A question about installing refpolicy-2.10081210

A question about installing refpolicy-2.10081210

[TaurusHarry]

[-- Attachment #1: Type: text/plain, Size: 2480 bytes --]


Hi all,

I have a question about the error messages when installing refpolicy-2.20081210 from the tresys website on dell 610(x86_32) laptop. I have installed and compiled refpolicy-2.20081210 by the following selinux user space tools:

libsepol-2.0.36
libselinux-2.0.79
libsemanage-2.0.27
policycoreutils-2.0.55
checkpolicy-2.0.19
sepolgen-1.0.16

Then I use kernel cmdline of "root=/dev/sda1 rw init=/bin/bash selinux=1" to boot into a shell with selinux enabled so that I could setup proper security contexts for the whole file system in the shell before the next time I would let kernel boot into normal /sbin/init program and start everything with correct security context. Then I do the following commands:

mount -t proc none /proc
mount -t sysfs none /sys
mount -t selinuxfs none /selinux
SELINUXTYPE=refpolicy-20081210
/usr/sbin/load_policy -q /etc/selinux/$SELINUXTYPE/policy/policy.24
sed -i "s/^SELINUXTYPE=.*/SELINUXTYPE=$SELINUXTYPE/" /etc/selinux/config
/usr/sbin/restorecon -v -R /

The "load_policy -q" would pop up a message of:
type=1403 audit(1255195933.120:2): policy loaded auid=4294967295 ses=4294967295

so I guess the policy.24 has been loaded successfully, and the "restorecon" could run successfully. However, when I change the kernel cmdline with "init=/sbin/init" I could see hundreds of error messages about udev and mingetty such as:

udevd-event[1252]: selinux_setfscreatecon: matchpathcon(/dev/.tmp-8-0) failed
udevd-event[1215]: selinux_setfilecon: matchpathcon(/dev/ram12) failed

and 

type=1400 audit(1248303983.579:5559): avc:  denied  { open } for  pid=3283 comm="mingetty" name="var" dev=sda1 ino=103169 scontext=system_u:system_r:getty_t:s0-s15:c0.c255 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=1400 audit(1248303983.598:5560): avc:  denied  { open } for  pid=3282 comm="mingetty" name="var" dev=sda1 ino=103169 scontext=system_u:system_r:getty_t:s0-s15:c0.c255 tcontext=system_u:object_r:var_t:s0 tclass=dir

with "INIT: no more processes left in this runlevel" in the end when I try to login through serial console.

I guess above error messages may have resulted in the file system having not been labeled correctly, does anyone know what I may have missed out when trying to relabeling the file system when first time booting into the shell?

Thanks a lot!!

Harry


_________________________________________________________________
张三挖到了元宝,小美又掉进陷阱了,快来MClub与好友齐乐乐！立刻访问！
http://club.msn.cn/?from=3

[-- Attachment #2: Type: text/html, Size: 2780 bytes --]

Re: A question about installing refpolicy-2.10081210

[Stephen Smalley]

On Tue, 2009-08-04 at 03:00 +0000, TaurusHarry wrote:
> Hi all,
> 
> I have a question about the error messages when installing
> refpolicy-2.20081210 from the tresys website on dell 610(x86_32)
> laptop. I have installed and compiled refpolicy-2.20081210 by the
> following selinux user space tools:
> 
> libsepol-2.0.36
> libselinux-2.0.79
> libsemanage-2.0.27
> policycoreutils-2.0.55
> checkpolicy-2.0.19
> sepolgen-1.0.16
> 
> Then I use kernel cmdline of "root=/dev/sda1 rw init=/bin/bash
> selinux=1" to boot into a shell with selinux enabled so that I could
> setup proper security contexts for the whole file system in the shell
> before the next time I would let kernel boot into normal /sbin/init
> program and start everything with correct security context. Then I do
> the following commands:
> 
> mount -t proc none /proc
> mount -t sysfs none /sys
> mount -t selinuxfs none /selinux
> SELINUXTYPE=refpolicy-20081210
> /usr/sbin/load_policy -q /etc/selinux/$SELINUXTYPE/policy/policy.24
> sed -i "s/^SELINUXTYPE=.*/SELINUXTYPE=$S!
> ELINUXTYPE/" /etc/selinux/config
> /usr/sbin/restorecon -v -R /
> 
> The "load_policy -q" would pop up a message of:
> type=1403 audit(1255195933.120:2): policy loaded auid=4294967295
> ses=4294967295
> 
> so I guess the policy.24 has been loaded successfully, and the
> "restorecon" could run successfully. However, when I change the kernel
> cmdline with "init=/sbin/init" I could see hundreds of error messages
> about udev and mingetty such as:
> 
> udevd-event[1252]: selinux_setfscreatecon: matchpathcon(/dev/.tmp-8-0)
> failed
> udevd-event[1215]: selinux_setfilecon: matchpathcon(/dev/ram12) failed

What did you end up with as
your /etc/selinux/$SELINUXTYPE/contexts/files/file_contexts file?

> and 
> 
> type=1400 audit(1248303983.579:5559): avc:  denied  { open } for
> pid=3283 comm="mingetty" name="var" dev=sda1 ino=103169
> scontext=system_u:system_r:getty_t:s0-s15:c0.c255
> tcontext=system_u:object_r:var_t:s0 tclass=dir
> type=1400 audit(1248303983.598:5560): avc:  denied  { open } for
> pid=3282 comm="mingetty" name="var" dev=sda1 ! ino=103169
> scontext=system_u:system_r:getty_t:s0-s15:c0.c255 tcontext=
> system_u:object_r:var_t:s0 tclass=dir

That's a kernel bug.  Kernel version?  Fixed by:
http://marc.info/?l=git-commits-head&m=123049921710331&w=2
http://marc.info/?l=git-commits-head&m=123809417718576&w=2

If you can't fix your kernel, then disable open permission in your
policy (remove policycap open_perms; from policy/policy_capabilities).

> with "INIT: no more processes left in this runlevel" in the end when I
> try to login through serial console.
> 
> I guess above error messages may have resulted in the file system
> having not been labeled correctly, does anyone know what I may have
> missed out when trying to relabeling the file system when first time
> booting into the shell?

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

[refpolicy] A question about installing refpolicy-2.10081210

[Stephen Smalley]

On Tue, 2009-08-04 at 03:00 +0000, TaurusHarry wrote:
> Hi all,
> 
> I have a question about the error messages when installing
> refpolicy-2.20081210 from the tresys website on dell 610(x86_32)
> laptop. I have installed and compiled refpolicy-2.20081210 by the
> following selinux user space tools:
> 
> libsepol-2.0.36
> libselinux-2.0.79
> libsemanage-2.0.27
> policycoreutils-2.0.55
> checkpolicy-2.0.19
> sepolgen-1.0.16
> 
> Then I use kernel cmdline of "root=/dev/sda1 rw init=/bin/bash
> selinux=1" to boot into a shell with selinux enabled so that I could
> setup proper security contexts for the whole file system in the shell
> before the next time I would let kernel boot into normal /sbin/init
> program and start everything with correct security context. Then I do
> the following commands:
> 
> mount -t proc none /proc
> mount -t sysfs none /sys
> mount -t selinuxfs none /selinux
> SELINUXTYPE=refpolicy-20081210
> /usr/sbin/load_policy -q /etc/selinux/$SELINUXTYPE/policy/policy.24
> sed -i "s/^SELINUXTYPE=.*/SELINUXTYPE=$S!
> ELINUXTYPE/" /etc/selinux/config
> /usr/sbin/restorecon -v -R /
> 
> The "load_policy -q" would pop up a message of:
> type=1403 audit(1255195933.120:2): policy loaded auid=4294967295
> ses=4294967295
> 
> so I guess the policy.24 has been loaded successfully, and the
> "restorecon" could run successfully. However, when I change the kernel
> cmdline with "init=/sbin/init" I could see hundreds of error messages
> about udev and mingetty such as:
> 
> udevd-event[1252]: selinux_setfscreatecon: matchpathcon(/dev/.tmp-8-0)
> failed
> udevd-event[1215]: selinux_setfilecon: matchpathcon(/dev/ram12) failed

What did you end up with as
your /etc/selinux/$SELINUXTYPE/contexts/files/file_contexts file?

> and 
> 
> type=1400 audit(1248303983.579:5559): avc:  denied  { open } for
> pid=3283 comm="mingetty" name="var" dev=sda1 ino=103169
> scontext=system_u:system_r:getty_t:s0-s15:c0.c255
> tcontext=system_u:object_r:var_t:s0 tclass=dir
> type=1400 audit(1248303983.598:5560): avc:  denied  { open } for
> pid=3282 comm="mingetty" name="var" dev=sda1 ! ino=103169
> scontext=system_u:system_r:getty_t:s0-s15:c0.c255 tcontext=
> system_u:object_r:var_t:s0 tclass=dir

That's a kernel bug.  Kernel version?  Fixed by:
http://marc.info/?l=git-commits-head&m=123049921710331&w=2
http://marc.info/?l=git-commits-head&m=123809417718576&w=2

If you can't fix your kernel, then disable open permission in your
policy (remove policycap open_perms; from policy/policy_capabilities).

> with "INIT: no more processes left in this runlevel" in the end when I
> try to login through serial console.
> 
> I guess above error messages may have resulted in the file system
> having not been labeled correctly, does anyone know what I may have
> missed out when trying to relabeling the file system when first time
> booting into the shell?

-- 
Stephen Smalley
National Security Agency

RE: A question about installing refpolicy-2.10081210

[TaurusHarry]

[-- Attachment #1: Type: text/plain, Size: 3966 bytes --]


Hi Smalley,

After I tried out the kenrel patch you pointed out I finally could successfully boot up refpolicy-20081210! there won't have udev and mingetty error messages any more! Big thanks!

I also tried out the latest refpolicy-20090730 with the updated kernel, however, although there won't be any mingetty error messages but I did see many udev error messages still there, so I think for the time being I will just stick to the refpolicy-20081210 version.

Thank you very much!

Best regards,

Harry


> Subject: Re: A question about installing refpolicy-2.10081210
> From: sds@tycho.nsa.gov
> To: harrytaurus2002@hotmail.com
> CC: selinux@tycho.nsa.gov; refpolicy@oss1.tresys.com; eparis@parisplace.org
> Date: Tue, 4 Aug 2009 08:00:20 -0400
> 
> On Tue, 2009-08-04 at 03:00 +0000, TaurusHarry wrote:
> > Hi all,
> > 
> > I have a question about the error messages when installing
> > refpolicy-2.20081210 from the tresys website on dell 610(x86_32)
> > laptop. I have installed and compiled refpolicy-2.20081210 by the
> > following selinux user space tools:
> > 
> > libsepol-2.0.36
> > libselinux-2.0.79
> > libsemanage-2.0.27
> > policycoreutils-2.0.55
> > checkpolicy-2.0.19
> > sepolgen-1.0.16
> > 
> > Then I use kernel cmdline of "root=/dev/sda1 rw init=/bin/bash
> > selinux=1" to boot into a shell with selinux enabled so that I could
> > setup proper security contexts for the whole file system in the shell
> > before the next time I would let kernel boot into normal /sbin/init
> > program and start everything with correct security context. Then I do
> > the following commands:
> > 
> > mount -t proc none /proc
> > mount -t sysfs none /sys
> > mount -t selinuxfs none /selinux
> > SELINUXTYPE=refpolicy-20081210
> > /usr/sbin/load_policy -q /etc/selinux/$SELINUXTYPE/policy/policy.24
> > sed -i "s/^SELINUXTYPE=.*/SELINUXTYPE=$S!
> > ELINUXTYPE/" /etc/selinux/config
> > /usr/sbin/restorecon -v -R /
> > 
> > The "load_policy -q" would pop up a message of:
> > type=1403 audit(1255195933.120:2): policy loaded auid=4294967295
> > ses=4294967295
> > 
> > so I guess the policy.24 has been loaded successfully, and the
> > "restorecon" could run successfully. However, when I change the kernel
> > cmdline with "init=/sbin/init" I could see hundreds of error messages
> > about udev and mingetty such as:
> > 
> > udevd-event[1252]: selinux_setfscreatecon: matchpathcon(/dev/.tmp-8-0)
> > failed
> > udevd-event[1215]: selinux_setfilecon: matchpathcon(/dev/ram12) failed
> 
> What did you end up with as
> your /etc/selinux/$SELINUXTYPE/contexts/files/file_contexts file?
> 
> > and 
> > 
> > type=1400 audit(1248303983.579:5559): avc:  denied  { open } for
> > pid=3283 comm="mingetty" name="var" dev=sda1 ino=103169
> > scontext=system_u:system_r:getty_t:s0-s15:c0.c255
> > tcontext=system_u:object_r:var_t:s0 tclass=dir
> > type=1400 audit(1248303983.598:5560): avc:  denied  { open } for
> > pid=3282 comm="mingetty" name="var" dev=sda1 ! ino=103169
> > scontext=system_u:system_r:getty_t:s0-s15:c0.c255 tcontext=
> > system_u:object_r:var_t:s0 tclass=dir
> 
> That's a kernel bug.  Kernel version?  Fixed by:
> http://marc.info/?l=git-commits-head&m=123049921710331&w=2
> http://marc.info/?l=git-commits-head&m=123809417718576&w=2
> 
> If you can't fix your kernel, then disable open permission in your
> policy (remove policycap open_perms; from policy/policy_capabilities).
> 
> > with "INIT: no more processes left in this runlevel" in the end when I
> > try to login through serial console.
> > 
> > I guess above error messages may have resulted in the file system
> > having not been labeled correctly, does anyone know what I may have
> > missed out when trying to relabeling the file system when first time
> > booting into the shell?
> 
> -- 
> Stephen Smalley
> National Security Agency
> 

_________________________________________________________________
上Windows Live 中国首页，下载最新版Messenger！
http://www.windowslive.cn

[-- Attachment #2: Type: text/html, Size: 4936 bytes --]