On Tue, 2009-02-03 at 23:11 +0800, Shaochun Wang wrote:
> Now I changed to targeted policy, and it seems easier to tame than
> strict policy. Because I use LVM to manage my disk and the
> filesystem's root is on an LVM partition, I need to use initramfs to
> make the kernel recognize my root partition. Without SELinux
> enforcing, everything works; but with it, system hangs with the
> following message:
>
> * Filesystem couldn't be fixed :(
> Give root password for maintenance
> ...

I'd bet that the device node has the wrong label (/dev/vg0/slash).

> After giving the root password, I got a shell. Executing df command, I
> found my root is mounted on two devices:
>
> Filesystem ... Mounted on
> rootfs /
> /dev/vg0/slash /
>
> I use busybox in my initramfs. The initramfs of my system can be
> downloaded from http://lcs.ios.ac.cn/~scwang/docs/initramfs.tar.gz
>
> Any help on initramfs with SELinux support?

We don't have any guides for that. Getting the initialization correct,
with all processes and objects created having the right context can be
extremely tricky. The longer objects, like device nodes, have the wrong
context, the more likely you will have problems. So it's best for
objects to be created with the right context, but that requires the
policy to be loaded. But the policy is on the root partition. So after
the policy is loaded, you have to relabel any objects created ASAP.

> BTW, it seems that SELinux support of Gentoo is dying!

I'm not sure why you feel this way. If you really feel that is the
case, then you should find ways to contribute.

> On Tue, Feb 03, 2009 at 09:23:45AM -0500, Chris PeBenito wrote:
> > On Mon, 2009-02-02 at 14:40 +0800, Shaochun Wang wrote:
> > > I tried to work with strict policy on enforcing mode. And almost all
> > > services can't function as expected. Any help?
> >
> > You'll have to be more specific. But one thing to note is that it
> > hasn't been updated for baselayout-2 (which should be masked on the
> > selinux profiles).
> >
> > --
> > Chris PeBenito
> > <pebenito@g.o>
> > Developer,
> > Hardened Gentoo Linux
> >
> > Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
> > Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
>
>
>

--
Chris PeBenito
<pebenito@g.o>
Developer,
Hardened Gentoo Linux

Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
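
The label check suggested in the reply above (a device node such as /dev/vg0/slash carrying the wrong context after the policy is loaded), as an added example that is not part of the original message or of Gentoo's tooling: it compares the contexts found on device nodes with what file_contexts-style specs assign and lists the nodes that still need relabeling. The spec lines, the node listing and the function names are constructed for illustration, and the file-type flag is ignored for simplicity.

```shell
#!/bin/sh
# Constructed sample of file_contexts-style specs: regex, optional type flag, context.
# On a real system these come from the loaded policy's file_contexts file.
SPECS='/dev/.* system_u:object_r:device_t
/dev/null -c system_u:object_r:null_device_t
/dev/console -c system_u:object_r:console_device_t
/dev/vg0/.* -b system_u:object_r:fixed_disk_device_t'

# Constructed sample of "path context" pairs, as they might be collected with
# `ls -Z` in the maintenance shell. Nodes made before policy load are generic.
NODES='/dev/console system_u:object_r:console_device_t
/dev/null system_u:object_r:device_t
/dev/vg0/slash system_u:object_r:device_t
/dev/tty1 system_u:object_r:device_t'

# Print the context the specs assign to a path. Each regex must match the
# whole path, and the last matching spec wins (type flag ignored here).
expected_context() {
    want=
    while read -r re flag ctx; do
        [ -n "$re" ] || continue
        [ -n "$ctx" ] || ctx=$flag        # two-field line: no type flag
        if printf '%s\n' "$1" | grep -Eqx -- "$re"; then
            want=$ctx
        fi
    done <<EOF
$SPECS
EOF
    printf '%s\n' "$want"
}

# Print every node whose current context differs from the expected one;
# these are the objects to relabel right after the policy is loaded.
mislabeled_nodes() {
    printf '%s\n' "$NODES" | while read -r path have; do
        want=$(expected_context "$path")
        if [ -n "$want" ] && [ "$have" != "$want" ]; then
            printf '%s\n' "$path"
        fi
    done
}
```

On a live system, `restorecon -n -v -R /dev` reports the same kind of mismatch against the real policy without changing any labels.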