
SELinux silently disabled on boot under 2.6.14/2.6.14.2 on FC3 system ?: msg#00081

Subject: SELinux silently disabled on boot under 2.6.14/2.6.14.2 on FC3 system ?
12-nov-05

Hello:

I have a FC3 box which requires compiling the kernel from source to accommodate
acpi & ec.c related hardware quirks (it's a generic laptop).

When compiling & installing the latest kernels, I have discovered an apparent
problem with both the 2.6.14 & 2.6.14.2 kernels and SELinux.

After compiling these kernels, SELinux is silently disabled on boot;

e.g.:

sestatus shows SELinux as disabled regardless of /etc/selinux/config
being set for 'Permissive-targeted'.

ps -Z & ls -Z show no xattributes but returns these values/messages:
torus:~/selinux/kernel-tests> ps -Z
LABEL                             PID TTY          TIME CMD
kernel                           3979 pts/6    00:00:00 tcsh
kernel                           4005 pts/6    00:00:00 ps
torus:~/selinux/kernel-tests> ls -Z
Sorry, this option can only be used on a SELinux kernel.

dmesg does not have any further SELinux entries after these four:

SELinux:  Initializing.
SELinux:  Starting in permissive mode
selinux_register_security:  Registering secondary module capability
SELinux:  Registering netfilter hooks

nor are there any error messages in /var/log/messages.

Kernels built from the 2.6.13.4 & 2.6.12-1.1381_FC3 source trees both work
normally with regard to SELinux.

After a comparison of the '.config' files from the related builds,
I've noticed that the 2.6.14 and 2.6.14.2 kernels no longer support
extended attributes for the pseudo filesystems, while the 2.6.13.4 and
2.6.12-1.1381_FC3 kernels do support the extended attributes, this is
the only significant difference I could find between these kernels'
'.config' files.

i.e. Referring to 'make xconfig': in linux-2.6.14/linux-2.6.14.2 these
two filesystems no longer exist:

'Pseudo Filesystems -> /dev/pts Extended Attributes -> /dev/pts Security Labels'
'Pseudo Filesystems -> Virtual memory file system support -> tmpfs Extended Attributes -> tmpfs Security Labels'.

Note these error messages were returned when using the '.config' from 2.6.13.4
as a starting point for the '.config' in the 2.6.14/2.6.14.2 trees:

/boot/config-2.6.13.4:2649: trying to assign nonexistent symbol DEVPTS_FS_XATTR
/boot/config-2.6.13.4:2650: trying to assign nonexistent symbol DEVPTS_FS_SECURITY

The Help sections for these options from the 2.6.13.4 kernel indicate these are
used by SELinux:

Help for /dev/pts Security Labels (DEVPTS_FS_SECURITY)

"Security labels support alternative access control models
implemented by security modules like SELinux. This option
enables an extended attribute handler for file security
label in the /dev/pts filesystem.
If you are not using a security module that requires using
extended attributes for file security labels, say N."

Help for tmpfs Security Labels (TMPFS_SECURITY)

"Security labels support alternative access control models
implemented by security modules like SELinux. This option
enables an extended attribute handler for file security
labels in the tmpfs filesystem.
If you are not using a security module that requires using
extended attributes for file security labels, say N."

I would like to stress that _All_ previous 2.6 kernels that I have
tried prior to 2.6.14 work as expected with regard to SELinux.

Has there been a change to SELinux in the FC4 tree but not in the FC3
tree which anticipated this disappearance of the extended attributes
in the 2.6.14 kernel's pseudo filesystems - or am I on the wrong track?

Here is my current selinux configuration:

selinux-doc-1.14.1-1
selinux-policy-targeted-sources-1.17.30-3.16
libselinux-1.23.10-2
libselinux-devel-1.23.10-2
selinux-policy-targeted-1.17.30-3.16
setools-gui-2.1.1-2
setools-2.1.1-2
checkpolicy-1.23.1-1

I intend to upgrade to FC4/FC5 when I can get the disks, and wonder if
the problem could be due to subtle conflicts in the above configuration
rather than the disappearance of the extended attributes in the pseudo
filesystem in the 2.6.14 kernel series.

Thank you,
Brgds
Bob

--
rhp.lpt@xxxxxxxxx
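
The '.config' comparison described in the message above can be scripted. The following is an added example, not part of the original post: it assumes two kernel '.config' files given as text and reports security-related symbols that were enabled in the old build and are absent or changed in the new one. The config fragments and the function names are constructed for illustration.

```python
import re

# Constructed .config fragments for illustration (not the poster's files).
OLD_CONFIG = """\
CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
CONFIG_DEVPTS_FS_XATTR=y
CONFIG_DEVPTS_FS_SECURITY=y
CONFIG_TMPFS_SECURITY=y
CONFIG_EXT3_FS_SECURITY=y
# CONFIG_SECURITY_SELINUX_DISABLE is not set
"""
NEW_CONFIG = """\
CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
# CONFIG_EXT3_FS_SECURITY is not set
# CONFIG_SECURITY_SELINUX_DISABLE is not set
"""

SET_RE = re.compile(r"^CONFIG_(\w+)=(.*)$")
UNSET_RE = re.compile(r"^# CONFIG_(\w+) is not set$")
RELEVANT = re.compile(r"SECURITY|SELINUX|XATTR")

def parse_config(text):
    """Map symbol name -> value; '# CONFIG_X is not set' is recorded as 'n'."""
    symbols = {}
    for line in text.splitlines():
        line = line.strip()
        m = SET_RE.match(line)
        if m:
            symbols[m.group(1)] = m.group(2)
            continue
        m = UNSET_RE.match(line)
        if m:
            symbols[m.group(1)] = "n"
    return symbols

def compare(old_text, new_text, pattern=RELEVANT):
    """Report relevant symbols that vanished from, or changed in, the new config."""
    old, new = parse_config(old_text), parse_config(new_text)
    report = {"absent": [], "changed": []}
    for sym in sorted(s for s in old if pattern.search(s)):
        if sym not in new:
            if old[sym] != "n":  # was enabled, no longer present at all
                report["absent"].append(sym)
        elif new[sym] != old[sym]:  # still present, but value differs
            report["changed"].append((sym, old[sym], new[sym]))
    return report

if __name__ == "__main__":
    print(compare(OLD_CONFIG, NEW_CONFIG))
```

An "absent" symbol only shows that the new tree no longer defines that option; whether it was removed, renamed or folded into another option has to be checked against the new tree's Kconfig files.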


