dracut: ordering of modules

dracut: ordering of modules

[Mimi Zohar]

Hi Harald,

Originally, 98integrity/ima-policy-load.sh didn't start executing before
98selinux/selinux-loadpolicy.sh finished, but unfortunately it now does.

inst_hook pre-pivot 50 "$moddir/selinux-loadpolicy.sh"
inst_hook pre-pivot 62 "$moddir/ima-policy-load.sh"

As the IMA policy could be dependent on LSM runtime info, this is a
problem.

[   10.040574] type=1805 audit(1328865524.387:2): action="dont_measure" fsmagic="0x9fa0" res=0
[   10.040663] type=1805 audit(1328865524.387:3): action="dont_appraise" fsmagic="0x9fa0" res=0
[   10.040729] type=1805 audit(1328865524.387:4): action="dont_measure" fsmagic="0x62656572" res=0
[   10.040792] type=1805 audit(1328865524.387:5): action="dont_appraise" fsmagic="0x62656572" res=0
[   10.040857] type=1805 audit(1328865524.387:6): action="dont_measure" fsmagic="0x64626720" res=0
[   10.040921] type=1805 audit(1328865524.387:7): action="dont_appraise" fsmagic="0x64626720" res=0
[   10.040985] type=1805 audit(1328865524.387:8): action="dont_measure" fsmagic="0x01021994" res=0
[   10.041047] type=1805 audit(1328865524.387:9): action="dont_appraise" fsmagic="0x01021994" res=0
[   10.041113] type=1805 audit(1328865524.387:10): action="dont_measure" fsmagic="0x73636673" res=0
[   10.041177] type=1805 audit(1328865524.387:11): action="dont_appraise" fsmagic="0x73636673" res=0
[   11.898956] SELinux:  Completing initialization.

I've tried adding a depend for selinux, but it doesn't seem to resolve
the problem, nor does delaying 98integrity to later.  Any suggestions
would be appreciated.

thanks,

Mimi

Re: dracut: ordering of modules

[Roberto Sassu]

Hi Mimi

i'm CCing the systemd and Fedora SELinux mailing lists.

Unfortunately, the SELinux policy initialization (at least
in Fedora 16) has been moved to systemd, so, now, loading an
IMA policy cannot be done in the initial ramdisk.

Further, the SELinux policy loading code is not in a unit file
but embedded in the main binary, which means that the new code for
loading IMA policies must be added just after that point.

I already wrote a patch for this. I need some time to test it
and will post in the systemd mailing list at the beginning of
the next week.

Roberto Sassu


On 02/10/2012 04:01 PM, Mimi Zohar wrote:
> Hi Harald,
>
> Originally, 98integrity/ima-policy-load.sh didn't start executing before
> 98selinux/selinux-loadpolicy.sh finished, but unfortunately it now does.
>
> inst_hook pre-pivot 50 "$moddir/selinux-loadpolicy.sh"
> inst_hook pre-pivot 62 "$moddir/ima-policy-load.sh"
>
> As the IMA policy could be dependent on LSM runtime info, this is a
> problem.
>
> [   10.040574] type=1805 audit(1328865524.387:2): action="dont_measure" fsmagic="0x9fa0" res=0
> [   10.040663] type=1805 audit(1328865524.387:3): action="dont_appraise" fsmagic="0x9fa0" res=0
> [   10.040729] type=1805 audit(1328865524.387:4): action="dont_measure" fsmagic="0x62656572" res=0
> [   10.040792] type=1805 audit(1328865524.387:5): action="dont_appraise" fsmagic="0x62656572" res=0
> [   10.040857] type=1805 audit(1328865524.387:6): action="dont_measure" fsmagic="0x64626720" res=0
> [   10.040921] type=1805 audit(1328865524.387:7): action="dont_appraise" fsmagic="0x64626720" res=0
> [   10.040985] type=1805 audit(1328865524.387:8): action="dont_measure" fsmagic="0x01021994" res=0
> [   10.041047] type=1805 audit(1328865524.387:9): action="dont_appraise" fsmagic="0x01021994" res=0
> [   10.041113] type=1805 audit(1328865524.387:10): action="dont_measure" fsmagic="0x73636673" res=0
> [   10.041177] type=1805 audit(1328865524.387:11): action="dont_appraise" fsmagic="0x73636673" res=0
> [   11.898956] SELinux:  Completing initialization.
>
> I've tried adding a depend for selinux, but it doesn't seem to resolve
> the problem, nor does delaying 98integrity to later.  Any suggestions
> would be appreciated.
>
> thanks,
>
> Mimi
>

Re: [systemd-devel] dracut: ordering of modules

[Lennart Poettering]

On Fri, 10.02.12 16:31, Roberto Sassu (roberto.sassu@polito.it) wrote:

> 
> Hi Mimi
> 
> i'm CCing the systemd and Fedora SELinux mailing lists.
> 
> Unfortunately, the SELinux policy initialization (at least
> in Fedora 16) has been moved to systemd, so, now, loading an
> IMA policy cannot be done in the initial ramdisk.
> 
> Further, the SELinux policy loading code is not in a unit file
> but embedded in the main binary, which means that the new code for
> loading IMA policies must be added just after that point.
> 
> I already wrote a patch for this. I need some time to test it
> and will post in the systemd mailing list at the beginning of
> the next week.

Hmm, what is this about? You need a place to load additional security
policies into the kernel at early boot? For SELinux that indeed takes
place from within PID 1 now in systemd. I'd expect that other security
technologies like AppArmor should work the same.

If you want to hack on this basing your work on selinux-setup.c in the
systemd tree should be fairly easy.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.

Re: [systemd-devel] dracut: ordering of modules

[Mimi Zohar]

On Fri, 2012-02-10 at 19:14 +0100, Lennart Poettering wrote:
> On Fri, 10.02.12 16:31, Roberto Sassu (roberto.sassu@polito.it) wrote:
> 
> > 
> > Hi Mimi
> > 
> > i'm CCing the systemd and Fedora SELinux mailing lists.
> > 
> > Unfortunately, the SELinux policy initialization (at least
> > in Fedora 16) has been moved to systemd, so, now, loading an
> > IMA policy cannot be done in the initial ramdisk.
> > 
> > Further, the SELinux policy loading code is not in a unit file
> > but embedded in the main binary, which means that the new code for
> > loading IMA policies must be added just after that point.
> > 
> > I already wrote a patch for this. I need some time to test it
> > and will post in the systemd mailing list at the beginning of
> > the next week.

Thanks Roberto!
 
> Hmm, what is this about? You need a place to load additional security
> policies into the kernel at early boot? For SELinux that indeed takes
> place from within PID 1 now in systemd. I'd expect that other security
> technologies like AppArmor should work the same.

The IMA measurement/appraisal policy, which is described in
Documentation/ABI/testing/ima_policy, can be based on a number
of criteria.  One of these criteria are LSM subj/obj labels. The IMA
measurement/appraisal policy should be loaded as early as possible, but
only after the LSM policy has been loaded.

Mimi

> If you want to hack on this basing your work on selinux-setup.c in the
> systemd tree should be fairly easy.
> 
> Lennart

Re: dracut: ordering of modules

[Harald Hoyer]

Am 10.02.2012 16:01, schrieb Mimi Zohar:
> Hi Harald,
> 
> Originally, 98integrity/ima-policy-load.sh didn't start executing before
> 98selinux/selinux-loadpolicy.sh finished, but unfortunately it now does.
> 
> inst_hook pre-pivot 50 "$moddir/selinux-loadpolicy.sh"
> inst_hook pre-pivot 62 "$moddir/ima-policy-load.sh"
> 
> As the IMA policy could be dependent on LSM runtime info, this is a
> problem.
> 
> [   10.040574] type=1805 audit(1328865524.387:2): action="dont_measure" fsmagic="0x9fa0" res=0
> [   10.040663] type=1805 audit(1328865524.387:3): action="dont_appraise" fsmagic="0x9fa0" res=0
> [   10.040729] type=1805 audit(1328865524.387:4): action="dont_measure" fsmagic="0x62656572" res=0
> [   10.040792] type=1805 audit(1328865524.387:5): action="dont_appraise" fsmagic="0x62656572" res=0
> [   10.040857] type=1805 audit(1328865524.387:6): action="dont_measure" fsmagic="0x64626720" res=0
> [   10.040921] type=1805 audit(1328865524.387:7): action="dont_appraise" fsmagic="0x64626720" res=0
> [   10.040985] type=1805 audit(1328865524.387:8): action="dont_measure" fsmagic="0x01021994" res=0
> [   10.041047] type=1805 audit(1328865524.387:9): action="dont_appraise" fsmagic="0x01021994" res=0
> [   10.041113] type=1805 audit(1328865524.387:10): action="dont_measure" fsmagic="0x73636673" res=0
> [   10.041177] type=1805 audit(1328865524.387:11): action="dont_appraise" fsmagic="0x73636673" res=0
> [   11.898956] SELinux:  Completing initialization.
> 
> I've tried adding a depend for selinux, but it doesn't seem to resolve
> the problem, nor does delaying 98integrity to later.  Any suggestions
> would be appreciated.
> 
> thanks,
> 
> Mimi
> 

In Fedora the selinux dracut module is disabled by default. You have to enable
it manually.

echo 'add_dracutmodules+=" selinux "' >> /etc/dracut.conf.d/99-my.conf

although, this also should do the thing:

$ git diff modules.d/98integrity/module-setup.sh
diff --git a/modules.d/98integrity/module-setup.sh
b/modules.d/98integrity/module-setup.sh
index 7d5771c..ff1b4aa 100755
--- a/modules.d/98integrity/module-setup.sh
+++ b/modules.d/98integrity/module-setup.sh
@@ -7,7 +7,7 @@ check() {
 }

 depends() {
-    echo masterkey securityfs
+    echo masterkey securityfs selinux
     return 0
 }

Re: dracut: ordering of modules

[Roberto Sassu]

On 02/13/2012 10:59 AM, Harald Hoyer wrote:
> Am 10.02.2012 16:01, schrieb Mimi Zohar:
>> Hi Harald,
>>
>> Originally, 98integrity/ima-policy-load.sh didn't start executing before
>> 98selinux/selinux-loadpolicy.sh finished, but unfortunately it now does.
>>
>> inst_hook pre-pivot 50 "$moddir/selinux-loadpolicy.sh"
>> inst_hook pre-pivot 62 "$moddir/ima-policy-load.sh"
>>
>> As the IMA policy could be dependent on LSM runtime info, this is a
>> problem.
>>
>> [   10.040574] type=1805 audit(1328865524.387:2): action="dont_measure" fsmagic="0x9fa0" res=0
>> [   10.040663] type=1805 audit(1328865524.387:3): action="dont_appraise" fsmagic="0x9fa0" res=0
>> [   10.040729] type=1805 audit(1328865524.387:4): action="dont_measure" fsmagic="0x62656572" res=0
>> [   10.040792] type=1805 audit(1328865524.387:5): action="dont_appraise" fsmagic="0x62656572" res=0
>> [   10.040857] type=1805 audit(1328865524.387:6): action="dont_measure" fsmagic="0x64626720" res=0
>> [   10.040921] type=1805 audit(1328865524.387:7): action="dont_appraise" fsmagic="0x64626720" res=0
>> [   10.040985] type=1805 audit(1328865524.387:8): action="dont_measure" fsmagic="0x01021994" res=0
>> [   10.041047] type=1805 audit(1328865524.387:9): action="dont_appraise" fsmagic="0x01021994" res=0
>> [   10.041113] type=1805 audit(1328865524.387:10): action="dont_measure" fsmagic="0x73636673" res=0
>> [   10.041177] type=1805 audit(1328865524.387:11): action="dont_appraise" fsmagic="0x73636673" res=0
>> [   11.898956] SELinux:  Completing initialization.
>>
>> I've tried adding a depend for selinux, but it doesn't seem to resolve
>> the problem, nor does delaying 98integrity to later.  Any suggestions
>> would be appreciated.
>>
>> thanks,
>>
>> Mimi
>>
>
> In Fedora the selinux dracut module is disabled by default. You have to enable
> it manually.
>

Hi Harald

this functionality seems to be broken in dracut due to a change in the
SELinux load_policy tool.
After enabling the selinux module in dracut, i obtain:

[    3.369059] dracut: Loading SELinux policy
[    3.449850] dracut: /sbin/load_policy: Can't load policy: No such 
file or directory
[    3.659899] dracut: Switching root


> echo 'add_dracutmodules+=" selinux "'>>  /etc/dracut.conf.d/99-my.conf
>
> although, this also should do the thing:
>
> $ git diff modules.d/98integrity/module-setup.sh
> diff --git a/modules.d/98integrity/module-setup.sh
> b/modules.d/98integrity/module-setup.sh
> index 7d5771c..ff1b4aa 100755
> --- a/modules.d/98integrity/module-setup.sh
> +++ b/modules.d/98integrity/module-setup.sh
> @@ -7,7 +7,7 @@ check() {
>   }
>
>   depends() {
> -    echo masterkey securityfs
> +    echo masterkey securityfs selinux
>       return 0
>   }
>
>
>
>
>

Re: dracut: ordering of modules

[Harald Hoyer]

Am 13.02.2012 11:17, schrieb Roberto Sassu:
> Hi Harald
> 
> this functionality seems to be broken in dracut due to a change in the
> SELinux load_policy tool.
> After enabling the selinux module in dracut, i obtain:
> 
> [    3.369059] dracut: Loading SELinux policy
> [    3.449850] dracut: /sbin/load_policy: Can't load policy: No such file or
> directory
> [    3.659899] dracut: Switching root
> 

This error can have multiple causes... Dan?

Re: dracut: ordering of modules

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/13/2012 05:29 AM, Harald Hoyer wrote:
> Am 13.02.2012 11:17, schrieb Roberto Sassu:
>> Hi Harald
>> 
>> this functionality seems to be broken in dracut due to a change
>> in the SELinux load_policy tool. After enabling the selinux
>> module in dracut, i obtain:
>> 
>> [    3.369059] dracut: Loading SELinux policy [    3.449850]
>> dracut: /sbin/load_policy: Can't load policy: No such file or 
>> directory [    3.659899] dracut: Switching root
>> 
> 
> This error can have multiple causes... Dan?

Well likeliest would be selinux-policy package is not installed.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk85QaIACgkQrlYvE4MpobMNbwCgi8JG0fmlQsnvo2HNnA+Orxzr
UYcAoKqHj0+Ll8lfbYpvGzANxck4MAwP
=geIr
-----END PGP SIGNATURE-----

Re: dracut: ordering of modules

[Roberto Sassu]

Hi Dan

i confirm this issue happens in a Fedora 16 system with the
selinux-policy package installed.

The selinux dracut module tries to load the policy but returns
with the error below. After switching root, the policy is
successfully loaded by Systemd.

Thanks

Roberto Sassu


On 02/13/2012 06:00 PM, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 02/13/2012 05:29 AM, Harald Hoyer wrote:
>> Am 13.02.2012 11:17, schrieb Roberto Sassu:
>>> Hi Harald
>>>
>>> this functionality seems to be broken in dracut due to a change
>>> in the SELinux load_policy tool. After enabling the selinux
>>> module in dracut, i obtain:
>>>
>>> [    3.369059] dracut: Loading SELinux policy [    3.449850]
>>> dracut: /sbin/load_policy: Can't load policy: No such file or
>>> directory [    3.659899] dracut: Switching root
>>>
>>
>> This error can have multiple causes... Dan?
>
> Well likeliest would be selinux-policy package is not installed.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.12 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk85QaIACgkQrlYvE4MpobMNbwCgi8JG0fmlQsnvo2HNnA+Orxzr
> UYcAoKqHj0+Ll8lfbYpvGzANxck4MAwP
> =geIr
> -----END PGP SIGNATURE-----

Re: dracut: ordering of modules

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/14/2012 10:53 AM, Roberto Sassu wrote:
> Hi Dan
> 
> i confirm this issue happens in a Fedora 16 system with the 
> selinux-policy package installed.
> 
> The selinux dracut module tries to load the policy but returns with
> the error below. After switching root, the policy is successfully
> loaded by Systemd.
> 
> Thanks
> 
> Roberto Sassu
> 
> 
Well in F16 dracut is not supposed to load the policy.
> On 02/13/2012 06:00 PM, Daniel J Walsh wrote: On 02/13/2012 05:29
> AM, Harald Hoyer wrote:
>>>> Am 13.02.2012 11:17, schrieb Roberto Sassu:
>>>>> Hi Harald
>>>>> 
>>>>> this functionality seems to be broken in dracut due to a
>>>>> change in the SELinux load_policy tool. After enabling the
>>>>> selinux module in dracut, i obtain:
>>>>> 
>>>>> [    3.369059] dracut: Loading SELinux policy [
>>>>> 3.449850] dracut: /sbin/load_policy: Can't load policy: No
>>>>> such file or directory [    3.659899] dracut: Switching
>>>>> root
>>>>> 
>>>> 
>>>> This error can have multiple causes... Dan?
> 
> Well likeliest would be selinux-policy package is not installed.
> 
> -- selinux mailing list selinux@lists.fedoraproject.org 
> https://admin.fedoraproject.org/mailman/listinfo/selinux

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk86rZ4ACgkQrlYvE4MpobPKXwCfbVdkQuaylTtHIASztazyokqN
u4wAnR9bueXLrFH4vvDxSPYSNqBDYP19
=W0oJ
-----END PGP SIGNATURE-----

Re: dracut: ordering of modules

[Mimi Zohar]

On Mon, 2012-02-13 at 10:59 +0100, Harald Hoyer wrote:
> Am 10.02.2012 16:01, schrieb Mimi Zohar:
> > Hi Harald,
> > 
> > Originally, 98integrity/ima-policy-load.sh didn't start executing before
> > 98selinux/selinux-loadpolicy.sh finished, but unfortunately it now does.
> > 
> > inst_hook pre-pivot 50 "$moddir/selinux-loadpolicy.sh"
> > inst_hook pre-pivot 62 "$moddir/ima-policy-load.sh"
> > 
> > As the IMA policy could be dependent on LSM runtime info, this is a
> > problem.
> > 
> > [   10.040574] type=1805 audit(1328865524.387:2): action="dont_measure" fsmagic="0x9fa0" res=0
> > [   10.040663] type=1805 audit(1328865524.387:3): action="dont_appraise" fsmagic="0x9fa0" res=0
> > [   10.040729] type=1805 audit(1328865524.387:4): action="dont_measure" fsmagic="0x62656572" res=0
> > [   10.040792] type=1805 audit(1328865524.387:5): action="dont_appraise" fsmagic="0x62656572" res=0
> > [   10.040857] type=1805 audit(1328865524.387:6): action="dont_measure" fsmagic="0x64626720" res=0
> > [   10.040921] type=1805 audit(1328865524.387:7): action="dont_appraise" fsmagic="0x64626720" res=0
> > [   10.040985] type=1805 audit(1328865524.387:8): action="dont_measure" fsmagic="0x01021994" res=0
> > [   10.041047] type=1805 audit(1328865524.387:9): action="dont_appraise" fsmagic="0x01021994" res=0
> > [   10.041113] type=1805 audit(1328865524.387:10): action="dont_measure" fsmagic="0x73636673" res=0
> > [   10.041177] type=1805 audit(1328865524.387:11): action="dont_appraise" fsmagic="0x73636673" res=0
> > [   11.898956] SELinux:  Completing initialization.
> > 
> > I've tried adding a depend for selinux, but it doesn't seem to resolve
> > the problem, nor does delaying 98integrity to later.  Any suggestions
> > would be appreciated.
> > 
> > thanks,
> > 
> > Mimi
> > 
> 
> In Fedora the selinux dracut module is disabled by default. You have to enable
> it manually.
> 
> echo 'add_dracutmodules+=" selinux "' >> /etc/dracut.conf.d/99-my.conf
> 
> although, this also should do the thing:
> 
> $ git diff modules.d/98integrity/module-setup.sh
> diff --git a/modules.d/98integrity/module-setup.sh
> b/modules.d/98integrity/module-setup.sh
> index 7d5771c..ff1b4aa 100755
> --- a/modules.d/98integrity/module-setup.sh
> +++ b/modules.d/98integrity/module-setup.sh
> @@ -7,7 +7,7 @@ check() {
>  }
> 
>  depends() {
> -    echo masterkey securityfs
> +    echo masterkey securityfs selinux
>      return 0
>  }

Already tried that, as mentioned above.

thanks,

Mimi

Re: dracut: ordering of modules

[Hannes Reinecke]

On 02/13/2012 10:59 AM, Harald Hoyer wrote:
> Am 10.02.2012 16:01, schrieb Mimi Zohar:
>> Hi Harald,
>>
[ .. ]

Ohh, can you _order_ dracut modules now?

Harald, that'll be four modules for me, please :-)


Sorry, I just _had_ to go for that cheap pun.

Cheers,

Hannes
-- 
Dr. Hannes Reinecke		      zSeries & Storage
hare@suse.de			      +49 911 74053 688
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg
GF: J. Hawn, J. Guild, F. Imendörffer, HRB 16746 (AG Nürnberg)