Shadow_Fury Tux's lil' helper
Joined: 20 Apr 2021 Posts: 138 Location: 11.435765792823453, 143.05926743686274
Posted: Sat Mar 04, 2023 11:19 pm Post subject: |
ukky wrote:
As @grknight pointed out, I have these lines in my init script:
Code:
    SWITCH_ROOT="/bin/busybox switch_root"
    exec ${SWITCH_ROOT} ${NEWROOT} ${INIT} ${INIT_ARGS}
Please try:
Code:
    exec /bin/busybox switch_root /mnt/root /sbin/init || rescue_shell "failed to hand off execution to main kernel"

Does not help.
Also, I don't think it's the /init script, since it is literally identical to the one that booted my previous installation (the UUIDs are the same, since it's literally installed on the same partitions as the old one).
pietinger Moderator
Joined: 17 Oct 2006 Posts: 4236 Location: Bavaria
Posted: Sat Mar 04, 2023 11:21 pm Post subject: |
@all,
I don't think it's a problem with security settings. Yes, there are a lot of options enabled which could lead to problems ...
... e.g. when using UNSIGNED modules, then THIS would cause a reject to load a module:
Code:
    CONFIG_SECURITY_LOCKDOWN_LSM=y
    CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y
    CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y
This can also lead to problems:
Code:
    CONFIG_DM_VERITY=m
    CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
    CONFIG_DM_VERITY_FEC=y
    CONFIG_IMA_APPRAISE=y
    CONFIG_IMA_ARCH_POLICY=y
... BUT ... we would see error messages from the kernel ...
I assume this is a virtual machine?
Code:
    CONFIG_DRM_VIRTIO_GPU=y
I assume some settings in the kernel have been made without knowing what they do:
Code:
    CONFIG_GENTOO_KERNEL_SELF_PROTECTION=y
(it does nothing; two other options must be enabled; see more here: https://wiki.gentoo.org/wiki/User:Pietinger/Tutorials/Kernel_Hardening_with_KSPP )
I would suggest enabling this
Code:
    # CONFIG_PANIC_ON_OOPS is not set
and then we will see more.
I also had some problems with my (embedded) initramfs ... if there is any problem with busybox you will see only a kernel panic ...
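The post above names a handful of .config options that can turn a failed init handover into a silent hang or a misleading error. The script below is an added example, not code from the thread or from pietinger: it reads a plain-text .config and prints one line per option in that list that is set the "dangerous" way. The function names are my own; the only assumption about the kernel is the standard .config syntax ("SYMBOL=y" or "# SYMBOL is not set").

```shell
#!/bin/sh
# Added example, not code from the thread: report the .config options named in
# the post above that can make a failed init handover silent or misleading.
# Usage: sh kconfig_audit.sh /usr/src/linux/.config
# Assumption: FILE is a plain-text .config (run zcat /proc/config.gz > FILE
# first if you only have the compressed copy).

# kconfig_val FILE SYMBOL: print the symbol's value (y, m, a number or string),
# or "n" when the line reads "# SYMBOL is not set" or the symbol is absent.
kconfig_val() {
    _v=$(sed -n "s/^$2=//p" "$1" | head -n 1)
    if [ -n "$_v" ]; then printf '%s\n' "$_v"; else printf 'n\n'; fi
}

# kconfig_lockdown_forced FILE: true when the lockdown LSM is built in AND
# forced into integrity or confidentiality mode at build time; in either mode
# unsigned modules are rejected and the command line cannot lower the mode.
kconfig_lockdown_forced() {
    [ "$(kconfig_val "$1" CONFIG_SECURITY_LOCKDOWN_LSM)" = y ] || return 1
    [ "$(kconfig_val "$1" CONFIG_LOCK_DOWN_KERNEL_FORCE_INTEGRITY)" = y ] ||
        [ "$(kconfig_val "$1" CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY)" = y ]
}

# kconfig_oops_silent FILE: true when an oops does not panic, so a crash while
# exec'ing /sbin/init can look like a hang instead of printing a backtrace.
kconfig_oops_silent() {
    [ "$(kconfig_val "$1" CONFIG_PANIC_ON_OOPS)" != y ]
}

# audit_kconfig FILE: print one line per finding (prints nothing when none of
# the options in the post is set the risky way). Always exits 0.
audit_kconfig() {
    _f=$1
    kconfig_lockdown_forced "$_f" &&
        echo "lockdown forced at boot: unsigned modules are rejected"
    [ "$(kconfig_val "$_f" CONFIG_IMA_APPRAISE)" = y ] &&
        echo "IMA appraisal built in: behaviour depends on ima_appraise= on the command line"
    [ "$(kconfig_val "$_f" CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG)" = y ] &&
        echo "dm-verity root-hash signature checking built in (a signature is demanded only with dm_verity.require_signatures=1)"
    kconfig_oops_silent "$_f" &&
        echo "CONFIG_PANIC_ON_OOPS off: an oops in the init handover prints no panic"
    [ "$(kconfig_val "$_f" CONFIG_GENTOO_KERNEL_SELF_PROTECTION)" = y ] &&
        echo "CONFIG_GENTOO_KERNEL_SELF_PROTECTION=y on its own enables nothing (see the tutorial linked above)"
    [ "$(kconfig_val "$_f" CONFIG_DRM_VIRTIO_GPU)" = y ] &&
        echo "virtio GPU driver built in: normally only wanted in a VM guest"
    return 0
}

if [ $# -gt 0 ]; then
    audit_kconfig "$1"
fi
```

The checks are deliberately read-only and run fine from an initramfs rescue shell with busybox sed and head; the point is to know, before switch_root, whether the kernel will refuse unsigned modules or swallow an oops, because in both cases the only symptom at the handover is silence.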
Shadow_Fury Tux's lil' helper
Joined: 20 Apr 2021 Posts: 138 Location: 11.435765792823453, 143.05926743686274
Posted: Sat Mar 04, 2023 11:25 pm Post subject: |
pietinger wrote: (the full post quoted above)
Not a VM. I think that was either because I thought it was necessary for running virtio guests, or I turned it on accidentally.
In terms of this:
pietinger wrote:
    I assume some settings in kernel have been made without knowing what it does:
    Code:
        CONFIG_GENTOO_KERNEL_SELF_PROTECTION=y
    (it does nothing; there must be enabled two other options; see more here: https://wiki.gentoo.org/wiki/User:Pietinger/Tutorials/Kernel_Hardening_with_KSPP )
I think I turned off some things in an attempt to debug, so that might be why some configs seem strange. I could also just have been an idiot, so there's that reason too.
I'll turn on panic on oops and try to boot again, see if anything changes...
Shadow_Fury Tux's lil' helper
Joined: 20 Apr 2021 Posts: 138 Location: 11.435765792823453, 143.05926743686274
Posted: Sat Mar 04, 2023 11:38 pm Post subject: |
Update:
Turned on CONFIG_PANIC_ON_OOPS (and turned off module compression); nothing changed. Literally no new panics, still just frozen at the handover...
pingtoo l33t
Joined: 10 Sep 2021 Posts: 932 Location: Richmond Hill, Canada
Posted: Sat Mar 04, 2023 11:59 pm Post subject: |
Shadow_Fury wrote:
Before running openrc sysinit, the /sys/fs/selinux dir is empty; after running it, enforce is already 0.
Before sysinit, the /sys/kernel/security dir is empty; after, the contents of lsm is as follows: "lockdown,capability,selinux"
In the dmesg log, there is just a bunch of audit calls that look like this:
Code:
    audit: type=1800 audit(1677969036.072:148): pid=613 uid=0 audid=4294967295 ses=4294967295 subj=kernel op=appraise_data cause=IMA-signature-required comm="dmesg" name="/lib64/libc.so.6" dev="dm-2" ino=252710 res=0 errno=0
Code:
    linux /vmlinuz ... ima_appraise=fix ...
This sets IMA into fix mode, where it doesn't actually enforce signatures, so IMA shouldn't be the problem.
When running /sbin/openrc sysinit, the following output is produced:
Code:
    OpenRC 0.46 is starting up Gentoo linux (x86_64)
    * /proc is already mounted
    * mounting /run ...
    * /run/openrc : creating directory ...
    * /run/lock : creating directory ...
    * /run/lock : correcting owner ...
    * Caching service dependencies ...
    * Mounting Security filesystem ...
    * Mounting SElinux filesystem ...
    * Mounting efivars filesystem ...
    * Restoring SElinux contexts in /sys
    * Mounting cgroup filesystem ...
    * Restoring SElinux contexts in /sys/fs/cgroup
    * remounting devtmpfs on /dev
    * Mounting /dev/mqueue
    * Mounting /dev/pts
    * Mounting /dev/shm
    * restoring SElinux contexts in /dev
    * creating list of static device nodes for the current kernel
    * creating static device nodes in /dev
    * starting udev
    * populating /dev/ with existing devices through uevents ...
As mentioned above, /sys/kernel/security/lsm and /sys/fs/selinux/enforce do not exist until this runs, and SELinux is set to permissive mode already.
This demonstrates that you have a good rootfs so far. I was not expecting this; I was hoping we would discover something not right at this point.
We can try to go further in the boot sequence, maybe into the boot runlevel or even one of the other runlevels.
So assume you restart from the beginning.
Code:
    exec switch_root /mnt/root /bin/bash
    /sbin/openrc sysinit
    /sbin/openrc boot
    /sbin/openrc single
If everything flows normally to the end of "/sbin/openrc single", at this point you are booted into single-user mode. I am not sure whether you will get a message indicating you are in single-user mode or not. However, can you again poke around the system to see if everything looks normal to you? At this point /dev should be mounted, and /proc, /sys, some cgroups and the file systems you specified in /etc/fstab should be mounted (I think). If all looks normal, maybe we can try to switch the runlevel to default by
Code:
    /sbin/openrc default
If switching the runlevel leads to an expected, normal system, as in you either get a login prompt or your GUI system starts, then something is wrong with the /sbin/init binary. Maybe you want to rebuild it to see if that helps solve this problem.
However, if switching the runlevel to default leads to a black screen, you may be missing a necessary display driver. At this point I am not much help, because I am on an RPi and don't know much about x86-based display systems. I hope someone else can step in to help you with the display system problem.
EDIT: just thought of another possibility: /etc/inittab is bad. Assuming switching the runlevel to default is successful, my guess is that either /sbin/init is bad or something is funky about /etc/inittab; maybe something is hidden in /etc/inittab. Try to compare it with another system to see if the checksums match. I have had experience with /etc/{passwd,shadow} having an extra blank at the end; this caused strange behaviour where su/sudo complained that /bin/sh (or /bin/bash) does not exist. It was actually complaining that "/bin/sh " (or "/bin/bash ") does not exist, but that is hard to read from the error message.
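Two things in this thread are worth scripting rather than eyeballing from a rescue shell: ukky's "exec switch_root ... || rescue_shell" suggestion earlier assumes the target /sbin/init is a usable binary, and pingtoo's post above adds the trailing-blank gotcha in /etc/passwd and /etc/inittab plus the question of whether IMA is really in a non-enforcing mode. The script below is an added example, not code from the thread or from any of the posters: it runs those checks against the mounted new root before the handover, and can also summarise which files the kernel logged as needing an IMA signature from a captured dmesg. The helper names, the /mnt/root mount point and the sample audit lines in the test are my own constructions.

```shell
#!/bin/sh
# Added example, not code from the thread: checks to run from the initramfs
# rescue shell before "exec switch_root", covering what the posts above poke at
# by hand. The helper names and the /mnt/root mount point are hypothetical.
# Usage: sh handoff_preflight.sh /mnt/root [captured-dmesg.txt]

# elf_magic FILE: true when FILE begins with the 4-byte ELF magic, i.e. it is a
# native executable and not a truncated file, a shell wrapper or a dangling
# symlink. Absolute symlinks inside ROOT resolve against the running system,
# so run this from a chroot if /sbin/init is a link.
elf_magic() {
    [ -r "$1" ] || return 1
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = 7f454c46 ]
}

# trailing_blank FILE: true when any line ends in a space or tab. pingtoo's
# /etc/passwd case: "/bin/sh " is not "/bin/sh", and the error message hides
# the difference.
trailing_blank() {
    grep -q '[[:space:]]$' "$1" 2>/dev/null
}

# ima_appraise_mode CMDLINE: the mode chosen by ima_appraise= (off, log, fix
# or enforce); the kernel defaults to enforce when the parameter is absent,
# and only enforce actually refuses files that fail appraisal.
ima_appraise_mode() {
    _m=$(printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^ima_appraise=//p' | tail -n 1)
    printf '%s\n' "${_m:-enforce}"
}

# ima_unsigned_files LOGFILE: each file (once) whose appraisal was logged with
# cause=IMA-signature-required, taken from type=1800 INTEGRITY_DATA records.
ima_unsigned_files() {
    grep 'type=1800' "$1" | grep 'cause=IMA-signature-required' |
        sed -n 's/.* name="\([^"]*\)".*/\1/p' | sort -u
}

# handoff_preflight ROOT: run every check against the mounted new root; print
# one line per problem and return non-zero if anything failed.
handoff_preflight() {
    _root=$1
    _rc=0
    for _b in /sbin/init /sbin/openrc /bin/bash; do
        if ! elf_magic "$_root$_b"; then
            echo "FAIL: $_root$_b missing, unreadable or not an ELF binary"
            _rc=1
        fi
    done
    for _f in /etc/inittab /etc/passwd /etc/shadow; do
        if trailing_blank "$_root$_f"; then
            echo "WARN: $_root$_f has trailing whitespace on some line"
            _rc=1
        fi
    done
    return $_rc
}

if [ $# -gt 0 ]; then
    handoff_preflight "$1" || echo "do not switch_root yet"
    if [ -n "$2" ]; then
        echo "ima_appraise mode: $(ima_appraise_mode "$(cat /proc/cmdline)")"
        echo "files logged as needing an IMA signature:"
        ima_unsigned_files "$2"
    fi
fi
```

The ELF check is the one that would have caught this thread's actual cause earliest: a sysvinit built with a toolchain option it does not tolerate still has the magic bytes, but a zero-length or shell-wrapper /sbin/init does not, and both look identical from the "frozen at the handover" side. If the preflight passes, the manual runlevel walk from the post above (switch_root into bash, then sysinit, boot, single, default one at a time) is the next step.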
Shadow_Fury Tux's lil' helper
Joined: 20 Apr 2021 Posts: 138 Location: 11.435765792823453, 143.05926743686274
Posted: Sun Mar 05, 2023 12:32 am Post subject: |
... I'm an idiot...
The problem is the handover to /sbin/init, right?
So what did I forget to try? Rebuilding the sysvinit package...
Long story short, that fixed the problem.
Also note: sysvinit does not appreciate clang's link-time optimizer, so make sure that you don't build it with the -flto compiler flag.
Issue solved, user feels like an idiot.
Thank you, everyone, for the help.
-S
ukky Tux's lil' helper
Joined: 26 Feb 2023 Posts: 109 Location: Montreal, Canada
Posted: Sun Mar 05, 2023 12:37 am Post subject: |
Shadow_Fury,
That's great you found a fix.
And there's nothing wrong with making mistakes. We all make them.
NeddySeagoon Administrator
Joined: 05 Jul 2003 Posts: 54300 Location: 56N 3W
Posted: Sun Mar 05, 2023 11:49 am Post subject: |
Shadow_Fury,
That's experience. Across the forum, we have a lot of it.
Experience is what you get just after you needed it. :)
I'm pleased it's fixed.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.