[MLS Policy]:- MLS policy problem when manually restarting the servers.
Stephen Smalley
sds at tycho.nsa.gov
Tue Jun 10 12:07:22 UTC 2008
On Tue, 2008-06-10 at 17:14 +0530, prakash hallalli wrote:
> Hi All
>
> I have configured SELinux on CentOS 5.1. I have configured the RBAC
> using MLS (Multilevel Security) Policy.
> Now I am trying to restart the system services and they are not
> restarting and it is throwing some error message.
> I have a question here, with mls policy enabled will I be able to
> restart the system service? If yes then what to do and if no what is
> the reason?
>
> Steps to reproduce:
>
> 1) MLS Policy configuration.
>
> 1. Install selinux-policy-mls
> 2. Set SELINUXTYPE=MLS in /etc/selinux/config file
> 3. touch ./autorelabel; on root's home directory, and reboot the
> machine.
> 4. While machine is rebooting, change the GRUB parameter.
> enforcing=0
>
> 2) Now system is in permissive mode and SELinux status is as follows.
>
> # sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: permissive
> Mode from config file: enforcing
> Policy version: 21
> policy from config file: mls
>
> 3) Restart the system services and they restart successfully.
>
> [root at turtle11 ~]# service nfs restart
> Shutting down NFS mountd: [FAILED]
> Shutting down NFS daemon: [FAILED]
> Shutting down NFS quotas: [FAILED]
> Shutting down NFS services: [FAILED]
> Starting NFS services: [ OK ]
> Starting NFS quotas: [ OK ]
> Starting NFS daemon: [ OK ]
> Starting NFS mountd: [ OK ]
>
> 4) Now I am setting enforcing mode using setenforce command.
>
> [root at turtle11 ~]# setenforce 1
> [root at turtle11 ~]# sestatus
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: enforcing
> Mode from config file: enforcing
> Policy version: 21
> Policy from config file: mls
>
> 5) a) Now system is in enforcing mode and I am trying to restart the
> system service. The restart will result in error message.
>
> [root at turtle11 ~]# service nfs restart
> /sbin/consoletype: error while loading shared libraries: libc.so.6:
> cannot open shared object file: No such file or directory
> /sbin/consoletype: error while loading shared libraries: libc.so.6:
> cannot open shared object file: No such file or directory

This suggests that libc.so.6 has the wrong label. In older versions of
the policy, this was a difference between targeted and strict/mls
policies. Boot in single-user mode and run fixfiles -F relabel.

> nfs: unrecognized service
>
> b) When I try to log in it will show the following error.
>
> turtle login: smbldap3
> /bin/login:error while loading shared libraries: libcrypt.so.1:failed
> to map segment from shared object: Permission denied
> /sbin/mingetty: error while loading shared libraries: libc.so.6:
> failed to map segment from shared object: Permission denied
>
> c) When using su command.
>
> [root at turtle11 ~]# su smbldap3
> su: error while loading shared libraries: libpam.so.0: failed to map
> segment from shared object: Permission denied
>
> I am not sure what is going on. I referred to many websites and PDFs
> but couldn't get the proper solution.
>
> please help me.
>
> Thanks
> Prakash.
--
Stephen Smalley
National Security Agency
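
An added example, not part of the original thread: a way to confirm the wrong-label diagnosis before or after the relabel by triaging `matchpathcon -V` output and showing which context field differs per file. The line format parsed here, the `/lib` paths and the sample contexts are assumptions constructed for illustration; on a live system, pipe the real command output into `report_mislabeled` instead of `sample_output`.

```shell
#!/bin/sh
# Added example: triage `matchpathcon -V` output before a full relabel.
# Assumed line formats:
#   "<path> has context <on-disk>, should be <policy default>"
#   "<path> verified."

# Print the comma-separated context fields that differ between two contexts.
diff_fields() {  # $1 = on-disk context, $2 = policy default
    out=""
    i=1
    for name in user role type level; do
        if [ "$name" = level ]; then
            # An MLS level can itself contain ':' (e.g. s0:c0.c3), so take the rest.
            a=$(printf '%s' "$1" | cut -d: -f4-)
            b=$(printf '%s' "$2" | cut -d: -f4-)
        else
            a=$(printf '%s' "$1" | cut -d: -f"$i")
            b=$(printf '%s' "$2" | cut -d: -f"$i")
        fi
        [ "$a" = "$b" ] || out="$out${out:+,}$name"
        i=$((i + 1))
    done
    printf '%s' "$out"
}

# Read matchpathcon -V lines on stdin; print "<path> <differing fields>" per mismatch.
report_mislabeled() {
    while IFS= read -r line; do
        case $line in
            *" has context "*", should be "*)
                path=${line%% has context *}
                rest=${line#* has context }
                have=${rest%%, should be *}
                want=${rest#*, should be }
                printf '%s %s\n' "$path" "$(diff_fields "$have" "$want")"
                ;;
        esac
    done
}

# Constructed sample output (paths and contexts are illustrative, not from the thread).
sample_output() {
    cat <<'EOF'
/lib/libc.so.6 has context system_u:object_r:file_t:s0, should be system_u:object_r:lib_t:s0
/lib/libcrypt.so.1 has context root:object_r:lib_t:s0-s15:c0.c1023, should be system_u:object_r:lib_t:s0
/sbin/consoletype verified.
EOF
}

sample_output | report_mislabeled
```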