Hi,
I have an FC3/x86-64 system and I wanted to try the latest-greatest mainstream test kernel. The compilation went OK but it didn't boot successfully, which seems to be an FC3 bug. The last lines on the console are:
------------------------------------------------- Switching to new root Enforcing mode requested but no policy loaded. Halting now. Kernel panic - not syncing: Attempted to kil init! -------------------------------------------------
At that point, the initrd userspace already started up and loaded the required modules, e.g. ext3, SATA drivers, etc.
Is FC3 (or its mkinitrd) that old to be incompatible with the latest kernel? At this moment I cannot upgrade to FC4 to confirm this.
Best regards, Zoltán Böszörményi
At 1:08 PM +0200 9/27/05, Zoltan Boszormenyi wrote:
Hi,
I have an FC3/x86-64 system and I wanted to try the latest-greatest mainstream test kernel. The compilation went OK but it didn't boot successfully, which seems to be an FC3 bug. The last lines on the console are:
Switching to new root Enforcing mode requested but no policy loaded. Halting now. Kernel panic - not syncing: Attempted to kil init!
At that point, the initrd userspace already started up and loaded the required modules, e.g. ext3, SATA drivers, etc.
Is FC3 (or its mkinitrd) that old to be incompatible with the latest kernel? At this moment I cannot upgrade to FC4 to confirm this.
That's SELinux. Note that the name SELinux doesn't appear in SELinux error messages; this may be the Security Mindset at work. The key words in the error message are "enforcing mode" and "policy". Turn off SELinux' enforcing mode. If you run any servers you will want to be behind some other firewall and pay attention to the machine's firewall. ____________________________________________________________________ TonyN.:' mailto:tonynelson@georgeanelson.com ' http://www.georgeanelson.com/
Tony Nelson írta:
At 1:08 PM +0200 9/27/05, Zoltan Boszormenyi wrote:
Hi,
I have an FC3/x86-64 system and I wanted to try the latest-greatest mainstream test kernel. The compilation went OK but it didn't boot successfully, which seems to be an FC3 bug. The last lines on the console are:
Switching to new root Enforcing mode requested but no policy loaded. Halting now. Kernel panic - not syncing: Attempted to kil init!
At that point, the initrd userspace already started up and loaded the required modules, e.g. ext3, SATA drivers, etc.
Is FC3 (or its mkinitrd) that old to be incompatible with the latest kernel? At this moment I cannot upgrade to FC4 to confirm this.
That's SELinux. Note that the name SELinux doesn't appear in SELinux error messages; this may be the Security Mindset at work. The key words in the error message are "enforcing mode" and "policy". Turn off SELinux' enforcing mode. If you run any servers you will want to be behind some other firewall and pay attention to the machine's firewall.
Yes, thank you. I know it's SELinux, I already switched off enforcing mode, but I cannot reboot to try it at the moment. My machine is the only computer in the house, so I am a bit uneasy about switching it off.
BTW, I am running 2.6.13-rc1-mm1 (kernel-2.6.11-1.14_FC3 is installed) and setting enforcing mode on boot works with these kernel versions.
Maybe the RedHat engineers can answer my real question, here it is again:
Is FC3 (or its mkinitrd or initscripts) that old to be incompatible with the latest kernel?
Best regards, Zoltán Böszörményi
At 6:01 PM +0200 9/27/05, Zoltan Boszormenyi wrote:
Tony Nelson írta:
At 1:08 PM +0200 9/27/05, Zoltan Boszormenyi wrote:
Hi,
I have an FC3/x86-64 system and I wanted to try the latest-greatest mainstream test kernel. The compilation went OK but it didn't boot successfully, which seems to be an FC3 bug. The last lines on the console are:
Switching to new root Enforcing mode requested but no policy loaded. Halting now. Kernel panic - not syncing: Attempted to kil init!
At that point, the initrd userspace already started up and loaded the required modules, e.g. ext3, SATA drivers, etc.
Is FC3 (or its mkinitrd) that old to be incompatible with the latest kernel? At this moment I cannot upgrade to FC4 to confirm this.
That's SELinux. Note that the name SELinux doesn't appear in SELinux error messages; this may be the Security Mindset at work. The key words in the error message are "enforcing mode" and "policy". Turn off SELinux' enforcing mode. If you run any servers you will want to be behind some other firewall and pay attention to the machine's firewall.
Yes, thank you. I know it's SELinux, I already switched off enforcing mode, but I cannot reboot to try it at the moment. My machine is the only computer in the house, so I am a bit uneasy about switching it off.
If you aren't running any servers this shouldn't actually make any change, as the SELinux Targeted policy only affects servers. Since I don't run any servers, I don't have much trouble with SELinux (or much experience with SELinux).
BTW, I am running 2.6.13-rc1-mm1 (kernel-2.6.11-1.14_FC3 is installed) and setting enforcing mode on boot works with these kernel versions.
Maybe the RedHat engineers can answer my real question, here it is again:
Is FC3 (or its mkinitrd or initscripts) that old to be incompatible with the latest kernel?
You didn't report a problem (yet) with the ramdisk. You reported a problem with SELinux. You don't have any reason to suspect that your initrd is bad, and some reason to think it is good. ____________________________________________________________________ TonyN.:' mailto:tonynelson@georgeanelson.com ' http://www.georgeanelson.com/
Tony Nelson írta:
At 6:01 PM +0200 9/27/05, Zoltan Boszormenyi wrote:
Tony Nelson írta:
At 1:08 PM +0200 9/27/05, Zoltan Boszormenyi wrote:
Hi,
I have an FC3/x86-64 system and I wanted to try the latest-greatest mainstream test kernel. The compilation went OK but it didn't boot successfully, which seems to be an FC3 bug. The last lines on the console are:
Switching to new root Enforcing mode requested but no policy loaded. Halting now. Kernel panic - not syncing: Attempted to kil init!
At that point, the initrd userspace already started up and loaded the required modules, e.g. ext3, SATA drivers, etc.
Is FC3 (or its mkinitrd) that old to be incompatible with the latest kernel? At this moment I cannot upgrade to FC4 to confirm this.
That's SELinux. Note that the name SELinux doesn't appear in SELinux error messages; this may be the Security Mindset at work. The key words in the error message are "enforcing mode" and "policy". Turn off SELinux' enforcing mode. If you run any servers you will want to be behind some other firewall and pay attention to the machine's firewall.
Yes, thank you. I know it's SELinux, I already switched off enforcing mode, but I cannot reboot to try it at the moment. My machine is the only computer in the house, so I am a bit uneasy about switching it off.
If you aren't running any servers this shouldn't actually make any change, as the SELinux Targeted policy only affects servers. Since I don't run any servers, I don't have much trouble with SELinux (or much experience with SELinux).
I just run sshd so I can look at my machine remotely and cupsd. Almost nothing else is let into the machine except 3 ports for the three users who run Azureus.
BTW, I am running 2.6.13-rc1-mm1 (kernel-2.6.11-1.14_FC3 is installed) and setting enforcing mode on boot works with these kernel versions.
Maybe the RedHat engineers can answer my real question, here it is again:
Is FC3 (or its mkinitrd or initscripts) that old to be incompatible with the latest kernel?
You didn't report a problem (yet) with the ramdisk. You reported a problem with SELinux. You don't have any reason to suspect that your initrd is bad, and some reason to think it is good.
I compiled 2.6.14-rc2-git6 the usual mode, taking the .config from the Fedora kernel and I did:
make oldconfig make make modules_install cp System.map /boot/System.map-<version> cp arch/x86_64/boot/bzImage /boot/vmlinuz-<version> mkinitrd /boot/initrd-<version>.img <version>
and I created an entry in grub.conf. Everything should have been working as it worked so many times. The only difference is the new kernel.
BTW, I rebooted the new kernel with SELinux permissive mode and it worked.
Well, X didn't come up, I guess I have to switch off DRI. Xorg.0.log stopped here:
... (II) RADEON(0): X context handle = 0x00000001 (II) RADEON(0): [drm] installed DRM signal handler (II) RADEON(0): [DRI] installation complete
Best regards, Zoltán Böszörményi
On Tue, 2005-09-27 at 18:01 +0200, Zoltan Boszormenyi wrote:
Tony Nelson írta:
At 1:08 PM +0200 9/27/05, Zoltan Boszormenyi wrote:
Hi,
I have an FC3/x86-64 system and I wanted to try the latest-greatest mainstream test kernel. The compilation went OK but it didn't boot successfully, which seems to be an FC3 bug. The last lines on the console are:
Switching to new root Enforcing mode requested but no policy loaded. Halting now. Kernel panic - not syncing: Attempted to kil init!
At that point, the initrd userspace already started up and loaded the required modules, e.g. ext3, SATA drivers, etc.
Is FC3 (or its mkinitrd) that old to be incompatible with the latest kernel? At this moment I cannot upgrade to FC4 to confirm this.
That's SELinux. Note that the name SELinux doesn't appear in SELinux error messages; this may be the Security Mindset at work. The key words in the error message are "enforcing mode" and "policy". Turn off SELinux' enforcing mode. If you run any servers you will want to be behind some other firewall and pay attention to the machine's firewall.
Yes, thank you. I know it's SELinux, I already switched off enforcing mode, but I cannot reboot to try it at the moment. My machine is the only computer in the house, so I am a bit uneasy about switching it off.
BTW, I am running 2.6.13-rc1-mm1 (kernel-2.6.11-1.14_FC3 is installed) and setting enforcing mode on boot works with these kernel versions.
/sbin/init tries to load the current policy version (for the binary policy format, not the package version) supported by the kernel (based on reading /selinux/policyvers), and then tries the next oldest version if that doesn't exist. I think the issue here is that the policy version has changed twice from what shipped in FC3, and /sbin/init doesn't keep trying older policy versions if the current one and its predecessor don't exist. The kernel itself will always accept older binary policy versions, so it would take the policy if /sbin/init loaded it. Naturally, there could be permission denials due to new permissions being introduced in the newer kernel that weren't allowed by the older policy, but you should at least be able to boot the system.
/sbin/init should likely keep trying older versions down to the oldest supported version in the 2.6 series. It would then ultimately load the policy that you have in FC3, which would likely work modulo new permission check denials.
cc'd fedora-selinux-list, as that is the best place to ask questions re SELinux.
-
Stephen Smalley -
Tony Nelson -
Zoltan Boszormenyi