| 1 |
Hi, |
| 2 |
|
| 3 |
I've been running a couple of Gentoo SELinux systems using the stock |
| 4 |
reference policy for a few months now, for testing & policy development, |
| 5 |
but have recently run into a snag. The SELinux folks directed me here |
| 6 |
since it seems to be only Gentoo that's giving me problems. |
| 7 |
|
| 8 |
The latest refpolicy requires versions of the SELinux userland that |
| 9 |
aren't yet in portage. So I created a local overlay and wr0te ebuilds |
| 10 |
for all of them, which seemed to work fine. However, on more than one |
| 11 |
machine, I can reproduce a problem by upgrading libselinux from the |
| 12 |
latest version in portage to the latest development version (1.34.14 -> |
| 13 |
2.0.65). |
| 14 |
|
| 15 |
As soon as I install the v2.0 library, my system stops booting properly |
| 16 |
until I either disable SELinux in the kernel, or back down to 1.34.14. |
| 17 |
The problem manifests itself by causing every app that runs out of init |
| 18 |
to fail immediately. None of the /sbin/rc scripts run, and as soon as |
| 19 |
the gettys launch they immediately crash until init stops respawning |
| 20 |
them. CTRL-ALT-DEL also doesn't work, as init doesn't create the |
| 21 |
/dev/initctl socket, and only a hard power-down can get me out of this |
| 22 |
state. |
| 23 |
|
| 24 |
If I boot with either "selinux=0" or "emergency" kernel parameters, the |
| 25 |
system boots but obviously not in a useable SELinux state. I have |
| 26 |
sucessfully used the new v2.0 set of userland tools on at least one |
| 27 |
other Gentoo system, as well as Fedora, with no issues. It only seems |
| 28 |
to happen if I start with the v1 library then upgrade to the v2 library, |
| 29 |
but I can't find any particular application that links to libselinux |
| 30 |
that would need to be rebuilt. I tried rebuilding init, pam, login, and |
| 31 |
agetty and none of that helped. |
| 32 |
|
| 33 |
I'm not sure how to even start debugging this problem, though I'd be |
| 34 |
happy to spend the time if I could figure out how :) The system logger |
| 35 |
and audit daemons don't start when the failure occurs, I can't log in to |
| 36 |
trace the apps, and I'm not finding any core dumps anywhere. Can anyone |
| 37 |
point me in the right direction here? |
| 38 |
|
| 39 |
Thanks, |
| 40 |
|
| 41 |
--Mike |
Archives