Install Cinelerra in Gentoo (out-of-portage) -- Part 3
2016-04-25
First, why grsecurity?
If in a hurry and want to get to the cinelerra-cv technical issue, pls. just skim through this subchapter over to the meat of this page! This here only says, mainly, that I don't want to give up grsecurity to get me Cinelerra.
I believe FOSS Linux ought to be taken out of the clutches of big business. The Systemd phenomenon is all wrong, all wrong, completely. And all in the service of the bad big. It's a catastrophe brought into the FOSS, a certain disaster that is already happening. I don't believe there's any real privacy where Systemd and its associates (one of the indispensable ones being Dbus, in the strong opinion of some of us) move in.
And one of the programs that I really pin my hopes on for privacy in FOSS Linux is https://www.grsecurity.net
(
And also some of the saddest days for me last year were when I learned grsecurity went, for all stable releases, customer-only (see Intel Subsidiary's Violations Made Grsec withdraw Stable?). Testing only remains free under GPL-2.
Surely I am one of those who uses the testing grsec... Actually the change does not affect me at all, as I've always used testing. But I worry for *nix in general, brother. That's why the commercial switch (for which I don't really blame spender and Pax Team, but the story is too long for this digression) saddened me. Because I wish the real *nix stayed real live and kicking no matter the poetterware and such, for all the more numerous FOSS community, and with a path blazed for newbies, dear brothers in *nix!
)
grsec: denied RWX mmap to cinelerra
Anyway, you don't get this logging without grsecurity, and when you have the grsec-hardened kernel installed, you need to enable exec_logging to get logging like the below in your syslog.
This is what happened when I ran:
$ cinelerra
from the command line in a terminal (and in the terminal no errors showed, but the cinelerra froze while toward the end of the opening smaller gui in the middle of the screen):
Apr 24 23:00:39 gcn kernel: [58917.235767] grsec: (miro:U:/usr/bin/cinelerra) exec of /usr/bin/cinelerra (cinelerra ) by /usr/bin/cinelerra[bash:7202] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3626] uid/euid:1000/1000 gid/egid:1000/1000
Apr 24 23:00:39 gcn kernel: [58917.541146] grsec: (miro:U:/usr/bin/cinelerra) denied RWX mmap of <anonymous mapping> by /usr/bin/cinelerra[cinelerra:7202] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3626] uid/euid:1000/1000 gid/egid:1000/1000
...[one more line with just the serial [58917.772020] different from above]...
Apr 24 23:00:39 gcn kernel: [58917.890663] grsec: (miro:U:/usr/bin/cinelerra) denied marking stack executable as requested by PT_GNU_STACK marking in /usr/lib64/cinelerra/blondtheme.so by /usr/bin/cinelerra[cinelerra:7202] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3626] uid/euid:1000/1000 gid/egid:1000/1000
Apr 24 23:00:39 gcn kernel: [58917.950650] grsec: (miro:U:/usr/bin/cinelerra) denied marking stack executable as requested by PT_GNU_STACK marking in /usr/lib64/cinelerra/bluedottheme.so by /usr/bin/cinelerra[cinelerra:7202] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3626] uid/euid:1000/1000 gid/egid:1000/1000
Apr 24 23:00:40 gcn kernel: [58918.524054] grsec: more alerts, logging disabled for 10 seconds
And I'm afraid my quest has now only started. If Cinelerra was an easy program to deploy in Portage, it would have been there all the time...
I have done a few more attempts at building Cinelerra-CV since. I have also gone with Grsecurity's RBAC (the Role Based Access Control) disabled, but to no avail. Errors are diverging a little, but the install which is successful in the sense that it completes faultlessly, gets me a Cinelerra that does not start for the above, and the below reasons, that I collected in this time.
This is with RBAC disabled:
Apr 24 23:10:49 gcn kernel: [59527.668242] grsec: exec of /usr/bin/cinelerra (cinelerra ) by /usr/bin/cinelerra[bash:7244] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3626] uid/euid:1000/1000 gid/egid:1000/1000
Apr 24 23:10:49 gcn kernel: [59527.735927] grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/cinelerra[cinelerra:7244] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3626] uid/euid:1000/1000 gid/egid:1000/1000
...[one more line with just the serial [59527.930440] different from above]...
Apr 24 23:10:49 gcn kernel: [59528.048248] grsec: denied marking stack executable as requested by PT_GNU_STACK marking in /usr/lib64/cinelerra/blondtheme.so by /usr/bin/cinelerra[cinelerra:7244] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3626] uid/euid:1000/1000 gid/egid:1000/1000
Apr 24 23:10:49 gcn kernel: [59528.103203] grsec: more alerts, logging disabled for 10 seconds
I rule out using a non-grsec-hardened kernel. I hope just like all the other programs that I use, Cinelerra can be talked into working grsec-friendly.
And I went ducking for more information, as well as looking into:
/usr/portage/media-video/cinelerra
and the ebuilds there for more clues.
After reading:
Bug 212959 - media-video/cinelerra has executable stack (execstack) issues
https://bugs.gentoo.org/show_bug.cgi?id=212959
, and after especially:
Hardened/GNU stack quickstart
https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart
I decided to try and recompile, like this:
export LDFLAGS+=-Wl,-z,noexecstack && echo $LDFLAGS; read FAKE; \
./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --with-x \
--with-buildinfo=git/recompile |& tee \
/var/log/no-portage-tmp/cinelerra-cv_$(date +%y%m%d_%H%M)_configure.log
(I'm not really a programmer, just a seasoned, but somewhat slow, user. The export worked, because the "echo..." and "read FAKE;" I put there for me to see if it did and only then continue, told me "-Wl,-z,noexecstack" back.)
Neither did these help much:
paxctl -m /usr/bin/cinelerra
paxctl -m /usr/lib/cinelerra/bluedottheme.so
paxctl -m /usr/lib/cinelerra/blondtheme.so
paxctl -m /usr/lib/cinelerra/suv.so
nor even (find "denied RWX mprotect of /lib64/ld-2.22.so" below in more from system log):
paxctl -m /lib/ld-2.22.so
Eventually, the errors were like this:
$ cinelerra &
[1] 26986
$ Cinelerra-CV 2.3 GIT::36659e9965401a124097dd26f1ecc7443e68e5a6 (C) 2006 Heroine Virtual Ltd.
(C) 2006-2016 The CinelerraCV Community
Internal ffmpeg
Compiled on Mon Apr 25 10:19:45 CEST 2016
Cinelerra-CV is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. There is absolutely no warranty for Cinelerra-CV.
PluginServer::open_plugin: /usr/lib/cinelerra/blondtheme.so: cannot change memory protections: Permission denied
PluginServer::open_plugin: /usr/lib/cinelerra/bluedottheme.so: cannot change memory protections: Permission denied
PluginServer::open_plugin: /usr/lib/cinelerra/suv.so: cannot change memory protections: Permission denied
MWindow::init_theme: Default theme S.U.V. not exists. Maybe an install problem
[1]+ Exit 1 cinelerra
And in the logs:
Apr 25 10:50:18 gcn kernel: [14513.404820] grsec: exec of /usr/bin/cinelerra (cinelerra ) by /usr/bin/cinelerra[bash:26986] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3336] uid/euid:1000/1000 gid/egid:1000/1000
Apr 25 10:50:19 gcn kernel: [14513.767991] grsec: denied marking stack executable as requested by PT_GNU_STACK marking in /usr/lib64/cinelerra/blondtheme.so by /usr/bin/cinelerra[cinelerra:26986] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3336] uid/euid:1000/1000 gid/egid:1000/1000
Apr 25 10:50:19 gcn kernel: [14513.768030] grsec: denied RWX mprotect of /lib64/ld-2.22.so by /usr/bin/cinelerra[cinelerra:26986] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3336] uid/euid:1000/1000 gid/egid:1000/1000
Apr 25 10:50:19 gcn kernel: [14513.824316] grsec: denied marking stack executable as requested by PT_GNU_STACK marking in /usr/lib64/cinelerra/bluedottheme.so by /usr/bin/cinelerra[cinelerra:26986] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3336] uid/euid:1000/1000 gid/egid:1000/1000
Apr 25 10:50:19 gcn kernel: [14513.824357] grsec: denied RWX mprotect of /lib64/ld-2.22.so by /usr/bin/cinelerra[cinelerra:26986] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:3336] uid/euid:1000/1000 gid/egid:1000/1000
Apr 25 10:50:19 gcn kernel: [14514.379216] grsec: more alerts, logging disabled for 10 seconds
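The grsec lines above reduce to a short list of which object triggered which kind of denial, with or without the RBAC role prefix. This is an added example, not part of the original post; summarize and the kind labels are hypothetical names, and the sample lines are abbreviated from the log excerpts on this page.

```python
import re
from collections import defaultdict

KINDS = {
    "RWX mmap of": "rwx_mmap",
    "RWX mprotect of": "rwx_mprotect",
    "marking stack executable as requested by PT_GNU_STACK marking in": "exec_stack",
}
# Optional "(role:type:subject)" prefix appears only when RBAC is enabled.
DENIED = re.compile(
    r"grsec: (?:\([^)]*\) )?denied (?P<what>" + "|".join(map(re.escape, KINDS))
    + r") (?P<obj>.+?) by (?P<proc>/\S+?)\[")
SUPPRESSED = re.compile(r"grsec: more alerts, logging disabled")

def summarize(lines):
    """Return ({kind: set(objects)}, suppressed) for an iterable of syslog lines."""
    denials = defaultdict(set)
    suppressed = False
    for line in lines:
        if SUPPRESSED.search(line):
            suppressed = True        # rate limit hit: later denials are not logged
            continue
        m = DENIED.search(line)
        if m:
            denials[KINDS[m["what"]]].add(m["obj"])
    return dict(denials), suppressed

# Sample input abbreviated from the excerpts on this page (parent fields cut).
BY = " by /usr/bin/cinelerra[cinelerra:26986] uid/euid:1000/1000 gid/egid:1000/1000"
SAMPLE = [
    "Apr 24 23:00:39 gcn kernel: [58917.541146] grsec: (miro:U:/usr/bin/cinelerra) "
    "denied RWX mmap of <anonymous mapping>" + BY,
    "Apr 25 10:50:19 gcn kernel: [14513.767991] grsec: denied marking stack executable "
    "as requested by PT_GNU_STACK marking in /usr/lib64/cinelerra/blondtheme.so" + BY,
    "Apr 25 10:50:19 gcn kernel: [14513.768030] grsec: denied RWX mprotect of "
    "/lib64/ld-2.22.so" + BY,
    "Apr 25 10:50:19 gcn kernel: [14513.824316] grsec: denied marking stack executable "
    "as requested by PT_GNU_STACK marking in /usr/lib64/cinelerra/bluedottheme.so" + BY,
    "Apr 25 10:50:19 gcn kernel: [14514.379216] grsec: more alerts, logging disabled "
    "for 10 seconds",
]

if __name__ == "__main__":
    import sys
    print(summarize(sys.stdin if not sys.stdin.isatty() else SAMPLE))
```

When the second value is true the object list is incomplete, so a file such as suv.so, which fails in the terminal output, may be absent from the log.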
This whole Cinelerra build issue ought to have been posted on Gentoo Forums instead (a digression there, which is not needed for solving of this issue, don't read it if you don't have the time).
I've posted this on my NGO's website, because, as you can see, I've deployed much of what a kind developer needs to know about my issues with building and installing Cinelerra-CV, that he/she be from Gentoo or from Cinelerra-CV team, or from grsecurity.
Just a few logs and all is set up for asking developers for help with this issue.
But allow me to cut a corner or two here. I'll put all the 1.9MB of logs under this very address at which you are reading, not just because it's much faster for me, but also because lots of it is still too mumbo-jumbo for me to get the exact lines out that tell the reasons for my freshly installed cinelerra not starting.
And I think I'll need to trim it heavily, because it's hard to even figure out which is which (but the dates compare with the system log pastes above!)... When I find time.
This Part 3 of "Install Cinelerra in Gentoo Out-of-Portage" is currently left unfinished. It ought to be fitted with a few more links esp. regarding the digression about the Gentoo folks (social, political, non-technical stuff)... When I find time.
However, where I reached with my Cinelerra-CV install is completely presented (although not cleanly and precisely, as I'm not a developer).
And so now I'm going to seek help. I hope this will not be one of the issues that I end up abandoning (it happened to me on Gentoo Forums with at least two other really difficult issues).
=======================================================
A digression not necessary for the technical understanding of the issues above follows now.
He or she is a liar whoever tells you this quest of mine is not fit for a Forum, and surely it ought to be on Gentoo Forums...
The fact that I might (as I often do) solve it more on my own than by other Gentoo Forums folks' help (often I got help from people on places like Wireshark ML and Mozilla dev ML, but not from Gentoo Forums) doesn't detract from this being a query fit for forums, be it for support, or combined with pretty followed few pieces of advice for newbies that I am wont to give, as has been shown over and over on Gentoo Forums in some of my topics...
What are some of the Gentoo guys turning into? And I hope they won't be prevailing for long (but do I know?, I don't). Surveillance and big business and their shadows' interests supporters and dispensers, it looks to me. Some of you do behave like FONs, I'm sorry to say... When are we getting your bad big employers' backdoors/bugdoors?... I hope never, because I hope Gentoo will be brought back to normal moderators and developers
(
but do I know?, I don't... Just: it'll be a huge failure if that should happen, not for Gentoo being so big, it's too difficult to be hugely popular, but because Gentoo is the most advanced, the mightiest by virtue of its Portage design. Gentoo ought to remain the home of real hardening, the grsecurity hardening, the real winner over the surveillance and intrusion by the bad big and their shadows, and for something so pure to be compromised, would be a really huge failure
).
Till I find time for this (here digressive) issue, look it up here:
Open Little Book from Gentoo
and here:
../../cap/cap-160321-NAT/
and ask about what happened on Gentoo Forums, if you feel brave.
There has never been any rule that says: don't link in your forum posts.... And yet, these Cinelerra build issues that I'm wrestling with, they can not possibly be solved for a grsec-hardened system, without advanced understanding of grsecurity and PaX, along with advanced compilation understanding applied to Cinelerra building...
Believe you me, some of the peculiar kind of liberals in charge currently at Gentoo, would not let me solve this issue there... They're ruining Gentoo.
As I would need to ask about it, as I will, but linking to here, and from here, at grsecurity forums, at Cinelerra ML, and possibly even at other places.
And I will ask, but linking to here from where I will ask. And you know what those liberals would call my linking?
They would call it blogging. Yeah... And declare it was against the rules. Never mind it has never ever been written such a rule anywhere in any FOSS forum... (Until that is, they try and... fail to write such a rule. As it doesn't hold even a drop of water. C'mon! A "don't blog" rule.)
And surely I will link to advice that I get there, so all is, hopefully, solved without cross-posting... ;-)
Read also here:
Was I really hijacking topics from other members?
https://forums.gentoo.org/viewtopic-t-1041614.html
I really never expected to get such Bolshevik-kind of attitude in a U.S. based NGO like Gentoo... Still gripped by surprise, even now after nearly one month's time (find there in bottom: "your account has been banned"). This can't be happening.