* 2.6.0-test6 boot process failures
@ 2003-10-07 21:03 Tom
  2003-10-07 22:52 ` Chris PeBenito
  2003-10-08  3:41 ` Russell Coker
  0 siblings, 2 replies; 11+ messages in thread
From: Tom @ 2003-10-07 21:03 UTC (permalink / raw)
  To: selinux

I have a few weird dynamic linker "libselinux.so not found" errors during 
bootup, even though libselinux.so is on the initrd image, the policy
loads correctly and everything seems to work fine.

The only thing I can think about is that libselinux.so is in /usr/lib
and that is on a separate partition, (/usr is).

Is it possible - I'm not familiar with the details of the boot process
- that somewhere in between it loses access to the initrd /usr/lib but
before it has mounted all the other partitions?

If so - how do I work around this?


Btw: Russell, I tried to mail you directly, but your mailserver doesn't
like my dialup-IP: Collin already made a script and that works just
fine. I tried replacing it with yours and that broke my initrd, but
that may as well have been my mistake. Well, at least it's not
drop-in-be-happy - should I do more testing? Tell me what to do, boot
details are beyond me.


-- 
http://web.lemuria.org/pubkey.html
pub  1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
     Key fingerprint = C731 64D1 4BCF 4C20 48A4  29B2 BF01 9FA1 2D7A 04F5

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: 2.6.0-test6 boot process failures
  2003-10-07 21:03 2.6.0-test6 boot process failures Tom
@ 2003-10-07 22:52 ` Chris PeBenito
  2003-10-08  3:39   ` Russell Coker
  2003-10-08 13:26   ` Stephen Smalley
  2003-10-08  3:41 ` Russell Coker
  1 sibling, 2 replies; 11+ messages in thread
From: Chris PeBenito @ 2003-10-07 22:52 UTC (permalink / raw)
  To: Tom; +Cc: SELinux Mail List


On Tue, 2003-10-07 at 16:03, Tom wrote:
> I have a few weird dynamic linker "libselinux.so not found" errors during 
> bootup, even though libselinux.so is on the initrd image, the policy
> loads correctly and everything seems to work fine.
> 
> The only thing I can think about is that libselinux.so is in /usr/lib
> and that is on a separate partition, (/usr is).
> 
> Is it possible - I'm not familiar with the details of the boot process
> - that somewhere in between it loses access to the initrd /usr/lib but
> before it has mounted all the other partitions?

Actually a Gentoo user reported this to me a couple days ago.  Yeah, it's
because /usr/ is a separate partition.  I'm not familiar with the Debian
initrd-tools, but I would assume that it pivot_root's at the end of the
initrd script, and then it does an exec /sbin/init.  After the
pivot_root, /usr/lib doesn't point to the initrd, since root is not the
real root, not the initrd root.  And since your /usr is a separate
partition, if something that's linked against libselinux.so is used
before /usr is mounted, you get that error.

BTW, you don't need the libraries on the initrd, because load_policy is
a static executable.

For Gentoo, I used the attached patch on libselinux to make it install
to /lib.

On a side note, I noticed that all of the coreutils programs were
mysteriously linked against libselinux for some reason (as reported by
ldd).  I don't know yet why this is happening.  Is this happening to
other people's systems?

-- 
Chris PeBenito
<pebenito@gentoo.org>
Developer, SELinux
Hardened Gentoo Linux
 
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A  CB00 BC8E E42D E6AF 9243

[-- Attachment #2: libselinux-1.2-movelibs.diff --]
[-- Type: text/x-patch, Size: 359 bytes --]

diff -urN libselinux-1.2.orig/src/Makefile libselinux-1.2/src/Makefile
--- libselinux-1.2.orig/src/Makefile	2003-08-27 10:36:19.000000000 -0500
+++ libselinux-1.2/src/Makefile	2003-10-06 11:38:38.000000000 -0500
@@ -1,5 +1,5 @@
 # Installation directories.
-PREFIX ?= $(DESTDIR)/usr
+PREFIX ?= $(DESTDIR)/
 LIBDIR ?= $(PREFIX)/lib
 
 LIBVERSION = 1
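
Review bot: Changing `PREFIX` on the `+PREFIX ?= $(DESTDIR)/` line moves every path derived from PREFIX, not only the library, and with the trailing slash the unchanged `LIBDIR ?= $(PREFIX)/lib` line expands to `$(DESTDIR)//lib`. If the goal is only to install libselinux.so under /lib, leave PREFIX as `$(DESTDIR)/usr` and change the LIBDIR line to `LIBDIR ?= $(DESTDIR)/lib`; whether other install targets also use PREFIX is not visible in this hunk.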


* Re: 2.6.0-test6 boot process failures
  2003-10-07 22:52 ` Chris PeBenito
@ 2003-10-08  3:39   ` Russell Coker
  2003-10-08  7:54     ` Tom
  2003-10-08 13:23     ` Stephen Smalley
  2003-10-08 13:26   ` Stephen Smalley
  1 sibling, 2 replies; 11+ messages in thread
From: Russell Coker @ 2003-10-08  3:39 UTC (permalink / raw)
  To: Chris PeBenito, Tom; +Cc: SELinux Mail List

On Wed, 8 Oct 2003 08:52, Chris PeBenito wrote:
> > Is it possible - I'm not familiar with the details of the boot process
> > - that somewhere in between it loses access to the initrd /usr/lib but
> > before it has mounted all the other partitions?
>
> Actually a Gentoo user reported this to me a couple days ago.  Yeah, it's
> because /usr/ is a separate partition.  I'm not familiar with the Debian
> initrd-tools, but I would assume that it pivot_root's at the end of the
> initrd script, and then it does an exec /sbin/init.  After the

Yes, this is a bug, and your analysis is correct.

Programs in /sbin or /bin must NEVER be linked against shared objects in
/usr/lib .  As /bin/ps, /bin/ls, and /lib/security/pam_selinux.so are linked 
against libselinux.so, libselinux.so should go into /lib.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
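
An added example, not part of the original thread or any poster's code: a shell check for the rule stated in the message above, reporting dependencies of /bin and /sbin programs that resolve under /usr or fail to resolve. The function names and the two sample `ldd` listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: find early-boot binaries whose shared libraries live under /usr.

# usr_deps: read `ldd` output on stdin; print one line per dependency that
# resolves under /usr/ or does not resolve at all ("not found").
usr_deps() {
    awk '
        $2 == "=>" && $3 == "not" && $4 == "found" { print $1 " MISSING"; next }
        $2 == "=>" && $3 ~ /^\/usr\//              { print $1 " " $3 }
    '
}

# audit_dirs: run ldd on each regular executable in the given directories and
# print "binary: soname path" for every offending dependency.
# ldd can execute code from the file it inspects, so point this only at
# trusted system directories.
audit_dirs() {
    for dir in "$@"; do
        for f in "$dir"/*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            ldd "$f" 2>/dev/null | usr_deps | awk -v b="$f" '{ print b ": " $0 }'
        done
    done
}

# Constructed ldd output for a binary linked like the /bin/ls in the thread,
# taken with /usr mounted.
sample_ldd() {
    cat <<'EOF'
	libselinux.so.1 => /usr/lib/libselinux.so.1 (0x40021000)
	libc.so.6 => /lib/libc.so.6 (0x40030000)
	/lib/ld-linux.so.2 (0x40000000)
EOF
}

# The same binary as the dynamic linker sees it before /usr is mounted (constructed).
sample_ldd_early() {
    cat <<'EOF'
	libselinux.so.1 => not found
	libc.so.6 => /lib/libc.so.6 (0x40030000)
EOF
}

sample_ldd | usr_deps
sample_ldd_early | usr_deps
# On a real system: audit_dirs /bin /sbin /lib/security
```

Any line of output names a library that has to move to /lib before the binary can be relied on ahead of the /usr mount.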



* Re: 2.6.0-test6 boot process failures
  2003-10-07 21:03 2.6.0-test6 boot process failures Tom
  2003-10-07 22:52 ` Chris PeBenito
@ 2003-10-08  3:41 ` Russell Coker
  2003-10-08  8:00   ` Tom
  1 sibling, 1 reply; 11+ messages in thread
From: Russell Coker @ 2003-10-08  3:41 UTC (permalink / raw)
  To: Tom, selinux

On Wed, 8 Oct 2003 07:03, Tom wrote:
> Collin already made a script and that works just
> fine. I tried replacing it with yours and that broke my initrd, but
> that may as well have been my mistake. Well, at least it's not
> drop-in-be-happy - should I do more testing? Tell me what to do, boot
> details are beyond me.

I'm not really surprised that my script didn't work - I had never tested it 
and you don't expect untested code to work.

Where's Colin's script?

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



* Re: 2.6.0-test6 boot process failures
  2003-10-08  3:39   ` Russell Coker
@ 2003-10-08  7:54     ` Tom
  2003-10-08 13:23     ` Stephen Smalley
  1 sibling, 0 replies; 11+ messages in thread
From: Tom @ 2003-10-08  7:54 UTC (permalink / raw)
  To: SELinux Mail List

On Wed, Oct 08, 2003 at 01:39:14PM +1000, Russell Coker wrote:
> Yes, this is a bug, and your analysis is correct.
> 
> Programs in /sbin or /bin must NEVER be linked against shared objects in
> /usr/lib .  As /bin/ps, /bin/ls, and /lib/security/pam_selinux.so are linked 
> against libselinux.so, libselinux.so should go into /lib.

I moved libselinux.so to /lib and all my boot problems have gone poof.

Therefore, I second that libselinux.so should go into /lib

-- 
http://web.lemuria.org/pubkey.html
pub  1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
     Key fingerprint = C731 64D1 4BCF 4C20 48A4  29B2 BF01 9FA1 2D7A 04F5


* Re: 2.6.0-test6 boot process failures
  2003-10-08  3:41 ` Russell Coker
@ 2003-10-08  8:00   ` Tom
  2003-10-08  9:43     ` Russell Coker
  0 siblings, 1 reply; 11+ messages in thread
From: Tom @ 2003-10-08  8:00 UTC (permalink / raw)
  To: selinux

On Wed, Oct 08, 2003 at 01:41:12PM +1000, Russell Coker wrote:
> I'm not really surprised that my script didn't work - I had never tested it 
> and you don't expect untested code to work.
> 
> Where's Colin's script?

It's in his selinux-policy-default package. Here's the script:

#!/bin/sh -e
# Install binary policy file and load_policy utility for loading it.
test -n "$INITRDDIR"
mkdir -p "$INITRDDIR"/selinux
mkdir -p "$INITRDDIR"/etc/security/selinux
mkdir -p "$INITRDDIR"/scripts
cp -a /etc/security/selinux/policy.15 "$INITRDDIR/etc/security/selinux/policy.15"
cp -a /usr/sbin/load_policy "$INITRDDIR/bin/load_policy"
cp -a /usr/share/selinux/initrd-script "$INITRDDIR/scripts/selinux"


-- 
http://web.lemuria.org/pubkey.html
pub  1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
     Key fingerprint = C731 64D1 4BCF 4C20 48A4  29B2 BF01 9FA1 2D7A 04F5


* Re: 2.6.0-test6 boot process failures
  2003-10-08  8:00   ` Tom
@ 2003-10-08  9:43     ` Russell Coker
  0 siblings, 0 replies; 11+ messages in thread
From: Russell Coker @ 2003-10-08  9:43 UTC (permalink / raw)
  To: Tom, selinux

On Wed, 8 Oct 2003 18:00, Tom wrote:
> > Where's Colin's script?
>
> It's in his selinux-policy-default package. Here's the script:

OK, I've just released a new version of my selinux-policy-default package with 
this.  I have made a few changes; the noteworthy change is that I check for 
the policy version, so the same script will work for the old SE Linux (apart 
from trying to mount /selinux which I forgot), the new SE Linux, and future 
releases.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page



* Re: 2.6.0-test6 boot process failures
  2003-10-08  3:39   ` Russell Coker
  2003-10-08  7:54     ` Tom
@ 2003-10-08 13:23     ` Stephen Smalley
  1 sibling, 0 replies; 11+ messages in thread
From: Stephen Smalley @ 2003-10-08 13:23 UTC (permalink / raw)
  To: Russell Coker; +Cc: Chris PeBenito, Tom, SELinux Mail List, Daniel J Walsh

On Tue, 2003-10-07 at 23:39, Russell Coker wrote:
> Yes, this is a bug, and your analysis is correct.
> 
> Programs in /sbin or /bin must NEVER be linked against shared objects in
> /usr/lib .  As /bin/ps, /bin/ls, and /lib/security/pam_selinux.so are linked 
> against libselinux.so, libselinux.so should go into /lib.

Ok, I'll adjust the upstream Makefile accordingly, but Dan will need to
update the RPM spec file.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



* Re: 2.6.0-test6 boot process failures
  2003-10-07 22:52 ` Chris PeBenito
  2003-10-08  3:39   ` Russell Coker
@ 2003-10-08 13:26   ` Stephen Smalley
  2003-10-08 16:12     ` Chris PeBenito
  1 sibling, 1 reply; 11+ messages in thread
From: Stephen Smalley @ 2003-10-08 13:26 UTC (permalink / raw)
  To: Chris PeBenito; +Cc: Tom, SELinux Mail List, Daniel J Walsh

On Tue, 2003-10-07 at 18:52, Chris PeBenito wrote:
> On a side note, I noticed that all of the coreutils programs were
> mysteriously linked against libselinux for some reason (as reported by
> ldd).  I don't know yet why this is happening.  Is this happening to
> other people's systems?

Sorry, why is this surprising given the coreutils selinux patch?
Or do you mean that even coreutils programs that aren't patched for
SELinux are also showing up with dependencies on libselinux?  
The coreutil-selinux.patch does add -lselinux to the LDADD line in
the Makefile.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency



* Re: 2.6.0-test6 boot process failures
  2003-10-08 13:26   ` Stephen Smalley
@ 2003-10-08 16:12     ` Chris PeBenito
  2003-10-08 16:14       ` Chris PeBenito
  0 siblings, 1 reply; 11+ messages in thread
From: Chris PeBenito @ 2003-10-08 16:12 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Tom, SELinux Mail List, Daniel J Walsh

On Wed, 2003-10-08 at 08:26, Stephen Smalley wrote:
> On Tue, 2003-10-07 at 18:52, Chris PeBenito wrote:
> > On a side note, I noticed that all of the coreutils programs were
> > mysteriously linked against libselinux for some reason (as reported by
> > ldd).  I don't know yet why this is happening.  Is this happening to
> > other people's systems?
> 
> Sorry, why is this surprising given the coreutils selinux patch?
> Or do you mean that even coreutils programs that aren't patched for
> SELinux are also showing up with dependencies on libselinux?  
> The coreutil-selinux.patch does add -lselinux to the LDADD line in
> the Makefile.

Every single binary.  Even the ones that aren't patched, such as uname
and yes.  See the attached ldd outputs.  This happens on both my x86 and
PPC.

-- 
Chris PeBenito
<pebenito@gentoo.org>
Developer, SELinux
Hardened Gentoo Linux
 
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A  CB00 BC8E E42D E6AF 9243


* Re: 2.6.0-test6 boot process failures
  2003-10-08 16:12     ` Chris PeBenito
@ 2003-10-08 16:14       ` Chris PeBenito
  0 siblings, 0 replies; 11+ messages in thread
From: Chris PeBenito @ 2003-10-08 16:14 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Tom, SELinux Mail List, Daniel J Walsh


On Wed, 2003-10-08 at 11:12, Chris PeBenito wrote:
> and yes.  See the attached ldd outputs.  This happens on both my x86 and
> PPC.

Hmm, it would help if I actually attached it.

-- 
Chris PeBenito
<pebenito@gentoo.org>
Developer, SELinux
Hardened Gentoo Linux
 
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A  CB00 BC8E E42D E6AF 9243

[-- Attachment #2: typescript.gz --]
[-- Type: application/x-gzip, Size: 813 bytes --]
