RE: [refpolicy] Bootup problem with refpolicy-2.20091117 - 4:login successfully finally!

Hi Stephen,

With all the kind help from you and Justin, I finally made the latest refpolicy-2.20091117 boot up successfully! Hat off for you two :-)

Please see my embedded replies, thanks!

> Subject: RE: [refpolicy] Bootup problem with refpolicy-2.20091117 - 3: MAKEDEV ok but /var/lock/subsys/ broken
> From: sds@xxxxxxxxxxxxx
> To: harrytaurus2002@xxxxxxxxxxx
> CC: refpolicy@xxxxxxxxxxxxxxx; selinux@xxxxxxxxxxxxx
> Date: Mon, 25 Jan 2010 10:35:45 -0500
>
> On Mon, 2010-01-25 at 09:32 +0000, TaurusHarry wrote:
> > Hi Stephen and Justin,
> >
> > I have got some new findings after I sent out the previous email. The
> > weird error messages about /var/lock/subsys/ turns out to be hard disk
> > inconsistency problem and could be fixed by fsck.ext2, after that,
> > find and touch performed by rc.sysinit or /etc/rc3.d/* would have no
> > problem at all :-)
> >
> > However, my console still hangs at "INIT: Id "0" respawning too fast:
> > disabled for 5 minutes", although so far I think I have fixed all
> > those obvious problems with SELinux during boot up and I could no
> > longer find fishy AVC denied message except something like:
> >
> > type=1400 audit(1264435478.992:5): avc: denied { rawip_send } for
> > pid=5 comm="sirq-timer/0"
> > saddr=fe80:0000:0000:0000:0203:baff:fef1:73e3
> > daddr=ff02:0000:0000:0000:0000:0000:0000:0002 netif=eth5
> > scontext=system_u:system_r:kernel_t:s15:c0.c255
> > tcontext=system_u:object_r:netif_t:s0-s15:c0.c255 tclass=netif
> > type=1400 audit(1264435478.992:6): avc: denied { rawip_send } for
> > pid=5 comm="sirq-timer/0"
> > saddr=fe80:0000:0000:0000:0203:baff:fef1:73e3
> > daddr=ff02:0000:0000:0000:0000:0000:0000:0002 netif=eth5
> > scontext=system_u:system_r:kernel_t:s15:c0.c255
> > tcontext=system_u:object_r:node_t:s0-s15:c0.c255 tclass=node
>
> Hmm..so you don't have secmark enabled by default? Kernel config?

$ grep SECMARK linux-sun_cp3020-cgl-build/.config
CONFIG_NETWORK_SECMARK=y
# CONFIG_NETFILTER_XT_TARGET_SECMARK is not set
$

Should I enable more secmark options?

>
> > But I don't think they could be the reason /sbin/init would fail to
> > run /sbin/mingetty.
> >
> > Then I came up with the idea to toggle SELinux state into Permissive
> > mode in the rc.local and finally the console on longer hangs and I
> > could login normally:
> >
> >
> >
> > root@cp3020:/root> cat /proc/cmdline
> >
> > root=/dev/sda1 rw console=ttyS0,115200n8 ip=dhcp selinux=1
> > BOOT_IMAGE=/vlm-boards/12885/qcao/kernel
> >
> > root@cp3020:/root> getenforce
> >
> > Permissive
> >
> > root@cp3020:/root>
> >
> > root@cp3020:/root> cat /var/log/messages
> >
> > ...
> >
> > Jan 25 16:59:15 cp3020 /etc/rc3.d/S95atd: atd startup - OK
> >
> > Jan 25 16:59:15 cp3020 boot: Starting cracklibd
> >
> > Jan 25 16:59:16 cp3020 boot: Starting local
> >
> > Jan 25 16:59:16 cp3020 kernel: type=1404 audit(1264438756.016:4):
> > enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
> >
> > ...
> >
> > root@cp3020:/root>
> >
> >
> > We can see selinux does boot up WITH enforcing=1 but toggled into
> > enforcing=0 at rc.local, which proves that all my left problem focused
> > on /sbin/mingetty
> > 0:2345:respawn:/sbin/mingetty console (in my /etc/inittab)
> >
> > Maybe I need to identify the changes from refpolicy-2.20081210 to
> > refpolicy-2.20091117 related with getty_t.
>
> Rebuild policy with dontaudits removed (semodule -DB) and retry, then
> look for audit messages involving getty.

Yeah, I created a policy store, then did semodule -DB and rebooted. I found AVC denied messages about the domains sendmail_t, hostname_t, quota_t and dmesg_t lacking the read privilege against console_device_t, which is expected because we have called the term_dontaudit_use_console() interface for these domains.

Since so far we have identified that my problem is rooted in getty_t, I went on to take a quick glance at getty.te and very surprisingly found this dontaudit interface has been called for getty_t too! In my case I am trying to log in to my target through a serial console, rather than any tty device, so I assume getty_t should be granted all necessary privileges to operate the console. Once I removed the term_dontaudit_use_console(getty_t) I could find the following AVC denied message:

type=1400 audit(1264520547.936:68): avc: denied { noatsecure } for pid=2292 comm="login" scontext=system_u:system_r:getty_t:s0-s15:c0.c255 tcontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tclass=process


which I guess is right the root cause to my problem. Once I replaced it by term_use_console(getty_t), I finally could login successfully!

This problem made me sleepless for like 10 days and I would like to take this opportunity to summarize it here:
1. use the enforcing=0 bootparam if unable to log in to selinux, then dmesg all those AVC denied messages for potential extra TE rules;
2. the problem could be caused by files not being properly labeled, as well as by necessary TE rules missing. In my case many domains had no search right against tmpfs_t; however, tmpfs_t doesn't exist even in file_contexts, which indicates the tmpfs filesystem has not been properly labeled. It turns out start_udev should have labeled tmpfs once it mounts tmpfs on /dev;
3. if the problem persists but no relevant AVC denied message can be referenced, use semodule -DB to rebuild the policy and remove all those dontaudit rules, or remove the call to some dontaudit interface in the related .te, so that SELinux can throw out as many AVC denied messages as possible.

Next, I will go on play with the latest refpolicy package and bring up the extra necessary TE rules I find.

Thank you so very much, again!

Best regards,
Harry


>
> --
> Stephen Smalley
> National Security Agency
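As an added illustration of step 1 and step 3 of the summary above (this is example code, not anything from Harry, Stephen or the refpolicy project): a small parser that takes raw AVC denial records like the ones quoted in this thread and aggregates them into candidate allow rules, the same shape audit2allow would print. The AVC_RE/KV_RE names and the sample text are constructed for the example; a candidate rule is only a hint, since some denials are meant to stay dontaudited (or, as with the kernel_t rawip_send ones, point at a kernel config question rather than a missing TE rule).

```python
import re

# Constructed sample input: the two kinds of AVC records quoted in this thread,
# re-typed onto single lines as they appear in dmesg / audit.log.
SAMPLE_AVCS = """\
type=1400 audit(1264520547.936:68): avc: denied { noatsecure } for pid=2292 comm="login" scontext=system_u:system_r:getty_t:s0-s15:c0.c255 tcontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tclass=process
type=1400 audit(1264435478.992:5): avc: denied { rawip_send } for pid=5 comm="sirq-timer/0" saddr=fe80:0000:0000:0000:0203:baff:fef1:73e3 daddr=ff02:0000:0000:0000:0000:0000:0000:0002 netif=eth5 scontext=system_u:system_r:kernel_t:s15:c0.c255 tcontext=system_u:object_r:netif_t:s0-s15:c0.c255 tclass=netif
"""

# "avc: denied { perm1 perm2 } for key=value ..." (names are ours, not audit's)
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """user:role:type[:range] -> type, e.g. system_u:system_r:getty_t:s0 -> getty_t."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Return the interesting fields of one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'stype': context_type(fields['scontext']),
        'ttype': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def to_allow_rules(text):
    """Aggregate denials by (source type, target type, class) into candidate TE rules.
    Permissions for the same triple are merged, the way audit2allow merges them."""
    merged = {}
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        merged.setdefault((rec['stype'], rec['ttype'], rec['tclass']), set()).update(rec['perms'])
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        perm_str = next(iter(perms)) if len(perms) == 1 else '{ %s }' % ' '.join(sorted(perms))
        rules.append('allow %s %s:%s %s;' % (stype, ttype, tclass, perm_str))
    return rules


if __name__ == '__main__':
    print('\n'.join(to_allow_rules(SAMPLE_AVCS)))
```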

