Hi,
I just got yesterday's updates compiled and installed. Upon first boot, I got a message like this:
Mounting local filesystem Can't open RNG file /dev/hw_random no such file or directory enable swap...
I haven't seen this before. I traced the message string to /sbin/rngd. Is this error something that we should worry about? Something wanted a random number and it aint gonna get it.
This prompted me to look deeper into the boot messages since there's a lot of new changes regarding kudzu, hal, dbus, and the kernel. The issues I found will be listed in the sequence they appeared in my logs:
Aug 21 09:00:13 buildhost kernel: SELinux: Initializing. Aug 21 09:00:13 buildhost kernel: SELinux: Starting in permissive mode Aug 21 09:00:13 buildhost kernel: There is already a security framework initialized, register_security failed. Aug 21 09:00:13 buildhost kernel: selinux_register_security: Registering secondary module capability Aug 21 09:00:13 buildhost kernel: Capability LSM initialized as secondary
OK, why did selinux fail registering?
Aug 21 09:00:14 buildhost kernel: ksign: Installing public key data Aug 21 09:00:14 buildhost kernel: Loading keyring Aug 21 09:00:14 buildhost kernel: - Added public key D9E600F29CF41CA4 Aug 21 09:00:14 buildhost kernel: - User ID: Red Hat, Inc. (Kernel Module GPG key) Aug 21 09:00:14 buildhost kernel: ksign: invalid packet (ctb=00) Aug 21 09:00:14 buildhost kernel: Unable to load default keyring: error=74
Why is there an invalid packet and why did the keyring fail to load?
Aug 21 09:00:15 buildhost kernel: md: md driver 0.90.0 MAX_MD_DEVS=256, MD_SB_DISKS=27 Aug 21 09:00:15 buildhost hal.hotplug[1684]: error sending message to hald Aug 21 09:00:15 buildhost kernel: NET: Registered protocol family 2 Aug 21 09:00:15 buildhost kernel: IP: routing cache hash table of 2048 buckets, 64Kbytes Aug 21 09:00:15 buildhost kernel: TCP: Hash tables configured (established 262144 bind 37449)
Hmmm something failed to send a message to hald. What was the dbus & hald boot priority?
Aug 21 09:00:16 buildhost kernel: security: 3 users, 4 roles, 251 types, 12 bools Aug 21 09:00:16 buildhost kernel: security: 53 classes, 3895 rules Aug 21 09:00:16 buildhost kernel: SELinux: Completing initialization.
SE Linux is just now finishing its init? Why have other daemons and SE Linux applications been running? Is there a synchonization barrier that stops any SE Linux aware application from running until the whole rule set is finished loading? Is there a window of opportunity that a malicious application could run before SE Linux has done its thing? Like maybe disable SE Linux?
Aug 21 09:00:16 buildhost kernel: Adding 2096440k swap on /dev/sda5. Priority:-1 extents:1 Aug 21 09:00:16 buildhost kernel: audit(1093093168.059:0): avc: denied { mounton } for pid=1117 exe=/bin/mount path=/proc/sys/fs/binfmt_misc dev=proc ino=-268435430 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:sysctl_t tclass=dir Aug 21 09:00:16 buildhost kernel: audit(1093093168.059:0): avc: denied { mounton } for pid=1117 exe=/bin/mount path=/proc/sys/fs/binfmt_misc dev=proc ino=-268435430 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:sysctl_t tclass=dir
Yep, SE Linux is now active, starting to see avc's.
Aug 21 09:00:17 buildhost kernel: Attached scsi generic sg0 at scsi0, channel 0, id 0, lun 0, type 0 Aug 21 09:00:17 buildhost kernel: kudzu: Using deprecated /dev/sg mechanism instead of SG_IO on the actual device
Are there plans to fix kudzu not to use a deprecated mechanism?
Aug 21 09:00:18 buildhost crond: crond startup succeeded Aug 21 09:00:18 buildhost anacron: anacron startup succeeded Aug 21 09:00:19 buildhost messagebus: messagebus startup succeeded Aug 21 09:00:19 buildhost haldaemon: haldaemon startup succeeded
OK, way down here at the very end haldaemon is active. Isn't this way late?
-Steve Grubb
_______________________________ Do you Yahoo!? Win 1 of 4,000 free domain names from Yahoo! Enter now. http://promotions.yahoo.com/goldrush
On Sun, 22 Aug 2004 00:08, Steve G linux_4ever@yahoo.com wrote:
Mounting local filesystem Can't open RNG file /dev/hw_random no such file or directory enable swap...
I haven't seen this before. I traced the message string to /sbin/rngd. Is this error something that we should worry about? Something wanted a random number and it aint gonna get it.
rngd copies data from the hardware random number source to /dev/random (the kernel random number source). Without it /dev/random gets populated by key-press intervals, network interrupt times, and other events which may not be sufficiently random or common.
It seems that rngd expects /dev/hwrandom while udev with the FC3T1 kernel creates /dev/hw_random. I haven't checked the latest kernel to see whether this has changed.
Aug 21 09:00:13 buildhost kernel: SELinux: Initializing. Aug 21 09:00:13 buildhost kernel: SELinux: Starting in permissive mode Aug 21 09:00:13 buildhost kernel: There is already a security framework initialized, register_security failed. Aug 21 09:00:13 buildhost kernel: selinux_register_security: Registering secondary module capability Aug 21 09:00:13 buildhost kernel: Capability LSM initialized as secondary
OK, why did selinux fail registering?
Bogus error message. SE Linux needs the capability module for full functionality but you get an error when both are loaded. Things work fine anyway.
Aug 21 09:00:16 buildhost kernel: security: 3 users, 4 roles, 251 types, 12 bools Aug 21 09:00:16 buildhost kernel: security: 53 classes, 3895 rules Aug 21 09:00:16 buildhost kernel: SELinux: Completing initialization.
SE Linux is just now finishing its init? Why have other daemons and SE Linux applications been running? Is there a synchonization barrier that
I believe that hotplug is spawned by kernel threads and can start before init. The policy is loaded and SE Linux init is complete before init starts running with full functionality (IE before rc.sysinit is run).
stops any SE Linux aware application from running until the whole rule set is finished loading? Is there a window of opportunity that a malicious application could run before SE Linux has done its thing? Like maybe disable SE Linux?
No. The machine is a long way from multi-user mode at that stage.
Aug 21 09:00:16 buildhost kernel: Adding 2096440k swap on /dev/sda5. Priority:-1 extents:1 Aug 21 09:00:16 buildhost kernel: audit(1093093168.059:0): avc: denied { mounton } for pid=1117 exe=/bin/mount path=/proc/sys/fs/binfmt_misc dev=proc ino=-268435430 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:sysctl_t tclass=dir Aug 21 09:00:16 buildhost kernel: audit(1093093168.059:0): avc: denied { mounton } for pid=1117 exe=/bin/mount path=/proc/sys/fs/binfmt_misc dev=proc ino=-268435430 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:sysctl_t tclass=dir
Yep, SE Linux is now active, starting to see avc's.
What script is calling this mount? It's a bug in policy but I'd like to get more info before making changes.
Aug 21 09:00:18 buildhost crond: crond startup succeeded Aug 21 09:00:18 buildhost anacron: anacron startup succeeded Aug 21 09:00:19 buildhost messagebus: messagebus startup succeeded Aug 21 09:00:19 buildhost haldaemon: haldaemon startup succeeded
OK, way down here at the very end haldaemon is active. Isn't this way late?
I was under the impression that kudzu requires hal. If that means it needs haldaemon to be active then you are correct and it is too late.
On Sun, 2004-08-22 at 01:48 +1000, Russell Coker wrote:
OK, way down here at the very end haldaemon is active. Isn't this way late?
I was under the impression that kudzu requires hal. If that means it needs haldaemon to be active then you are correct and it is too late.
kudzu does have a 'Requires: hal' line but that was only to drag in hal since /etc/fstab is now managed by fstab-sync (which is invoked by hal and currently part of the hal package) and not kudzu.
Cheers, David
rngd copies data from the hardware random number source to /dev/random (the kernel random number source). Without it /dev/random gets populated by key-press intervals, network interrupt times, and other events which may not be sufficiently random or common.
Right. That's what bothers me.
It seems that rngd expects /dev/hwrandom while udev with the FC3T1 kernel creates /dev/hw_random. I haven't checked the latest kernel to see whether this has changed.
So which one is considered wrong?
I believe that hotplug is spawned by kernel threads and can start before init. The policy is loaded and SE Linux init is complete before init starts running with full functionality (IE before rc.sysinit is run).
Is that guaranteed or just happens to work out that way?
Aug 21 09:00:16 buildhost kernel: Adding 2096440k swap on /dev/sda5. Priority:-1 extents:1 Aug 21 09:00:16 buildhost kernel: audit(1093093168.059:0): avc: denied { mounton } for pid=1117 exe=/bin/mount path=/proc/sys/fs/binfmt_misc dev=proc ino=-268435430 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:sysctl_t tclass=dir Aug 21 09:00:16 buildhost kernel: audit(1093093168.059:0): avc: denied { mounton } for pid=1117 exe=/bin/mount path=/proc/sys/fs/binfmt_misc dev=proc ino=-268435430 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:sysctl_t tclass=dir
What script is calling this mount? It's a bug in policy but I'd like to get more info before making changes.
I am using the targeted policy 1.15.16-2 and initscripts 7.62. This was right after the add swap file in /etc/rc.sysinit:
# Start up swapping. update_boot_stage RCswap action $"Enabling swap space: " swapon -a -e
# Set up binfmt_misc /bin/mount -t binfmt_misc none /proc/sys/fs/binfmt_misc > /dev/null 2>&1
-Steve Grubb
_______________________________ Do you Yahoo!? Win 1 of 4,000 free domain names from Yahoo! Enter now. http://promotions.yahoo.com/goldrush
On Sun, 22 Aug 2004 04:49, Steve G linux_4ever@yahoo.com wrote:
It seems that rngd expects /dev/hwrandom while udev with the FC3T1 kernel creates /dev/hw_random. I haven't checked the latest kernel to see whether this has changed.
So which one is considered wrong?
The devices.txt file in the source tree for 2.6.8.1 says /dev/hwrng which seems to indicate that both are wrong.
I've CC'd this to fedora-devel-list for some more input to the discussion.
On Sun, 22 Aug 2004 21:00, Alan Cox alan@redhat.com wrote:
On Sun, Aug 22, 2004 at 08:04:48PM +1000, Russell Coker wrote:
The devices.txt file in the source tree for 2.6.8.1 says /dev/hwrng which seems to indicate that both are wrong.
LANANA's table agrees so the definitive source is "/dev/hwrng".
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=130584
I have filed a bugzilla.
On Sun, 22 Aug 2004 04:49, Steve G linux_4ever@yahoo.com wrote:
rngd copies data from the hardware random number source to /dev/random (the kernel random number source). Without it /dev/random gets populated by key-press intervals, network interrupt times, and other events which may not be sufficiently random or common.
Right. That's what bothers me.
It's not that bad. Most machines have enough interrupts and a small enough demand for random numbers that this isn't an issue.
I believe that hotplug is spawned by kernel threads and can start before init. The policy is loaded and SE Linux init is complete before init starts running with full functionality (IE before rc.sysinit is run).
Is that guaranteed or just happens to work out that way?
It is guaranteed in the current Fedora design that /sbin/init will not start operating in a normal manner until after the SE Linux policy is loaded. In the past (before Fedora had SE Linux) things were different, and there could be a need to change things again in the future (although it's very unlikely). For the moment you can count on the SE Linux policy being loaded immediately after the initrd is complete.
Aug 21 09:00:16 buildhost kernel: Adding 2096440k swap on /dev/sda5. Priority:-1 extents:1 Aug 21 09:00:16 buildhost kernel: audit(1093093168.059:0): avc: denied { mounton } for pid=1117 exe=/bin/mount path=/proc/sys/fs/binfmt_misc dev=proc ino=-268435430 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:sysctl_t tclass=dir Aug 21 09:00:16 buildhost kernel: audit(1093093168.059:0): avc: denied { mounton } for pid=1117 exe=/bin/mount path=/proc/sys/fs/binfmt_misc dev=proc ino=-268435430 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:sysctl_t tclass=dir
What script is calling this mount? It's a bug in policy but I'd like to get more info before making changes.
I am using the targeted policy 1.15.16-2 and initscripts 7.62. This was right after the add swap file in /etc/rc.sysinit:
The attached patch will fix this, Steve, please put it in the CVS.
Russell Coker (russell@coker.com.au) said:
It seems that rngd expects /dev/hwrandom while udev with the FC3T1 kernel creates /dev/hw_random. I haven't checked the latest kernel to see whether this has changed.
rngd was patched to expect /dev/hw_random.
However, only udev will create that ATM; it's not in the static dev package.
Bill
On Sat, 2004-08-21 at 07:08 -0700, Steve G wrote:
Aug 21 09:00:15 buildhost kernel: md: md driver 0.90.0 MAX_MD_DEVS=256, MD_SB_DISKS=27 Aug 21 09:00:15 buildhost hal.hotplug[1684]: error sending message to hald Aug 21 09:00:15 buildhost kernel: NET: Registered protocol family 2 Aug 21 09:00:15 buildhost kernel: IP: routing cache hash table of 2048 buckets, 64Kbytes Aug 21 09:00:15 buildhost kernel: TCP: Hash tables configured (established 262144 bind 37449)
Hmmm something failed to send a message to hald. What was the dbus & hald boot priority?
I'll probably remove that message from hal.hotplug.
Aug 21 09:00:18 buildhost crond: crond startup succeeded Aug 21 09:00:18 buildhost anacron: anacron startup succeeded Aug 21 09:00:19 buildhost messagebus: messagebus startup succeeded Aug 21 09:00:19 buildhost haldaemon: haldaemon startup succeeded
OK, way down here at the very end haldaemon is active. Isn't this way late?
Not really; the hal daemon probes sysfs when starting up (the equivalent of 'coldplugging') so there is no need to move haldaemon (and it's dependency messagebus) to an earlier stage until other initscripts needs it (or an /etc/fstab that matches the installed drives since the haldaemon invokes fstab-sync).
David