| 1 |
On Tue, 2009-02-03 at 23:11 +0800, Shaochun Wang wrote: |
| 2 |
> Now I changed to targeted policy, and it seems more easy to tame than |
| 3 |
> strict policy. Becuase I use LVM to manage my disk and the |
| 4 |
> filesystem's root is on an LVM partition, I need to use initramfs to |
| 5 |
> make the kernel to recognize my root partiton. Without SELinux |
| 6 |
> enforcing, everything works; but with it, system hangs with the |
| 7 |
> following message: |
| 8 |
> |
| 9 |
> * Filesystem couldn't be fixed :( |
| 10 |
> Give root password for maintenance |
| 11 |
> ... |
| 12 |
|
| 13 |
I'd bet that the device node has the wrong label (/dev/vg0/slash). |
| 14 |
|
| 15 |
> After giving the root password, I got a shell. Executing df command, I |
| 16 |
> found my root is mounted on two devices: |
| 17 |
> |
| 18 |
> Filesystem ... Mounted on |
| 19 |
> rootfs / |
| 20 |
> /dev/vg0/slash / |
| 21 |
> |
| 22 |
> I use busybox in my initramfs. The initramfs of my system can be |
| 23 |
> downloaded from http://lcs.ios.ac.cn/~scwang/docs/initramfs.tar.gz |
| 24 |
> |
| 25 |
> Any help on initramfs with SELinux support? |
| 26 |
|
| 27 |
We don't have any guides for that. Getting the initialization correct, |
| 28 |
with all processes and objects created having the right context can be |
| 29 |
extremely tricky. The longer objects, like device nodes, have the wrong |
| 30 |
the context, the more likely you will have problems. So its best for |
| 31 |
objects to be created with the right context, but that requires the |
| 32 |
policy to be loaded. But the policy is on the root partition. So after |
| 33 |
the policy is loaded, you have to relabel any objects created ASAP. |
| 34 |
|
| 35 |
> BTW, it seems that SELinux support of Gentoo is dying! |
| 36 |
|
| 37 |
I'm not sure why you feel this way. If you really feel that is the |
| 38 |
case, then you should find ways to contribute. |
| 39 |
|
| 40 |
> On Tue, Feb 03, 2009 at 09:23:45AM -0500, Chris PeBenito wrote: |
| 41 |
> > On Mon, 2009-02-02 at 14:40 +0800, Shaochun Wang wrote: |
| 42 |
> > > I tried to work with strict policy on enforcing mode. And almost all |
| 43 |
> > > services can't function as expected. Any help? |
| 44 |
> > |
| 45 |
> > You'll have to be more specific. But one thing to note is that it |
| 46 |
> > hasn't been updated for baselayout-2 (which should be masked on the |
| 47 |
> > selinux profiles). |
| 48 |
> > |
| 49 |
> > -- |
| 50 |
> > Chris PeBenito |
| 51 |
> > <pebenito@g.o> |
| 52 |
> > Developer, |
| 53 |
> > Hardened Gentoo Linux |
| 54 |
> > |
| 55 |
> > Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243 |
| 56 |
> > Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243 |
| 57 |
> |
| 58 |
> |
| 59 |
> |
| 60 |
|
| 61 |
-- |
| 62 |
Chris PeBenito |
| 63 |
<pebenito@g.o> |
| 64 |
Developer, |
| 65 |
Hardened Gentoo Linux |
| 66 |
|
| 67 |
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243 |
| 68 |
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243 |
Archives