From: Stephen Smalley <sds@tycho.nsa.gov>
To: TaurusHarry <harrytaurus2002@hotmail.com>
Cc: refpolicy@oss1.tresys.com, selinux-mailing-list <selinux@tycho.nsa.gov>
Subject: RE: [refpolicy] Bootup problem with refpolicy-2.20091117 - 3: MAKEDEV ok but /var/lock/subsys/ broken
Date: Mon, 25 Jan 2010 10:35:45 -0500
Message-ID: <1264433745.4297.159.camel@moss-pluto.epoch.ncsc.mil>
In-Reply-To: <BAY111-W22EC1CF480A00C18111145AB5F0@phx.gbl>

On Mon, 2010-01-25 at 09:32 +0000, TaurusHarry wrote:
> Hi Stephen and Justin,
> 
> I have got some new findings after I sent out the previous email. The
> weird error messages about /var/lock/subsys/ turn out to be a hard disk
> inconsistency problem and could be fixed by fsck.ext2; after that,
> find and touch performed by rc.sysinit or /etc/rc3.d/* would have no
> problem at all :-)
> 
> However, my console still hangs at "INIT: Id "0" respawning too fast:
> disabled for 5 minutes", although so far I think I have fixed all
> those obvious problems with SELinux during boot up and I could no
> longer find fishy AVC denied messages except something like:
> 
> type=1400 audit(1264435478.992:5): avc:  denied  { rawip_send } for
> pid=5 comm="sirq-timer/0"
> saddr=fe80:0000:0000:0000:0203:baff:fef1:73e3
> daddr=ff02:0000:0000:0000:0000:0000:0000:0002 netif=eth5
> scontext=system_u:system_r:kernel_t:s15:c0.c255
> tcontext=system_u:object_r:netif_t:s0-s15:c0.c255 tclass=netif
> type=1400 audit(1264435478.992:6): avc:  denied  {! rawip_send } for
> pid=5 comm="sirq-timer/0"
> saddr=fe80:0000:0000:0000:0203:baff:fef1:73e3
> daddr=ff02:0000:0000:0000:0000:0000:0000:0002 netif=eth5
> scontext=system_u:system_r:kernel_t:s15:c0.c255
> tcontext=system_u:object_r:node_t:s0-s15:c0.c255 tclass=node

Hmm..so you don't have secmark enabled by default?  Kernel config?

> But I don't think they could be the reason /sbin/init would fail to
> run /sbin/mingetty.
> 
> Then I came up with the idea to toggle SELinux state into Permissive
> mode in the rc.local and finally the console no longer hangs and I
> could login normally:
> 
> root@cp3020:/root> cat /proc/cmdline
> root=/dev/sda1 rw console=ttyS0,115200n8 ip=dhcp selinux=1
> BOOT_IMAGE=/vlm-boards/12885/qcao/kernel
> root@cp3020:/root> getenforce
> Permissive
> root@cp3020:/root>
> root@cp3020:/root> cat /var/log/messages
> ...
> Jan 25 16:59:15 cp3020 /etc/rc3.d/S95atd: atd startup - OK
> Jan 25 16:59:15 cp3020 boot: Starting cracklibd
> Jan 25 16:59:16 cp3020 boot: Starting local
> Jan 25 16:59:16 cp3020 kernel: type=1404 audit(1264438756.016:4):
> enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
> ...
> root@cp3020:/root>
> 
> We can see selinux does boot up WITH enforcing=1 but is toggled into
> enforcing=0 at rc.local, which proves that all my remaining problems
> are focused on /sbin/mingetty
> 0:2345:respawn:/sbin/mingetty console  (in my /etc/inittab)
> 
> Maybe I need to identify the changes from refpolicy-2.20081210 to
> refpolicy-2.20091117 related to getty_t.

Rebuild policy with dontaudits removed (semodule -DB) and retry, then
look for audit messages involving getty.

-- 
Stephen Smalley
National Security Agency
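
The check suggested above (rebuild with `semodule -DB`, retry, then look for audit messages involving getty), as an added example that is not part of the original message. The function names `sample_log` and `getty_denials` are hypothetical, the log records are constructed, and the filter assumes one audit record per line.

```shell
#!/bin/sh
# Added example: list SELinux AVC denials that involve getty.
# On the affected system (after `semodule -DB` and a retry) pipe in the real
# log, e.g.  getty_denials < /var/log/messages ; `semodule -B` afterwards
# rebuilds the policy with the dontaudit rules restored.

# Constructed sample records, one per line (not taken from the thread).
sample_log() {
cat <<'EOF'
Jan 25 17:10:00 host boot: Starting local
Jan 25 17:10:01 host kernel: type=1400 audit(1264439401.100:7): avc:  denied  { rawip_send } for pid=5 comm="sirq-timer/0" netif=eth5 scontext=system_u:system_r:kernel_t:s15:c0.c255 tcontext=system_u:object_r:netif_t:s0-s15:c0.c255 tclass=netif
Jan 25 17:10:02 host kernel: type=1400 audit(1264439402.200:8): avc:  denied  { read write } for pid=812 comm="mingetty" name="console" dev=tmpfs ino=412 scontext=system_u:system_r:getty_t:s0-s15:c0.c255 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Jan 25 17:10:07 host kernel: type=1400 audit(1264439407.300:9): avc:  denied  { read write } for pid=830 comm="mingetty" name="console" dev=tmpfs ino=412 scontext=system_u:system_r:getty_t:s0-s15:c0.c255 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
Jan 25 17:10:07 host kernel: type=1400 audit(1264439407.400:10): avc:  denied  { execute } for pid=831 comm="init" name="mingetty" dev=sda1 ino=9001 scontext=system_u:system_r:init_t:s0-s15:c0.c255 tcontext=system_u:object_r:getty_exec_t:s0 tclass=file
EOF
}

# Read log lines on stdin; print one deduplicated summary line per distinct
# denial whose comm, source type or target type mentions getty.
getty_denials() {
    awk '
    /avc:/ && /denied/ {
        comm = stype = ttype = tclass = perms = ""
        # Permissions are the words between the first pair of braces.
        if (match($0, /[{][^}]*[}]/))
            perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
            # The type is the third colon-separated field of a context.
            if ($i ~ /^scontext=/) { split($i, s, ":"); stype = s[3] }
            if ($i ~ /^tcontext=/) { split($i, t, ":"); ttype = t[3] }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        }
        if (comm ~ /getty/ || stype ~ /getty/ || ttype ~ /getty/)
            print stype " " ttype ":" tclass " { " perms " } comm=" comm
    }' | sort -u
}

sample_log | getty_denials
```

Each output line reads as source type, target type and class, denied permissions, and the command name, which is the shape needed when comparing getty_t rules between two policy versions.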

