* Bootup problems
@ 2004-05-23 18:13 Thomas Bleher
From: Thomas Bleher @ 2004-05-23 18:13 UTC (permalink / raw)
To: SELinux ML
The attached dmesg (non-relevant lines before and after snipped) is the
bootlog of a 2.6.6er-kernel on a SuSE 9.0 system. No initrd, no special
modules (only sound as module, everything else compiled in).
The system works fine afterwards, the filesystem is properly labeled.
It just seems like the file labels are initialized too late.
Does anyone know why this is happening or where I should look?
Thomas
re: the last audit deny: /soft is the root of an nfs-mount. Later in the
process it is correctly treated as nfs_t.
PS: This also happened with 2.6.5; it is not a new problem in 2.6.6.
--
http://www.cip.ifi.lmu.de/~bleher/selinux/ - my SELinux pages
GPG-Fingerprint: BC4F BB16 30D6 F253 E3EA D09E C562 2BAE B2F4 ABE7
[-- Attachment #1.2: dmesg --]
[-- Type: text/plain, Size: 5398 bytes --]
kjournald starting. Commit interval 5 seconds
EXT3-fs: mounted filesystem with ordered data mode.
VFS: Mounted root (ext3 filesystem) readonly.
Freeing unused kernel memory: 484k freed
usb 2-2: new low speed USB device using address 2
security: 22 users, 5 roles, 577 types, 1 bools
security: 30 classes, 60011 rules
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
SELinux: initialized (dev , type selinuxfs), uses genfs_contexts
audit(1085334438.959:0): avc: denied { execute_no_trans } for pid=141 comm=khelper path=/sbin/hotplug dev=hda3 ino=1589274 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=file
audit(1085334438.963:0): avc: denied { read } for pid=141 comm=khelper path=/sbin/hotplug dev=hda3 ino=1589274 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=file
audit(1085334438.968:0): avc: denied { execute } for pid=141 comm=khelper name=bash dev=hda3 ino=671755 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=file
audit(1085334438.974:0): avc: denied { getattr } for pid=141 exe=/bin/bash path=/etc/ld.so.cache dev=hda3 ino=213295 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=file
input: USB HID v1.10 Mouse [Logitech USB Optical Mouse] on usb-0000:00:1d.0-2
SELinux: initialized (dev hda3, type ext3), uses xattr
audit(1085334439.166:0): avc: denied { read write } for pid=137 exe=/bin/bash name=tty dev=hda3 ino=69775 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:devtty_t tclass=chr_file
SELinux: initialized (dev , type usbfs), uses genfs_contexts
SELinux: initialized (dev , type usbdevfs), uses genfs_contexts
audit(1085334439.298:0): avc: denied { read } for pid=137 exe=/bin/bash name=mtab dev=hda3 ino=213423 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:etc_runtime_t tclass=file
audit(1085334439.298:0): avc: denied { getattr } for pid=137 exe=/bin/bash path=/etc/mtab dev=hda3 ino=213423 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:etc_runtime_t tclass=file
SELinux: initialized (dev , type devpts), uses transition SIDs
SELinux: initialized (dev , type eventpollfs), uses genfs_contexts
SELinux: initialized (dev , type pipefs), uses task SIDs
SELinux: initialized (dev , type tmpfs), uses transition SIDs
SELinux: initialized (dev , type futexfs), uses genfs_contexts
SELinux: initialized (dev , type sockfs), uses task SIDs
SELinux: initialized (dev , type proc), uses genfs_contexts
SELinux: initialized (dev , type bdev), uses genfs_contexts
SELinux: initialized (dev , type rootfs), uses genfs_contexts
SELinux: initialized (dev , type sysfs), uses genfs_contexts
audit(1085334439.441:0): avc: denied { read } for pid=137 exe=/bin/bash name=nsswitch.conf dev=hda3 ino=213031 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:etc_t tclass=file
audit(1085334439.449:0): avc: denied { getattr } for pid=137 exe=/bin/bash path=/etc/nsswitch.conf dev=hda3 ino=213031 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:etc_t tclass=file
audit(1085334439.616:0): avc: denied { ioctl } for pid=140 exe=/bin/bash path=/sbin/hotplug dev=hda3 ino=1589274 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:hotplug_exec_t tclass=file
audit(1085334440.578:0): avc: denied { search } for pid=337 exe=/sbin/showconsole name=proc dev=hda3 ino=32769 scontext=system_u:system_r:showconsole_t tcontext=system_u:object_r:file_t tclass=dir
audit(1085334440.664:0): avc: denied { getattr } for pid=337 exe=/sbin/showconsole path=/dev/pts dev=hda3 ino=98305 scontext=system_u:system_r:showconsole_t tcontext=system_u:object_r:file_t tclass=dir
audit(1085334440.674:0): avc: denied { read } for pid=337 exe=/sbin/showconsole name=pts dev=hda3 ino=98305 scontext=system_u:system_r:showconsole_t tcontext=system_u:object_r:file_t tclass=dir
Adding 1534196k swap on /dev/hda2. Priority:42 extents:1
EXT3 FS on hda3, internal journal
SELinux: initialized (dev , type tmpfs), uses transition SIDs
Disabled Privacy Extensions on device c05cfd40(lo)
e100: eth0: e100_watchdog: link up, 100Mbps, full-duplex
HTB init, kernel part version 3.16
HTB: quantum of class 10001 is big. Consider r2q change.
HTB: quantum of class 10011 is big. Consider r2q change.
audit(1085334473.044:0): avc: denied { getattr } for pid=1741 exe=/bin/mount path=/mnt/storage01 dev=hda3 ino=1507869 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:file_t tclass=dir
SELinux: initialized (dev , type rpc_pipefs), uses genfs_contexts
SELinux: initialized (dev 0:e, type nfs), uses genfs_contexts
SELinux: initialized (dev 0:10, type nfs), uses genfs_contexts
SELinux: initialized (dev 0:11, type nfs), uses genfs_contexts
SELinux: initialized (dev 0:12, type nfs), uses genfs_contexts
SELinux: initialized (dev 0:13, type nfs), uses genfs_contexts
SELinux: initialized (dev 0:14, type nfs), uses genfs_contexts
SELinux: initialized (dev 0:15, type nfs), uses genfs_contexts
audit(1085334477.241:0): avc: denied { search } for pid=1753 exe=/sbin/ldconfig name=soft dev=hda3 ino=8700040 scontext=system_u:system_r:ldconfig_t tcontext=system_u:object_r:file_t tclass=dir
PCI: Setting latency timer of device 0000:00:1f.5 to 64
intel8x0_measure_ac97_clock: measured 49289 usecs
intel8x0: clocking to 48000
* Re: Bootup problems
From: Stephen Smalley @ 2004-05-24 14:54 UTC (permalink / raw)
To: Thomas Bleher; +Cc: SELinux ML, James Morris
On Sun, 2004-05-23 at 14:13, Thomas Bleher wrote:
> The attached dmesg (non-relevant lines before and after snipped) is the
> bootlog of a 2.6.6er-kernel on a SuSE 9.0 system. No initrd, no special
> modules (only sound as module, everything else compiled in).
> The system works fine afterwards, the filesystem is properly labeled.
> It just seems like the file labels are initialized too late.
> Does anyone know why this is happening or where I should look?
The sequence appears to be:
1) policy load is started (from /sbin/init, right?),
2) usb device is detected,
3) policy load completes,
4) security initialization of already created superblocks and inodes is
started (this was deferred until the policy was loaded),
5) kernel invokes hotplug due to device detection,
6) security state for hotplug inode has not yet been initialized, thus
it is still marked with unlabeled_t,
7) no domain transition occurs on hotplug execution due to lack of
proper file type, so hotplug runs in kernel_t, yielding a series of
denials,
8) some other inodes are also not yet initialized, so they also have
unlabeled_t,
9) security initialization of hda3 inodes completes, so hotplug and
other inodes now have the right security context (but the running
hotplug process is still in kernel_t),
10) various denials due to the fact that the filesystems have not yet
been mounted, so you are just accessing the empty mount point
directories that are left in file_t.
The interleaving of the device detection / hotplug execution and policy
load / inode initialization is not good; requires further investigation.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
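As an added example (not part of this thread, and not code from the SELinux project or any of its tools), the script below parses the AVC lines from the attached dmesg and sorts each denial into the stages Stephen's sequence describes: targets still carrying unlabeled_t because inode labeling has not caught up (steps 6 and 8), a process that kept running as kernel_t after the hda3 inodes were relabeled (step 9), and searches of empty mount-point directories still labeled file_t (step 10). The function and category names are mine; the sample text is a subset of the log lines from the original message, with the "SELinux: initialized (dev hda3 ...)" line used as the marker for when the root filesystem's inodes gained their real labels.

```python
import re
from collections import Counter

# Log lines copied from the dmesg attached to the first message of the thread
# (a subset, in their original order); the "initialized (dev hda3" line marks
# the point after which hda3 inodes carry their real xattr labels.
SAMPLE_DMESG = """\
SELinux: Completing initialization.
SELinux: Setting up existing superblocks.
audit(1085334438.959:0): avc: denied { execute_no_trans } for pid=141 comm=khelper path=/sbin/hotplug dev=hda3 ino=1589274 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=file
audit(1085334438.968:0): avc: denied { execute } for pid=141 comm=khelper name=bash dev=hda3 ino=671755 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=file
audit(1085334438.974:0): avc: denied { getattr } for pid=141 exe=/bin/bash path=/etc/ld.so.cache dev=hda3 ino=213295 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=file
SELinux: initialized (dev hda3, type ext3), uses xattr
audit(1085334439.166:0): avc: denied { read write } for pid=137 exe=/bin/bash name=tty dev=hda3 ino=69775 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:devtty_t tclass=chr_file
audit(1085334439.298:0): avc: denied { read } for pid=137 exe=/bin/bash name=mtab dev=hda3 ino=213423 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:etc_runtime_t tclass=file
audit(1085334440.578:0): avc: denied { search } for pid=337 exe=/sbin/showconsole name=proc dev=hda3 ino=32769 scontext=system_u:system_r:showconsole_t tcontext=system_u:object_r:file_t tclass=dir
audit(1085334473.044:0): avc: denied { getattr } for pid=1741 exe=/bin/mount path=/mnt/storage01 dev=hda3 ino=1507869 scontext=system_u:system_r:mount_t tcontext=system_u:object_r:file_t tclass=dir
audit(1085334477.241:0): avc: denied { search } for pid=1753 exe=/sbin/ldconfig name=soft dev=hda3 ino=8700040 scontext=system_u:system_r:ldconfig_t tcontext=system_u:object_r:file_t tclass=dir
"""

# Old-style (2.6.x) AVC format: audit(ts:serial): avc: denied { perms } for k=v ...
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):\d+\): avc: denied \{ (?P<perms>[^}]*)\} for (?P<fields>.*)$"
)
# Superblock initialization lines tell us when a device's inodes got real labels.
FS_INIT_RE = re.compile(r"SELinux: initialized \(dev (?P<dev>[^,]*), type (?P<fstype>[^)]*)\)")


def parse_avc(line):
    """Return a dict of the AVC record's fields, or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "perms": m.group("perms").split()}
    for kv in m.group("fields").split():
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def type_of(context):
    """Extract the type field from user:role:type[:range]."""
    return context.split(":")[2]


def classify(rec, labeled_devs):
    """Map one denial onto the stages of the boot-time labeling race."""
    src = type_of(rec["scontext"])
    tgt = type_of(rec["tcontext"])
    if tgt == "unlabeled_t":
        # Inode touched before deferred labeling reached it (steps 6 and 8).
        return "inode-not-yet-labeled"
    if src == "kernel_t" and rec.get("dev") in labeled_devs:
        # Inodes are labeled now, but the process never transitioned (step 9).
        return "process-left-in-kernel_t"
    if tgt == "file_t" and rec.get("tclass") == "dir":
        # Empty mount-point directory, filesystem not mounted yet (step 10).
        return "unmounted-mount-point"
    return "other"


def analyze(dmesg_text):
    """Walk the log in order, tracking which devices have been labeled."""
    labeled_devs = set()
    findings = []
    for line in dmesg_text.splitlines():
        fs = FS_INIT_RE.search(line)
        if fs:
            labeled_devs.add(fs.group("dev"))
            continue
        rec = parse_avc(line)
        if rec is None:
            continue
        rec["category"] = classify(rec, labeled_devs)
        findings.append(rec)
    return findings


def summarize(findings):
    """Count denials per category."""
    return dict(Counter(f["category"] for f in findings))


def exec_without_transition(findings):
    """Executions from kernel_t that were denied a transition (step 7)."""
    return [
        (f["pid"], f.get("comm") or f.get("exe"), f.get("path") or f.get("name"))
        for f in findings
        if type_of(f["scontext"]) == "kernel_t" and "execute_no_trans" in f["perms"]
    ]


if __name__ == "__main__":
    results = analyze(SAMPLE_DMESG)
    for f in results:
        print(f"pid={f['pid']:>5} {f.get('comm') or f.get('exe'):<18} {f['category']}")
    print(summarize(results))
    print("no-transition execs:", exec_without_transition(results))
```

The ordering matters: a denial is only attributed to "process-left-in-kernel_t" if the device's initialization line has already been seen, which is exactly the distinction between steps 6 and 9 above. Run against a full dmesg, the script treats any device whose "SELinux: initialized" line never appears as unlabeled throughout.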
* Re: Bootup problems
From: Timothy Wood @ 2005-02-16 7:30 UTC (permalink / raw)
To: SELinux Mail List
Did you ever look further into this issue, Stephen? The reason I ask is
that I'm still seeing it on the current kernel.
Timothy,
| On Sun, 2004-05-23 at 14:13, Thomas Bleher wrote:
|> The attached dmesg (non-relevant lines before and after snipped) is the
|> bootlog of a 2.6.6er-kernel on a SuSE 9.0 system. No initrd, no special
|> modules (only sound as module, everything else compiled in).
|> The system works fine afterwards, the filesystem is properly labeled.
|> It just seems like the file labels are initialized too late.
|> Does anyone know why this is happening or where I should look?
|
| The sequence appears to be:
| 1) policy load is started (from /sbin/init, right?),
| 2) usb device is detected,
| 3) policy load completes,
| 4) security initialization of already created superblocks and inodes is
| started (this was deferred until the policy was loaded),
| 5) kernel invokes hotplug due to device detection,
| 6) security state for hotplug inode has not yet been initialized, thus
| it is still marked with unlabeled_t,
| 7) no domain transition occurs on hotplug execution due to lack of
| proper file type, so hotplug runs in kernel_t, yielding a series of
| denials,
| 8) some other inodes are also not yet initialized, so they also have
| unlabeled_t,
| 9) security initialization of hda3 inodes completes, so hotplug and
| other inodes now have the right security context (but the running
| hotplug process is still in kernel_t),
| 10) various denials due to the fact that the filesystems have not yet
| been mounted, so you are just accessing the empty mount point
| directories that are left in file_t.
|
| The interleaving of the device detection / hotplug execution and policy
| load / inode initialization is not good; requires further investigation.
|
| --
| Stephen Smalley <sds@epoch.ncsc.mil>
| National Security Agency
* Re: Bootup problems
From: Stephen Smalley @ 2005-02-16 13:18 UTC (permalink / raw)
To: Timothy Wood; +Cc: SELinux Mail List, James Morris
On Wed, 2005-02-16 at 02:30, Timothy Wood wrote:
> Did you ever look further into this issue, Stephen? The reason I ask is
> that I'm still seeing it on the current kernel.
<snip>
> | The sequence appears to be:
> | 1) policy load is started (from /sbin/init, right?),
> | 2) usb device is detected,
> | 3) policy load completes,
> | 4) security initialization of already created superblocks and inodes is
> | started (this was deferred until the policy was loaded),
> | 5) kernel invokes hotplug due to device detection,
> | 6) security state for hotplug inode has not yet been initialized, thus
> | it is still marked with unlabeled_t,
> | 7) no domain transition occurs on hotplug execution due to lack of
> | proper file type, so hotplug runs in kernel_t, yielding a series of
> | denials,
> | 8) some other inodes are also not yet initialized, so they also have
> | unlabeled_t,
> | 9) security initialization of hda3 inodes completes, so hotplug and
> | other inodes now have the right security context (but the running
> | hotplug process is still in kernel_t),
> | 10) various denials due to the fact that the filesystems have not yet
> | been mounted, so you are just accessing the empty mount point
> | directories that are left in file_t.
> |
> | The interleaving of the device detection / hotplug execution and policy
> | load / inode initialization is not good; requires further investigation.
No, I'm afraid that this hasn't been resolved yet.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency