LinuxQuestions.org


petersk 02-24-2008 08:15 PM

base Kernel compile - how to patch for apparmor/firewall
 
I got and reasonably successfully compiled/installed the 2.6.24.2 kernel working from kernel.org. I really wanted this kernel because it has "native" support (that is, no ndiswrapper needed) for my WiFi card (b43legacy). The wireless is working, which is nice (had to get the firmware properly placed).
I have these two problems though:
1) I have to shut off the firewall in Suse 10.2 to get networking to work. I get a bunch of iptables-batch errors at boot up.
2) I cannot figure out how to patch the kernel to get apparmor support. I've been here: http://forge.novell.com/modules/xfmod/project/?apparmor and see a/the patch, but don't know how to apply it.

Any help with either of these problems would be greatly appreciated.
Kurt

unSpawn 02-26-2008 11:08 AM

Quote:

Originally Posted by petersk (Post 3068648)
I have to shut off the firewall in Suse 10.2 to get networking to work. I get a bunch of iptables-batch errors at boot up.

Talking *about* errors won't help, posting them in full just might.


Quote:

Originally Posted by petersk (Post 3068648)
I cannot figure out how to patch the kernel to get apparmor support. I've been here: http://forge.novell.com/modules/xfmod/project/?apparmor and see a/the patch, but don't know how to apply it.

See http://en.opensuse.org/AppArmor_Geeks

petersk 02-26-2008 07:24 PM

Thanks, the apparmor patch didn't seem to work - I think it's because I am using 2.6.24.2 and not just 2.6.24-only. Is it possible to apply the patch to a later version?

security/apparmor/lsm.c:908: error: unknown field ‘socket_create’ specified in initializer
security/apparmor/lsm.c:908: warning: initialization from incompatible pointer type
security/apparmor/lsm.c:909: error: unknown field ‘socket_post_create’ specified in initializer
security/apparmor/lsm.c:909: warning: initialization from incompatible pointer type
security/apparmor/lsm.c:910: error: unknown field ‘socket_bind’ specified in initializer
security/apparmor/lsm.c:910: warning: initialization from incompatible pointer type
security/apparmor/lsm.c:911: error: unknown field ‘socket_connect’ specified in initializer
security/apparmor/lsm.c:911: warning: initialization from incompatible pointer type
security/apparmor/lsm.c:912: error: unknown field ‘socket_listen’ specified in initializer
security/apparmor/lsm.c:912: warning: initialization from incompatible pointer type
security/apparmor/lsm.c:913: error: unknown field ‘socket_accept’ specified in initializer
security/apparmor/lsm.c:913: warning: excess elements in struct initializer
security/apparmor/lsm.c:913: warning: (near initialization for ‘apparmor_ops’)
security/apparmor/lsm.c:914: error: unknown field ‘socket_sendmsg’ specified in initializer
security/apparmor/lsm.c:914: warning: excess elements in struct initializer
security/apparmor/lsm.c:914: warning: (near initialization for ‘apparmor_ops’)
security/apparmor/lsm.c:915: error: unknown field ‘socket_recvmsg’ specified in initializer
security/apparmor/lsm.c:915: warning: excess elements in struct initializer
security/apparmor/lsm.c:915: warning: (near initialization for ‘apparmor_ops’)
security/apparmor/lsm.c:916: error: unknown field ‘socket_getsockname’ specified in initializer
security/apparmor/lsm.c:916: warning: excess elements in struct initializer
security/apparmor/lsm.c:916: warning: (near initialization for ‘apparmor_ops’)
security/apparmor/lsm.c:917: error: unknown field ‘socket_getpeername’ specified in initializer
security/apparmor/lsm.c:917: warning: excess elements in struct initializer
security/apparmor/lsm.c:917: warning: (near initialization for ‘apparmor_ops’)
security/apparmor/lsm.c:918: error: unknown field ‘socket_getsockopt’ specified in initializer
security/apparmor/lsm.c:918: warning: excess elements in struct initializer
security/apparmor/lsm.c:918: warning: (near initialization for ‘apparmor_ops’)
security/apparmor/lsm.c:919: error: unknown field ‘socket_setsockopt’ specified in initializer
security/apparmor/lsm.c:919: warning: excess elements in struct initializer
security/apparmor/lsm.c:919: warning: (near initialization for ‘apparmor_ops’)
security/apparmor/lsm.c:920: error: unknown field ‘socket_shutdown’ specified in initializer
security/apparmor/lsm.c:920: warning: excess elements in struct initializer
security/apparmor/lsm.c:920: warning: (near initialization for ‘apparmor_ops’)
make[2]: *** [security/apparmor/lsm.o] Error 1
make[1]: *** [security/apparmor] Error 2
make: *** [security] Error 2


Here are the iptable/susefirewall2 messages that I get:
Feb 24 21:29:23 balder SuSEfirewall2: Error: iptables-batch failed, re-running using iptables
Feb 24 21:30:25 balder SuSEfirewall2: Error: iptables-batch failed, re-running using iptables
Feb 24 21:30:40 balder SuSEfirewall2: Error: iptables-batch failed, re-running using iptables
Feb 24 21:30:48 balder SuSEfirewall2: Error: iptables-batch failed, re-running using iptables
Feb 24 21:31:46 balder SuSEfirewall2: Error: iptables-batch failed, re-running using iptables
Feb 24 22:22:12 balder SuSEfirewall2: Error: iptables-batch failed, re-running using iptables
Feb 25 07:04:10 balder SuSEfirewall2: Error: iptables-batch failed, re-running using iptables
Feb 25 07:07:35 balder SuSEfirewall2: Error: iptables-batch failed, re-running using iptables
Feb 25 21:15:11 balder SuSEfirewall2: Error: iptables-batch failed, re-running using iptables
Feb 25 21:15:17 balder SuSEfirewall2: Error: iptables-batch failed, re-running using iptables
Feb 25 21:15:21 balder SuSEfirewall2: Error: iptables-batch failed, re-running using iptables

Kurt

unSpawn 02-27-2008 01:17 PM

Quote:

Originally Posted by petersk (Post 3070897)
Thanks, the apparmor patch didn't seem to work - I think it's because I am using 2.6.24.2 and not just 2.6.24-only. Is it possible to apply the patch to a later version?

Are you getting many rejects then (those should be dealt with on the apparmor development mailing list)? Are you sure you configured all AppArmor controls during kernel config?


Quote:

Originally Posted by petersk (Post 3070897)
Error: iptables-batch failed, re-running using iptables

Means that if you haven't got "/usr/sbin/iptables-batch" it'll re-run the commands using iptables. Apparently batchmode was submitted to iptables by SuSE but I don't know if it's in Patch-O-Matic (aka POM) or a specific SuSE addon.

petersk 02-27-2008 02:43 PM

I can't configure the kernel with AppArmor, because I can't get the patch to work on 2.6.24.3 (now).
Kurt

unSpawn 02-27-2008 06:01 PM

OK, but those errors you've shown don't look like errors from patch output?

petersk 02-28-2008 08:07 AM

No, I didn't get errors from quilt, I got those errors at compile time.

unSpawn 03-05-2008 02:06 AM

Quote:

Originally Posted by petersk (Post 3072616)
No, I didn't get errors from quilt, I got those errors at compile time.

If you are sure you configured all AppArmor controls during kernel config then the patch didn't work for your kernel version. I'd get on a SuSE mailing list and ask the maintainers to provide one.
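
Added example, not part of any post in this thread: the two checks raised above (did the patch leave rejects, and is every needed option set in the kernel config) as a shell triage of a patched tree. The option names and the claim that 2.6.24 declares the socket_* hooks of struct security_operations only under CONFIG_SECURITY_NETWORK are assumptions taken from the mainline kernel, not from the page; the sample tree is constructed.

```shell
#!/bin/sh
# Added example: triage a patched kernel tree before running make.
# Assumptions (not from the thread): the option names below, and that the
# socket_* hooks exist in struct security_operations only when
# CONFIG_SECURITY_NETWORK is set.

# List reject files left behind by patch/quilt; empty output means none.
find_rejects() {
    find "$1" -name '*.rej' -type f | sort
}

# Succeed if option $2 is set to y or m in the .config of tree $1.
config_enabled() {
    grep -Eq "^$2=(y|m)\$" "$1/.config" 2>/dev/null
}

# Print each required option that is missing or disabled in tree $1.
missing_options() {
    for opt in CONFIG_SECURITY CONFIG_SECURITY_NETWORK CONFIG_SECURITY_APPARMOR; do
        config_enabled "$1" "$opt" || echo "$opt"
    done
}

# Summarise tree $1 as "rejects", "config" or "ok".
triage() {
    if [ -n "$(find_rejects "$1")" ]; then
        echo rejects      # patch did not apply cleanly to this version
    elif [ -n "$(missing_options "$1")" ]; then
        echo config       # patch applied, but the kernel config is incomplete
    else
        echo ok
    fi
}

# Constructed sample tree so the example runs offline.
demo=$(mktemp -d)
mkdir -p "$demo/security/apparmor"
printf '%s\n' 'CONFIG_SECURITY=y' '# CONFIG_SECURITY_NETWORK is not set' \
    'CONFIG_SECURITY_APPARMOR=y' > "$demo/.config"
echo "missing: $(missing_options "$demo")"
echo "triage:  $(triage "$demo")"
```

Point the functions at a real source directory instead of `$demo` to run the same checks before `make`.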


All times are GMT -5.