# hardening w/grsec, pax, gradm checklist?

## pjp

So I've got the hardened toolchain & hardened kernel. I think the kernel is configured correctly (hardened server), but the current docs seem out of date compared with the current kernel (options don't match up completely).

No idea if this is correct, but it seems to be...

```
Mode: blackhat

Linux lab-v01 2.6.34-hardened-r6 #4 SMP Sun Oct 10 15:11:02 MDT 2010 x86_64 AMD Athlon(tm) II X4 640 Processor AuthenticAMD GNU/Linux

Executable anonymous mapping             : Killed

Executable bss                           : Killed

Executable data                          : Killed

Executable heap                          : Killed

Executable stack                         : Killed

Executable anonymous mapping (mprotect)  : Killed

Executable bss (mprotect)                : Killed

Executable data (mprotect)               : Killed

Executable heap (mprotect)               : Killed

Executable stack (mprotect)              : Killed

Executable shared library bss (mprotect) : Killed

Executable shared library data (mprotect): Killed

Writable text segments                   : Killed

Anonymous mapping randomisation test     : 29 bits (guessed)

Heap randomisation test (ET_EXEC)        : 12 bits (guessed)

Heap randomisation test (ET_DYN)         : 35 bits (guessed)

Main executable randomisation (ET_EXEC)  : No randomisation

Main executable randomisation (ET_DYN)   : No randomisation

Shared library randomisation test        : 29 bits (guessed)

Stack randomisation test (SEGMEXEC)      : No randomisation

Stack randomisation test (PAGEEXEC)      : 35 bits (guessed)

Return to function (strcpy)              : paxtest: bad luck, try different compiler options.

Return to function (memcpy)              : *** buffer overflow detected ***: rettofunc2 - terminated

rettofunc2: buffer overflow attack in function <unknown> - terminated

Report to http://bugs.gentoo.org/

Killed

Return to function (strcpy, RANDEXEC)    : paxtest: bad luck, try different compiler options.

Return to function (memcpy, RANDEXEC)    : *** buffer overflow detected ***: rettofunc2x - terminated

rettofunc2x: buffer overflow attack in function <unknown> - terminated

Report to http://bugs.gentoo.org/

Killed

Executable shared library bss            : Killed

Executable shared library data           : Killed
```

I've emerged gradm, but haven't configured it yet (on purpose).

Is there anything else I should do before continuing?  I must say, the documentation is a bit... disorganized.

----------

## nativemad

I wonder why you've got

> Main executable randomisation (ET_EXEC)  : No randomisation
>
> Main executable randomisation (ET_DYN)   : No randomisation

At least over here I have them "32 bits (guessed)". Have you used a hardened stage or did you emerge -eD world?

----------

## kernelOfTruth

the following might come in handy:

http://tk-blog.blogspot.com/2010/05/checksecsh-now-with-kernel-support.html

http://www.trapkit.de/tools/checksec.html

----------

## pjp

 *nativemad wrote:*   

> Have you used a hardened stage or did you emerge -eD world?

  I didn't use a hardened stage this time*, but I thought I ran emerge -e world (per docs).  I did have doubts though, so I'll try that again and post back when done.

* I had problems the last time I used one, but now that I think of it, I don't think they were related to the stage being hardened.

 *kernelOfTruth wrote:*   

> the following might come in handy:
> 
> http://tk-blog.blogspot.com/2010/05/checksecsh-now-with-kernel-support.html
> 
> http://www.trapkit.de/tools/checksec.html

  Thanks, will take a look.

EDIT:

Hmm... made some kernel changes (grsec) last night, and now I'm getting compile errors. (unexpected PLT reloc on various libraries... libattr is one).  I've rebooted to a non pax/grsec enabled hardened kernel and compiling seems to be working.

EDIT2:

Well, I'd say the kernel is borked.  I used the hardened kernel w/o pax or grsec configured, ran emerge -eD world w/o problems.  

I then tried using the pax / grsec kernel, and I was eventually disconnected from the ssh session running emerge -eD world.  When I went to the console to try and log in, it started to slowly scroll the screen and complained about init spawning too fast.  The same then occurred when I tried the second console.  Back to the non pax / grsec kernel and re-running -eD world.  I'll have to revisit kernel options I guess.

Thanks.

----------

## skunk

hi,

i'm running hardened gentoo on all my servers since a long time ago and this is the output from paxtest:

```
Mode: blackhat

Linux fw1 2.6.34-hardened-r6 #1 SMP Mon Oct 4 02:32:46 CEST 2010 x86_64 Intel(R) Xeon(R) CPU E5520 @ 2.27GHz GenuineIntel GNU/Linux

Executable anonymous mapping             : Killed

Executable bss                           : Killed

Executable data                          : Killed

Executable heap                          : Killed

Executable stack                         : Killed

Executable shared library bss            : Killed

Executable shared library data           : Killed

Executable anonymous mapping (mprotect)  : Killed

Executable bss (mprotect)                : Killed

Executable data (mprotect)               : Killed

Executable heap (mprotect)               : Killed

Executable stack (mprotect)              : Killed

Executable shared library bss (mprotect) : Killed

Executable shared library data (mprotect): Killed

Writable text segments                   : Killed

Anonymous mapping randomisation test     : 29 bits (guessed)

Heap randomisation test (ET_EXEC)        : 35 bits (guessed)

Heap randomisation test (PIE)            : 35 bits (guessed)

Main executable randomisation (ET_EXEC)  : 27 bits (guessed)

Main executable randomisation (PIE)      : 27 bits (guessed)

Shared library randomisation test        : 29 bits (guessed)

Stack randomisation test (SEGMEXEC)      : 35 bits (guessed)

Stack randomisation test (PAGEEXEC)      : 35 bits (guessed)

Return to function (strcpy)              : paxtest: return address contains a NULL byte.

Return to function (memcpy)              : Vulnerable

Return to function (strcpy, PIE)         : paxtest: return address contains a NULL byte.

Return to function (memcpy, PIE)         : Vulnerable
```

this with latest stable gcc (4.3.4), glibc (2.11.2) and binutils (2.20.1-r1)

as the hardened stage3 isn't available anymore i usually do the following:

install latest stage3-nomultilib

enable hardened use flag

rebuild the toolchain (gcc, glibc, binutils)

emerge -e system

emerge -e world

as for the kernel i just choose "hardened gentoo [server]" as security level and nothing more.

never got any issue apart with java...

hope this will help.

----------
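
An added example, not part of any post in this thread: a POSIX shell/awk filter that triages paxtest output like the two runs above, marking the lines paxtest itself reports as `No randomisation` or `Vulnerable`. The function name, the OK/FLAG/CHECK labels and the optional minimum-bits threshold are assumptions of this example; the sample input is excerpted from pjp's run.

```sh
#!/bin/sh
# Added example: triage paxtest output read from stdin.
# Output: one "STATUS|test name|result" line per test.
#   OK    - "Killed", or a randomisation result at/above the threshold
#   FLAG  - "No randomisation", "Vulnerable", or bits below the threshold
#   CHECK - anything else (compiler/glibc abort text); read it by hand
# $1 (optional) = minimum acceptable bits of randomisation (assumed policy
# knob of this example, default 0 = never flag on entropy alone).
paxtest_triage() {
    awk -v min="${1:-0}" '
    # A result line is "<Test name, padded> : <result>". Banner lines,
    # glibc/SSP abort messages and a lone "Killed" are continuation text.
    match($0, /^[A-Z][A-Za-z_,() ]*: /) {
        name = substr($0, 1, RLENGTH - 2); sub(/ +$/, "", name)
        if (name == "Mode") next            # "Mode: blackhat" banner
        res = substr($0, RLENGTH + 1); sub(/[ \t]+$/, "", res)
        if (res == "Killed")
            s = "OK"
        else if (res == "No randomisation" || res == "Vulnerable")
            s = "FLAG"
        else if (res ~ /^[0-9]+ bits/)      # "29 bits (guessed)" -> 29
            s = (res + 0 < min + 0) ? "FLAG" : "OK"
        else
            s = "CHECK"
        print s "|" name "|" res
    }'
}

# Names of the tests that were flagged, one per line.
paxtest_flagged() {
    paxtest_triage "$@" | awk -F'|' '$1 == "FLAG" { print $2 }'
}

# Excerpt of pjp's paxtest run from the first post (subset of lines).
SAMPLE_PAXTEST='Mode: blackhat
Executable stack                         : Killed
Heap randomisation test (ET_EXEC)        : 12 bits (guessed)
Heap randomisation test (ET_DYN)         : 35 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Main executable randomisation (ET_DYN)   : No randomisation
Stack randomisation test (SEGMEXEC)      : No randomisation
Return to function (strcpy)              : paxtest: bad luck, try different compiler options.
Return to function (memcpy)              : *** buffer overflow detected ***: rettofunc2 - terminated
rettofunc2: buffer overflow attack in function <unknown> - terminated
Report to http://bugs.gentoo.org/
Killed'

# Demo: flag anything under 16 bits as well (threshold is an assumption).
printf '%s\n' "$SAMPLE_PAXTEST" | paxtest_triage 16
```

----------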

## pjp

Is nomultilib significant?  I pretty much did the same except a standard stage3 and selecting a hardened profile using eselect.

The kernel may be the key though.  I think I did try to match up the slightly old docs with a newer kernel.  I thought there were a couple of options recommended in the docs which were not selected, so I enabled them.

----------

## kernelOfTruth

 *pjp wrote:*   

> Is nomultilib significant?  I pretty much did the same except a standard stage3 and selecting a hardened profile using eselect.
> 
> The kernel may be the key though.  I think I did try to match up the slightly old docs with a newer kernel.  I thought there were a couple of options recommended in the docs which were not selected, so I enabled them.

 

I had the same problems when trying to compile stuff with the hardened-kernel in enforce-mode so

try pax_softmode=1 while you update your system

(perhaps you also need pax_nouderef for some drivers)

----------

## pjp

I wondered if that could have anything to do with it.  I'm going to go back to the docs and read them a bit more thoroughly, then see about redoing the kernel.  Thanks.

----------

## pjp

 *kernelOfTruth wrote:*   

> I had the same problems when trying to compile stuff with the hardened-kernel in enforce-mode so
> 
> try pax_softmode=1 while you update your system

   *Support soft mode wrote:*   

> Enabling this option will allow you to run PaX in soft mode, that is, PaX features will not be enforced by default, only on executables marked explicitly. You must also enable PT_PAX_FLAGS support as it is the only way to mark executables for soft mode use.
> 
> Soft mode can be activated by using the "pax_softmode=1" kernel command line option on boot. Furthermore you can control various PaX features at runtime via the entries in /proc/sys/kernel/pax. 

  Ouch.  So a reboot is required to update?

----------

## nativemad

It shouldn't matter if you have multilib or not.

At least on my mirror there are still updated hardened stages around (ok, not in every autobuild, but at least here for example):

http://mirror.switch.ch/ftp/mirror/gentoo/releases/amd64/autobuilds/20100909/hardened/stage3-amd64-hardened+nomultilib-20100909.tar.bz2

Sometimes i had to disable some hardened features in the Kernel on some Hardware (KVM, vmware for example), because of strange issues like taking a day to boot or oops... But that varies from Kernelversion to version.

----------

## skunk

 *nativemad wrote:*   

> At least on my mirror there are still updated hardened stages around (ok, not in every autobuild, but at least here for example):
> 
> http://mirror.switch.ch/ftp/mirror/gentoo/releases/amd64/autobuilds/20100909/hardened/stage3-amd64-hardened+nomultilib-20100909.tar.bz2

 

nice to know there are still hardened stage3 around, after reading this thread some time ago i thought it was over...

however i always rebuild all twice anyway for testing the hardware on new installations..

@pjp: i never had to use pax_softmode, but maybe you are building a desktop system (which i never did)...

----------

## pjp

I think my problem may be related to CHOST and USE flags?

CHOST="x86_64-pc-linux-gnu" and "amd64" is enabled as a USE flag.

I rebuilt the kernel with only selecting hardened server and then tried rebuilding the toolchain.  binutils emerged, then gcc failed.  After that, just about every command I tried failed with "Illegal instruction."

----------

## skunk

 *pjp wrote:*   

> I think my problem may be related to CHOST and USE flags?
> 
> CHOST="x86_64-pc-linux-gnu" and "amd64" is enabled as a USE flag

 

you mean amd64 as ACCEPT_KEYWORDS, there are no amd64 USE flags...

 *pjp wrote:*   

> 
> 
> I rebuilt the kernel with only selecting hardened server and then tried rebuilding the toolchain.  binutils emerged, then gcc failed.  After that, just about every command I tried failed with "Illegal instruction."

 

i think you messed something, if it's a new install i suggest to begin again from scratch using the hardened stage3 linked above.

----------

## nativemad

amd64 is indeed a useflag... seeable via emerge --info! ;)

I don't see anything wrong with that chost!?

```
# emerge --info
Portage 2.1.8.3 (hardened/linux/amd64/10.0/no-multilib, gcc-4.3.4, glibc-2.11.2-r0, 2.6.34-hardened-r1 x86_64)
=================================================================
System uname: Linux-2.6.34-hardened-r1-x86_64-QEMU_Virtual_CPU_version_0.12.5-with-gentoo-1.12.13
Timestamp of tree: Fri, 30 Jul 2010 01:45:01 +0000
app-shells/bash:     4.0_p37
dev-lang/python:     2.6.5-r3, 3.1.2-r4
dev-util/cmake:      2.8.1-r2
sys-apps/baselayout: 1.12.13
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.65-r1
sys-devel/automake:  1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.3.4
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6b
virtual/os-headers:  2.6.30-r1
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="acl amd64 authlib berkdb bzip2 cli cracklib crypt cxx dovecot-sasl dri gdbm gpm hardened iconv justify ldap mmx modules mudflap ncurses nls nptl nptlonly openmp pam pcre perl pic pppd python readline reflection sasl session slang spl sse sse2 ssl sysfs tcpd unicode urandom xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa via vmware voodoo" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, MAKEOPTS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
```

----------

## pjp

 *skunk wrote:*   

> i think you messed something, if it's a new install i suggest to begin again from scratch using the hardened stage3 linked above.

  Possibly, but it seems to work fine with the pax/grsec not enabled in the kernel.  That I started getting those errors only after emerging binutils with pax/grsec enabled in the kernel seems suspicious.  I can reboot to the non pax/grsec kernel, reemerge binutils (not sure if it is required) and everything is fine again.  I may start over, but it would be nice to know what the actual problem is.

----------

## skunk

 *nativemad wrote:*   

> amd64 is indeed a useflag... seeable via emerge --info!

 

ok, but afaik it's not supposed to be set into make.conf

----------

## pjp

It isn't in make.conf, but it shows up with emerge --info.  That's how I thought it could be causing a conflict with CHOST some how.  If it isn't that, I'm skeptical of different results by starting over.  But I think I'm going to, just because I'm tired of messing with it.  A week to get a basic (hardened) install done isn't my idea of a good time :)

----------

## nativemad

I only know that it can be very tricky to get the toolchain properly set up... it's binutils, glibc and gcc, but i don't know the exact order anymore nor if they maybe even need to be compiled twice, to get all options properly! But it shouldn't matter if you have a hardened kernel or not, to get the toolchain right.

Ah, here it is:

http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml

```
Code Listing 2.1: Hardened Toolchain Installation

# emerge --oneshot binutils gcc virtual/libc

# emerge -e world
```

----------

## skunk

 *pjp wrote:*   

> *skunk wrote:*
>
> > i think you messed something, if it's a new install i suggest to begin again from scratch using the hardened stage3 linked above.
>
> Possibly, but it seems to work fine with the pax/grsec not enabled in the kernel.  That I started getting those errors only after emerging binutils with pax/grsec enabled in the kernel seems suspicious.  I can reboot to the non pax/grsec kernel, reemerge binutils (not sure if it is required) and everything is fine again.  I may start over, but it would be nice to know what the actual problem is.

 

post emerge --info and any relevant message into /var/log/grsec.log and /var/log/pax.log

----------

## pjp

@nativemad:  That's what I've followed, but it is still possible something got messed up along the way.

@skunk:  Will do this evening (~8 - 8.5hrs from now).

Thanks.

----------

## nativemad

 *pjp wrote:*   

> @nativemad:  That's what I've followed, but it is still possible something got messed up along the way.
> 
> 

  hmmm... as i look at it... shouldn't there be a "gcc-config" between gcc and glibc!?

----------

## pjp

I thought gcc-config was just a control script to show and select which gcc was active?

----------

## nativemad

 *pjp wrote:*   

> I thought gcc-config was just a control script to show and select which gcc was active?

 

Yes, but if a non hardened gcc is still selected, then it wouldn't build hardened binaries! ;)

This could happen if an older gcc was installed and you just rebuilt the newer one from an update which doesn't get selected automatically!

----------

## pjp

It is a new install, so I think only the one is available.  I'll confirm.

----------

## cach0rr0

drat. someone beat me to it 

was just going to say, what profile are you using, and what build of gcc? (gcc-config -l, eselect profile list)

----------

## pjp

 *skunk wrote:*   

> post emerge --info and any relevant message into /var/log/grsec.log and /var/log/pax.log

  There are no grsec.log or pax.log files.  I haven't yet looked to see if they could be anywhere else.  

```
# emerge --info

Portage 2.1.8.3 (hardened/linux/amd64/10.0, gcc-4.4.3, glibc-2.11.2-r0, 2.6.34-hardened-r6 x86_64)

=================================================================

System uname: Linux-2.6.34-hardened-r6-x86_64-AMD_Athlon-tm-_II_X4_640_Processor-with-gentoo-1.12.13

Timestamp of tree: Mon, 11 Oct 2010 23:45:02 +0000

app-shells/bash:     4.1_p7

dev-lang/python:     2.6.5-r3, 3.1.2-r4

sys-apps/baselayout: 1.12.13

sys-apps/sandbox:    2.3-r1

sys-devel/autoconf:  2.65-r1

sys-devel/automake:  1.11.1

sys-devel/binutils:  2.20.1-r1

sys-devel/gcc:       4.3.4, 4.4.3-r2

sys-devel/gcc-config: 1.4.1

sys-devel/libtool:   2.2.10

sys-devel/make:      3.81-r2

virtual/os-headers:  2.6.30-r1

ACCEPT_KEYWORDS="amd64"

ACCEPT_LICENSE="* -@EULA"

CBUILD="x86_64-pc-linux-gnu"

CFLAGS="-O2 -pipe"

CHOST="x86_64-pc-linux-gnu"

CONFIG_PROTECT="/etc"

CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"

CXXFLAGS="-O2 -pipe"

DISTDIR="/usr/portage/distfiles"

FEATURES="assume-digests buildpkg collision-protect distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync"

GENTOO_MIRRORS="ftp://mirror.iawnet.sandia.gov/pub/gentoo/ http://mirror.usu.edu/mirrors/gentoo/"

LDFLAGS="-Wl,-O1 -Wl,--as-needed"

MAKEOPTS="-j5"

PKGDIR="/usr/portage/packages"

PORTAGE_CONFIGROOT="/"

PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"

PORTAGE_TMPDIR="/var/tmp"

PORTDIR="/usr/portage"

SYNC="rsync://rsync.us.gentoo.org/gentoo-portage"

USE="acl amd64 berkdb bzip2 cli cracklib crypt cups cxx dri gdbm gpm hardened iconv justify mmx modules mudflap multilib ncurses nls nptl nptlonly openmp pam pcre perl pic pppd python readline reflection session sse sse2 ssl sysfs tcpd urandom zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" PHP_TARGETS="php-5.2" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nouveau nv r128 radeon savage sis tdfx trident vesa via vmware voodoo" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"

Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
```

 

```
# eselect profile list

Available profile symlink targets:

  [1]   default/linux/amd64/10.0

  [2]   default/linux/amd64/10.0/desktop

  [3]   default/linux/amd64/10.0/desktop/gnome

  [4]   default/linux/amd64/10.0/desktop/kde

  [5]   default/linux/amd64/10.0/developer

  [6]   default/linux/amd64/10.0/no-multilib

  [7]   default/linux/amd64/10.0/server

  [8]   hardened/linux/amd64/10.0 *

  [9]   hardened/linux/amd64/10.0/no-multilib

  [10]  selinux/2007.0/amd64

  [11]  selinux/2007.0/amd64/hardened

  [12]  selinux/v2refpolicy/amd64

  [13]  selinux/v2refpolicy/amd64/desktop

  [14]  selinux/v2refpolicy/amd64/developer

  [15]  selinux/v2refpolicy/amd64/hardened

  [16]  selinux/v2refpolicy/amd64/server

# gcc-config -l

 [1] x86_64-pc-linux-gnu-4.3.4

 [2] x86_64-pc-linux-gnu-4.3.4-hardenednopie

 [3] x86_64-pc-linux-gnu-4.3.4-vanilla

 [4] x86_64-pc-linux-gnu-4.4.3 *
```

  Thanks.

EDIT:

Couple of related threads (maybe).

gcc-4.3.4 - xgcc: Internal error: Killed (program cc[Solved]

I've got 4G RAM w/1G swap.  Haven't had the opportunity to switch kernels and monitor free memory, but I wouldn't think that was it?

ERROR: sys-libs/glibc-2.11.2 failed during emerge

I'm not really having the problem with glibc, but I think the first time I attempted this, the toolchain compiled fine and the failure happened while emerging other packages.

----------

## cach0rr0

 *pjp wrote:*   

> *skunk wrote:*
>
> > post emerge --info and any relevant message into /var/log/grsec.log and /var/log/pax.log
>
> There are no grsec.log or pax.log files.  I haven't yet looked to see if they could be anywhere else.

 

the segregation into pax.log, grsec.log, so on and so forth, is a hardened profile thing. Did you merge syslog-ng prior to switching over to the hardened profile? 

Or, well...it's a "hardened" USE flag thing, but that should be automatically selected by the hardened profile. 

```

    # Install default configuration

    insinto /etc/syslog-ng

    if use hardened || use selinux ; then

        newins "${FILESDIR}/syslog-ng.conf.gentoo.hardened.${PV%%.*}" syslog-ng.conf

    elif use userland_BSD ; then

        newins "${FILESDIR}/syslog-ng.conf.gentoo.fbsd.${PV%%.*}" syslog-ng.conf

    else

        newins "${FILESDIR}/syslog-ng.conf.gentoo.${PV%%.*}" syslog-ng.conf

    fi

```

 *pjp wrote:*   

> ```
> # gcc-config -l
> ...
> ```

 

hrmm...

```

 # equery uses gcc

```

For me:

```

[ Found these USE variables for sys-devel/gcc-4.3.4 ]

 U I

 - - altivec     : Adds support for optimizations for G4 and G5/ppc970 processors

 - - bootstrap   : !!internal use only!! DO NOT SET THIS FLAG YOURSELF!, used during original system bootstrapping [make stage2]

 - - build       : !!internal use only!! DO NOT SET THIS FLAG YOURSELF!, used for creating build images and the first half of bootstrapping [make stage1]

 - - doc         : Adds extra documentation (API, Javadoc, etc)

 - - fixed-point : Enable fixed-point arithmetic support for MIPS targets in gcc (Warning: significantly increases compile time!)

 - - fortran     : Adds support for fortran (formerly f77)

 - - gcj         : Enable building with gcj (The GNU Compiler for the Javatm Programming Language)

 - - gtk         : Adds support for x11-libs/gtk+ (The GIMP Toolkit)

 + + hardened    : activate default security enhancements for toolchain (gcc, glibc, binutils)

 - - libffi      : Build the portable foreign function interface library

 + + mudflap     : Add support for mudflap, a pointer use checking library

 + - multilib    : On 64bit systems, if you want to be able to compile 32bit and 64bit binaries

 - - multislot   : Allow for SLOTs to include minor version (3.3.4 instead of just 3.3)

 - - n32         : Enable n32 ABI support on mips

 - - n64         : Enable n64 ABI support on mips

 + + nls         : Adds Native Language Support (using gettext - GNU locale utilities)

 - - nocxx       : Disable support for C++ (DON'T USE THIS UNLESS YOU KNOW WHAT YOU'RE DOING)

 - - nopie       : Disable PIE support (NOT FOR GENERAL USE)

 + + nptl        : Enable support for Native POSIX Threads Library, the new threading module (requires linux-2.6 or better usually)

 - - objc        : Build support for the Objective C code language

 - - objc++      : Build support for the Objective C++ language

 - - objc-gc     : Build support for the Objective C code language Garbage Collector

 + + openmp      : Build support for the OpenMP (support parallel computing), requires >=sys-devel/gcc-4.2 built with USE="openmp"

 - - test        : Workaround to pull in packages needed to run with FEATURES=test. Portage-2.1.2 handles this internally, so don't set it in make.conf/package.use anymore

 - - vanilla     : Do not add extra patches which change default behaviour; DO NOT USE THIS ON A GLOBAL SCALE as the severity of the meaning changes drastically

```

ALSO: Did you build the kernel with the same toolchain you're running now?

----------

## pjp

I edited my previous post with a couple of possibly related threads.

syslog-ng.conf seems correct?

```
# egrep "pax|grsec" /etc/syslog-ng/syslog-ng.conf

destination pax { file("/var/log/pax.log"); };

destination grsec { file("/var/log/grsec.log"); };

filter f_pax { message("^(\\[.*\..*\] |)PAX:.*"); };

filter f_grsec { message("^(\\[.*\..*\] |)grsec:.*"); };

log { source(kernsrc); filter(f_pax); destination(pax); };

log { source(kernsrc); filter(f_grsec); destination(grsec); };
```

Not sure what I'm supposed to be looking for with equery uses gcc...

```
# equery uses gcc

[ Searching for packages matching gcc... ]

[ Colour Code : set unset ]

[ Legend : Left column  (U) - USE flags from make.conf              ]

[        : Right column (I) - USE flags packages was installed with ]

[ Found these USE variables for sys-devel/gcc-4.3.4 ]

 U I

 - - altivec     : Adds support for optimizations for G4 and G5/ppc970 processors

 - - bootstrap   : !!internal use only!! DO NOT SET THIS FLAG YOURSELF!, used during original system bootstrapping [make stage2]

 - - build       : !!internal use only!! DO NOT SET THIS FLAG YOURSELF!, used for creating build images and the first half of bootstrapping [make stage1]

 - - doc         : Adds extra documentation (API, Javadoc, etc)

 - - fixed-point : Enable fixed-point arithmetic support for MIPS targets in gcc (Warning: significantly increases compile time!)

 - - fortran     : Adds support for fortran (formerly f77)

 - - gcj         : Enable building with gcj (The GNU Compiler for the Javatm Programming Language)

 - - gtk         : Adds support for x11-libs/gtk+ (The GIMP Toolkit)

 + + hardened    : activate default security enhancements for toolchain (gcc, glibc, binutils)

 - - libffi      : Build the portable foreign function interface library

 + + mudflap     : Add support for mudflap, a pointer use checking library

 + + multilib    : On 64bit systems, if you want to be able to compile 32bit and 64bit binaries

 - - multislot   : Allow for SLOTs to include minor version (3.3.4 instead of just 3.3)

 - - n32         : Enable n32 ABI support on mips

 - - n64         : Enable n64 ABI support on mips

 + + nls         : Adds Native Language Support (using gettext - GNU locale utilities)

 - - nocxx       : Disable support for C++ (DON'T USE THIS UNLESS YOU KNOW WHAT YOU'RE DOING)

 - - nopie       : Disable PIE support (NOT FOR GENERAL USE)

 - - nossp       : Disable SSP support (NOT FOR GENERAL USE)

 + + nptl        : Enable support for Native POSIX Threads Library, the new threading module (requires linux-2.6 or better usually)

 - - objc        : Build support for the Objective C code language

 - - objc++      : Build support for the Objective C++ language

 - - objc-gc     : Build support for the Objective C code language Garbage Collector

 + + openmp      : Build support for the OpenMP (support parallel computing), requires >=sys-devel/gcc-4.2 built with USE="openmp"

 - - test        : Workaround to pull in packages needed to run with FEATURES=test. Portage-2.1.2 handles this internally, so don't set it in make.conf/package.use anymore

 - - vanilla     : Do not add extra patches which change default behaviour; DO NOT USE THIS ON A GLOBAL SCALE as the severity of the meaning changes drastically

[ Found these USE variables for sys-devel/gcc-4.4.3-r2 ]

 U I

 - - altivec     : Adds support for optimizations for G4 and G5/ppc970 processors

 - - bootstrap   : !!internal use only!! DO NOT SET THIS FLAG YOURSELF!, used during original system bootstrapping [make stage2]

 - - build       : !!internal use only!! DO NOT SET THIS FLAG YOURSELF!, used for creating build images and the first half of bootstrapping [make stage1]

 - - doc         : Adds extra documentation (API, Javadoc, etc)

 - - fixed-point : Enable fixed-point arithmetic support for MIPS targets in gcc (Warning: significantly increases compile time!)

 - + fortran     : Adds support for fortran (formerly f77)

 - - gcj         : Enable building with gcj (The GNU Compiler for the Javatm Programming Language)

 - - graphite    : Add support for the framework for loop optimizations based on a polyhedral intermediate representation

 - - gtk         : Adds support for x11-libs/gtk+ (The GIMP Toolkit)

 + - hardened    : activate default security enhancements for toolchain (gcc, glibc, binutils)

 - - libffi      : Build the portable foreign function interface library

 + + mudflap     : Add support for mudflap, a pointer use checking library

 + + multilib    : On 64bit systems, if you want to be able to compile 32bit and 64bit binaries

 - - multislot   : Allow for SLOTs to include minor version (3.3.4 instead of just 3.3)

 - - n32         : Enable n32 ABI support on mips

 - - n64         : Enable n64 ABI support on mips

 + + nls         : Adds Native Language Support (using gettext - GNU locale utilities)

 - - nocxx       : Disable support for C++ (DON'T USE THIS UNLESS YOU KNOW WHAT YOU'RE DOING)

 + + nptl        : Enable support for Native POSIX Threads Library, the new threading module (requires linux-2.6 or better usually)

 - - objc        : Build support for the Objective C code language

 - - objc++      : Build support for the Objective C++ language

 - - objc-gc     : Build support for the Objective C code language Garbage Collector

 + + openmp      : Build support for the OpenMP (support parallel computing), requires >=sys-devel/gcc-4.2 built with USE="openmp"

 - - test        : Workaround to pull in packages needed to run with FEATURES=test. Portage-2.1.2 handles this internally, so don't set it in make.conf/package.use anymore

 - - vanilla     : Do not add extra patches which change default behaviour; DO NOT USE THIS ON A GLOBAL SCALE as the severity of the meaning changes drastically
```

 *cach0rr0 wrote:*   

> ALSO: Did you build the kernel with the same toolchain you're running now?

  The hardened kernel w/o pax / grsec enabled was compiled with my current toolchain.  The kernel with pax / grsec enabled was also built with the current toolchain.  When I boot to that kernel and try to rebuild the toolchain, it fails.  

I think so anyway... I can certainly rebuild the toolchain and then recompile the current kernel to make sure.  Come to think of it, I've tried recompiling the whole system multiple times.  On one occasion, I recompiled twice just to be safe.

EDIT:  Actually, I can't be sure the non pax/grsec kernel was compiled with my current toolchain any more (though at one point that was certainly true).

----------

## nativemad

 *Quote:*   

> ```
> # gcc-config -l
>  [1] x86_64-pc-linux-gnu-4.3.4
>  [2] x86_64-pc-linux-gnu-4.3.4-hardenednopie
> ```
> ...

 

You should choose #1, as it is the hardened gcc!!

----------

## pjp

 *nativemad wrote:*   

> You should choose #1, as it is the hardened gcc!!

  Did not know that, thanks.  Will report back (hopefully) later today.

----------

## pjp

Got started a little later than I'd hoped, but it seems to be working (still too soon to tell based on track record).

Switched gcc, recompiled the kernel with pax / grsec enabled and booted with that kernel.  binutils compiled, and gcc is underway.  If it goes well, I'm thinking I'll recompile them for the heck of it, then emerge -eD world.  Probably won't have an update until tomorrow some time.

EDIT:  No such luck.  Unfortunately I don't have time to troubleshoot tonight, so looks like I have a weekend project.  I probably won't spend much time on it before starting over unless there is something obvious.  

```
var/tmp/portage/sys-devel/gcc-4.3.4/work/gcc-4.3.4/libstdc++-v3/include/bits/stl_queue.h /var/tmp/portage/sys-devel/gcc-4.3.4/work/gcc-4.3.4/libstdc++-v3/include/bits/stl_raw_storage_iter.h /var/tmp/portage/sys-devel/gcc-4.3.4/work/gcc-4.3.4/libstdc++-v3/include/bits/stl_relops.h /var/tmp/portage/sys-devel/gcc-4.3.4/work/gcc-4.3.4/libstdc++-v3/include/bits/stl_set.h /var/tmp/portage/sys-devel/gcc-4.3.4/work/gcc-4.3.4/libstdc++-v3/include/bits/stl_stack.h /var/tmp/portage/sys-devel/gcc-4.3.4/work/gcc-4.3.4/libstdc++-v3/include/bits/stl_tempbuf.h /var/tmp/portage/sys-devel/gcc-4.3.4/work/gcc-4.3.4/libstdc++-v3/include/bits/stl_tree.h /var/tmp/portage/sys-devel/gcc-4.3.4/work/gcc-4.3.4/libstdc++-v3/include/bits/stl_uninitialized.h /var/tmp/portage/sys-devel/gcc-4.3.4/work/gcc-4.3.4/libstdc++-v3/include/bits/stl_vector.h /var/tmp/portage/sys-devel/gcc-4.3.4/work/gcc-4.3.4/libstdc++-v3/include/bits/streambuf.tcc /var/tmp/portage/sys-devel/gcc-4.3.4/work/gcc-4.3.4/libstdc++-v3/include/bits/stringfwd.h /var/tmp/portage/sys-devel/gcc-4.3.4/work/gcc-4.3.4/libstdc++-v3/include/bits/valarray_array.h /var/tmp/portage/sys-devel/gcc-4.3.4/work/gcc-4.3.4/libstdc++-v3/include/bits/valarray_array.tcc /var/tmp/portage/sys-devel/gcc-4.3.4/work/gcc-4.3.4/libstdc++-v3/include/bits/valarray_before.h /var/tmp/portage/sys-devel/gcc-4.3.4/work/gcc-4.3.4/libstdc++-v3/include/bits/valarray_after.h /var/tmp/portage/sys-devel/gcc-4.3.4/work/gcc-4.3.4/libstdc++-v3/include/bits/vector.tcc; do \

          /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits; done

/bin/sh: line 1:  6474 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6475 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6476 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6477 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6478 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6479 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6480 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6481 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6482 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6483 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6484 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6485 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6486 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6487 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6488 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6489 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6490 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6491 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6492 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6493 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6494 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6495 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6496 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6497 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6498 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6499 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6500 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6501 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6502 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6503 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6504 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6505 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6506 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6507 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6508 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6509 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6510 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6511 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6512 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6513 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6514 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6515 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6516 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6517 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6518 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6519 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6520 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6521 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6522 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6523 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6524 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6525 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6526 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6527 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6528 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6529 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6530 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6531 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

/bin/sh: line 1:  6532 Illegal instruction     /usr/bin/install -c -m 644 ${file} /var/tmp/portage/sys-devel/gcc-4.3.4/image//usr/lib/gcc/x86_64-pc-linux-gnu/4.3.4/include/g++-v4/./bits

make[8]: *** [install-headers] Error 132

make[8]: Leaving directory `/var/tmp/portage/sys-devel/gcc-4.3.4/work/build/x86_64-pc-linux-gnu/32/libstdc++-v3/include'

make[7]: *** [install-am] Error 2

make[7]: Leaving directory `/var/tmp/portage/sys-devel/gcc-4.3.4/work/build/x86_64-pc-linux-gnu/32/libstdc++-v3/include'

make[6]: *** [install-recursive] Error 1

make[6]: Leaving directory `/var/tmp/portage/sys-devel/gcc-4.3.4/work/build/x86_64-pc-linux-gnu/32/libstdc++-v3'

make[5]: *** [multi-do] Error 1

make[5]: Leaving directory `/var/tmp/portage/sys-devel/gcc-4.3.4/work/build/x86_64-pc-linux-gnu/libstdc++-v3'

make[4]: *** [install-multi] Error 2

make[4]: Leaving directory `/var/tmp/portage/sys-devel/gcc-4.3.4/work/build/x86_64-pc-linux-gnu/libstdc++-v3'

make[3]: *** [install-am] Error 2

make[3]: Leaving directory `/var/tmp/portage/sys-devel/gcc-4.3.4/work/build/x86_64-pc-linux-gnu/libstdc++-v3'

make[2]: *** [install-recursive] Error 1

make[2]: Leaving directory `/var/tmp/portage/sys-devel/gcc-4.3.4/work/build/x86_64-pc-linux-gnu/libstdc++-v3'

make[1]: *** [install-target-libstdc++-v3] Error 2

make[1]: Leaving directory `/var/tmp/portage/sys-devel/gcc-4.3.4/work/build'

make: *** [install] Error 2

 * ERROR: sys-devel/gcc-4.3.4 failed:

 *   (no error message)

 *

 * Call stack:

 *              , line   54:  Called src_install

 *              , line 4943:  Called toolchain_src_install

 *              , line 5538:  Called gcc-compiler_src_install

 *   environment, line 2488:  Called die

 * The specific snippet of code:

 *

 * If you need support, post the output of 'emerge --info =sys-devel/gcc-4.3.4',

 * the complete build log and the output of 'emerge -pqv =sys-devel/gcc-4.3.4'.

 * The complete build log is located at '/var/tmp/portage/sys-devel/gcc-4.3.4/temp/build.log'.

 * The ebuild environment file is located at '/var/tmp/portage/sys-devel/gcc-4.3.4/temp/environment'.

 * S: '/var/tmp/portage/sys-devel/gcc-4.3.4/work/build'

 * The ebuild phase 'die_hooks' has exited unexpectedly. This type of

 * behavior is known to be triggered by things such as failed variable

 * assignments (bug #190128) or bad substitution errors (bug #200313).

 * Normally, before exiting, bash should have displayed an error message

 * above. If bash did not produce an error message above, it's possible

 * that the ebuild has called `exit` when it should have called `die`

 * instead. This behavior may also be triggered by a corrupt bash binary or

 * a hardware problem such as memory or cpu malfunction. If the problem is

 * not reproducible or it appears to occur randomly, then it is likely to

 * be triggered by a hardware problem. If you suspect a hardware problem

 * then you should try some basic hardware diagnostics such as memtest.

 * Please do not report this as a bug unless it is consistently

 * reproducible and you are sure that your bash binary and hardware are

 * functioning properly.

>>> Failed to emerge sys-devel/gcc-4.3.4, Log file:

>>>  '/var/tmp/portage/sys-devel/gcc-4.3.4/temp/build.log'

 * Messages for package sys-devel/gcc-4.3.4:

 * SSP has not been enabled by default

 * ERROR: sys-devel/gcc-4.3.4 failed:

 *   (no error message)

 *

 * Call stack:

 *              , line   54:  Called src_install

 *              , line 4943:  Called toolchain_src_install

 *              , line 5538:  Called gcc-compiler_src_install

 *   environment, line 2488:  Called die

 * The specific snippet of code:

 *

 * If you need support, post the output of 'emerge --info =sys-devel/gcc-4.3.4',

 * the complete build log and the output of 'emerge -pqv =sys-devel/gcc-4.3.4'.

 * The complete build log is located at '/var/tmp/portage/sys-devel/gcc-4.3.4/temp/build.log'.

 * The ebuild environment file is located at '/var/tmp/portage/sys-devel/gcc-4.3.4/temp/environment'.

 * S: '/var/tmp/portage/sys-devel/gcc-4.3.4/work/build'

 * Regenerating GNU info directory index...

 * Processed 12 info files.

 * IMPORTANT: 2 news items need reading for repository 'gentoo'.

 * Use eselect news to read news items.
```

----------

## nativemad

h!? looks like your /usr/bin/install is screwed!? Could you try it "dry" like 

```
/usr/bin/install -c -m 664 /some/file /some/new/file
```

...It would belong to sys-apps/coreutils...
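A triage sketch for a build log like the one posted above, added here as an example (it is not code from any poster in this thread). It groups the shell's "killed by signal" reports by binary and decodes the innermost `make` error, using the POSIX shell convention that an exit status above 128 is 128 plus the signal number. The sample log is constructed, with shortened paths, and the function names are hypothetical.

```python
import re
import signal
from collections import Counter

# Constructed sample shaped like the build log in this thread (paths shortened).
SAMPLE_LOG = """\
/bin/sh: line 1:  6474 Illegal instruction     /usr/bin/install -c -m 644 ${file} /image/usr/include/bits
/bin/sh: line 1:  6475 Illegal instruction     /usr/bin/install -c -m 644 ${file} /image/usr/include/bits
make[8]: *** [install-headers] Error 132
make[8]: Leaving directory `/work/build/libstdc++-v3/include'
make[7]: *** [install-am] Error 2
make: *** [install] Error 2
"""

# Shell report for a child that died from a signal:
#   "<shell>: line N: <pid> <description> <command ...>"
KILLED = re.compile(
    r"^\S+: line \d+:\s+(\d+) "
    r"(Illegal instruction|Segmentation fault|Killed|Aborted|Bus error)"
    r"(?: \(core dumped\))?\s+(\S+)"
)
# make failure line: "make[depth]: *** [target] Error status"
MAKE_ERR = re.compile(r"^make(?:\[(\d+)\])?: \*\*\* \[([^\]]+)\] Error (\d+)")


def decode_status(status):
    """Return the signal name if a shell exit status encodes death by signal."""
    if status <= 128:
        return None
    try:
        return signal.Signals(status - 128).name
    except ValueError:
        return None


def triage(log_text):
    killed = Counter()   # (binary, description) -> number of occurrences
    make_errors = []     # (depth, target, status)
    for line in log_text.splitlines():
        m = KILLED.match(line)
        if m:
            killed[(m.group(3), m.group(2))] += 1
            continue
        m = MAKE_ERR.match(line)
        if m:
            make_errors.append((int(m.group(1) or 0), m.group(2), int(m.group(3))))
    # The deepest make level is where the failure started; outer levels
    # only propagate it with generic statuses such as 1 or 2.
    origin = max(make_errors, key=lambda e: e[0]) if make_errors else None
    return {
        "killed": dict(killed),
        "origin_target": origin[1] if origin else None,
        "origin_status": origin[2] if origin else None,
        "origin_signal": decode_status(origin[2]) if origin else None,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for (binary, why), count in report["killed"].items():
        print(f"{binary}: {why} x{count}")
    print(report["origin_target"], report["origin_status"], report["origin_signal"])
```
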

----------

## pjp

 *nativemad wrote:*   

> h!? looks like your /usr/bin/install is screwed!? Could you try it "dry" like 
> 
> ```
> /usr/bin/install -c -m 664 /some/file /some/new/file
> ```
> ...

  Weird.  I'm assuming that is what portage uses to install a package which successfully compiled?  Any idea why it would work for binutils then fail for gcc?

I'll test it this afternoon.

----------

## pjp

 *nativemad wrote:*   

> h!? looks like your /usr/bin/install is screwed!? Could you try it "dry" like 
> 
> ```
> /usr/bin/install -c -m 664 /some/file /some/new/file
> ```
> ...

  Couldn't ssh in this afternoon and found the system was having the init respawning problem.  Rebooted to the pax / grsec kernel and that seems to be resolved for now.

```
# /usr/bin/install -c -m 664 /usr/bin/install /tmp/install
# ls -l /usr/bin/install
-rwxr-xr-x 1 root root 101288 Oct 12 00:55 /usr/bin/install
# ls -l /tmp/install
-rw-rw-r-- 1 root root 101288 Oct 15 09:44 /tmp/install
```

EDIT:

I give up.  I was periodically getting a hypertransport syncing too fast error during boot, so I tried updating the BIOS.  That didn't seem to solve the compiling problem.

I'm just going to start over (with hardened stage) and hope it was an error I made along the way.

Thanks.

----------

## pjp

 *pjp wrote:*   

> I give up.  I was periodically getting a hypertransport syncing too fast error during boot, so I tried updating the BIOS.  That didn't seem to solve the compiling problem.

  I started over from scratch and now the system is crashing during compiles and giving the same HT message during crash/reboots now.  Looks like I've got several hundred dollars worth of crap in a shiny new box.  *sigh*

----------

