dracut: ordering of modules
Hi Mimi

I'm CCing the systemd and Fedora SELinux mailing lists.

Unfortunately, the SELinux policy initialization (at least in Fedora 16) has been moved to systemd, so, now, loading an IMA policy cannot be done in the initial ramdisk. Further, the SELinux policy loading code is not in a unit file but embedded in the main binary, which means that the new code for loading IMA policies must be added just after that point.

I already wrote a patch for this. I need some time to test it and will post in the systemd mailing list at the beginning of the next week.

Roberto Sassu

On 02/10/2012 04:01 PM, Mimi Zohar wrote:
> Hi Harald,
>
> Originally, 98integrity/ima-policy-load.sh didn't start executing before 98selinux/selinux-loadpolicy.sh finished, but unfortunately it now does.
>
> inst_hook pre-pivot 50 "$moddir/selinux-loadpolicy.sh"
> inst_hook pre-pivot 62 "$moddir/ima-policy-load.sh"
>
> As the IMA policy could be dependent on LSM runtime info, this is a problem.
>
> [ 10.040574] type=1805 audit(1328865524.387:2): action="dont_measure" fsmagic="0x9fa0" res=0
> [ 10.040663] type=1805 audit(1328865524.387:3): action="dont_appraise" fsmagic="0x9fa0" res=0
> [ 10.040729] type=1805 audit(1328865524.387:4): action="dont_measure" fsmagic="0x62656572" res=0
> [ 10.040792] type=1805 audit(1328865524.387:5): action="dont_appraise" fsmagic="0x62656572" res=0
> [ 10.040857] type=1805 audit(1328865524.387:6): action="dont_measure" fsmagic="0x64626720" res=0
> [ 10.040921] type=1805 audit(1328865524.387:7): action="dont_appraise" fsmagic="0x64626720" res=0
> [ 10.040985] type=1805 audit(1328865524.387:8): action="dont_measure" fsmagic="0x01021994" res=0
> [ 10.041047] type=1805 audit(1328865524.387:9): action="dont_appraise" fsmagic="0x01021994" res=0
> [ 10.041113] type=1805 audit(1328865524.387:10): action="dont_measure" fsmagic="0x73636673" res=0
> [ 10.041177] type=1805 audit(1328865524.387:11): action="dont_appraise" fsmagic="0x73636673" res=0
> [ 11.898956] SELinux: Completing initialization.
>
> I've tried adding a depend for selinux, but it doesn't seem to resolve the problem, nor does delaying 98integrity to later. Any suggestions would be appreciated.
>
> thanks,
>
> Mimi

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
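A check for the ordering problem reported in the quoted message, as an added example that is not part of the thread or of dracut: it reads a kernel log and reports whether IMA policy rules were loaded before SELinux finished initializing. The function name `check_ima_order` is hypothetical, and the check assumes, as the quoted log does, that `type=1805` records mark IMA policy rules being loaded and that the `SELinux: Completing initialization.` line marks the SELinux policy being in place.

```shell
#!/bin/sh
# check_ima_order: read a kernel log (dmesg format) on stdin and print one of
#   ima-before-selinux | ok | no-ima-rules | no-selinux-marker
# (hypothetical helper, added for illustration)
check_ima_order() {
    awk '
    # Take the leading "[ seconds.fraction]" stamp; skip lines without one.
    match($0, /\[ *[0-9]+\.[0-9]+\]/) {
        ts = substr($0, RSTART + 1, RLENGTH - 2) + 0
        if ($0 ~ /type=1805 /) {
            # IMA policy rule audit record: remember the earliest one.
            if (!n++) first = ts
        } else if ($0 ~ /SELinux: +Completing initialization/) {
            # One or more spaces after the colon are accepted.
            if (!seen++) sel = ts
        }
    }
    END {
        if (!n)               print "no-ima-rules"
        else if (!seen)       print "no-selinux-marker"
        else if (first < sel) print "ima-before-selinux"
        else                  print "ok"
    }'
}

# Excerpt of the log quoted in the thread: IMA rules at 10.04 s, SELinux at 11.89 s.
THREAD_LOG='[ 10.040574] type=1805 audit(1328865524.387:2): action="dont_measure" fsmagic="0x9fa0" res=0
[ 10.040663] type=1805 audit(1328865524.387:3): action="dont_appraise" fsmagic="0x9fa0" res=0
[ 11.898956] SELinux: Completing initialization.'

# Constructed sample showing the intended order (SELinux first, then IMA rules).
FIXED_LOG='[ 9.100000] SELinux:  Completing initialization.
[ 10.040574] type=1805 audit(1328865524.387:2): action="dont_measure" fsmagic="0x9fa0" res=0'

printf '%s\n' "$THREAD_LOG" | check_ima_order
printf '%s\n' "$FIXED_LOG"  | check_ima_order
```

On a live system the same function can be fed with `dmesg | check_ima_order`.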
dracut: ordering of modules
On 02/13/2012 10:59 AM, Harald Hoyer wrote:
> On 10.02.2012 16:01, Mimi Zohar wrote:
>> Hi Harald,
>>
>> Originally, 98integrity/ima-policy-load.sh didn't start executing before 98selinux/selinux-loadpolicy.sh finished, but unfortunately it now does.
>>
>> inst_hook pre-pivot 50 "$moddir/selinux-loadpolicy.sh"
>> inst_hook pre-pivot 62 "$moddir/ima-policy-load.sh"
>>
>> As the IMA policy could be dependent on LSM runtime info, this is a problem.
>>
>> [ 10.040574] type=1805 audit(1328865524.387:2): action="dont_measure" fsmagic="0x9fa0" res=0
>> [ 10.040663] type=1805 audit(1328865524.387:3): action="dont_appraise" fsmagic="0x9fa0" res=0
>> [ 10.040729] type=1805 audit(1328865524.387:4): action="dont_measure" fsmagic="0x62656572" res=0
>> [ 10.040792] type=1805 audit(1328865524.387:5): action="dont_appraise" fsmagic="0x62656572" res=0
>> [ 10.040857] type=1805 audit(1328865524.387:6): action="dont_measure" fsmagic="0x64626720" res=0
>> [ 10.040921] type=1805 audit(1328865524.387:7): action="dont_appraise" fsmagic="0x64626720" res=0
>> [ 10.040985] type=1805 audit(1328865524.387:8): action="dont_measure" fsmagic="0x01021994" res=0
>> [ 10.041047] type=1805 audit(1328865524.387:9): action="dont_appraise" fsmagic="0x01021994" res=0
>> [ 10.041113] type=1805 audit(1328865524.387:10): action="dont_measure" fsmagic="0x73636673" res=0
>> [ 10.041177] type=1805 audit(1328865524.387:11): action="dont_appraise" fsmagic="0x73636673" res=0
>> [ 11.898956] SELinux: Completing initialization.
>>
>> I've tried adding a depend for selinux, but it doesn't seem to resolve the problem, nor does delaying 98integrity to later. Any suggestions would be appreciated.
>>
>> thanks,
>>
>> Mimi
>
> In Fedora the selinux dracut module is disabled by default. You have to enable it manually.

Hi Harald

this functionality seems to be broken in dracut due to a change in the SELinux load_policy tool. After enabling the selinux module in dracut, I obtain:

[ 3.369059] dracut: Loading SELinux policy
[ 3.449850] dracut: /sbin/load_policy: Can't load policy: No such file or directory
[ 3.659899] dracut: Switching root

> echo 'add_dracutmodules+=" selinux "'>> /etc/dracut.conf.d/99-my.conf
>
> although, this also should do the thing:
>
> $ git diff modules.d/98integrity/module-setup.sh diff --git a/modules.d/98integrity/module-setup.sh b/modules.d/98integrity/module-setup.sh index 7d5771c..ff1b4aa 100755 --- a/modules.d/98integrity/module-setup.sh +++ b/modules.d/98integrity/module-setup.sh @@ -7,7 +7,7 @@ check() { } depends() { - echo masterkey securityfs + echo masterkey securityfs selinux return 0 }
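Review bot: in depends(), the added `selinux` entry makes 98integrity require the selinux module unconditionally, and the hunk has no comment saying why. Earlier in this thread the selinux module is described as disabled by default in Fedora, and a depend on selinux is reported as already tried without resolving the ordering, so the change should state what it is expected to guarantee: the run order quoted above is set by the `inst_hook pre-pivot` priorities (50 and 62), not by this list. Suggest a short comment in depends() explaining the requirement, or making the dependency conditional on the selinux module being wanted.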
dracut: ordering of modules
On 02/13/2012 05:29 AM, Harald Hoyer wrote:
> On 13.02.2012 11:17, Roberto Sassu wrote:
>> Hi Harald
>>
>> this functionality seems to be broken in dracut due to a change in the SELinux load_policy tool. After enabling the selinux module in dracut, I obtain:
>>
>> [ 3.369059] dracut: Loading SELinux policy
>> [ 3.449850] dracut: /sbin/load_policy: Can't load policy: No such file or directory
>> [ 3.659899] dracut: Switching root
>
> This error can have multiple causes... Dan?

Well likeliest would be selinux-policy package is not installed.
dracut: ordering of modules
Hi Dan

I confirm this issue happens in a Fedora 16 system with the selinux-policy package installed.

The selinux dracut module tries to load the policy but returns with the error below. After switching root, the policy is successfully loaded by Systemd.

Thanks

Roberto Sassu

On 02/13/2012 06:00 PM, Daniel J Walsh wrote:
> On 02/13/2012 05:29 AM, Harald Hoyer wrote:
>> On 13.02.2012 11:17, Roberto Sassu wrote:
>>> Hi Harald
>>>
>>> this functionality seems to be broken in dracut due to a change in the SELinux load_policy tool. After enabling the selinux module in dracut, I obtain:
>>>
>>> [ 3.369059] dracut: Loading SELinux policy
>>> [ 3.449850] dracut: /sbin/load_policy: Can't load policy: No such file or directory
>>> [ 3.659899] dracut: Switching root
>>
>> This error can have multiple causes... Dan?
>
> Well likeliest would be selinux-policy package is not installed.
dracut: ordering of modules
On 02/14/2012 10:53 AM, Roberto Sassu wrote:
> Hi Dan
>
> I confirm this issue happens in a Fedora 16 system with the selinux-policy package installed.
>
> The selinux dracut module tries to load the policy but returns with the error below. After switching root, the policy is successfully loaded by Systemd.
>
> Thanks
>
> Roberto Sassu

Well in F16 dracut is not supposed to load the policy.

> On 02/13/2012 06:00 PM, Daniel J Walsh wrote:
>> On 02/13/2012 05:29 AM, Harald Hoyer wrote:
>>> On 13.02.2012 11:17, Roberto Sassu wrote:
>>>> Hi Harald
>>>>
>>>> this functionality seems to be broken in dracut due to a change in the SELinux load_policy tool. After enabling the selinux module in dracut, I obtain:
>>>>
>>>> [ 3.369059] dracut: Loading SELinux policy
>>>> [ 3.449850] dracut: /sbin/load_policy: Can't load policy: No such file or directory
>>>> [ 3.659899] dracut: Switching root
>>>
>>> This error can have multiple causes... Dan?
>>
>> Well likeliest would be selinux-policy package is not installed.