problems compiling bitkeeper kernels for selinux

Thomas Molina tmolina at cablespeed.com
Sun Apr 18 13:31:01 UTC 2004


My first attempt at using a "stock" kernel has failed miserably and I am
hoping someone can tell me what I am doing wrong.  I synced up my tree to
be the latest and greatest kernel and recompiled.  Loading the resulting
kernel works fine with selinux=0, but fails miserably with selinux
enabled, even in permissive mode.  I tried compiling as a regular user,
then as root. I've run fixfiles relabel in both single user and multi-user
mode, but nothing works.  Others have said it works fine for them so I am
missing something; please tell me what it is. I am enclosing the dmesg
output from booting the kernel.  The selinux options I enabled look like
this:
                                                                                                                             
#
# Security options
#
CONFIG_SECURITY=y
# CONFIG_SECURITY_NETWORK is not set
# CONFIG_SECURITY_CAPABILITIES is not set
# CONFIG_SECURITY_ROOTPLUG is not set
CONFIG_SECURITY_SELINUX=y
CONFIG_SECURITY_SELINUX_BOOTPARAM=y
CONFIG_SECURITY_SELINUX_DEVELOP=y
# CONFIG_SECURITY_SELINUX_MLS is not set

I can send the full configuration file used to build the kernel if 
desired.  
-------------- next part --------------
DE UDMA100 controller on pci0000:00:04.1
    ide0: BM-DMA at 0xb800-0xb807, BIOS settings: hda:DMA, hdb:pio
    ide1: BM-DMA at 0xb808-0xb80f, BIOS settings: hdc:DMA, hdd:DMA
hda: MDT MD200BB-00DEA0, ATA DISK drive
Using anticipatory io scheduler
ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
hdc: _NEC DVD_RW ND-1300A, ATAPI CD/DVD-ROM drive
hdd: MDT MD200BB-00DEA0, ATA DISK drive
ide1 at 0x170-0x177,0x376 on irq 15
PDC20265: IDE controller at PCI slot 0000:00:11.0
PCI: Found IRQ 11 for device 0000:00:11.0
PDC20265: chipset revision 2
PDC20265: 100% native mode on irq 11
PDC20265: (U)DMA Burst Bit DISABLED Primary PCI Mode Secondary PCI Mode.
    ide2: BM-DMA at 0x7000-0x7007, BIOS settings: hde:pio, hdf:pio
    ide3: BM-DMA at 0x7008-0x700f, BIOS settings: hdg:pio, hdh:pio
hda: max request size: 128KiB
hda: 39102336 sectors (20020 MB) w/2048KiB Cache, CHS=38792/16/63, UDMA(100)
 hda: hda1 hda2 hda3
hdd: max request size: 128KiB
hdd: 39102336 sectors (20020 MB) w/2048KiB Cache, CHS=38792/16/63, UDMA(33)
 hdd: hdd1 hdd2 hdd3
hdc: ATAPI 40X DVD-ROM DVD-R CD-R/RW drive, 2048kB Cache, UDMA(33)
Uniform CD-ROM driver Revision: 3.20
mice: PS/2 mouse device common for all mice
input: PC Speaker
serio: i8042 AUX port at 0x60,0x64 irq 12
input: ImExPS/2 Logitech Explorer Mouse on isa0060/serio1
serio: i8042 KBD port at 0x60,0x64 irq 1
input: AT Translated Set 2 keyboard on isa0060/serio0
NET: Registered protocol family 2
IP: routing cache hash table of 1024 buckets, 32Kbytes
TCP: Hash tables configured (established 32768 bind 9362)
kjournald starting.  Commit interval 5 seconds
EXT3-fs: mounted filesystem with ordered data mode.
VFS: Mounted root (ext3 filesystem) readonly.
Freeing unused kernel memory: 128k freed
NET: Registered protocol family 1
security:  5 users, 7 roles, 1214 types, 1 bools
security:  30 classes, 290098 rules
SELinux:  Completing initialization.
SELinux:  Setting up existing superblocks.
SELinux: initialized (dev , type selinuxfs), uses genfs_contexts
SELinux: (dev hda1, type ext3) has no security xattr handler
SELinux: initialized (dev , type mqueue), not configured for labeling
SELinux: initialized (dev , type devpts), uses transition SIDs
SELinux: initialized (dev , type eventpollfs), uses genfs_contexts
SELinux: initialized (dev , type pipefs), uses task SIDs
SELinux: initialized (dev , type tmpfs), uses transition SIDs
SELinux: initialized (dev , type futexfs), uses genfs_contexts
SELinux: initialized (dev , type sockfs), uses task SIDs
SELinux: initialized (dev , type proc), uses genfs_contexts
SELinux: initialized (dev , type bdev), uses genfs_contexts
SELinux: initialized (dev , type rootfs), uses genfs_contexts
SELinux: initialized (dev , type sysfs), uses genfs_contexts
audit(1082239612.443:0): avc:  denied  { execute } for  pid=1 exe=/sbin/init name=init dev=hda1 ino=966730 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=file
audit(1082239612.455:0): avc:  denied  { execute_no_trans } for  pid=1 exe=/sbin/init path=/sbin/init dev=hda1 ino=966730 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=file
audit(1082239612.468:0): avc:  denied  { read } for  pid=1 exe=/sbin/init path=/sbin/init dev=hda1 ino=966730 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=file
audit(1082239612.483:0): avc:  denied  { getattr } for  pid=1 exe=/sbin/init path=/etc/ld.so.cache dev=hda1 ino=475154 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=file
audit(1082239612.523:0): avc:  denied  { read } for  pid=12 exe=/bin/bash name=default dev=hda1 ino=475270 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1082239612.539:0): avc:  denied  { getattr } for  pid=12 exe=/bin/bash path=/etc/hotplug.d/default dev=hda1 ino=475270 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1082239612.555:0): avc:  denied  { ioctl } for  pid=1 exe=/sbin/init path=/dev/tty0 dev=hda1 ino=993782 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=chr_file
audit(1082239612.572:0): avc:  denied  { search } for  pid=12 exe=/bin/bash name=default dev=hda1 ino=475270 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1082239612.591:0): avc:  denied  { ioctl } for  pid=20 exe=/bin/bash path=/sbin/hotplug dev=hda1 ino=966786 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=file
audit(1082239612.662:0): avc:  denied  { write } for  pid=1 exe=/sbin/init path=/dev/console dev=hda1 ino=985435 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=chr_file
audit(1082239612.928:0): avc:  denied  { lock } for  pid=1 exe=/sbin/init path=/var/run/utmp dev=hda1 ino=819205 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=file
audit(1082239613.024:0): avc:  denied  { getattr } for  pid=1 exe=/sbin/init path=/dev/initctl dev=hda1 ino=995200 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=fifo_file
audit(1082239613.045:0): avc:  denied  { read write } for  pid=1 exe=/sbin/init name=initctl dev=hda1 ino=995200 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=fifo_file
audit(1082239613.168:0): avc:  denied  { getattr } for  pid=136 exe=/bin/gawk path=/dev/console dev=hda1 ino=985435 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=chr_file
audit(1082239613.273:0): avc:  denied  { read } for  pid=137 exe=/bin/mount name=null dev=hda1 ino=988993 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=chr_file
audit(1082239614.333:0): avc:  denied  { syslog_console } for  pid=297 exe=/bin/dmesg scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:kernel_t tclass=system
audit(1082239614.594:0): avc:  denied  { search } for  pid=302 exe=/sbin/sysctl name=net dev= ino=4192 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysctl_net_t tclass=dir
audit(1082239614.594:0): avc:  denied  { write } for  pid=302 exe=/sbin/sysctl name=ip_forward dev= ino=4214 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysctl_net_t tclass=file
audit(1082239614.594:0): avc:  denied  { getattr } for  pid=302 exe=/sbin/sysctl path=/proc/sys/net/ipv4/ip_forward dev= ino=4214 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysctl_net_t tclass=file
Real Time Clock Driver v1.12
usbcore: registered new driver usbfs
usbcore: registered new driver hub
USB Universal Host Controller Interface driver v2.2
PCI: Found IRQ 5 for device 0000:00:04.2
PCI: Sharing IRQ 5 with 0000:00:04.3
PCI: Sharing IRQ 5 with 0000:00:0d.0
uhci_hcd 0000:00:04.2: VIA Technologies, Inc. USB
uhci_hcd 0000:00:04.2: irq 5, io base 0000b400
SELinux: initialized (dev , type usbdevfs), uses genfs_contexts
SELinux: initialized (dev , type usbfs), uses genfs_contexts
uhci_hcd 0000:00:04.2: new USB bus registered, assigned bus number 1
audit(1082254014.466:0): avc:  denied  { getattr } for  pid=345 exe=/bin/bash path=/sys/devices/pci0000:00/0000:00:04.2/usb1/bNumConfigurations dev= ino=962 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysfs_t tclass=file
audit(1082254014.468:0): avc:  denied  { read } for  pid=367 exe=/bin/cat name=bNumConfigurations dev= ino=962 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysfs_t tclass=file
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 2 ports detected
PCI: Found IRQ 5 for device 0000:00:04.3
PCI: Sharing IRQ 5 with 0000:00:04.2
PCI: Sharing IRQ 5 with 0000:00:0d.0
uhci_hcd 0000:00:04.3: VIA Technologies, Inc. USB (#2)
uhci_hcd 0000:00:04.3: irq 5, io base 0000b000
uhci_hcd 0000:00:04.3: new USB bus registered, assigned bus number 2
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 2 ports detected
audit(1082254014.683:0): avc:  denied  { mounton } for  pid=394 exe=/bin/mount path=/proc/bus/usb dev= ino=4494 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:proc_t tclass=dir
audit(1082254014.822:0): avc:  denied  { read } for  pid=417 exe=/bin/grep name=devices dev= ino=939 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:usbdevfs_t tclass=file
audit(1082254014.822:0): avc:  denied  { getattr } for  pid=417 exe=/bin/grep path=/proc/bus/usb/devices dev= ino=939 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:usbdevfs_t tclass=file
audit(1082254014.997:0): avc:  denied  { getattr } for  pid=422 exe=/sbin/fsck.ext3 path=/dev/hda1 dev=hda1 ino=985860 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=blk_file
audit(1082254014.998:0): avc:  denied  { getattr } for  pid=422 exe=/sbin/fsck.ext3 path=/sys dev= ino=1 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysfs_t tclass=dir
audit(1082254014.998:0): avc:  denied  { read write } for  pid=422 exe=/sbin/fsck.ext3 name=hda1 dev=hda1 ino=985860 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=blk_file
audit(1082254014.998:0): avc:  denied  { ioctl } for  pid=422 exe=/sbin/fsck.ext3 path=/dev/hda1 dev=hda1 ino=985860 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=blk_file
EXT3 FS on hda1, internal journal
audit(1082254015.075:0): avc:  denied  { write } for  pid=433 exe=/sbin/minilogd name=dev dev=hda1 ino=983041 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1082254015.075:0): avc:  denied  { add_name } for  pid=433 exe=/sbin/minilogd name=log scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1082254015.075:0): avc:  denied  { create } for  pid=433 exe=/sbin/minilogd name=log scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=sock_file
audit(1082254015.076:0): avc:  denied  { associate } for  pid=433 exe=/sbin/minilogd name=log scontext=system_u:object_r:unlabeled_t tcontext=system_u:object_r:fs_t tclass=filesystem
post_create:  setxattr failed, rc=95 (dev=hda1 ino=994985)
audit(1082254015.115:0): avc:  denied  { getattr } for  pid=436 exe=/sbin/minilogd path=/dev/log dev=hda1 ino=994985 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=sock_file
audit(1082254015.116:0): avc:  denied  { write } for  pid=130 exe=/sbin/initlog name=log dev=hda1 ino=994985 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=sock_file
audit(1082254015.172:0): avc:  denied  { remove_name } for  pid=438 exe=/bin/rm name=control dev=hda1 ino=1005989 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=dir
audit(1082254015.173:0): avc:  denied  { unlink } for  pid=438 exe=/bin/rm name=control dev=hda1 ino=1005989 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=chr_file
audit(1082254015.226:0): avc:  denied  { check_context } for  pid=441 exe=/sbin/restorecon scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:security_t tclass=security
Adding 1048816k swap on /dev/hda3.  Priority:-1 extents:1
audit(1082254015.664:0): avc:  denied  { write } for  pid=129 exe=/bin/bash name=mtab dev=hda1 ino=475519 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=file
audit(1082254015.685:0): avc:  denied  { create } for  pid=448 exe=/bin/mount name=mtab~448 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=file
post_create:  setxattr failed, rc=95 (dev=hda1 ino=475331)
audit(1082254015.685:0): avc:  denied  { link } for  pid=448 exe=/bin/mount name=mtab~448 dev=hda1 ino=475331 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=file
audit(1082254015.685:0): avc:  denied  { unlink } for  pid=448 exe=/bin/mount name=mtab~448 dev=hda1 ino=475331 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=file
audit(1082254015.685:0): avc:  denied  { append } for  pid=448 exe=/bin/mount name=mtab dev=hda1 ino=475519 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=file
post_create:  setxattr failed, rc=95 (dev=hda1 ino=475331)
post_create:  setxattr failed, rc=95 (dev=hda1 ino=475331)
post_create:  setxattr failed, rc=95 (dev=hda1 ino=475331)
post_create:  setxattr failed, rc=95 (dev=hda1 ino=475331)
audit(1082254015.700:0): avc:  denied  { getattr } for  pid=129 exe=/bin/bash path=/proc/sys/kernel/modprobe dev= ino=4145 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysctl_modprobe_t tclass=file
audit(1082254015.702:0): avc:  denied  { write } for  pid=454 exe=/sbin/sysctl name=modprobe dev= ino=4145 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysctl_modprobe_t tclass=file
audit(1082254015.705:0): avc:  denied  { write } for  pid=455 exe=/sbin/sysctl name=hotplug dev= ino=4146 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysctl_hotplug_t tclass=file
audit(1082254015.705:0): avc:  denied  { getattr } for  pid=455 exe=/sbin/sysctl path=/proc/sys/kernel/hotplug dev= ino=4146 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysctl_hotplug_t tclass=file
audit(1082254018.440:0): avc:  denied  { unlink } for  pid=904 exe=/sbin/minilogd name=log dev=hda1 ino=994985 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=sock_file
post_create:  setxattr failed, rc=95 (dev=hda1 ino=994985)
post_create:  setxattr failed, rc=95 (dev=hda1 ino=994986)
SELinux: initialized (dev , type tmpfs), uses transition SIDs
post_create:  setxattr failed, rc=95 (dev=hda1 ino=475331)
kjournald starting.  Commit interval 5 seconds
EXT3 FS on hdd1, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: (dev hdd1, type ext3) has no security xattr handler
kjournald starting.  Commit interval 5 seconds
EXT3 FS on hdd3, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: (dev hdd3, type ext3) has no security xattr handler
kjournald starting.  Commit interval 5 seconds
EXT3 FS on hda2, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: (dev hda2, type ext3) has no security xattr handler
kjournald starting.  Commit interval 5 seconds
EXT3 FS on hdd2, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
SELinux: (dev hdd2, type ext3) has no security xattr handler
audit(1082254019.070:0): avc:  denied  { setattr } for  pid=937 exe=/sbin/pam_console_apply name=fd0 dev=hda1 ino=985579 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=blk_file
audit(1082254019.135:0): avc:  denied  { setattr } for  pid=937 exe=/sbin/pam_console_apply name=dsp dev=hda1 ino=985539 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=chr_file
audit(1082254019.135:0): avc:  denied  { getattr } for  pid=937 exe=/sbin/pam_console_apply path=/dev/dsp0 dev=hda1 ino=985540 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=lnk_file
audit(1082254019.135:0): avc:  denied  { read } for  pid=937 exe=/sbin/pam_console_apply name=dsp0 dev=hda1 ino=985540 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=lnk_file
post_create:  setxattr failed, rc=95 (dev=hda1 ino=819205)
audit(1082254019.363:0): avc:  denied  { setattr } for  pid=941 exe=/bin/chgrp name=utmp dev=hda1 ino=819205 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=file
audit(1082254019.553:0): avc:  denied  { syslog_read } for  pid=955 exe=/bin/dmesg scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:kernel_t tclass=system
post_create:  setxattr failed, rc=95 (dev=hda1 ino=20)
post_create:  setxattr failed, rc=95 (dev=hda1 ino=508036)
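Added example for this post (editor's code, not Thomas Molina's and not part of Fedora): a small triage script that reads a dmesg capture like the one attached above together with a kernel .config and reports whether the root filesystem could carry SELinux labels at all. The reading it encodes is an assumption drawn from the attached log: "SELinux: (dev hda1, type ext3) has no security xattr handler" plus the repeated "post_create: setxattr failed, rc=95" (95 is EOPNOTSUPP on Linux) are consistent with an ext3 driver built without security extended-attribute support, which would leave every inode as unlabeled_t and would also explain why fixfiles relabel changes nothing. The option names CONFIG_EXT3_FS_XATTR / CONFIG_EXT3_FS_SECURITY are the 2.6-era Kconfig names; the .config fragment in the script is constructed, since the post only shows the Security options section. The sample dmesg lines are excerpted from the attachment.

```python
"""Triage an SELinux boot that floods dmesg with unlabeled_t denials.

Editor's example, not code from the original post. Assumed interpretation:
"has no security xattr handler" + "setxattr failed, rc=95" (EOPNOTSUPP)
means the filesystem driver cannot store security labels.
"""
import re
from collections import Counter

EOPNOTSUPP = 95  # Linux errno: Operation not supported

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")
NO_XATTR_RE = re.compile(
    r"SELinux: \(dev (?P<dev>\S+), type (?P<fstype>\S+)\) has no security xattr handler")
SETXATTR_RE = re.compile(r"post_create:\s+setxattr failed, rc=(?P<rc>\d+)")

# 2.6-era Kconfig options that give a filesystem driver a security xattr handler
# (assumption: ext2 listed by analogy with ext3).
REQUIRED_FS_OPTIONS = {
    "ext3": ("CONFIG_EXT3_FS_XATTR", "CONFIG_EXT3_FS_SECURITY"),
    "ext2": ("CONFIG_EXT2_FS_XATTR", "CONFIG_EXT2_FS_SECURITY"),
}


def parse_avc(line):
    """Return the key=value fields of one AVC denial line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["perms"] = m.group("perms").split()
    return rec


def context_type(ctx):
    """user:role:type[:range] -> type."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def triage_dmesg(lines):
    """Count denials by target type and exe, and collect labeling failures."""
    rep = {"denials": 0, "by_ttype": Counter(), "by_exe": Counter(),
           "fs_without_xattr": [], "setxattr_eopnotsupp": 0}
    for line in lines:
        m = NO_XATTR_RE.search(line)
        if m:
            rep["fs_without_xattr"].append((m["dev"], m["fstype"]))
            continue
        m = SETXATTR_RE.search(line)
        if m and int(m["rc"]) == EOPNOTSUPP:
            rep["setxattr_eopnotsupp"] += 1
            continue
        rec = parse_avc(line)
        if rec is None:
            continue
        rep["denials"] += 1
        rep["by_ttype"][context_type(rec.get("tcontext", ""))] += 1
        rep["by_exe"][rec.get("exe", "?")] += 1
    return rep


def missing_fs_options(config_text, fstype):
    """Options for fstype that are not =y in the given .config text."""
    enabled = set(re.findall(r"^(CONFIG_\w+)=y$", config_text, re.M))
    return [opt for opt in REQUIRED_FS_OPTIONS.get(fstype, ()) if opt not in enabled]


def diagnose(rep, config_text):
    """Turn the triage report into concrete things to check."""
    findings = []
    for dev, fstype in rep["fs_without_xattr"]:
        missing = missing_fs_options(config_text, fstype)
        detail = (f"not set in .config: {', '.join(missing)}" if missing
                  else "driver reports no xattr handler although .config looks right")
        findings.append(f"{dev} ({fstype}) cannot store security labels; {detail}")
    if rep["setxattr_eopnotsupp"]:
        findings.append(f"{rep['setxattr_eopnotsupp']} setxattr failures with EOPNOTSUPP; "
                        "relabeling cannot succeed until the kernel stores security xattrs")
    if rep["by_ttype"].get("unlabeled_t"):
        findings.append(f"{rep['by_ttype']['unlabeled_t']} of {rep['denials']} denials "
                        "target unlabeled_t")
    return findings


# Lines excerpted from the dmesg attached to the post.
SAMPLE_DMESG = """\
SELinux: (dev hda1, type ext3) has no security xattr handler
audit(1082239612.443:0): avc:  denied  { execute } for  pid=1 exe=/sbin/init name=init dev=hda1 ino=966730 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:unlabeled_t tclass=file
audit(1082239614.594:0): avc:  denied  { write } for  pid=302 exe=/sbin/sysctl name=ip_forward dev= ino=4214 scontext=system_u:system_r:kernel_t tcontext=system_u:object_r:sysctl_net_t tclass=file
post_create:  setxattr failed, rc=95 (dev=hda1 ino=994985)
""".splitlines()

# Constructed .config fragment (assumption): the post's Security options plus
# an ext3 section with the security xattr option left off.
SAMPLE_CONFIG = """\
CONFIG_EXT3_FS=y
CONFIG_EXT3_FS_XATTR=y
# CONFIG_EXT3_FS_SECURITY is not set
CONFIG_SECURITY=y
CONFIG_SECURITY_SELINUX=y
"""

if __name__ == "__main__":
    for finding in diagnose(triage_dmesg(SAMPLE_DMESG), SAMPLE_CONFIG):
        print(finding)
```

Run it against a full dmesg with `triage_dmesg(open("dmesg.txt").read().splitlines())` and the real `.config`; on the attached log every denial from init onward targets unlabeled_t while the few sysctl_net_t/sysfs_t denials are ordinary policy gaps, which is the distinction the script is meant to surface.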

