rfs xattr's, mkinitrd and other stories

rfs xattr's, mkinitrd and other stories

[Dale Amon]

If anyone is interested, I've worked with Jeff Mahoney 
and Steve Smalley and between us we've got what should
be the necessary patches for using selinux with
reiserfs on 2.6.0 kernels. They are availabe here and
possibly on the Suse site by now:

 http://www.unixthugs.org/~jeffm/technical/reiserfs/aclea/2.6.0-test4/

So I'm on to the next phase of getting a debian 
system working with 2.6.0 (with devfs and a 
reiserfs root)

I've got to sort out the initrd next. I've not needed
it before so I'm on a cold start. First question is
how to do the least damage to the debian setup. If I
just replace /usr/sbin/mkinitrd, it is going to get
overwritten the next time I do an upgrade.

Secondly, all of the examples I find are somewhat
different. Steve's patch in the HOWTO is for a
very different looking RH file so it's hard to
tell what he actually needs. Colin's July 17 looks
reasonable and I'll probably start with that... but
I am worried about the issues with debian packages.

Colin? Russ? What approach do you suggest?

BTW: I'm using Colin's policy default with a few
fixes to let syslog-ng work. Russell's set is too
divergent from Colin's for me to use it unless they've
synced up recently.

-- 
------------------------------------------------------
       IN MY NAME:            Dale Amon, CEO/MD
  No Mushroom clouds over     Islandone Society
    London and New York.      www.islandone.org
------------------------------------------------------

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: rfs xattr's, mkinitrd and other stories

[Stephen Smalley]

On Wed, 2003-09-10 at 12:48, Dale Amon wrote:
> So I'm on to the next phase of getting a debian 
> system working with 2.6.0 (with devfs and a 
> reiserfs root)

devfs will require a patch to support labeling, and appears to be
obsolete in 2.6.

> Secondly, all of the examples I find are somewhat
> different. Steve's patch in the HOWTO is for a
> very different looking RH file so it's hard to
> tell what he actually needs. Colin's July 17 looks
> reasonable and I'll probably start with that... but
> I am worried about the issues with debian packages.

The mkinitrd script needs to copy the policy file and load_policy
program onto the initrd, and the /linuxrc script that is placed on the
initrd needs to mount selinuxfs and run load_policy before the root
filesystem is mounted.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: rfs xattr's, mkinitrd and other stories

[Dale Amon]

On Wed, Sep 10, 2003 at 01:02:23PM -0400, Stephen Smalley wrote:
> devfs will require a patch to support labeling, and appears to be
> obsolete in 2.6.

How so? It's still marked experimental in fact. devpts has been
made independant but I can't imagine why devfs would ever be
removed. If anything it is superseding the old static /dev.

As to the patch, I'm not sure what is needed there. I do know
I have an /etc/devfsd/conf.d/selinux that is used at boot time.
I've had some problems with it and disabled that temporarily to
avoid the /lib/devfsd/devfs-se.so error messages at boot time.

So what next? Try to get Richard Gooch's attention? 
 
> The mkinitrd script needs to copy the policy file and load_policy
> program onto the initrd, and the /linuxrc script that is placed on the
> initrd needs to mount selinuxfs and run load_policy before the root
> filesystem is mounted.

I'm still worried about what happens after the next apt-get or dselect
If it restores the standard mkinitrd during an upgrade and I don't
notice before rebooting... could be nasty.

I supposed I could make it /usr/local/sbin/mkinitrd if the path 
search order during early boot up happens to include that before
/usr/sbin.

That's why I'm wondering what Colin or Russ' thoughts are on the
matter.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: rfs xattr's, mkinitrd and other stories

[Stephen Smalley]

On Wed, 2003-09-10 at 13:59, Dale Amon wrote:
> How so? It's still marked experimental in fact. devpts has been
> made independant but I can't imagine why devfs would ever be
> removed. If anything it is superseding the old static /dev.

See ftp://ftp.kernel.org/pub/linux/kernel/people/akpm/patches/2.6/2.6.0-test5/2.6.0-test5-mm1/broken-out/mark-devfs-obsolete.patch

And the related discussions on lkml.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: rfs xattr's, mkinitrd and other stories

[Chris PeBenito]

Is there going to be any work getting the handler for the 2.4?  I tried
to add it on to Jeff's 2.4 patches on ftp.suse.com, but was
unsuccessful.

On Wed, 2003-09-10 at 11:48, Dale Amon wrote:
> If anyone is interested, I've worked with Jeff Mahoney 
> and Steve Smalley and between us we've got what should
> be the necessary patches for using selinux with
> reiserfs on 2.6.0 kernels. They are availabe here and
> possibly on the Suse site by now:
> 
>  http://www.unixthugs.org/~jeffm/technical/reiserfs/aclea/2.6.0-test4/

-- 
Chris PeBenito
<pebenito@gentoo.org>
Developer, SELinux
Hardened Gentoo Linux
 
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A  CB00 BC8E E42D E6AF 9243

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: rfs xattr's, mkinitrd and other stories

[Dale Amon]

On Wed, Sep 10, 2003 at 02:03:19PM -0500, Chris PeBenito wrote:
> Is there going to be any work getting the handler for the 2.4?  I tried
> to add it on to Jeff's 2.4 patches on ftp.suse.com, but was
> unsuccessful.

Hmmm... I shouldn't think it should be too hard to do that,
assuming the format of handlers is similar. The 2.6 one was
pretty straight forward.

I'll take a look. Supper first though :-)

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: rfs xattr's, mkinitrd and other stories

[Chris PeBenito]

On Wed, 2003-09-10 at 14:10, Dale Amon wrote:
> Hmmm... I shouldn't think it should be too hard to do that,
> assuming the format of handlers is similar. The 2.6 one was
> pretty straight forward.
> 
> I'll take a look. Supper first though :-)

On Wed, 2003-09-10 at 14:11, Stephen Smalley wrote: 
> You should just be able to copy the trusted handler and tweak it
> slightly for the "security." namespace.

This afternoon, I tried using the 2.6 handlers to no avail.  I also
tried copying the trusted one a while back (yes, I remembered to change
the prefix), and removing the capability check, and they all resulted
the same way.  

If you ls --context, it came up null for the context, and if you do a
touch, the process hangs.  I have the appropriate change in super.c and
reiserfs_xattr.h.  I also adjusted the reiserfs_fs_sb.h, as theres a
mention by the trusted handler of making the xattrs 'always on', so I
made sure the xattrs are always on for the security labels too.  I think
there is just some little bit that I'm overlooking.

-- 
Chris PeBenito
<pebenito@gentoo.org>
Developer, SELinux
Hardened Gentoo Linux
 
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A  CB00 BC8E E42D E6AF 9243

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: rfs xattr's, mkinitrd and other stories

[Dale Amon]

On Wed, Sep 10, 2003 at 02:38:54PM -0500, Chris PeBenito wrote:
> If you ls --context, it came up null for the context, and if you do a
> touch, the process hangs.  I have the appropriate change in super.c and
> reiserfs_xattr.h.  I also adjusted the reiserfs_fs_sb.h, as theres a
> mention by the trusted handler of making the xattrs 'always on', so I
> made sure the xattrs are always on for the security labels too.  I think
> there is just some little bit that I'm overlooking.

Hmmm... Keep in mind that this code, while simple and while eyeballed
by three people, has not been well tested even on 2.6. I do not
consider it out of the question that there is an error. 

I'm still in the alligator pit with 2.6 and Steve just chucked
another one in on me :-)

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: rfs xattr's, mkinitrd and other stories

[Stephen Smalley]

On Wed, 2003-09-10 at 15:03, Chris PeBenito wrote:
> Is there going to be any work getting the handler for the 2.4?  I tried
> to add it on to Jeff's 2.4 patches on ftp.suse.com, but was
> unsuccessful.

You should just be able to copy the trusted handler and tweak it
slightly for the "security." namespace.
 
-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: rfs xattr's, mkinitrd and other stories

[Colin Walters]

On Wed, 2003-09-10 at 12:48, Dale Amon wrote:

> I've got to sort out the initrd next. I've not needed
> it before so I'm on a cold start. First question is
> how to do the least damage to the debian setup. If I
> just replace /usr/sbin/mkinitrd, it is going to get
> overwritten the next time I do an upgrade.

That shouldn't be necessary if you're using the Debian mkinitrd scripts
I wrote.  It has hooks for dropping things in like this.

> Secondly, all of the examples I find are somewhat
> different. Steve's patch in the HOWTO is for a
> very different looking RH file so it's hard to
> tell what he actually needs. Colin's July 17 looks
> reasonable and I'll probably start with that... but
> I am worried about the issues with debian packages.

You shouldn't have to change anything at all, just install
selinux-policy-default.  I noticed there have been a few revisions to
mkinitrd in unstable since then, but last I checked it worked.

> Colin? Russ? What approach do you suggest?
> 
> BTW: I'm using Colin's policy default with a few
> fixes to let syslog-ng work. Russell's set is too
> divergent from Colin's for me to use it unless they've
> synced up recently.

I really need to find some time to do that.  Real life and other
projects have kind of been in the way, but I do hope to do it within a
week or so.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: rfs xattr's, mkinitrd and other stories

[Dale Amon]

On Wed, Sep 10, 2003 at 06:30:12PM -0400, Colin Walters wrote:
> That shouldn't be necessary if you're using the Debian mkinitrd scripts
> I wrote.  It has hooks for dropping things in like this.

Sounds good...
 
> You shouldn't have to change anything at all, just install
> selinux-policy-default.  I noticed there have been a few revisions to
> mkinitrd in unstable since then, but last I checked it worked.

Okay, So are you saying mkinitrd is good as is? Your 
selinux-policy-default is installed. I guess I'll have to 
go read /usr/sbin/mkinitrd to see what you've done.
 
> I really need to find some time to do that.  Real life and other
> projects have kind of been in the way, but I do hope to do it within a
> week or so.

Not a big rush. With the devfs problem now staring at me it
may well *be* a week or two before this even comes on my
radar again. The policy I've patched up from an install of
yours should be just fine for testing.

Isn't arrow head collecting fun?

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: rfs xattr's, mkinitrd and other stories

[Dale Amon]

On Wed, Sep 10, 2003 at 06:30:12PM -0400, Colin Walters wrote:
> You shouldn't have to change anything at all, just install
> selinux-policy-default.  I noticed there have been a few revisions to
> mkinitrd in unstable since then, but last I checked it worked.

Okay, I see what you've done. mkinitrd loads /etc/mkinitrd/mkinitrd.conf
which calls /etc/mkinitrd/scripts/selinux.

Good show. Since that issue is all sorted, I just have
to read the man page again to make sure I'm doing it
right.

That should be one more dead gator in the 2.6.0 swamp 
then. :-)

--
------------------------------------------------------
       IN MY NAME:            Dale Amon, CEO/MD
  No Mushroom clouds over     Islandone Society
    London and New York.      www.islandone.org
------------------------------------------------------

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: rfs xattr's, mkinitrd and other stories

[Dale Amon]

On Thu, Sep 11, 2003 at 12:05:19AM +0100, Dale Amon wrote:
> Okay, I see what you've done. mkinitrd loads /etc/mkinitrd/mkinitrd.conf
> which calls /etc/mkinitrd/scripts/selinux.

Okay, next round of questions. According to Steve's HOWTO, the
line

	none /selinux selinuxfs defaults 0 0

goes into the /etc/fstab to cause this file to mount. However
Debian mkinitrd defaults to cramfs and also states it requires
a debian dist patched kernel.

I'm left with these questions:

* what is an selinuxfs???
* where do I find the cramfs patches. I don't use packaged
  kernels. I roll my own no-module jobbies.
* what should dst be?
	mkinitrd -o dst

I'm going to go back and look over Steve's howto again and
see if I can figure how to relate it to your debian set up.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: rfs xattr's, mkinitrd and other stories

[Dale Amon]

On Thu, Sep 11, 2003 at 12:34:24AM +0100, Dale Amon wrote:
> * what should dst be?
> 	mkinitrd -o dst

Actually, I presume this gets done on bootup as

	mkinitrd -o /selinux

if I understand what is going on... which still
leaves me wondering about selinuxfs which I had
not run across before. Or does the boot up do this:

   mkinitrd -m "make an selinuxfs cmdstr" -o /selinux


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: rfs xattr's, mkinitrd and other stories

[Russell Coker]

On Thu, 11 Sep 2003 09:34, Dale Amon wrote:
> Okay, next round of questions. According to Steve's HOWTO, the
> line
>
> 	none /selinux selinuxfs defaults 0 0
>
> goes into the /etc/fstab to cause this file to mount. However
> Debian mkinitrd defaults to cramfs and also states it requires
> a debian dist patched kernel.

none                    /selinux                selinuxfs       noauto  0 0

Currently on my main development UML I have the above in /etc/fstab and the 
below as a start script.  I also have a version of the below script with 
"exec /sbin/init" in /sbin/se-init, so if I boot my machine with
"init=/sbin/se-init" on the kernel command line then it loads the policy 
before running init.  This makes it usable on a machine without an initrd.

#!/bin/sh -e

mount -n /selinux
/usr/sbin/load_policy /etc/security/selinux/policy.15
if [ -f /selinux/enforce ]; then
  echo 1 > /selinux/enforce
else
  echo "Can't set enforcing mode"
fi

> I'm left with these questions:
>
> * what is an selinuxfs???

A special file system for SE Linux related entries.  I can't understand why it 
wasn't just made part of /proc, Steve, perhaps you could explain.

> * where do I find the cramfs patches. I don't use packaged
>   kernels. I roll my own no-module jobbies.

Nothing special needs to be done for cramfs.  But I suggest not using it.  
cramfs has a long history of being broken in kernels from ftp.kernel.org, 
it's not well supported upstream, and for most things you want to do there 
are other file systems that do it better.  I suggest using a gzip compressed 
romfs, it will be considerably smaller than cramfs for the same file storage 
and work more reliably.

> * what should dst be?
> 	mkinitrd -o dst
>
> I'm going to go back and look over Steve's howto again and
> see if I can figure how to relate it to your debian set up.

The Debian mkinitrd is more flexible than the Red Hat one.  So once you have 
the correct scripts dropped in place (as Colin's package does) then you just 
create an initrd in the regular fashion.  For Red Hat a patch to mkinitrd was 
shipped because there is no other way to do it.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: rfs xattr's, mkinitrd and other stories

[Stephen Smalley]

On Wed, 2003-09-10 at 20:48, Russell Coker wrote:
> none                    /selinux                selinuxfs       noauto  0 0

Why noauto?  It needs to be mounted if you are running SELinux, and it
will just fail with a warning if the kernel doesn't have SELinux
enabled.

> A special file system for SE Linux related entries.  I can't understand why it 
> wasn't just made part of /proc, Steve, perhaps you could explain.

Misuse of /proc isn't viewed favorably by the kernel developers.  The
preferred approach is to create your own pseudo filesystem type. 
selinuxfs was based on the nfsd pseudo filesystem in 2.5/6.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: rfs xattr's, mkinitrd and other stories

[Russell Coker]

On Thu, 11 Sep 2003 21:47, Stephen Smalley wrote:
> On Wed, 2003-09-10 at 20:48, Russell Coker wrote:
> > none                    /selinux                selinuxfs       noauto  0
> > 0
>
> Why noauto?  It needs to be mounted if you are running SELinux, and it
> will just fail with a warning if the kernel doesn't have SELinux
> enabled.

When booting without an initrd I have to mount it before init is run.  This 
means that I have two options, "mount -n" or mounting the root fs rw to allow 
writing to /etc/mtab and then umounting it again (for a possible fsck).  
However if the file system is inconsistent then this would be a bad idea, so 
"mount -n" seems the only option for a non-initrd system.

Using "mount -n" means that "mount -a" will try to mount it again if it is set 
for auto-mount, so "noauto" solves this (as long as there is an explicit 
mount command).

> > A special file system for SE Linux related entries.  I can't understand
> > why it wasn't just made part of /proc, Steve, perhaps you could explain.
>
> Misuse of /proc isn't viewed favorably by the kernel developers.  The
> preferred approach is to create your own pseudo filesystem type.
> selinuxfs was based on the nfsd pseudo filesystem in 2.5/6.

So instead of having a dozen different sub-directories of /proc we'll have a 
dozen different file systems to be individually mounted, umounted, and 
tracked.  This does not seem to be a benefit to me.  Of course my opinion 
counts for nothing in this debate even though I'm the one that'll do much of 
the user-space work of supporting this.  :(

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: rfs xattr's, mkinitrd and other stories

[Dale Amon]

On Thu, Sep 11, 2003 at 10:48:16AM +1000, Russell Coker wrote:
> are other file systems that do it better.  I suggest using a gzip compressed 
> romfs, it will be considerably smaller than cramfs for the same file storage 
> and work more reliably.
> 
> The Debian mkinitrd is more flexible than the Red Hat one.  So once you have 
> the correct scripts dropped in place (as Colin's package does) then you just 
> create an initrd in the regular fashion.  For Red Hat a patch to mkinitrd was 
> shipped because there is no other way to do it.

Do you edit /etc/mkinitrd/mkinitrd.conf to change
	MKIMAGE='mkcramfs %s %s > /dev/null'
to
	MKIMAGE='genromfs -d %s -f %s > /dev/null'

then? Or do you just do it all manually?



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: rfs xattr's, mkinitrd and other stories

[Russell Coker]

On Sat, 13 Sep 2003 00:21, Dale Amon wrote:
> Do you edit /etc/mkinitrd/mkinitrd.conf to change
> 	MKIMAGE='mkcramfs %s %s > /dev/null'
> to
> 	MKIMAGE='genromfs -d %s -f %s > /dev/null'

MKIMAGE='genromfs -f /dev/fd/1 -d %s | gzip -9 > %s'

I use the above to gzip compress it in the same command (an uncompressed gzip 
is no good).

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: rfs xattr's, mkinitrd and other stories

[Dale Amon]

On Sat, Sep 13, 2003 at 01:00:49AM +1000, Russell Coker wrote:
> MKIMAGE='genromfs -f /dev/fd/1 -d %s | gzip -9 > %s'
> I use the above to gzip compress it in the same command (an uncompressed gzip 
> is no good).

Either way I get:

	RAMDISK: rom filesystem found at block 0
	RAMDISK: Loading 2815 blocks [1 disk] into ram disk... done.
	freeing initrd memory: 2815k freed
	sh-2021: reiserfs_fill_super: cannot find reiserfs on ram0
	Kernel panic: VFS: unable to mount root files system on sda2

at which point I have to reboot into my safety kernel for further
testing. I set things up with: 

	mkinitrd /boot.romfs

and have in lilo.conf

	append="selinux=1"
	initrd=/boot.romfs

and your fstab line in /etc/fstab. A manual mount of an unzipped boot.romfs
looks quiet reasonable. I presume something is going bonkers during the
pivot to sda2, but I can't really prove the initrd /linuxrc did anything.




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: rfs xattr's, mkinitrd and other stories

[Dale Amon]

On Fri, Sep 12, 2003 at 05:06:13PM +0100, Dale Amon wrote:
> 	mkinitrd /boot.romfs

Er, I meant:
	mkinitrd -o /boot.romfs


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: rfs xattr's, mkinitrd and other stories

[Russell Coker]

On Sat, 13 Sep 2003 02:06, Dale Amon wrote:
> On Sat, Sep 13, 2003 at 01:00:49AM +1000, Russell Coker wrote:
> > MKIMAGE='genromfs -f /dev/fd/1 -d %s | gzip -9 > %s'
> > I use the above to gzip compress it in the same command (an uncompressed
> > gzip is no good).
>
> Either way I get:
>
> 	RAMDISK: rom filesystem found at block 0
> 	RAMDISK: Loading 2815 blocks [1 disk] into ram disk... done.
> 	freeing initrd memory: 2815k freed
> 	sh-2021: reiserfs_fill_super: cannot find reiserfs on ram0
> 	Kernel panic: VFS: unable to mount root files system on sda2
>
> at which point I have to reboot into my safety kernel for further
> testing. I set things up with:

Looks like you didn't compile in ROMFS support in your kernel.  You have to 
have CONFIG_ROMFS_FS=y.

It's not an SE Linux issue so it's probably best if we take discussion off the 
list.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: rfs xattr's, mkinitrd and other stories

[Stephen Smalley]

On Wed, 2003-09-10 at 19:34, Dale Amon wrote:
> Okay, next round of questions. According to Steve's HOWTO, the
> line
> 
> 	none /selinux selinuxfs defaults 0 0
> 
> goes into the /etc/fstab to cause this file to mount. However
> Debian mkinitrd defaults to cramfs and also states it requires
> a debian dist patched kernel.
> 
> I'm left with these questions:
> 
> * what is an selinuxfs???

It isn't the initrd filesystem.  selinuxfs is a pseudo filesystem that
exports the security policy API to userspace.  The /linuxrc script on
the initrd needs to mount it in order to perform the initial policy
load, and you also want it mounted on the real root (which is why we put
it in /etc/fstab) for use by the SELinux-patched programs (e.g. login).
See my slides from the 2003 OLS SELinux BOF, available from
http://www.nsa.gov/selinux/docs.html, for a discussion of the API
changes for 2.5/6.  

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: rfs xattr's, mkinitrd and other stories

[Dale Amon]

I've got it sorted and the answers may be useful to
others. 

1) Don't enable BOTH cramfs and romfs if you are
   using romfs for your initrd image. initrd seems
   to default to cramfs if it is in the kernel.
   This was very unobvious from the error output.

2) Make sure you enable the shm pseudo file system
   so that tmpfs exists.

I'll try to find some time to write up the details
of getting initrd running on a 2.6.0 kernel under
a Debian dist. 

First I've got a *&^%$ load of avc's. And I still
have to prove my attribute handler kernel patch
works.

-- 
------------------------------------------------------
       IN MY NAME:            Dale Amon, CEO/MD
  No Mushroom clouds over     Islandone Society
    London and New York.      www.islandone.org
------------------------------------------------------

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.