* avc: denied null
@ 2009-05-18 10:19 Dominick Grift
  2009-05-18 12:50 ` Stephen Smalley
  0 siblings, 1 reply; 26+ messages in thread
From: Dominick Grift @ 2009-05-18 10:19 UTC (permalink / raw)
  To: SELinux

I have enabled XACE on my systems and sometimes I get weird avc denials:

avc:  denied  null for request=GLX:MakeCurrent comm=glxinfo
resid=2600001 restype=<unknown>
scontext=dgrift:dgrift_r:dgrift_t:s0-s0:c0.c1023
tcontext=dgrift:dgrift_r:dgrift_t:s0-s0:c0.c1023 tclass=x_resource

avc:  denied  null for request=X11:GetInputFocus comm=/usr/bin/ggl-qt
xdevice="Virtual core keyboard"
scontext=dgrift:dgrift_r:dgrift_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_device

avc:  denied  null for request=X11:UnmapWindow comm=/usr/bin/ggl-qt
xdevice="Virtual core keyboard"
scontext=dgrift:dgrift_r:dgrift_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_device

I was wondering if this is a bug or if this is expected behaviour.

I do not notice any loss in functionality.

Thanks


* Re: avc: denied null
  2009-05-18 10:19 avc: denied null Dominick Grift
@ 2009-05-18 12:50 ` Stephen Smalley
  2009-05-18 12:59   ` Dominick Grift
  0 siblings, 1 reply; 26+ messages in thread
From: Stephen Smalley @ 2009-05-18 12:50 UTC (permalink / raw)
  To: Dominick Grift; +Cc: SELinux, Eamon Walsh, Daniel J Walsh

On Mon, 2009-05-18 at 12:19 +0200, Dominick Grift wrote:
> I have enabled XACE on my systems and sometimes I get weird avc denials:
> 
> avc:  denied  null for request=GLX:MakeCurrent comm=glxinfo
> resid=2600001 restype=<unknown>
> scontext=dgrift:dgrift_r:dgrift_t:s0-s0:c0.c1023
> tcontext=dgrift:dgrift_r:dgrift_t:s0-s0:c0.c1023 tclass=x_resource
> 
> avc:  denied  null for request=X11:GetInputFocus comm=/usr/bin/ggl-qt
> xdevice="Virtual core keyboard"
> scontext=dgrift:dgrift_r:dgrift_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_device
> 
> avc:  denied  null for request=X11:UnmapWindow comm=/usr/bin/ggl-qt
> xdevice="Virtual core keyboard"
> scontext=dgrift:dgrift_r:dgrift_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_device
> 
> I was wondering if this is a bug or if this is expected behaviour.
> 
> I do not notice any loss in functionality.

That would be a bug.  Details?  rpm -q -f /usr/bin/Xorg /etc/selinux

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: avc: denied null
  2009-05-18 12:50 ` Stephen Smalley
@ 2009-05-18 12:59   ` Dominick Grift
  2009-05-18 18:52     ` Eamon Walsh
  2009-05-20  3:11     ` Eamon Walsh
  0 siblings, 2 replies; 26+ messages in thread
From: Dominick Grift @ 2009-05-18 12:59 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux, Eamon Walsh, Daniel J Walsh

On Mon, 2009-05-18 at 08:50 -0400, Stephen Smalley wrote:
> rpm -q -f /usr/bin/Xorg /etc/selinux

xorg-x11-server-Xorg-1.6.1-11.fc11.x86_64
selinux-policy-3.6.12-36.fc11.noarch




* Re: avc: denied null
  2009-05-18 12:59   ` Dominick Grift
@ 2009-05-18 18:52     ` Eamon Walsh
  2009-05-20  3:11     ` Eamon Walsh
  1 sibling, 0 replies; 26+ messages in thread
From: Eamon Walsh @ 2009-05-18 18:52 UTC (permalink / raw)
  To: Dominick Grift; +Cc: Stephen Smalley, SELinux, Daniel J Walsh

Dominick Grift wrote:
> On Mon, 2009-05-18 at 08:50 -0400, Stephen Smalley wrote:
>   
>> rpm -q -f /usr/bin/Xorg /etc/selinux
>>     
>
> xorg-x11-server-Xorg-1.6.1-11.fc11.x86_64
> selinux-policy-3.6.12-36.fc11.noarch
>
>
>   

Hmm, I thought this was fixed earlier:
https://bugzilla.redhat.com/show_bug.cgi?id=485609

But I'll try to track this down.  The "null" denials won't break
anything; they just cause log noise.



-- 
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency
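
An added example, not part of the original thread or of the X server code: one way to separate the "null" denials discussed above from denials that name a permission when reviewing a log. The first three sample records are the ones reported in this thread; the fourth record and all function names are constructed for illustration.

```python
import re
from collections import Counter

# First three records are copied from the report in this thread (wrapped as in
# the mail); the last one is constructed to show a normal denial for contrast.
SAMPLE = '''\
avc:  denied  null for request=GLX:MakeCurrent comm=glxinfo
resid=2600001 restype=<unknown>
scontext=dgrift:dgrift_r:dgrift_t:s0-s0:c0.c1023
tcontext=dgrift:dgrift_r:dgrift_t:s0-s0:c0.c1023 tclass=x_resource

avc:  denied  null for request=X11:GetInputFocus comm=/usr/bin/ggl-qt
xdevice="Virtual core keyboard"
scontext=dgrift:dgrift_r:dgrift_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_device

avc:  denied  null for request=X11:UnmapWindow comm=/usr/bin/ggl-qt
xdevice="Virtual core keyboard"
scontext=dgrift:dgrift_r:dgrift_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_device

avc:  denied  { read } for request=X11:GetProperty comm=xterm
scontext=dgrift:dgrift_r:dgrift_t:s0-s0:c0.c1023
tcontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tclass=x_property
'''

# Decision, then either "null" or a braced permission list, then key=value fields.
HEADER = re.compile(r'avc:\s+(denied|granted)\s+(null|\{[^}]*\})\s+for\s+(.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def unwrap(text):
    """Join wrapped continuation lines back into one string per AVC record."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        start = line.find('avc:')
        if start >= 0:
            # A new record begins; anything before "avc:" (e.g. a syslog prefix) is dropped.
            if current is not None:
                records.append(current)
            current = line[start:]
        elif line and current is not None:
            current += ' ' + line
    if current is not None:
        records.append(current)
    return records


def parse(record):
    """Return the record's fields as a dict, or None if it is not an AVC message."""
    m = HEADER.match(record)
    if not m:
        return None
    decision, perms, rest = m.groups()
    fields = {key: value.strip('"') for key, value in FIELD.findall(rest)}
    fields['decision'] = decision
    # "null" means the denial was logged with no permission name attached.
    fields['perms'] = [] if perms == 'null' else perms.strip('{} ').split()
    return fields


def triage(text):
    """Split denials into null-permission noise (counted) and real denials (listed)."""
    noise, real = Counter(), []
    for record in unwrap(text):
        event = parse(record)
        if event is None or event['decision'] != 'denied':
            continue
        if event['perms']:
            real.append(event)
        else:
            noise[(event.get('request'), event.get('tclass'))] += 1
    return noise, real


if __name__ == '__main__':
    noise, real = triage(SAMPLE)
    for (request, tclass), count in sorted(noise.items()):
        print(f'null denial x{count}: request={request} tclass={tclass}')
    for event in real:
        print('denial:', ' '.join(event['perms']), event['request'], event['tclass'])
```
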



* Re: avc: denied null
  2009-05-18 12:59   ` Dominick Grift
  2009-05-18 18:52     ` Eamon Walsh
@ 2009-05-20  3:11     ` Eamon Walsh
  2009-05-20  7:21       ` Policy loading problem Dennis Wronka
  2009-05-20 11:08       ` avc: denied null Dominick Grift
  1 sibling, 2 replies; 26+ messages in thread
From: Eamon Walsh @ 2009-05-20  3:11 UTC (permalink / raw)
  To: Dominick Grift; +Cc: Stephen Smalley, SELinux, Daniel J Walsh

Dominick Grift wrote:
> On Mon, 2009-05-18 at 08:50 -0400, Stephen Smalley wrote:
>   
>> rpm -q -f /usr/bin/Xorg /etc/selinux
>>     
>
> xorg-x11-server-Xorg-1.6.1-11.fc11.x86_64
> selinux-policy-3.6.12-36.fc11.noarch
>   

I found the cause of the "x_device" null avc's.  It was a bad hook call.

I'm still stumped on the GLXMakeCurrent null avc's though.  I can't
reproduce the problem here running glxinfo/glxgears.  I suspect it
depends on the video driver / acceleration architecture being used.


-- 
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency



* Policy loading problem
  2009-05-20  3:11     ` Eamon Walsh
@ 2009-05-20  7:21       ` Dennis Wronka
  2009-05-20 11:46         ` Stephen Smalley
  2009-05-20 11:08       ` avc: denied null Dominick Grift
  1 sibling, 1 reply; 26+ messages in thread
From: Dennis Wronka @ 2009-05-20  7:21 UTC (permalink / raw)
  To: SELinux

Hello folks,

currently I am experiencing quite a strange problem during system-boot.
The problem is that the policy only gets loaded when I boot into enforcing-mode. Booting into permissive mode (doesn't matter if via kernel-parameter or config-file) does not load the policy at all.

I am using Kernel 2.6.29.3 and Reference Policy 2.20081210.
Did anything change in the latest kernel or policy that triggers this? Is it possible to create a policy that cannot be loaded in permissive mode?

Any help or suggestion would be great.

Thanks,
Dennis

* Re: avc: denied null
  2009-05-20  3:11     ` Eamon Walsh
  2009-05-20  7:21       ` Policy loading problem Dennis Wronka
@ 2009-05-20 11:08       ` Dominick Grift
  2009-05-21  2:36         ` Eamon Walsh
  1 sibling, 1 reply; 26+ messages in thread
From: Dominick Grift @ 2009-05-20 11:08 UTC (permalink / raw)
  To: Eamon Walsh; +Cc: Stephen Smalley, SELinux, Daniel J Walsh

On Tue, 2009-05-19 at 23:11 -0400, Eamon Walsh wrote:

> I found the cause of the "x_device" null avc's.  It was a bad hook call.
> 
> I'm still stumped on the GLXMakeCurrent null avc's though.  I can't
> reproduce the problem here running glxinfo/glxgears.  I suspect it
> depends on the video driver / acceleration architecture being used.

For what it is worth, that particular system has nvidia geforce 8600M GT and is using the proprietary blob (kmod-nvidia)

Thanks



* Re: Policy loading problem
  2009-05-20  7:21       ` Policy loading problem Dennis Wronka
@ 2009-05-20 11:46         ` Stephen Smalley
  2009-05-20 13:46           ` Dennis Wronka
  0 siblings, 1 reply; 26+ messages in thread
From: Stephen Smalley @ 2009-05-20 11:46 UTC (permalink / raw)
  To: Dennis Wronka; +Cc: SELinux

On Wed, 2009-05-20 at 09:21 +0200, Dennis Wronka wrote:
> Hello folks,
> 
> currently I am experiencing quite a strange problem during system-boot.
> The problem is that the policy only gets loaded when I boot into enforcing-mode. Booting into permissive mode (doesn't matter if via kernel-parameter or config-file) does not load the policy at all.
> 
> I am using Kernel 2.6.29.3 and Reference Policy 2.20081210.
> Did anything change in the latest kernel or policy that triggers this? Is it possible to create a policy that cannot be loaded in permissive mode?
> 
> Any help or suggestion would be great.

What mechanism are you using to perform the initial policy load (Fedora
originally patched /sbin/init then migrated to performing the load from
the initrd; Ubuntu does the load from initrd but in a different manner;
Debian still uses a patched init I believe)?

Can you post the logic for your initial policy load, whether it is a
patch to /sbin/init or an initrd script?

-- 
Stephen Smalley
National Security Agency



* Re: Policy loading problem
  2009-05-20 11:46         ` Stephen Smalley
@ 2009-05-20 13:46           ` Dennis Wronka
  2009-05-20 13:49             ` Stephen Smalley
  0 siblings, 1 reply; 26+ messages in thread
From: Dennis Wronka @ 2009-05-20 13:46 UTC (permalink / raw)
  To: Stephen Smalley, SELinux

I have actually tried both.
The way it's usually done is through a patched init, which used to work some 
time ago (I don't remember which version of the kernel, the policy and the 
SELinux-tools/-libraries I used then, as everything always is being updated 
and I worked on a lot of other stuff in between).
I also tried the approach Fedora uses, pretty much taking apart their initrd 
and reimplementing the load_policy-command from nash into a separate program
(as I had trouble compiling nash). I got it partially working later, but not in
the way I used to do it and not the way it's supposed to be.

So, as said, the way it's supposed to be is a patched init, although I could live
with doing it in my initramfs (I use that instead of an initrd, but it's 
basically the same anyway).

Still I find it quite confusing that the policy gets loaded when I set SELinux 
to enforcing, but not when I set it to permissive.

On Wednesday 20 May 2009 19:46:49 you wrote:
> On Wed, 2009-05-20 at 09:21 +0200, Dennis Wronka wrote:
> > Hello folks,
> >
> > currently I am experiencing quite a strange problem during system-boot.
> > The problem is that the policy only gets loaded when I boot into
> > enforcing-mode. Booting into permissive mode (doesn't matter if via
> > kernel-parameter or config-file) does not load the policy at all.
> >
> > I am using Kernel 2.6.29.3 and Reference Policy 2.20081210.
> > Did anything change in the latest kernel or policy that triggers this? Is
> > it possible to create a policy that cannot be loaded in permissive mode?
> >
> > Any help or suggestion would be great.
>
> What mechanism are you using to perform the initial policy load (Fedora
> originally patched /sbin/init then migrated to performing the load from
> the initrd; Ubuntu does the load from initrd but in a different manner;
> Debian still uses a patched init I believe)?
>
> Can you post the logic for your initial policy load, whether it is a
> patch to /sbin/init or an initrd script?




* Re: Policy loading problem
  2009-05-20 13:46           ` Dennis Wronka
@ 2009-05-20 13:49             ` Stephen Smalley
  2009-05-20 14:07               ` Dennis Wronka
  0 siblings, 1 reply; 26+ messages in thread
From: Stephen Smalley @ 2009-05-20 13:49 UTC (permalink / raw)
  To: Dennis Wronka; +Cc: SELinux

On Wed, 2009-05-20 at 21:46 +0800, Dennis Wronka wrote:
> I have actually tried both.
> The way it's usually done is through a patched init, which used to work some 
> time ago (I don't remember which version of the kernel, the policy and the 
> SELinux-tools/-libraries I used then, as everything always is being updated 
> and I worked on a lot of other stuff in between).
> I also tried the approach Fedora uses, pretty much taking apart their initrd 
> and reimplementing the load_policy-command from nash into a separate program
> (as I had trouble compiling nash). I got it partially working later, but not in
> the way I used to do it and not the way it's supposed to be.
>
> So, as said, the way it's supposed to be is a patched init, although I could live
> with doing it in my initramfs (I use that instead of an initrd, but it's 
> basically the same anyway).
> 
> Still I find it quite confusing that the policy gets loaded when I set SELinux 
> to enforcing, but not when I set it to permissive.

You didn't post your initial policy loading logic like I asked.  I agree
that there is no reason why it shouldn't get loaded when permissive, and
I don't see that behavior in Fedora, so I have to assume there is a bug
in the way you've integrated initial policy load in your distribution.

So, once again:  if you want help, show us how you are performing your
initial policy load (the actual code).

Also, if you boot permissive and then manually run load_policy, does
that work?  If so, then that even more strongly indicates a bug in how
you've integrated initial policy load in your distro.

-- 
Stephen Smalley
National Security Agency



* Re: Policy loading problem
  2009-05-20 13:49             ` Stephen Smalley
@ 2009-05-20 14:07               ` Dennis Wronka
  2009-05-20 14:09                 ` Stephen Smalley
  0 siblings, 1 reply; 26+ messages in thread
From: Dennis Wronka @ 2009-05-20 14:07 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux


Sorry I got to ask, but what do you actually mean by "initial policy loading 
logic"?

I haven't actually written any code that handles the policy. I took the 
attached patch for SysVInit and applied it. From what I know this is the 
commonly used patch for this, as it seems to be pretty identical wherever I'm 
looking.

One thing that has changed recently, although I am not sure if this could be 
the reason, is that I have switched the second run of compiling GLibC to a 
later time. Usually I compile GLibC without SELinux, then the SELinux-libraries
and then GLibC with SELinux. Currently this way results in an infinite loop 
when compiling GLibC, so to resolve this (although I hope this to be a 
temporary solution) I moved compiling GLibC with SELinux after compiling 
BinUtils and GCC.

I pretty much follow the LFS-book, except for a few adjustments and additions 
for SELinux.

In terms of code I haven't written much except shell-scripts, which do the 
actual installation of the software.

So, please clarify what you mean by "initial policy loading logic", then I'll 
do my best to provide more information.

Regards,
Dennis

On Wednesday 20 May 2009 21:49:52 Stephen Smalley wrote:
> On Wed, 2009-05-20 at 21:46 +0800, Dennis Wronka wrote:
> > I have actually tried both.
> > The way it's usually done is through a patched init, which used to work
> > some time ago (I don't remember which version of the kernel, the policy
> > and the SELinux-tools/-libraries I used then, as everything always is
> > being updated and I worked on a lot of other stuff in between).
> > I also tried the approach Fedora uses, pretty much taking apart their
> > initrd and reimplementing the load_policy-command from nash into a
> > separate program (as I had trouble compiling nash). I got it partially
> > working later, but not in the way I used to do it and not the way it's
> > supposed to be.
> >
> > So, as said, the way it's supposed to be is a patched init, although I could
> > live with doing it in my initramfs (I use that instead of an initrd, but
> > it's basically the same anyway).
> >
> > Still I find it quite confusing that the policy gets loaded when I set
> > SELinux to enforcing, but not when I set it to permissive.
>
> You didn't post your initial policy loading logic like I asked.  I agree
> that there is no reason why it shouldn't get loaded when permissive, and
> I don't see that behavior in Fedora, so I have to assume there is a bug
> in the way you've integrated initial policy load in your distribution.
>
> So, once again:  if you want help, show us how you are performing your
> initial policy load (the actual code).
>
> Also, if you boot permissive and then manually run load_policy, does
> that work?  If so, then that even more strongly indicates a bug in how
> you've integrated initial policy load in your distro.



[-- Attachment #1.2: sysvinit-2.86-selinux.patch --]
[-- Type: text/x-patch, Size: 79635 bytes --]

diff -U 3 -H -d -r -N -- sysvinit-2.86/src/Makefile sysvinit-2.86-selinux/src/Makefile
--- sysvinit-2.86/src/Makefile	2004-06-09 20:47:45.000000000 +0800
+++ sysvinit-2.86-selinux/src/Makefile	2007-03-09 22:30:14.000000000 +0800
@@ -57,7 +57,7 @@
 all:		$(BIN) $(SBIN) $(USRBIN)
 
 init:		init.o init_utmp.o
-		$(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o
+		$(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o -lsepol -lselinux
 
 halt:		halt.o ifdown.o hddown.o utmp.o reboot.h
 		$(CC) $(LDFLAGS) -o $@ halt.o ifdown.o hddown.o utmp.o
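
Review bot: On the init link line the order "-lsepol -lselinux" is a problem for a static link, which this line allows through $(STATIC): GNU ld resolves archives left to right, so if libselinux needs symbols from libsepol, -lselinux has to come first. Suggest "-lselinux -lsepol" so the line links both dynamically and statically.
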
@@ -78,7 +78,7 @@
 		$(CC) $(LDFLAGS) -o $@ runlevel.o
 
 sulogin:	sulogin.o
-		$(CC) $(LDFLAGS) $(STATIC) -o $@ sulogin.o $(LCRYPT)
+		$(CC) $(LDFLAGS) $(STATIC) -o $@ sulogin.o $(LCRYPT) -lselinux
 
 wall:		dowall.o wall.o
 		$(CC) $(LDFLAGS) -o $@ dowall.o wall.o
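
Review bot: -lselinux is hard-coded on the sulogin link line (and on the init line in the previous hunk), so the suite no longer builds on a host without the SELinux libraries. The original Makefile already sets LCRYPT conditionally for libcrypt; a similar variable, set only when SELinux support is wanted, would keep the plain build working.
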
diff -U 3 -H -d -r -N -- sysvinit-2.86/src/Makefile~ sysvinit-2.86-selinux/src/Makefile~
--- sysvinit-2.86/src/Makefile~	1970-01-01 08:00:00.000000000 +0800
+++ sysvinit-2.86-selinux/src/Makefile~	2004-06-09 20:47:45.000000000 +0800
@@ -0,0 +1,148 @@
+#
+# Makefile	Makefile for the systemV init suite.
+#		Targets:   all      compiles everything
+#		           install  installs the binaries (not the scripts)
+#                          clean    cleans up object files
+#			   clobber  really cleans up
+#
+# Version:	@(#)Makefile  2.85-13  23-Mar-2004  miquels@cistron.nl
+#
+
+CC	= gcc
+CFLAGS	= -Wall -O2 -fomit-frame-pointer -D_GNU_SOURCE
+LDFLAGS	= -s
+STATIC	=
+
+# For some known distributions we do not build all programs, otherwise we do.
+BIN	=
+SBIN	= init halt shutdown runlevel killall5
+USRBIN	= last mesg
+
+MAN1	= last.1 lastb.1 mesg.1
+MAN5	= initscript.5 inittab.5
+MAN8	= halt.8 init.8 killall5.8 pidof.8 poweroff.8 reboot.8 runlevel.8
+MAN8	+= shutdown.8 telinit.8
+
+ifeq ($(DISTRO),)
+BIN	+= mountpoint
+SBIN	+= sulogin bootlogd
+USRBIN	+= utmpdump wall
+MAN1	+= mountpoint.1 wall.1
+MAN8	+= sulogin.8 bootlogd.8
+endif
+
+ifeq ($(DISTRO),Debian)
+BIN	+= mountpoint
+SBIN	+= sulogin bootlogd
+MAN1	+= mountpoint.1
+MAN8	+= sulogin.8 bootlogd.8
+endif
+
+ifeq ($(DISTRO),Owl)
+USRBIN	+= wall
+MAN1	+= wall.1
+endif
+
+BIN_OWNER	= root
+BIN_GROUP	= root
+BIN_COMBO	= $(BIN_OWNER):$(BIN_GROUP)
+INSTALL		= install -o $(BIN_OWNER) -g $(BIN_GROUP)
+MANDIR		= /usr/share/man
+
+# Additional libs for GNU libc.
+ifneq ($(wildcard /usr/lib/libcrypt.a),)
+LCRYPT		= -lcrypt
+endif
+
+all:		$(BIN) $(SBIN) $(USRBIN)
+
+init:		init.o init_utmp.o
+		$(CC) $(LDFLAGS) $(STATIC) -o $@ init.o init_utmp.o
+
+halt:		halt.o ifdown.o hddown.o utmp.o reboot.h
+		$(CC) $(LDFLAGS) -o $@ halt.o ifdown.o hddown.o utmp.o
+
+last:		last.o oldutmp.h
+		$(CC) $(LDFLAGS) -o $@ last.o
+
+mesg:		mesg.o
+		$(CC) $(LDFLAGS) -o $@ mesg.o
+
+mountpoint:	mountpoint.o
+		$(CC) $(LDFLAGS) -o $@ mountpoint.o
+
+utmpdump:	utmpdump.o
+		$(CC) $(LDFLAGS) -o $@ utmpdump.o
+
+runlevel:	runlevel.o
+		$(CC) $(LDFLAGS) -o $@ runlevel.o
+
+sulogin:	sulogin.o
+		$(CC) $(LDFLAGS) $(STATIC) -o $@ sulogin.o $(LCRYPT)
+
+wall:		dowall.o wall.o
+		$(CC) $(LDFLAGS) -o $@ dowall.o wall.o
+
+shutdown:	dowall.o shutdown.o utmp.o reboot.h
+		$(CC) $(LDFLAGS) -o $@ dowall.o shutdown.o utmp.o
+
+bootlogd:	bootlogd.o
+		$(CC) $(LDFLAGS) -o $@ bootlogd.o -lutil
+
+init.o:		init.c init.h set.h reboot.h initreq.h
+		$(CC) -c $(CFLAGS) init.c
+
+utmp.o:		utmp.c init.h
+		$(CC) -c $(CFLAGS) utmp.c
+
+init_utmp.o:	utmp.c init.h
+		$(CC) -c $(CFLAGS) -DINIT_MAIN utmp.c -o init_utmp.o
+
+cleanobjs:
+		rm -f *.o *.bak
+
+clean:		cleanobjs
+		@echo Type \"make clobber\" to really clean up.
+
+clobber:	cleanobjs
+		rm -f $(BIN) $(SBIN) $(USRBIN)
+
+distclean:	clobber
+
+install:
+		for i in $(BIN); do \
+			$(INSTALL) -m 755 $$i $(ROOT)/bin/; \
+		done
+		for i in $(SBIN); do \
+			$(INSTALL) -m 755 $$i $(ROOT)/sbin/; \
+		done
+		for i in $(USRBIN); do \
+			$(INSTALL) -m 755 $$i $(ROOT)/usr/bin/; \
+		done
+		# $(INSTALL) -m 755 etc/initscript.sample $(ROOT)/etc/
+		ln -sf halt $(ROOT)/sbin/reboot
+		ln -sf halt $(ROOT)/sbin/poweroff
+		ln -sf init $(ROOT)/sbin/telinit
+		ln -sf ../sbin/killall5 $(ROOT)/bin/pidof
+		if [ ! -f $(ROOT)/usr/bin/lastb ]; then \
+			ln -sf last $(ROOT)/usr/bin/lastb; \
+		fi
+		$(INSTALL) -m 644 initreq.h $(ROOT)/usr/include/
+		for i in $(MAN1); do \
+			$(INSTALL) -m 644 ../man/$$i $(ROOT)$(MANDIR)/man1/; \
+		done
+		for i in $(MAN5); do \
+			$(INSTALL) -m 644 ../man/$$i $(ROOT)$(MANDIR)/man5/; \
+		done
+		for i in $(MAN8); do \
+			$(INSTALL) -m 644 ../man/$$i $(ROOT)$(MANDIR)/man8/; \
+		done
+ifeq ($(ROOT),)
+		#
+		# This part is skipped on Debian systems, the
+		# debian.preinst script takes care of it.
+		@if [ ! -p /dev/initctl ]; then \
+		 echo "Creating /dev/initctl"; \
+		 rm -f /dev/initctl; \
+		 mknod -m 600 /dev/initctl p; fi
+endif
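
Review bot: src/Makefile~ is an editor backup of the unpatched Makefile (its init rule has no SELinux libraries) that "diff -r -N" picked up as a new file; these 148 lines are not part of the change and should be dropped, for instance by removing or excluding "*~" files before generating the diff. The src/init.c~ file added further down is the same case and accounts for most of the patch's size.
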
diff -U 3 -H -d -r -N -- sysvinit-2.86/src/init.c sysvinit-2.86-selinux/src/init.c
--- sysvinit-2.86/src/init.c	2004-07-30 20:16:20.000000000 +0800
+++ sysvinit-2.86-selinux/src/init.c	2007-03-09 22:28:38.000000000 +0800
@@ -42,6 +42,8 @@
 #include <stdarg.h>
 #include <sys/syslog.h>
 #include <sys/time.h>
+#include <selinux/selinux.h>
+
 
 #ifdef __i386__
 #  if (__GLIBC__ >= 2)
@@ -2599,6 +2601,7 @@
 	char			*p;
 	int			f;
 	int			isinit;
+	int			enforce = 0;
 
 	/* Get my own name */
 	if ((p = strrchr(argv[0], '/')) != NULL)
@@ -2662,6 +2665,20 @@
 		maxproclen += strlen(argv[f]) + 1;
 	}
 
+  	if (getenv("SELINUX_INIT") == NULL) {
+	  putenv("SELINUX_INIT=YES");
+	  if (selinux_init_load_policy(&enforce) == 0 ) {
+	    execv(myname, argv);
+	  } else {
+	    if (enforce > 0) {
+	      /* SELinux in enforcing mode but load_policy failed */
+	      /* At this point, we probably can't open /dev/console, so log() won't work */
+		    printf("Unable to load SELinux Policy. Machine is in enforcing mode. Halting now.\n");
+	      exit(1);
+	    }
+	  }
+	}
+  
 	/* Start booting. */
 	argv0 = argv[0];
 	argv[1] = NULL;
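
Review bot: The failure path is silent unless the system is enforcing: when selinux_init_load_policy() returns non-zero and enforce is 0, the block falls through to "Start booting" without printing anything, so a failed load in permissive mode leaves no trace on the console. A warning in that branch would make the failure visible. The return from execv(myname, argv) is also unchecked; if the re-exec fails, init carries on in its current context with no message, so report errno there as well.
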
diff -U 3 -H -d -r -N -- sysvinit-2.86/src/init.c~ sysvinit-2.86-selinux/src/init.c~
--- sysvinit-2.86/src/init.c~	1970-01-01 08:00:00.000000000 +0800
+++ sysvinit-2.86-selinux/src/init.c~	2004-07-30 20:16:20.000000000 +0800
@@ -0,0 +1,2673 @@
+/*
+ * Init		A System-V Init Clone.
+ *
+ * Usage:	/sbin/init
+ *		     init [0123456SsQqAaBbCc]
+ *		  telinit [0123456SsQqAaBbCc]
+ *
+ * Version:	@(#)init.c  2.86  30-Jul-2004  miquels@cistron.nl
+ */
+#define VERSION "2.86"
+#define DATE    "31-Jul-2004"
+/*
+ *		This file is part of the sysvinit suite,
+ *		Copyright 1991-2004 Miquel van Smoorenburg.
+ *
+ *		This program is free software; you can redistribute it and/or
+ *		modify it under the terms of the GNU General Public License
+ *		as published by the Free Software Foundation; either version
+ *		2 of the License, or (at your option) any later version.
+ *
+ */
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <sys/wait.h>
+#ifdef __linux__
+#include <sys/kd.h>
+#endif
+#include <sys/resource.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <errno.h>
+#include <stdio.h>
+#include <time.h>
+#include <fcntl.h>
+#include <string.h>
+#include <signal.h>
+#include <termios.h>
+#include <utmp.h>
+#include <ctype.h>
+#include <stdarg.h>
+#include <sys/syslog.h>
+#include <sys/time.h>
+
+#ifdef __i386__
+#  if (__GLIBC__ >= 2)
+     /* GNU libc 2.x */
+#    define STACK_DEBUG 1
+#    if (__GLIBC__ == 2 && __GLIBC_MINOR__ == 0)
+       /* Only glibc 2.0 needs this */
+#      include <sigcontext.h>
+#    endif
+#  endif
+#endif
+
+#include "init.h"
+#include "initreq.h"
+#include "paths.h"
+#include "reboot.h"
+#include "set.h"
+
+#ifndef SIGPWR
+#  define SIGPWR SIGUSR2
+#endif
+
+#ifndef CBAUD
+#  define CBAUD		0
+#endif
+#ifndef CBAUDEX
+#  define CBAUDEX	0
+#endif
+
+/* Set a signal handler. */
+#define SETSIG(sa, sig, fun, flags) \
+		do { \
+			sa.sa_handler = fun; \
+			sa.sa_flags = flags; \
+			sigemptyset(&sa.sa_mask); \
+			sigaction(sig, &sa, NULL); \
+		} while(0)
+
+/* Version information */
+char *Version = "@(#) init " VERSION "  " DATE "  miquels@cistron.nl";
+char *bootmsg = "version " VERSION " %s";
+#define E_VERSION "INIT_VERSION=sysvinit-" VERSION
+
+CHILD *family = NULL;		/* The linked list of all entries */
+CHILD *newFamily = NULL;	/* The list after inittab re-read */
+
+CHILD ch_emerg = {		/* Emergency shell */
+	0, 0, 0, 0, 0,
+	"~~",
+	"S",
+	3,
+	"/sbin/sulogin",
+	NULL,
+	NULL
+};
+
+char runlevel = 'S';		/* The current run level */
+char thislevel = 'S';		/* The current runlevel */
+char prevlevel = 'N';		/* Previous runlevel */
+int dfl_level = 0;		/* Default runlevel */
+sig_atomic_t got_cont = 0;	/* Set if we received the SIGCONT signal */
+sig_atomic_t got_signals;	/* Set if we received a signal. */
+int emerg_shell = 0;		/* Start emergency shell? */
+int wrote_wtmp_reboot = 1;	/* Set when we wrote the reboot record */
+int wrote_utmp_reboot = 1;	/* Set when we wrote the reboot record */
+int sltime = 5;			/* Sleep time between TERM and KILL */
+char *argv0;			/* First arguments; show up in ps listing */
+int maxproclen;			/* Maximal length of argv[0] with \0 */
+struct utmp utproto;		/* Only used for sizeof(utproto.ut_id) */
+char *user_console = NULL;	/* User console device */
+char *console_dev;		/* Console device. */
+int pipe_fd = -1;		/* /dev/initctl */
+int did_boot = 0;		/* Did we already do BOOT* stuff? */
+int main(int, char **);
+
+/*	Used by re-exec part */
+int reload = 0;			/* Should we do initialization stuff? */
+char *myname="/sbin/init";	/* What should we exec */
+int oops_error;			/* Used by some of the re-exec code. */
+const char *Signature = "12567362";	/* Signature for re-exec fd */
+
+/* Macro to see if this is a special action */
+#define ISPOWER(i) ((i) == POWERWAIT || (i) == POWERFAIL || \
+		    (i) == POWEROKWAIT || (i) == POWERFAILNOW || \
+		    (i) == CTRLALTDEL)
+
+/* ascii values for the `action' field. */
+struct actions {
+  char *name;
+  int act;
+} actions[] = {
+  { "respawn", 	   RESPAWN	},
+  { "wait",	   WAIT		},
+  { "once",	   ONCE		},
+  { "boot",	   BOOT		},
+  { "bootwait",	   BOOTWAIT	},
+  { "powerfail",   POWERFAIL	},
+  { "powerfailnow",POWERFAILNOW },
+  { "powerwait",   POWERWAIT	},
+  { "powerokwait", POWEROKWAIT	},
+  { "ctrlaltdel",  CTRLALTDEL	},
+  { "off",	   OFF		},
+  { "ondemand",	   ONDEMAND	},
+  { "initdefault", INITDEFAULT	},
+  { "sysinit",	   SYSINIT	},
+  { "kbrequest",   KBREQUEST    },
+  { NULL,	   0		},
+};
+
+/*
+ *	State parser token table (see receive_state)
+ */
+struct {
+  char name[4];	
+  int cmd;
+} cmds[] = {
+  { "VER", 	   C_VER	},
+  { "END",	   C_END	},
+  { "REC",	   C_REC	},
+  { "EOR",	   C_EOR	},
+  { "LEV",	   C_LEV	},
+  { "FL ",	   C_FLAG	},
+  { "AC ",	   C_ACTION	},
+  { "CMD",	   C_PROCESS	},
+  { "PID",	   C_PID	},
+  { "EXS",	   C_EXS	},
+  { "-RL",	   D_RUNLEVEL	},
+  { "-TL",	   D_THISLEVEL	},
+  { "-PL",	   D_PREVLEVEL	},
+  { "-SI",	   D_GOTSIGN	},
+  { "-WR",	   D_WROTE_WTMP_REBOOT},
+  { "-WU",	   D_WROTE_UTMP_REBOOT},
+  { "-ST",	   D_SLTIME	},
+  { "-DB",	   D_DIDBOOT	},
+  { "",	   	   0		}
+};
+struct {
+	char *name;
+	int mask;
+} flags[]={
+	{"RU",RUNNING},
+	{"DE",DEMAND},
+	{"XD",XECUTED},
+	{NULL,0}
+};
+
+#define NR_EXTRA_ENV	16
+char *extra_env[NR_EXTRA_ENV];
+
+
+/*
+ *	Sleep a number of seconds.
+ *
+ *	This only works correctly because the linux select updates
+ *	the elapsed time in the struct timeval passed to select!
+ */
+void do_sleep(int sec)
+{
+	struct timeval tv;
+
+	tv.tv_sec = sec;
+	tv.tv_usec = 0;
+
+	while(select(0, NULL, NULL, NULL, &tv) < 0 && errno == EINTR)
+		;
+}
+
+
+/*
+ *	Non-failing allocation routines (init cannot fail).
+ */
+void *imalloc(size_t size)
+{
+	void	*m;
+
+	while ((m = malloc(size)) == NULL) {
+		initlog(L_VB, "out of memory");
+		do_sleep(5);
+	}
+	memset(m, 0, size);
+	return m;
+}
+
+
+char *istrdup(char *s)
+{
+	char	*m;
+	int	l;
+
+	l = strlen(s) + 1;
+	m = imalloc(l);
+	memcpy(m, s, l);
+	return m;
+}
+
+
+/*
+ *	Send the state info of the previous running init to
+ *	the new one, in a version-independant way.
+ */
+void send_state(int fd)
+{
+	FILE	*fp;
+	CHILD	*p;
+	int	i,val;
+
+	fp = fdopen(fd,"w");
+
+	fprintf(fp, "VER%s\n", Version);
+	fprintf(fp, "-RL%c\n", runlevel);
+	fprintf(fp, "-TL%c\n", thislevel);
+	fprintf(fp, "-PL%c\n", prevlevel);
+	fprintf(fp, "-SI%u\n", got_signals);
+	fprintf(fp, "-WR%d\n", wrote_wtmp_reboot);
+	fprintf(fp, "-WU%d\n", wrote_utmp_reboot);
+	fprintf(fp, "-ST%d\n", sltime);
+	fprintf(fp, "-DB%d\n", did_boot);
+
+	for (p = family; p; p = p->next) {
+		fprintf(fp, "REC%s\n", p->id);
+		fprintf(fp, "LEV%s\n", p->rlevel);
+		for (i = 0, val = p->flags; flags[i].mask; i++)
+			if (val & flags[i].mask) {
+				val &= ~flags[i].mask;
+				fprintf(fp, "FL %s\n",flags[i].name);
+			}
+		fprintf(fp, "PID%d\n",p->pid);
+		fprintf(fp, "EXS%u\n",p->exstat);
+		for(i = 0; actions[i].act; i++)
+			if (actions[i].act == p->action) {
+				fprintf(fp, "AC %s\n", actions[i].name);
+				break;
+			}
+		fprintf(fp, "CMD%s\n", p->process);
+		fprintf(fp, "EOR\n");
+	}
+	fprintf(fp, "END\n");
+	fclose(fp);
+}
+
+/*
+ *	Read a string from a file descriptor.
+ *	FIXME: why not use fgets() ?
+ */
+static int get_string(char *p, int size, FILE *f)
+{
+	int	c;
+
+	while ((c = getc(f)) != EOF && c != '\n') {
+		if (--size > 0)
+			*p++ = c;
+	}
+	*p = '\0';
+	return (c != EOF) && (size > 0);
+}
+
+/*
+ *	Read trailing data from the state pipe until we see a newline.
+ */
+static int get_void(FILE *f)
+{
+	int	c;
+
+	while ((c = getc(f)) != EOF && c != '\n')
+		;
+
+	return (c != EOF);
+}
+
+/*
+ *	Read the next "command" from the state pipe.
+ */
+static int get_cmd(FILE *f)
+{
+	char	cmd[4] = "   ";
+	int	i;
+
+	if (fread(cmd, 1, sizeof(cmd) - 1, f) != sizeof(cmd) - 1)
+		return C_EOF;
+
+	for(i = 0; cmds[i].cmd && strcmp(cmds[i].name, cmd) != 0; i++)
+		;
+	return cmds[i].cmd;
+}
+
+/*
+ *	Read a CHILD * from the state pipe.
+ */
+static CHILD *get_record(FILE *f)
+{
+	int	cmd;
+	char	s[32];
+	int	i;
+	CHILD	*p;
+
+	do {
+		switch (cmd = get_cmd(f)) {
+			case C_END:
+				get_void(f);
+				return NULL;
+			case 0:
+				get_void(f);
+				break;
+			case C_REC:
+				break;
+			case D_RUNLEVEL:
+				fscanf(f, "%c\n", &runlevel);
+				break;
+			case D_THISLEVEL:
+				fscanf(f, "%c\n", &thislevel);
+				break;
+			case D_PREVLEVEL:
+				fscanf(f, "%c\n", &prevlevel);
+				break;
+			case D_GOTSIGN:
+				fscanf(f, "%u\n", &got_signals);
+				break;
+			case D_WROTE_WTMP_REBOOT:
+				fscanf(f, "%d\n", &wrote_wtmp_reboot);
+				break;
+			case D_WROTE_UTMP_REBOOT:
+				fscanf(f, "%d\n", &wrote_utmp_reboot);
+				break;
+			case D_SLTIME:
+				fscanf(f, "%d\n", &sltime);
+				break;
+			case D_DIDBOOT:
+				fscanf(f, "%d\n", &did_boot);
+				break;
+			default:
+				if (cmd > 0 || cmd == C_EOF) {
+					oops_error = -1;
+					return NULL;
+				}
+		}
+	} while (cmd != C_REC);
+
+	p = imalloc(sizeof(CHILD));
+	get_string(p->id, sizeof(p->id), f);
+
+	do switch(cmd = get_cmd(f)) {
+		case 0:
+		case C_EOR:
+			get_void(f);
+			break;
+		case C_PID:
+			fscanf(f, "%d\n", &(p->pid));
+			break;
+		case C_EXS:
+			fscanf(f, "%u\n", &(p->exstat));
+			break;
+		case C_LEV:
+			get_string(p->rlevel, sizeof(p->rlevel), f);
+			break;
+		case C_PROCESS:
+			get_string(p->process, sizeof(p->process), f);
+			break;
+		case C_FLAG:
+			get_string(s, sizeof(s), f);
+			for(i = 0; flags[i].name; i++) {
+				if (strcmp(flags[i].name,s) == 0)
+					break;
+			}
+			p->flags |= flags[i].mask;
+			break;
+		case C_ACTION:
+			get_string(s, sizeof(s), f);
+			for(i = 0; actions[i].name; i++) {
+				if (strcmp(actions[i].name, s) == 0)
+					break;
+			}
+			p->action = actions[i].act ? actions[i].act : OFF;
+			break;
+		default:
+			free(p);
+			oops_error = -1;
+			return NULL;
+	} while( cmd != C_EOR);
+
+	return p;
+}
+
+/*
+ *	Read the complete state info from the state pipe.
+ *	Returns 0 on success
+ */
+int receive_state(int fd)
+{
+	FILE	*f;
+	char	old_version[256];
+	CHILD	**pp;
+
+	f = fdopen(fd, "r");
+
+ 	if (get_cmd(f) != C_VER)
+		return -1;
+	get_string(old_version, sizeof(old_version), f);
+	oops_error = 0;
+	for (pp = &family; (*pp = get_record(f)) != NULL; pp = &((*pp)->next))
+		;
+	fclose(f);
+	return oops_error;
+}
+
+/*
+ *	Set the process title.
+ */
+#ifdef __GNUC__
+__attribute__ ((format (printf, 1, 2)))
+#endif
+static int setproctitle(char *fmt, ...)
+{
+	va_list ap;
+	int len;
+	char buf[256];
+
+	buf[0] = 0;
+
+	va_start(ap, fmt);
+	len = vsnprintf(buf, sizeof(buf), fmt, ap);
+	va_end(ap);
+
+	if (maxproclen > 2) {
+		memset(argv0, 0, maxproclen);
+		strncpy(argv0, buf, maxproclen - 2);
+	}
+
+	return len;
+}
+
+/*
+ *	Set console_dev to a working console.
+ */
+void console_init(void)
+{
+	int fd;
+	int tried_devcons = 0;
+	int tried_vtmaster = 0;
+	char *s;
+
+	if (user_console) {
+		console_dev = user_console;
+	} else if ((s = getenv("CONSOLE")) != NULL)
+		console_dev = s;
+	else {
+		console_dev = CONSOLE;
+		tried_devcons++;
+	}
+
+	while ((fd = open(console_dev, O_RDONLY|O_NONBLOCK)) < 0) {
+		if (!tried_devcons) {
+			tried_devcons++;
+			console_dev = CONSOLE;
+			continue;
+		}
+		if (!tried_vtmaster) {
+			tried_vtmaster++;
+			console_dev = VT_MASTER;
+			continue;
+		}
+		break;
+	}
+	if (fd < 0)
+		console_dev = "/dev/null";
+	else
+		close(fd);
+}
+
+
+/*
+ *	Open the console with retries.
+ */
+int console_open(int mode)
+{
+	int f, fd = -1;
+	int m;
+
+	/*
+	 *	Open device in nonblocking mode.
+	 */
+	m = mode | O_NONBLOCK;
+
+	/*
+	 *	Retry the open five times.
+	 */
+	for(f = 0; f < 5; f++)
+		if ((fd = open(console_dev, m)) >= 0) break;
+
+	if (fd < 0) return fd;
+
+	/*
+	 *	Set original flags.
+	 */
+	if (m != mode)
+  		fcntl(fd, F_SETFL, mode);
+	return fd;
+}
+
+/*
+ *	We got a signal (HUP PWR WINCH ALRM INT)
+ */
+void signal_handler(int sig)
+{
+	ADDSET(got_signals, sig);
+}
+
+/*
+ *	SIGCHLD: one of our children has died.
+ */
+void chld_handler()
+{
+	CHILD		*ch;
+	int		pid, st;
+	int		saved_errno = errno;
+
+	/*
+	 *	Find out which process(es) this was (were)
+	 */
+	while((pid = waitpid(-1, &st, WNOHANG)) != 0) {
+		if (errno == ECHILD) break;
+		for( ch = family; ch; ch = ch->next )
+			if ( ch->pid == pid && (ch->flags & RUNNING) ) {
+				INITDBG(L_VB,
+					"chld_handler: marked %d as zombie",
+					ch->pid);
+				ADDSET(got_signals, SIGCHLD);
+				ch->exstat = st;
+				ch->flags |= ZOMBIE;
+				if (ch->new) {
+					ch->new->exstat = st;
+					ch->new->flags |= ZOMBIE;
+				}
+				break;
+			}
+		if (ch == NULL)
+			INITDBG(L_VB, "chld_handler: unknown child %d exited.",
+				pid);
+	}
+	errno = saved_errno;
+}
+
+/*
+ *	Linux ignores all signals sent to init when the
+ *	SIG_DFL handler is installed. Therefore we must catch SIGTSTP
+ *	and SIGCONT, or else they won't work....
+ *
+ *	The SIGCONT handler
+ */
+void cont_handler()
+{
+	got_cont = 1;
+}
+
+/*
+ *	Fork and dump core in /.
+ */
+void coredump(void)
+{
+	static int		dumped = 0;
+	struct rlimit		rlim;
+	sigset_t		mask;
+
+	if (dumped) return;
+	dumped = 1;
+
+	if (fork() != 0) return;
+
+	sigfillset(&mask);
+	sigprocmask(SIG_SETMASK, &mask, NULL);
+
+	rlim.rlim_cur = RLIM_INFINITY;
+	rlim.rlim_max = RLIM_INFINITY;
+	setrlimit(RLIMIT_CORE, &rlim);
+	chdir("/");
+
+	signal(SIGSEGV, SIG_DFL);
+	raise(SIGSEGV);
+	sigdelset(&mask, SIGSEGV);
+	sigprocmask(SIG_SETMASK, &mask, NULL);
+
+	do_sleep(5);
+	exit(0);
+}
+
+/*
+ *	OOPS: segmentation violation!
+ *	If we have the info, print where it occured.
+ *	Then sleep 30 seconds and try to continue.
+ */
+#if defined(STACK_DEBUG) && defined(__linux__)
+void segv_handler(int sig, struct sigcontext ctx)
+{
+	char	*p = "";
+	int	saved_errno = errno;
+
+	if ((void *)ctx.eip >= (void *)do_sleep &&
+	    (void *)ctx.eip < (void *)main)
+		p = " (code)";
+	initlog(L_VB, "PANIC: segmentation violation at %p%s! "
+		  "sleeping for 30 seconds.", (void *)ctx.eip, p);
+	coredump();
+	do_sleep(30);
+	errno = saved_errno;
+}
+#else
+void segv_handler()
+{
+	int	saved_errno = errno;
+
+	initlog(L_VB,
+		"PANIC: segmentation violation! sleeping for 30 seconds.");
+	coredump();
+	do_sleep(30);
+	errno = saved_errno;
+}
+#endif
+
+/*
+ *	The SIGSTOP & SIGTSTP handler
+ */
+void stop_handler()
+{
+	int	saved_errno = errno;
+
+	got_cont = 0;
+	while(!got_cont) pause();
+	got_cont = 0;
+	errno = saved_errno;
+}
+
+/*
+ *	Set terminal settings to reasonable defaults
+ */
+void console_stty(void)
+{
+	struct termios tty;
+	int fd;
+
+	if ((fd = console_open(O_RDWR|O_NOCTTY)) < 0) {
+		initlog(L_VB, "can't open %s", console_dev);
+		return;
+	}
+
+	(void) tcgetattr(fd, &tty);
+
+	tty.c_cflag &= CBAUD|CBAUDEX|CSIZE|CSTOPB|PARENB|PARODD;
+	tty.c_cflag |= HUPCL|CLOCAL|CREAD;
+
+	tty.c_cc[VINTR]  = 3;	/* ctrl('c') */
+	tty.c_cc[VQUIT]  = 28;	/* ctrl('\\') */
+	tty.c_cc[VERASE] = 127;
+	tty.c_cc[VKILL]  = 24;	/* ctrl('x') */
+	tty.c_cc[VEOF]   = 4;	/* ctrl('d') */
+	tty.c_cc[VTIME]  = 0;
+	tty.c_cc[VMIN]   = 1;
+	tty.c_cc[VSTART] = 17;	/* ctrl('q') */
+	tty.c_cc[VSTOP]  = 19;	/* ctrl('s') */
+	tty.c_cc[VSUSP]  = 26;	/* ctrl('z') */
+
+	/*
+	 *	Set pre and post processing
+	 */
+	tty.c_iflag = IGNPAR|ICRNL|IXON|IXANY;
+	tty.c_oflag = OPOST|ONLCR;
+	tty.c_lflag = ISIG|ICANON|ECHO|ECHOCTL|ECHOPRT|ECHOKE;
+
+	/*
+	 *	Now set the terminal line.
+	 *	We don't care about non-transmitted output data
+	 *	and non-read input data.
+	 */
+	(void) tcsetattr(fd, TCSANOW, &tty);
+	(void) tcflush(fd, TCIOFLUSH);
+	(void) close(fd);
+}
+
+/*
+ *	Print to the system console
+ */
+void print(char *s)
+{
+	int fd;
+
+	if ((fd = console_open(O_WRONLY|O_NOCTTY|O_NDELAY)) >= 0) {
+		write(fd, s, strlen(s));
+		close(fd);
+	}
+}
+
+/*
+ *	Log something to a logfile and the console.
+ */
+#ifdef __GNUC__
+__attribute__ ((format (printf, 2, 3)))
+#endif
+void initlog(int loglevel, char *s, ...)
+{
+	va_list va_alist;
+	char buf[256];
+	sigset_t nmask, omask;
+
+	va_start(va_alist, s);
+	vsnprintf(buf, sizeof(buf), s, va_alist);
+	va_end(va_alist);
+
+	if (loglevel & L_SY) {
+		/*
+		 *	Re-establish connection with syslogd every time.
+		 *	Block signals while talking to syslog.
+		 */
+		sigfillset(&nmask);
+		sigprocmask(SIG_BLOCK, &nmask, &omask);
+		openlog("init", 0, LOG_DAEMON);
+		syslog(LOG_INFO, "%s", buf);
+		closelog();
+		sigprocmask(SIG_SETMASK, &omask, NULL);
+	}
+
+	/*
+	 *	And log to the console.
+	 */
+	if (loglevel & L_CO) {
+		print("\rINIT: ");
+		print(buf);
+		print("\r\n");
+	}
+}
+
+
+/*
+ *	Build a new environment for execve().
+ */
+char **init_buildenv(int child)
+{
+	char		i_lvl[] = "RUNLEVEL=x";
+	char		i_prev[] = "PREVLEVEL=x";
+	char		i_cons[32];
+	char		**e;
+	int		n, i;
+
+	for (n = 0; environ[n]; n++)
+		;
+	n += NR_EXTRA_ENV + 8;
+	e = calloc(n, sizeof(char *));
+
+	for (n = 0; environ[n]; n++)
+		e[n] = istrdup(environ[n]);
+
+	for (i = 0; i < NR_EXTRA_ENV; i++)
+		if (extra_env[i])
+			e[n++] = istrdup(extra_env[i]);
+
+	if (child) {
+		snprintf(i_cons, sizeof(i_cons), "CONSOLE=%s", console_dev);
+		i_lvl[9]   = thislevel;
+		i_prev[10] = prevlevel;
+		e[n++] = istrdup(i_lvl);
+		e[n++] = istrdup(i_prev);
+		e[n++] = istrdup(i_cons);
+		e[n++] = istrdup(E_VERSION);
+	}
+
+	e[n++] = NULL;
+
+	return e;
+}
+
+
+void init_freeenv(char **e)
+{
+	int		n;
+
+	for (n = 0; e[n]; n++)
+		free(e[n]);
+	free(e);
+}
+
+
+/*
+ *	Fork and execute.
+ *
+ *	This function is too long and indents too deep.
+ *
+ */
+int spawn(CHILD *ch, int *res)
+{
+  char *args[16];		/* Argv array */
+  char buf[136];		/* Line buffer */
+  int f, st, rc;		/* Scratch variables */
+  char *ptr;			/* Ditto */
+  time_t t;			/* System time */
+  int oldAlarm;			/* Previous alarm value */
+  char *proc = ch->process;	/* Command line */
+  pid_t pid, pgrp;		/* child, console process group. */
+  sigset_t nmask, omask;	/* For blocking SIGCHLD */
+  struct sigaction sa;
+
+  *res = -1;
+  buf[sizeof(buf) - 1] = 0;
+
+  /* Skip '+' if it's there */
+  if (proc[0] == '+') proc++;
+
+  ch->flags |= XECUTED;
+
+  if (ch->action == RESPAWN || ch->action == ONDEMAND) {
+	/* Is the date stamp from less than 2 minutes ago? */
+	time(&t);
+	if (ch->tm + TESTTIME > t) {
+		ch->count++;
+	} else {
+		ch->count = 0;
+		ch->tm = t;
+	}
+
+	/* Do we try to respawn too fast? */
+	if (ch->count >= MAXSPAWN) {
+
+	  initlog(L_VB,
+		"Id \"%s\" respawning too fast: disabled for %d minutes",
+		ch->id, SLEEPTIME / 60);
+	  ch->flags &= ~RUNNING;
+	  ch->flags |= FAILING;
+
+	  /* Remember the time we stopped */
+	  ch->tm = t;
+
+	  /* Try again in 5 minutes */
+	  oldAlarm = alarm(0);
+	  if (oldAlarm > SLEEPTIME || oldAlarm <= 0) oldAlarm = SLEEPTIME;
+	  alarm(oldAlarm);
+	  return(-1);
+	}
+  }
+
+  /* See if there is an "initscript" (except in single user mode). */
+  if (access(INITSCRIPT, R_OK) == 0 && runlevel != 'S') {
+	/* Build command line using "initscript" */
+	args[1] = SHELL;
+	args[2] = INITSCRIPT;
+	args[3] = ch->id;
+	args[4] = ch->rlevel;
+	args[5] = "unknown";
+	for(f = 0; actions[f].name; f++) {
+		if (ch->action == actions[f].act) {
+			args[5] = actions[f].name;
+			break;
+		}
+	}
+	args[6] = proc;
+	args[7] = NULL;
+  } else if (strpbrk(proc, "~`!$^&*()=|\\{}[];\"'<>?")) {
+  /* See if we need to fire off a shell for this command */
+  	/* Give command line to shell */
+  	args[1] = SHELL;
+  	args[2] = "-c";
+  	strcpy(buf, "exec ");
+  	strncat(buf, proc, sizeof(buf) - strlen(buf) - 1);
+  	args[3] = buf;
+  	args[4] = NULL;
+  } else {
+	/* Split up command line arguments */
+	buf[0] = 0;
+  	strncat(buf, proc, sizeof(buf) - 1);
+  	ptr = buf;
+  	for(f = 1; f < 15; f++) {
+  		/* Skip white space */
+  		while(*ptr == ' ' || *ptr == '\t') ptr++;
+  		args[f] = ptr;
+  		
+		/* May be trailing space.. */
+		if (*ptr == 0) break;
+
+  		/* Skip this `word' */
+  		while(*ptr && *ptr != ' ' && *ptr != '\t' && *ptr != '#')
+  			ptr++;
+  		
+  		/* If end-of-line, break */	
+  		if (*ptr == '#' || *ptr == 0) {
+  			f++;
+  			*ptr = 0;
+  			break;
+  		}
+  		/* End word with \0 and continue */
+  		*ptr++ = 0;
+  	}
+  	args[f] = NULL;
+  }
+  args[0] = args[1];
+  while(1) {
+	/*
+	 *	Block sigchild while forking.
+	 */
+	sigemptyset(&nmask);
+	sigaddset(&nmask, SIGCHLD);
+	sigprocmask(SIG_BLOCK, &nmask, &omask);
+
+	if ((pid = fork()) == 0) {
+
+		close(0);
+		close(1);
+		close(2);
+		if (pipe_fd >= 0) close(pipe_fd);
+
+  		sigprocmask(SIG_SETMASK, &omask, NULL);
+
+		/*
+		 *	In sysinit, boot, bootwait or single user mode:
+		 *	for any wait-type subprocess we _force_ the console
+		 *	to be its controlling tty.
+		 */
+  		if (strchr("*#sS", runlevel) && ch->flags & WAITING) {
+			/*
+			 *	We fork once extra. This is so that we can
+			 *	wait and change the process group and session
+			 *	of the console after exit of the leader.
+			 */
+			setsid();
+			if ((f = console_open(O_RDWR|O_NOCTTY)) >= 0) {
+				/* Take over controlling tty by force */
+				(void)ioctl(f, TIOCSCTTY, 1);
+  				dup(f);
+  				dup(f);
+			}
+			if ((pid = fork()) < 0) {
+  				initlog(L_VB, "cannot fork");
+				exit(1);
+			}
+			if (pid > 0) {
+				/*
+				 *	Ignore keyboard signals etc.
+				 *	Then wait for child to exit.
+				 */
+				SETSIG(sa, SIGINT, SIG_IGN, SA_RESTART);
+				SETSIG(sa, SIGTSTP, SIG_IGN, SA_RESTART);
+				SETSIG(sa, SIGQUIT, SIG_IGN, SA_RESTART);
+				SETSIG(sa, SIGCHLD, SIG_DFL, SA_RESTART);
+
+				while ((rc = waitpid(pid, &st, 0)) != pid)
+					if (rc < 0 && errno == ECHILD)
+						break;
+
+				/*
+				 *	Small optimization. See if stealing
+				 *	controlling tty back is needed.
+				 */
+				pgrp = tcgetpgrp(f);
+				if (pgrp != getpid())
+					exit(0);
+
+				/*
+				 *	Steal controlling tty away. We do
+				 *	this with a temporary process.
+				 */
+				if ((pid = fork()) < 0) {
+  					initlog(L_VB, "cannot fork");
+					exit(1);
+				}
+				if (pid == 0) {
+					setsid();
+					(void)ioctl(f, TIOCSCTTY, 1);
+					exit(0);
+				}
+				while((rc = waitpid(pid, &st, 0)) != pid)
+					if (rc < 0 && errno == ECHILD)
+						break;
+				exit(0);
+			}
+
+			/* Set ioctl settings to default ones */
+			console_stty();
+
+  		} else {
+			setsid();
+			if ((f = console_open(O_RDWR|O_NOCTTY)) < 0) {
+				initlog(L_VB, "open(%s): %s", console_dev,
+					strerror(errno));
+				f = open("/dev/null", O_RDWR);
+			}
+			dup(f);
+			dup(f);
+		}
+
+  		/* Reset all the signals, set up environment */
+  		for(f = 1; f < NSIG; f++) SETSIG(sa, f, SIG_DFL, SA_RESTART);
+		environ = init_buildenv(1);
+
+		/*
+		 *	Execute prog. In case of ENOEXEC try again
+		 *	as a shell script.
+		 */
+  		execvp(args[1], args + 1);
+		if (errno == ENOEXEC) {
+  			args[1] = SHELL;
+  			args[2] = "-c";
+  			strcpy(buf, "exec ");
+  			strncat(buf, proc, sizeof(buf) - strlen(buf) - 1);
+  			args[3] = buf;
+  			args[4] = NULL;
+			execvp(args[1], args + 1);
+		}
+  		initlog(L_VB, "cannot execute \"%s\"", args[1]);
+  		exit(1);
+  	}
+	*res = pid;
+  	sigprocmask(SIG_SETMASK, &omask, NULL);
+
+	INITDBG(L_VB, "Started id %s (pid %d)", ch->id, pid);
+
+	if (pid == -1) {
+		initlog(L_VB, "cannot fork, retry..");
+		do_sleep(5);
+		continue;
+	}
+	return(pid);
+  }
+}
+
+/*
+ *	Start a child running!
+ */
+void startup(CHILD *ch)
+{
+	/*
+	 *	See if it's disabled
+	 */
+	if (ch->flags & FAILING) return;
+
+	switch(ch->action) {
+
+		case SYSINIT:
+		case BOOTWAIT:
+		case WAIT:
+		case POWERWAIT:
+		case POWERFAILNOW:
+		case POWEROKWAIT:
+		case CTRLALTDEL:
+			if (!(ch->flags & XECUTED)) ch->flags |= WAITING;
+		case KBREQUEST:
+		case BOOT:
+		case POWERFAIL:
+		case ONCE:
+			if (ch->flags & XECUTED) break;
+		case ONDEMAND:
+		case RESPAWN:
+  			ch->flags |= RUNNING;
+  			if (spawn(ch, &(ch->pid)) < 0) break;
+			/*
+			 *	Do NOT log if process field starts with '+'
+			 *	FIXME: that's for compatibility with *very*
+			 *	old getties - probably it can be taken out.
+			 */
+  			if (ch->process[0] != '+')
+				write_utmp_wtmp("", ch->id, ch->pid,
+					INIT_PROCESS, "");
+  			break;
+	}
+}
+
+
+/*
+ *	Read the inittab file.
+ */
+void read_inittab(void)
+{
+  FILE		*fp;			/* The INITTAB file */
+  CHILD		*ch, *old, *i;		/* Pointers to CHILD structure */
+  CHILD		*head = NULL;		/* Head of linked list */
+#ifdef INITLVL
+  struct stat	st;			/* To stat INITLVL */
+#endif
+  sigset_t	nmask, omask;		/* For blocking SIGCHLD. */
+  char		buf[256];		/* Line buffer */
+  char		err[64];		/* Error message. */
+  char		*id, *rlevel,
+		*action, *process;	/* Fields of a line */
+  char		*p;
+  int		lineNo = 0;		/* Line number in INITTAB file */
+  int		actionNo;		/* Decoded action field */
+  int		f;			/* Counter */
+  int		round;			/* round 0 for SIGTERM, 1 for SIGKILL */
+  int		foundOne = 0;		/* No killing no sleep */
+  int		talk;			/* Talk to the user */
+  int		done = 0;		/* Ready yet? */
+
+#if DEBUG
+  if (newFamily != NULL) {
+	INITDBG(L_VB, "PANIC newFamily != NULL");
+	exit(1);
+  }
+  INITDBG(L_VB, "Reading inittab");
+#endif
+
+  /*
+   *	Open INITTAB and real line by line.
+   */
+  if ((fp = fopen(INITTAB, "r")) == NULL)
+	initlog(L_VB, "No inittab file found");
+
+  while(!done) {
+	/*
+	 *	Add single user shell entry at the end.
+	 */
+	if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) {
+		done = 1;
+		/*
+		 *	See if we have a single user entry.
+		 */
+		for(old = newFamily; old; old = old->next)
+			if (strpbrk(old->rlevel, "S")) break;
+		if (old == NULL)
+			snprintf(buf, sizeof(buf), "~~:S:wait:%s\n", SULOGIN);
+		else
+			continue;
+	}
+	lineNo++;
+	/*
+	 *	Skip comments and empty lines
+	 */
+	for(p = buf; *p == ' ' || *p == '\t'; p++)
+		;
+	if (*p == '#' || *p == '\n') continue;
+
+	/*
+	 *	Decode the fields
+	 */
+	id =      strsep(&p, ":");
+	rlevel =  strsep(&p, ":");
+	action =  strsep(&p, ":");
+	process = strsep(&p, "\n");
+
+	/*
+	 *	Check if syntax is OK. Be very verbose here, to
+	 *	avoid newbie postings on comp.os.linux.setup :)
+	 */
+	err[0] = 0;
+	if (!id || !*id) strcpy(err, "missing id field");
+	if (!rlevel)     strcpy(err, "missing runlevel field");
+	if (!process)    strcpy(err, "missing process field");
+	if (!action || !*action)
+			strcpy(err, "missing action field");
+	if (id && strlen(id) > sizeof(utproto.ut_id))
+		sprintf(err, "id field too long (max %d characters)",
+			(int)sizeof(utproto.ut_id));
+	if (rlevel && strlen(rlevel) > 11)
+		strcpy(err, "rlevel field too long (max 11 characters)");
+	if (process && strlen(process) > 127)
+		strcpy(err, "process field too long");
+	if (action && strlen(action) > 32)
+		strcpy(err, "action field too long");
+	if (err[0] != 0) {
+		initlog(L_VB, "%s[%d]: %s", INITTAB, lineNo, err);
+		INITDBG(L_VB, "%s:%s:%s:%s", id, rlevel, action, process);
+		continue;
+	}
+  
+	/*
+	 *	Decode the "action" field
+	 */
+	actionNo = -1;
+	for(f = 0; actions[f].name; f++)
+		if (strcasecmp(action, actions[f].name) == 0) {
+			actionNo = actions[f].act;
+			break;
+		}
+	if (actionNo == -1) {
+		initlog(L_VB, "%s[%d]: %s: unknown action field",
+			INITTAB, lineNo, action);
+		continue;
+	}
+
+	/*
+	 *	See if the id field is unique
+	 */
+	for(old = newFamily; old; old = old->next) {
+		if(strcmp(old->id, id) == 0 && strcmp(id, "~~")) {
+			initlog(L_VB, "%s[%d]: duplicate ID field \"%s\"",
+				INITTAB, lineNo, id);
+			break;
+		}
+	}
+	if (old) continue;
+
+	/*
+	 *	Allocate a CHILD structure
+	 */
+	ch = imalloc(sizeof(CHILD));
+
+	/*
+	 *	And fill it in.
+	 */
+	ch->action = actionNo;
+	strncpy(ch->id, id, sizeof(utproto.ut_id) + 1); /* Hack for different libs. */
+	strncpy(ch->process, process, sizeof(ch->process) - 1);
+	if (rlevel[0]) {
+		for(f = 0; f < sizeof(rlevel) - 1 && rlevel[f]; f++) {
+			ch->rlevel[f] = rlevel[f];
+			if (ch->rlevel[f] == 's') ch->rlevel[f] = 'S';
+		}
+		strncpy(ch->rlevel, rlevel, sizeof(ch->rlevel) - 1);
+	} else {
+		strcpy(ch->rlevel, "0123456789");
+		if (ISPOWER(ch->action))
+			strcpy(ch->rlevel, "S0123456789");
+	}
+	/*
+	 *	We have the fake runlevel '#' for SYSINIT  and
+	 *	'*' for BOOT and BOOTWAIT.
+	 */
+	if (ch->action == SYSINIT) strcpy(ch->rlevel, "#");
+	if (ch->action == BOOT || ch->action == BOOTWAIT)
+		strcpy(ch->rlevel, "*");
+
+	/*
+	 *	Now add it to the linked list. Special for powerfail.
+	 */
+	if (ISPOWER(ch->action)) {
+
+		/*
+		 *	Disable by default
+		 */
+		ch->flags |= XECUTED;
+
+		/*
+		 *	Tricky: insert at the front of the list..
+		 */
+		old = NULL;
+		for(i = newFamily; i; i = i->next) {
+			if (!ISPOWER(i->action)) break;
+			old = i;
+		}
+		/*
+		 *	Now add after entry "old"
+		 */
+		if (old) {
+			ch->next = i;
+			old->next = ch;
+			if (i == NULL) head = ch;
+		} else {
+			ch->next = newFamily;
+			newFamily = ch;
+			if (ch->next == NULL) head = ch;
+		}
+	} else {
+		/*
+		 *	Just add at end of the list
+		 */
+		if (ch->action == KBREQUEST) ch->flags |= XECUTED;
+		ch->next = NULL;
+		if (head)
+			head->next = ch;
+		else
+			newFamily = ch;
+		head = ch;
+	}
+
+	/*
+	 *	Walk through the old list comparing id fields
+	 */
+	for(old = family; old; old = old->next)
+		if (strcmp(old->id, ch->id) == 0) {
+			old->new = ch;
+			break;
+		}
+  }
+  /*
+   *	We're done.
+   */
+  if (fp) fclose(fp);
+
+  /*
+   *	Loop through the list of children, and see if they need to
+   *	be killed. 
+   */
+
+  INITDBG(L_VB, "Checking for children to kill");
+  for(round = 0; round < 2; round++) {
+    talk = 1;
+    for(ch = family; ch; ch = ch->next) {
+	ch->flags &= ~KILLME;
+
+	/*
+	 *	Is this line deleted?
+	 */
+	if (ch->new == NULL) ch->flags |= KILLME;
+
+	/*
+	 *	If the entry has changed, kill it anyway. Note that
+	 *	we do not check ch->process, only the "action" field.
+	 *	This way, you can turn an entry "off" immediately, but
+	 *	changes in the command line will only become effective
+	 *	after the running version has exited.
+	 */
+	if (ch->new && ch->action != ch->new->action) ch->flags |= KILLME;
+
+	/*
+	 *	Only BOOT processes may live in all levels
+	 */
+	if (ch->action != BOOT &&
+	    strchr(ch->rlevel, runlevel) == NULL) {
+		/*
+		 *	Ondemand procedures live always,
+		 *	except in single user
+		 */
+		if (runlevel == 'S' || !(ch->flags & DEMAND))
+			ch->flags |= KILLME;
+	}
+
+	/*
+	 *	Now, if this process may live note so in the new list
+	 */
+	if ((ch->flags & KILLME) == 0) {
+		ch->new->flags  = ch->flags;
+		ch->new->pid    = ch->pid;
+		ch->new->exstat = ch->exstat;
+		continue;
+	}
+
+
+	/*
+	 *	Is this process still around?
+	 */
+	if ((ch->flags & RUNNING) == 0) {
+		ch->flags &= ~KILLME;
+		continue;
+	}
+	INITDBG(L_VB, "Killing \"%s\"", ch->process);
+	switch(round) {
+		case 0: /* Send TERM signal */
+			if (talk)
+				initlog(L_CO,
+					"Sending processes the TERM signal");
+			kill(-(ch->pid), SIGTERM);
+			foundOne = 1;
+			break;
+		case 1: /* Send KILL signal and collect status */
+			if (talk)
+				initlog(L_CO,
+					"Sending processes the KILL signal");
+			kill(-(ch->pid), SIGKILL);
+			break;
+	}
+	talk = 0;
+	
+    }
+    /*
+     *	See if we have to wait 5 seconds
+     */
+    if (foundOne && round == 0) {
+	/*
+	 *	Yup, but check every second if we still have children.
+	 */
+	for(f = 0; f < sltime; f++) {
+		for(ch = family; ch; ch = ch->next) {
+			if (!(ch->flags & KILLME)) continue;
+			if ((ch->flags & RUNNING) && !(ch->flags & ZOMBIE))
+				break;
+		}
+		if (ch == NULL) {
+			/*
+			 *	No running children, skip SIGKILL
+			 */
+			round = 1;
+			foundOne = 0; /* Skip the sleep below. */
+			break;
+		}
+		do_sleep(1);
+	}
+    }
+  }
+
+  /*
+   *	Now give all processes the chance to die and collect exit statuses.
+   */
+  if (foundOne) do_sleep(1);
+  for(ch = family; ch; ch = ch->next)
+	if (ch->flags & KILLME) {
+		if (!(ch->flags & ZOMBIE))
+		    initlog(L_CO, "Pid %d [id %s] seems to hang", ch->pid,
+				ch->id);
+		else {
+		    INITDBG(L_VB, "Updating utmp for pid %d [id %s]",
+				ch->pid, ch->id);
+		    ch->flags &= ~RUNNING;
+		    if (ch->process[0] != '+')
+		    	write_utmp_wtmp("", ch->id, ch->pid, DEAD_PROCESS, NULL);
+		}
+	}
+
+  /*
+   *	Both rounds done; clean up the list.
+   */
+  sigemptyset(&nmask);
+  sigaddset(&nmask, SIGCHLD);
+  sigprocmask(SIG_BLOCK, &nmask, &omask);
+  for(ch = family; ch; ch = old) {
+	old = ch->next;
+	free(ch);
+  }
+  family = newFamily;
+  for(ch = family; ch; ch = ch->next) ch->new = NULL;
+  newFamily = NULL;
+  sigprocmask(SIG_SETMASK, &omask, NULL);
+
+#ifdef INITLVL
+  /*
+   *	Dispose of INITLVL file.
+   */
+  if (lstat(INITLVL, &st) >= 0 && S_ISLNK(st.st_mode)) {
+	/*
+	 *	INITLVL is a symbolic link, so just truncate the file.
+	 */
+	close(open(INITLVL, O_WRONLY|O_TRUNC));
+  } else {
+	/*
+	 *	Delete INITLVL file.
+	 */
+  	unlink(INITLVL);
+  }
+#endif
+#ifdef INITLVL2
+  /*
+   *	Dispose of INITLVL2 file.
+   */
+  if (lstat(INITLVL2, &st) >= 0 && S_ISLNK(st.st_mode)) {
+	/*
+	 *	INITLVL2 is a symbolic link, so just truncate the file.
+	 */
+	close(open(INITLVL2, O_WRONLY|O_TRUNC));
+  } else {
+	/*
+	 *	Delete INITLVL2 file.
+	 */
+  	unlink(INITLVL2);
+  }
+#endif
+}
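Review bot: In read_inittab(), the runlevel copy loop is bounded by "sizeof(rlevel) - 1", but rlevel is a char *, so the bound is the pointer size minus one rather than the size of ch->rlevel. The "strncpy(ch->rlevel, rlevel, sizeof(ch->rlevel) - 1);" that follows the loop then overwrites the 's' to 'S' conversion the loop just made. As written, a lowercase 's' in the runlevel field stays lowercase in ch->rlevel, while later checks such as strchr(ch->rlevel, runlevel) compare against the upper-cased level. Suggest bounding the loop with sizeof(ch->rlevel) - 1 and dropping the strncpy(); imalloc() already zeroes the structure, so the copied string stays terminated.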
+
+/*
+ *	Walk through the family list and start up children.
+ *	The entries that do not belong here at all are removed
+ *	from the list.
+ */
+void start_if_needed(void)
+{
+	CHILD *ch;		/* Pointer to child */
+	int delete;		/* Delete this entry from list? */
+
+	INITDBG(L_VB, "Checking for children to start");
+
+	for(ch = family; ch; ch = ch->next) {
+
+#if DEBUG
+		if (ch->rlevel[0] == 'C') {
+			INITDBG(L_VB, "%s: flags %d", ch->process, ch->flags);
+		}
+#endif
+
+		/* Are we waiting for this process? Then quit here. */
+		if (ch->flags & WAITING) break;
+
+		/* Already running? OK, don't touch it */
+		if (ch->flags & RUNNING) continue;
+
+		/* See if we have to start it up */
+		delete = 1;
+		if (strchr(ch->rlevel, runlevel) ||
+		    ((ch->flags & DEMAND) && !strchr("#*Ss", runlevel))) {
+			startup(ch);
+			delete = 0;
+		}
+
+		if (delete) {
+			/* FIXME: is this OK? */
+			ch->flags &= ~(RUNNING|WAITING);
+			if (!ISPOWER(ch->action) && ch->action != KBREQUEST)
+				ch->flags &= ~XECUTED;
+			ch->pid = 0;
+		} else
+			/* Do we have to wait for this process? */
+			if (ch->flags & WAITING) break;
+	}
+	/* Done. */
+}
+
+/*
+ *	Ask the user on the console for a runlevel
+ */
+int ask_runlevel(void)
+{
+	const char	prompt[] = "\nEnter runlevel: ";
+	char		buf[8];
+	int		lvl = -1;
+	int		fd;
+
+	console_stty();
+	fd = console_open(O_RDWR|O_NOCTTY);
+
+	if (fd < 0) return('S');
+
+	while(!strchr("0123456789S", lvl)) {
+  		write(fd, prompt, sizeof(prompt) - 1);
+		buf[0] = 0;
+  		read(fd, buf, sizeof(buf));
+  		if (buf[0] != 0 && (buf[1] == '\r' || buf[1] == '\n'))
+			lvl = buf[0];
+		if (islower(lvl)) lvl = toupper(lvl);
+	}
+	close(fd);
+	return lvl;
+}
+
+/*
+ *	Search the INITTAB file for the 'initdefault' field, with the default
+ *	runlevel. If this fails, ask the user to supply a runlevel.
+ */
+int get_init_default(void)
+{
+	CHILD *ch;
+	int lvl = -1;
+	char *p;
+
+	/*
+	 *	Look for initdefault.
+	 */
+	for(ch = family; ch; ch = ch->next)
+		if (ch->action == INITDEFAULT) {
+			p = ch->rlevel;
+			while(*p) {
+				if (*p > lvl) lvl = *p;
+				p++;
+			}
+			break;
+		}
+	/*
+	 *	See if level is valid
+	 */
+	if (lvl > 0) {
+		if (islower(lvl)) lvl = toupper(lvl);
+		if (strchr("0123456789S", lvl) == NULL) {
+			initlog(L_VB,
+				"Initdefault level '%c' is invalid", lvl);
+			lvl = 0;
+		}
+	}
+	/*
+	 *	Ask for runlevel on console if needed.
+	 */
+	if (lvl <= 0) lvl = ask_runlevel();
+
+	/*
+	 *	Log the fact that we have a runlevel now.
+	 */
+	return lvl;
+}
+
+
+/*
+ *	We got signaled.
+ *
+ *	Do actions for the new level. If we are compatible with
+ *	the "old" INITLVL and arg == 0, try to read the new
+ *	runlevel from that file first.
+ */
+int read_level(int arg)
+{
+	CHILD		*ch;			/* Walk through list */
+	unsigned char	foo = 'X';		/* Contents of INITLVL */
+	int		ok = 1;
+#ifdef INITLVL
+	FILE		*fp;
+	struct stat	stt;
+	int		st;
+#endif
+
+	if (arg) foo = arg;
+
+#ifdef INITLVL
+	ok = 0;
+
+	if (arg == 0) {
+		fp = NULL;
+		if (stat(INITLVL, &stt) != 0 || stt.st_size != 0L)
+			fp = fopen(INITLVL, "r");
+#ifdef INITLVL2
+		if (fp == NULL &&
+		    (stat(INITLVL2, &stt) != 0 || stt.st_size != 0L))
+			fp = fopen(INITLVL2, "r");
+#endif
+		if (fp == NULL) {
+			/* INITLVL file empty or not there - act as 'init q' */
+			initlog(L_SY, "Re-reading inittab");
+  			return(runlevel);
+		}
+		ok = fscanf(fp, "%c %d", &foo, &st);
+		fclose(fp);
+	} else {
+		/* We go to the new runlevel passed as an argument. */
+		foo = arg;
+		ok = 1;
+	}
+	if (ok == 2) sltime = st;
+
+#endif /* INITLVL */
+
+	if (islower(foo)) foo = toupper(foo);
+	if (ok < 1 || ok > 2 || strchr("QS0123456789ABCU", foo) == NULL) {
+ 		initlog(L_VB, "bad runlevel: %c", foo);
+  		return runlevel;
+	}
+
+	/* Log this action */
+	switch(foo) {
+		case 'S':
+  			initlog(L_VB, "Going single user");
+			break;
+		case 'Q':
+			initlog(L_SY, "Re-reading inittab");
+			break;
+		case 'A':
+		case 'B':
+		case 'C':
+			initlog(L_SY,
+				"Activating demand-procedures for '%c'", foo);
+			break;
+		case 'U':
+			initlog(L_SY, "Trying to re-exec init");
+			return 'U';
+		default:
+		  	initlog(L_VB, "Switching to runlevel: %c", foo);
+	}
+
+	if (foo == 'Q') return runlevel;
+
+	/* Check if this is a runlevel a, b or c */
+	if (strchr("ABC", foo)) {
+		if (runlevel == 'S') return(runlevel);
+
+		/* Read inittab again first! */
+		read_inittab();
+
+  		/* Mark those special tasks */
+		for(ch = family; ch; ch = ch->next)
+			if (strchr(ch->rlevel, foo) != NULL ||
+			    strchr(ch->rlevel, tolower(foo)) != NULL) {
+				ch->flags |= DEMAND;
+				ch->flags &= ~XECUTED;
+				INITDBG(L_VB,
+					"Marking (%s) as ondemand, flags %d",
+					ch->id, ch->flags);
+			}
+  		return runlevel;
+	}
+
+	/* Store both the old and the new runlevel. */
+	write_utmp_wtmp("runlevel", "~~", foo + 256*runlevel, RUN_LVL, "~");
+	thislevel = foo;
+	prevlevel = runlevel;
+	return foo;
+}
+
+
+/*
+ *	This procedure is called after every signal (SIGHUP, SIGALRM..)
+ *
+ *	Only clear the 'failing' flag if the process is sleeping
+ *	longer than 5 minutes, or inittab was read again due
+ *	to user interaction.
+ */
+void fail_check(void)
+{
+	CHILD	*ch;			/* Pointer to child structure */
+	time_t	t;			/* System time */
+	time_t	next_alarm = 0;		/* When to set next alarm */
+
+	time(&t);
+
+	for(ch = family; ch; ch = ch->next) {
+
+		if (ch->flags & FAILING) {
+			/* Can we free this sucker? */
+			if (ch->tm + SLEEPTIME < t) {
+				ch->flags &= ~FAILING;
+				ch->count = 0;
+				ch->tm = 0;
+			} else {
+				/* No, we'll look again later */
+				if (next_alarm == 0 ||
+				    ch->tm + SLEEPTIME > next_alarm)
+					next_alarm = ch->tm + SLEEPTIME;
+			}
+		}
+	}
+	if (next_alarm) {
+		next_alarm -= t;
+		if (next_alarm < 1) next_alarm = 1;
+		alarm(next_alarm);
+	}
+}
+
+/* Set all 'Fail' timers to 0 */
+void fail_cancel(void)
+{
+	CHILD *ch;
+
+	for(ch = family; ch; ch = ch->next) {
+		ch->count = 0;
+		ch->tm = 0;
+		ch->flags &= ~FAILING;
+	}
+}
+
+/*
+ *	Start up powerfail entries.
+ */
+void do_power_fail(int pwrstat)
+{
+	CHILD *ch;
+
+	/*
+	 *	Tell powerwait & powerfail entries to start up
+	 */
+	for (ch = family; ch; ch = ch->next) {
+		if (pwrstat == 'O') {
+			/*
+		 	 *	The power is OK again.
+		 	 */
+			if (ch->action == POWEROKWAIT)
+				ch->flags &= ~XECUTED;
+		} else if (pwrstat == 'L') {
+			/*
+			 *	Low battery, shut down now.
+			 */
+			if (ch->action == POWERFAILNOW)
+				ch->flags &= ~XECUTED;
+		} else {
+			/*
+			 *	Power is failing, shutdown imminent
+			 */
+			if (ch->action == POWERFAIL || ch->action == POWERWAIT)
+				ch->flags &= ~XECUTED;
+		}
+	}
+}
+
+/*
+ *	Check for state-pipe presence
+ */
+int check_pipe(int fd)
+{
+	struct timeval	t;
+	fd_set		s;
+	char		signature[8];
+
+	FD_ZERO(&s);
+	FD_SET(fd, &s);
+	t.tv_sec = t.tv_usec = 0;
+
+	if (select(fd+1, &s, NULL, NULL, &t) != 1)
+		return 0;
+	if (read(fd, signature, 8) != 8)
+		 return 0;
+	return strncmp(Signature, signature, 8) == 0;
+}
+
+/*
+ *	 Make a state-pipe.
+ */
+int make_pipe(int fd)
+{
+	int fds[2];
+
+	pipe(fds);
+	dup2(fds[0], fd);
+	close(fds[0]);
+	fcntl(fds[1], F_SETFD, 1);
+	fcntl(fd, F_SETFD, 0);
+	write(fds[1], Signature, 8);
+
+	return fds[1];
+}
+
+/*
+ *	Attempt to re-exec.
+ */
+void re_exec(void)
+{
+	CHILD		*ch;
+	sigset_t	mask, oldset;
+	pid_t		pid;
+	char		**env;
+	int		fd;
+
+	if (strchr("S12345",runlevel) == NULL)
+		return;
+
+	/*
+	 *	Reset the alarm, and block all signals.
+	 */
+	alarm(0);
+	sigfillset(&mask);
+	sigprocmask(SIG_BLOCK, &mask, &oldset);
+
+	/*
+	 *	construct a pipe fd --> STATE_PIPE and write a signature
+	 */
+	fd = make_pipe(STATE_PIPE);
+
+	/* 
+	 * It's a backup day today, so I'm pissed off.  Being a BOFH, however, 
+	 * does have it's advantages...
+	 */
+	fail_cancel();
+	close(pipe_fd);
+	pipe_fd = -1;
+	DELSET(got_signals, SIGCHLD);
+	DELSET(got_signals, SIGHUP);
+	DELSET(got_signals, SIGUSR1);
+
+	/*
+	 *	That should be cleaned.
+	 */
+	for(ch = family; ch; ch = ch->next)
+	    if (ch->flags & ZOMBIE) {
+		INITDBG(L_VB, "Child died, PID= %d", ch->pid);
+		ch->flags &= ~(RUNNING|ZOMBIE|WAITING);
+		if (ch->process[0] != '+')
+			write_utmp_wtmp("", ch->id, ch->pid, DEAD_PROCESS, NULL);
+	    }
+
+	if ((pid = fork()) == 0) {
+		/*
+		 *	Child sends state information to the parent.
+		 */
+		send_state(fd);
+		exit(0);
+	}
+
+	/*
+	 *	The existing init process execs a new init binary.
+	 */
+	env = init_buildenv(0);
+	execl(myname, myname, "--init", NULL, env);
+
+	/*
+	 *	We shouldn't be here, something failed. 
+	 *	Bitch, close the state pipe, unblock signals and return.
+	 */
+	close(fd);
+	close(STATE_PIPE);
+	sigprocmask(SIG_SETMASK, &oldset, NULL);
+	init_freeenv(env);
+	initlog(L_CO, "Attempt to re-exec failed");
+}
+
+
+/*
+ *	We got a change runlevel request through the
+ *	init.fifo. Process it.
+ */
+void fifo_new_level(int level)
+{
+#if CHANGE_WAIT
+	CHILD	*ch;
+#endif
+	int	oldlevel;
+
+	if (level == runlevel) return;
+
+#if CHANGE_WAIT
+	/* Are we waiting for a child? */
+	for(ch = family; ch; ch = ch->next)
+		if (ch->flags & WAITING) break;
+	if (ch == NULL)
+#endif
+	{
+		/* We need to go into a new runlevel */
+		oldlevel = runlevel;
+		runlevel = read_level(level);
+		if (runlevel == 'U') {
+			runlevel = oldlevel;
+			re_exec();
+		} else {
+			if (oldlevel != 'S' && runlevel == 'S') console_stty();
+			if (runlevel == '6' || runlevel == '0' ||
+			    runlevel == '1') console_stty();
+			read_inittab();
+			fail_cancel();
+			setproctitle("init [%c]", runlevel);
+		}
+	}
+}
+
+
+/*
+ *	Set/unset environment variables. The variables are
+ *	encoded as KEY=VAL\0KEY=VAL\0\0. With "=VAL" it means
+ *	setenv, without it means unsetenv.
+ */
+void initcmd_setenv(char *data, int size)
+{
+	char		*env, *p, *e, *eq;
+	int		i, sz;
+
+	e = data + size;
+
+	while (*data && data < e) {
+		eq = NULL;
+		for (p = data; *p && p < e; p++)
+			if (*p == '=') eq = p;
+		if (*p) break;
+		env = data;
+		data = ++p;
+
+		sz = eq ? (eq - env) : (p - env);
+
+		/*initlog(L_SY, "init_setenv: %s, %s, %d", env, eq, sz);*/
+
+		/*
+		 *	We only allow INIT_* to be set.
+		 */
+		if (strncmp(env, "INIT_", 5) != 0)
+			continue;
+
+		/* Free existing vars. */
+		for (i = 0; i < NR_EXTRA_ENV; i++) {
+			if (extra_env[i] == NULL) continue;
+			if (!strncmp(extra_env[i], env, sz) &&
+			    extra_env[i][sz] == '=') {
+				free(extra_env[i]);
+				extra_env[i] = NULL;
+			}
+		}
+
+		/* Set new vars if needed. */
+		if (eq == NULL) continue;
+		for (i = 0; i < NR_EXTRA_ENV; i++) {
+			if (extra_env[i] == NULL) {
+				extra_env[i] = istrdup(env);
+				break;
+			}
+		}
+	}
+}
+
+
+/*
+ *	Read from the init FIFO. Processes like telnetd and rlogind can
+ *	ask us to create login processes on their behalf.
+ *
+ *	FIXME:	this needs to be finished. NOT that it is buggy, but we need
+ *		to add the telnetd/rlogind stuff so people can start using it.
+ *		Maybe move to using an AF_UNIX socket so we can use
+ *		the 2.2 kernel credential stuff to see who we're talking to.
+ *	
+ */
+void check_init_fifo(void)
+{
+  struct init_request	request;
+  struct timeval	tv;
+  struct stat		st, st2;
+  fd_set		fds;
+  int			n;
+  int			quit = 0;
+
+  /*
+   *	First, try to create /dev/initctl if not present.
+   */
+  if (stat(INIT_FIFO, &st2) < 0 && errno == ENOENT)
+	(void)mkfifo(INIT_FIFO, 0600);
+
+  /*
+   *	If /dev/initctl is open, stat the file to see if it
+   *	is still the _same_ inode.
+   */
+  if (pipe_fd >= 0) {
+	fstat(pipe_fd, &st);
+	if (stat(INIT_FIFO, &st2) < 0 ||
+	    st.st_dev != st2.st_dev ||
+	    st.st_ino != st2.st_ino) {
+		close(pipe_fd);
+		pipe_fd = -1;
+	}
+  }
+
+  /*
+   *	Now finally try to open /dev/initctl
+   */
+  if (pipe_fd < 0) {
+	if ((pipe_fd = open(INIT_FIFO, O_RDWR|O_NONBLOCK)) >= 0) {
+		fstat(pipe_fd, &st);
+		if (!S_ISFIFO(st.st_mode)) {
+			initlog(L_VB, "%s is not a fifo", INIT_FIFO);
+			close(pipe_fd);
+			pipe_fd = -1;
+		}
+	}
+	if (pipe_fd >= 0) {
+		/*
+		 *	Don't use fd's 0, 1 or 2.
+		 */
+		(void) dup2(pipe_fd, PIPE_FD);
+		close(pipe_fd);
+		pipe_fd = PIPE_FD;
+
+		/*
+		 *	Return to caller - we'll be back later.
+		 */
+	}
+  }
+
+  /* Wait for data to appear, _if_ the pipe was opened. */
+  if (pipe_fd >= 0) while(!quit) {
+
+	/* Do select, return on EINTR. */
+	FD_ZERO(&fds);
+	FD_SET(pipe_fd, &fds);
+	tv.tv_sec = 5;
+	tv.tv_usec = 0;
+	n = select(pipe_fd + 1, &fds, NULL, NULL, &tv);
+	if (n <= 0) {
+		if (n == 0 || errno == EINTR) return;
+		continue;
+	}
+
+	/* Read the data, return on EINTR. */
+	n = read(pipe_fd, &request, sizeof(request));
+	if (n == 0) {
+		/*
+		 *	End of file. This can't happen under Linux (because
+		 *	the pipe is opened O_RDWR - see select() in the
+		 *	kernel) but you never know...
+		 */
+		close(pipe_fd);
+		pipe_fd = -1;
+		return;
+	}
+	if (n <= 0) {
+		if (errno == EINTR) return;
+		initlog(L_VB, "error reading initrequest");
+		continue;
+	}
+
+	/*
+	 *	This is a convenient point to also try to
+	 *	find the console device or check if it changed.
+	 */
+	console_init();
+
+	/*
+	 *	Process request.
+	 */
+	if (request.magic != INIT_MAGIC || n != sizeof(request)) {
+		initlog(L_VB, "got bogus initrequest");
+		continue;
+	}
+	switch(request.cmd) {
+		case INIT_CMD_RUNLVL:
+			sltime = request.sleeptime;
+			fifo_new_level(request.runlevel);
+			quit = 1;
+			break;
+		case INIT_CMD_POWERFAIL:
+			sltime = request.sleeptime;
+			do_power_fail('F');
+			quit = 1;
+			break;
+		case INIT_CMD_POWERFAILNOW:
+			sltime = request.sleeptime;
+			do_power_fail('L');
+			quit = 1;
+			break;
+		case INIT_CMD_POWEROK:
+			sltime = request.sleeptime;
+			do_power_fail('O');
+			quit = 1;
+			break;
+		case INIT_CMD_SETENV:
+			initcmd_setenv(request.i.data, sizeof(request.i.data));
+			break;
+		case INIT_CMD_CHANGECONS:
+			if (user_console) {
+				free(user_console);
+				user_console = NULL;
+			}
+			if (!request.i.bsd.reserved[0])
+				user_console = NULL;
+			else
+				user_console = strdup(request.i.bsd.reserved);
+			console_init();
+			quit = 1;
+			break;
+		default:
+			initlog(L_VB, "got unimplemented initrequest.");
+			break;
+	}
+  }
+
+  /*
+   *	We come here if the pipe couldn't be opened.
+   */
+  if (pipe_fd < 0) pause();
+
+}
+
+
+/*
+ *	This function is used in the transition
+ *	sysinit (-> single user) boot -> multi-user.
+ */
+void boot_transitions()
+{
+  CHILD		*ch;
+  static int	newlevel = 0;
+  static int	warn = 1;
+  int		loglevel;
+  int		oldlevel;
+
+  /* Check if there is something to wait for! */
+  for( ch = family; ch; ch = ch->next )
+	if ((ch->flags & RUNNING) && ch->action != BOOT) break;
+     
+  if (ch == NULL) {
+	/* No processes left in this level, proceed to next level. */
+	loglevel = -1;
+	oldlevel = 'N';
+	switch(runlevel) {
+		case '#': /* SYSINIT -> BOOT */
+			INITDBG(L_VB, "SYSINIT -> BOOT");
+
+			/* Write a boot record. */
+			wrote_utmp_reboot = 0;
+			wrote_wtmp_reboot = 0;
+			write_utmp_wtmp("reboot", "~~", 0, BOOT_TIME, "~");
+
+  			/* Get our run level */
+  			newlevel = dfl_level ? dfl_level : get_init_default();
+			if (newlevel == 'S') {
+				runlevel = newlevel;
+				/* Not really 'S' but show anyway. */
+				setproctitle("init [S]");
+			} else
+				runlevel = '*';
+			break;
+		case '*': /* BOOT -> NORMAL */
+			INITDBG(L_VB, "BOOT -> NORMAL");
+			if (runlevel != newlevel)
+				loglevel = newlevel;
+			runlevel = newlevel;
+			did_boot = 1;
+			warn = 1;
+			break;
+		case 'S': /* Ended SU mode */
+		case 's':
+			INITDBG(L_VB, "END SU MODE");
+			newlevel = get_init_default();
+			if (!did_boot && newlevel != 'S')
+				runlevel = '*';
+			else {
+				if (runlevel != newlevel)
+					loglevel = newlevel;
+				runlevel = newlevel;
+				oldlevel = 'S';
+			}
+			warn = 1;
+			for(ch = family; ch; ch = ch->next)
+			    if (strcmp(ch->rlevel, "S") == 0)
+				ch->flags &= ~(FAILING|WAITING|XECUTED);
+			break;
+		default:
+			if (warn)
+			  initlog(L_VB,
+				"no more processes left in this runlevel");
+			warn = 0;
+			loglevel = -1;
+			if (got_signals == 0)
+				check_init_fifo();
+			break;
+	}
+	if (loglevel > 0) {
+		initlog(L_VB, "Entering runlevel: %c", runlevel);
+		write_utmp_wtmp("runlevel", "~~", runlevel + 256 * oldlevel, RUN_LVL, "~");
+		thislevel = runlevel;
+		prevlevel = oldlevel;
+		setproctitle("init [%c]", runlevel);
+	}
+  }
+}
+
+/*
+ *	Init got hit by a signal. See which signal it is,
+ *	and act accordingly.
+ */
+void process_signals()
+{
+  CHILD		*ch;
+  int		pwrstat;
+  int		oldlevel;
+  int		fd;
+  char		c;
+
+  if (ISMEMBER(got_signals, SIGPWR)) {
+	INITDBG(L_VB, "got SIGPWR");
+	/* See _what_ kind of SIGPWR this is. */
+	pwrstat = 0;
+	if ((fd = open(PWRSTAT, O_RDONLY)) >= 0) {
+		c = 0;
+		read(fd, &c, 1);
+		pwrstat = c;
+		close(fd);
+		unlink(PWRSTAT);
+	}
+	do_power_fail(pwrstat);
+	DELSET(got_signals, SIGPWR);
+  }
+
+  if (ISMEMBER(got_signals, SIGINT)) {
+	INITDBG(L_VB, "got SIGINT");
+	/* Tell ctrlaltdel entry to start up */
+	for(ch = family; ch; ch = ch->next)
+		if (ch->action == CTRLALTDEL)
+			ch->flags &= ~XECUTED;
+	DELSET(got_signals, SIGINT);
+  }
+
+  if (ISMEMBER(got_signals, SIGWINCH)) {
+	INITDBG(L_VB, "got SIGWINCH");
+	/* Tell kbrequest entry to start up */
+	for(ch = family; ch; ch = ch->next)
+		if (ch->action == KBREQUEST)
+			ch->flags &= ~XECUTED;
+	DELSET(got_signals, SIGWINCH);
+  }
+
+  if (ISMEMBER(got_signals, SIGALRM)) {
+	INITDBG(L_VB, "got SIGALRM");
+	/* The timer went off: check it out */
+	DELSET(got_signals, SIGALRM);
+  }
+
+  if (ISMEMBER(got_signals, SIGCHLD)) {
+	INITDBG(L_VB, "got SIGCHLD");
+	/* First set flag to 0 */
+	DELSET(got_signals, SIGCHLD);
+
+	/* See which child this was */
+	for(ch = family; ch; ch = ch->next)
+	    if (ch->flags & ZOMBIE) {
+		INITDBG(L_VB, "Child died, PID= %d", ch->pid);
+		ch->flags &= ~(RUNNING|ZOMBIE|WAITING);
+		if (ch->process[0] != '+')
+			write_utmp_wtmp("", ch->id, ch->pid, DEAD_PROCESS, NULL);
+	    }
+
+  }
+
+  if (ISMEMBER(got_signals, SIGHUP)) {
+	INITDBG(L_VB, "got SIGHUP");
+#if CHANGE_WAIT
+	/* Are we waiting for a child? */
+	for(ch = family; ch; ch = ch->next)
+		if (ch->flags & WAITING) break;
+	if (ch == NULL)
+#endif
+	{
+		/* We need to go into a new runlevel */
+		oldlevel = runlevel;
+#ifdef INITLVL
+		runlevel = read_level(0);
+#endif
+		if (runlevel == 'U') {
+			runlevel = oldlevel;
+			re_exec();
+		} else {
+			if (oldlevel != 'S' && runlevel == 'S') console_stty();
+			if (runlevel == '6' || runlevel == '0' ||
+			    runlevel == '1') console_stty();
+			read_inittab();
+			fail_cancel();
+			setproctitle("init [%c]", runlevel);
+			DELSET(got_signals, SIGHUP);
+		}
+	}
+  }
+  if (ISMEMBER(got_signals, SIGUSR1)) {
+	/*
+	 *	SIGUSR1 means close and reopen /dev/initctl
+	 */
+	INITDBG(L_VB, "got SIGUSR1");
+	close(pipe_fd);
+	pipe_fd = -1;
+	DELSET(got_signals, SIGUSR1);
+  }
+}
+
+/*
+ *	The main loop
+ */ 
+int init_main()
+{
+  CHILD			*ch;
+  struct sigaction	sa;
+  sigset_t		sgt;
+  pid_t			rc;
+  int			f, st;
+
+  if (!reload) {
+  
+#if INITDEBUG
+	/*
+	 * Fork so we can debug the init process.
+	 */
+	if ((f = fork()) > 0) {
+		static const char killmsg[] = "PRNT: init killed.\r\n";
+		pid_t rc;
+
+		while((rc = wait(&st)) != f)
+			if (rc < 0 && errno == ECHILD)
+				break;
+		write(1, killmsg, sizeof(killmsg) - 1);
+		while(1) pause();
+	}
+#endif
+
+#ifdef __linux__
+	/*
+	 *	Tell the kernel to send us SIGINT when CTRL-ALT-DEL
+	 *	is pressed, and that we want to handle keyboard signals.
+	 */
+	init_reboot(BMAGIC_SOFT);
+	if ((f = open(VT_MASTER, O_RDWR | O_NOCTTY)) >= 0) {
+		(void) ioctl(f, KDSIGACCEPT, SIGWINCH);
+		close(f);
+	} else
+		(void) ioctl(0, KDSIGACCEPT, SIGWINCH);
+#endif
+
+	/*
+	 *	Ignore all signals.
+	 */
+	for(f = 1; f <= NSIG; f++)
+		SETSIG(sa, f, SIG_IGN, SA_RESTART);
+  }
+
+  SETSIG(sa, SIGALRM,  signal_handler, 0);
+  SETSIG(sa, SIGHUP,   signal_handler, 0);
+  SETSIG(sa, SIGINT,   signal_handler, 0);
+  SETSIG(sa, SIGCHLD,  chld_handler, SA_RESTART);
+  SETSIG(sa, SIGPWR,   signal_handler, 0);
+  SETSIG(sa, SIGWINCH, signal_handler, 0);
+  SETSIG(sa, SIGUSR1,  signal_handler, 0);
+  SETSIG(sa, SIGSTOP,  stop_handler, SA_RESTART);
+  SETSIG(sa, SIGTSTP,  stop_handler, SA_RESTART);
+  SETSIG(sa, SIGCONT,  cont_handler, SA_RESTART);
+  SETSIG(sa, SIGSEGV,  (void (*)(int))segv_handler, SA_RESTART);
+
+  console_init();
+
+  if (!reload) {
+
+  	/* Close whatever files are open, and reset the console. */
+	close(0);
+	close(1);
+	close(2);
+  	console_stty();
+  	setsid();
+
+  	/*
+	 *	Set default PATH variable.
+	 */
+  	putenv(PATH_DFL);
+
+  	/*
+	 *	Initialize /var/run/utmp (only works if /var is on
+	 *	root and mounted rw)
+	 */
+  	(void) close(open(UTMP_FILE, O_WRONLY|O_CREAT|O_TRUNC, 0644));
+
+  	/*
+	 *	Say hello to the world
+	 */
+  	initlog(L_CO, bootmsg, "booting");
+
+  	/*
+	 *	See if we have to start an emergency shell.
+	 */
+	if (emerg_shell) {
+		SETSIG(sa, SIGCHLD, SIG_DFL, SA_RESTART);
+		if (spawn(&ch_emerg, &f) > 0) {
+			while((rc = wait(&st)) != f)
+				if (rc < 0 && errno == ECHILD)
+					break;
+		}
+  		SETSIG(sa, SIGCHLD,  chld_handler, SA_RESTART);
+  	}
+
+  	/*
+	 *	Start normal boot procedure.
+	 */
+  	runlevel = '#';
+  	read_inittab();
+  
+  } else {
+	/*
+	 *	Restart: unblock signals and let the show go on
+	 */
+	initlog(L_CO, bootmsg, "reloading");
+	sigfillset(&sgt);
+	sigprocmask(SIG_UNBLOCK, &sgt, NULL);
+  }
+  start_if_needed();
+
+  while(1) {
+
+     /* See if we need to make the boot transitions. */
+     boot_transitions();
+     INITDBG(L_VB, "init_main: waiting..");
+
+     /* Check if there are processes to be waited on. */
+     for(ch = family; ch; ch = ch->next)
+	if ((ch->flags & RUNNING) && ch->action != BOOT) break;
+
+#if CHANGE_WAIT
+     /* Wait until we get hit by some signal. */
+     while (ch != NULL && got_signals == 0) {
+	if (ISMEMBER(got_signals, SIGHUP)) {
+		/* See if there are processes to be waited on. */
+		for(ch = family; ch; ch = ch->next)
+			if (ch->flags & WAITING) break;
+	}
+	if (ch != NULL) check_init_fifo();
+     }
+#else /* CHANGE_WAIT */
+     if (ch != NULL && got_signals == 0) check_init_fifo();
+#endif /* CHANGE_WAIT */
+
+     /* Check the 'failing' flags */
+     fail_check();
+
+     /* Process any signals. */
+     process_signals();
+
+     /* See what we need to start up (again) */
+     start_if_needed();
+  }
+  /*NOTREACHED*/
+}
+
+/*
+ * Tell the user about the syntax we expect.
+ */
+void usage(char *s)
+{
+	fprintf(stderr, "Usage: %s 0123456SsQqAaBbCcUu\n", s);
+	exit(1);
+}
+
+int telinit(char *progname, int argc, char **argv)
+{
+#ifdef TELINIT_USES_INITLVL
+	FILE			*fp;
+#endif
+	struct init_request	request;
+	struct sigaction	sa;
+	int			f, fd, l;
+	char			*env = NULL;
+
+	memset(&request, 0, sizeof(request));
+	request.magic     = INIT_MAGIC;
+
+	while ((f = getopt(argc, argv, "t:e:")) != EOF) switch(f) {
+		case 't':
+			sltime = atoi(optarg);
+			break;
+		case 'e':
+			if (env == NULL)
+				env = request.i.data;
+			l = strlen(optarg);
+			if (env + l + 2 > request.i.data + sizeof(request.i.data)) {
+				fprintf(stderr, "%s: -e option data "
+					"too large\n", progname);
+				exit(1);
+			}
+			memcpy(env, optarg, l);
+			env += l;
+			*env++ = 0;
+			break;
+		default:
+			usage(progname);
+			break;
+	}
+
+	if (env) *env++ = 0;
+
+	if (env) {
+		if (argc != optind)
+			usage(progname);
+		request.cmd = INIT_CMD_SETENV;
+	} else {
+		if (argc - optind != 1 || strlen(argv[optind]) != 1)
+			usage(progname);
+		if (!strchr("0123456789SsQqAaBbCcUu", argv[optind][0]))
+			usage(progname);
+		request.cmd = INIT_CMD_RUNLVL;
+		request.runlevel  = env ? 0 : argv[optind][0];
+		request.sleeptime = sltime;
+	}
+
+	/* Open the fifo and write a command. */
+	/* Make sure we don't hang on opening /dev/initctl */
+	SETSIG(sa, SIGALRM, signal_handler, 0);
+	alarm(3);
+	if ((fd = open(INIT_FIFO, O_WRONLY)) >= 0 &&
+	    write(fd, &request, sizeof(request)) == sizeof(request)) {
+		close(fd);
+		alarm(0);
+		return 0;
+	}
+
+#ifdef TELINIT_USES_INITLVL
+	if (request.cmd == INIT_CMD_RUNLVL) {
+		/* Fallthrough to the old method. */
+
+		/* Now write the new runlevel. */
+		if ((fp = fopen(INITLVL, "w")) == NULL) {
+			fprintf(stderr, "%s: cannot create %s\n",
+				progname, INITLVL);
+			exit(1);
+		}
+		fprintf(fp, "%s %d", argv[optind], sltime);
+		fclose(fp);
+
+		/* And tell init about the pending runlevel change. */
+		if (kill(INITPID, SIGHUP) < 0) perror(progname);
+
+		return 0;
+	}
+#endif
+
+	fprintf(stderr, "%s: ", progname);
+	if (ISMEMBER(got_signals, SIGALRM)) {
+		fprintf(stderr, "timeout opening/writing control channel %s\n",
+			INIT_FIFO);
+	} else {
+		perror(INIT_FIFO);
+	}
+	return 1;
+}
+
+/*
+ * Main entry for init and telinit.
+ */
+int main(int argc, char **argv)
+{
+	char			*p;
+	int			f;
+	int			isinit;
+
+	/* Get my own name */
+	if ((p = strrchr(argv[0], '/')) != NULL)
+  		p++;
+	else
+  		p = argv[0];
+	umask(022);
+
+	/* Quick check */
+	if (geteuid() != 0) {
+		fprintf(stderr, "%s: must be superuser.\n", p);
+		exit(1);
+	}
+
+	/*
+	 *	Is this telinit or init ?
+	 */
+	isinit = (getpid() == 1);
+	for (f = 1; f < argc; f++) {
+		if (!strcmp(argv[f], "-i") || !strcmp(argv[f], "--init"))
+			isinit = 1;
+			break;
+	}
+	if (!isinit) exit(telinit(p, argc, argv));
+
+	/*
+	 *	Check for re-exec
+	 */ 	
+	if (check_pipe(STATE_PIPE)) {
+
+		receive_state(STATE_PIPE);
+
+		myname = istrdup(argv[0]);
+		argv0 = argv[0];
+		maxproclen = 0;
+		for (f = 0; f < argc; f++)
+			maxproclen += strlen(argv[f]) + 1;
+		reload = 1;
+		setproctitle("init [%c]",runlevel);
+
+		init_main();
+	}
+
+  	/* Check command line arguments */
+	maxproclen = strlen(argv[0]) + 1;
+  	for(f = 1; f < argc; f++) {
+		if (!strcmp(argv[f], "single") || !strcmp(argv[f], "-s"))
+			dfl_level = 'S';
+		else if (!strcmp(argv[f], "-a") || !strcmp(argv[f], "auto"))
+			putenv("AUTOBOOT=YES");
+		else if (!strcmp(argv[f], "-b") || !strcmp(argv[f],"emergency"))
+			emerg_shell = 1;
+		else if (!strcmp(argv[f], "-z")) {
+			/* Ignore -z xxx */
+			if (argv[f + 1]) f++;
+		} else if (strchr("0123456789sS", argv[f][0])
+			&& strlen(argv[f]) == 1)
+			dfl_level = argv[f][0];
+		/* "init u" in the very beginning makes no sense */
+		if (dfl_level == 's') dfl_level = 'S';
+		maxproclen += strlen(argv[f]) + 1;
+	}
+
+	/* Start booting. */
+	argv0 = argv[0];
+	argv[1] = NULL;
+	setproctitle("init boot");
+	init_main(dfl_level);
+
+	/*NOTREACHED*/
+	return 0;
+}
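Review bot: In main(), the `break;` after `isinit = 1;` in the `-i`/`--init` loop is indented as if it belonged to the `if`, but without braces it runs unconditionally, so the loop exits after looking at argv[1] only. Put both statements in braces so the flag is recognised at any position. Two further points in this hunk: re_exec() calls execl(myname, myname, "--init", NULL, env), and execl stops reading at the NULL, so the environment built by init_buildenv(0) never reaches the new image (execle is the variant that takes an envp after the terminator). In initcmd_setenv() the conditions `*data && data < e` and `*p && p < e` dereference before the bounds test, and the following `if (*p) break;` does the same when p == e, which reads one byte past request.i.data if the buffer is not NUL-terminated; test the bound first.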
diff -U 3 -H -d -r -N -- sysvinit-2.86/src/sulogin.c sysvinit-2.86-selinux/src/sulogin.c
--- sysvinit-2.86/src/sulogin.c	2004-07-30 19:40:28.000000000 +0800
+++ sysvinit-2.86-selinux/src/sulogin.c	2007-03-09 22:30:59.000000000 +0800
@@ -28,6 +28,9 @@
 #  include <crypt.h>
 #endif
 
+#include <selinux/selinux.h>
+#include <selinux/get_context_list.h>
+
 #define CHECK_DES	1
 #define CHECK_MD5	1
 
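Review bot: The two libselinux headers are included unconditionally here, so sulogin no longer builds on a system without the libselinux development files. Wrap these includes, and the block in sushell() that uses them, in a build-time #ifdef set from the Makefile so the non-SELinux build keeps working.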
@@ -335,6 +338,19 @@
 	signal(SIGINT, SIG_DFL);
 	signal(SIGTSTP, SIG_DFL);
 	signal(SIGQUIT, SIG_DFL);
+	if (is_selinux_enabled > 0) {
+	  security_context_t scon=NULL;
+	  char *seuser=NULL;
+	  char *level=NULL;
+	  if (getseuserbyname("root", &seuser, &level) == 0)
+		  if (get_default_context_with_level(seuser, level, 0, &scon) > 0) {
+			  if (setexeccon(scon) != 0) 
+				  fprintf(stderr, "setexeccon faile\n");
+			  freecon(scon);
+		  }
+		free(seuser);
+		free(level);
+	}
 	execl(sushell, shell, NULL);
 	perror(sushell);
 
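Review bot: `if (is_selinux_enabled > 0)` is missing the call parentheses, so it tests the function's address rather than its result and the block runs even where SELinux is disabled; it should read `is_selinux_enabled() > 0`. The inner test `get_default_context_with_level(...) > 0` also looks inverted: libselinux returns 0 on success and -1 on failure from that function, so as written setexeccon() is never reached and the shell is exec'd without the intended context; compare with `== 0`. Smaller points: the message reads "setexeccon faile", a setexeccon() failure is only printed and the exec still proceeds, and the free(seuser)/free(level) lines are indented as if they hung off the unbraced `if` on getseuserbyname(); add braces and align them with the enclosing block.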
diff -U 3 -H -d -r -N -- sysvinit-2.86/src/sulogin.c~ sysvinit-2.86-selinux/src/sulogin.c~
--- sysvinit-2.86/src/sulogin.c~	1970-01-01 08:00:00.000000000 +0800
+++ sysvinit-2.86-selinux/src/sulogin.c~	2004-07-30 19:40:28.000000000 +0800
@@ -0,0 +1,456 @@
+/*
+ * sulogin	This program gives Linux machines a reasonable
+ *		secure way to boot single user. It forces the
+ *		user to supply the root password before a
+ *		shell is started.
+ *
+ *		If there is a shadow password file and the
+ *		encrypted root password is "x" the shadow
+ *		password will be used.
+ *
+ * Version:	@(#)sulogin 2.85-3 23-Apr-2003 miquels@cistron.nl
+ *
+ */
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <signal.h>
+#include <pwd.h>
+#include <shadow.h>
+#include <termios.h>
+#include <sys/ioctl.h>
+#if defined(__GLIBC__)
+#  include <crypt.h>
+#endif
+
+#define CHECK_DES	1
+#define CHECK_MD5	1
+
+#define F_PASSWD	"/etc/passwd"
+#define F_SHADOW	"/etc/shadow"
+#define BINSH		"/bin/sh"
+
+char *Version = "@(#)sulogin 2.85-3 23-Apr-2003 miquels@cistron.nl";
+
+int timeout = 0;
+int profile = 0;
+
+#ifndef IUCLC
+#  define IUCLC	0
+#endif
+
+#if 0
+/*
+ *	Fix the tty modes and set reasonable defaults.
+ *	(I'm not sure if this is needed under Linux, but..)
+ */
+void fixtty(void)
+{
+	struct termios tty;
+
+	tcgetattr(0, &tty);
+
+	/*
+	 *	Set or adjust tty modes.
+	 */
+	tty.c_iflag &= ~(INLCR|IGNCR|IUCLC);
+	tty.c_iflag |= ICRNL;
+	tty.c_oflag &= ~(OCRNL|OLCUC|ONOCR|ONLRET|OFILL);
+	tty.c_oflag |= OPOST|ONLCR;
+	tty.c_cflag |= CLOCAL;
+	tty.c_lflag  = ISIG|ICANON|ECHO|ECHOE|ECHOK|ECHOCTL|ECHOKE;
+
+	/*
+	 *	Set the most important characters */
+	 */
+	tty.c_cc[VINTR]  = 3;
+	tty.c_cc[VQUIT]  = 28;
+	tty.c_cc[VERASE] = 127;
+	tty.c_cc[VKILL]  = 24;
+	tty.c_cc[VEOF]   = 4;
+	tty.c_cc[VTIME]  = 0;
+	tty.c_cc[VMIN]   = 1;
+	tty.c_cc[VSTART] = 17;
+	tty.c_cc[VSTOP]  = 19;
+	tty.c_cc[VSUSP]  = 26;
+ 
+	tcsetattr(0, TCSANOW, &tty);
+}
+#endif
+
+
+/*
+ *	Called at timeout.
+ */
+void alrm_handler()
+{
+}
+
+/*
+ *	See if an encrypted password is valid. The encrypted
+ *	password is checked for traditional-style DES and
+ *	FreeBSD-style MD5 encryption.
+ */
+int valid(char *pass)
+{
+	char *s;
+	int len;
+
+	if (pass[0] == 0) return 1;
+#if CHECK_MD5
+	/*
+	 *	3 bytes for the signature $1$
+	 *	up to 8 bytes for the salt
+	 *	$
+	 *	the MD5 hash (128 bits or 16 bytes) encoded in base64 = 22 bytes
+	 */
+	if (strncmp(pass, "$1$", 3) == 0) {
+		for(s = pass + 3; *s && *s != '$'; s++)
+			;
+		if (*s++ != '$') return 0;
+		len = strlen(s);
+		if (len < 22 || len > 24) return 0;
+
+		return 1;
+	}
+#endif
+#if CHECK_DES
+	if (strlen(pass) != 13) return 0;
+	for (s = pass; *s; s++) {
+		if ((*s < '0' || *s > '9') &&
+		    (*s < 'a' || *s > 'z') &&
+		    (*s < 'A' || *s > 'Z') &&
+		    *s != '.' && *s != '/') return 0;
+	}
+#endif
+	return 1;
+}
+
+/*
+ *	Set a variable if the value is not NULL.
+ */
+void set(char **var, char *val)
+{
+	if (val) *var = val;
+}
+
+/*
+ *	Get the root password entry.
+ */
+struct passwd *getrootpwent(int try_manually)
+{
+	static struct passwd pwd;
+	struct passwd *pw;
+	struct spwd *spw;
+	FILE *fp;
+	static char line[256];
+	static char sline[256];
+	char *p;
+
+	/*
+	 *	First, we try to get the password the standard
+	 *	way using normal library calls.
+	 */
+	if ((pw = getpwnam("root")) &&
+	    !strcmp(pw->pw_passwd, "x") &&
+	    (spw = getspnam("root")))
+		pw->pw_passwd = spw->sp_pwdp;
+	if (pw || !try_manually) return pw;
+
+	/*
+	 *	If we come here, we could not retrieve the root
+	 *	password through library calls and we try to
+	 *	read the password and shadow files manually.
+	 */
+	pwd.pw_name = "root";
+	pwd.pw_passwd = "";
+	pwd.pw_gecos = "Super User";
+	pwd.pw_dir = "/";
+	pwd.pw_shell = "";
+	pwd.pw_uid = 0;
+	pwd.pw_gid = 0;
+
+	if ((fp = fopen(F_PASSWD, "r")) == NULL) {
+		perror(F_PASSWD);
+		return &pwd;
+	}
+
+	/*
+	 *	Find root in the password file.
+	 */
+	while((p = fgets(line, 256, fp)) != NULL) {
+		if (strncmp(line, "root:", 5) != 0)
+			continue;
+		p += 5;
+		set(&pwd.pw_passwd, strsep(&p, ":"));
+		(void)strsep(&p, ":");
+		(void)strsep(&p, ":");
+		set(&pwd.pw_gecos, strsep(&p, ":"));
+		set(&pwd.pw_dir, strsep(&p, ":"));
+		set(&pwd.pw_shell, strsep(&p, "\n"));
+		p = line;
+		break;
+	}
+	fclose(fp);
+
+	/*
+	 *	If the encrypted password is valid
+	 *	or not found, return.
+	 */
+	if (p == NULL) {
+		fprintf(stderr, "%s: no entry for root\n", F_PASSWD);
+		return &pwd;
+	}
+	if (valid(pwd.pw_passwd)) return &pwd;
+
+	/*
+	 *	The password is invalid. If there is a
+	 *	shadow password, try it.
+	 */
+	strcpy(pwd.pw_passwd, "");
+	if ((fp = fopen(F_SHADOW, "r")) == NULL) {
+		fprintf(stderr, "%s: root password garbled\n", F_PASSWD);
+		return &pwd;
+	}
+	while((p = fgets(sline, 256, fp)) != NULL) {
+		if (strncmp(sline, "root:", 5) != 0)
+			continue;
+		p += 5;
+		set(&pwd.pw_passwd, strsep(&p, ":"));
+		break;
+	}
+	fclose(fp);
+
+	/*
+	 *	If the password is still invalid,
+	 *	NULL it, and return.
+	 */
+	if (p == NULL) {
+		fprintf(stderr, "%s: no entry for root\n", F_SHADOW);
+		strcpy(pwd.pw_passwd, "");
+	}
+	if (!valid(pwd.pw_passwd)) {
+		fprintf(stderr, "%s: root password garbled\n", F_SHADOW);
+		strcpy(pwd.pw_passwd, ""); }
+	return &pwd;
+}
+
+/*
+ *	Ask for the password. Note that there is no
+ *	default timeout as we normally skip this during boot.
+ */
+char *getpasswd(char *crypted)
+{
+	struct sigaction sa;
+	struct termios old, tty;
+	static char pass[128];
+	char *ret = pass;
+	int i;
+
+	if (crypted[0])
+		printf("Give root password for maintenance\n");
+	else
+		printf("Press enter for maintenance\n");
+	printf("(or type Control-D to continue): ");
+	fflush(stdout);
+
+	tcgetattr(0, &old);
+	tcgetattr(0, &tty);
+	tty.c_iflag &= ~(IUCLC|IXON|IXOFF|IXANY);
+	tty.c_lflag &= ~(ECHO|ECHOE|ECHOK|ECHONL|TOSTOP);
+	tcsetattr(0, TCSANOW, &tty);
+
+	pass[sizeof(pass) - 1] = 0;
+
+	sa.sa_handler = alrm_handler;
+	sa.sa_flags = 0;
+	sigaction(SIGALRM, &sa, NULL);
+	if (timeout) alarm(timeout);
+
+	if (read(0, pass, sizeof(pass) - 1) <= 0)
+		ret = NULL;
+	else {
+		for(i = 0; i < sizeof(pass) && pass[i]; i++)
+			if (pass[i] == '\r' || pass[i] == '\n') {
+				pass[i] = 0;
+				break;
+			}
+	}
+	alarm(0);
+	tcsetattr(0, TCSANOW, &old);
+	printf("\n");
+
+	return ret;
+}
+
+/*
+ *	Password was OK, execute a shell.
+ */
+void sushell(struct passwd *pwd)
+{
+	char shell[128];
+	char home[128];
+	char *p;
+	char *sushell;
+
+	/*
+	 *	Set directory and shell.
+	 */
+	(void)chdir(pwd->pw_dir);
+	if ((p = getenv("SUSHELL")) != NULL)
+		sushell = p;
+	else if ((p = getenv("sushell")) != NULL)
+		sushell = p;
+	else {
+		if (pwd->pw_shell[0])
+			sushell = pwd->pw_shell;
+		else
+			sushell = BINSH;
+	}
+	if ((p = strrchr(sushell, '/')) == NULL)
+		p = sushell;
+	else
+		p++;
+	snprintf(shell, sizeof(shell), profile ? "-%s" : "%s", p);
+
+	/*
+	 *	Set some important environment variables.
+	 */
+	getcwd(home, sizeof(home));
+	setenv("HOME", home, 1);
+	setenv("LOGNAME", "root", 1);
+	setenv("USER", "root", 1);
+	if (!profile)
+		setenv("SHLVL","0",1);
+
+	/*
+	 *	Try to execute a shell.
+	 */
+	setenv("SHELL", sushell, 1);
+	signal(SIGINT, SIG_DFL);
+	signal(SIGTSTP, SIG_DFL);
+	signal(SIGQUIT, SIG_DFL);
+	execl(sushell, shell, NULL);
+	perror(sushell);
+
+	setenv("SHELL", BINSH, 1);
+	execl(BINSH, profile ? "-sh" : "sh", NULL);
+	perror(BINSH);
+}
+
+void usage(void)
+{
+	fprintf(stderr, "Usage: sulogin [-e] [-p] [-t timeout] [tty device]\n");
+}
+
+int main(int argc, char **argv)
+{
+	char *tty = NULL;
+	char *p;
+	struct passwd *pwd;
+	int c, fd = -1;
+	int opt_e = 0;
+	pid_t pid, pgrp, ppgrp, ttypgrp;
+
+	/*
+	 *	See if we have a timeout flag.
+	 */
+	opterr = 0;
+	while((c = getopt(argc, argv, "ept:")) != EOF) switch(c) {
+		case 't':
+			timeout = atoi(optarg);
+			break;
+		case 'p':
+			profile = 1;
+			break;
+		case 'e':
+			opt_e = 1;
+			break;
+		default:
+			usage();
+			/* Do not exit! */
+			break;
+	}
+
+	if (geteuid() != 0) {
+		fprintf(stderr, "sulogin: only root can run sulogin.\n");
+		exit(1);
+	}
+
+	/*
+	 *	See if we need to open an other tty device.
+	 */
+	signal(SIGINT, SIG_IGN);
+	signal(SIGQUIT, SIG_IGN);
+	signal(SIGTSTP, SIG_IGN);
+	if (optind < argc) tty = argv[optind];
+	if (tty) {
+		if ((fd = open(tty, O_RDWR)) < 0) {
+			perror(tty);
+		} else if (!isatty(fd)) {
+			fprintf(stderr, "%s: not a tty\n", tty);
+			close(fd);
+		} else {
+
+			/*
+			 *	Only go through this trouble if the new
+			 *	tty doesn't fall in this process group.
+			 */
+			pid = getpid();
+			pgrp = getpgid(0);
+			ppgrp = getpgid(getppid());
+			ioctl(fd, TIOCGPGRP, &ttypgrp);
+
+			if (pgrp != ttypgrp && ppgrp != ttypgrp) {
+				if (pid != getsid(0)) {
+					if (pid == getpgid(0))
+						setpgid(0, getpgid(getppid()));
+					setsid();
+				}
+
+				signal(SIGHUP, SIG_IGN);
+				ioctl(0, TIOCNOTTY, (char *)1);
+				signal(SIGHUP, SIG_DFL);
+				close(0);
+				close(1);
+				close(2);
+				close(fd);
+				fd = open(tty, O_RDWR);
+				ioctl(0, TIOCSCTTY, (char *)1);
+				dup(fd);
+				dup(fd);
+			} else
+				close(fd);
+		}
+	}
+
+	/*
+	 *	Get the root password.
+	 */
+	if ((pwd = getrootpwent(opt_e)) == NULL) {
+		fprintf(stderr, "sulogin: cannot open password database!\n");
+		sleep(2);
+	}
+
+	/*
+	 *	Ask for the password.
+	 */
+	while(pwd) {
+		if ((p = getpasswd(pwd->pw_passwd)) == NULL) break;
+		if (pwd->pw_passwd[0] == 0 ||
+		    strcmp(crypt(p, pwd->pw_passwd), pwd->pw_passwd) == 0)
+			sushell(pwd);
+		printf("Login incorrect.\n");
+	}
+
+	/*
+	 *	User pressed Control-D.
+	 */
+	return 0;
+}
+
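Review bot: src/sulogin.c~ is an editor backup of the unpatched sulogin.c (timestamp 2004-07-30, none of the SELinux changes) and should not be part of this patch. It is picked up because the diff was run with -N over a tree that still contained `*~` files; remove them or pass an exclude pattern to diff and regenerate, so these 456 added lines do not end up in the target tree.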

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 198 bytes --]


* Re: Policy loading problem
  2009-05-20 14:07               ` Dennis Wronka
@ 2009-05-20 14:09                 ` Stephen Smalley
  2009-05-20 14:21                   ` Stephen Smalley
  0 siblings, 1 reply; 26+ messages in thread
From: Stephen Smalley @ 2009-05-20 14:09 UTC (permalink / raw)
  To: Dennis Wronka; +Cc: SELinux

On Wed, 2009-05-20 at 22:07 +0800, Dennis Wronka wrote:
> Sorry I got to ask, but what do you actually mean by "initial policy loading 
> logic"?
> 
> I haven't actually written any code that handles the policy. I took the 
> attached patch for SysVInit and applied it. From what I know this is the 
> commonly used patch for this, as it seems to be pretty identical wherever I'm 
> looking.

That's what I wanted to see, thanks.

Now, if you boot permissive in single-user mode (enforcing=0 single) and
run "load_policy -i" (note the -i option), does that work?  That calls
the same function for initial policy loading as the patch for sysvinit.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: Policy loading problem
  2009-05-20 14:09                 ` Stephen Smalley
@ 2009-05-20 14:21                   ` Stephen Smalley
  2009-05-20 14:42                     ` Dennis Wronka
  0 siblings, 1 reply; 26+ messages in thread
From: Stephen Smalley @ 2009-05-20 14:21 UTC (permalink / raw)
  To: Dennis Wronka; +Cc: SELinux

On Wed, 2009-05-20 at 10:09 -0400, Stephen Smalley wrote:
> On Wed, 2009-05-20 at 22:07 +0800, Dennis Wronka wrote:
> > Sorry I got to ask, but what do you actually mean by "initial policy loading 
> > logic"?
> > 
> > I haven't actually written any code that handles the policy. I took the 
> > attached patch for SysVInit and applied it. From what I know this is the 
> > commonly used patch for this, as it seems to be pretty identical wherever I'm 
> > looking.
> 
> That's what I wanted to see, thanks.
> 
> Now, if you boot permissive in single-user mode (enforcing=0 single) and
> run "load_policy -i" (note the -i option), does that work?  That calls
> the same function for initial policy loading as the patch for sysvinit.

If it doesn't work (i.e. policy is still not loaded by it, as shown by
e.g. running id -Z), then try running strace load_policy -i 2>& out and
send the output file.

Also, please identify your version of libselinux.

-- 
Stephen Smalley
National Security Agency



^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: Policy loading problem
  2009-05-20 14:42                     ` Dennis Wronka
@ 2009-05-20 14:40                       ` Stephen Smalley
  2009-05-20 14:57                         ` Dennis Wronka
  0 siblings, 1 reply; 26+ messages in thread
From: Stephen Smalley @ 2009-05-20 14:40 UTC (permalink / raw)
  To: Dennis Wronka; +Cc: SELinux

On Wed, 2009-05-20 at 22:42 +0800, Dennis Wronka wrote:
> Thanks for this, I think we're going somewhere.
> 
> Booting into single-user and running load_policy -i I get this:
> Mount failed for selinuxfs on /selinux: Device or resource busy
> load_policy: Can't load policy: Device or resource busy

Ok, this error just means that something (presumably /sbin/init) has
already mounted selinuxfs on /selinux, so it doesn't really help in
diagnosing the problem.  umount /selinux and try again.

BTW, can we see your kernel .config, particularly the SELINUX options?

> I've seen this before when I was testing around, but didn't find much about 
> this.
> 
> I'll see that I install strace in order to provide a trace.
> 
> libselinux is 2.0.79

-- 
Stephen Smalley
National Security Agency



^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: Policy loading problem
  2009-05-20 14:21                   ` Stephen Smalley
@ 2009-05-20 14:42                     ` Dennis Wronka
  2009-05-20 14:40                       ` Stephen Smalley
  0 siblings, 1 reply; 26+ messages in thread
From: Dennis Wronka @ 2009-05-20 14:42 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux

[-- Attachment #1: Type: text/plain, Size: 1480 bytes --]

Thanks for this, I think we're going somewhere.

Booting into single-user and running load_policy -i I get this:
Mount failed for selinuxfs on /selinux: Device or resource busy
load_policy: Can't load policy: Device or resource busy

I've seen this before when I was testing around, but didn't find much about 
this.

I'll see that I install strace in order to provide a trace.

libselinux is 2.0.79

On Wednesday 20 May 2009 22:21:01 Stephen Smalley wrote:
> On Wed, 2009-05-20 at 10:09 -0400, Stephen Smalley wrote:
> > On Wed, 2009-05-20 at 22:07 +0800, Dennis Wronka wrote:
> > > Sorry I got to ask, but what do you actually mean by "initial policy
> > > loading logic"?
> > >
> > > I haven't actually written any code that handles the policy. I took the
> > > attached patch for SysVInit and applied it. From what I know this is
> > > the commonly used patch for this, as it seems to be pretty identical
> > > wherever I'm looking.
> >
> > That's what I wanted to see, thanks.
> >
> > Now, if you boot permissive in single-user mode (enforcing=0 single) and
> > run "load_policy -i" (note the -i option), does that work?  That calls
> > the same function for initial policy loading as the patch for sysvinit.
>
> If it doesn't work (i.e. policy is still not loaded by it, as shown by
> e.g. running id -Z), then try running strace load_policy -i 2>& out and
> send the output file.
>
> Also, please identify your version of libselinux.



[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 198 bytes --]

^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: Policy loading problem
  2009-05-20 14:40                       ` Stephen Smalley
@ 2009-05-20 14:57                         ` Dennis Wronka
  2009-05-20 14:59                           ` Stephen Smalley
  2009-05-20 15:10                           ` Stephen Smalley
  0 siblings, 2 replies; 26+ messages in thread
From: Dennis Wronka @ 2009-05-20 14:57 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux


[-- Attachment #1.1: Type: text/plain, Size: 1113 bytes --]

Okay, here we go:

I unmounted /selinux and then got this:
load_policy: Can't load policy: Invalid argument

I attached my kernel-config and the two traces (trace1 for the "Device or 
resource busy"-error, trace2 for the "Invalid argument"-error).

On Wednesday 20 May 2009 22:40:33 Stephen Smalley wrote:
> On Wed, 2009-05-20 at 22:42 +0800, Dennis Wronka wrote:
> > Thanks for this, I think we're going somewhere.
> >
> > Booting into single-user and running load_policy -i I get this:
> > Mount failed for selinuxfs on /selinux: Device or resource busy
> > load_policy: Can't load policy: Device or resource busy
>
> Ok, this error just means that something (presumably /sbin/init) has
> already mounted selinuxfs on /selinux, so it doesn't really help in
> diagnosing the problem.  umount /selinux and try again.
>
> BTW, can we see your kernel .config, particularly the SELINUX options?
>
> > I've seen this before when I was testing around, but didn't find much
> > about this.
> >
> > I'll see that I install strace in order to provide a trace.
> >
> > libselinux is 2.0.79



[-- Attachment #1.2: kernel-config --]
[-- Type: text/plain, Size: 47746 bytes --]

#
# Automatically generated make config: don't edit
# Linux kernel version: 2.6.29.3
# Wed May 20 12:27:14 2009
#
# CONFIG_64BIT is not set
CONFIG_X86_32=y
# CONFIG_X86_64 is not set
CONFIG_X86=y
CONFIG_ARCH_DEFCONFIG="arch/x86/configs/i386_defconfig"
CONFIG_GENERIC_TIME=y
CONFIG_GENERIC_CMOS_UPDATE=y
CONFIG_CLOCKSOURCE_WATCHDOG=y
CONFIG_GENERIC_CLOCKEVENTS=y
CONFIG_GENERIC_CLOCKEVENTS_BROADCAST=y
CONFIG_LOCKDEP_SUPPORT=y
CONFIG_STACKTRACE_SUPPORT=y
CONFIG_HAVE_LATENCYTOP_SUPPORT=y
CONFIG_FAST_CMPXCHG_LOCAL=y
CONFIG_MMU=y
CONFIG_ZONE_DMA=y
CONFIG_GENERIC_ISA_DMA=y
CONFIG_GENERIC_IOMAP=y
CONFIG_GENERIC_BUG=y
CONFIG_GENERIC_HWEIGHT=y
CONFIG_ARCH_MAY_HAVE_PC_FDC=y
# CONFIG_RWSEM_GENERIC_SPINLOCK is not set
CONFIG_RWSEM_XCHGADD_ALGORITHM=y
CONFIG_ARCH_HAS_CPU_IDLE_WAIT=y
CONFIG_GENERIC_CALIBRATE_DELAY=y
# CONFIG_GENERIC_TIME_VSYSCALL is not set
CONFIG_ARCH_HAS_CPU_RELAX=y
CONFIG_ARCH_HAS_DEFAULT_IDLE=y
CONFIG_ARCH_HAS_CACHE_LINE_SIZE=y
CONFIG_HAVE_SETUP_PER_CPU_AREA=y
# CONFIG_HAVE_CPUMASK_OF_CPU_MAP is not set
CONFIG_ARCH_HIBERNATION_POSSIBLE=y
CONFIG_ARCH_SUSPEND_POSSIBLE=y
# CONFIG_ZONE_DMA32 is not set
CONFIG_ARCH_POPULATES_NODE_MAP=y
# CONFIG_AUDIT_ARCH is not set
CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING=y
CONFIG_GENERIC_HARDIRQS=y
CONFIG_GENERIC_IRQ_PROBE=y
CONFIG_GENERIC_PENDING_IRQ=y
CONFIG_X86_SMP=y
CONFIG_USE_GENERIC_SMP_HELPERS=y
CONFIG_X86_32_SMP=y
CONFIG_X86_HT=y
CONFIG_X86_BIOS_REBOOT=y
CONFIG_X86_TRAMPOLINE=y
CONFIG_KTIME_SCALAR=y
CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config"

#
# General setup
#
CONFIG_EXPERIMENTAL=y
CONFIG_LOCK_KERNEL=y
CONFIG_INIT_ENV_ARG_LIMIT=32
CONFIG_LOCALVERSION=""
# CONFIG_LOCALVERSION_AUTO is not set
CONFIG_SWAP=y
CONFIG_SYSVIPC=y
CONFIG_SYSVIPC_SYSCTL=y
CONFIG_POSIX_MQUEUE=y
CONFIG_BSD_PROCESS_ACCT=y
# CONFIG_BSD_PROCESS_ACCT_V3 is not set
# CONFIG_TASKSTATS is not set
CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_AUDIT_TREE=y

#
# RCU Subsystem
#
CONFIG_CLASSIC_RCU=y
# CONFIG_TREE_RCU is not set
# CONFIG_PREEMPT_RCU is not set
# CONFIG_TREE_RCU_TRACE is not set
# CONFIG_PREEMPT_RCU_TRACE is not set
# CONFIG_IKCONFIG is not set
CONFIG_LOG_BUF_SHIFT=17
CONFIG_HAVE_UNSTABLE_SCHED_CLOCK=y
CONFIG_GROUP_SCHED=y
CONFIG_FAIR_GROUP_SCHED=y
CONFIG_RT_GROUP_SCHED=y
CONFIG_USER_SCHED=y
# CONFIG_CGROUP_SCHED is not set
# CONFIG_CGROUPS is not set
# CONFIG_SYSFS_DEPRECATED_V2 is not set
CONFIG_RELAY=y
CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
# CONFIG_USER_NS is not set
# CONFIG_PID_NS is not set
# CONFIG_NET_NS is not set
# CONFIG_BLK_DEV_INITRD is not set
CONFIG_CC_OPTIMIZE_FOR_SIZE=y
CONFIG_SYSCTL=y
CONFIG_ANON_INODES=y
# CONFIG_EMBEDDED is not set
CONFIG_UID16=y
CONFIG_SYSCTL_SYSCALL=y
CONFIG_KALLSYMS=y
CONFIG_KALLSYMS_EXTRA_PASS=y
CONFIG_HOTPLUG=y
CONFIG_PRINTK=y
CONFIG_BUG=y
CONFIG_ELF_CORE=y
CONFIG_PCSPKR_PLATFORM=y
CONFIG_BASE_FULL=y
CONFIG_FUTEX=y
CONFIG_EPOLL=y
CONFIG_SIGNALFD=y
CONFIG_TIMERFD=y
CONFIG_EVENTFD=y
CONFIG_SHMEM=y
CONFIG_AIO=y
CONFIG_VM_EVENT_COUNTERS=y
CONFIG_PCI_QUIRKS=y
# CONFIG_COMPAT_BRK is not set
CONFIG_SLAB=y
# CONFIG_SLUB is not set
# CONFIG_SLOB is not set
# CONFIG_PROFILING is not set
CONFIG_TRACEPOINTS=y
# CONFIG_MARKERS is not set
CONFIG_HAVE_OPROFILE=y
# CONFIG_KPROBES is not set
CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS=y
CONFIG_HAVE_IOREMAP_PROT=y
CONFIG_HAVE_KPROBES=y
CONFIG_HAVE_KRETPROBES=y
CONFIG_HAVE_ARCH_TRACEHOOK=y
CONFIG_HAVE_GENERIC_DMA_COHERENT=y
CONFIG_SLABINFO=y
CONFIG_RT_MUTEXES=y
CONFIG_BASE_SMALL=0
CONFIG_MODULES=y
# CONFIG_MODULE_FORCE_LOAD is not set
CONFIG_MODULE_UNLOAD=y
# CONFIG_MODULE_FORCE_UNLOAD is not set
# CONFIG_MODVERSIONS is not set
# CONFIG_MODULE_SRCVERSION_ALL is not set
CONFIG_STOP_MACHINE=y
CONFIG_BLOCK=y
CONFIG_LBD=y
CONFIG_BLK_DEV_IO_TRACE=y
# CONFIG_BLK_DEV_BSG is not set
# CONFIG_BLK_DEV_INTEGRITY is not set

#
# IO Schedulers
#
CONFIG_IOSCHED_NOOP=y
CONFIG_IOSCHED_AS=y
CONFIG_IOSCHED_DEADLINE=y
CONFIG_IOSCHED_CFQ=y
# CONFIG_DEFAULT_AS is not set
# CONFIG_DEFAULT_DEADLINE is not set
CONFIG_DEFAULT_CFQ=y
# CONFIG_DEFAULT_NOOP is not set
CONFIG_DEFAULT_IOSCHED="cfq"
# CONFIG_FREEZER is not set

#
# Processor type and features
#
CONFIG_TICK_ONESHOT=y
CONFIG_NO_HZ=y
CONFIG_HIGH_RES_TIMERS=y
CONFIG_GENERIC_CLOCKEVENTS_BUILD=y
CONFIG_SMP=y
# CONFIG_SPARSE_IRQ is not set
CONFIG_X86_FIND_SMP_CONFIG=y
CONFIG_X86_MPPARSE=y
CONFIG_X86_PC=y
# CONFIG_X86_ELAN is not set
# CONFIG_X86_VOYAGER is not set
# CONFIG_X86_GENERICARCH is not set
# CONFIG_X86_VSMP is not set
# CONFIG_X86_RDC321X is not set
CONFIG_SCHED_OMIT_FRAME_POINTER=y
CONFIG_PARAVIRT_GUEST=y
# CONFIG_XEN is not set
# CONFIG_VMI is not set
CONFIG_KVM_CLOCK=y
CONFIG_KVM_GUEST=y
CONFIG_PARAVIRT=y
CONFIG_PARAVIRT_CLOCK=y
# CONFIG_MEMTEST is not set
# CONFIG_M386 is not set
# CONFIG_M486 is not set
# CONFIG_M586 is not set
# CONFIG_M586TSC is not set
# CONFIG_M586MMX is not set
# CONFIG_M686 is not set
CONFIG_MPENTIUMII=y
# CONFIG_MPENTIUMIII is not set
# CONFIG_MPENTIUMM is not set
# CONFIG_MPENTIUM4 is not set
# CONFIG_MK6 is not set
# CONFIG_MK7 is not set
# CONFIG_MK8 is not set
# CONFIG_MCRUSOE is not set
# CONFIG_MEFFICEON is not set
# CONFIG_MWINCHIPC6 is not set
# CONFIG_MWINCHIP3D is not set
# CONFIG_MGEODEGX1 is not set
# CONFIG_MGEODE_LX is not set
# CONFIG_MCYRIXIII is not set
# CONFIG_MVIAC3_2 is not set
# CONFIG_MVIAC7 is not set
# CONFIG_MPSC is not set
# CONFIG_MCORE2 is not set
# CONFIG_GENERIC_CPU is not set
# CONFIG_X86_GENERIC is not set
CONFIG_X86_CPU=y
CONFIG_X86_CMPXCHG=y
CONFIG_X86_L1_CACHE_SHIFT=5
CONFIG_X86_XADD=y
CONFIG_X86_WP_WORKS_OK=y
CONFIG_X86_INVLPG=y
CONFIG_X86_BSWAP=y
CONFIG_X86_POPAD_OK=y
CONFIG_X86_INTEL_USERCOPY=y
CONFIG_X86_USE_PPRO_CHECKSUM=y
CONFIG_X86_TSC=y
CONFIG_X86_CMPXCHG64=y
CONFIG_X86_CMOV=y
CONFIG_X86_MINIMUM_CPU_FAMILY=4
CONFIG_X86_DEBUGCTLMSR=y
CONFIG_CPU_SUP_INTEL=y
CONFIG_CPU_SUP_CYRIX_32=y
CONFIG_CPU_SUP_AMD=y
CONFIG_CPU_SUP_CENTAUR_32=y
CONFIG_CPU_SUP_TRANSMETA_32=y
CONFIG_CPU_SUP_UMC_32=y
# CONFIG_X86_DS is not set
CONFIG_HPET_TIMER=y
CONFIG_HPET_EMULATE_RTC=y
CONFIG_DMI=y
# CONFIG_IOMMU_HELPER is not set
# CONFIG_IOMMU_API is not set
CONFIG_NR_CPUS=8
# CONFIG_SCHED_SMT is not set
CONFIG_SCHED_MC=y
# CONFIG_PREEMPT_NONE is not set
CONFIG_PREEMPT_VOLUNTARY=y
# CONFIG_PREEMPT is not set
CONFIG_X86_LOCAL_APIC=y
CONFIG_X86_IO_APIC=y
# CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS is not set
CONFIG_X86_MCE=y
# CONFIG_X86_MCE_NONFATAL is not set
# CONFIG_X86_MCE_P4THERMAL is not set
CONFIG_VM86=y
# CONFIG_TOSHIBA is not set
# CONFIG_I8K is not set
CONFIG_X86_REBOOTFIXUPS=y
CONFIG_MICROCODE=y
CONFIG_MICROCODE_INTEL=y
CONFIG_MICROCODE_AMD=y
CONFIG_MICROCODE_OLD_INTERFACE=y
CONFIG_X86_MSR=y
CONFIG_X86_CPUID=y
CONFIG_NOHIGHMEM=y
# CONFIG_HIGHMEM4G is not set
# CONFIG_HIGHMEM64G is not set
CONFIG_PAGE_OFFSET=0xC0000000
CONFIG_X86_PAE=y
CONFIG_ARCH_PHYS_ADDR_T_64BIT=y
CONFIG_ARCH_FLATMEM_ENABLE=y
CONFIG_ARCH_SPARSEMEM_ENABLE=y
CONFIG_ARCH_SELECT_MEMORY_MODEL=y
CONFIG_SELECT_MEMORY_MODEL=y
CONFIG_FLATMEM_MANUAL=y
# CONFIG_DISCONTIGMEM_MANUAL is not set
# CONFIG_SPARSEMEM_MANUAL is not set
CONFIG_FLATMEM=y
CONFIG_FLAT_NODE_MEM_MAP=y
CONFIG_SPARSEMEM_STATIC=y
CONFIG_PAGEFLAGS_EXTENDED=y
CONFIG_SPLIT_PTLOCK_CPUS=4
CONFIG_PHYS_ADDR_T_64BIT=y
CONFIG_ZONE_DMA_FLAG=1
CONFIG_BOUNCE=y
CONFIG_VIRT_TO_BUS=y
CONFIG_UNEVICTABLE_LRU=y
# CONFIG_X86_CHECK_BIOS_CORRUPTION is not set
CONFIG_X86_RESERVE_LOW_64K=y
# CONFIG_MATH_EMULATION is not set
CONFIG_MTRR=y
CONFIG_MTRR_SANITIZER=y
CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0
CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1
CONFIG_X86_PAT=y
CONFIG_EFI=y
CONFIG_SECCOMP=y
# CONFIG_HZ_100 is not set
# CONFIG_HZ_250 is not set
# CONFIG_HZ_300 is not set
CONFIG_HZ_1000=y
CONFIG_HZ=1000
CONFIG_SCHED_HRTICK=y
# CONFIG_KEXEC is not set
CONFIG_PHYSICAL_START=0x100000
# CONFIG_RELOCATABLE is not set
CONFIG_PHYSICAL_ALIGN=0x200000
# CONFIG_HOTPLUG_CPU is not set
# CONFIG_COMPAT_VDSO is not set
# CONFIG_CMDLINE_BOOL is not set

#
# Power management and ACPI options
#
CONFIG_PM=y
CONFIG_PM_DEBUG=y
# CONFIG_PM_VERBOSE is not set
# CONFIG_SUSPEND is not set
# CONFIG_HIBERNATION is not set
CONFIG_ACPI=y
# CONFIG_ACPI_PROCFS is not set
# CONFIG_ACPI_PROCFS_POWER is not set
CONFIG_ACPI_SYSFS_POWER=y
# CONFIG_ACPI_PROC_EVENT is not set
# CONFIG_ACPI_AC is not set
# CONFIG_ACPI_BATTERY is not set
CONFIG_ACPI_BUTTON=y
CONFIG_ACPI_FAN=y
CONFIG_ACPI_DOCK=y
CONFIG_ACPI_PROCESSOR=y
CONFIG_ACPI_THERMAL=y
# CONFIG_ACPI_CUSTOM_DSDT is not set
CONFIG_ACPI_BLACKLIST_YEAR=0
# CONFIG_ACPI_DEBUG is not set
# CONFIG_ACPI_PCI_SLOT is not set
CONFIG_X86_PM_TIMER=y
# CONFIG_ACPI_CONTAINER is not set
# CONFIG_ACPI_SBS is not set

#
# CPU Frequency scaling
#
# CONFIG_CPU_FREQ is not set
CONFIG_CPU_IDLE=y
CONFIG_CPU_IDLE_GOV_LADDER=y
CONFIG_CPU_IDLE_GOV_MENU=y

#
# Bus options (PCI etc.)
#
CONFIG_PCI=y
# CONFIG_PCI_GOBIOS is not set
# CONFIG_PCI_GOMMCONFIG is not set
# CONFIG_PCI_GODIRECT is not set
# CONFIG_PCI_GOOLPC is not set
CONFIG_PCI_GOANY=y
CONFIG_PCI_BIOS=y
CONFIG_PCI_DIRECT=y
CONFIG_PCI_MMCONFIG=y
CONFIG_PCI_DOMAINS=y
CONFIG_PCIEPORTBUS=y
CONFIG_PCIEAER=y
# CONFIG_PCIEASPM is not set
CONFIG_ARCH_SUPPORTS_MSI=y
# CONFIG_PCI_MSI is not set
# CONFIG_PCI_LEGACY is not set
# CONFIG_PCI_STUB is not set
CONFIG_HT_IRQ=y
CONFIG_ISA_DMA_API=y
# CONFIG_ISA is not set
# CONFIG_MCA is not set
# CONFIG_SCx200 is not set
# CONFIG_OLPC is not set
CONFIG_K8_NB=y
# CONFIG_PCCARD is not set
# CONFIG_HOTPLUG_PCI is not set

#
# Executable file formats / Emulations
#
CONFIG_BINFMT_ELF=y
# CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS is not set
CONFIG_HAVE_AOUT=y
# CONFIG_BINFMT_AOUT is not set
CONFIG_BINFMT_MISC=y
CONFIG_HAVE_ATOMIC_IOMAP=y
CONFIG_NET=y

#
# Networking options
#
CONFIG_COMPAT_NET_DEV_OPS=y
CONFIG_PACKET=y
CONFIG_PACKET_MMAP=y
CONFIG_UNIX=y
CONFIG_XFRM=y
CONFIG_XFRM_USER=y
# CONFIG_XFRM_SUB_POLICY is not set
# CONFIG_XFRM_MIGRATE is not set
# CONFIG_XFRM_STATISTICS is not set
CONFIG_XFRM_IPCOMP=y
CONFIG_NET_KEY=y
# CONFIG_NET_KEY_MIGRATE is not set
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_ASK_IP_FIB_HASH=y
# CONFIG_IP_FIB_TRIE is not set
CONFIG_IP_FIB_HASH=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_IP_PNP=y
CONFIG_IP_PNP_DHCP=y
# CONFIG_IP_PNP_BOOTP is not set
# CONFIG_IP_PNP_RARP is not set
# CONFIG_NET_IPIP is not set
# CONFIG_NET_IPGRE is not set
CONFIG_IP_MROUTE=y
CONFIG_IP_PIMSM_V1=y
CONFIG_IP_PIMSM_V2=y
# CONFIG_ARPD is not set
CONFIG_SYN_COOKIES=y
CONFIG_INET_AH=y
CONFIG_INET_ESP=y
CONFIG_INET_IPCOMP=y
CONFIG_INET_XFRM_TUNNEL=y
CONFIG_INET_TUNNEL=y
CONFIG_INET_XFRM_MODE_TRANSPORT=y
CONFIG_INET_XFRM_MODE_TUNNEL=y
CONFIG_INET_XFRM_MODE_BEET=y
CONFIG_INET_LRO=y
# CONFIG_INET_DIAG is not set
CONFIG_TCP_CONG_ADVANCED=y
# CONFIG_TCP_CONG_BIC is not set
CONFIG_TCP_CONG_CUBIC=y
# CONFIG_TCP_CONG_WESTWOOD is not set
# CONFIG_TCP_CONG_HTCP is not set
# CONFIG_TCP_CONG_HSTCP is not set
# CONFIG_TCP_CONG_HYBLA is not set
# CONFIG_TCP_CONG_VEGAS is not set
# CONFIG_TCP_CONG_SCALABLE is not set
# CONFIG_TCP_CONG_LP is not set
# CONFIG_TCP_CONG_VENO is not set
# CONFIG_TCP_CONG_YEAH is not set
# CONFIG_TCP_CONG_ILLINOIS is not set
# CONFIG_DEFAULT_BIC is not set
CONFIG_DEFAULT_CUBIC=y
# CONFIG_DEFAULT_HTCP is not set
# CONFIG_DEFAULT_VEGAS is not set
# CONFIG_DEFAULT_WESTWOOD is not set
# CONFIG_DEFAULT_RENO is not set
CONFIG_DEFAULT_TCP_CONG="cubic"
# CONFIG_TCP_MD5SIG is not set
CONFIG_IPV6=y
CONFIG_IPV6_PRIVACY=y
CONFIG_IPV6_ROUTER_PREF=y
# CONFIG_IPV6_ROUTE_INFO is not set
# CONFIG_IPV6_OPTIMISTIC_DAD is not set
CONFIG_INET6_AH=y
CONFIG_INET6_ESP=y
CONFIG_INET6_IPCOMP=y
# CONFIG_IPV6_MIP6 is not set
CONFIG_INET6_XFRM_TUNNEL=y
CONFIG_INET6_TUNNEL=y
CONFIG_INET6_XFRM_MODE_TRANSPORT=y
CONFIG_INET6_XFRM_MODE_TUNNEL=y
CONFIG_INET6_XFRM_MODE_BEET=y
# CONFIG_INET6_XFRM_MODE_ROUTEOPTIMIZATION is not set
CONFIG_IPV6_SIT=y
CONFIG_IPV6_NDISC_NODETYPE=y
CONFIG_IPV6_TUNNEL=y
# CONFIG_IPV6_MULTIPLE_TABLES is not set
# CONFIG_IPV6_MROUTE is not set
CONFIG_NETLABEL=y
CONFIG_NETWORK_SECMARK=y
# CONFIG_NETFILTER is not set
# CONFIG_IP_DCCP is not set
# CONFIG_IP_SCTP is not set
# CONFIG_TIPC is not set
# CONFIG_ATM is not set
# CONFIG_BRIDGE is not set
# CONFIG_NET_DSA is not set
# CONFIG_VLAN_8021Q is not set
# CONFIG_DECNET is not set
# CONFIG_LLC2 is not set
# CONFIG_IPX is not set
# CONFIG_ATALK is not set
# CONFIG_X25 is not set
# CONFIG_LAPB is not set
# CONFIG_ECONET is not set
# CONFIG_WAN_ROUTER is not set
# CONFIG_NET_SCHED is not set
# CONFIG_DCB is not set

#
# Network testing
#
# CONFIG_NET_PKTGEN is not set
# CONFIG_HAMRADIO is not set
# CONFIG_CAN is not set
# CONFIG_IRDA is not set
# CONFIG_BT is not set
# CONFIG_AF_RXRPC is not set
# CONFIG_PHONET is not set
CONFIG_FIB_RULES=y
# CONFIG_WIRELESS is not set
# CONFIG_WIMAX is not set
# CONFIG_RFKILL is not set
# CONFIG_NET_9P is not set

#
# Device Drivers
#

#
# Generic Driver Options
#
CONFIG_UEVENT_HELPER_PATH="/sbin/hotplug"
CONFIG_STANDALONE=y
CONFIG_PREVENT_FIRMWARE_BUILD=y
CONFIG_FW_LOADER=y
CONFIG_FIRMWARE_IN_KERNEL=y
CONFIG_EXTRA_FIRMWARE=""
# CONFIG_SYS_HYPERVISOR is not set
CONFIG_CONNECTOR=y
CONFIG_PROC_EVENTS=y
# CONFIG_MTD is not set
# CONFIG_PARPORT is not set
CONFIG_PNP=y
CONFIG_PNP_DEBUG_MESSAGES=y

#
# Protocols
#
CONFIG_PNPACPI=y
CONFIG_BLK_DEV=y
# CONFIG_BLK_DEV_FD is not set
# CONFIG_BLK_CPQ_DA is not set
# CONFIG_BLK_CPQ_CISS_DA is not set
# CONFIG_BLK_DEV_DAC960 is not set
# CONFIG_BLK_DEV_UMEM is not set
# CONFIG_BLK_DEV_COW_COMMON is not set
CONFIG_BLK_DEV_LOOP=y
CONFIG_BLK_DEV_CRYPTOLOOP=y
# CONFIG_BLK_DEV_NBD is not set
# CONFIG_BLK_DEV_SX8 is not set
# CONFIG_BLK_DEV_UB is not set
CONFIG_BLK_DEV_RAM=y
CONFIG_BLK_DEV_RAM_COUNT=16
CONFIG_BLK_DEV_RAM_SIZE=16384
# CONFIG_BLK_DEV_XIP is not set
CONFIG_CDROM_PKTCDVD=y
CONFIG_CDROM_PKTCDVD_BUFFERS=8
# CONFIG_CDROM_PKTCDVD_WCACHE is not set
# CONFIG_ATA_OVER_ETH is not set
CONFIG_VIRTIO_BLK=y
# CONFIG_BLK_DEV_HD is not set
# CONFIG_MISC_DEVICES is not set
CONFIG_HAVE_IDE=y
# CONFIG_IDE is not set

#
# SCSI device support
#
# CONFIG_RAID_ATTRS is not set
CONFIG_SCSI=y
CONFIG_SCSI_DMA=y
# CONFIG_SCSI_TGT is not set
# CONFIG_SCSI_NETLINK is not set
CONFIG_SCSI_PROC_FS=y

#
# SCSI support type (disk, tape, CD-ROM)
#
CONFIG_BLK_DEV_SD=y
# CONFIG_CHR_DEV_ST is not set
# CONFIG_CHR_DEV_OSST is not set
CONFIG_BLK_DEV_SR=y
CONFIG_BLK_DEV_SR_VENDOR=y
CONFIG_CHR_DEV_SG=y
# CONFIG_CHR_DEV_SCH is not set

#
# Some SCSI devices (e.g. CD jukebox) support multiple LUNs
#
# CONFIG_SCSI_MULTI_LUN is not set
CONFIG_SCSI_CONSTANTS=y
# CONFIG_SCSI_LOGGING is not set
# CONFIG_SCSI_SCAN_ASYNC is not set
CONFIG_SCSI_WAIT_SCAN=m

#
# SCSI Transports
#
# CONFIG_SCSI_SPI_ATTRS is not set
# CONFIG_SCSI_FC_ATTRS is not set
# CONFIG_SCSI_ISCSI_ATTRS is not set
# CONFIG_SCSI_SAS_LIBSAS is not set
# CONFIG_SCSI_SRP_ATTRS is not set
# CONFIG_SCSI_LOWLEVEL is not set
# CONFIG_SCSI_DH is not set
CONFIG_ATA=y
# CONFIG_ATA_NONSTANDARD is not set
CONFIG_ATA_ACPI=y
CONFIG_SATA_PMP=y
CONFIG_SATA_AHCI=y
# CONFIG_SATA_SIL24 is not set
CONFIG_ATA_SFF=y
# CONFIG_SATA_SVW is not set
CONFIG_ATA_PIIX=y
# CONFIG_SATA_MV is not set
# CONFIG_SATA_NV is not set
# CONFIG_PDC_ADMA is not set
# CONFIG_SATA_QSTOR is not set
# CONFIG_SATA_PROMISE is not set
# CONFIG_SATA_SX4 is not set
# CONFIG_SATA_SIL is not set
# CONFIG_SATA_SIS is not set
# CONFIG_SATA_ULI is not set
# CONFIG_SATA_VIA is not set
# CONFIG_SATA_VITESSE is not set
# CONFIG_SATA_INIC162X is not set
# CONFIG_PATA_ACPI is not set
# CONFIG_PATA_ALI is not set
# CONFIG_PATA_AMD is not set
# CONFIG_PATA_ARTOP is not set
# CONFIG_PATA_ATIIXP is not set
# CONFIG_PATA_CMD640_PCI is not set
# CONFIG_PATA_CMD64X is not set
# CONFIG_PATA_CS5520 is not set
# CONFIG_PATA_CS5530 is not set
# CONFIG_PATA_CS5535 is not set
# CONFIG_PATA_CS5536 is not set
# CONFIG_PATA_CYPRESS is not set
# CONFIG_PATA_EFAR is not set
CONFIG_ATA_GENERIC=y
# CONFIG_PATA_HPT366 is not set
# CONFIG_PATA_HPT37X is not set
# CONFIG_PATA_HPT3X2N is not set
# CONFIG_PATA_HPT3X3 is not set
# CONFIG_PATA_IT821X is not set
# CONFIG_PATA_IT8213 is not set
# CONFIG_PATA_JMICRON is not set
# CONFIG_PATA_TRIFLEX is not set
# CONFIG_PATA_MARVELL is not set
# CONFIG_PATA_MPIIX is not set
# CONFIG_PATA_OLDPIIX is not set
# CONFIG_PATA_NETCELL is not set
# CONFIG_PATA_NINJA32 is not set
# CONFIG_PATA_NS87410 is not set
# CONFIG_PATA_NS87415 is not set
# CONFIG_PATA_OPTI is not set
# CONFIG_PATA_OPTIDMA is not set
# CONFIG_PATA_PDC_OLD is not set
# CONFIG_PATA_RADISYS is not set
# CONFIG_PATA_RZ1000 is not set
# CONFIG_PATA_SC1200 is not set
# CONFIG_PATA_SERVERWORKS is not set
# CONFIG_PATA_PDC2027X is not set
# CONFIG_PATA_SIL680 is not set
# CONFIG_PATA_SIS is not set
# CONFIG_PATA_VIA is not set
# CONFIG_PATA_WINBOND is not set
# CONFIG_PATA_SCH is not set
CONFIG_MD=y
CONFIG_BLK_DEV_MD=y
CONFIG_MD_AUTODETECT=y
CONFIG_MD_LINEAR=y
CONFIG_MD_RAID0=y
CONFIG_MD_RAID1=y
# CONFIG_MD_RAID10 is not set
CONFIG_MD_RAID456=y
CONFIG_MD_RAID5_RESHAPE=y
CONFIG_MD_MULTIPATH=y
# CONFIG_MD_FAULTY is not set
CONFIG_BLK_DEV_DM=y
# CONFIG_DM_DEBUG is not set
CONFIG_DM_CRYPT=y
CONFIG_DM_SNAPSHOT=y
CONFIG_DM_MIRROR=y
CONFIG_DM_ZERO=y
CONFIG_DM_MULTIPATH=y
# CONFIG_DM_DELAY is not set
# CONFIG_DM_UEVENT is not set
# CONFIG_FUSION is not set

#
# IEEE 1394 (FireWire) support
#

#
# Enable only one of the two stacks, unless you know what you are doing
#
# CONFIG_FIREWIRE is not set
# CONFIG_IEEE1394 is not set
# CONFIG_I2O is not set
# CONFIG_MACINTOSH_DRIVERS is not set
CONFIG_NETDEVICES=y
# CONFIG_DUMMY is not set
# CONFIG_BONDING is not set
# CONFIG_MACVLAN is not set
# CONFIG_EQUALIZER is not set
# CONFIG_TUN is not set
# CONFIG_VETH is not set
# CONFIG_NET_SB1000 is not set
# CONFIG_ARCNET is not set
CONFIG_PHYLIB=y

#
# MII PHY device drivers
#
CONFIG_MARVELL_PHY=m
CONFIG_DAVICOM_PHY=m
CONFIG_QSEMI_PHY=m
CONFIG_LXT_PHY=m
CONFIG_CICADA_PHY=m
CONFIG_VITESSE_PHY=m
CONFIG_SMSC_PHY=m
CONFIG_BROADCOM_PHY=m
CONFIG_ICPLUS_PHY=m
CONFIG_REALTEK_PHY=m
# CONFIG_NATIONAL_PHY is not set
# CONFIG_STE10XP is not set
# CONFIG_LSI_ET1011C_PHY is not set
# CONFIG_FIXED_PHY is not set
CONFIG_MDIO_BITBANG=m
CONFIG_NET_ETHERNET=y
CONFIG_MII=y
# CONFIG_HAPPYMEAL is not set
# CONFIG_SUNGEM is not set
# CONFIG_CASSINI is not set
CONFIG_NET_VENDOR_3COM=y
CONFIG_VORTEX=m
CONFIG_TYPHOON=m
# CONFIG_DNET is not set
# CONFIG_NET_TULIP is not set
# CONFIG_HP100 is not set
# CONFIG_IBM_NEW_EMAC_ZMII is not set
# CONFIG_IBM_NEW_EMAC_RGMII is not set
# CONFIG_IBM_NEW_EMAC_TAH is not set
# CONFIG_IBM_NEW_EMAC_EMAC4 is not set
# CONFIG_IBM_NEW_EMAC_NO_FLOW_CTRL is not set
# CONFIG_IBM_NEW_EMAC_MAL_CLR_ICINTSTAT is not set
# CONFIG_IBM_NEW_EMAC_MAL_COMMON_ERR is not set
CONFIG_NET_PCI=y
CONFIG_PCNET32=m
CONFIG_AMD8111_ETH=m
CONFIG_ADAPTEC_STARFIRE=m
CONFIG_B44=m
CONFIG_B44_PCI_AUTOSELECT=y
CONFIG_B44_PCICORE_AUTOSELECT=y
CONFIG_B44_PCI=y
CONFIG_FORCEDETH=m
# CONFIG_FORCEDETH_NAPI is not set
CONFIG_E100=m
CONFIG_FEALNX=m
CONFIG_NATSEMI=m
CONFIG_NE2K_PCI=m
CONFIG_8139CP=m
CONFIG_8139TOO=m
# CONFIG_8139TOO_PIO is not set
CONFIG_8139TOO_TUNE_TWISTER=y
CONFIG_8139TOO_8129=y
# CONFIG_8139_OLD_RX_RESET is not set
# CONFIG_R6040 is not set
CONFIG_SIS900=m
CONFIG_EPIC100=m
# CONFIG_SMSC9420 is not set
CONFIG_SUNDANCE=m
# CONFIG_SUNDANCE_MMIO is not set
CONFIG_TLAN=m
CONFIG_VIA_RHINE=m
CONFIG_VIA_RHINE_MMIO=y
# CONFIG_SC92031 is not set
CONFIG_ATL2=m
CONFIG_NETDEV_1000=y
CONFIG_ACENIC=m
# CONFIG_ACENIC_OMIT_TIGON_I is not set
CONFIG_DL2K=m
CONFIG_E1000=m
CONFIG_E1000E=m
CONFIG_IP1000=m
CONFIG_IGB=m
# CONFIG_IGB_LRO is not set
CONFIG_NS83820=m
CONFIG_HAMACHI=m
# CONFIG_YELLOWFIN is not set
CONFIG_R8169=m
CONFIG_SIS190=m
CONFIG_SKGE=m
# CONFIG_SKGE_DEBUG is not set
CONFIG_SKY2=m
# CONFIG_SKY2_DEBUG is not set
CONFIG_VIA_VELOCITY=m
CONFIG_TIGON3=m
CONFIG_BNX2=m
CONFIG_QLA3XXX=m
CONFIG_ATL1=m
# CONFIG_ATL1E is not set
# CONFIG_ATL1C is not set
CONFIG_JME=m
CONFIG_NETDEV_10000=y
CONFIG_CHELSIO_T1=m
CONFIG_CHELSIO_T1_1G=y
CONFIG_CHELSIO_T3_DEPENDS=y
CONFIG_CHELSIO_T3=m
CONFIG_ENIC=m
CONFIG_IXGBE=m
CONFIG_IXGB=m
CONFIG_S2IO=m
CONFIG_MYRI10GE=m
CONFIG_NETXEN_NIC=m
CONFIG_NIU=m
CONFIG_MLX4_EN=m
CONFIG_MLX4_CORE=m
CONFIG_MLX4_DEBUG=y
CONFIG_TEHUTI=m
CONFIG_BNX2X=m
CONFIG_QLGE=m
CONFIG_SFC=m
# CONFIG_BE2NET is not set
# CONFIG_TR is not set

#
# Wireless LAN
#
# CONFIG_WLAN_PRE80211 is not set
# CONFIG_WLAN_80211 is not set
# CONFIG_IWLWIFI_LEDS is not set

#
# Enable WiMAX (Networking options) to see the WiMAX drivers
#

#
# USB Network Adapters
#
# CONFIG_USB_CATC is not set
# CONFIG_USB_KAWETH is not set
# CONFIG_USB_PEGASUS is not set
# CONFIG_USB_RTL8150 is not set
# CONFIG_USB_USBNET is not set
# CONFIG_WAN is not set
# CONFIG_FDDI is not set
# CONFIG_HIPPI is not set
# CONFIG_PPP is not set
# CONFIG_SLIP is not set
# CONFIG_NET_FC is not set
# CONFIG_NETCONSOLE is not set
# CONFIG_NETPOLL is not set
# CONFIG_NET_POLL_CONTROLLER is not set
CONFIG_VIRTIO_NET=m
# CONFIG_ISDN is not set
# CONFIG_PHONE is not set

#
# Input device support
#
CONFIG_INPUT=y
CONFIG_INPUT_FF_MEMLESS=y
CONFIG_INPUT_POLLDEV=y

#
# Userland interfaces
#
CONFIG_INPUT_MOUSEDEV=y
# CONFIG_INPUT_MOUSEDEV_PSAUX is not set
CONFIG_INPUT_MOUSEDEV_SCREEN_X=1024
CONFIG_INPUT_MOUSEDEV_SCREEN_Y=768
# CONFIG_INPUT_JOYDEV is not set
CONFIG_INPUT_EVDEV=y
# CONFIG_INPUT_EVBUG is not set

#
# Input Device Drivers
#
CONFIG_INPUT_KEYBOARD=y
CONFIG_KEYBOARD_ATKBD=y
# CONFIG_KEYBOARD_SUNKBD is not set
# CONFIG_KEYBOARD_LKKBD is not set
# CONFIG_KEYBOARD_XTKBD is not set
# CONFIG_KEYBOARD_NEWTON is not set
# CONFIG_KEYBOARD_STOWAWAY is not set
CONFIG_INPUT_MOUSE=y
CONFIG_MOUSE_PS2=y
CONFIG_MOUSE_PS2_ALPS=y
CONFIG_MOUSE_PS2_LOGIPS2PP=y
CONFIG_MOUSE_PS2_SYNAPTICS=y
CONFIG_MOUSE_PS2_LIFEBOOK=y
CONFIG_MOUSE_PS2_TRACKPOINT=y
# CONFIG_MOUSE_PS2_ELANTECH is not set
# CONFIG_MOUSE_PS2_TOUCHKIT is not set
# CONFIG_MOUSE_SERIAL is not set
# CONFIG_MOUSE_APPLETOUCH is not set
# CONFIG_MOUSE_BCM5974 is not set
# CONFIG_MOUSE_VSXXXAA is not set
# CONFIG_INPUT_JOYSTICK is not set
# CONFIG_INPUT_TABLET is not set
# CONFIG_INPUT_TOUCHSCREEN is not set
CONFIG_INPUT_MISC=y
CONFIG_INPUT_PCSPKR=y
# CONFIG_INPUT_WISTRON_BTNS is not set
# CONFIG_INPUT_ATLAS_BTNS is not set
# CONFIG_INPUT_ATI_REMOTE is not set
# CONFIG_INPUT_ATI_REMOTE2 is not set
# CONFIG_INPUT_KEYSPAN_REMOTE is not set
# CONFIG_INPUT_POWERMATE is not set
# CONFIG_INPUT_YEALINK is not set
# CONFIG_INPUT_CM109 is not set
# CONFIG_INPUT_UINPUT is not set

#
# Hardware I/O ports
#
CONFIG_SERIO=y
CONFIG_SERIO_I8042=y
CONFIG_SERIO_SERPORT=y
# CONFIG_SERIO_CT82C710 is not set
# CONFIG_SERIO_PCIPS2 is not set
CONFIG_SERIO_LIBPS2=y
# CONFIG_SERIO_RAW is not set
# CONFIG_GAMEPORT is not set

#
# Character devices
#
CONFIG_VT=y
CONFIG_CONSOLE_TRANSLATIONS=y
CONFIG_VT_CONSOLE=y
CONFIG_HW_CONSOLE=y
CONFIG_VT_HW_CONSOLE_BINDING=y
CONFIG_DEVKMEM=y
CONFIG_SERIAL_NONSTANDARD=y
# CONFIG_COMPUTONE is not set
# CONFIG_ROCKETPORT is not set
# CONFIG_CYCLADES is not set
# CONFIG_DIGIEPCA is not set
# CONFIG_MOXA_INTELLIO is not set
# CONFIG_MOXA_SMARTIO is not set
# CONFIG_ISI is not set
# CONFIG_SYNCLINK is not set
# CONFIG_SYNCLINKMP is not set
# CONFIG_SYNCLINK_GT is not set
# CONFIG_N_HDLC is not set
# CONFIG_RISCOM8 is not set
# CONFIG_SPECIALIX is not set
# CONFIG_SX is not set
# CONFIG_RIO is not set
# CONFIG_STALDRV is not set
# CONFIG_NOZOMI is not set

#
# Serial drivers
#
CONFIG_SERIAL_8250=y
CONFIG_SERIAL_8250_CONSOLE=y
CONFIG_FIX_EARLYCON_MEM=y
CONFIG_SERIAL_8250_PCI=y
CONFIG_SERIAL_8250_PNP=y
CONFIG_SERIAL_8250_NR_UARTS=32
CONFIG_SERIAL_8250_RUNTIME_UARTS=4
CONFIG_SERIAL_8250_EXTENDED=y
CONFIG_SERIAL_8250_MANY_PORTS=y
CONFIG_SERIAL_8250_SHARE_IRQ=y
CONFIG_SERIAL_8250_DETECT_IRQ=y
CONFIG_SERIAL_8250_RSA=y

#
# Non-8250 serial port support
#
CONFIG_SERIAL_CORE=y
CONFIG_SERIAL_CORE_CONSOLE=y
# CONFIG_SERIAL_JSM is not set
CONFIG_UNIX98_PTYS=y
# CONFIG_DEVPTS_MULTIPLE_INSTANCES is not set
# CONFIG_LEGACY_PTYS is not set
# CONFIG_VIRTIO_CONSOLE is not set
# CONFIG_IPMI_HANDLER is not set
CONFIG_HW_RANDOM=y
CONFIG_HW_RANDOM_INTEL=y
CONFIG_HW_RANDOM_AMD=y
CONFIG_HW_RANDOM_GEODE=y
CONFIG_HW_RANDOM_VIA=y
# CONFIG_HW_RANDOM_VIRTIO is not set
CONFIG_NVRAM=y
# CONFIG_R3964 is not set
# CONFIG_APPLICOM is not set
# CONFIG_SONYPI is not set
# CONFIG_MWAVE is not set
# CONFIG_PC8736x_GPIO is not set
# CONFIG_NSC_GPIO is not set
# CONFIG_CS5535_GPIO is not set
# CONFIG_RAW_DRIVER is not set
CONFIG_HPET=y
# CONFIG_HPET_MMAP is not set
# CONFIG_HANGCHECK_TIMER is not set
# CONFIG_TCG_TPM is not set
# CONFIG_TELCLOCK is not set
CONFIG_DEVPORT=y
CONFIG_I2C=y
CONFIG_I2C_BOARDINFO=y
# CONFIG_I2C_CHARDEV is not set
# CONFIG_I2C_HELPER_AUTO is not set

#
# I2C Algorithms
#
CONFIG_I2C_ALGOBIT=y
# CONFIG_I2C_ALGOPCF is not set
# CONFIG_I2C_ALGOPCA is not set

#
# I2C Hardware Bus support
#

#
# PC SMBus host controller drivers
#
# CONFIG_I2C_ALI1535 is not set
# CONFIG_I2C_ALI1563 is not set
# CONFIG_I2C_ALI15X3 is not set
# CONFIG_I2C_AMD756 is not set
# CONFIG_I2C_AMD8111 is not set
CONFIG_I2C_I801=m
# CONFIG_I2C_ISCH is not set
# CONFIG_I2C_PIIX4 is not set
# CONFIG_I2C_NFORCE2 is not set
# CONFIG_I2C_SIS5595 is not set
# CONFIG_I2C_SIS630 is not set
# CONFIG_I2C_SIS96X is not set
# CONFIG_I2C_VIA is not set
# CONFIG_I2C_VIAPRO is not set

#
# I2C system bus drivers (mostly embedded / system-on-chip)
#
# CONFIG_I2C_OCORES is not set
# CONFIG_I2C_SIMTEC is not set

#
# External I2C/SMBus adapter drivers
#
# CONFIG_I2C_PARPORT_LIGHT is not set
# CONFIG_I2C_TAOS_EVM is not set
# CONFIG_I2C_TINY_USB is not set

#
# Graphics adapter I2C/DDC channel drivers
#
# CONFIG_I2C_VOODOO3 is not set

#
# Other I2C/SMBus bus drivers
#
# CONFIG_I2C_PCA_PLATFORM is not set
# CONFIG_I2C_STUB is not set
# CONFIG_SCx200_ACB is not set

#
# Miscellaneous I2C Chip support
#
# CONFIG_DS1682 is not set
# CONFIG_SENSORS_PCF8574 is not set
# CONFIG_PCF8575 is not set
# CONFIG_SENSORS_PCA9539 is not set
# CONFIG_SENSORS_PCF8591 is not set
# CONFIG_SENSORS_MAX6875 is not set
# CONFIG_SENSORS_TSL2550 is not set
# CONFIG_I2C_DEBUG_CORE is not set
# CONFIG_I2C_DEBUG_ALGO is not set
# CONFIG_I2C_DEBUG_BUS is not set
# CONFIG_I2C_DEBUG_CHIP is not set
# CONFIG_SPI is not set
CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y
# CONFIG_GPIOLIB is not set
# CONFIG_W1 is not set
CONFIG_POWER_SUPPLY=y
# CONFIG_POWER_SUPPLY_DEBUG is not set
# CONFIG_PDA_POWER is not set
# CONFIG_BATTERY_DS2760 is not set
# CONFIG_BATTERY_BQ27x00 is not set
# CONFIG_HWMON is not set
CONFIG_THERMAL=y
# CONFIG_WATCHDOG is not set
CONFIG_SSB_POSSIBLE=y

#
# Sonics Silicon Backplane
#
CONFIG_SSB=m
CONFIG_SSB_SPROM=y
CONFIG_SSB_PCIHOST_POSSIBLE=y
CONFIG_SSB_PCIHOST=y
# CONFIG_SSB_B43_PCI_BRIDGE is not set
# CONFIG_SSB_DEBUG is not set
CONFIG_SSB_DRIVER_PCICORE_POSSIBLE=y
CONFIG_SSB_DRIVER_PCICORE=y

#
# Multifunction device drivers
#
# CONFIG_MFD_CORE is not set
# CONFIG_MFD_SM501 is not set
# CONFIG_HTC_PASIC3 is not set
# CONFIG_TWL4030_CORE is not set
# CONFIG_MFD_TMIO is not set
# CONFIG_PMIC_DA903X is not set
# CONFIG_MFD_WM8400 is not set
# CONFIG_MFD_WM8350_I2C is not set
# CONFIG_MFD_PCF50633 is not set
# CONFIG_REGULATOR is not set

#
# Multimedia devices
#

#
# Multimedia core support
#
# CONFIG_VIDEO_DEV is not set
# CONFIG_DVB_CORE is not set
# CONFIG_VIDEO_MEDIA is not set

#
# Multimedia drivers
#
# CONFIG_DAB is not set

#
# Graphics support
#
CONFIG_AGP=y
# CONFIG_AGP_ALI is not set
# CONFIG_AGP_ATI is not set
# CONFIG_AGP_AMD is not set
CONFIG_AGP_AMD64=y
CONFIG_AGP_INTEL=y
# CONFIG_AGP_NVIDIA is not set
# CONFIG_AGP_SIS is not set
# CONFIG_AGP_SWORKS is not set
# CONFIG_AGP_VIA is not set
# CONFIG_AGP_EFFICEON is not set
CONFIG_DRM=y
# CONFIG_DRM_TDFX is not set
# CONFIG_DRM_R128 is not set
# CONFIG_DRM_RADEON is not set
# CONFIG_DRM_I810 is not set
# CONFIG_DRM_I830 is not set
CONFIG_DRM_I915=y
# CONFIG_DRM_I915_KMS is not set
# CONFIG_DRM_MGA is not set
# CONFIG_DRM_SIS is not set
# CONFIG_DRM_VIA is not set
# CONFIG_DRM_SAVAGE is not set
# CONFIG_VGASTATE is not set
# CONFIG_VIDEO_OUTPUT_CONTROL is not set
CONFIG_FB=y
# CONFIG_FIRMWARE_EDID is not set
# CONFIG_FB_DDC is not set
# CONFIG_FB_BOOT_VESA_SUPPORT is not set
CONFIG_FB_CFB_FILLRECT=y
CONFIG_FB_CFB_COPYAREA=y
CONFIG_FB_CFB_IMAGEBLIT=y
# CONFIG_FB_CFB_REV_PIXELS_IN_BYTE is not set
# CONFIG_FB_SYS_FILLRECT is not set
# CONFIG_FB_SYS_COPYAREA is not set
# CONFIG_FB_SYS_IMAGEBLIT is not set
# CONFIG_FB_FOREIGN_ENDIAN is not set
# CONFIG_FB_SYS_FOPS is not set
# CONFIG_FB_SVGALIB is not set
# CONFIG_FB_MACMODES is not set
# CONFIG_FB_BACKLIGHT is not set
CONFIG_FB_MODE_HELPERS=y
CONFIG_FB_TILEBLITTING=y

#
# Frame buffer hardware drivers
#
# CONFIG_FB_CIRRUS is not set
# CONFIG_FB_PM2 is not set
# CONFIG_FB_CYBER2000 is not set
# CONFIG_FB_ARC is not set
# CONFIG_FB_ASILIANT is not set
# CONFIG_FB_IMSTT is not set
# CONFIG_FB_VGA16 is not set
# CONFIG_FB_UVESA is not set
# CONFIG_FB_VESA is not set
CONFIG_FB_EFI=y
# CONFIG_FB_N411 is not set
# CONFIG_FB_HGA is not set
# CONFIG_FB_S1D13XXX is not set
# CONFIG_FB_NVIDIA is not set
# CONFIG_FB_RIVA is not set
# CONFIG_FB_I810 is not set
# CONFIG_FB_LE80578 is not set
# CONFIG_FB_INTEL is not set
# CONFIG_FB_MATROX is not set
# CONFIG_FB_RADEON is not set
# CONFIG_FB_ATY128 is not set
# CONFIG_FB_ATY is not set
# CONFIG_FB_S3 is not set
# CONFIG_FB_SAVAGE is not set
# CONFIG_FB_SIS is not set
# CONFIG_FB_VIA is not set
# CONFIG_FB_NEOMAGIC is not set
# CONFIG_FB_KYRO is not set
# CONFIG_FB_3DFX is not set
# CONFIG_FB_VOODOO1 is not set
# CONFIG_FB_VT8623 is not set
# CONFIG_FB_CYBLA is not set
# CONFIG_FB_TRIDENT is not set
# CONFIG_FB_ARK is not set
# CONFIG_FB_PM3 is not set
# CONFIG_FB_CARMINE is not set
# CONFIG_FB_GEODE is not set
# CONFIG_FB_VIRTUAL is not set
# CONFIG_FB_METRONOME is not set
# CONFIG_FB_MB862XX is not set
# CONFIG_BACKLIGHT_LCD_SUPPORT is not set

#
# Display device support
#
# CONFIG_DISPLAY_SUPPORT is not set

#
# Console display driver support
#
CONFIG_VGA_CONSOLE=y
CONFIG_VGACON_SOFT_SCROLLBACK=y
CONFIG_VGACON_SOFT_SCROLLBACK_SIZE=64
CONFIG_DUMMY_CONSOLE=y
# CONFIG_FRAMEBUFFER_CONSOLE is not set
CONFIG_LOGO=y
# CONFIG_LOGO_LINUX_MONO is not set
# CONFIG_LOGO_LINUX_VGA16 is not set
CONFIG_LOGO_LINUX_CLUT224=y
CONFIG_SOUND=y
CONFIG_SOUND_OSS_CORE=y
CONFIG_SND=y
CONFIG_SND_TIMER=y
CONFIG_SND_PCM=y
CONFIG_SND_HWDEP=y
CONFIG_SND_JACK=y
CONFIG_SND_SEQUENCER=y
CONFIG_SND_SEQ_DUMMY=y
CONFIG_SND_OSSEMUL=y
CONFIG_SND_MIXER_OSS=y
CONFIG_SND_PCM_OSS=y
CONFIG_SND_PCM_OSS_PLUGINS=y
CONFIG_SND_SEQUENCER_OSS=y
# CONFIG_SND_HRTIMER is not set
CONFIG_SND_DYNAMIC_MINORS=y
CONFIG_SND_SUPPORT_OLD_API=y
CONFIG_SND_VERBOSE_PROCFS=y
# CONFIG_SND_VERBOSE_PRINTK is not set
# CONFIG_SND_DEBUG is not set
CONFIG_SND_VMASTER=y
CONFIG_SND_DRIVERS=y
# CONFIG_SND_PCSP is not set
# CONFIG_SND_DUMMY is not set
# CONFIG_SND_VIRMIDI is not set
# CONFIG_SND_MTPAV is not set
# CONFIG_SND_SERIAL_U16550 is not set
# CONFIG_SND_MPU401 is not set
CONFIG_SND_PCI=y
# CONFIG_SND_AD1889 is not set
# CONFIG_SND_ALS300 is not set
# CONFIG_SND_ALS4000 is not set
# CONFIG_SND_ALI5451 is not set
# CONFIG_SND_ATIIXP is not set
# CONFIG_SND_ATIIXP_MODEM is not set
# CONFIG_SND_AU8810 is not set
# CONFIG_SND_AU8820 is not set
# CONFIG_SND_AU8830 is not set
# CONFIG_SND_AW2 is not set
# CONFIG_SND_AZT3328 is not set
# CONFIG_SND_BT87X is not set
# CONFIG_SND_CA0106 is not set
# CONFIG_SND_CMIPCI is not set
# CONFIG_SND_OXYGEN is not set
# CONFIG_SND_CS4281 is not set
# CONFIG_SND_CS46XX is not set
# CONFIG_SND_CS5530 is not set
# CONFIG_SND_CS5535AUDIO is not set
# CONFIG_SND_DARLA20 is not set
# CONFIG_SND_GINA20 is not set
# CONFIG_SND_LAYLA20 is not set
# CONFIG_SND_DARLA24 is not set
# CONFIG_SND_GINA24 is not set
# CONFIG_SND_LAYLA24 is not set
# CONFIG_SND_MONA is not set
# CONFIG_SND_MIA is not set
# CONFIG_SND_ECHO3G is not set
# CONFIG_SND_INDIGO is not set
# CONFIG_SND_INDIGOIO is not set
# CONFIG_SND_INDIGODJ is not set
# CONFIG_SND_EMU10K1 is not set
# CONFIG_SND_EMU10K1X is not set
# CONFIG_SND_ENS1370 is not set
# CONFIG_SND_ENS1371 is not set
# CONFIG_SND_ES1938 is not set
# CONFIG_SND_ES1968 is not set
# CONFIG_SND_FM801 is not set
CONFIG_SND_HDA_INTEL=y
CONFIG_SND_HDA_HWDEP=y
# CONFIG_SND_HDA_RECONFIG is not set
# CONFIG_SND_HDA_INPUT_BEEP is not set
CONFIG_SND_HDA_CODEC_REALTEK=y
CONFIG_SND_HDA_CODEC_ANALOG=y
CONFIG_SND_HDA_CODEC_SIGMATEL=y
CONFIG_SND_HDA_CODEC_VIA=y
CONFIG_SND_HDA_CODEC_ATIHDMI=y
CONFIG_SND_HDA_CODEC_NVHDMI=y
CONFIG_SND_HDA_CODEC_INTELHDMI=y
CONFIG_SND_HDA_ELD=y
CONFIG_SND_HDA_CODEC_CONEXANT=y
CONFIG_SND_HDA_CODEC_CMEDIA=y
CONFIG_SND_HDA_CODEC_SI3054=y
CONFIG_SND_HDA_GENERIC=y
# CONFIG_SND_HDA_POWER_SAVE is not set
# CONFIG_SND_HDSP is not set
# CONFIG_SND_HDSPM is not set
# CONFIG_SND_HIFIER is not set
# CONFIG_SND_ICE1712 is not set
# CONFIG_SND_ICE1724 is not set
# CONFIG_SND_INTEL8X0 is not set
# CONFIG_SND_INTEL8X0M is not set
# CONFIG_SND_KORG1212 is not set
# CONFIG_SND_MAESTRO3 is not set
# CONFIG_SND_MIXART is not set
# CONFIG_SND_NM256 is not set
# CONFIG_SND_PCXHR is not set
# CONFIG_SND_RIPTIDE is not set
# CONFIG_SND_RME32 is not set
# CONFIG_SND_RME96 is not set
# CONFIG_SND_RME9652 is not set
# CONFIG_SND_SIS7019 is not set
# CONFIG_SND_SONICVIBES is not set
# CONFIG_SND_TRIDENT is not set
# CONFIG_SND_VIA82XX is not set
# CONFIG_SND_VIA82XX_MODEM is not set
# CONFIG_SND_VIRTUOSO is not set
# CONFIG_SND_VX222 is not set
# CONFIG_SND_YMFPCI is not set
CONFIG_SND_USB=y
# CONFIG_SND_USB_AUDIO is not set
# CONFIG_SND_USB_USX2Y is not set
# CONFIG_SND_USB_CAIAQ is not set
# CONFIG_SND_USB_US122L is not set
# CONFIG_SND_SOC is not set
# CONFIG_SOUND_PRIME is not set
CONFIG_HID_SUPPORT=y
CONFIG_HID=y
CONFIG_HID_DEBUG=y
CONFIG_HIDRAW=y

#
# USB Input Devices
#
CONFIG_USB_HID=y
CONFIG_HID_PID=y
CONFIG_USB_HIDDEV=y

#
# Special HID drivers
#
CONFIG_HID_COMPAT=y
CONFIG_HID_A4TECH=y
CONFIG_HID_APPLE=y
CONFIG_HID_BELKIN=y
CONFIG_HID_CHERRY=y
CONFIG_HID_CHICONY=y
CONFIG_HID_CYPRESS=y
CONFIG_HID_EZKEY=y
CONFIG_HID_GYRATION=y
CONFIG_HID_LOGITECH=y
CONFIG_LOGITECH_FF=y
# CONFIG_LOGIRUMBLEPAD2_FF is not set
CONFIG_HID_MICROSOFT=y
CONFIG_HID_MONTEREY=y
CONFIG_HID_NTRIG=y
CONFIG_HID_PANTHERLORD=y
CONFIG_PANTHERLORD_FF=y
CONFIG_HID_PETALYNX=y
CONFIG_HID_SAMSUNG=y
CONFIG_HID_SONY=y
CONFIG_HID_SUNPLUS=y
# CONFIG_GREENASIA_FF is not set
CONFIG_HID_TOPSEED=y
CONFIG_THRUSTMASTER_FF=y
CONFIG_ZEROPLUS_FF=y
CONFIG_USB_SUPPORT=y
CONFIG_USB_ARCH_HAS_HCD=y
CONFIG_USB_ARCH_HAS_OHCI=y
CONFIG_USB_ARCH_HAS_EHCI=y
CONFIG_USB=y
CONFIG_USB_DEBUG=y
CONFIG_USB_ANNOUNCE_NEW_DEVICES=y

#
# Miscellaneous USB options
#
CONFIG_USB_DEVICEFS=y
# CONFIG_USB_DEVICE_CLASS is not set
# CONFIG_USB_DYNAMIC_MINORS is not set
CONFIG_USB_SUSPEND=y
# CONFIG_USB_OTG is not set
CONFIG_USB_MON=y
# CONFIG_USB_WUSB is not set
# CONFIG_USB_WUSB_CBAF is not set

#
# USB Host Controller Drivers
#
# CONFIG_USB_C67X00_HCD is not set
CONFIG_USB_EHCI_HCD=m
CONFIG_USB_EHCI_ROOT_HUB_TT=y
# CONFIG_USB_EHCI_TT_NEWSCHED is not set
# CONFIG_USB_OXU210HP_HCD is not set
CONFIG_USB_ISP116X_HCD=m
CONFIG_USB_ISP1760_HCD=m
CONFIG_USB_OHCI_HCD=m
# CONFIG_USB_OHCI_HCD_SSB is not set
# CONFIG_USB_OHCI_BIG_ENDIAN_DESC is not set
# CONFIG_USB_OHCI_BIG_ENDIAN_MMIO is not set
CONFIG_USB_OHCI_LITTLE_ENDIAN=y
CONFIG_USB_UHCI_HCD=m
CONFIG_USB_SL811_HCD=m
CONFIG_USB_R8A66597_HCD=m
# CONFIG_USB_WHCI_HCD is not set
# CONFIG_USB_HWA_HCD is not set

#
# USB Device Class drivers
#
# CONFIG_USB_ACM is not set
CONFIG_USB_PRINTER=y
# CONFIG_USB_WDM is not set
# CONFIG_USB_TMC is not set

#
# NOTE: USB_STORAGE depends on SCSI but BLK_DEV_SD may also be needed;
#

#
# see USB_STORAGE Help for more information
#
CONFIG_USB_STORAGE=y
# CONFIG_USB_STORAGE_DEBUG is not set
# CONFIG_USB_STORAGE_DATAFAB is not set
# CONFIG_USB_STORAGE_FREECOM is not set
# CONFIG_USB_STORAGE_ISD200 is not set
# CONFIG_USB_STORAGE_USBAT is not set
# CONFIG_USB_STORAGE_SDDR09 is not set
# CONFIG_USB_STORAGE_SDDR55 is not set
# CONFIG_USB_STORAGE_JUMPSHOT is not set
# CONFIG_USB_STORAGE_ALAUDA is not set
# CONFIG_USB_STORAGE_ONETOUCH is not set
# CONFIG_USB_STORAGE_KARMA is not set
# CONFIG_USB_STORAGE_CYPRESS_ATACB is not set
CONFIG_USB_LIBUSUAL=y

#
# USB Imaging devices
#
# CONFIG_USB_MDC800 is not set
# CONFIG_USB_MICROTEK is not set

#
# USB port drivers
#
# CONFIG_USB_SERIAL is not set

#
# USB Miscellaneous drivers
#
# CONFIG_USB_EMI62 is not set
# CONFIG_USB_EMI26 is not set
# CONFIG_USB_ADUTUX is not set
# CONFIG_USB_SEVSEG is not set
# CONFIG_USB_RIO500 is not set
# CONFIG_USB_LEGOTOWER is not set
# CONFIG_USB_LCD is not set
# CONFIG_USB_BERRY_CHARGE is not set
# CONFIG_USB_LED is not set
# CONFIG_USB_CYPRESS_CY7C63 is not set
# CONFIG_USB_CYTHERM is not set
# CONFIG_USB_PHIDGET is not set
# CONFIG_USB_IDMOUSE is not set
# CONFIG_USB_FTDI_ELAN is not set
# CONFIG_USB_APPLEDISPLAY is not set
# CONFIG_USB_SISUSBVGA is not set
# CONFIG_USB_LD is not set
# CONFIG_USB_TRANCEVIBRATOR is not set
# CONFIG_USB_IOWARRIOR is not set
# CONFIG_USB_TEST is not set
# CONFIG_USB_ISIGHTFW is not set
# CONFIG_USB_VST is not set
# CONFIG_USB_GADGET is not set

#
# OTG and related infrastructure
#
# CONFIG_UWB is not set
# CONFIG_MMC is not set
# CONFIG_MEMSTICK is not set
# CONFIG_NEW_LEDS is not set
# CONFIG_ACCESSIBILITY is not set
# CONFIG_INFINIBAND is not set
# CONFIG_EDAC is not set
CONFIG_RTC_LIB=y
CONFIG_RTC_CLASS=y
# CONFIG_RTC_HCTOSYS is not set
# CONFIG_RTC_DEBUG is not set

#
# RTC interfaces
#
CONFIG_RTC_INTF_SYSFS=y
CONFIG_RTC_INTF_PROC=y
CONFIG_RTC_INTF_DEV=y
# CONFIG_RTC_INTF_DEV_UIE_EMUL is not set
# CONFIG_RTC_DRV_TEST is not set

#
# I2C RTC drivers
#
# CONFIG_RTC_DRV_DS1307 is not set
# CONFIG_RTC_DRV_DS1374 is not set
# CONFIG_RTC_DRV_DS1672 is not set
# CONFIG_RTC_DRV_MAX6900 is not set
# CONFIG_RTC_DRV_RS5C372 is not set
# CONFIG_RTC_DRV_ISL1208 is not set
# CONFIG_RTC_DRV_X1205 is not set
# CONFIG_RTC_DRV_PCF8563 is not set
# CONFIG_RTC_DRV_PCF8583 is not set
# CONFIG_RTC_DRV_M41T80 is not set
# CONFIG_RTC_DRV_S35390A is not set
# CONFIG_RTC_DRV_FM3130 is not set
# CONFIG_RTC_DRV_RX8581 is not set

#
# SPI RTC drivers
#

#
# Platform RTC drivers
#
CONFIG_RTC_DRV_CMOS=y
# CONFIG_RTC_DRV_DS1286 is not set
# CONFIG_RTC_DRV_DS1511 is not set
# CONFIG_RTC_DRV_DS1553 is not set
# CONFIG_RTC_DRV_DS1742 is not set
# CONFIG_RTC_DRV_STK17TA8 is not set
# CONFIG_RTC_DRV_M48T86 is not set
# CONFIG_RTC_DRV_M48T35 is not set
# CONFIG_RTC_DRV_M48T59 is not set
# CONFIG_RTC_DRV_BQ4802 is not set
# CONFIG_RTC_DRV_V3020 is not set

#
# on-CPU RTC drivers
#
# CONFIG_DMADEVICES is not set
# CONFIG_UIO is not set
# CONFIG_STAGING is not set
CONFIG_X86_PLATFORM_DEVICES=y
# CONFIG_ASUS_LAPTOP is not set
# CONFIG_TC1100_WMI is not set
# CONFIG_SONY_LAPTOP is not set
# CONFIG_THINKPAD_ACPI is not set
# CONFIG_INTEL_MENLOW is not set
# CONFIG_EEEPC_LAPTOP is not set
# CONFIG_ACPI_WMI is not set
# CONFIG_ACPI_ASUS is not set
# CONFIG_ACPI_TOSHIBA is not set

#
# Firmware Drivers
#
# CONFIG_EDD is not set
CONFIG_FIRMWARE_MEMMAP=y
CONFIG_EFI_VARS=y
# CONFIG_DELL_RBU is not set
# CONFIG_DCDBAS is not set
CONFIG_DMIID=y
CONFIG_ISCSI_IBFT_FIND=y
CONFIG_ISCSI_IBFT=y

#
# File systems
#
CONFIG_EXT2_FS=y
CONFIG_EXT2_FS_XATTR=y
CONFIG_EXT2_FS_POSIX_ACL=y
CONFIG_EXT2_FS_SECURITY=y
# CONFIG_EXT2_FS_XIP is not set
CONFIG_EXT3_FS=y
CONFIG_EXT3_FS_XATTR=y
CONFIG_EXT3_FS_POSIX_ACL=y
CONFIG_EXT3_FS_SECURITY=y
CONFIG_EXT4_FS=y
# CONFIG_EXT4DEV_COMPAT is not set
CONFIG_EXT4_FS_XATTR=y
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_EXT4_FS_SECURITY=y
CONFIG_JBD=y
# CONFIG_JBD_DEBUG is not set
CONFIG_JBD2=y
# CONFIG_JBD2_DEBUG is not set
CONFIG_FS_MBCACHE=y
# CONFIG_REISERFS_FS is not set
# CONFIG_JFS_FS is not set
CONFIG_FS_POSIX_ACL=y
CONFIG_FILE_LOCKING=y
# CONFIG_XFS_FS is not set
# CONFIG_GFS2_FS is not set
# CONFIG_OCFS2_FS is not set
# CONFIG_BTRFS_FS is not set
CONFIG_DNOTIFY=y
CONFIG_INOTIFY=y
CONFIG_INOTIFY_USER=y
CONFIG_QUOTA=y
CONFIG_QUOTA_NETLINK_INTERFACE=y
# CONFIG_PRINT_QUOTA_WARNING is not set
CONFIG_QUOTA_TREE=y
# CONFIG_QFMT_V1 is not set
CONFIG_QFMT_V2=y
CONFIG_QUOTACTL=y
# CONFIG_AUTOFS_FS is not set
CONFIG_AUTOFS4_FS=y
# CONFIG_FUSE_FS is not set
CONFIG_GENERIC_ACL=y

#
# CD-ROM/DVD Filesystems
#
CONFIG_ISO9660_FS=y
CONFIG_JOLIET=y
CONFIG_ZISOFS=y
CONFIG_UDF_FS=y
CONFIG_UDF_NLS=y

#
# DOS/FAT/NT Filesystems
#
# CONFIG_MSDOS_FS is not set
# CONFIG_VFAT_FS is not set
# CONFIG_NTFS_FS is not set

#
# Pseudo filesystems
#
CONFIG_PROC_FS=y
CONFIG_PROC_KCORE=y
CONFIG_PROC_SYSCTL=y
CONFIG_PROC_PAGE_MONITOR=y
CONFIG_SYSFS=y
CONFIG_TMPFS=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_HUGETLBFS=y
CONFIG_HUGETLB_PAGE=y
# CONFIG_CONFIGFS_FS is not set
CONFIG_MISC_FILESYSTEMS=y
# CONFIG_ADFS_FS is not set
# CONFIG_AFFS_FS is not set
# CONFIG_ECRYPT_FS is not set
# CONFIG_HFS_FS is not set
# CONFIG_HFSPLUS_FS is not set
# CONFIG_BEFS_FS is not set
# CONFIG_BFS_FS is not set
# CONFIG_EFS_FS is not set
# CONFIG_CRAMFS is not set
# CONFIG_SQUASHFS is not set
# CONFIG_VXFS_FS is not set
# CONFIG_MINIX_FS is not set
# CONFIG_OMFS_FS is not set
# CONFIG_HPFS_FS is not set
# CONFIG_QNX4FS_FS is not set
# CONFIG_ROMFS_FS is not set
# CONFIG_SYSV_FS is not set
# CONFIG_UFS_FS is not set
# CONFIG_NETWORK_FILESYSTEMS is not set

#
# Partition Types
#
CONFIG_PARTITION_ADVANCED=y
# CONFIG_ACORN_PARTITION is not set
CONFIG_OSF_PARTITION=y
CONFIG_AMIGA_PARTITION=y
# CONFIG_ATARI_PARTITION is not set
CONFIG_MAC_PARTITION=y
CONFIG_MSDOS_PARTITION=y
CONFIG_BSD_DISKLABEL=y
CONFIG_MINIX_SUBPARTITION=y
CONFIG_SOLARIS_X86_PARTITION=y
CONFIG_UNIXWARE_DISKLABEL=y
# CONFIG_LDM_PARTITION is not set
CONFIG_SGI_PARTITION=y
# CONFIG_ULTRIX_PARTITION is not set
CONFIG_SUN_PARTITION=y
CONFIG_KARMA_PARTITION=y
CONFIG_EFI_PARTITION=y
# CONFIG_SYSV68_PARTITION is not set
CONFIG_NLS=y
CONFIG_NLS_DEFAULT="utf8"
CONFIG_NLS_CODEPAGE_437=y
# CONFIG_NLS_CODEPAGE_737 is not set
# CONFIG_NLS_CODEPAGE_775 is not set
# CONFIG_NLS_CODEPAGE_850 is not set
# CONFIG_NLS_CODEPAGE_852 is not set
# CONFIG_NLS_CODEPAGE_855 is not set
# CONFIG_NLS_CODEPAGE_857 is not set
# CONFIG_NLS_CODEPAGE_860 is not set
# CONFIG_NLS_CODEPAGE_861 is not set
# CONFIG_NLS_CODEPAGE_862 is not set
# CONFIG_NLS_CODEPAGE_863 is not set
# CONFIG_NLS_CODEPAGE_864 is not set
# CONFIG_NLS_CODEPAGE_865 is not set
# CONFIG_NLS_CODEPAGE_866 is not set
# CONFIG_NLS_CODEPAGE_869 is not set
# CONFIG_NLS_CODEPAGE_936 is not set
# CONFIG_NLS_CODEPAGE_950 is not set
# CONFIG_NLS_CODEPAGE_932 is not set
# CONFIG_NLS_CODEPAGE_949 is not set
# CONFIG_NLS_CODEPAGE_874 is not set
# CONFIG_NLS_ISO8859_8 is not set
# CONFIG_NLS_CODEPAGE_1250 is not set
# CONFIG_NLS_CODEPAGE_1251 is not set
CONFIG_NLS_ASCII=y
CONFIG_NLS_ISO8859_1=y
# CONFIG_NLS_ISO8859_2 is not set
# CONFIG_NLS_ISO8859_3 is not set
# CONFIG_NLS_ISO8859_4 is not set
# CONFIG_NLS_ISO8859_5 is not set
# CONFIG_NLS_ISO8859_6 is not set
# CONFIG_NLS_ISO8859_7 is not set
# CONFIG_NLS_ISO8859_9 is not set
# CONFIG_NLS_ISO8859_13 is not set
# CONFIG_NLS_ISO8859_14 is not set
# CONFIG_NLS_ISO8859_15 is not set
# CONFIG_NLS_KOI8_R is not set
# CONFIG_NLS_KOI8_U is not set
CONFIG_NLS_UTF8=y
# CONFIG_DLM is not set

#
# Kernel hacking
#
CONFIG_TRACE_IRQFLAGS_SUPPORT=y
# CONFIG_PRINTK_TIME is not set
# CONFIG_ENABLE_WARN_DEPRECATED is not set
# CONFIG_ENABLE_MUST_CHECK is not set
CONFIG_FRAME_WARN=2048
CONFIG_MAGIC_SYSRQ=y
# CONFIG_UNUSED_SYMBOLS is not set
CONFIG_DEBUG_FS=y
# CONFIG_HEADERS_CHECK is not set
# CONFIG_DEBUG_KERNEL is not set
CONFIG_DEBUG_BUGVERBOSE=y
CONFIG_DEBUG_MEMORY_INIT=y
CONFIG_ARCH_WANT_FRAME_POINTERS=y
CONFIG_FRAME_POINTER=y
# CONFIG_RCU_CPU_STALL_DETECTOR is not set
# CONFIG_LATENCYTOP is not set
# CONFIG_SYSCTL_SYSCALL_CHECK is not set
CONFIG_USER_STACKTRACE_SUPPORT=y
CONFIG_HAVE_FUNCTION_TRACER=y
CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
CONFIG_HAVE_FUNCTION_TRACE_MCOUNT_TEST=y
CONFIG_HAVE_DYNAMIC_FTRACE=y
CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y

#
# Tracers
#
# CONFIG_SYSPROF_TRACER is not set
# CONFIG_PROVIDE_OHCI1394_DMA_INIT is not set
# CONFIG_DYNAMIC_PRINTK_DEBUG is not set
# CONFIG_SAMPLES is not set
CONFIG_HAVE_ARCH_KGDB=y
# CONFIG_STRICT_DEVMEM is not set
# CONFIG_X86_VERBOSE_BOOTUP is not set
CONFIG_EARLY_PRINTK=y
# CONFIG_EARLY_PRINTK_DBGP is not set
# CONFIG_4KSTACKS is not set
CONFIG_DOUBLEFAULT=y
CONFIG_HAVE_MMIOTRACE_SUPPORT=y
CONFIG_IO_DELAY_TYPE_0X80=0
CONFIG_IO_DELAY_TYPE_0XED=1
CONFIG_IO_DELAY_TYPE_UDELAY=2
CONFIG_IO_DELAY_TYPE_NONE=3
CONFIG_IO_DELAY_0X80=y
# CONFIG_IO_DELAY_0XED is not set
# CONFIG_IO_DELAY_UDELAY is not set
# CONFIG_IO_DELAY_NONE is not set
CONFIG_DEFAULT_IO_DELAY_TYPE=0
CONFIG_OPTIMIZE_INLINING=y

#
# Security options
#
CONFIG_KEYS=y
# CONFIG_KEYS_DEBUG_PROC_KEYS is not set
CONFIG_SECURITY=y
# CONFIG_SECURITYFS is not set
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_NETWORK_XFRM=y
# CONFIG_SECURITY_PATH is not set
CONFIG_SECURITY_FILE_CAPABILITIES=y
# CONFIG_SECURITY_ROOTPLUG is not set
CONFIG_SECURITY_DEFAULT_MMAP_MIN_ADDR=65536
CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# CONFIG_SECURITY_SELINUX_DISABLE is not set
# CONFIG_SECURITY_SELINUX_DEVELOP is not set
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
# CONFIG_SECURITY_SMACK is not set
CONFIG_XOR_BLOCKS=y
CONFIG_ASYNC_CORE=y
CONFIG_ASYNC_MEMCPY=y
CONFIG_ASYNC_XOR=y
CONFIG_CRYPTO=y

#
# Crypto core or helper
#
CONFIG_CRYPTO_FIPS=y
CONFIG_CRYPTO_ALGAPI=y
CONFIG_CRYPTO_ALGAPI2=y
CONFIG_CRYPTO_AEAD=y
CONFIG_CRYPTO_AEAD2=y
CONFIG_CRYPTO_BLKCIPHER=y
CONFIG_CRYPTO_BLKCIPHER2=y
CONFIG_CRYPTO_HASH=y
CONFIG_CRYPTO_HASH2=y
CONFIG_CRYPTO_RNG=y
CONFIG_CRYPTO_RNG2=y
CONFIG_CRYPTO_MANAGER=y
CONFIG_CRYPTO_MANAGER2=y
CONFIG_CRYPTO_GF128MUL=y
CONFIG_CRYPTO_NULL=y
# CONFIG_CRYPTO_CRYPTD is not set
CONFIG_CRYPTO_AUTHENC=y
# CONFIG_CRYPTO_TEST is not set

#
# Authenticated Encryption with Associated Data
#
CONFIG_CRYPTO_CCM=y
CONFIG_CRYPTO_GCM=y
CONFIG_CRYPTO_SEQIV=y

#
# Block modes
#
CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_CTR=y
CONFIG_CRYPTO_CTS=y
CONFIG_CRYPTO_ECB=y
# CONFIG_CRYPTO_LRW is not set
CONFIG_CRYPTO_PCBC=y
# CONFIG_CRYPTO_XTS is not set

#
# Hash modes
#
CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_XCBC=y

#
# Digest
#
CONFIG_CRYPTO_CRC32C=y
CONFIG_CRYPTO_CRC32C_INTEL=y
CONFIG_CRYPTO_MD4=y
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_MICHAEL_MIC=y
CONFIG_CRYPTO_RMD128=y
CONFIG_CRYPTO_RMD160=y
CONFIG_CRYPTO_RMD256=y
CONFIG_CRYPTO_RMD320=y
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_SHA256=y
CONFIG_CRYPTO_SHA512=y
CONFIG_CRYPTO_TGR192=y
CONFIG_CRYPTO_WP512=y

#
# Ciphers
#
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_AES_586=y
CONFIG_CRYPTO_ANUBIS=y
CONFIG_CRYPTO_ARC4=y
CONFIG_CRYPTO_BLOWFISH=y
CONFIG_CRYPTO_CAMELLIA=y
CONFIG_CRYPTO_CAST5=y
CONFIG_CRYPTO_CAST6=y
CONFIG_CRYPTO_DES=y
CONFIG_CRYPTO_FCRYPT=y
CONFIG_CRYPTO_KHAZAD=y
# CONFIG_CRYPTO_SALSA20 is not set
# CONFIG_CRYPTO_SALSA20_586 is not set
CONFIG_CRYPTO_SEED=y
CONFIG_CRYPTO_SERPENT=y
CONFIG_CRYPTO_TEA=y
CONFIG_CRYPTO_TWOFISH=y
CONFIG_CRYPTO_TWOFISH_COMMON=y
CONFIG_CRYPTO_TWOFISH_586=y

#
# Compression
#
CONFIG_CRYPTO_DEFLATE=y
CONFIG_CRYPTO_LZO=y

#
# Random Number Generation
#
CONFIG_CRYPTO_ANSI_CPRNG=y
CONFIG_CRYPTO_HW=y
CONFIG_CRYPTO_DEV_PADLOCK=m
CONFIG_CRYPTO_DEV_PADLOCK_AES=m
CONFIG_CRYPTO_DEV_PADLOCK_SHA=m
CONFIG_CRYPTO_DEV_GEODE=m
CONFIG_CRYPTO_DEV_HIFN_795X=m
CONFIG_CRYPTO_DEV_HIFN_795X_RNG=y
CONFIG_HAVE_KVM=y
CONFIG_HAVE_KVM_IRQCHIP=y
CONFIG_VIRTUALIZATION=y
# CONFIG_KVM is not set
CONFIG_VIRTIO=y
CONFIG_VIRTIO_RING=y
CONFIG_VIRTIO_PCI=y
CONFIG_VIRTIO_BALLOON=y

#
# Library routines
#
CONFIG_BITREVERSE=y
CONFIG_GENERIC_FIND_FIRST_BIT=y
CONFIG_GENERIC_FIND_NEXT_BIT=y
CONFIG_GENERIC_FIND_LAST_BIT=y
CONFIG_CRC_CCITT=y
CONFIG_CRC16=y
CONFIG_CRC_T10DIF=y
CONFIG_CRC_ITU_T=y
CONFIG_CRC32=y
CONFIG_CRC7=y
CONFIG_LIBCRC32C=y
CONFIG_AUDIT_GENERIC=y
CONFIG_ZLIB_INFLATE=y
CONFIG_ZLIB_DEFLATE=y
CONFIG_LZO_COMPRESS=y
CONFIG_LZO_DECOMPRESS=y
CONFIG_PLIST=y
CONFIG_HAS_IOMEM=y
CONFIG_HAS_IOPORT=y
CONFIG_HAS_DMA=y

[-- Attachment #1.3: trace1 --]
[-- Type: text/plain, Size: 5487 bytes --]

execve("/usr/sbin/load_policy", ["load_policy", "-i"], [/* 16 vars */]) = 0
brk(0)                                  = 0x9603000
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f49000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=9017, ...}) = 0
mmap2(NULL, 9017, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f46000
close(3)                                = 0
open("/lib/libsepol.so.1", O_RDONLY)    = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\00000\0\0004\0\0\0\270"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=297134, ...}) = 0
mmap2(NULL, 256672, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7f07000
mmap2(0xb7f45000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3e) = 0xb7f45000
close(3)                                = 0
open("/lib/libselinux.so.1", O_RDONLY)  = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\240?\0\0004\0\0\0\374"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=128440, ...}) = 0
mmap2(NULL, 109480, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7eec000
mmap2(0xb7f05000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x18) = 0xb7f05000
close(3)                                = 0
open("/lib/libc.so.6", O_RDONLY)        = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220k\1\0004\0\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1623650, ...}) = 0
mmap2(NULL, 1399048, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7d96000
mmap2(0xb7ee6000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x150) = 0xb7ee6000
mmap2(0xb7ee9000, 10504, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7ee9000
close(3)                                = 0
open("/lib/libdl.so.2", O_RDONLY)       = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@\n\0\0004\0\0\0h"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=17583, ...}) = 0
mmap2(NULL, 12408, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7d92000
mmap2(0xb7d94000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2) = 0xb7d94000
close(3)                                = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7d91000
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7d90000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7d90720, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
mprotect(0xb7d94000, 4096, PROT_READ)   = 0
mprotect(0xb7ee6000, 8192, PROT_READ)   = 0
mprotect(0xb7f05000, 4096, PROT_READ)   = 0
mprotect(0xb7f68000, 4096, PROT_READ)   = 0
munmap(0xb7f46000, 9017)                = 0
brk(0)                                  = 0x9603000
brk(0x9624000)                          = 0x9624000
open("/etc/selinux/config", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=62, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f48000
read(3, "SELINUX=permissive\nSELINUXTYPE=ea"..., 4096) = 62
read(3, ""..., 4096)                    = 0
close(3)                                = 0
munmap(0xb7f48000, 4096)                = 0
statfs64("/selinux", 84, {f_type=0xf97cff8c, f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0
stat64("/selinux/class", {st_mode=S_IFDIR|0555, st_size=0, ...}) = 0
open("/selinux/mls", O_RDONLY|O_LARGEFILE) = 3
read(3, "0"..., 19)                     = 1
close(3)                                = 0
gettid()                                = 1154
open("/proc/self/task/1154/attr/current", O_RDONLY|O_LARGEFILE) = 3
read(3, "kernel\0"..., 4095)            = 7
close(3)                                = 0
open("/etc/selinux/config", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=62, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f48000
read(3, "SELINUX=permissive\nSELINUXTYPE=ea"..., 4096) = 62
read(3, ""..., 4096)                    = 0
close(3)                                = 0
munmap(0xb7f48000, 4096)                = 0
open("/etc/selinux/config", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=62, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f48000
read(3, "SELINUX=permissive\nSELINUXTYPE=ea"..., 4096) = 62
close(3)                                = 0
munmap(0xb7f48000, 4096)                = 0
mount("none", "/proc", "proc", 0, NULL) = -1 EBUSY (Device or resource busy)
open("/proc/cmdline", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f48000
read(3, "BOOT_IMAGE=EasyLFS ro enforcing=0"..., 1024) = 41
close(3)                                = 0
munmap(0xb7f48000, 4096)                = 0
mount("none", "/selinux", "selinuxfs", 0, NULL) = -1 EBUSY (Device or resource busy)
write(2, "Mount failed for selinuxfs on /se"..., 65Mount failed for selinuxfs on /selinux:  Device or resource busy
) = 65
write(2, "load_policy:  Can't load policy: "..., 58load_policy:  Can't load policy:  Device or resource busy
) = 58
exit_group(2)                           = ?

[-- Attachment #1.4: trace2 --]
[-- Type: text/plain, Size: 6206 bytes --]

execve("/usr/sbin/load_policy", ["load_policy", "-i"], [/* 16 vars */]) = 0
brk(0)                                  = 0x85de000
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f42000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=9017, ...}) = 0
mmap2(NULL, 9017, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f3f000
close(3)                                = 0
open("/lib/libsepol.so.1", O_RDONLY)    = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\00000\0\0004\0\0\0\270"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=297134, ...}) = 0
mmap2(NULL, 256672, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7f00000
mmap2(0xb7f3e000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3e) = 0xb7f3e000
close(3)                                = 0
open("/lib/libselinux.so.1", O_RDONLY)  = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\240?\0\0004\0\0\0\374"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=128440, ...}) = 0
mmap2(NULL, 109480, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7ee5000
mmap2(0xb7efe000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x18) = 0xb7efe000
close(3)                                = 0
open("/lib/libc.so.6", O_RDONLY)        = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220k\1\0004\0\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1623650, ...}) = 0
mmap2(NULL, 1399048, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7d8f000
mmap2(0xb7edf000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x150) = 0xb7edf000
mmap2(0xb7ee2000, 10504, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7ee2000
close(3)                                = 0
open("/lib/libdl.so.2", O_RDONLY)       = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@\n\0\0004\0\0\0h"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=17583, ...}) = 0
mmap2(NULL, 12408, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7d8b000
mmap2(0xb7d8d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2) = 0xb7d8d000
close(3)                                = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7d8a000
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7d89000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7d89720, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
mprotect(0xb7d8d000, 4096, PROT_READ)   = 0
mprotect(0xb7edf000, 8192, PROT_READ)   = 0
mprotect(0xb7efe000, 4096, PROT_READ)   = 0
mprotect(0xb7f61000, 4096, PROT_READ)   = 0
munmap(0xb7f3f000, 9017)                = 0
brk(0)                                  = 0x85de000
brk(0x85ff000)                          = 0x85ff000
open("/etc/selinux/config", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=62, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f41000
read(3, "SELINUX=permissive\nSELINUXTYPE=ea"..., 4096) = 62
read(3, ""..., 4096)                    = 0
close(3)                                = 0
munmap(0xb7f41000, 4096)                = 0
statfs64("/selinux", 84, {f_type="EXT2_SUPER_MAGIC", f_bsize=4096, f_blocks=1804616, f_bfree=1306082, f_bavail=1214412, f_files=458752, f_ffree=385326, f_fsid={1295833611, -634315345}, f_namelen=255, f_frsize=4096}) = 0
open("/proc/mounts", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f41000
read(3, "rootfs / rootfs rw 0 0\n/dev/root "..., 1024) = 321
read(3, ""..., 1024)                    = 0
close(3)                                = 0
munmap(0xb7f41000, 4096)                = 0
open("/proc/filesystems", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f41000
read(3, "nodev\tsysfs\nnodev\trootfs\nnodev\tbd"..., 1024) = 279
gettid()                                = 1164
open("/proc/self/task/1164/attr/current", O_RDONLY|O_LARGEFILE) = 4
read(4, "kernel\0"..., 4095)            = 7
close(4)                                = 0
close(3)                                = 0
munmap(0xb7f41000, 4096)                = 0
open("/etc/selinux/config", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=62, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f41000
read(3, "SELINUX=permissive\nSELINUXTYPE=ea"..., 4096) = 62
read(3, ""..., 4096)                    = 0
close(3)                                = 0
munmap(0xb7f41000, 4096)                = 0
open("/etc/selinux/config", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=62, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f41000
read(3, "SELINUX=permissive\nSELINUXTYPE=ea"..., 4096) = 62
close(3)                                = 0
munmap(0xb7f41000, 4096)                = 0
mount("none", "/proc", "proc", 0, NULL) = -1 EBUSY (Device or resource busy)
open("/proc/cmdline", O_RDONLY|O_LARGEFILE) = 3
fstat64(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f41000
read(3, "BOOT_IMAGE=EasyLFS ro enforcing=0"..., 1024) = 41
close(3)                                = 0
munmap(0xb7f41000, 4096)                = 0
mount("none", "/selinux", "selinuxfs", 0, NULL) = 0
open("/selinux/enforce", O_RDONLY|O_LARGEFILE) = 3
read(3, "1"..., 19)                     = 1
close(3)                                = 0
open("/selinux/enforce", O_RDWR|O_LARGEFILE) = 3
write(3, "0"..., 1)                     = -1 EINVAL (Invalid argument)
close(3)                                = 0
write(2, "load_policy:  Can't load policy: "..., 51load_policy:  Can't load policy:  Invalid argument
) = 51
exit_group(2)                           = ?


^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: Policy loading problem
  2009-05-20 14:57                         ` Dennis Wronka
@ 2009-05-20 14:59                           ` Stephen Smalley
  2009-05-20 15:22                             ` Dennis Wronka
  2009-05-20 15:44                             ` Dennis Wronka
  2009-05-20 15:10                           ` Stephen Smalley
  1 sibling, 2 replies; 26+ messages in thread
From: Stephen Smalley @ 2009-05-20 14:59 UTC (permalink / raw)
  To: Dennis Wronka; +Cc: SELinux

On Wed, 2009-05-20 at 22:57 +0800, Dennis Wronka wrote:
> Okay, here we go:
> 
> I unmounted /selinux and then got this:
> load_policy: Can't load policy: Invalid argument
> 
> I attached my kernel-config and the two traces (trace1 for the "Device or 
> resource busy"-error, trace2 for the "Invalid argument"-error).

Ahem.  Your kernel config has these SELinux options:
CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# CONFIG_SECURITY_SELINUX_DISABLE is not set
# CONFIG_SECURITY_SELINUX_DEVELOP is not set
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
# CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set

Note that your kernel config does not support:
1) The selinux= kernel boot parameter
(CONFIG_SECURITY_SELINUX_BOOTPARAM),
2) The ability to disable SELinux from /sbin/init based on
SELINUX=disabled in /etc/selinux/config
(CONFIG_SECURITY_SELINUX_DISABLE),
3) Permissive mode (CONFIG_SECURITY_SELINUX_DEVELOP)

Is that what you intended?  IOW, you cannot boot permissive, and the
load policy logic is failing when it tries to switch to permissive mode
(write to /selinux/enforce).

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

^ permalink raw reply	[flat|nested] 26+ messages in thread
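
The mismatch diagnosed in the message above, as an added example (not part of the thread and not libselinux code): a Python check that parses a kernel .config, /etc/selinux/config and the kernel command line, and reports mode requests the kernel build cannot honour. The function names, finding codes, sample inputs, the default mode and the rule that enforcing= overrides SELINUX= are assumptions of this example.

```python
"""Audit whether the SELinux mode a system asks for is reachable with the
kernel it boots. Added example; all sample inputs below are constructed."""
import re

KCONFIG_SET = re.compile(r"(CONFIG_\w+)=(.*)")
KCONFIG_UNSET = re.compile(r"# (CONFIG_\w+) is not set")


def parse_kconfig(text):
    """Return {symbol: value}; '# CONFIG_X is not set' is recorded as 'n'."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = KCONFIG_UNSET.fullmatch(line)
        if m:
            opts[m.group(1)] = "n"
            continue
        m = KCONFIG_SET.fullmatch(line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
    return opts


def parse_selinux_config(text):
    """Parse KEY=value lines of /etc/selinux/config, skipping comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip().upper()] = value.strip()
    return conf


def parse_cmdline(text):
    """Return the key=value tokens of a kernel command line as a dict."""
    return dict(tok.split("=", 1) for tok in text.split() if "=" in tok)


def requested_mode(selinux_conf, cmdline):
    """Mode user space will ask for: 'enforcing', 'permissive' or 'disabled'.

    Assumptions of this example: a missing SELINUX= line means enforcing, and
    an enforcing= token on the command line overrides the config file.
    """
    mode = selinux_conf.get("SELINUX", "enforcing").lower()
    if mode != "disabled" and "enforcing" in cmdline:
        mode = "permissive" if cmdline["enforcing"] == "0" else "enforcing"
    return mode


def audit(kconfig_text, selinux_config_text, cmdline_text):
    """Return finding codes for requests this kernel build cannot honour."""
    kconfig = parse_kconfig(kconfig_text)
    conf = parse_selinux_config(selinux_config_text)
    cmdline = parse_cmdline(cmdline_text)

    def enabled(symbol):
        return kconfig.get(symbol) == "y"

    if not enabled("CONFIG_SECURITY_SELINUX"):
        return ["selinux-not-built"]
    findings = []
    mode = requested_mode(conf, cmdline)
    if mode == "permissive" and not enabled("CONFIG_SECURITY_SELINUX_DEVELOP"):
        # The case in the thread: writing "0" to /selinux/enforce fails.
        findings.append("permissive-unreachable")
    if mode == "disabled" and not enabled("CONFIG_SECURITY_SELINUX_DISABLE"):
        findings.append("disable-unreachable")
    if "selinux" in cmdline and not enabled("CONFIG_SECURITY_SELINUX_BOOTPARAM"):
        findings.append("bootparam-ignored")
    return findings


# Constructed sample inputs; the kernel options mirror the ones quoted above.
SAMPLE_KCONFIG = """\
CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# CONFIG_SECURITY_SELINUX_DISABLE is not set
# CONFIG_SECURITY_SELINUX_DEVELOP is not set
CONFIG_SECURITY_SELINUX_AVC_STATS=y
"""
SAMPLE_SELINUX_CONFIG = "# constructed\nSELINUX=permissive\nSELINUXTYPE=example\n"
SAMPLE_CMDLINE = "ro enforcing=0"

if __name__ == "__main__":
    for code in audit(SAMPLE_KCONFIG, SAMPLE_SELINUX_CONFIG, SAMPLE_CMDLINE):
        print(code)
```

Run against the real files (the kernel's .config, /etc/selinux/config and /proc/cmdline) before rebooting into a rebuilt kernel; an empty result means every requested mode is supported by the build.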

* Re: Policy loading problem
  2009-05-20 14:57                         ` Dennis Wronka
  2009-05-20 14:59                           ` Stephen Smalley
@ 2009-05-20 15:10                           ` Stephen Smalley
  2009-07-07 15:53                             ` Joshua Brindle
  1 sibling, 1 reply; 26+ messages in thread
From: Stephen Smalley @ 2009-05-20 15:10 UTC (permalink / raw)
  To: Dennis Wronka; +Cc: SELinux, Joshua Brindle, Chad Sellers

On Wed, 2009-05-20 at 22:57 +0800, Dennis Wronka wrote:
> Okay, here we go:
> 
> I unmounted /selinux and then got this:
> load_policy: Can't load policy: Invalid argument
> 
> I attached my kernel-config and the two traces (trace1 for the "Device or 
> resource busy"-error, trace2 for the "Invalid argument"-error).

Possible patch for libselinux to a) gracefully handle the situation
where selinuxfs is already mounted, b) report errors when switching to
permissive, and c) proceed with the policy load even if we cannot switch
to permissive mode as requested, as proceeding without a policy when the
kernel only supports enforcing mode is not desirable.

diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
index a3a28a0..a7800da 100644
--- a/libselinux/src/load_policy.c
+++ b/libselinux/src/load_policy.c
@@ -369,7 +369,7 @@ int selinux_init_load_policy(int *enforce)
 	 * Check for the existence of SELinux via selinuxfs, and 
 	 * mount it if present for use in the calls below.  
 	 */
-	if (mount("none", SELINUXMNT, "selinuxfs", 0, 0) < 0) {
+	if (mount("none", SELINUXMNT, "selinuxfs", 0, 0) < 0 && errno != EBUSY) {
 		if (errno == ENODEV) {
 			/*
 			 * SELinux was disabled in the kernel, either
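
Review bot: In the mount() condition, `errno != EBUSY` treats every EBUSY as "selinuxfs is already mounted on SELINUXMNT", but nothing confirms what is actually mounted there, and the comment above the call does not say why EBUSY is tolerated. Extend that comment to state that EBUSY means an existing mount is being reused, and consider verifying the filesystem type of SELINUXMNT before the later calls rely on it.
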
@@ -416,8 +416,11 @@ int selinux_init_load_policy(int *enforce)
 		goto noload;
 	if (orig_enforce != *enforce) {
 		rc = security_setenforce(*enforce);
-		if (rc < 0)
-			goto noload;
+		if (rc < 0) {
+			fprintf(stderr, "SELinux:  Unable to switch to %s mode:  %s\n", (*enforce ? "enforcing" : "permissive"), strerror(errno));
+			if (*enforce)
+				goto noload;
+		}
 	}
 
 	/* Load the policy. */
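
Review bot: In the new `if (rc < 0)` block, a failed switch to permissive now falls through to the policy load, but `*enforce` still holds the requested value while the mode remains `orig_enforce`, so a caller that reads `*enforce` afterwards sees a mode the kernel is not in. Consider setting `*enforce = orig_enforce` on that path, and wrap the fprintf() call, which runs well past 80 columns.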

-- 
Stephen Smalley
National Security Agency



^ permalink raw reply related	[flat|nested] 26+ messages in thread

* Re: Policy loading problem
  2009-05-20 14:59                           ` Stephen Smalley
@ 2009-05-20 15:22                             ` Dennis Wronka
  2009-05-20 15:44                             ` Dennis Wronka
  1 sibling, 0 replies; 26+ messages in thread
From: Dennis Wronka @ 2009-05-20 15:22 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux

[-- Attachment #1: Type: text/plain, Size: 1690 bytes --]

Well, I guess I must have misunderstood the development-option.
The way I thought it to work was that it provides the kernel-parameter 
enforcing=... but that I can still set SELinux to run in permissive mode 
through /etc/selinux/config
So that's not the case, right?

Just recompiled the kernel with CONFIG_SECURITY_SELINUX_DEVELOP set and now it 
seems to work.

Thanks a lot!

On Wednesday 20 May 2009 22:59:13 Stephen Smalley wrote:
> On Wed, 2009-05-20 at 22:57 +0800, Dennis Wronka wrote:
> > Okay, here we go:
> >
> > I unmounted /selinux and then got this:
> > load_policy: Can't load policy: Invalid argument
> >
> > I attached my kernel-config and the two traces (trace1 for the "Device or
> > resource busy"-error, trace2 for the "Invalid argument"-error).
>
> Ahem.  Your kernel config has these SELinux options:
> CONFIG_SECURITY_SELINUX=y
> # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
> # CONFIG_SECURITY_SELINUX_DISABLE is not set
> # CONFIG_SECURITY_SELINUX_DEVELOP is not set
> CONFIG_SECURITY_SELINUX_AVC_STATS=y
> CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
> # CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
>
> Note that your kernel config does not support:
> 1) The selinux= kernel boot parameter
> (CONFIG_SECURITY_SELINUX_BOOTPARAM),
> 2) The ability to disable SELinux from /sbin/init based on
> SELINUX=disabled in /etc/selinux/config
> (CONFIG_SECURITY_SELINUX_DISABLE),
> 3) Permissive mode (CONFIG_SECURITY_SELINUX_DEVELOP)
>
> Is that what you intended?  IOW, you cannot boot permissive, and the
> load policy logic is failing when it tries to switch to permissive mode
> (write to /selinux/enforce).




^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: Policy loading problem
  2009-05-20 14:59                           ` Stephen Smalley
  2009-05-20 15:22                             ` Dennis Wronka
@ 2009-05-20 15:44                             ` Dennis Wronka
  2009-05-20 16:44                               ` Stephen Smalley
  1 sibling, 1 reply; 26+ messages in thread
From: Dennis Wronka @ 2009-05-20 15:44 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SELinux

[-- Attachment #1: Type: text/plain, Size: 1786 bytes --]

Just an idea:
Wouldn't it be possible to split CONFIG_SECURITY_SELINUX_DEVELOP into two 
options, pretty much like CONFIG_SECURITY_SELINUX_BOOTPARAM and 
CONFIG_SECURITY_SELINUX_DISABLE?

I like the idea because it would prevent somebody that has physical access from 
setting SELinux to permissive (and thus practically disabling its protection) on 
boot, but still keep the option for root (either as sysadm_r or, preferably, 
as secadm_r) to switch to permissive mode after boot.

On Wednesday 20 May 2009 22:59:13 Stephen Smalley wrote:
> On Wed, 2009-05-20 at 22:57 +0800, Dennis Wronka wrote:
> > Okay, here we go:
> >
> > I unmounted /selinux and then got this:
> > load_policy: Can't load policy: Invalid argument
> >
> > I attached my kernel-config and the two traces (trace1 for the "Device or
> > resource busy"-error, trace2 for the "Invalid argument"-error).
>
> Ahem.  Your kernel config has these SELinux options:
> CONFIG_SECURITY_SELINUX=y
> # CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
> # CONFIG_SECURITY_SELINUX_DISABLE is not set
> # CONFIG_SECURITY_SELINUX_DEVELOP is not set
> CONFIG_SECURITY_SELINUX_AVC_STATS=y
> CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
> # CONFIG_SECURITY_SELINUX_POLICYDB_VERSION_MAX is not set
>
> Note that your kernel config does not support:
> 1) The selinux= kernel boot parameter
> (CONFIG_SECURITY_SELINUX_BOOTPARAM),
> 2) The ability to disable SELinux from /sbin/init based on
> SELINUX=disabled in /etc/selinux/config
> (CONFIG_SECURITY_SELINUX_DISABLE),
> 3) Permissive mode (CONFIG_SECURITY_SELINUX_DEVELOP)
>
> Is that what you intended?  IOW, you cannot boot permissive, and the
> load policy logic is failing when it tries to switch to permissive mode
> (write to /selinux/enforce).




^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: Policy loading problem
  2009-05-20 15:44                             ` Dennis Wronka
@ 2009-05-20 16:44                               ` Stephen Smalley
  2009-05-20 21:01                                 ` Paul Howarth
  0 siblings, 1 reply; 26+ messages in thread
From: Stephen Smalley @ 2009-05-20 16:44 UTC (permalink / raw)
  To: Dennis Wronka; +Cc: SELinux

On Wed, 2009-05-20 at 23:44 +0800, Dennis Wronka wrote:
> Just an idea:
> Wouldn't it be possible to split CONFIG_SECURITY_SELINUX_DEVELOP into two 
> options, pretty much like CONFIG_SECURITY_SELINUX_BOOTPARAM and 
> CONFIG_SECURITY_SELINUX_DISABLE?
> 
> I like the idea because it would prevent somebody that has physical access to 
> set SELinux to permissive (and thus practically disabling its protection) on 
> boot, but still keep the option for root (either as sysadm_r or, preferably, 
> as secadm_r) to switch to permissive mode after boot.

Possible, yes.  Useful, I don't think so.  If you want to prevent users
with physical access from specifying selinux=0 or enforcing=0, then use
a grub password (and more, if you are really concerned about physical
access).

A more likely scenario is that people want to be able to boot permissive
without being able to switch to permissive at runtime.  But that can be
enforced by not allowing setenforce permission to any domain in your
policy.

-- 
Stephen Smalley
National Security Agency



^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: Policy loading problem
  2009-05-20 16:44                               ` Stephen Smalley
@ 2009-05-20 21:01                                 ` Paul Howarth
  0 siblings, 0 replies; 26+ messages in thread
From: Paul Howarth @ 2009-05-20 21:01 UTC (permalink / raw)
  To: SELinux

On Wed, 20 May 2009 12:44:48 -0400
Stephen Smalley <sds@tycho.nsa.gov> wrote:

> On Wed, 2009-05-20 at 23:44 +0800, Dennis Wronka wrote:
> > Just an idea:
> > Wouldn't it be possible to split CONFIG_SECURITY_SELINUX_DEVELOP
> > into two options, pretty much like
> > CONFIG_SECURITY_SELINUX_BOOTPARAM and
> > CONFIG_SECURITY_SELINUX_DISABLE?
> > 
> > I like the idea because it would prevent somebody that has physical
> > access to set SELinux to permissive (and thus practically disabling
> > its protection) on boot, but still keep the option for root (either
> > as sysadm_r or, preferably, as secadm_r) to switch to permissive
> > mode after boot.
> 
> Possible, yes.  Useful, I don't think so.  If you want to prevent
> users with physical access from specifying selinux=0 or enforcing=0,
> then use a grub password (and more, if you are really concerned about
> physical access).
> 
> A more likely scenario is that people want to be able to boot
> permissive without being able to switch to permissive at runtime.
> But that can be enforced by not allowing setenforce permission to any
> domain in your policy.

One might also get into a state where the system wouldn't boot in
enforcing mode due to some labelling gone wrong, so you'd want to boot
in permissive mode to fix that.

Paul.


^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: avc: denied null
  2009-05-20 11:08       ` avc: denied null Dominick Grift
@ 2009-05-21  2:36         ` Eamon Walsh
  2009-05-21 12:19           ` Dominick Grift
  2009-05-21 20:15           ` Dominick Grift
  0 siblings, 2 replies; 26+ messages in thread
From: Eamon Walsh @ 2009-05-21  2:36 UTC (permalink / raw)
  To: Dominick Grift; +Cc: Stephen Smalley, SELinux, Daniel J Walsh

[-- Attachment #1: Type: text/plain, Size: 1010 bytes --]

Dominick Grift wrote:
> On Tue, 2009-05-19 at 23:11 -0400, Eamon Walsh wrote:
>
>   
>> I found the cause of the "x_device" null avc's.  It was a bad hook call.
>>
>> I'm still stumped on the GLXMakeCurrent null avc's though.  I can't
>> reproduce the problem here running glxinfo/glxgears.  I suspect it
>> depends on the video driver / acceleration architecture being used.
>>     
>
> For what it is worth, that particular system has nvidia geforce 8600M GT and is using the proprietary blob (kmod-nvidia)
>
> Thanks
>   

If you're willing to compile the X server from source, you could apply
the attached patch and use gdb to attach to the running X server (this
has to be done over an ssh connection). 

Break on the SELinuxNullPermissionHappened function and reproduce the
GLXMakeCurrent avc; hopefully the breakpoint will fire and you can get a
backtrace.

Also there is another patch that will fix the x_device null avc's
(attached).


-- 
Eamon Walsh <ewalsh@tycho.nsa.gov>
National Security Agency


[-- Attachment #2: patch.patch --]
[-- Type: text/x-patch, Size: 1256 bytes --]

diff --git a/Xext/xselinux.c b/Xext/xselinux.c
index 3a6f096..c0b9c19 100644
--- a/Xext/xselinux.c
+++ b/Xext/xselinux.c
@@ -424,6 +424,13 @@ SELinuxTypeToClass(RESTYPE type)
     return knownTypes[type];
 }
 
+int
+SELinuxNullPermissionHappened(void)
+{
+    ErrorF("SELinux: null permission!\n");
+    return 0;
+}
+
 /*
  * Performs an SELinux permission check.
  */
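
Review bot: `SELinuxNullPermissionHappened()` is added with external linkage, no prototype, and an `int` return that is always 0 and is ignored by its only caller. Since it exists only as a breakpoint target, declare it `static void` (the `-O0` build in this patch keeps it from being inlined) and add a one-line comment saying it is a debugging aid, so it is not mistaken for part of the access check.
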
@@ -438,6 +445,9 @@ SELinuxDoCheck(SELinuxSubjectRec *subj, SELinuxObjectRec *obj,
     auditdata->command = subj->command;
     errno = 0;
 
+    if (mode == DixUnknownAccess)
+	SELinuxNullPermissionHappened();
+
     if (avc_has_perm(subj->sid, obj->sid, class, mode, &subj->aeref,
 		     auditdata) < 0) {
 	if (mode == DixUnknownAccess)
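
Review bot: The new `mode == DixUnknownAccess` test before avc_has_perm() duplicates the test already present in the failure branch just below it, and it calls ErrorF() on every such check, whether granted or denied. If only the denied case is under investigation, call the hook from the existing branch instead; otherwise add a comment saying the early placement is deliberate.
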
diff --git a/configure.ac b/configure.ac
index daddd09..5fd9cb1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1219,7 +1219,7 @@ PKG_CHECK_MODULES([XSERVERLIBS], [$REQUIRED_LIBS])
 # XSERVER_SYS_LIBS is the set of out-of-tree libraries which all servers
 # require.
 #
-XSERVER_CFLAGS="${XSERVERCFLAGS_CFLAGS} ${SHA1_CFLAGS}"
+XSERVER_CFLAGS="${XSERVERCFLAGS_CFLAGS} ${SHA1_CFLAGS} -O0 -g3"
 XSERVER_LIBS="$DIX_LIB $CONFIG_LIB $MI_LIB $OS_LIB"
 XSERVER_SYS_LIBS="${XSERVERLIBS_LIBS} ${SYS_LIBS} ${LIBS} ${SHA1_LIB}"
 AC_SUBST([XSERVER_LIBS])
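
Review bot: Appending `-O0 -g3` to XSERVER_CFLAGS in configure.ac hard-codes an unoptimized debug build for anyone who applies this patch. Keep the flags out of the tree and pass them at configure time (for example through CFLAGS), or mark this hunk clearly as not for commit.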

[-- Attachment #3: null_avc.patch --]
[-- Type: text/x-patch, Size: 1142 bytes --]

commit 3cea176d5abcb0f14eefbdcbe17fed0847524dd4
Author: Eamon Walsh <ewalsh@tycho.nsa.gov>
Date:   Tue May 19 19:30:33 2009 -0400

    xace: Fix a bad device access hook call.
    
    Add a proper access mode, and reverse the logic of the return value.
    Zero ("Success") is returned on success from the hook calls.
    
    Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>

diff --git a/dix/events.c b/dix/events.c
index 157f9a8..b3caec8 100644
--- a/dix/events.c
+++ b/dix/events.c
@@ -4088,10 +4088,10 @@ CoreFocusEvent(DeviceIntPtr dev, int type, int mode, int detail, WindowPtr pWin)
     {
         xKeymapEvent ke;
         ClientPtr client = clients[CLIENT_ID(pWin->drawable.id)];
-        if (XaceHook(XACE_DEVICE_ACCESS, client, dev, FALSE))
-            memmove((char *)&ke.map[0], (char *)&dev->key->down[1], 31);
-        else
+        if (XaceHook(XACE_DEVICE_ACCESS, client, dev, DixReadAccess))
             bzero((char *)&ke.map[0], 31);
+        else
+            memmove((char *)&ke.map[0], (char *)&dev->key->down[1], 31);
 
         ke.type = KeymapNotify;
         DeliverEventsToWindow(dev, pWin, (xEvent *)&ke, 1,
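
Review bot: The corrected test still relies on the implicit truth value of XaceHook(), which is how the two branches ended up inverted in the first place. Compare against Success explicitly, e.g. `if (XaceHook(XACE_DEVICE_ACCESS, client, dev, DixReadAccess) != Success)`, and add a short comment that the keymap is zeroed when access is denied, since the removed lines copied `dev->key->down` into the event in exactly that case.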

^ permalink raw reply related	[flat|nested] 26+ messages in thread

* Re: avc: denied null
  2009-05-21  2:36         ` Eamon Walsh
@ 2009-05-21 12:19           ` Dominick Grift
  2009-05-21 20:15           ` Dominick Grift
  1 sibling, 0 replies; 26+ messages in thread
From: Dominick Grift @ 2009-05-21 12:19 UTC (permalink / raw)
  To: Eamon Walsh; +Cc: Stephen Smalley, SELinux, Daniel J Walsh

On Wed, 2009-05-20 at 22:36 -0400, Eamon Walsh wrote:

> If you're willing to compile the X server from source, you could apply
> the attached patch and use gdb to attach to the running X server (this
> has to be done over an ssh connection). 
> 
> Break on the SELinuxNullPermissionHappened function and reproduce the
> GLXMakeCurrent avc, hopefully the breakpoint will fire and you can get a
> backtrace.
> 
> Also there is another patch that will fix the x_device null avc's
> (attached).
> 
I tried this. The null avc denials occur on login. 

However, as soon as I "break SELinuxNullPermissionHappened", my login screen becomes unresponsive.

When I cancel the "break" it becomes responsive again.

As you can imagine it is difficult to reproduce the issue if this
happens, as I cannot log in (this is where the null avc occurs) with the
"breakpoint" set.

Any suggestions?

This is what I did:
- rebuild/reinstall xorg rpms with your patches included (seems to work
fine and the other null avcs are gone)
- installed xorg debuginfo rpm
- login using ssh and as root: gdb /usr/bin/Xorg <pid>
- break SELinuxNullPermissionHappened




^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: avc: denied null
  2009-05-21  2:36         ` Eamon Walsh
  2009-05-21 12:19           ` Dominick Grift
@ 2009-05-21 20:15           ` Dominick Grift
  1 sibling, 0 replies; 26+ messages in thread
From: Dominick Grift @ 2009-05-21 20:15 UTC (permalink / raw)
  To: Eamon Walsh; +Cc: Stephen Smalley, SELinux, Daniel J Walsh

On Wed, 2009-05-20 at 22:36 -0400, Eamon Walsh wrote:

> If you're willing to compile the X server from source, you could apply
> the attached patch and use gdb to attach to the running X server (this
> has to be done over an ssh connection). 
> 
> Break on the SELinuxNullPermissionHappened function and reproduce the
> GLXMakeCurrent avc, hopefully the breakpoint will fire and you can get a
> backtrace.
> 
> Also there is another patch that will fix the x_device null avc's
> (attached).
> 
I tried it again this time with some hints from eparis. It got me a little bit further:

(gdb) break SELinuxNullPermissionHappened
Breakpoint 1 at 0x7f86941f9370: file xselinux.c, line 433.
(gdb) continue
Continuing.

Program received signal SIGPIPE, Broken pipe.
0x00000030040d67ab in writev () from /lib64/libc.so.6
(gdb) bt
#0  0x00000030040d67ab in writev () from /lib64/libc.so.6
#1  0x00000000004eedec in _XSERVTransSocketWritev (
    ciptr=<value optimized out>, buf=0x7fff9c426f00, size=1)
    at /usr/include/X11/Xtrans/Xtranssock.c:2184
#2  0x00000000004ea85d in FlushClient (who=<value optimized out>, 
    oc=<value optimized out>, __extraBuf=<value optimized out>, 
    extraCount=<value optimized out>) at io.c:899
#3  0x00000000004eb301 in FlushAllOutput () at io.c:649
#4  0x0000000000446d75 in Dispatch () at dispatch.c:456
#5  0x000000000042d0d5 in main (argc=<value optimized out>, 
    argv=0x7fff9c427198, envp=<value optimized out>) at main.c:397
(gdb) quit
The program is running.  Quit anyway (and detach it)? (y or n) y
LND: Sending signal 13 to process 2456
Detaching from program: /usr/bin/Xorg, process 2456





^ permalink raw reply	[flat|nested] 26+ messages in thread

* Re: Policy loading problem
  2009-05-20 15:10                           ` Stephen Smalley
@ 2009-07-07 15:53                             ` Joshua Brindle
  0 siblings, 0 replies; 26+ messages in thread
From: Joshua Brindle @ 2009-07-07 15:53 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: Dennis Wronka, SELinux, Joshua Brindle, Chad Sellers

Stephen Smalley wrote:
> On Wed, 2009-05-20 at 22:57 +0800, Dennis Wronka wrote:
>> Okay, here we go:
>>
>> I unmounted /selinux and then got this:
>> load_policy: Can't load policy: Invalid argument
>>
>> I attached my kernel-config and the two traces (trace1 for the "Device or
>> resource busy"-error, trace2 for the "Invalid argument"-error).
>
> Possible patch for libselinux to a) gracefully handle the situation
> where selinuxfs is already mounted, b) report errors when switching to
> permissive, and c) proceed with the policy load even if we cannot switch
> to permissive mode as requested, as proceeding without a policy when the
> kernel only supports enforcing mode is not desirable.
>
> diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
> index a3a28a0..a7800da 100644
> --- a/libselinux/src/load_policy.c
> +++ b/libselinux/src/load_policy.c
> @@ -369,7 +369,7 @@ int selinux_init_load_policy(int *enforce)
>   	 * Check for the existence of SELinux via selinuxfs, and
>   	 * mount it if present for use in the calls below.
>   	 */
> -	if (mount("none", SELINUXMNT, "selinuxfs", 0, 0)<  0) {
> +	if (mount("none", SELINUXMNT, "selinuxfs", 0, 0)<  0&&  errno != EBUSY) {
>   		if (errno == ENODEV) {
>   			/*
>   			 * SELinux was disabled in the kernel, either
> @@ -416,8 +416,11 @@ int selinux_init_load_policy(int *enforce)
>   		goto noload;
>   	if (orig_enforce != *enforce) {
>   		rc = security_setenforce(*enforce);
> -		if (rc<  0)
> -			goto noload;
> +		if (rc<  0) {
> +			fprintf(stderr, "SELinux:  Unable to switch to %s mode:  %s\n", (*enforce ? "enforcing" : "permissive"), strerror(errno));
> +			if (*enforce)
> +				goto noload;
> +		}
>   	}
>
>   	/* Load the policy. */
>
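
Review bot: The reason a failed switch to permissive is no longer fatal (the `if (*enforce) goto noload;` test) is given only in the cover text, not in the code. A short comment above that test, saying that a kernel restricted to enforcing mode should still get its policy loaded, would keep a later cleanup from restoring the unconditional `goto noload`.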

Merged in libselinux 2.0.84.


^ permalink raw reply	[flat|nested] 26+ messages in thread

Thread overview: 26+ messages
2009-05-18 10:19 avc: denied null Dominick Grift
2009-05-18 12:50 ` Stephen Smalley
2009-05-18 12:59   ` Dominick Grift
2009-05-18 18:52     ` Eamon Walsh
2009-05-20  3:11     ` Eamon Walsh
2009-05-20  7:21       ` Policy loading problem Dennis Wronka
2009-05-20 11:46         ` Stephen Smalley
2009-05-20 13:46           ` Dennis Wronka
2009-05-20 13:49             ` Stephen Smalley
2009-05-20 14:07               ` Dennis Wronka
2009-05-20 14:09                 ` Stephen Smalley
2009-05-20 14:21                   ` Stephen Smalley
2009-05-20 14:42                     ` Dennis Wronka
2009-05-20 14:40                       ` Stephen Smalley
2009-05-20 14:57                         ` Dennis Wronka
2009-05-20 14:59                           ` Stephen Smalley
2009-05-20 15:22                             ` Dennis Wronka
2009-05-20 15:44                             ` Dennis Wronka
2009-05-20 16:44                               ` Stephen Smalley
2009-05-20 21:01                                 ` Paul Howarth
2009-05-20 15:10                           ` Stephen Smalley
2009-07-07 15:53                             ` Joshua Brindle
2009-05-20 11:08       ` avc: denied null Dominick Grift
2009-05-21  2:36         ` Eamon Walsh
2009-05-21 12:19           ` Dominick Grift
2009-05-21 20:15           ` Dominick Grift
