| 1 |
Hi Mike, |
| 2 |
|
| 3 |
I run two gentoo servers with both encrypted root fs and GRSEC/RBAC/PAX |
| 4 |
--- so it is possible. I didn't used LUKS, I set everything up step by |
| 5 |
step by hand. I've got a little mini-howto (with an already prepared |
| 6 |
initrd) if you'd like to see what I did: |
| 7 |
|
| 8 |
http://www.virtualblueness.net/~blueness/encryptedroot/ |
| 9 |
|
| 10 |
I know this doesn't directly answer your question but it may help. |
| 11 |
|
| 12 |
-- |
| 13 |
|
| 14 |
Anthony Basile, Ph.D. |
| 15 |
Chair IT, D'Youville College |
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
On Tue, 2006-07-11 at 10:11 +0200, Michael Decker wrote: |
| 20 |
> Hi, |
| 21 |
> |
| 22 |
> could somebody help me to solve this problem. I try to encrypting whole |
| 23 |
> root device by doing this howto: |
| 24 |
> |
| 25 |
> |
| 26 |
> So my booting fails caused by an unmount error. |
| 27 |
> |
| 28 |
> On booting an own created initrd will be started to open luks encrypted |
| 29 |
> filesystem, so this last steps of linuxrc-script [2] fails (on umount |
| 30 |
> command): |
| 31 |
> |
| 32 |
> --- SNIP --- |
| 33 |
> pivot_root . initrd |
| 34 |
> |
| 35 |
> # Start init and flush ram device exec |
| 36 |
> chroot . /bin/sh <<- EOF >/dev/console 2>&1 |
| 37 |
> umount initrd |
| 38 |
> rm -rf initrd |
| 39 |
> blockdev --flushbufs /dev/ram0 |
| 40 |
> exec /sbin/init ${CMDLINE} |
| 41 |
> EOF |
| 42 |
> --- SNAP --- |
| 43 |
> |
| 44 |
> So I get this error: |
| 45 |
> --- SNIP --- |
| 46 |
> EXT3 FS on dm-0, internal journal |
| 47 |
> EXT3-fs: dm-0: 1 orphan inode deleted |
| 48 |
> EXT3-fs: recovery complete. |
| 49 |
> EXT3-fs: mounted filesystem with journal data mode. |
| 50 |
> 0000000037|rsbac_free_dat_dentry(): freeing dat dir dentries |
| 51 |
> 0000000038|do_umount() [sys_umount()]: umount failed -> calling |
| 52 |
> rsbac_mount for Device 01:00 |
| 53 |
> --- SNAP --- |
| 54 |
> |
| 55 |
> I've run the kernel with this options: |
| 56 |
> --- SNIP --- |
| 57 |
> Kernel command line: root=/dev/ram0 rw init=/linuxrc rsbac_softmode |
| 58 |
> console=ttyS0,57600 console=tty0 |
| 59 |
> --- SNAP --- |
| 60 |
> |
| 61 |
> Is this a RSBAC problem? Do I have to modify the script [2]? Perhaps |
| 62 |
> could somebody give a suggestion? |
| 63 |
> |
| 64 |
> Best regards, |
| 65 |
> Michael Decker |
| 66 |
> |
| 67 |
> [1] |
| 68 |
> http://gentoo-wiki.com/SECURITY_Encrypting_Root_Filesystem_with_DM-Crypt_with_LUKS |
| 69 |
> [2] |
| 70 |
> http://gentoo-wiki.com/SECURITY_Encrypting_Root_Filesystem_with_DM-Crypt_with_LUKS#Initrd_Scripts |
| 71 |
> -- |
| 72 |
> Michael Decker Michael.Decker@×××××.de |
| 73 |
> TESIS SYSware GmbH http://www.tesis.de |
| 74 |
> Baierbrunnerstr. 15 * 81379 Muenchen * Tel. +49 89 747377-0 |
| 75 |
> |
| 76 |
-- |
| 77 |
gentoo-hardened@g.o mailing list |
Archives