4:38 p.m.
I have installed Fedora Core 4 on my machine with selinux enabled
and have followed the instructions to enable MLS. Both are working.
I have compiled a 2.6.13 kernel from kernel.org with selinux enabled in
my kernel. However, I am unable to boot into my 2.6.13 kernel.
When I disable selinux (selinux=0) or set (enforcing=0) my kernel
boots up ok. When I boot into my 2.6.13 kernel with selinux enabled, the
boot hangs after the SELinux initializations and at the point I believe
udev is suppose to get started.
When I tried booting into my 2.6.13 kernel with "enforcing=0 single"
and did a restorecon /etc/mtab, then did a setenforce 1 to switch to
enforcing mode and exited the single user shell to come up in multi-user
mode, it worked. I am sure I am stepping around something. :-)
(These steps are similar to those in README.mls instructions.) I did get
a bunch of the following messages from "dmesg"
though:
audit(1126300655.450:2839259): avc: denied { search } for pid=2199
comm="klogd" name="/" dev=tmpfs ino=1168
scontext=system_u:system_r:klogd_t:s0-s9:c0.c127
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
I do not understand but am very curious to know why I cannot boot
straight into my 2.6.13 kernel? Does 2.6.13 introduce some changes?
A colleague experienced similar problem. Has anyone else experienced
this problem or can explain to me what is happening?
Thanks!
Joy Latten
7:21 a.m.
On Fri, 2005-09-09 at 16:38 -0500, Joy Latten wrote:
I have installed Fedora Core 4 on my machine with selinux enabled
and have followed the instructions to enable MLS. Both are working.
I have compiled a 2.6.13 kernel from kernel.org with selinux enabled in
my kernel. However, I am unable to boot into my 2.6.13 kernel.
When I disable selinux (selinux=0) or set (enforcing=0) my kernel
boots up ok. When I boot into my 2.6.13 kernel with selinux enabled, the
boot hangs after the SELinux initializations and at the point I believe
udev is suppose to get started.
When I tried booting into my 2.6.13 kernel with "enforcing=0 single"
and did a restorecon /etc/mtab, then did a setenforce 1 to switch to
enforcing mode and exited the single user shell to come up in multi-user
mode, it worked. I am sure I am stepping around something. :-)
(These steps are similar to those in README.mls instructions.) I did get
a bunch of the following messages from "dmesg"
though:
audit(1126300655.450:2839259): avc: denied { search } for pid=2199
comm="klogd" name="/" dev=tmpfs ino=1168
scontext=system_u:system_r:klogd_t:s0-s9:c0.c127
tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
I do not understand but am very curious to know why I cannot boot
straight into my 2.6.13 kernel? Does 2.6.13 introduce some changes?
A colleague experienced similar problem. Has anyone else experienced
this problem or can explain to me what is happening?
Sounds like you didn't enable the tmpfs security labeling support in
your kernel .config (CONFIG_TMPFS_SECURITY). That would prevent
setting/getting security labels on the tmpfs /dev managed by udev, and
thus /dev would be inaccessible to most processes.
--
Stephen Smalley
National Security Agency
9:12 a.m.
On Mon, 2005-09-12 at 08:21 -0400, Stephen Smalley wrote:
Sounds like you didn't enable the tmpfs security labeling support
in
your kernel .config (CONFIG_TMPFS_SECURITY). That would prevent
setting/getting security labels on the tmpfs /dev managed by udev, and
thus /dev would be inaccessible to most processes.
BTW, 2.6.13-git11 obsoletes this option and the DEVPTS_FS_SECURITY
option, as it includes the generic VFS fallback for security attributes.
--
Stephen Smalley
National Security Agency
6801
days inactive
6804
days old
selinux@lists.fedoraproject.org
2 comments
2 participants
participants (2)
-
Joy Latten -
Stephen Smalley