12-nov-05

Hello:

I have a FC3 box which requires compiling the kernel from source to accommodate acpi & ec.c related hardware quirks (it's a generic laptop). When compiling & installing the latest kernels, I have discovered an apparent problem with both the 2.6.14 & 2.6.14.2 kernels and SELinux.

After compiling these kernels, SELinux is silently disabled on boot; e.g.: sestatus shows SELinux as disabled regardless of /etc/selinux/config being set for 'Permissive-targeted'. ps -Z & ls -Z show no xattributes but return these values/messages:

    torus:~/selinux/kernel-tests> ps -Z
    LABEL PID TTY TIME CMD
    kernel 3979 pts/6 00:00:00 tcsh
    kernel 4005 pts/6 00:00:00 ps
    torus:~/selinux/kernel-tests> ls -Z
    Sorry, this option can only be used on a SELinux kernel.

dmesg does not have any further SELinux entries after these four:

    SELinux: Initializing.
    SELinux: Starting in permissive mode
    selinux_register_security: Registering secondary module capability
    SELinux: Registering netfilter hooks

nor are there any error messages in /var/log/messages.

Kernels built from the 2.6.13.4 & 2.6.12-1.1381_FC3 source trees both work normally with regard to SELinux.

After a comparison of the '.config' files from the related builds, I've noticed that the 2.6.14 and 2.6.14.2 kernels no longer support extended attributes for the pseudo filesystems, while the 2.6.13.4 and 2.6.12-1.1381_FC3 kernels do support the extended attributes; this is the only significant difference I could find between these kernels' '.config' files.

i.e. Referring to 'make xconfig': in linux-2.6.14/linux-2.6.14.2 these two filesystems no longer exist:

    'Pseudo Filesystems -> /dev/pts Extended Attributes -> /dev/pts Security Labels'
    'Pseudo Filesystems -> Virtual memory file system support -> tmpfs Extended Attributes -> tmpfs Security Labels'

Note these error messages were returned when using the '.config' from 2.6.13.4 as a starting point for the '.config' in the 2.6.14/2.6.14.2 trees:

    /boot/config-2.6.13.4:2649: trying to assign nonexistent symbol DEVPTS_FS_XATTR
    /boot/config-2.6.13.4:2650: trying to assign nonexistent symbol DEVPTS_FS_SECURITY

The Help sections for these options from the 2.6.13.4 kernel indicate these are used by SELinux:

Help for /dev/pts Security Labels (DEVPTS_FS_SECURITY)

    "Security labels support alternative access control models implemented by security modules like SELinux. This option enables an extended attribute handler for file security label in the /dev/pts filesystem. If you are not using a security module that requires using extended attributes for file security labels, say N."

Help for tmpfs Security Labels (TMPFS_SECURITY)

    "Security labels support alternative access control models implemented by security modules like SELinux. This option enables an extended attribute handler for file security labels in the tmpfs filesystem. If you are not using a security module that requires using extended attributes for file security labels, say N."

I would like to stress that _All_ previous 2.6 kernels that I have tried prior to 2.6.14 work as expected with regard to SELinux.

Has there been a change to SELinux in the FC4 tree but not in the FC3 tree which anticipated this disappearance of the extended attributes in the 2.6.14 kernel's pseudo filesystems - or am I on the wrong track?

Here is my current selinux configuration:

    selinux-doc-1.14.1-1
    selinux-policy-targeted-sources-1.17.30-3.16
    libselinux-1.23.10-2
    libselinux-devel-1.23.10-2
    selinux-policy-targeted-1.17.30-3.16
    setools-gui-2.1.1-2
    setools-2.1.1-2
    checkpolicy-1.23.1-1

I intend to upgrade to FC4/FC5 when I can get the disks, and wonder if the problem could be due to subtle conflicts in the above configuration rather than the disappearance of the extended attributes in the pseudo filesystem in the 2.6.14 kernel series.

Thank you,
Brgds
Bob

--
rhp.lpt@xxxxxxxxx

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
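
Added example, not part of the original message: one way to automate the '.config' comparison described above, listing security/xattr-related symbols that are set in the older config but absent from, or changed in, the newer one. The function names and the two sample fragments are constructed for illustration; they are not the poster's real config files.

```python
import re

# Matches "CONFIG_FOO=y" and "# CONFIG_FOO is not set" lines of a kernel .config.
_SET = re.compile(r"^CONFIG_(\w+)=(.*)$")
_UNSET = re.compile(r"^# CONFIG_(\w+) is not set$")

def parse_config(text):
    """Return {symbol: value}; symbols marked 'is not set' map to 'n'."""
    symbols = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            symbols[m.group(1)] = m.group(2)
            continue
        m = _UNSET.match(line)
        if m:
            symbols[m.group(1)] = "n"
    return symbols

def compare(old_text, new_text, pattern=r"SECURITY|XATTR|SELINUX"):
    """Split matching symbols into 'dropped' (absent from new) and 'changed'."""
    old, new = parse_config(old_text), parse_config(new_text)
    keep = re.compile(pattern)
    dropped = sorted(s for s in old if keep.search(s) and s not in new)
    changed = {s: (old[s], new[s]) for s in old
               if keep.search(s) and s in new and old[s] != new[s]}
    return dropped, changed

# Constructed sample fragments (hypothetical values, for demonstration only).
OLD_CONFIG = """\
CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
CONFIG_DEVPTS_FS_XATTR=y
CONFIG_DEVPTS_FS_SECURITY=y
CONFIG_TMPFS_XATTR=y
CONFIG_TMPFS_SECURITY=y
CONFIG_EXT3_FS_SECURITY=y
"""
NEW_CONFIG = """\
CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
# CONFIG_EXT3_FS_SECURITY is not set
"""

if __name__ == "__main__":
    dropped, changed = compare(OLD_CONFIG, NEW_CONFIG)
    print("dropped (symbol no longer present):", dropped)
    print("changed (old, new):", changed)
```

A symbol reported as dropped no longer appears in the newer config at all, which is a different case from one that is present but switched off; the latter shows up under changed.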