at last: info regarding boot problems on multiple partitions

at last: info regarding boot problems on multiple partitions

[Luke Kenneth Casson Leighton]

FINALLY i got a useable system when i encountered a boot problem
[well, i got a console login].

the issue is that partitions fail to be mounted.

i had noticed over a period of time that programs like pump and dhclient
and some others would stop partitions from being unmounted during
shutdown.

[remember i have /boot, /, /usr, /var and /home]

for some reason, this also caused the partitions to fail to MOUNT on
startup.

just now i was able to log in.

audit2allow shows these:

	allow local_login_t file_t:dir { search }
	allow rpcd_t file_t:dir { search }.

and, sure enough, doing a ls -Z /usr shows that it is, in fact, set to
file_t.

the question is, therefore... why?

i figure it must be because i have that partition mounted.

consequently, the context of the mount point, /usr, never gets set
to a correct context because, of course, make relabel is only ever
run with all partitions mounted.

so.

my question is:

	how do i restore the context of a mount-point....
	whilst it's actually mounted!

l.

-- 
--
Truth, honesty and respect are rare commodities that all spring from
the same well: Love.  If you love yourself and everyone and everything
around you, funnily and coincidentally enough, life gets a lot better.
--
<a href="http://lkcl.net">      lkcl.net      </a> <br />
<a href="mailto:lkcl@lkcl.net"> lkcl@lkcl.net </a> <br />


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: at last: info regarding boot problems on multiple partitions

[Stephen Smalley]

On Wed, 2004-09-08 at 18:49, Luke Kenneth Casson Leighton wrote:
> FINALLY i got a useable system when i encountered a boot problem
> [well, i got a console login].
> 
> the issue is that partitions fail to be mounted.
> 
> i had noticed over a period of time that programs like pump and dhclient
> and some others would stop partitions from being unmounted during
> shutdown.
> 
> [remember i have /boot, /, /usr, /var and /home]
> 
> for some reason, this also caused the partitions to fail to MOUNT on
> startup.
> 
> just now i was able to log in.
> 
> audit2allow shows these:
> 
> 	allow local_login_t file_t:dir { search }
> 	allow rpcd_t file_t:dir { search }.
> 
> and, sure enough, doing a ls -Z /usr shows that it is, in fact, set to
> file_t.
> 
> the question is, therefore... why?
> 
> i figure it must be because i have that partition mounted.
> 
> consequently, the context of the mount point, /usr, never gets set
> to a correct context because, of course, make relabel is only ever
> run with all partitions mounted.
> 
> so.
> 
> my question is:
> 
> 	how do i restore the context of a mount-point....
> 	whilst it's actually mounted!

You can't.  And you should't need to do so, as nothing should require
access to the empty mount point directory except for mount itself, which
has access to search and mounton file_t.  What good would it do to allow
login or others to search the empty mount point when it is empty
anyway?  They will fail regardless, just a difference between errno of
ENOENT and EACCES.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: at last: info regarding boot problems on multiple partitions

[Luke Kenneth Casson Leighton]

On Thu, Sep 09, 2004 at 08:22:33AM -0400, Stephen Smalley wrote:
> On Wed, 2004-09-08 at 18:49, Luke Kenneth Casson Leighton wrote:

> > my question is:
> > 
> > 	how do i restore the context of a mount-point....
> > 	whilst it's actually mounted!
> 
> You can't.  And you should't need to do so, as nothing should require
> access to the empty mount point directory except for mount itself, which
> has access to search and mounton file_t.  What good would it do to allow
> login or others to search the empty mount point when it is empty
> anyway?  They will fail regardless, just a difference between errno of
> ENOENT and EACCES.

okay, it can't be that then.

_something_ is stopping /usr from being remounted (when enforcing is on)
after a shutdown remounts it as read-only just before a halt/restart.

i can't be the only person who has - or will have - this problem.

l.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: at last: info regarding boot problems on multiple partitions

[Russell Coker]

On Thu, 9 Sep 2004 08:49, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> FINALLY i got a useable system when i encountered a boot problem
> [well, i got a console login].
>
> the issue is that partitions fail to be mounted.
>
> i had noticed over a period of time that programs like pump and dhclient
> and some others would stop partitions from being unmounted during
> shutdown.
>
> [remember i have /boot, /, /usr, /var and /home]
>
> for some reason, this also caused the partitions to fail to MOUNT on
> startup.

I've seen a very similar problem, but it was intermittent and didn't occur 
enough to let me debug it.  I'm not certain that I saw the same problem but 
the result of file systems not being mounted was similar.

I would be very interested in any further information you may find on this.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: at last: info regarding boot problems on multiple partitions

[Luke Kenneth Casson Leighton]

On Fri, Sep 10, 2004 at 02:33:47AM +1000, Russell Coker wrote:
> On Thu, 9 Sep 2004 08:49, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> > FINALLY i got a useable system when i encountered a boot problem
> > [well, i got a console login].
> >
> > the issue is that partitions fail to be mounted.
> >
> > i had noticed over a period of time that programs like pump and dhclient
> > and some others would stop partitions from being unmounted during
> > shutdown.
> >
> > [remember i have /boot, /, /usr, /var and /home]
> >
> > for some reason, this also caused the partitions to fail to MOUNT on
> > startup.
> 
> I've seen a very similar problem, but it was intermittent and didn't occur 
> enough to let me debug it.  

 yes, it is intermittent (being dependent on a program not terminating,
 thereby keeping /usr from being unmounted), and also cyclic.

 cyclic as in you run into the problem through a shutdown, then
 start up, then have to power down again to clear the problem,
 and your system is fine, but on shutdown it happens again.


 it's a pain, and i _think_ it's down to the banning of initrc_t
 from writing to /etc.

 i note that there's an audit message to attempt a touch on a file
 somewhere in /etc.

 if that causes a change in behaviour in one of the early boot-up
 scripts...



> I'm not certain that I saw the same problem but 
> the result of file systems not being mounted was similar.
 
 yes.

> I would be very interested in any further information you may find on this.

 will keep looking.

 l.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: at last: info regarding boot problems on multiple partitions

[Luke Kenneth Casson Leighton]

On Fri, Sep 10, 2004 at 02:33:47AM +1000, Russell Coker wrote:

> On Thu, 9 Sep 2004 08:49, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:

> > FINALLY i got a useable system when i encountered a boot problem
> > [well, i got a console login].
> >
> > the issue is that partitions fail to be mounted.
> >
> > i had noticed over a period of time that programs like pump and dhclient
> > and some others would stop partitions from being unmounted during
> > shutdown.
> >
> > [remember i have /boot, /, /usr, /var and /home]
> >
> > for some reason, this also caused the partitions to fail to MOUNT on
> > startup.
> 
> I've seen a very similar problem, but it was intermittent and didn't occur 
> enough to let me debug it.  I'm not certain that I saw the same problem but 
> the result of file systems not being mounted was similar.
> 
> I would be very interested in any further information you may find on this.

 okay.

 i re-enabled fbmngplay.

 i also added ps ax and lsof /usr to /etc/init.d/umount

 fbmngplay, the swine, has file handles open on /usr/lib/ - 
 libz, libmng, libjpeg and one other.

 fbmngplay is the program that does the animations.

 it's enough to cause a reproducible case.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: at last: info regarding boot problems on multiple partitions

[Luke Kenneth Casson Leighton]

On Fri, Sep 10, 2004 at 02:33:47AM +1000, Russell Coker wrote:
> On Thu, 9 Sep 2004 08:49, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> > FINALLY i got a useable system when i encountered a boot problem
> > [well, i got a console login].
> >
> > the issue is that partitions fail to be mounted.
> >
> > i had noticed over a period of time that programs like pump and dhclient
> > and some others would stop partitions from being unmounted during
> > shutdown.
> >
> > [remember i have /boot, /, /usr, /var and /home]
> >
> > for some reason, this also caused the partitions to fail to MOUNT on
> > startup.
> 
> I've seen a very similar problem, but it was intermittent and didn't occur 
> enough to let me debug it.  I'm not certain that I saw the same problem but 
> the result of file systems not being mounted was similar.
> 
> I would be very interested in any further information you may find on this.

 *urk*!

 i'm sitting here in bewilderment.

 Mounting local filesystems...
 SeLinix: initialized (dev hda1, type ext2) uses xattr
 same for hda6
 same for hda7

 /dev/hda1 on /boot type ext2 (rw)
 /dev/hda6 on /var type ext2 (rw)
 /dev/hda7 on /home type ext2 (rw)


 .... not a sausage about /dev/hda5!!!

 so the /usr partition isn't even mounted!!

 i'm going to re-run later in permissive mode.

 l.

 p.s. i might need to know how to get all "dontaudit" rules listed in
 the log files - anyone know how i can do this?


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: at last: info regarding boot problems on multiple partitions

[Luke Kenneth Casson Leighton]

On Thu, Sep 09, 2004 at 07:38:23PM +0100, Luke Kenneth Casson Leighton wrote:

> On Fri, Sep 10, 2004 at 02:33:47AM +1000, Russell Coker wrote:

> > On Thu, 9 Sep 2004 08:49, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> > > FINALLY i got a useable system when i encountered a boot problem
> > > [well, i got a console login].
> > >
> > > the issue is that partitions fail to be mounted.

>  Mounting local filesystems...
>  SeLinix: initialized (dev hda1, type ext2) uses xattr
>  same for hda6
>  same for hda7
> 
>  /dev/hda1 on /boot type ext2 (rw)
>  /dev/hda6 on /var type ext2 (rw)
>  /dev/hda7 on /home type ext2 (rw)
> 
> 
>  .... not a sausage about /dev/hda5!!!

okay, it was as i kind-of expected - that audit banning
write access of /bin/touch to /etc was wot done it.

that check is done in /etc/init.d/mountvirtfs.sh - it's a very
awful hack to check that /etc/mtab is on a writeable filesystem.

rather than check the file itself, mountvirtfs.sh checks that
the subdirectory is writeable - by attempting to touch it!

[which is of course banned under the selinux policy]

consequently, the test fails, and only if the test _succeeds_ does
mountvirtfs.sh delete /etc/mtab. (with :> $MTAB_PATH)

so, as a temporary hack, i removed the "if dir_writable ${MTAB_PATH%/*}"
check.

result?

	/etc/mtab gets deleted.

result?

	/usr doesn't end up looking like it's still mounted (read-only in the
	case of the prior shutdown...]

result?

	/usr always gets mounted.

what an arse.

bugreporting time.

l.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: at last: info regarding boot problems on multiple partitions

[Russell Coker]

On Fri, 10 Sep 2004 09:43, Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> consequently, the test fails, and only if the test _succeeds_ does
> mountvirtfs.sh delete /etc/mtab. (with :> $MTAB_PATH)
>
> so, as a temporary hack, i removed the "if dir_writable ${MTAB_PATH%/*}"
> check.
>
> result?
>
>  /etc/mtab gets deleted.
>
> bugreporting time.

Good work!  Let me know if you need help convincing the package maintainer.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.