turn CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT on
by Eric Paris
So after a little discussion with the SELinux folks it looks like we
want to turn this option on in FC7 as well. This should not be changed
for old fedora releases. This option will enable secmark by default
instead of the legacy network hooks for selinux. It should reduce the
selinux overhead on network traffic drastically. Few if any people
actually use the old network checks, but if someone is using them they
are still available (through a /selinux tunable called 'compat_net').
I believe the necessary bits to make use of secmark exist in the
iptables packages shipped in rawhide. RHEL 5 shipped with this enabled
and since most people don't use it anyway (even people who leave selinux
on) all this will do is drop their overhead.
-Eric
17 years, 1 month
Enable SECURITY_NETWORK_XFRM
by Eric Paris
Right before FC6 we turned off CONFIG_SECURITY_NETWORK_XFRM since there
was a lot of development still going on in that area, especially
concerning secid reconciliation between that and secmark. The
reconciliation work was killed upstream and XFRM labeling has been
worked on upstream and has been tested by the LSPP group for quite some
time now with success.
I'd like to get both of them turned back on so Fedora users can make use
of xfrm labeled networking.
-Eric
17 years, 1 month
Chance of dynamic loading of alternate AML code getting in?
by Hans de Goede
Hi all,
AFAIK Ubuntu includes a patch to allow dynamic loading of alternate AML code
dumps, to work around BIOS ACPI bugs. I know BIOSes and the kernel ACPI code
are getting better, but for some laptops this is needed. Any chance this could
be included into the Fedora kernel?
Also any chance of getting this included upstream?
Regards,
Hans
17 years, 1 month
[Fedora PATCH]: BZ 234473 Remove sparse directory listing from kernel rpmbuild
by Prarit Bhargava
Currently, rpmbuild -bp kernel-2.6.spec does
/usr/bin/bzip2 -dc /usr/src/redhat/SOURCES/sparse-0.2.tar.bz2
tar -xvvf -
which displays the directory of what has been untarred:
drwxrwxrwx git/git 0 2006-12-05 06:22:44 sparse-0.2/
(snip 123 lines)
I'm not sure if the full directory listing of sparse is needed. If it isn't,
then let's clean it up.
Resolves BZ 234473.
Signed-off-by: Prarit Bhargava <prarit(a)redhat.com>
--- kernel-2.6.spec.orig 2007-03-29 06:04:13.000000000 -0400
+++ kernel-2.6.spec 2007-03-29 06:04:16.000000000 -0400
@@ -1219,7 +1219,7 @@
# unpack sparse.
if [ ! -d sparse-%{sparsever} ] ; then
-%setup -T -D -a 3 -q
+%setup -D -T -q -a3
fi
# Unpack the Xen tarball.
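Review bot: the replacement `%setup -D -T -q -a3` line carries the same four options as the line it removes, only reordered and with `-a3` written as one word, so nothing in the hunk says which of the two differences silences the `tar -xvvf` listing. Please state that in the changelog and add a short comment above `%setup` saying the form is deliberate, so that a later cleanup does not revert it.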
17 years, 1 month
kernel build hacks for vanilla builds
by Roland McGrath
This is enough for "make vanilla-scratch-build" to work (or vanilla-i686,
vanilla-compile, etc). It might even be enough for "make vanilla-tag
vanilla-build", but I'd have to check it in to test that kludge.
Attached below is my linux-2.6.17-nonintconfig.patch, my old replacement
for linux-2.6-build-nonintconfig.patch (that didn't even need any
rediffing). It adds a second option "make loose_nonintconfig". IIRC, this
is necessary when upstream adds config options not yet in our config-*
files, so you get defconfig answers for new things instead of errors. This
probably doesn't come up with rawhide vanilla builds since those are only
"downgrades", but it can come up when trying builds from GIT branches for
experimental new things, and I found it much nicer to have defconfig win
for this instead of hand-tweak config-foo in my otherwise pristine checkout.
For doing builds from GIT branches, there's some more makefile magic and a
little script to be dusted off. If you like this stuff, I'll check it in
and then fiddle some more for the GIT variant.
Thanks,
Roland
Index: Makefile
===================================================================
RCS file: /cvs/dist/rpms/kernel/devel/Makefile,v
retrieving revision 1.45
diff -u -r1.45 Makefile
--- Makefile 19 Mar 2007 21:32:30 -0000 1.45
+++ Makefile 29 Mar 2007 10:03:08 -0000
@@ -68,3 +68,25 @@
# since i386 isn't a target...
compile compile-short: DIST_DEFINES += --target $(shell uname -m)
+
+
+vanilla-%: $(SPECFILE:.spec=-vanilla.spec)
+ @$(MAKE) $* SPECFILE=$<
+
+$(SPECFILE:.spec=-vanilla.spec): $(SPECFILE)
+ @rm -f $@
+ (echo %define nopatches 1; cat $<) > $@
+
+scratch-build: test-srpm
+ $(BUILD_CLIENT) $(BUILD_FLAGS) --scratch $(COLLECTION) \
+ $(SRCRPMDIR)/$(NAME)-$(VERSION)-$(RELEASE).src.rpm
+
+ifdef BEEHIVE_SRPM_BUILD
+export CHECKOUT_TAG ?= $(shell sed s/^.// CVS/Tag)
+tag-pattern = $(TAG_NAME)-$(TAG_VERSION)-0_%_$(TAG_RELEASE)
+ifeq (,$(filter-out $(tag-pattern),$(CHECKOUT_TAG)))
+variant := $(patsubst $(tag-pattern),%,$(CHECKOUT_TAG))
+srpm: SPECFILE := $(SPECFILE:.spec=-$(variant).spec)
+srpm beehive-sprm: RELEASE := 0.$(variant).$(RELEASE)
+endif
+endif
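Review bot: on the last rule inside `ifdef BEEHIVE_SRPM_BUILD` the target is spelled `beehive-sprm`, which looks like a transposition of `beehive-srpm`; as written the target-specific `RELEASE := 0.$(variant).$(RELEASE)` applies only to `srpm` and to a target literally named `beehive-sprm`. It would also help to quote the sed expression in `$(shell sed s/^.// CVS/Tag)` and to comment the `vanilla-%` rule, since the generated `-vanilla.spec` is just the original spec with `%define nopatches 1` prepended.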
Index: kernel-2.6.spec
===================================================================
RCS file: /cvs/dist/rpms/kernel/devel/kernel-2.6.spec,v
retrieving revision 1.3025
diff -u -r1.3025 kernel-2.6.spec
--- kernel-2.6.spec 29 Mar 2007 00:00:55 -0000 1.3025
+++ kernel-2.6.spec 29 Mar 2007 10:03:09 -0000
@@ -32,7 +32,8 @@
%define sublevel 20
%define kversion 2.6.%{sublevel}
%define rpmversion 2.6.%{sublevel}
-%define release %(R="$Revision: 1.3025 $"; RR="${R##: }"; echo ${RR%%?})%{?dist}
+%define specrelease %(R="$Revision: 1.3025 $"; RR="${R##: }"; echo ${RR%%?})%{?dist}
+%define release %{specrelease}
%define make_target bzImage
%define kernel_image x86
@@ -45,6 +46,28 @@
%define KVERREL %{PACKAGE_VERSION}-%{PACKAGE_RELEASE}
%define hdrarch %_target_cpu
+%if 0%{!?nopatches:1}
+%define nopatches 0
+%endif
+
+%if %{nopatches}
+%define includexen 0
+%else
+%define relsuffix .fedora
+%endif
+
+%define using_upstream_branch 0
+%if 0%{?upstream_branch:1}
+%define using_upstream_branch 1
+%define release 0.%{upstream_branch}%{?relsuffix}.%{specrelease}
+%define buildxen 0
+%define buildxenPAE 0
+%else
+%if %{nopatches}
+%define release 0.vanilla.%{specrelease}
+%endif
+%endif
+
# groups of related archs
#OLPC stuff
%if 0%{?olpc}
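Review bot: `upstream_branch` is tested in `%if 0%{?upstream_branch:1}` but nothing in this patch defines it, and `relsuffix` exists only when `nopatches` is 0, so the final `release` string depends on two macros whose origin is not documented here. A comment above the block saying how `upstream_branch` is meant to be supplied, and that `release` is deliberately redefined over the earlier `%define release %{specrelease}`, would make the three possible release formats easier to follow.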
@@ -169,6 +192,15 @@
%define xen_image vmlinux.gz
%endif
+%if %{nopatches}
+%define signmodules 0
+# Ignore unknown options in our config-* files.
+# Some options go with patches we're not applying.
+%define oldconfig_target loose_nonint_oldconfig
+%else
+%define oldconfig_target nonint_oldconfig
+%endif
+
# To temporarily exclude an architecture from being built, add it to
# %nobuildarches. Do _NOT_ use the ExclusiveArch: line, because if we
# don't build kernel-headers then the new build system will no longer let
@@ -304,9 +336,17 @@
#
# Patches 0 through 100 are meant for core subsystem upgrades
#
+
+%if %{using_upstream_branch}
+### BRANCH PATCH ###
+%else
Patch1: patch-2.6.21-rc5.bz2
+%endif
+
Patch3: git-geode.patch
+%if !%{nopatches}
+
# Patches 10 through 99 are for things that are going upstream really soon.
Patch10: linux-2.6-utrace.patch
Patch11: nouveau-drm.patch
@@ -360,7 +400,9 @@
# Patches 800 through 899 are reserved for bugfixes to the core system
# and patches related to how RPMs are build
#
-Patch800: linux-2.6-build-nonintconfig.patch
+%endif
+Patch800: linux-2.6.17-nonintconfig.patch
+%if !%{nopatches}
# Exec-shield.
Patch810: linux-2.6-execshield.patch
@@ -495,6 +537,7 @@
Patch20002: xen-dom0-reboot.patch
# END OF PATCH DEFINITIONS
+%endif
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root-%{_target_cpu}
@@ -867,9 +910,16 @@
cd linux-%{kversion}.%{_target_cpu}
+%if %{using_upstream_branch}
+### BRANCH APPLY ###
+%else
+
# Update to latest upstream.
%patch1 -p1
+%endif
+%if !%{nopatches}
+
# Patches 10 through 100 are meant for core subsystem upgrades
# Roland's utrace ptrace replacement.
@@ -945,13 +995,14 @@
# Patches 800 through 899 are reserved for bugfixes to the core system
# and patches related to how RPMs are build
#
-
+%endif
# This patch adds a "make nonint_oldconfig" which is non-interactive and
# also gives a list of missing options at the end. Useful for automated
# builds (as used in the buildsystem).
%patch800 -p1
+%if !%{nopatches}
# Exec shield
%patch810 -p1
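Review bot: the comment above `%patch800 -p1` still describes only `make nonint_oldconfig`, while Patch800 is now linux-2.6.17-nonintconfig.patch, which also adds `loose_nonint_oldconfig`, and this is now the one patch applied even when `nopatches` is set. Update the comment to name both targets and to say why `%patch800` sits between the `%endif` and the following `%if !%{nopatches}`.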
@@ -1171,6 +1222,7 @@
%patch10001 -p1
# END OF PATCH APPLICATIONS
+%endif
cp %{SOURCE10} Documentation/
@@ -1201,7 +1253,7 @@
do
mv $i .config
Arch=`head -1 .config | cut -b 3-`
- make ARCH=$Arch nonint_oldconfig > /dev/null
+ make ARCH=$Arch %{oldconfig_target} > /dev/null
echo "# $Arch" > configs/$i
cat .config >> configs/$i
done
@@ -1295,7 +1347,7 @@
KernelImage=arch/$Arch/boot/bzImage
fi
- make -s ARCH=$Arch nonint_oldconfig > /dev/null
+ make -s ARCH=$Arch %{oldconfig_target} > /dev/null
make -s ARCH=$Arch %{?_smp_mflags} $MakeTarget %{?sparse_mflags}
make -s ARCH=$Arch %{?_smp_mflags} modules %{?sparse_mflags} || exit 1
--- linux-2.6.17/scripts/kconfig/Makefile.nonintconfig
+++ linux-2.6.17/scripts/kconfig/Makefile
@@ -23,6 +23,11 @@ oldconfig: $(obj)/conf
silentoldconfig: $(obj)/conf
$< -s arch/$(ARCH)/Kconfig
+nonint_oldconfig: $(obj)/conf
+ $< -b arch/$(ARCH)/Kconfig
+loose_nonint_oldconfig: $(obj)/conf
+ $< -B arch/$(ARCH)/Kconfig
+
update-po-config: $(obj)/kxgettext
xgettext --default-domain=linux \
--add-comments --keyword=_ --keyword=N_ \
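Review bot: the new `nonint_oldconfig` and `loose_nonint_oldconfig` targets differ only in `-b` versus `-B`, and neither carries a comment saying what that difference means; the cover text also calls the second one `loose_nonintconfig`, which is not the name added here. A one-line comment per target (strict: report unset options and return nonzero; loose: take the default without counting it) and a consistent name in the description would help.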
--- linux-2.6.17/scripts/kconfig/conf.c.nonintconfig
+++ linux-2.6.17/scripts/kconfig/conf.c
@@ -21,6 +21,8 @@ enum {
ask_all,
ask_new,
ask_silent,
+ dont_ask,
+ dont_ask_dont_tell,
set_default,
set_yes,
set_mod,
@@ -37,6 +39,8 @@ static struct menu *rootEntry;
static char nohelp_text[] = N_("Sorry, no help available for this option yet.\n");
+static int return_value = 0;
+
static void strip(char *str)
{
char *p = str;
@@ -103,6 +107,14 @@ static void conf_askvalue(struct symbol
fflush(stdout);
fgets(line, 128, stdin);
return;
+ case dont_ask:
+ if (!sym_has_value(sym)) {
+ fprintf(stderr,"CONFIG_%s\n",sym->name);
+ return_value++;
+ }
+ /*FALLTHROUGH*/
+ case dont_ask_dont_tell:
+ return;
case set_default:
printf("%s\n", def);
return;
@@ -346,6 +358,11 @@ static int conf_choice(struct menu *menu
printf("?");
printf("]: ");
switch (input_mode) {
+ case dont_ask:
+ case dont_ask_dont_tell:
+ cnt = def;
+ printf("%d\n", cnt);
+ break;
case ask_new:
case ask_silent:
if (!is_new) {
@@ -482,6 +499,10 @@ static void check_conf(struct menu *menu
if (!conf_cnt++)
printf(_("*\n* Restart config...\n*\n"));
rootEntry = menu_get_parent_menu(menu);
+ if (input_mode == dont_ask
+ || input_mode == dont_ask_dont_tell)
+ fprintf(stderr,"CONFIG_%s\n",sym->name);
+ else
conf(rootEntry);
}
}
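Review bot: in `check_conf` the new branch prints `CONFIG_%s` to stderr for `dont_ask_dont_tell` as well as `dont_ask`, which does not match the silent `return` that `-B` mode gets in `conf_askvalue`, and it leaves `return_value` untouched, so a symbol reported only here does not affect the exit status. If the loose mode is meant to stay quiet, test only `input_mode == dont_ask` before the `fprintf`; the unbraced `if`/`else` around `conf(rootEntry)` would also read better with braces and matching indentation.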
@@ -501,6 +522,12 @@ int main(int ac, char **av)
case 'o':
input_mode = ask_new;
break;
+ case 'b':
+ input_mode = dont_ask;
+ break;
+ case 'B':
+ input_mode = dont_ask_dont_tell;
+ break;
case 's':
input_mode = ask_silent;
valid_stdin = isatty(0) && isatty(1) && isatty(2);
@@ -566,6 +593,8 @@ int main(int ac, char **av)
}
case ask_all:
case ask_new:
+ case dont_ask:
+ case dont_ask_dont_tell:
conf_read(NULL);
break;
case set_no:
@@ -612,7 +641,8 @@ int main(int ac, char **av)
do {
conf_cnt = 0;
check_conf(&rootmenu);
- } while (conf_cnt);
+ } while (conf_cnt && (input_mode != dont_ask
+ && input_mode != dont_ask_dont_tell));
if (conf_write(NULL)) {
fprintf(stderr, _("\n*** Error during writing of the kernel configuration.\n\n"));
return 1;
@@ -623,5 +653,5 @@ skip_check:
return 1;
}
- return 0;
+ return return_value;
}
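Review bot: `return return_value;` makes the exit status the raw count of unset symbols, and an exit status keeps only the low 8 bits, so a run with exactly 256 missing options would exit 0 and look clean to the build. Return a fixed nonzero value instead, for example `return return_value ? 1 : 0;`, and leave the detail on stderr where the `CONFIG_%s` names already go.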
17 years, 1 month
Debugging Soft Lockups in FC kernels
by Jonathan Underwood
Hi,
With FC-6 I have been seeing a lot of soft lockups with all shipped
kernels on my Dell x86_64 SMP machines. For example, inserting a USB
key triggers a soft lockup, as does the VMWare bridged interface. I
realize the latter taints the kernel, but the former happens with
untainted FC-6 kernels (i.e. the vmware stuff not installed let alone
loaded). Anyway, I have reported bugs, detailing the stack trace that
pops up in dmesg, but I get the feeling this isn't that helpful for
debugging.
So, my general question is this: What extra things could I do to provide more
information about soft lockups?
Best wishes,
Jonathan
17 years, 1 month
/dev/dvb device nodes not being created?
by Christopher Brown
Thanks for the invite Chuck. Great to read about your appointment working
with Dave by the way. I can confirm that this rocks.
To the matter at hand folks:
See:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=233416
for dirty debugging output but essentially:
I'm running MythTV and the cx88-dvb driver that loaded with all the
2.6.18-2.6.19 kernels fails to do so with 2.6.20. Running modprobe loads the
drivers fine. In the not too distant past there used to be a problem with
the blackbird drivers grabbing control of the card(s) before the correct
driver did so. I therefore blacklisted the blackbird driver and the correct
driver loaded, the clouds cleared and the sun shone once more on green
fields. Now it looks like something similar has returned and I can only
force the driver to load by adding it to /etc/rc.modules
Any ideas?
Cheers
Chris
--
http://www.chruz.com
17 years, 1 month
Problems with kernel updates needing non-kernel changes
by Chuck Ebbert
So far we seem to hit a few different problems when upgrading
kernels.
1) mkinitrd may need changing, e.g. the raid4, raid5 and raid6
modules were combined into raid456 a while ago, breaking
mkinitrd completely on raid machines.
2) some modules may now work that were broken, but they need
new options, like snd-hda-intel which now works on my acer
notebook if "probe_mask=1" is added to the module options.
3) like (2) but options may need to be removed. Suddenly drivers
that worked refuse to load because they no longer recognize
options that used to be valid.
I'm especially concerned about (2) and (3) because there doesn't
seem to be a system in place to update driver options after the
system is installed. We can collect the needed changes but the
logic to do all of this is in anaconda, and can only be applied
during system install, as far as I can tell.
17 years, 1 month
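An added example, not part of the post above or of any Fedora tool: one way to catch case (3), and options left behind for a module that has disappeared as in case (1), is to compare the `options` lines in modprobe.conf with the parameters the new kernel's modules report through `modinfo -p`. The configuration text, the `legacy_opt` and `hypothetical_opt` names and the modinfo text are constructed samples; only `snd-hda-intel`, `probe_mask` and `raid5` come from the post.

```python
# Constructed sample of a modprobe.conf carried over from the previous kernel.
SAMPLE_MODPROBE_CONF = """\
alias snd-card-0 snd-hda-intel
options snd-hda-intel probe_mask=1 legacy_opt=1
options raid5 hypothetical_opt=4   # module since merged into raid456
"""

# Constructed stand-in for `modinfo -p <module>` output under the new kernel
# ("name:description (type)" per line), keyed by normalized module name.
SAMPLE_MODINFO = {
    "snd_hda_intel": "probe_mask:constructed description (int)\n",
}


def norm(module):
    """modprobe treats '-' and '_' in module names as equivalent."""
    return module.replace("-", "_")


def configured_options(conf_text):
    """Yield (module, parameter) for every 'options' line in the config."""
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) >= 2 and fields[0] == "options":
            for token in fields[2:]:
                yield norm(fields[1]), token.split("=", 1)[0]


def accepted_params(modinfo_text):
    """Parameter names taken from 'name:description (type)' lines."""
    return {line.split(":", 1)[0]
            for line in modinfo_text.splitlines() if ":" in line}


def stale_options(conf_text, modinfo_by_module):
    """Return (module, parameter, reason) for options the new kernel rejects."""
    findings = []
    for module, param in configured_options(conf_text):
        if module not in modinfo_by_module:
            findings.append((module, param, "module not present"))
        elif param not in accepted_params(modinfo_by_module[module]):
            findings.append((module, param, "parameter not recognized"))
    return findings


if __name__ == "__main__":
    for finding in stale_options(SAMPLE_MODPROBE_CONF, SAMPLE_MODINFO):
        print("%s: %s (%s)" % finding)
```

On a real system the dictionary would be filled by running `modinfo -p` against the newly installed kernel's modules before the first reboot into it.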
Should we be using CONFIG_PREEMPT_BKL in the Fedora kernel?
by Chuck Ebbert
I get the feeling that some of the bugs we are seeing are because
we have enabled CONFIG_PREEMPT_BKL. I remember looking at the
code when it came out and thinking it was too scary to enable,
so I never did in my own vanilla kernels.
17 years, 1 month