# Can't get PAM to compile after upgrading to SELinux

## Rikai

I'm creating a firewall/proxy server, using the hardened SELinux profile.

I did an emerge -e world yesterday, to make sure that everything had been compiled with PIE/SSP. Everything compiles, except for tcp-wrappers and pam. tcp-wrappers gets an error in sandbox, but when I go through the steps manually using ebuild (from Sandbox Troubleshooting), it seems to install OK.

PAM, however, fails to compile. I've tried both the x86 (0.78-r3) and ~x86 (0.78-r5) versions. Watching it, it looks like it compiles one set of programs, which works ok, and then runs another configure, and begins to compile something else. This is where it fails. I get the error message:

```
pam_unix_passwd.c: In function '_unix_run_shadow_binary':
pam_unix_passwd.c:278: error: invalid lvalue in assignment
```

This error is repeated for every line in pam_unix_passwd.c where SELINUX_ENABLED is used, with the function names changed as appropriate, of course. Looking through pam_unix_passwd.c, nothing seems wrong to me, though I'm not some amazing C hacker.

After error messages about invalid lvalues appear these errors:

```
pam_unix_passwd.c: In function '_pam_unix_approve_pass':
pam_unix_passwd.c:955: warning: dereferencing type-punned pointer will break strict-aliasing rules
pam_unix_passwd.c: In function 'pam_sm_chauthtok':
pam_unix_passwd.c:1163: warning: dereferencing type-punned pointer will break strict-aliasing rules
pam_unix_passwd.c:1166: warning: dereferencing type-punned pointer will break strict-aliasing rules
```

I hesitate to post a bug, because no one else seems to have this problem, but I created my system following the SELinux HOWTO closely, and I'm sure the combination of hardened gentoo and SELinux is not rare. I did, however, have to unmask new versions of libselinux (1.30) and libsepol (1.12-r1) in order for portage to stop getting the "!!! SELinux module not found. Please verify that it was installed." error. So I'm fairly certain that there's just a problem with my configuration somewhere.

If anyone can tell me where I've gone wrong, I'd love to know... I don't want to reboot at the moment, in case PAM is now broken. Being able to log in is a good thing :)

Here's my emerge --info

```
Portage 2.1_rc2-r2 (selinux/2005.1/x86/hardened, gcc-4.1.1-pre20060517, glibc-2.4-r3, 2.6.14-hardened-r8 i686)
=================================================================
System uname: 2.6.14-hardened-r8 i686 Pentium III (Coppermine)
Gentoo Base System version 1.6.14
ccache version 2.3 [enabled]
dev-lang/python:     2.4.2
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  0.4.2-r1
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium3 -O2 -fomit-frame-pointer -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/eselect/compiler /etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=pentium3 -O2 -fomit-frame-pointer -pipe -fvisibility-inlines-hidden"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache confcache distlocks metadata-transfer sandbox selinux sfperms strict userpriv usersandbox"
GENTOO_MIRRORS="http://gentoo.osuosl.org http://www.ibiblio.org/pub/Linux/distributions/gentoo"
LDFLAGS="-Wl,-O1 -Wl,--sort-common -s"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="berkdb chroot crypt dlloader hardened mailwrapper ncurses nls nptl nptlonly pam pic python readline selinux sftplogging ssl symlink tcpd x86 zlib elibc_glibc kernel_linux userland_GNU"
Unset:  ASFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS
```

----------

## Rikai

Ah.... I've now realized it's even worse.

Without the selinux PAM module loaded, I can't run scripts in /etc/init.d/, among other things. It seems I can still make policy changes, and emerge new packages, so not all is lost.

----------

## Kosa

I had the same problem; downgrading to gcc 3.4.6 and glibc 2.3.6 solved it (I tried to install from the 2006.1 stage, so I went back to 2006.0).

----------

## vaxbrat

I've been working with a stable hardened profile PIII system since a few months ago and had everything emerged nicely without too much ado on 3.4.6 (now if only I could get the amount of selinux whining down a bit and get out of permissive mode). I did hit a speed bump a while back on a glibc version that borked my xorg for a while, but that was taken care of at some point.

Anyhoo... I hit the pam lvalue error upgrading to gcc 4.1.1 and so far have decided to punt for the moment by just skipping it on the emerge -e system/world bit. I still have 3.4.6 installed.

I don't recall having this heartburn when 4.1.1 was unmasked on the ~amd64 a few months back. However, I'm not running the hardened profile on that box. I notice PAM is at 0.78-r5 over there.

----------

## dumdey

I can compile PAM with GCC 3.4.5 without a downgrade of glibc.

Regards,

Harry

----------

## dumdey

There is a bug filed: https://bugs.gentoo.org/show_bug.cgi?id=150859

pam-0.78-r5 should fix it.

Regards, Harry

----------

