From: Stephen Smalley <sds@tycho.nsa.gov>
To: TaurusHarry <harrytaurus2002@hotmail.com>
Cc: refpolicy@oss1.tresys.com, selinux-mailing-list <selinux@tycho.nsa.gov>
Subject: RE: [refpolicy] Bootup problem with refpolicy-2.20091117 - 3: MAKEDEV ok but /var/lock/subsys/ broken
Date: Mon, 25 Jan 2010 10:35:45 -0500
Message-ID: <1264433745.4297.159.camel@moss-pluto.epoch.ncsc.mil>
In-Reply-To: <BAY111-W22EC1CF480A00C18111145AB5F0@phx.gbl>

On Mon, 2010-01-25 at 09:32 +0000, TaurusHarry wrote:
> Hi Stephen and Justin,
>
> I have got some new findings after I sent out the previous email. The
> weird error messages about /var/lock/subsys/ turns out to be hard disk
> inconsistency problem and could be fixed by fsck.ext2, after that,
> find and touch performed by rc.sysinit or /etc/rc3.d/* would have no
> problem at all :-)
>
> However, my console still hangs at "INIT: Id "0" respawning too fast:
> disabled for 5 minutes", although so far I think I have fixed all
> those obvious problems with SELinux during boot up and I could no
> longer find fishy AVC denied message except something like:
>
> type=1400 audit(1264435478.992:5): avc: denied { rawip_send } for
> pid=5 comm="sirq-timer/0"
> saddr=fe80:0000:0000:0000:0203:baff:fef1:73e3
> daddr=ff02:0000:0000:0000:0000:0000:0000:0002 netif=eth5
> scontext=system_u:system_r:kernel_t:s15:c0.c255
> tcontext=system_u:object_r:netif_t:s0-s15:c0.c255 tclass=netif
> type=1400 audit(1264435478.992:6): avc: denied {! rawip_send } for
> pid=5 comm="sirq-timer/0"
> saddr=fe80:0000:0000:0000:0203:baff:fef1:73e3
> daddr=ff02:0000:0000:0000:0000:0000:0000:0002 netif=eth5
> scontext=system_u:system_r:kernel_t:s15:c0.c255
> tcontext=system_u:object_r:node_t:s0-s15:c0.c255 tclass=node

Hmm..so you don't have secmark enabled by default? Kernel config?

> But I don't think they could be the reason /sbin/init would fail to
> run /sbin/mingetty.
>
> Then I came up with the idea to toggle SELinux state into Permissive
> mode in the rc.local and finally the console no longer hangs and I
> could login normally:
>
> >
> > root@cp3020:/root> cat /proc/cmdline
> > root=/dev/sda1 rw console=ttyS0,115200n8 ip=dhcp selinux=1
> BOOT_IMAGE=/vlm-boards/12885/qcao/kernel
> > root@cp3020:/root> getenforce
> > Permissive
> > root@cp3020:/root>
> > root@cp3020:/root> cat /var/log/messages
> > ...
> > Jan 25 16:59:15 cp3020 /etc/rc3.d/S95atd: atd startup - OK
> > Jan 25 16:59:15 cp3020 boot: Starting cracklibd
> > Jan 25 16:59:16 cp3020 boot: Starting local
> > Jan 25 16:59:16 cp3020 kernel: type=1404 audit(1264438756.016:4):
> enforcing=0 ol
> > d_enforcing=1 auid=4294967295 ses=4294967295
> > ...
> > root@cp3020:/root>
> >
> We can see selinux does boot up WITH enforcing=1 but toggled into
> enforcing=0 at rc.local, which proves that all my left problem focused
> on /sbin/mingetty
> 0:2345:respawn:/sbin/mingetty console (in my /etc/inittab)
>
> Maybe I need to identify the changes from refpolicy-2.20081210 to
> refpolicy-2.20091117 related with getty_t.

Rebuild policy with dontaudits removed (semodule -DB) and retry, then
look for audit messages involving getty.

--
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
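
One way to carry out the "look for audit messages involving getty" step once the boot has been retried with `semodule -DB`, as an added example that is not part of the original thread. The log lines are constructed (the getty_t denials are invented for illustration), and the function names `parse_avc` and `summarize` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records in kernel AVC format; the getty_t denials are
# invented for illustration and are not taken from the thread.
SAMPLE_LOG = '''\
type=1400 audit(1264435478.992:5): avc:  denied  { rawip_send } for  pid=5 comm="sirq-timer/0" netif=eth5 scontext=system_u:system_r:kernel_t:s15:c0.c255 tcontext=system_u:object_r:netif_t:s0-s15:c0.c255 tclass=netif
type=1400 audit(1264435480.100:9): avc:  denied  { read write } for  pid=812 comm="mingetty" name="console" dev=tmpfs ino=1234 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1264435480.104:10): avc:  denied  { ioctl } for  pid=812 comm="mingetty" path="/dev/console" dev=tmpfs ino=1234 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=1400 audit(1264435481.300:11): avc:  denied  { transition } for  pid=813 comm="init" path="/sbin/mingetty" dev=sda1 ino=5678 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:getty_t:s0 tclass=process
type=1404 audit(1264438756.016:4): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
'''

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    # user:role:type[:mls-range]; the type is always the third field.
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context

def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {"perms": m.group(1).split(), "comm": fields.get("comm", ""),
            "source": selinux_type(fields["scontext"]),
            "target": selinux_type(fields["tcontext"]), "tclass": fields["tclass"]}

def summarize(log_text, needle="getty"):
    """Group denied permissions by (source, target, class) for records whose
    command name or either type mentions `needle`."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and any(needle in rec[k] for k in ("comm", "source", "target")):
            grouped[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in grouped.items()}

if __name__ == "__main__":
    for (src, tgt, cls), perms in summarize(SAMPLE_LOG).items():
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```

Feed it the kernel log or /var/log/messages captured after the retry; running `semodule -B` afterwards rebuilds the policy with the dontaudit rules back in place.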