Mailing List Archive: Gentoo: Hardened

new kernel not being able to mount filesystems?



roel at vromen

May 23, 2005, 2:32 PM

Post #1 of 6
new kernel not being able to mount filesystems?

Hi list,

I have a weird problem: when I compile a 2.6.11-kernel (the version is
probably not the culprit though) and try to boot it (in enforcing mode) it
always gives the following error:
----
audit(1116881914.014:0): avc: denied { execmod } for pid=1 comm=init
path=/sbin/init dev=hda3 ino=418514 scontext=system_u:system_r:init_t
tcontext=system_u:object_r:init_exec_t tclass=file
/sbin/initKernel panic - not syncing: Attempted to kill init!
: error while loading shared libraries: cannot restore segment prot after
reloc
: Permission denied
-----

Weird though: I have about the same setup on another system which runs just
fine with linux-2.6.11-hardened-r13 as kernel. ls -Z shows no differences for
the /sbin/init labeling, and the kernel.te and bootloader.te show no
differences as far as I can tell. And both kernels are compiled with the
exact same .config file.

Make relabel doesn't change a thing.

Does anyone have a clue where to look or what to do?

regards,

Roel

When I use the old kernel, everything is fine again.


solar at gentoo

May 23, 2005, 1:02 PM

Post #2 of 6
Re: new kernel not being able to mount filesystems? [In reply to]

On Mon, 2005-05-23 at 21:32 +0000, Roel Vromen wrote:
> Hi list,
>
> I have a weird problem: when I compile a 2.6.11-kernel (the version is
> probably not the culprit though) and try to boot it (in enforcing mode) it
> always gives the following error:
> ----
> audit(1116881914.014:0): avc: denied { execmod } for pid=1 comm=init
> path=/sbin/init dev=hda3 ino=418514 scontext=system_u:system_r:init_t
> tcontext=system_u:object_r:init_exec_t tclass=file
> /sbin/initKernel panic - not syncing: Attempted to kill init!
> : error while loading shared libraries: cannot restore segment prot after
> reloc
> : Permission denied
> -----

Does your init have any text relocations in it?

In the past TEXTRELs were only a problem for hardened toolchain users.
But that has changed. Now SELinux will be just as non-permitting with
them as the toolchain.
--
Ned Ludd <solar [at] gentoo>

--
gentoo-hardened [at] gentoo mailing list


pageexec at freemail

May 23, 2005, 2:10 PM

Post #3 of 6
Re: new kernel not being able to mount filesystems? [In reply to]

> > Does your init have any text relocations in it?
>
> I'm not sure how to interpret this: please forgive my stupidity. I'll try to
> guess:

Text relocations are a feature of executable files (including shared
libraries), and they are something to get rid of (this requires changes
to the given app's build system, or sometimes programming). What you
should do is run 'readelf -d /path/to/binary | grep TEXTREL' on init
itself and all libraries it links in; at least one of them will produce
some output (if you have a recent elfutils then you should use
eu-findtextrel instead).



roel at vromen

May 23, 2005, 3:42 PM

Post #4 of 6
Re: new kernel not being able to mount filesystems? [In reply to]

Dear Ned,

> > I have a weird problem: when I compile a 2.6.11-kernel (the version is
> > probably not the culprit though) and try to boot it (in enforcing mode)
> > it always gives the following error:
> > ----
> > audit(1116881914.014:0): avc: denied { execmod } for pid=1 comm=init
> > path=/sbin/init dev=hda3 ino=418514 scontext=system_u:system_r:init_t
> > tcontext=system_u:object_r:init_exec_t tclass=file
> > /sbin/initKernel panic - not syncing: Attempted to kill init!
> >
> > : error while loading shared libraries: cannot restore segment prot
> > : after
> >
> > reloc
> >
> > : Permission denied
> >
> > -----
>
> Does your init have any text relocations in it?

I'm not sure how to interpret this: please forgive my stupidity. I'll try to
guess:

- In case you meant: are there mountpoints such as "/var/usr/something" which
would then point to another partition: no.

- In case you meant: do you use a line like "kernel (hd0,0)/boot/bzImage" in
your grub.conf, which then points to a real kernel-file
like /boot/kernel-2.6.11-hardened-r13: yes, but the problems are also arising
when I link directly to /boot/kernel-2.6.11-hardened-r13 in grub.conf.

Moreover, both these kinds of configuration are the same on the working
system.

Did I understand you correctly, or do I fail to understand your mail?

Regards,

Roel

> In the past TEXTREL's were only a problem for hardened toolchain users.
> But that has changed. Now selinux will be just as non permitting with
> them as the toolchain.
> --
> Ned Ludd <solar [at] gentoo>


roel at vromen

May 24, 2005, 2:03 PM

Post #5 of 6
Re: new kernel not being able to mount filesystems? [In reply to]

On Monday 23 May 2005 21:10, pageexec [at] freemail wrote:
> > > Does your init have any text relocations in it?
> >
> > I'm not sure how to interpret this: please forgive my stupidity. I'll try
> > to guess:
>
> Text relocations are a feature of executable files (including shared
> libraries), and they are something to get rid of (this requires changes
> to the given app's build system, or sometimes programming). What you
> should do is run 'readelf -d /path/to/binary | grep TEXTREL' on init
> itself and all libraries it links in; at least one of them will produce
> some output (if you have a recent elfutils then you should use
> eu-findtextrel instead).

Nice to have such knowledgeable people on the board. You were so right!

shame though, that it seems that just about any program I use has TEXTREL set
as a feature. I haven't got a clue why this is all over one system, and
nowhere on the other, while emerge system shows the same result.

Fortunately, if I re-emerge a package, I lose the TEXTREL feature.

Looks like I'm going for an emerge -e system...

Thanx,

Roel


pageexec at freemail

May 25, 2005, 5:27 PM

Post #6 of 6
Re: new kernel not being able to mount filesystems? [In reply to]

> shame though, that it seems that just about any program I use has TEXTREL set
> as a feature. I haven't got a clue why this is all over one system, and
> nowhere on the other, while emerge system shows the same result.

This normally comes from some system-wide object file that gets
linked into everything (crt*.o for example) and which is not PIC.
Probably you have re-emerged the package that had caused this since
(glibc or gcc come to mind), and hence future compilations will
produce proper PIC everywhere.

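The two checks the replies describe, as one added script that is not part of the thread and not the poster's own code: the readelf-based TEXTREL test from post #3, applied to init and every library it pulls in, and a directory sweep for the case in post #6 where one non-PIC system-wide object drags text relocations into everything linked against it. It assumes binutils readelf and ldconfig are on PATH and that paths contain no spaces; the two readelf dumps embedded at the bottom are constructed samples, not output from the poster's machine. ldd is avoided on purpose, since it may execute the target's dynamic loader; DT_NEEDED entries are read from the ELF dynamic section instead.

```shell
#!/bin/sh
# Added example, not from the thread: find text relocations (TEXTREL) the way
# the replies suggest, with binutils readelf only. ldd is deliberately avoided
# because it may execute the target's dynamic loader; DT_NEEDED entries are
# read from the ELF dynamic section and resolved through the ldconfig cache.
# Assumptions: readelf and ldconfig are on PATH, paths contain no spaces.

# dump_has_textrel: read `readelf -d` output on stdin and print "yes" when the
# dynamic section marks text relocations (a DT_TEXTREL entry, or DF_TEXTREL in
# DT_FLAGS), else "no". Pure text, so it can be checked on a captured dump.
dump_has_textrel() {
    if grep -Eq '\(TEXTREL\)|\(FLAGS\).*TEXTREL'; then
        echo yes
    else
        echo no
    fi
}

# dump_needed: read `readelf -d` output on stdin and print each DT_NEEDED soname.
dump_needed() {
    sed -n 's/.*(NEEDED).*\[\(.*\)].*/\1/p'
}

file_has_textrel() { readelf -d "$1" 2>/dev/null | dump_has_textrel; }
needed_libs()      { readelf -d "$1" 2>/dev/null | dump_needed; }

# resolve_lib SONAME: soname -> path via the ldconfig cache, falling back to the
# usual library directories. Prints nothing when the library is not found.
resolve_lib() {
    p=$(ldconfig -p 2>/dev/null | awk -v so="$1" '$1 == so { print $NF; exit }')
    if [ -z "$p" ]; then
        for d in /lib /lib64 /usr/lib /usr/lib64; do
            if [ -e "$d/$1" ]; then p="$d/$1"; break; fi
        done
    fi
    printf '%s\n' "$p"
}

# check_tree BINARY: print "yes PATH" or "no PATH" for BINARY and every library
# it needs, transitively, so the one object that trips execmod on init shows up.
check_tree() {
    seen=" "
    set -- "$1"
    while [ $# -gt 0 ]; do
        f=$1; shift
        case "$seen" in *" $f "*) continue ;; esac
        seen="$seen$f "
        printf '%s %s\n' "$(file_has_textrel "$f")" "$f"
        for so in $(needed_libs "$f"); do
            p=$(resolve_lib "$so")
            if [ -n "$p" ]; then set -- "$@" "$p"; fi
        done
    done
}

# find_textrel DIR...: list every shared object under the given directories that
# carries TEXTREL. Relocatable objects such as crt*.o have no dynamic section, so
# a non-PIC crt file is found indirectly: every library linked with it is listed.
find_textrel() {
    find "$@" -type f \( -name '*.so' -o -name '*.so.*' \) 2>/dev/null |
    while IFS= read -r f; do
        if [ "$(file_has_textrel "$f")" = yes ]; then printf '%s\n' "$f"; fi
    done
}

# Constructed sample dumps (not captured from the poster's machine) in the
# format `readelf -d` prints: one for a non-PIC build, one clean.
SAMPLE_TEXTREL_DUMP='Dynamic section at offset 0x1f10 contains 5 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x0000000000000016 (TEXTREL)            0x0
 0x000000000000001e (FLAGS)              TEXTREL
 0x0000000000000000 (NULL)               0x0'
SAMPLE_CLEAN_DUMP='Dynamic section at offset 0x1f10 contains 4 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001e (FLAGS)              BIND_NOW
 0x0000000000000000 (NULL)               0x0'

# Usage: sh textrel-check.sh /sbin/init
#    or: sh textrel-check.sh --dir /lib /usr/lib
if [ "${1:-}" = --dir ]; then shift; find_textrel "$@"
elif [ $# -gt 0 ]; then check_tree "$1"
fi
```

A "yes" line for init or any library in its tree is the object to rebuild with PIC; the sweep mode is what you would run on the whole library tree when, as in the thread, nearly every binary comes up flagged and the common non-PIC object needs to be located. On a system with a recent elfutils, eu-findtextrel on a flagged file names the exact functions that contain the relocations.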
