Re: dracut: ordering of modules


 



On 02/13/2012 10:59 AM, Harald Hoyer wrote:
On 10.02.2012 16:01, Mimi Zohar wrote:
Hi Harald,

Originally, 98integrity/ima-policy-load.sh didn't start executing before
98selinux/selinux-loadpolicy.sh finished, but unfortunately it now does.

inst_hook pre-pivot 50 "$moddir/selinux-loadpolicy.sh"
inst_hook pre-pivot 62 "$moddir/ima-policy-load.sh"

As the IMA policy could be dependent on LSM runtime info, this is a
problem.

[   10.040574] type=1805 audit(1328865524.387:2): action="dont_measure" fsmagic="0x9fa0" res=0
[   10.040663] type=1805 audit(1328865524.387:3): action="dont_appraise" fsmagic="0x9fa0" res=0
[   10.040729] type=1805 audit(1328865524.387:4): action="dont_measure" fsmagic="0x62656572" res=0
[   10.040792] type=1805 audit(1328865524.387:5): action="dont_appraise" fsmagic="0x62656572" res=0
[   10.040857] type=1805 audit(1328865524.387:6): action="dont_measure" fsmagic="0x64626720" res=0
[   10.040921] type=1805 audit(1328865524.387:7): action="dont_appraise" fsmagic="0x64626720" res=0
[   10.040985] type=1805 audit(1328865524.387:8): action="dont_measure" fsmagic="0x01021994" res=0
[   10.041047] type=1805 audit(1328865524.387:9): action="dont_appraise" fsmagic="0x01021994" res=0
[   10.041113] type=1805 audit(1328865524.387:10): action="dont_measure" fsmagic="0x73636673" res=0
[   10.041177] type=1805 audit(1328865524.387:11): action="dont_appraise" fsmagic="0x73636673" res=0
[   11.898956] SELinux:  Completing initialization.

I've tried adding a depend for selinux, but it doesn't seem to resolve
the problem, nor does delaying 98integrity to later.  Any suggestions
would be appreciated.

thanks,

Mimi


In Fedora the selinux dracut module is disabled by default. You have to enable
it manually.


Hi Harald

this functionality seems to be broken in dracut due to a change in the
SELinux load_policy tool.
After enabling the selinux module in dracut, I obtain:

[    3.369059] dracut: Loading SELinux policy
[    3.449850] dracut: /sbin/load_policy: Can't load policy: No such file or directory
[    3.659899] dracut: Switching root


echo 'add_dracutmodules+=" selinux "'>>  /etc/dracut.conf.d/99-my.conf

although, this also should do the thing:

$ git diff modules.d/98integrity/module-setup.sh
diff --git a/modules.d/98integrity/module-setup.sh
b/modules.d/98integrity/module-setup.sh
index 7d5771c..ff1b4aa 100755
--- a/modules.d/98integrity/module-setup.sh
+++ b/modules.d/98integrity/module-setup.sh
@@ -7,7 +7,7 @@ check() {
  }

  depends() {
-    echo masterkey securityfs
+    echo masterkey securityfs selinux
      return 0
  }
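
Review bot: the `selinux` entry added to depends() is unconditional, so every image that includes 98integrity will now also pull in the selinux module, which this thread says is disabled by default in Fedora; consider making the dependency conditional or documenting it in the module. The hunk also leaves the pre-pivot priorities quoted earlier (50 for selinux-loadpolicy.sh, 62 for ima-policy-load.sh) untouched, and the original report says adding a depend did not fix the ordering, so the change should state what it is expected to alter beyond module inclusion.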

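The ordering problem reported in this thread can be checked from a kernel log. The script below is an added example, not part of any message in the thread or of dracut: it counts the `type=1805` IMA policy rule audit records that appear before the `SELinux:  Completing initialization.` line. The function name `check_ima_order`, its exit codes and the sample logs are assumptions made for the example; the samples are constructed from the log lines quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): flag IMA policy rules that were
# loaded before SELinux finished initializing, using kernel log order.

# Constructed samples, modelled on the log lines quoted in the thread.
sample_bad() {
    cat <<'EOF'
[   10.040574] type=1805 audit(1328865524.387:2): action="dont_measure" fsmagic="0x9fa0" res=0
[   10.040663] type=1805 audit(1328865524.387:3): action="dont_appraise" fsmagic="0x9fa0" res=0
[   11.898956] SELinux:  Completing initialization.
EOF
}

sample_good() {
    cat <<'EOF'
[    3.369059] dracut: Loading SELinux policy
[    3.898956] SELinux:  Completing initialization.
[    4.040574] type=1805 audit(1328865524.387:2): action="dont_measure" fsmagic="0x9fa0" res=0
EOF
}

# check_ima_order (hypothetical helper): reads a kernel log on stdin.
# Exit status: 0 = all IMA rule records follow SELinux initialization,
#              1 = some precede it, 2 = SELinux initialization not seen,
#              3 = no IMA rule records in the log.
check_ima_order() {
    awk '
        /SELinux: +Completing initialization/ { if (!sel) sel = NR; next }
        /type=1805/ { rules++; if (!sel) early++ }
        END {
            if (!rules) { print "no IMA rule records found"; exit 3 }
            if (!sel) {
                print rules " IMA rule records, SELinux initialization not seen"
                exit 2
            }
            if (early) {
                print early " of " rules " IMA rule records precede SELinux initialization"
                exit 1
            }
            print rules " IMA rule records follow SELinux initialization"
        }'
}

sample_bad | check_ima_order || echo "exit status: $?"
```

On a live system the same function can be fed with `dmesg | check_ima_order` after boot.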




