* installing SELinux on Trustix
@ 2003-04-15 23:39 Christof Rath
2003-04-16 15:50 ` Stephen Smalley
0 siblings, 1 reply; 3+ messages in thread
From: Christof Rath @ 2003-04-15 23:39 UTC (permalink / raw)
To: SELinux
Hello,
I have done the 'make quickinstall' and got some problems while executing 'sdf' but I expected this would not be a problem if I just want to restart with the new kernel.
But when I started with the new kernel I got the following messages:
[snip]
INIT: version 2.78 booting
avc: denied { getattr } for pid=1 exe=/sbin/init path=/dev/initctl dev=08:07 ino=22610 scontext=system_u:system_r:kernel_t tcontext=system_u:objecr_r:file_t tclass=fifo_file
avc: denied { read } for pid=8 exe=/sbin/init path=/bin/sh dev=08:07 ino=55138 scontext=system_u:system_r:kernel_t tcontext=system_u:objecr_r:file_t tclass=lnk_file
[snip]
and some more of them and at the end I got a list of
[snip]
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
INIT: cannot execute "/sbin/mingetty"
[snip]
I hope someone can tell me a solution...
nice day
Christof
* Re: installing SELinux on Trustix
2003-04-15 23:39 installing SELinux on Trustix Christof Rath
@ 2003-04-16 15:50 ` Stephen Smalley
2003-04-17 18:35 ` Lamont R. Peterson
0 siblings, 1 reply; 3+ messages in thread
From: Stephen Smalley @ 2003-04-16 15:50 UTC (permalink / raw)
To: Christof Rath; +Cc: SELinux
On Tue, 2003-04-15 at 19:39, Christof Rath wrote:
> avc: denied { getattr } for pid=1 exe=/sbin/init path=/dev/initctl
> dev=08:07 ino=22610 scontext=system_u:system_r:kernel_t
> tcontext=system_u:objecr_r:file_t tclass=fifo_file
>
> avc: denied { read } for pid=8 exe=/sbin/init path=/bin/sh dev=08:07
> ino=55138 scontext=system_u:system_r:kernel_t
> tcontext=system_u:objecr_r:file_t tclass=lnk_file
> [snip]
The above messages suggest that you did not label your filesystems prior
to booting the SELinux kernel. This makes sense if the quickinstall
aborted without completing.
> and some more of them and at the end I got a list of
>
> [snip]
> INIT: cannot execute "/sbin/mingetty"
> INIT: cannot execute "/sbin/mingetty"
> INIT: cannot execute "/sbin/mingetty"
> [snip]
Did you configure your kernel with CONFIG_SECURITY_SELINUX_DEVELOP=y
(NSA SELinux Development Support), as per the README instructions? It
sounds like you did not enable this option and are booting an enforcing
kernel, which isn't going to work without having labeled the filesystem
(and may not work anyway, as the example policy may not cover everything
you need for your system to operate, especially if you are just using
the core policy and haven't enabled any optional policy modules). You
should build the kernel with the development option and boot it in
permissive mode (the default) initially so that you can address any
policy configuration issues and then transition to an enforcing kernel.
> I hope someone can tell me a solution...
Boot with your old kernel and follow the step-by-step instructions for
installing SELinux, since the quickinstall aborted for you.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
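
An added example, not part of the original thread or of the SELinux distribution: a small Python parser for AVC denials in the format quoted above. It flags the pattern Stephen Smalley points to, denials whose target context carries the type file_t, which is taken here to mean "no label assigned". The third log line, the function names and the "more than half" threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the two denials quoted in the thread (with the
# "objecr_r" spelling as posted) plus one made-up denial on a labeled file.
SAMPLE = """\
avc: denied { getattr } for pid=1 exe=/sbin/init path=/dev/initctl dev=08:07 ino=22610 scontext=system_u:system_r:kernel_t tcontext=system_u:objecr_r:file_t tclass=fifo_file
avc: denied { read } for pid=8 exe=/sbin/init path=/bin/sh dev=08:07 ino=55138 scontext=system_u:system_r:kernel_t tcontext=system_u:objecr_r:file_t tclass=lnk_file
avc: denied { write } for pid=412 exe=/usr/sbin/sshd path=/var/log/wtmp dev=08:07 ino=9001 scontext=system_u:system_r:sshd_t tcontext=system_u:object_r:var_log_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
# Assumption: these types mark objects that never received a label.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type; padding keeps malformed contexts from raising.
    rec["stype"] = (rec.get("scontext", "") + "::").split(":")[2]
    rec["ttype"] = (rec.get("tcontext", "") + "::").split(":")[2]
    return rec

def diagnose(log_text):
    """Summarise denials and flag the unlabeled-filesystem pattern."""
    recs = [r for r in map(parse_avc, log_text.splitlines()) if r]
    unlabeled = [r for r in recs if r["ttype"] in UNLABELED_TYPES]
    return {
        "denials": len(recs),
        "unlabeled_targets": sorted(r.get("path", "?") for r in unlabeled),
        "by_source_type": dict(Counter(r["stype"] for r in recs)),
        # Heuristic (assumption): when most denials hit unlabeled objects,
        # the labeling step never ran; this is not a gap in the policy.
        "likely_unlabeled_fs": bool(recs) and len(unlabeled) * 2 > len(recs),
    }

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample, both denials from the thread are reported as unlabeled targets with source type kernel_t, while the constructed sshd_t denial is counted but not flagged.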
* Re: installing SELinux on Trustix
2003-04-16 15:50 ` Stephen Smalley
@ 2003-04-17 18:35 ` Lamont R. Peterson
0 siblings, 0 replies; 3+ messages in thread
From: Lamont R. Peterson @ 2003-04-17 18:35 UTC (permalink / raw)
To: Stephen Smalley, Christof Rath; +Cc: SELinux
Christof:
<SNIP>
On Wednesday 16 April 2003 09:50 am, Stephen Smalley wrote:
> Boot with your old kernel and follow the step-by-step instructions for
> installing SELinux, since the quickinstall aborted for you.
It sounded like you might not have that old kernel installed still. For just
such situations, I always test new kernels using a separate boot selection
first, without changing my default. Personally, I like lilo better than
grub, so I will use that "terminology".
I create a section in my lilo.conf that looks like this:
image = /boot/bzImage.test
    root = /dev/[whatever your root partition is]
    label = Test
    read-only
    append = "[which whatever boot option(s) you need to pass to the kernel]"
    optional
Then, all I have to do is move my testing kernel to /boot/bzImage.test and run
lilo. I boot it, test it and so on until I am happy with it. Then I rename
it bzImage (usually moving the old to bzImage.YYYY-MM-DD), run lilo and I am
set!
Now, if you can not boot, then I might suggest you go to
http://www.gentoo.org/ and get one of the installation iso images. The
1.4_rc? series are just great. You can just download the smallest one. Burn
the CD and boot with it. There is a file named INSTALL.TXT (if I am
remembering correctly) in the root of the CD that is helpful. This makes a
super emergency/recovery/diagnostic CD to use. Keep it handy when you need
to fix other people's linux installs, whether or not they are Gentoo.
Hope that helps some of you out there.
--
Sincerely,
Lamont R. Peterson <lrp@xmission.com>