Fwd: [MLS Policy]:- MLS policy problem when manully restart the servers .

prakash hallalli prakashkhallalli at gmail.com
Tue Jun 10 15:35:37 UTC 2008


Hi
I have followed the same steps what you are given the information to change
the libc.so.6 file label. Now user will be able to login to the system it
not showing any error message while login time. But still i am not able do
system restart services. Now it showing error message is  unrecognized
service.

I have received the following error messages.

[root at turtle11 ~]# sestatus
SELinux status:                  enabled
SELinuxfs mount:                /selinux
Current mode:                     permissive
Mode from config file:          enforcing
Policy version:                    21
Policy from config file:         mls

[root at turtle11 ~]# service nfs restart
Shutting down NFS mountd:                                   [  OK  ]
Shutting down NFS daemon:                                  [  OK  ]
Shutting down NFS quotas:                                    [ OK  ]
Shutting down NFS services:                                  [  OK  ]
Starting NFS services:                                           [  OK  ]
Starting NFS quotas:                                              [  OK  ]
Starting NFS daemon:                                            [  OK  ]
Starting NFS mountd:                                             [  OK  ]

[root at turtle11 ~]# setenforce 1
[root at turtle11 ~]# sestatus
SELinux status:                   enabled
SELinuxfs mount:                 /selinux
Current mode:                      enforcing
Mode from config file:           enforcing
Policy version:                     21
Policy from config file:          mls

[root at turtle11 ~]# service nfs restart
nfs: unrecognized service

[root at turtle11 ~]# service ldap restart
ldap: unrecognized service

[root at turtle11 ~]# service samba restart
samba: unrecognized service

[root at turtle11 ~]# service named restart
named: unrecognized service
[root at turtle11 ~]#

Please help me, what should i do.

Thanks,
prakash






On Tue, Jun 10, 2008 at 5:37 PM, Stephen Smalley <sds at tycho.nsa.gov> wrote:

>
> On Tue, 2008-06-10 at 17:14 +0530, prakash hallalli wrote:
> > Hi All
> >
> > I have configured SELinux on ContOS 5.1. I have configured the RBAC
> > using MLS (Multilevel Security) Policy.
> > Now i am trying to restart the system services and they are not
> > restarting and it is throwing some error message.
> > I have a question here, with mls policy enabled will i be able to
> > restart the system service? If yes then what to do and If no what is
> > the reason?
> >
> > Steps to reproduce:
> >
> > 1) MLS Policy configuration.
> >
> > 1. Install selinux-policy-mls
> > 2. Set SELINUXTYPE=MLS in /etc/selinux/config file
> > 3. touch ./autorelabel; on root's home directory, and reboot the
> > machine.
> > 4. While machine is rebooting, change the GRUB parameter.
> > enforcing=0
> >
> > 2) Now system is in permissive mode and SELinux status is as follows.
> >
> > # sestatus
> > SELinux status:                 enabled
> > SELinuxfs mount:               /selinux
> > Current mode:                    permissive
> > Mode from config file:        enforcing
> > Policy version:                  21
> > policy from config file:        mls
> >
> > 3) Restart the system services and they restart successfully.
> >
> > [root at turtle11 ~]# service nfs restart
> > Shutting down NFS mountd:                                   [FAILED]
> > Shutting down NFS daemon:                                  [FAILED]
> > Shutting down NFS quotas:                                    [FAILED]
> > Shutting down NFS services:                                  [FAILED]
> > Starting NFS services:                                           [
> > OK  ]
> > Starting NFS quotas:                                             [
> > OK  ]
> > Starting NFS daemon:                                           [
> > OK  ]
> > Starting NFS mountd:                                            [
> > OK  ]
> >
> > 4) Now i am setting enforcing mode using setenforce command.
> >
> > root at turtle11 ~]#setenforce 1
> > root at turtle11 ~]# sestatus
> > SELinux status:             enabled
> > SELinuxfs mount:          /selinux
> > Current mode:               enforcing
> > Mode from config file:    enforcing
> > Policy version:              21
> > Policy from config file:   mls
> >
> > 5) a) Now system is in enforcing mode and i am trying to restart the
> > system service. The restart will result in error message.
> >
> > root at turtle11 ~]#service nfs restart
> > /sbin/consoletype: error while loading shared libraries: libc.so.6:
> > cannot open shared object  file: No such file or directory
> > /sbin/consoletype: error while loading shared libraries: libc.so.6:
> > cannot open shared object file: No such file or directory
>
> This suggests that libc.so.6 has the wrong label.  In older versions of
> the policy, this was a difference between targeted and strict/mls
> policies.  Boot in single-user mode and run fixfiles -F relabel.
>
> > nfs: unrecognized service
> >
> > b) When I trying to login it will show the following error.
> >
> > turtle login: smbldap3
> > /bin/login:error while loading shared libraries: libcrypt.so.1:failed
> > to map segment from shared object: Permission denied
> > /sbin/mingetty: error while loading shared libraries: libc.so.6:
> > failed to map segment from shared object: Permission denied
> >
> > c) When using su command.
> >
> > root at turtle11 ~]# su smbldap3
> > su: error while loading shared libraries: libpam.so.0: failed to map
> > segment from shared object: Permission denied
> >
> > I am not sure what is going on. I referred to many websites and PDFs
> > but couldn't get the proper solution.
> >
> > please help me.
> >
> > Thanks
> > Prakash.
> >
> >
> > --
> > fedora-selinux-list mailing list
> > fedora-selinux-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> --
> Stephen Smalley
> National Security Agency
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20080610/e65f3450/attachment.htm>


More information about the fedora-selinux-list mailing list