Re: [bug] latest -git boot hang

[Casey Schaufler]

Stephen Smalley wrote:
> On Tue, 2008-10-14 at 17:12 +0200, Ingo Molnar wrote:
>   
> > * Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> >
> >     
> > > > Right now i have about 40 such annotations for -tip testing:
> > > >
> > > >   fs/Kconfig:	depends on BROKEN_BOOT_ALLOWED
> > > >   fs/Kconfig:	depends on BROKEN_BOOT_ALLOWED
> > > >   security/selinux/Kconfig:	depends on BROKEN_BOOT_ALLOWED
> > > >   security/smack/Kconfig:	depends on BROKEN_BOOT_ALLOWED
> > > >   security/Kconfig:	depends on BROKEN_BOOT_ALLOWED
> > > >         
> > > What in particular under fs/Kconfig and security/*Kconfig falls into 
> > > this category, and why?  What constitutes a "generic distro bootup"? 
> > > For distros that support SELinux, it obviously shouldn't break the 
> > > bootup (there have of course been cases where it has, but those were 
> > > bugs that have been addressed, including the recent /proc/net 
> > > breakage), and for other distros, it should yield no effect as no 
> > > policy will be loaded and thus SELinux just allows everything.
> > >       
> > got this one for rootplug:
> >
> > --- linux.orig/security/Kconfig
> > +++ linux/security/Kconfig
> > @@ -93,6 +93,11 @@ config SECURITY_FILE_CAPABILITIES
> >  config SECURITY_ROOTPLUG
> >         bool "Root Plug Support"
> >         depends on USB=y && SECURITY
> > +
> > +       # fails with hard-to-debug "could not find init" boot failure
> > +       depends on BROKEN_BOOT_ALLOWED
> > +       select BROKEN_BOOT
> >     
>
> Makes sense - rootplug truly is "specialized".
>
>   
> > and this one:
> >
> > --- linux.orig/security/selinux/Kconfig
> > +++ linux/security/selinux/Kconfig
> > @@ -97,6 +97,11 @@ config SECURITY_SELINUX_CHECKREQPROT_VAL
> >  config SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT
> >         bool "NSA SELinux enable new secmark network controls by default"
> >         depends on SECURITY_SELINUX
> > +
> > +       # old system booted up with this cannot ssh out
> > +       depends on BROKEN_BOOT_ALLOWED
> > +       select BROKEN_BOOT
> >     
>
> What is the oldest distro you test against?  This one does need to be
> disabled for distros that predate the policy support for secmark, but
> we'd really like to deprecate and ultimately remove the legacy network
> controls from SELinux.
>
>   
> > i also have this temporary annotation:
> >
> > --- linux.orig/security/smack/Kconfig
> > +++ linux/security/smack/Kconfig
> > @@ -1,6 +1,9 @@
> >  config SECURITY_SMACK
> >         bool "Simplified Mandatory Access Control Kernel Support"
> >         depends on NETLABEL && SECURITY_NETWORK
> > +       # breaks networking (TCP connections)
> > +       depends on BROKEN_BOOT_ALLOWED
> > +       select BROKEN_BOOT
> >         default n
> >         help
> >           This selects the Simplified Mandatory Access Control Kernel.
> >
> > has this problem been fixed? A test is only a success if the freshly 
> > booted kernel can autonomously ssh out over a real network and can 
> > indicate success to the QA server. I've got a good mix of old and new 
> > distros as well.
> >     
>
> I thought that Casey had changed Smack such that packets wouldn't be
> explicitly labeled by default when they were at the default/ambient
> network label and thus wouldn't break sshd.
>   
Stephen is correct. The fix has been in for some time.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/