luneetunes (n00b)
Joined: 17 Mar 2006 Posts: 5
Posted: Mon Mar 20, 2006 1:25 am Post subject: Unable to boot into freshly converted selinux install...
OK, I had finally figured out what my policy issues were and why I couldn't create them. Now I've hit a giant brick wall. I can't figure out how to troubleshoot it since it involves not being able to even boot into an selinux kernel. Nor does the boot get far enough for me to create or even load the partition /var for the logs to be created in. My issue stems from this lovely boot message:
Quote:
    Checking root filesystem
    fsck.ext3: No such file or directory while trying to open /dev/hda3
    /dev/hda3:
    The super block could not be read or does not describe a correct ext2 filesystem.
Along with a few avc errors, but I get those throughout the entire boot. Next it asks me to hit ctrl+d or enter the root password to fix errors. Obviously I tried entering my root password, but it never went as far as loading my LVM groups, so the partitions with most of my system aren't available. Tried mounting them by hand once in my system but that wouldn't work. First tried activating them of course. =) Still no joy.
What I don't understand is why it talks about the super block being an ext2 file system. Is it not referring to /dev/hda3 in that manner, as /dev/hda3 is my / partition and is an ext3 partition?
Code:
    cat /etc/fstab
    /dev/hda1 /boot ext2 noauto,noatime 1 2
    /dev/hda3 / ext3 noatime 0 1
    /dev/hda2 none swap sw 0 0
    /dev/Hardened/usr /usr ext3 noatime 0 2
    /dev/Hardened/portage /usr/portage reiserfs noatime,notail 0 2
    /dev/Searching/distfiles /usr/portage/distfiles xfs defaults 0 2
    /dev/Hardened/var /var ext3 noatime 0 2
    /dev/Hardened/compile /var/portage ext3 noatime 0 2
    /dev/Searching/tmp /tmp ext3 noatime,noexec,nosuid 0 2
    /dev/Searching/data /data xfs defaults 0 2
    /dev/Searching/home /home ext3 noatime 0 2
    /dev/Searching/ccache /ccache ext3 noatime 0 2
    none /selinux selinuxfs defaults 0 0
    /dev/cdrw /cdrom iso9660 noauto,ro 0 0
    /dev/fd0 /mnt/floppy auto noauto 0 0
    proc /proc proc defaults 0 0
    shm /dev/shm tmpfs nodev,nosuid,noexec 0 0
    pts /dev/pts tmpfs nodev,nosuid,noexec 0 0

Code:
    uname -a
    Linux Searching 2.6.15-gentoo-r1 #3 Tue Mar 14 14:50:07 CST 2006 i686 Pentium II (Deschutes) GNU/Linux

Code:
    mount
    /dev/hda3 on / type ext3 (rw,noatime)
    proc on /proc type proc (rw)
    sysfs on /sys type sysfs (rw)
    udev on /dev type tmpfs (rw,nosuid)
    pts on /dev/pts type tmpfs (rw,noexec,nosuid,nodev)
    /dev/mapper/Hardened-usr on /usr type ext3 (rw,noatime)
    /dev/mapper/Hardened-portage on /usr/portage type reiserfs (rw,noatime,notail)
    /dev/mapper/Searching-distfiles on /usr/portage/distfiles type xfs (rw)
    /dev/mapper/Hardened-var on /var type ext3 (rw,noatime)
    /dev/mapper/Hardened-compile on /var/portage type ext3 (rw,noatime)
    /dev/mapper/Searching-tmp on /tmp type ext3 (rw,noexec,nosuid,noatime)
    /dev/mapper/Searching-data on /data type xfs (rw)
    /dev/mapper/Searching-home on /home type ext3 (rw,noatime)
    /dev/mapper/Searching-ccache on /ccache type ext3 (rw,noatime)
    shm on /dev/shm type tmpfs (rw,noexec,nosuid,nodev)
    usbfs on /proc/bus/usb type usbfs (rw,devmode=0664,devgid=85)
As you can see above, the filesystems are mounted just fine in a regular gentoo-sources kernel. The current hardened-sources kernel is 2.6.14-r6, which is what I've tried using. This error also happens with 2.6.14-r5. These are the only remaining 2.6 kernels for the hardened sources, as the others in portage are 2.4.
Does anyone have either of these two 2.6 kernel versions working? Or is there something wrong with what I've shown so far? By all means, if anyone needs more info to be able to help me pinpoint my issue, ask. I consider myself a complete selinux noob aside from what I've read on the gentoo hardened project pages and the red hat selinux guides. So I by no means think I didn't screw up somewhere. But without logs I dunno where to start.
petlab (Apprentice)
Joined: 03 May 2004 Posts: 290 Location: Armpit, Oregon
Posted: Mon Mar 20, 2006 7:03 am
I could answer the ext2 / ext3 question: an ext3 filesystem is "an ext2 filesystem with a journal." I read somewhere that "all ext3 fs are valid ext2 fs." So I would ignore that. The system either doesn't like the partition because it has something else in it, or the kern doesn't know ext2/3, or ...
Well, at least I could answer the first question.
HTH
luneetunes (n00b)
Joined: 17 Mar 2006 Posts: 5
Posted: Mon Mar 20, 2006 2:10 pm
Yes, thank you, that does get the one issue out of the way. That really was starting to concern me for a while. =) I don't see why the kernel wouldn't recognize the filesystem though. The ext2 and ext3 filesystems are built into the kernel, not as modules, and the security labels are set as per the hardened selinux handbook instructions. One thing I noticed was there were no security labels for /dev/pts as shown in the handbook. At least not in the 2.6.14 hardened sources. Is this built in by default in the hardened sources kernel? Thus no option?
Like I said earlier, I'm no selinux pro. Is there a policy setting that would block a fsck.ext3 from occurring on boot or in general? I've read through the hardened handbook for selinux front to back. Quite a few times. I fail to see where it has me change any type of policy settings or loosen up any type of system restrictions. Should the default settings "just work"?
krolden (Apprentice)
Joined: 28 May 2004 Posts: 293 Location: Belgium
Posted: Mon Mar 20, 2006 11:06 pm
Everything in SELinux gets a security context. This also includes processes. The policy enforcement server makes decisions on whether or not to allow an action based on the action, the contexts of subject and object, and the rules defined through Type Enforcement.
During boot there is a period of time when that server isn't up yet. So SELinux has defined a certain boot procedure. It uses initial SIDs (Security IDs) to accomplish this.
I believe that the problem has something to do with those initial SIDs. The actions it goes through are probably not adequately defined and hence are denied (everything is denied except what is explicitly permitted pretty much sums up the SELinux approach).
In my experience SELinux has a high learning curve and it takes some time to understand how it works. Nonetheless it's a very interesting framework. (I'm writing my MSc thesis on it, btw.)
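As an added example (not from the thread or from any poster), here is how krolden's point about denied boot-time actions can be checked once logs are reachable: parse the kernel's avc lines and collapse the denials into the subject type, object type and object class triples the policy would have had to permit. The sample lines, pids, process names and contexts below are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of the AVC messages a 2.6-era kernel writes to dmesg when
# SELinux denies or audits an access. The thread never quotes its own avc lines,
# so the pids, inode numbers and device names here are illustrative only.
SAMPLE_DMESG = """\
audit(1142800000.123:5): avc:  denied  { read write } for  pid=812 comm="fsck.ext3" name="hda3" dev=tmpfs ino=1234 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:device_t tclass=blk_file
audit(1142800000.125:6): avc:  denied  { getattr } for  pid=812 comm="fsck.ext3" name="hda3" dev=tmpfs ino=1234 scontext=system_u:system_r:fsadm_t tcontext=system_u:object_r:device_t tclass=blk_file
audit(1142800000.400:7): avc:  granted  { load_policy } for  pid=1 comm="init" scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:security_t tclass=security
audit(1142800000.900:8): avc:  denied  { search } for  pid=900 comm="vgchange" name="mapper" dev=tmpfs ino=77 scontext=system_u:system_r:lvm_t tcontext=system_u:object_r:device_t tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(text):
    """One dict per AVC line: verdict, the permission set, and each key=value."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = {"verdict": m.group(1), "perms": set(m.group(2).split())}
        for key, val in FIELD_RE.findall(m.group(3)):
            rec[key] = val.strip('"')
        records.append(rec)
    return records


def type_of(context):
    """Third field of user:role:type, e.g. system_u:system_r:fsadm_t -> fsadm_t."""
    return context.split(":")[2]


def summarize_denials(records):
    """Merge denied permissions per (subject type, object type, object class)."""
    grouped = defaultdict(set)
    for rec in records:
        if rec["verdict"] == "denied":
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
            grouped[key] |= rec["perms"]
    return {k: sorted(v) for k, v in grouped.items()}


def allow_rules(records):
    """Each merged denial as the TE rule the policy lacks (audit2allow style)."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(p))
            for (s, t, c), p in sorted(summarize_denials(records).items())]


RULES = allow_rules(parse_avc(SAMPLE_DMESG))
```

A denial against a generic object type such as device_t usually points to a mislabeled node that needs relabeling rather than to a missing allow rule, so treat the rendered rules as a diagnostic, not as policy to load.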
Turbo (n00b)
Joined: 29 Oct 2004 Posts: 43
Posted: Thu Mar 23, 2006 1:01 am
Why not boot it in permissive mode?
luneetunes (n00b)
Joined: 17 Mar 2006 Posts: 5
Posted: Fri Mar 24, 2006 10:21 pm
Turbo wrote:
    Why not boot it in permissive mode?

I _was_ booting into permissive mode.
Anyways, I'd like to thank Krolden and Petlab. I learned a bit during this adventure but in the end found out that the howto is missing something. Not sure what that is yet, but I ran into too many problems. Ended up just deleting my entire install and starting a fresh selinux installation using the 2005.1 hardened cd. It went extremely smoothly aside from a few minor issues. Writing to you now "through" the new selinux install as it is my router/firewall. Thanks again guys.
One final question for this thread before I mark it solved. This doesn't deserve its own topic. Is there anywhere I can find better selinux docs for daily setup and usage other than the red hat documentation? I found it to be rather complete. The official selinux site on www.nsa.gov/selinux isn't as helpful as I'd like it to be. It's no gentoo documentation equal, that's for sure. And the mailing lists I've found are rather slow in terms of new content.
krolden (Apprentice)
Joined: 28 May 2004 Posts: 293 Location: Belgium
Posted: Wed Apr 12, 2006 8:56 pm
luneetunes wrote:
    Turbo wrote:
        Why not boot it in permissive mode?

    I _was_ booting into permissive mode.
    Anyways, I'd like to thank Krolden and Petlab. I learned a bit during this adventure but in the end found out that the howto is missing something. Not sure what that is yet, but I ran into too many problems. Ended up just deleting my entire install and starting a fresh selinux installation using the 2005.1 hardened cd. It went extremely smoothly aside from a few minor issues. Writing to you now "through" the new selinux install as it is my router/firewall. Thanks again guys.
    One final question for this thread before I mark it solved. This doesn't deserve its own topic. Is there anywhere I can find better selinux docs for daily setup and usage other than the red hat documentation? I found it to be rather complete. The official selinux site on www.nsa.gov/selinux isn't as helpful as I'd like it to be. It's no gentoo documentation equal, that's for sure. And the mailing lists I've found are rather slow in terms of new content.

I found the O'Reilly book to be quite good.
Also take a look at http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/