
RE: [refpolicy] Bootup problem with refpolicy-2.20091117 - 4:login successfully finally!

From: TaurusHarry <harrytaurus2002_at_nospam>
Date: Tue Jan 26 2010 - 08:50:46 GMT
To: Stephen Smalley <sds@tycho.nsa.gov>

Hi Stephen,

With all the kind help from you and Justin, I finally made the latest refpolicy-2.20091117 boot up successfully! Hats off to you two :-)

Please see my embedded replies, thanks!

> Subject: RE: [refpolicy] Bootup problem with refpolicy-2.20091117 - 3: MAKEDEV ok but /var/lock/subsys/ broken
> From: sds@tycho.nsa.gov
> To: harrytaurus2002@hotmail.com
> CC: refpolicy@oss1.tresys.com; selinux@tycho.nsa.gov
> Date: Mon, 25 Jan 2010 10:35:45 -0500
>
> On Mon, 2010-01-25 at 09:32 +0000, TaurusHarry wrote:
> > Hi Stephen and Justin,
> >
> > I have got some new findings after I sent out the previous email. The
> > weird error messages about /var/lock/subsys/ turn out to be a hard disk
> > inconsistency problem and could be fixed by fsck.ext2; after that, the
> > find and touch performed by rc.sysinit or /etc/rc3.d/* would have no
> > problem at all :-)
> >
> > However, my console still hangs at "INIT: Id "0" respawning too fast:
> > disabled for 5 minutes", although so far I think I have fixed all
> > those obvious problems with SELinux during boot up and I could no
> > longer find fishy AVC denied messages except something like:
> >
> > type=1400 audit(1264435478.992:5): avc: denied { rawip_send } for
> > pid=5 comm="sirq-timer/0"
> > saddr=fe80:0000:0000:0000:0203:baff:fef1:73e3
> > daddr=ff02:0000:0000:0000:0000:0000:0000:0002 netif=eth5
> > scontext=system_u:system_r:kernel_t:s15:c0.c255
> > tcontext=system_u:object_r:netif_t:s0-s15:c0.c255 tclass=netif
> > type=1400 audit(1264435478.992:6): avc: denied {! rawip_send } for
> > pid=5 comm="sirq-timer/0"
> > saddr=fe80:0000:0000:0000:0203:baff:fef1:73e3
> > daddr=ff02:0000:0000:0000:0000:0000:0000:0002 netif=eth5
> > scontext=system_u:system_r:kernel_t:s15:c0.c255
> > tcontext=system_u:object_r:node_t:s0-s15:c0.c255 tclass=node
>
> Hmm..so you don't have secmark enabled by default? Kernel config?

$ grep SECMARK linux-sun_cp3020-cgl-build/.config
CONFIG_NETWORK_SECMARK=y
# CONFIG_NETFILTER_XT_TARGET_SECMARK is not set
$

Should I enable more secmark options?

>
> > But I don't think they could be the reason /sbin/init would fail to
> > run /sbin/mingetty.
> >
> > Then I came up with the idea to toggle the SELinux state into Permissive
> > mode in rc.local, and finally the console no longer hangs and I
> > could login normally:
> >
> >
> >
> > root@cp3020:/root> cat /proc/cmdline
> >
> > root=/dev/sda1 rw console=ttyS0,115200n8 ip=dhcp selinux=1
> > BOOT_IMAGE=/vlm-boards/12885/qcao/kernel
> >
> > root@cp3020:/root> getenforce
> >
> > Permissive
> >
> > root@cp3020:/root>
> >
> > root@cp3020:/root> cat /var/log/messages
> >
> > ...
> >
> > Jan 25 16:59:15 cp3020 /etc/rc3.d/S95atd: atd startup - OK
> >
> > Jan 25 16:59:15 cp3020 boot: Starting cracklibd
> >
> > Jan 25 16:59:16 cp3020 boot: Starting local
> >
> > Jan 25 16:59:16 cp3020 kernel: type=1404 audit(1264438756.016:4): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
> >
> > ...
> >
> > root@cp3020:/root>
> >
> >
> > We can see selinux does boot up WITH enforcing=1 but is toggled into
> > enforcing=0 at rc.local, which proves that all my remaining problems
> > focus on /sbin/mingetty:
> > 0:2345:respawn:/sbin/mingetty console (in my /etc/inittab)
> >
> > Maybe I need to identify the changes from refpolicy-2.20081210 to
> > refpolicy-2.20091117 related with getty_t.
>
> Rebuild policy with dontaudits removed (semodule -DB) and retry, then
> look for audit messages involving getty.

Yeah, I created a policy store, then did semodule -DB and rebooted. I found AVC denied messages about the domains sendmail_t, hostname_t, quota_t and dmesg_t lacking the read privilege on console_device_t, which is expected because we have called the term_dontaudit_use_console() interface for these domains.

Since so far we have identified that my problem is rooted in getty_t, I went on to take a quick glance at getty.te and, very surprisingly, found this dontaudit interface has been called for getty_t too! In my case I am trying to log in to my target through a serial console, rather than any tty device, so I assume getty_t should be granted all necessary privileges to operate the console. Once I removed term_dontaudit_use_console(getty_t) I could find the following AVC denied message:

type=1400 audit(1264520547.936:68): avc: denied { noatsecure } for pid=2292 comm="login" scontext=system_u:system_r:getty_t:s0-s15:c0.c255 tcontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tclass=process

which I guess is exactly the root cause of my problem. Once I replaced it with term_use_console(getty_t), I finally could login successfully!

This problem made me sleepless for like 10 days and I would like to take this opportunity to summarize it here:

1. Use the enforcing=0 boot parameter if unable to log in to SELinux, then dmesg all those AVC denied messages for potential extra TE rules.

2. The problem could be caused by files not being properly labeled, as well as by necessary TE rules being missing. In my case many domains had no search right against tmpfs_t; however, tmpfs_t doesn't exist even in file_contexts, which indicates the tmpfs filesystem has not been properly labeled. It turns out start_udev should have labeled tmpfs once it mounts tmpfs on /dev.

3. If the problem persists but no relevant AVC denied message could be referenced, use semodule -DB to rebuild the policy and remove all those dontaudit rules, or remove the call to some dontaudit interface in the related .te, so that SELinux could throw out as many AVC denied messages as possible.

Next, I will go on playing with the latest refpolicy package and bring up the extra necessary TE rules I find.

Thank you so very much, again!

Best regards,
Harry

>
> --
> Stephen Smalley
> National Security Agency
>
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.
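As an added example (not part of this thread, and not tooling from the refpolicy project), the script below does the triage step from the summary above in code: it parses "avc: denied" records out of audit or dmesg output, reduces each to (source type, target type, class, permissions), aggregates them, and prints candidate TE allow rules, roughly what audit2allow does, with an optional filter so you can look only at records involving one domain (getty_t here, as Stephen suggested). The sample lines are constructed: the AVC records quoted in this thread re-joined onto single lines, one constructed chr_file denial to exercise the multi-permission case, and the type=1404 setenforce record, which must be ignored. The "!" inside the braces of the second record is simply skipped; the script does not interpret it.

```python
import re
from collections import defaultdict

# Constructed sample input (not a real capture): the AVC lines quoted in this
# thread, re-joined onto single lines, plus one constructed chr_file denial and
# one non-AVC audit record (type=1404) that the parser must ignore.
SAMPLE_AUDIT_LINES = """\
type=1400 audit(1264435478.992:5): avc: denied { rawip_send } for pid=5 comm="sirq-timer/0" saddr=fe80:0000:0000:0000:0203:baff:fef1:73e3 daddr=ff02:0000:0000:0000:0000:0000:0000:0002 netif=eth5 scontext=system_u:system_r:kernel_t:s15:c0.c255 tcontext=system_u:object_r:netif_t:s0-s15:c0.c255 tclass=netif
type=1400 audit(1264435478.992:6): avc: denied {! rawip_send } for pid=5 comm="sirq-timer/0" saddr=fe80:0000:0000:0000:0203:baff:fef1:73e3 daddr=ff02:0000:0000:0000:0000:0000:0000:0002 netif=eth5 scontext=system_u:system_r:kernel_t:s15:c0.c255 tcontext=system_u:object_r:node_t:s0-s15:c0.c255 tclass=node
type=1400 audit(1264520547.936:68): avc: denied { noatsecure } for pid=2292 comm="login" scontext=system_u:system_r:getty_t:s0-s15:c0.c255 tcontext=system_u:system_r:local_login_t:s0-s15:c0.c255 tclass=process
type=1400 audit(1264520547.936:69): avc: denied { read write } for pid=2292 comm="login" scontext=system_u:system_r:getty_t:s0-s15:c0.c255 tcontext=system_u:object_r:console_device_t:s0-s15:c0.c255 tclass=chr_file
Jan 25 16:59:16 cp3020 kernel: type=1404 audit(1264438756.016:4): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295
"""

# Permission list in braces (a leading "!" as seen in the thread's log is skipped),
# then the source context, target context and object class further along the line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*!?\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Type component of a user:role:type[:mls-range] security context."""
    fields = ctx.split(":")
    return fields[2] if len(fields) >= 3 else ctx


def parse_avc_denials(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial record."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # setenforce notices and other audit record types are not denials
        perms = tuple(m.group("perms").split())
        yield (context_type(m.group("scontext")),
               context_type(m.group("tcontext")),
               m.group("tclass"),
               perms)


def summarize_denials(text, domain=None):
    """Aggregate denied permissions per (source, target, class).
    With `domain` set (e.g. "getty_t"), keep only records where it is the
    source or the target type."""
    summary = defaultdict(set)
    for src, tgt, cls, perms in parse_avc_denials(text):
        if domain is not None and domain not in (src, tgt):
            continue
        summary[(src, tgt, cls)].update(perms)
    return dict(summary)


def candidate_allow_rules(text, domain=None):
    """Render aggregated denials as candidate TE allow rules, sorted for stable output.
    Candidates to review, not to paste blindly: a denial caused by a mislabeled
    file is fixed by relabeling, and a denial that a dontaudit interface hides
    on purpose should keep its dontaudit rather than gain an allow."""
    rules = []
    for (src, tgt, cls), perms in sorted(summarize_denials(text, domain).items()):
        rules.append("allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms))))
    return rules


if __name__ == "__main__":
    for rule in candidate_allow_rules(SAMPLE_AUDIT_LINES):
        print(rule)
    print("-- records involving getty_t only --")
    for rule in candidate_allow_rules(SAMPLE_AUDIT_LINES, domain="getty_t"):
        print(rule)
```

To run it against a real system, replace SAMPLE_AUDIT_LINES with the output of dmesg or the contents of the audit log after booting with enforcing=0 (or after semodule -DB); the domain filter is the quickest way to answer "which denials involve getty_t" without reading every record.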