
Re: Bootup problems


Did you ever look further into this issue, Stephen?  The reason I ask is
that I'm still seeing it on the current kernel.

Timothy,

| On Sun, 2004-05-23 at 14:13, Thomas Bleher wrote:
|> The attached dmesg (non-relevant lines before and after snipped) is the
|> bootlog of a 2.6.6er-kernel on a SuSE 9.0 system. No initrd, no special
|> modules (only sound as module, everything else compiled in).
|> The system works fine afterwards, the filesystem is properly labeled.
|> It just seems like the file labels are initialized too late.
|> Does anyone know why this is happening or where I should look?
|
| The sequence appears to be:
| 1) policy load is started (from /sbin/init, right?),
| 2) usb device is detected,
| 3) policy load completes,
| 4) security initialization of already created superblocks and inodes is
| started (this was deferred until the policy was loaded),
| 5) kernel invokes hotplug due to device detection,
| 6) security state for hotplug inode has not yet been initialized, thus
| it is still marked with unlabeled_t,
| 7) no domain transition occurs on hotplug execution due to lack of
| proper file type, so hotplug runs in kernel_t, yielding a series of
| denials,
| 8) some other inodes are also not yet initialized, so they also have
| unlabeled_t,
| 9) security initialization of hda3 inodes completes, so hotplug and
| other inodes now have the right security context (but the running
| hotplug process is still in kernel_t),
| 10) various denials due to the fact that the filesystems have not yet
| been mounted, so you are just accessing the empty mount point
| directories that are left in file_t.
|
| The interleaving of the device detection / hotplug execution and policy
| load / inode initialization is not good; requires further investigation.
|
| --
| Stephen Smalley <sds@xxxxxxxxxxxxxx>
| National Security Agency

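Added example, not part of the original message or of any SELinux tooling: a small triage script that sorts early-boot AVC denials into the cases the quoted sequence describes (a userspace program still running in kernel_t, a target inode still unlabeled_t, a target left in file_t). The sample log lines are constructed in the 2.6-era `avc: denied` format, and the tag names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines (not taken from the dmesg discussed in the thread).
SAMPLE_DMESG = """\
security:  3 users, 4 roles, 300 types, 20 bools
avc:  denied  { read } for  pid=412 exe=/sbin/hotplug name=hotplug.d dev=hda3 ino=1201 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=dir
avc:  denied  { search } for  pid=412 exe=/sbin/hotplug name=usb dev=hda3 ino=77 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:file_t tclass=dir
avc:  denied  { execute } for  pid=413 exe=/bin/bash name=usb.agent dev=hda3 ino=1300 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:hotplug_exec_t tclass=file
avc:  denied  { write } for  pid=900 exe=/usr/sbin/httpd name=log dev=hda3 ino=5 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:var_log_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")

def parse_avc(text):
    """Return one dict per 'avc: denied' line: its key=value fields plus 'perms'."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not a denial line
        rec = dict(re.findall(r"(\w+)=(\S+)", m.group("rest")))
        rec["perms"] = m.group("perms").split()
        records.append(rec)
    return records

def ctx_type(context):
    """The type is the third field of user:role:type[:level]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""

def classify(rec):
    """Map a denial to the boot-ordering cases from the quoted sequence."""
    tags = set()
    if ctx_type(rec.get("scontext", "")) == "kernel_t" and "exe" in rec:
        tags.add("ran-in-kernel_t")      # steps 7 and 9: no domain transition
    ttype = ctx_type(rec.get("tcontext", ""))
    if ttype == "unlabeled_t":
        tags.add("target-unlabeled_t")   # steps 6 and 8: inode not initialized
    elif ttype == "file_t":
        tags.add("target-file_t")        # step 10: e.g. empty mount point dir
    return tags or {"other"}

def summarize(text):
    """Count denials per tag; a denial can carry more than one tag."""
    counts = Counter()
    for rec in parse_avc(text):
        counts.update(classify(rec))
    return counts
```

Calling `summarize()` on a saved boot log gives a quick count of how many denials come from the labeling race rather than from missing policy rules.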
