* A question about installing refpolicy-2.10081210
@ 2009-08-04 3:00 TaurusHarry
From: TaurusHarry @ 2009-08-04 3:00 UTC (permalink / raw)
To: selinux
Hi all,
I have a question about the error messages when installing refpolicy-2.20081210 from the Tresys website on a Dell 610 (x86_32) laptop. I have installed and compiled refpolicy-2.20081210 with the following SELinux user-space tools:
libsepol-2.0.36
libselinux-2.0.79
libsemanage-2.0.27
policycoreutils-2.0.55
checkpolicy-2.0.19
sepolgen-1.0.16
Then I use a kernel cmdline of "root=/dev/sda1 rw init=/bin/bash selinux=1" to boot into a shell with SELinux enabled so that I can set up proper security contexts for the whole file system in the shell before the next time I let the kernel boot into the normal /sbin/init program and start everything with the correct security context. Then I do the following commands:
mount -t proc none /proc
mount -t sysfs none /sys
mount -t selinuxfs none /selinux
SELINUXTYPE=refpolicy-20081210
/usr/sbin/load_policy -q /etc/selinux/$SELINUXTYPE/policy/policy.24
sed -i "s/^SELINUXTYPE=.*/SELINUXTYPE=$SELINUXTYPE/" /etc/selinux/config
/usr/sbin/restorecon -v -R /
The "load_policy -q" would pop up a message of:
type=1403 audit(1255195933.120:2): policy loaded auid=4294967295 ses=4294967295
so I guess the policy.24 has been loaded successfully, and the "restorecon" ran successfully. However, when I change the kernel cmdline to "init=/sbin/init" I see hundreds of error messages about udev and mingetty such as:
udevd-event[1252]: selinux_setfscreatecon: matchpathcon(/dev/.tmp-8-0) failed
udevd-event[1215]: selinux_setfilecon: matchpathcon(/dev/ram12) failed
and
type=1400 audit(1248303983.579:5559): avc: denied { open } for pid=3283 comm="mingetty" name="var" dev=sda1 ino=103169 scontext=system_u:system_r:getty_t:s0-s15:c0.c255 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=1400 audit(1248303983.598:5560): avc: denied { open } for pid=3282 comm="mingetty" name="var" dev=sda1 ino=103169 scontext=system_u:system_r:getty_t:s0-s15:c0.c255 tcontext=system_u:object_r:var_t:s0 tclass=dir
with "INIT: no more processes left in this runlevel" at the end when I try to log in through the serial console.
I guess the above error messages may have resulted in the file system not having been labeled correctly. Does anyone know what I may have missed when trying to relabel the file system when first booting into the shell?
Thanks a lot!!
Harry
* Re: A question about installing refpolicy-2.10081210
From: Stephen Smalley @ 2009-08-04 12:00 UTC (permalink / raw)
To: TaurusHarry; +Cc: selinux, refpolicy, Eric Paris
On Tue, 2009-08-04 at 03:00 +0000, TaurusHarry wrote:
> Hi all,
>
> I have a question about the error messages when installing
> refpolicy-2.20081210 from the tresys website on dell 610(x86_32)
> laptop. I have installed and compiled refpolicy-2.20081210 by the
> following selinux user space tools:
>
> libsepol-2.0.36
> libselinux-2.0.79
> libsemanage-2.0.27
> policycoreutils-2.0.55
> checkpolicy-2.0.19
> sepolgen-1.0.16
>
> Then I use kernel cmdline of "root=/dev/sda1 rw init=/bin/bash
> selinux=1" to boot into a shell with selinux enabled so that I could
> setup proper security contexts for the whole file system in the shell
> before the next time I would let kernel boot into normal /sbin/init
> program and start everything with correct security context. Then I do
> the following commands:
>
> mount -t proc none /proc
> mount -t sysfs none /sys
> mount -t selinuxfs none /selinux
> SELINUXTYPE=refpolicy-20081210
> /usr/sbin/load_policy -q /etc/selinux/$SELINUXTYPE/policy/policy.24
> sed -i "s/^SELINUXTYPE=.*/SELINUXTYPE=$SELINUXTYPE/" /etc/selinux/config
> /usr/sbin/restorecon -v -R /
>
> The "load_policy -q" would pop up a message of:
> type=1403 audit(1255195933.120:2): policy loaded auid=4294967295
> ses=4294967295
>
> so I guess the policy.24 has been loaded successfully, and the
> "restorecon" could run successfully. However, when I change the kernel
> cmdline with "init=/sbin/init" I could see hundreds of error messages
> about udev and mingetty such as:
>
> udevd-event[1252]: selinux_setfscreatecon: matchpathcon(/dev/.tmp-8-0)
> failed
> udevd-event[1215]: selinux_setfilecon: matchpathcon(/dev/ram12) failed
What did you end up with as
your /etc/selinux/$SELINUXTYPE/contexts/files/file_contexts file?
> and
>
> type=1400 audit(1248303983.579:5559): avc: denied { open } for
> pid=3283 comm="mingetty" name="var" dev=sda1 ino=103169
> scontext=system_u:system_r:getty_t:s0-s15:c0.c255
> tcontext=system_u:object_r:var_t:s0 tclass=dir
> type=1400 audit(1248303983.598:5560): avc: denied { open } for
> pid=3282 comm="mingetty" name="var" dev=sda1 ino=103169
> scontext=system_u:system_r:getty_t:s0-s15:c0.c255 tcontext=
> system_u:object_r:var_t:s0 tclass=dir
That's a kernel bug. Kernel version? Fixed by:
http://marc.info/?l=git-commits-head&m=123049921710331&w=2
http://marc.info/?l=git-commits-head&m=123809417718576&w=2
If you can't fix your kernel, then disable open permission in your
policy (remove policycap open_perms; from policy/policy_capabilities).
> with "INIT: no more processes left in this runlevel" in the end when I
> try to login through serial console.
>
> I guess above error messages may have resulted in the file system
> having not been labeled correctly, does anyone know what I may have
> missed out when trying to relabeling the file system when first time
> booting into the shell?
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
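Added example, not code from the thread or from refpolicy: a small Python triage helper that sorts the boot-log lines quoted in the original post into the two causes Stephen's reply separates (udev matchpathcon failures, which point at the file_contexts file, versus AVC "open" denials on directories, which point at the kernel bug and the open_perms policy capability), and checks whether a policy/policy_capabilities file still enables open_perms. Function names and the SAMPLE_LOG list are mine; the sample lines are the ones quoted above.

```python
import re
from collections import Counter

# udevd line: matchpathcon() could not map the path to a context.
MATCHPATHCON_RE = re.compile(r"selinux_set\w+: matchpathcon\(([^)]*)\) failed")
# audit AVC record: "avc: denied { perm ... } for key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")

def parse_avc(line):
    """Return the permissions and key=value fields of an AVC denial, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    for token in m.group("rest").split():
        if "=" in token:
            key, val = token.split("=", 1)
            rec[key] = val.strip('"')
    return rec

def classify(line):
    """Map one boot-log line onto the cause discussed in the thread."""
    if MATCHPATHCON_RE.search(line):
        # matchpathcon() reads contexts/files/file_contexts of the policy type in
        # /etc/selinux/config; failure means it is missing or has no entry for the path.
        return "file_contexts"
    rec = parse_avc(line)
    if rec and "open" in rec["perms"] and rec.get("tclass") == "dir":
        # open denied on a directory: the kernel open-permission bug from the
        # reply, reachable only while the policy has 'policycap open_perms;'.
        return "dir_open_denial"
    return "other_avc" if rec else "unclassified"

def triage(lines):
    """Count lines per cause so the dominant problem is visible at a glance."""
    return Counter(classify(line) for line in lines)

def open_perms_enabled(policy_capabilities_text):
    """True if policy/policy_capabilities still enables the open_perms capability."""
    for raw in policy_capabilities_text.splitlines():
        if raw.split("#", 1)[0].strip() == "policycap open_perms;":
            return True
    return False

# Constructed sample input: the error lines quoted in the original post.
SAMPLE_LOG = [
    "udevd-event[1252]: selinux_setfscreatecon: matchpathcon(/dev/.tmp-8-0) failed",
    "udevd-event[1215]: selinux_setfilecon: matchpathcon(/dev/ram12) failed",
    'type=1400 audit(1248303983.579:5559): avc: denied { open } for pid=3283 '
    'comm="mingetty" name="var" dev=sda1 ino=103169 scontext=system_u:system_r:getty_t:s0-s15:c0.c255 '
    "tcontext=system_u:object_r:var_t:s0 tclass=dir",
]
```

Running triage() over a whole boot log shows which of the two problems dominates before touching either the kernel or the policy.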
* RE: A question about installing refpolicy-2.10081210
From: TaurusHarry @ 2009-08-05 6:21 UTC (permalink / raw)
To: Stephen Smalley; +Cc: selinux-mailing-list, refpolicy, eparis
Hi Smalley,
After I tried out the kernel patch you pointed out I finally could successfully boot up refpolicy-20081210! There are no udev and mingetty error messages any more! Big thanks!
I also tried out the latest refpolicy-20090730 with the updated kernel; however, although there are no mingetty error messages, I did see many udev error messages still there, so I think for the time being I will just stick to the refpolicy-20081210 version.
Thank you very much!
Best regards,
Harry
> Subject: Re: A question about installing refpolicy-2.10081210
> From: sds@tycho.nsa.gov
> To: harrytaurus2002@hotmail.com
> CC: selinux@tycho.nsa.gov; refpolicy@oss1.tresys.com; eparis@parisplace.org
> Date: Tue, 4 Aug 2009 08:00:20 -0400
>
> On Tue, 2009-08-04 at 03:00 +0000, TaurusHarry wrote:
> > Hi all,
> >
> > I have a question about the error messages when installing
> > refpolicy-2.20081210 from the tresys website on dell 610(x86_32)
> > laptop. I have installed and compiled refpolicy-2.20081210 by the
> > following selinux user space tools:
> >
> > libsepol-2.0.36
> > libselinux-2.0.79
> > libsemanage-2.0.27
> > policycoreutils-2.0.55
> > checkpolicy-2.0.19
> > sepolgen-1.0.16
> >
> > Then I use kernel cmdline of "root=/dev/sda1 rw init=/bin/bash
> > selinux=1" to boot into a shell with selinux enabled so that I could
> > setup proper security contexts for the whole file system in the shell
> > before the next time I would let kernel boot into normal /sbin/init
> > program and start everything with correct security context. Then I do
> > the following commands:
> >
> > mount -t proc none /proc
> > mount -t sysfs none /sys
> > mount -t selinuxfs none /selinux
> > SELINUXTYPE=refpolicy-20081210
> > /usr/sbin/load_policy -q /etc/selinux/$SELINUXTYPE/policy/policy.24
> > sed -i "s/^SELINUXTYPE=.*/SELINUXTYPE=$SELINUXTYPE/" /etc/selinux/config
> > /usr/sbin/restorecon -v -R /
> >
> > The "load_policy -q" would pop up a message of:
> > type=1403 audit(1255195933.120:2): policy loaded auid=4294967295
> > ses=4294967295
> >
> > so I guess the policy.24 has been loaded successfully, and the
> > "restorecon" could run successfully. However, when I change the kernel
> > cmdline with "init=/sbin/init" I could see hundreds of error messages
> > about udev and mingetty such as:
> >
> > udevd-event[1252]: selinux_setfscreatecon: matchpathcon(/dev/.tmp-8-0)
> > failed
> > udevd-event[1215]: selinux_setfilecon: matchpathcon(/dev/ram12) failed
>
> What did you end up with as
> your /etc/selinux/$SELINUXTYPE/contexts/files/file_contexts file?
>
> > and
> >
> > type=1400 audit(1248303983.579:5559): avc: denied { open } for
> > pid=3283 comm="mingetty" name="var" dev=sda1 ino=103169
> > scontext=system_u:system_r:getty_t:s0-s15:c0.c255
> > tcontext=system_u:object_r:var_t:s0 tclass=dir
> > type=1400 audit(1248303983.598:5560): avc: denied { open } for
> > pid=3282 comm="mingetty" name="var" dev=sda1 ino=103169
> > scontext=system_u:system_r:getty_t:s0-s15:c0.c255 tcontext=
> > system_u:object_r:var_t:s0 tclass=dir
>
> That's a kernel bug. Kernel version? Fixed by:
> http://marc.info/?l=git-commits-head&m=123049921710331&w=2
> http://marc.info/?l=git-commits-head&m=123809417718576&w=2
>
> If you can't fix your kernel, then disable open permission in your
> policy (remove policycap open_perms; from policy/policy_capabilities).
>
> > with "INIT: no more processes left in this runlevel" in the end when I
> > try to login through serial console.
> >
> > I guess above error messages may have resulted in the file system
> > having not been labeled correctly, does anyone know what I may have
> > missed out when trying to relabeling the file system when first time
> > booting into the shell?
>
> --
> Stephen Smalley
> National Security Agency
>