANG=C" before running "makepkg", for example). Moreover for copying large error messages, opening an issue on https://github.com/archlinuxhardened/selinux is more appropriate.

I need your help:

Found ninja-1.10.0 at /usr/bin/ninja ninja: Entering directory `build' [1555/1921] Linking target test-load-fragment FAILED: test-load-fragment cc -o test-load-fragment 'test-load-fragment@exe/src_test_test-load-fragment.c.o' -flto -Wl,--as-needed -Wl,--no-undefined -pie -Wl,-z,relro -Wl,-z,now -fstack-protector -Wl,--gc-sections -march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fno-plt -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now -Wl,--start-group src/core/libcore.a src/core/libcore-shared.a src/shared/libsystemd-shared-245.so -pthread -lrt /usr/lib/libseccomp.so /usr/lib/libselinux.so /usr/lib/libmount.so /usr/lib/libblkid.so -lpam /usr/lib/libaudit.so /usr/lib/libkmod.so -Wl,--end-group '-Wl,-rpath,$ORIGIN/src/core:$ORIGIN/src/shared' -Wl,-rpath-link,/tmp/yaourt-tmp-kevin/aur-systemd-selinux/src/build/src/core -Wl,-rpath-link,/tmp/yaourt-tmp-kevin/aur-systemd-selinux/src/build/src/shared lto1: schwerwiegender Fehler: Bytecode-Strom in Datei »src/core/libcore.a«, mit einem älteren GCC-Compiler als 10.0 erzeugt Kompilierung beendet. lto-wrapper: schwerwiegender Fehler: /usr/bin/cc gab Ende-Status 1 zurück Kompilierung beendet. /usr/bin/ld: error: lto-wrapper failed collect2: Fehler: ld gab 1 als Ende-Status zurück [1564/1921] Linking target src/udev/scsi_id ninja: build stopped: subcommand failed. ==> FEHLER: Ein Fehler geschah in build(). Breche ab... ==> FEHLER:Makepkg konnte systemd-selinux nicht erstellen. ==> Erstellen von systemd-selinux neu starten?[j/N] ==> ----------------------------------------------- ==> n

sorin-mihai: I have updated the package. For your information, when you update your system and a dependency of systemd gets updated, you need to check whether systemctl still works and whether "ldd /usr/lib/systemd/systemd" does not report any library with "=> not found". If there are issues there, rebuilding systemd-selinux should be enough in order to fix the broken library dependencies, like any package in the AUR that depends on libraries that are upgraded to a different ".so version".

In case it helps someone, I am using a script that works like Gentoo's revdep-rebuild tool in order to detect such breakage on my system. I have published it on https://github.com/fishilico/home-files/blob/master/bin/find-broken-libdep

Just marked the package as out-of date

• core/systemd is now 242.32-3
• when trying to update iptables to 1:1.8.3-1 I got this error: /usr/bin/systemctl: error while loading shared libraries: libip4tc.so.0: cannot open shared object file: No such file or directory

As a result the rebuilt initramfs is unbootable. The only workaround I used so far is to keep iptables at 1:1.8.2-1 blacklisting it from upgrade in /etc/pacman.conf

Anyone that needs to recover from an unbootable system related to this, can get the previous iptables from https://archive.org/download/archlinux_pkg_iptables/iptables-1\:1.8.2-1-x86_64.pkg.tar.xz and install it from a live usb in a mounted chroot. Usuall recovery I'd say, while in chroot just install the package and rebuild the initramfs with mkinitcpio

Arch's systemd has already backported 2 patches to fix https://bugs.archlinux.org/task/62483 and I've submitted a pull request for you to do the same. Thanks! https://github.com/archlinuxhardened/selinux/pull/22

@kvnbai

journalctl --vacuum-size=100M

may fix the problem.

@kvnbai Does the issue also exist when you build the offical systemd package from source? This does not looks like something specific to modifications related to SELinux.

@yar: the last time I tried to use makechrootpkg, it required root privileged. Which is why I tried to use it with fakeroot+fakechroot and proot (https://github.com/fishilico/home-files/blob/master/bin/makecleanpkg + https://github.com/archlinuxhardened/selinux/blob/master/build_cleanpkg.sh). Unfortunately it does not work with systemd package, cf. https://github.com/archlinuxhardened/selinux/blob/master/build_cleanpkg.sh#L137-L147 For information, this is the major bug preventing me to set up a "user package repository" with SELinux packages which would be compiled by an Continuous Integration system every time a package is built.

I highly recommend building with makechrootpkg https://wiki.archlinux.org/index.php/DeveloperWiki:Building_in_a_clean_chroot

@IooNag

The build only fails when using 1 CPU (using VM), giving my VM atleast 2 CPUs solves the issue. I'm not sure if this is a large issue, so I'll just leave a comment here:

Is your system up-to-date? Yes tested on the newest stable manjaro-i3 release. I updated the system before following the wiki.

Are you using an x86-64 CPU? Yes

Did you try building systemd-selinux in a freshly installed system? Yes

Does /home/test/.cache/yay/systemd-selinux/src/build/test-journal-flush exist, and if yes, does it show the same error when you run it directly? Yes it exists and it shows the same error when executed, the files that the script wish to create are also created in /tmp

Is SELinux enabled on your system? SELinux is disabled

Prep before isntalling SELinux: Removed mlocate because the AUR helper I use can only remove findutils while installing findutils-selinux

@kvnbai: the package builds fine on my (up to date) system. Could you please give more details about your issue on https://github.com/archlinuxhardened/selinux/issues , which would allow me to reproduce the failure? Here are some questions which help in a bug report: Is your system up-to-date? Are you using an x86-64 CPU? Did you try building systemd-selinux in a freshly installed system? Does /home/test/.cache/yay/systemd-selinux/src/build/test-journal-flush exist, and if yes, does it show the same error when you run it directly? Is SELinux enabled on your system? If yes, in which mode and policy (cf. the output of "sestatus -v")? Does test-journal-flush trigger AVC denials in audit.log?

Cant build the package

...
228/318 test-journal-stream OK 0.02 s
229/318 test-journal-flush FAIL 0.28 s (killed by signal 6 SIGABRT)
230/318 test-journal-init OK 0.12 s ...
Full log written to /home/test/selinux/systemd-selinux/src/build/meson-logs/testlog.txt
==> ERROR: A failure occurred in check().
Aborting...

Logfile:

229/318 test-journal-flush FAIL 0.32 s (killed by signal 6 SIGABRT)
--- command ---
PATH='/home/test/.cache/yay/systemd-selinux/src/build:/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl' SYSTEMD_LANGUAGE_FALLBACK_MAP='/home/test/.cache/yay/systemd-selinux/src/systemd-stable/src/locale/language-fallback-map' SYSTEMD_KBD_MODEL_MAP='/home/test/.cache/yay/systemd-selinux/src/systemd-stable/src/locale/kbd-model-map' /home/test/.cache/yay/systemd-selinux/src/build/test-journal-flush
--- stderr ---
Assertion 'r >= 0' failed at ../systemd-stable/src/journal/test-journal-flush.c:43, function main(). Aborting. Aborted (core dumped)

Thank you. It works now.

Thanks for the report! This issue was caused by glibc 2.28, which introduced "struct statx" in its headers (this structure is now defined both in /usr/include/linux/stat.h and /usr/include/bits/statx.h). systemd developers fixed this issue in https://github.com/systemd/systemd/commit/75720bff62a84896e9a0654afc7cf9408cf89a38 and I have updated systemd-selinux in order to backport this commit. Does it work better?

In file included from ../systemd-stable/src/basic/missing.h:18, from ../systemd-stable/src/basic/util.h:28, from ../systemd-stable/src/basic/hashmap.h:11, from ../systemd-stable/src/libsystemd/sd-bus/bus-match.h:9, from ../systemd-stable/src/libsystemd/sd-bus/bus-internal.h:14, from ../systemd-stable/src/libsystemd/sd-bus/bus-convenience.c:5: /usr/include/linux/stat.h:56:8: Fehler: Redefinition von »struct statx_timestamp« struct statx_timestamp { ^~~~~~~~~~~~~~~ In file included from /usr/include/sys/stat.h:446, from ../systemd-stable/src/basic/util.h:19, from ../systemd-stable/src/basic/hashmap.h:11, from ../systemd-stable/src/libsystemd/sd-bus/bus-match.h:9, from ../systemd-stable/src/libsystemd/sd-bus/bus-internal.h:14, from ../systemd-stable/src/libsystemd/sd-bus/bus-convenience.c:5: /usr/include/bits/statx.h:25:8: Anmerkung: ursprünglich hier definiert struct statx_timestamp ^~~~~~~~~~~~~~~ In file included from ../systemd-stable/src/basic/missing.h:18, from ../systemd-stable/src/basic/util.h:28, from ../systemd-stable/src/basic/hashmap.h:11, from ../systemd-stable/src/libsystemd/sd-bus/bus-match.h:9, from ../systemd-stable/src/libsystemd/sd-bus/bus-internal.h:14, from ../systemd-stable/src/libsystemd/sd-bus/bus-convenience.c:5: /usr/include/linux/stat.h:99:8: Fehler: Redefinition von »struct statx« struct statx { ^~~~~ In file included from /usr/include/sys/stat.h:446, from ../systemd-stable/src/basic/util.h:19, from ../systemd-stable/src/basic/hashmap.h:11, from ../systemd-stable/src/libsystemd/sd-bus/bus-match.h:9, from ../systemd-stable/src/libsystemd/sd-bus/bus-internal.h:14, from ../systemd-stable/src/libsystemd/sd-bus/bus-convenience.c:5: /usr/include/bits/statx.h:36:8: Anmerkung: ursprünglich hier definiert struct statx ^~~~~ [23/1574] Generating af-from-name.gperf with a meson_exe.py custom command. ninja: build stopped: subcommand failed. ==> FEHLER: Ein Fehler geschah in build(). Breche ab... ==> FEHLER:Makepkg konnte systemd-selinux nicht erstelle

For information, there is small issue with systemd's NSSwitch component in the next release (v239) which leads to spurious error messages in semanage (cf. https://marc.info/?l=selinux&m=153116776608062&w=2 , glibc bug https://sourceware.org/bugzilla/show_bug.cgi?id=23410 and systemd bug https://github.com/systemd/systemd/issues/9585). This is why this package has not been updated.

A combination of using -C with makepkg and remounting my /tmp partition as exec for the duration of the compile solved my problem, are the values that were needed for a successful compile (such as FIB_RULE_UID_RANGE and SIZEOF_*_T) searched out by something in the tmp directory? Thank you for pointing me in the direction I needed.

@KenoCooper1810: I did not succeed to reproduce your issue (linux-hardened 4.13.16.a-1, linux-api-headers 4.12.7-1). I have struct fib_rule_uid_range in /usr/include/linux/fib_rules.h and src/systemd/src/basic/missing.h, and I also have in src/systemd/build/config.h: #define HAVE_STRUCT_FIB_RULE_UID_RANGE 1 Did you try to remove the src/systemd/build/ directory before building (or even the whole src directory with "makepkg -C")?

This will not build on an Arch install running the hardened kernel with the latest version of linux-api-headers. Whether using 'configure && make' or 'makepkg -ALcs' the naming conflict is the same: ninja -C build ninja: Entering directory `build' [158/1853] Compiling C object 'src/libsystemd/systemd@sta/sd-netlink_netlink-types.c.o'. FAILED: src/libsystemd/systemd@sta/sd-netlink_netlink-types.c.o cc -Isrc/libsystemd/systemd@sta -Isrc/libsystemd -I../src/libsystemd -I. -I../ -Isrc/libsystemd-network -I../src/libsystemd-network -I../src/libsystemd/sd-network -I../src/libsystemd/sd-netlink -I../src/libsystemd/sd-id128 -I../src/libsystemd/sd-hwdb -I../src/libsystemd/sd-device -I../src/libsystemd/sd-bus -Isrc/core -I../src/core -Isrc/libudev -I../src/libudev -Isrc/udev -I../src/udev -Isrc/login -I../src/login -Isrc/timesync -I../src/timesync -Isrc/resolve -I../src/resolve -Isrc/journal -I../src/journal -Isrc/systemd -I../src/systemd -Isrc/shared -I../src/shared -Isrc/basic -I../src/basic -fdiagnostics-color=always -pipe -D_FILE_OFFSET_BITS=64 -Wall -Winvalid-pch -std=gnu99 -O0 -g -Wextra -Werror=undef -Wlogical-op -Wmissing-include-dirs -Wold-style-definition -Wpointer-arith -Winit-self -Wdeclaration-after-statement -Wfloat-equal -Wsuggest-attribute=noreturn -Werror=missing-prototypes -Werror=implicit-function-declaration -Werror=missing-declarations -Werror=return-type -Werror=incompatible-pointer-types -Werror=format=2 -Wstrict-prototypes -Wredundant-decls -Wmissing-noreturn -Wshadow -Wendif-labels -Wstrict-aliasing=2 -Wwrite-strings -Werror=overflow -Wdate-time -Wnested-externs -ffast-math -fno-common -fdiagnostics-show-option -fno-strict-aliasing -fvisibility=hidden -fstack-protector -fstack-protector-strong -fPIE --param=ssp-buffer-size=4 -Wno-unused-parameter -Wno-missing-field-initializers -Wno-unused-result -Wno-format-signedness -Wno-error=nonnull -Werror=shadow -include config.h -fPIC -pthread -MMD -MQ 'src/libsystemd/systemd@sta/sd-netlink_netlink-types.c.o' -MF 'src/libsystemd/systemd@sta/sd-netlink_netlink-types.c.o.d' -o 'src/libsystemd/systemd@sta/sd-netlink_netlink-types.c.o' -c ../src/libsystemd/sd-netlink/netlink-types.c In file included from ../src/libsystemd/sd-netlink/netlink-types.c:40:0: ../src/basic/missing.h:1252:8: Error: ‘struct fib_rule_uid_range’ is redefined struct fib_rule_uid_range { ^~~~~~~~~~~~~~~~~~ In file included from ../src/libsystemd/sd-netlink/netlink-types.c:25:0: /usr/include/linux/fib_rules.h:32:8: Error : this is the location of the previous definition struct fib_rule_uid_range { ^~~~~~~~~~~~~~~~~~ [163/1853] Compiling C object 'src/libsystemd/systemd@sta/sd-network_sd-network.c.o'. ninja: build stopped: subcommand failed.

Done. Thanks for reporting this packaging issue!

@IooNag Please remove "replaces=("${pkgname/-selinux}")" as it results to "Replace systemd-sysvcompat with aur-archlinux/systemd-sysvcompat-selinux? [Y/n]" using "pacman -Syu" with an AUR-Repo. As side fact - the replaces array isn't set on your other selinux packages

@ashaman-crypto: I changed the source URL in order to make the git clone work in networking environments where only a few protocols are allowed (HTTP, HTTPS, FTP) but where other services like "git://" (which uses its own TCP port) are filtered. When updating you need to either remove the systemd/ git clone from your source directory, or issue this command in it: git remote set-url origin https://github.com/systemd/systemd.git You also need to download the GPG key which fingerprint is given by validpgpkeys variable (63CDA1E5D3FC22B998D20DD6327F26951A015CC4) in order to validate the authenticity of the git tag in prepare(). This validation has been introduced in systemd package in https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/systemd&id=0644d26ab7e2ea8eb09e3566cff0d197890c8d47

@ashaman-crypto, you need to import the signing key that the systemd sources are signed with. ( $ gpg --recv-keys <key-id> ) The fingerprint ID is located in the PKGBUILD under validpgpkeys. It is currently 63CDA1E5D3FC22B998D20DD6327F26951A015CC4 . Changes to the PKGBUILD appear to be recent and I assume the archlinuxhardened/selinux GitHub project has not caught up to these changes yet to include the signing key.

That was from the one currently included in the archlinux/hardened selinux. The snapshot from here results in ==> Extracting sources... -> Creating working copy of systemd git repo... Reset branch 'makepkg' ==> Starting prepare()... ==> ERROR: failed to validate tag v232 ==> ERROR: A failure occurred in prepare(). Aborting...

Refuses to build since the last update. ==> Making package: systemd-selinux 232-6 (Mon Dec 19 15:17:03 UTC 2016) ==> Checking runtime dependencies... ==> Checking buildtime dependencies... ==> Retrieving sources... ==> ERROR: /home/user/selinux/systemd-selinux/systemd is not a clone of https://github.com/systemd/systemd.git Aborting...

Renamed to systemd-selinux

If you want to use SELinux with Systemd, you can configure it normally, as the WIKI says, selinux-systemd will than load the policy automatically without any additional configuration. I will continue to support selinux-sysvinit as long as it is reasonably maintainable, that is as long as I have some sysvinit package to base selinux package on.

I updated the selinux-usr-libselinux dependency version requirement to 2.1.9.

Ok, don't worry, I can wait, besides I can start to tinker with this to see if I can update it myself, I'd like to learn,

I see, so thats why I was able to build it, I have a newer version of SELinux userspace in my test machine. Since I have SELinux userspace PKGBUILDs in a state of disarray, I cannot upload updated version till weekend.

The SELinux guy told me that it apears systemd requires a version for selinux, this is version 2.1.0 and systemd requires 2.1.9 http://lists.freedesktop.org/archives/systemd-devel/2012-September/006621.html maybe, I'll still test it when I can, I'll uninstall the procps package to be able to install the new util to test this one.

The SELinux guy told me that it apears systemd requires a version for selinux, this is version 2.1.0 and systemd requires 2.1.9 http://lists.freedesktop.org/archives/systemd-devel/2012-September/006621.html maybe, I'll still test it when I can, I'll uninstall the procps package to be able to install the new util to test this one.

Also try to rebuild it now with selinux-util-linux 2.22.2, I think, it may work.

I'm getting in touch with one of the SELinux guys, maybe he can help to, he builded and installed SELinux in a LFS machine, so he can really help with any problems we could have... I hope he has the time.

Can't test it now, will look into it during the weekend, but I built it yesterday.

Sorry, I misclicked, it is not out of date doesn't build, "SELinux support requested but libraries not found"

This package is a SELinux version of Arch's systemd splitpackage. It's part selinux-systemd-tools replaces selinux-udev. Only that part has been tested, if you are interested in using SELinux with systemd, you can use this as start but there will most likely be some more work you'll have to do. It is not in my powers to test SELinux with systemd, but if anyone is interested, I accept patches. The reason for the package to be as it is I intend SELinux packages to be just [core] packages with minimum changes necery to make them compatible with SELinux. Continuing the old branch would make the maintenance harder and would also increase the risk of bringing in more errors.