From: Timothy Wood <timothy@diyab.net>
To: SELinux Mail List <selinux@tycho.nsa.gov>
Subject: Re: Bootup problems
Date: Wed, 16 Feb 2005 02:30:19 -0500
Message-ID: <4212F68B.2010509@diyab.net>
Did you ever look further into this issue, Stephen? The reason I ask is
that I'm still seeing it on the current kernel.
Timothy,
| On Sun, 2004-05-23 at 14:13, Thomas Bleher wrote:
|> The attached dmesg (non-relevant lines before and after snipped) is the
|> bootlog of a 2.6.6er-kernel on a SuSE 9.0 system. No initrd, no special
|> modules (only sound as module, everything else compiled in).
|> The system works fine afterwards, the filesystem is properly labeled.
|> It just seems like the file labels are initialized too late.
|> Does anyone know why this is happening or where I should look?
|
| The sequence appears to be:
| 1) policy load is started (from /sbin/init, right?),
| 2) usb device is detected,
| 3) policy load completes,
| 4) security initialization of already created superblocks and inodes is
| started (this was deferred until the policy was loaded),
| 5) kernel invokes hotplug due to device detection,
| 6) security state for hotplug inode has not yet been initialized, thus
| it is still marked with unlabeled_t,
| 7) no domain transition occurs on hotplug execution due to lack of
| proper file type, so hotplug runs in kernel_t, yielding a series of
| denials,
| 8) some other inodes are also not yet initialized, so they also have
| unlabeled_t,
| 9) security initialization of hda3 inodes completes, so hotplug and
| other inodes now have the right security context (but the running
| hotplug process is still in kernel_t),
| 10) various denials due to the fact that the filesystems have not yet
| been mounted, so you are just accessing the empty mount point
| directories that are left in file_t.
|
| The interleaving of the device detection / hotplug execution and policy
| load / inode initialization is not good; requires further investigation.
|
| --
| Stephen Smalley <sds@epoch.ncsc.mil>
| National Security Agency
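Added example, not part of the thread or of any poster's code: a small triage script that sorts boot-time AVC denials into the two causes named in the quoted sequence (inodes not yet initialized, steps 6-8, and empty mount points left in file_t, step 10). The log lines are constructed, their format approximates 2.6-era kernel output, and the function name is hypothetical.

```python
import re

# Constructed sample (not the dmesg from the thread); line formats approximate
# 2.6-era kernel output and are an assumption of this example.
SAMPLE = """\
audit(1085335995.101:0): avc:  denied  { search } for  pid=15 exe=/sbin/hotplug name=etc dev=hda3 ino=4001 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1085335995.102:0): avc:  denied  { read } for  pid=15 exe=/sbin/hotplug name=hotplug dev=hda3 ino=4002 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=file
SELinux: initialized (dev hda3, type ext3), uses xattr
audit(1085335995.250:0): avc:  denied  { search } for  pid=15 exe=/sbin/hotplug name=proc dev=hda3 ino=12 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=dir
audit(1085335996.010:0): avc:  denied  { write } for  pid=200 exe=/usr/sbin/cupsd name=log dev=hda3 ino=77 scontext=system_u:system_r:cupsd_t tcontext=system_u:object_r:var_log_t tclass=dir
"""

# Marks the point where a device's superblock and inodes got their security state.
INIT_RE = re.compile(r"SELinux: initialized \(dev (\S+?),")
# Pulls the device plus the type field (third component) of both contexts.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{[^}]*\}.*?\bdev=(?P<dev>\S+)"
    r".*?scontext=[^:\s]+:[^:\s]+:(?P<stype>[^:\s]+)"
    r".*?tcontext=[^:\s]+:[^:\s]+:(?P<ttype>[^:\s]+)"
)

def classify_boot_denials(log):
    """Return (line_no, dev, reason) for each denial raised by a kernel_t process."""
    initialized = set()  # devices already reported as initialized
    findings = []
    for no, line in enumerate(log.splitlines(), 1):
        m = INIT_RE.search(line)
        if m:
            initialized.add(m.group(1))
            continue
        m = AVC_RE.search(line)
        if not m or m.group("stype") != "kernel_t":
            continue  # denial from a confined domain: unrelated to this race
        dev, ttype = m.group("dev"), m.group("ttype")
        if ttype == "unlabeled_t" and dev not in initialized:
            reason = "inode-not-yet-initialized"   # steps 6-8 of the sequence
        elif ttype == "file_t" and dev in initialized:
            reason = "empty-mount-point"           # step 10 of the sequence
        else:
            reason = "other-kernel_t-denial"
        findings.append((no, dev, reason))
    return findings

if __name__ == "__main__":
    for finding in classify_boot_denials(SAMPLE):
        print(finding)
```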