[MLS Policy]:- MLS policy problem when manually restarting the servers.

Stephen Smalley sds at tycho.nsa.gov
Tue Jun 10 12:07:22 UTC 2008


On Tue, 2008-06-10 at 17:14 +0530, prakash hallalli wrote:
> Hi All
> 
> I have configured SELinux on CentOS 5.1. I have configured the RBAC
> using MLS (Multilevel Security) Policy. 
> Now I am trying to restart the system services and they are not
> restarting and it is throwing some error message. 
> I have a question here, with mls policy enabled will I be able to
> restart the system service? If yes then what to do and If no what is
> the reason? 
>  
> Steps to reproduce:
> 
> 1) MLS Policy configuration.
> 
> 1. Install selinux-policy-mls
> 2. Set SELINUXTYPE=MLS in /etc/selinux/config file
> 3. touch ./autorelabel; on root's home directory, and reboot the
> machine.
> 4. While machine is rebooting, change the GRUB parameter.
> enforcing=0 
> 
> 2) Now system is in permissive mode and SELinux status is as follows.
>    
> # sestatus
> SELinux status:                 enabled
> SELinuxfs mount:               /selinux
> Current mode:                    permissive
> Mode from config file:        enforcing
> Policy version:                  21   
> policy from config file:        mls 
> 
> 3) Restart the system services and they restart successfully.
> 
> [root at turtle11 ~]# service nfs restart
> Shutting down NFS mountd:                                   [FAILED]
> Shutting down NFS daemon:                                  [FAILED]
> Shutting down NFS quotas:                                    [FAILED]
> Shutting down NFS services:                                  [FAILED]
> Starting NFS services:                                       [  OK  ]
> Starting NFS quotas:                                         [  OK  ]
> Starting NFS daemon:                                         [  OK  ]
> Starting NFS mountd:                                         [  OK  ]
> 
> 4) Now I am setting enforcing mode using setenforce command.
>   
> root at turtle11 ~]#setenforce 1
> root at turtle11 ~]# sestatus
> SELinux status:             enabled
> SELinuxfs mount:          /selinux
> Current mode:               enforcing
> Mode from config file:    enforcing
> Policy version:              21   
> Policy from config file:   mls 
>   
> 5) a) Now system is in enforcing mode and I am trying to restart the
> system service. The restart will result in error message.
> 
> root at turtle11 ~]#service nfs restart
> /sbin/consoletype: error while loading shared libraries: libc.so.6:
> cannot open shared object  file: No such file or directory
> /sbin/consoletype: error while loading shared libraries: libc.so.6:
> cannot open shared object file: No such file or directory 

This suggests that libc.so.6 has the wrong label.  In older versions of
the policy, this was a difference between targeted and strict/mls
policies.  Boot in single-user mode and run fixfiles -F relabel.

> nfs: unrecognized service
> 
> b) When I try to log in, it shows the following error.
> 
> turtle login: smbldap3
> /bin/login:error while loading shared libraries: libcrypt.so.1:failed
> to map segment from shared object: Permission denied
> /sbin/mingetty: error while loading shared libraries: libc.so.6:
> failed to map segment from shared object: Permission denied
>  
> c) When using su command.
> 
> root at turtle11 ~]# su smbldap3
> su: error while loading shared libraries: libpam.so.0: failed to map
> segment from shared object: Permission denied
> 
> I am not sure what is going on. I referred to many websites and PDFs
> but couldn't get the proper solution.
> 
> Please help me.
>   
> Thanks
> Prakash.
> 
> 
-- 
Stephen Smalley
National Security Agency
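
One way to check the diagnosis in the reply above, before and after running fixfiles, is to compare each file's on-disk context with the policy default. This is an added example, not part of the original thread; the /lib paths, the sample contexts and the assumed `matchpathcon -V` output format are assumptions.

```sh
#!/bin/sh
# Added example: list files whose on-disk SELinux context differs from
# the default of the loaded policy, by parsing `matchpathcon -V` output.

# Read verification lines on stdin and print "path actual expected" for
# each mismatch. Assumed line formats of `matchpathcon -V`:
#   <path> verified.
#   <path> has context <actual>, should be <expected>
# Splitting on the literal ", should be " keeps MLS ranges such as
# s0:c0,c1 intact even though they contain commas.
mislabeled_paths() {
    sed -n 's/^\(.*\) has context \(.*\), should be \(.*\)$/\1 \2 \3/p'
}

# Constructed sample output (not taken from the thread). The library
# names come from the error messages; the /lib directory and the
# contexts are assumed for illustration.
sample_output() {
    cat <<'EOF'
/lib/libc.so.6 has context system_u:object_r:file_t:s0, should be system_u:object_r:lib_t:s0
/lib/libcrypt.so.1 verified.
/lib/libpam.so.0 has context system_u:object_r:file_t:s0, should be system_u:object_r:lib_t:s0
/sbin/consoletype verified.
EOF
}

# On a live SELinux host, verify the given paths against the loaded
# policy; with no paths or no matchpathcon, fall back to the sample.
verify_labels() {
    if [ "$#" -gt 0 ] && command -v matchpathcon >/dev/null 2>&1; then
        matchpathcon -V "$@" 2>/dev/null
    else
        sample_output
    fi
}

# Offline demonstration on the constructed sample: prints the two
# mislabeled libraries with their actual and expected contexts.
sample_output | mislabeled_paths
```

On the affected host, `verify_labels /lib/libc.so.6 /lib/libpam.so.0 | mislabeled_paths` should print nothing once the relabel has completed.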



