| 1 |
Hi all, |
| 2 |
|
| 3 |
I have a couple of cheap small machines ( AMD Kabinis on AM1 baords - |
| 4 |
cheap and old, but still interesting stuff) that I tred to convert from |
| 5 |
hardened profile to hardened/selinux. |
| 6 |
|
| 7 |
On two out of three, it works. |
| 8 |
|
| 9 |
On a third one, I always get to boot into selunx disabled state ( as |
| 10 |
reported by getenforce or sestate). |
| 11 |
|
| 12 |
I tried loading policy int kernel manually and it failed. |
| 13 |
load_policy kept repeating that it needs to try with lesser selinx |
| 14 |
policy version which it can't find. |
| 15 |
|
| 16 |
I tried going through it with debugger and have seen that it fails |
| 17 |
to mount selinuxfs. |
| 18 |
|
| 19 |
cat /proc/filesystems doesn't list selinuxfs, even though I clearly have |
| 20 |
selinux suppoort compiled in. |
| 21 |
|
| 22 |
I thought that I might have screwed something else in .config, but that |
| 23 |
deosn't seem to be the case. Kernel compiles and runs fine and same |
| 24 |
.config is used on other twoo working machines. |
| 25 |
|
| 26 |
also looking fthrough kernel buffer doesn't show anything unusual. |
| 27 |
selinux gets mentioned just twice in it - once when echoing "BOOT_IMAGE" |
| 28 |
line and once when echoing kernel parameter line ( both are practically |
| 29 |
the same) |
| 30 |
|
| 31 |
And nothing else. Just at the ond of kernel initialisation, just before |
| 32 |
systemd get started, there are no audit lines that usually marrk the |
| 33 |
point where policy gets loaded. |
| 34 |
|
| 35 |
No error, no info, nothing else. |
| 36 |
|
| 37 |
IS it possible that kernels itself switches selinux off if the |
| 38 |
filesystem labels don't smell the right way or something similar ? |
| 39 |
|
| 40 |
|
| 41 |
In that case, I'd expect to see at least a notice, but this fails |
| 42 |
silently... |
| 43 |
|
| 44 |
|
| 45 |
BTW, failing machhine is a local mini server, has a couple disks in RAID |
| 46 |
and is often used, so I can't just simply dissasemble it, swap the disks |
| 47 |
with working ones and see what happens. |
Archives