I am using Redhat 7.2 with the current version of SELinux (2.4.17
kernel) and have noticed some "issues" (sorry to introduce Microsoftese)
involving shutdown:
There are a number of access denied messages in shutdown that are hard to catch because they don't appear on the message log (since the system is shutting down).
In some cases, software (postgres and ipchains, for instance) is not properly shut down due to these denials.
I don't know whether this is related, but I get a kernel panic when shutting down in enforcing mode. It's hard to note the details of this problem because the system succeeds in shutting down anyway (so the messages disappear from the screen). I just recall the phrase 'kernel panic' appearing briefly. This is only a problem for my home computer since it shut it down after every use.
In general, I solve all of these problems by using a shutdown script
that puts the system in permissive mode just before shutdown (this is
not a security problem since it's hard to hack a system that is shutting
down...)
--
--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
There are two ways to fix this problem,
Easy:
just toggle out of enforcing mode sometime during shutdown. Hard:
move the shutdown of the syslog to later and try to capture the messages, then fix it. Or you can via sysadm role shut down just the services. The problem here is sysadm_t != initrc_t. you have to do a runs as. Also even with enforcing off you get messages.
Shaun
Justin Smith wrote:
> I am using Redhat 7.2 with the current version of SELinux (2.4.17
> kernel) and have noticed some "issues" (sorry to introduce Microsoftese)
> involving shutdown:
>
> There are a number of access denied messages in shutdown that are hard
> to catch because they don't appear on the message log (since the system
> is shutting down).
>
> In some cases, software (postgres and ipchains, for instance) is not
> properly shut down due to these denials.
>
> I don't know whether this is related, but I get a kernel panic when
> shutting down in enforcing mode. It's hard to note the details of this
> problem because the system succeeds in shutting down anyway (so the
> messages disappear from the screen). I just recall the phrase 'kernel
> panic' appearing briefly. This is only a problem for my home computer
> since it shut it down after every use.
>
> In general, I solve all of these problems by using a shutdown script
> that puts the system in permissive mode just before shutdown (this is
> not a security problem since it's hard to hack a system that is shutting
> down...)
>
-- You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.From: Stephen Smalley <sds_at_tislabs.com>
On Thu, 24 Jan 2002, Shaun Savage wrote:
> Or you can via sysadm role shut down just the
> services. The problem here is sysadm_t != initrc_t. you have to do a
> runs as.
You can use run_init to run any of the init scripts in the proper security context. So, you can use run_init to shut down the services manually while the system is still logging to a file.
-- Stephen D. Smalley, NAI Labs ssmalley@nai.com -- You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.From: Stephen Smalley <sds_at_tislabs.com>
On 24 Jan 2002, Justin Smith wrote:
> In some cases, software (postgres and ipchains, for instance) is not
> properly shut down due to these denials.
Try shutting them down manually via run_init on their init scripts with the 'stop' command, and see what denials get logged. There is no postgres domain in the example policy, so I don't know what the issue might be there. The ipchains domain was contributed, and it doesn't look complete to me - I would have granted the entire 'create_socket_perms' macro for rawip_socket rather than just create and setopt.
-- Stephen D. Smalley, NAI Labs ssmalley@nai.com -- You have received this message because you are subscribed to the selinux list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
This archive was generated by hypermail 2.2.0 on Wed 11 Jun 2008 - 08:10:54 EDT